@pagopa/io-react-native-wallet 1.7.1 → 2.0.0-next.1

package/lib/commonjs/credential/presentation/05-verify-request-object.js

@@ -3,38 +3,93 @@
 Object.defineProperty(exports, "__esModule", {
   value: true
 });
-exports.verifyRequestObjectSignature = void 0;
-var _errors = require("./errors");
+exports.verifyRequestObject = void 0;
 var _ioReactNativeJwt = require("@pagopa/io-react-native-jwt");
+var _errors = require("./errors");
 var _types = require("./types");
-const verifyRequestObjectSignature = async (requestObjectEncodedJwt, jwkKeys) => {
+var _retrieveRpJwks = require("./04-retrieve-rp-jwks");
+/**
+ * Function to verify the Request Object's validity, from the signature to the required properties.
+ * @param requestObjectEncodedJwt The Request Object in JWT format
+ * @param context.clientId The client ID to verify
+ * @param context.rpConf The Entity Configuration of the Relying Party
+ * @param context.state Optional state
+ * @returns The verified Request Object
+ * @throws {InvalidRequestObjectError} if the Request Object cannot be validated
+ */
+const verifyRequestObject = async (requestObjectEncodedJwt, _ref) => {
+  let {
+    clientId,
+    rpConf,
+    rpSubject,
+    state
+  } = _ref;
   const requestObjectJwt = (0, _ioReactNativeJwt.decode)(requestObjectEncodedJwt);
-
-  // verify token signature to ensure the request object is authentic
-  const pubKey = (jwkKeys === null || jwkKeys === void 0 ? void 0 : jwkKeys.find(_ref => {
-    let {
-      kid
-    } = _ref;
-    return kid === requestObjectJwt.protectedHeader.kid;
-  })) || (jwkKeys === null || jwkKeys === void 0 ? void 0 : jwkKeys.find(_ref2 => {
-    let {
-      use
-    } = _ref2;
-    return use === "sig";
-  }));
-  if (!pubKey) {
-    throw new _errors.UnverifiedEntityError("Request Object signature verification!");
+  const pubKey = getSigPublicKey(rpConf, requestObjectJwt.protectedHeader.kid);
+  try {
+    // Standard claims are verified within `verify`
+    await (0, _ioReactNativeJwt.verify)(requestObjectEncodedJwt, pubKey, {
+      issuer: clientId
+    });
+  } catch (_) {
+    throw new _errors.InvalidRequestObjectError("The Request Object signature verification failed");
   }
-  await (0, _ioReactNativeJwt.verify)(requestObjectEncodedJwt, pubKey);
-  const requestObject = _types.RequestObject.parse(requestObjectJwt.payload);
-  // Check if exp exists and is expired
-  // exp is typically in seconds since epoch, Get current time in seconds
-  if (requestObject.exp && requestObject.exp <= Date.now() / 1000) {
-    throw new _errors.UnverifiedEntityError("Request Object is expired!");
+  const requestObject = validateRequestObjectShape(requestObjectJwt.payload);
+  const isClientIdMatch = clientId === requestObject.client_id && clientId === rpSubject;
+  if (!isClientIdMatch) {
+    throw new _errors.InvalidRequestObjectError("Client ID does not match Request Object or Entity Configuration");
+  }
+  const isStateMatch = state && requestObject.state ? state === requestObject.state : true;
+  if (!isStateMatch) {
+    throw new _errors.InvalidRequestObjectError("The provided state does not match the Request Object's");
   }
   return {
     requestObject
   };
 };
-exports.verifyRequestObjectSignature = verifyRequestObjectSignature;
+
+/**
+ * Validate the shape of the Request Object to ensure all required properties are present and are of the expected type.
+ *
+ * @param payload The Request Object to validate
+ * @returns A valid Request Object
+ * @throws {InvalidRequestObjectError} when the Request Object cannot be parsed
+ */
+exports.verifyRequestObject = verifyRequestObject;
+const validateRequestObjectShape = payload => {
+  const requestObjectParse = _types.RequestObject.safeParse(payload);
+  if (requestObjectParse.success) {
+    return requestObjectParse.data;
+  }
+  throw new _errors.InvalidRequestObjectError("The Request Object cannot be parsed successfully", formatFlattenedZodErrors(requestObjectParse.error.flatten()));
+};
+
+/**
+ * Get the public key to verify the Request Object's signature from the Relying Party's EC.
+ *
+ * @param rpConf The Relying Party's EC
+ * @param kid The identifier of the key to find
+ * @returns The corresponding public key to verify the signature
+ * @throws {InvalidRequestObjectError} when the key cannot be found
+ */
+const getSigPublicKey = (rpConf, kid) => {
+  try {
+    const {
+      keys
+    } = (0, _retrieveRpJwks.getJwksFromConfig)(rpConf);
+    const pubKey = keys.find(k => k.kid === kid);
+    if (!pubKey) throw new Error();
+    return pubKey;
+  } catch (_) {
+    throw new _errors.InvalidRequestObjectError(`The public key for signature verification (${kid}) cannot be found in the Entity Configuration`);
+  }
+};
+
+/**
+ * Utility to format flattened Zod errors into a simplified string `key1: key1_error, key2: key2_error`
+ */
+const formatFlattenedZodErrors = errors => Object.entries(errors.fieldErrors).map(_ref2 => {
+  let [key, error] = _ref2;
+  return `${key}: ${error[0]}`;
+}).join(", ");
 //# sourceMappingURL=05-verify-request-object.js.map

package/lib/commonjs/credential/presentation/05-verify-request-object.js.map

@@ -1 +1 @@
-{"version":3,"names":["_errors","require","_ioReactNativeJwt","_types","verifyRequestObjectSignature","requestObjectEncodedJwt","jwkKeys","requestObjectJwt","decodeJwt","pubKey","find","_ref","kid","protectedHeader","_ref2","use","UnverifiedEntityError","verify","requestObject","RequestObject","parse","payload","exp","Date","now","exports"],"sourceRoot":"../../../../src","sources":["credential/presentation/05-verify-request-object.ts"],"mappings":";;;;;;AAAA,IAAAA,OAAA,GAAAC,OAAA;AAEA,IAAAC,iBAAA,GAAAD,OAAA;AACA,IAAAE,MAAA,GAAAF,OAAA;AASO,MAAMG,4BAA0D,GACrE,MAAAA,CAAOC,uBAAuB,EAAEC,OAAO,KAAK;EAC1C,MAAMC,gBAAgB,GAAG,IAAAC,wBAAS,EAACH,uBAAuB,CAAC;;EAE3D;EACA,MAAMI,MAAM,GACV,CAAAH,OAAO,aAAPA,OAAO,uBAAPA,OAAO,CAAEI,IAAI,CACXC,IAAA;IAAA,IAAC;MAAEC;IAAI,CAAC,GAAAD,IAAA;IAAA,OAAKC,GAAG,KAAKL,gBAAgB,CAACM,eAAe,CAACD,GAAG;EAAA,CAC3D,CAAC,MAAIN,OAAO,aAAPA,OAAO,uBAAPA,OAAO,CAAEI,IAAI,CAACI,KAAA;IAAA,IAAC;MAAEC;IAAI,CAAC,GAAAD,KAAA;IAAA,OAAKC,GAAG,KAAK,KAAK;EAAA,EAAC;EAEhD,IAAI,CAACN,MAAM,EAAE;IACX,MAAM,IAAIO,6BAAqB,CAAC,wCAAwC,CAAC;EAC3E;EACA,MAAM,IAAAC,wBAAM,EAACZ,uBAAuB,EAAEI,MAAM,CAAC;EAE7C,MAAMS,aAAa,GAAGC,oBAAa,CAACC,KAAK,CAACb,gBAAgB,CAACc,OAAO,CAAC;EACnE;EACA;EACA,IAAIH,aAAa,CAACI,GAAG,IAAIJ,aAAa,CAACI,GAAG,IAAIC,IAAI,CAACC,GAAG,CAAC,CAAC,GAAG,IAAI,EAAE;IAC/D,MAAM,IAAIR,6BAAqB,CAAC,4BAA4B,CAAC;EAC/D;EAEA,OAAO;IAAEE;EAAc,CAAC;AAC1B,CAAC;AAACO,OAAA,CAAArB,4BAAA,GAAAA,4BAAA"}
+{"version":3,"names":["_ioReactNativeJwt","require","_errors","_types","_retrieveRpJwks","verifyRequestObject","requestObjectEncodedJwt","_ref","clientId","rpConf","rpSubject","state","requestObjectJwt","decodeJwt","pubKey","getSigPublicKey","protectedHeader","kid","verify","issuer","_","InvalidRequestObjectError","requestObject","validateRequestObjectShape","payload","isClientIdMatch","client_id","isStateMatch","exports","requestObjectParse","RequestObject","safeParse","success","data","formatFlattenedZodErrors","error","flatten","keys","getJwksFromConfig","find","k","Error","errors","Object","entries","fieldErrors","map","_ref2","key","join"],"sourceRoot":"../../../../src","sources":["credential/presentation/05-verify-request-object.ts"],"mappings":";;;;;;AAAA,IAAAA,iBAAA,GAAAC,OAAA;AAEA,IAAAC,OAAA,GAAAD,OAAA;AACA,IAAAE,MAAA,GAAAF,OAAA;AACA,IAAAG,eAAA,GAAAH,OAAA;AAYA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO,MAAMI,mBAAwC,GAAG,MAAAA,CACtDC,uBAAuB,EAAAC,IAAA,KAEpB;EAAA,IADH;IAAEC,QAAQ;IAAEC,MAAM;IAAEC,SAAS;IAAEC;EAAM,CAAC,GAAAJ,IAAA;EAEtC,MAAMK,gBAAgB,GAAG,IAAAC,wBAAS,EAACP,uBAAuB,CAAC;EAE3D,MAAMQ,MAAM,GAAGC,eAAe,CAACN,MAAM,EAAEG,gBAAgB,CAACI,eAAe,CAACC,GAAG,CAAC;EAE5E,IAAI;IACF;IACA,MAAM,IAAAC,wBAAM,EAACZ,uBAAuB,EAAEQ,MAAM,EAAE;MAAEK,MAAM,EAAEX;IAAS,CAAC,CAAC;EACrE,CAAC,CAAC,OAAOY,CAAC,EAAE;IACV,MAAM,IAAIC,iCAAyB,CACjC,kDACF,CAAC;EACH;EAEA,MAAMC,aAAa,GAAGC,0BAA0B,CAACX,gBAAgB,CAACY,OAAO,CAAC;EAE1E,MAAMC,eAAe,GACnBjB,QAAQ,KAAKc,aAAa,CAACI,SAAS,IAAIlB,QAAQ,KAAKE,SAAS;EAEhE,IAAI,CAACe,eAAe,EAAE;IACpB,MAAM,IAAIJ,iCAAyB,CACjC,iEACF,CAAC;EACH;EAEA,MAAMM,YAAY,GAChBhB,KAAK,IAAIW,aAAa,CAACX,KAAK,GAAGA,KAAK,KAAKW,aAAa,CAACX,KAAK,GAAG,IAAI;EAErE,IAAI,CAACgB,YAAY,EAAE;IACjB,MAAM,IAAIN,iCAAyB,CACjC,wDACF,CAAC;EACH;EAEA,OAAO;IAAEC;EAAc,CAAC;AAC1B,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AANAM,OAAA,CAAAvB,mBAAA,GAAAA,mBAAA;AAOA,MAAMkB,0BAA0B,GAAIC,OAAgB,IAAoB;EACtE,MAAMK,kBAAkB,GAAGC,oBAAa,CAACC,SAAS,CAACP,OAAO,CAAC;EAE3D,IAAIK,kBAAkB,CAACG,OAAO,EAAE;IAC9B,OAAOH,kBAAkB,CAACI,IAAI;EAChC;EAEA,MAAM,IAAIZ,iCAAyB,CACjC,kDAAkD,EAClDa,wBAAwB,CAACL,kBAAkB,CAACM,KAAK,CAACC,OAAO,CAAC,CAAC,CAC7D,CAAC;AACH,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,MAAMrB,eAAe,GAAGA,CACtBN,MAA8D,EAC9DQ,GAAuB,KACpB;EACH,IAAI;IACF,MAAM;MAAEoB;IAAK,CAAC,GAAG,IAAAC,iCAAiB,EAAC7B,MAAM,CAAC;IAE1C,MAAMK,MAAM,GAAGuB,IAAI,CAACE,IAAI,CAAEC,CAAC,IAAKA,CAAC,CAACvB,GAAG,KAAKA,GAAG,CAAC;IAE9C,IAAI,CAACH,MAAM,EAAE,MAAM,IAAI2B,KAAK,CAAC,CAAC;IAE9B,OAAO3B,MAAM;EACf,CAAC,CAAC,OAAOM,CAAC,EAAE;IACV,MAAM,IAAIC,iCAAyB,CAChC,8CAA6CJ,GAAI,+CACpD,CAAC;EACH;AACF,CAAC;;AAED;AACA;AACA;AACA,MAAMiB,wBAAwB,GAC5BQ,MAA+C,IAE/CC,MAAM,CAACC,OAAO,CAACF,MAAM,CAACG,WAAW,CAAC,CAC/BC,GAAG,CAACC,KAAA;EAAA,IAAC,CAACC,GAAG,EAAEb,KAAK,CAAC,GAAAY,KAAA;EAAA,OAAM,GAAEC,GAAI,KAAIb,KAAK,CAAC,CAAC,CAAE,EAAC;AAAA,EAAC,CAC5Cc,IAAI,CAAC,IAAI,CAAC"}

package/lib/commonjs/credential/presentation/06-fetch-presentation-definition.js

@@ -4,31 +4,22 @@ Object.defineProperty(exports, "__esModule", {
   value: true
 });
 exports.fetchPresentDefinition = void 0;
-var _types = require("./types");
-var _misc = require("../../utils/misc");
 /**
  * Retrieves a PresentationDefinition based on the given parameters.
  *
  * The method attempts the following strategies in order:
  * 1. Checks if `presentation_definition` is directly available in the request object.
- * 2. Fetches the `presentation_definition` from the URI provided in the relying party configuration.
- * 3. Uses a pre-configured `presentation_definition` from the relying party configuration if the `scope` is present in the request object.
+ * 2. Uses a pre-configured `presentation_definition` from the relying party configuration if the `scope` is present in the request object.
  *
- * If none of the above conditions are met, the function throws an error indicating the definition could not be found.
+ * If none of the above conditions are met, the function throws an error indicating the definition could not be found. Note that `presentation_definition_uri` is not supported in 0.9.x.
  *
  * @param {RequestObject} requestObject - The request object containing the presentation definition or references to it.
  * @param {RelyingPartyEntityConfiguration["payload"]["metadata"]} [rpConf] - Optional relying party configuration.
- * @param {Object} [context] - Optional context for providing a custom fetch implementation.
- * @param {GlobalFetch["fetch"]} [context.appFetch] - Custom fetch function, defaults to global `fetch`.
  * @returns {Promise<{ presentationDefinition: PresentationDefinition }>} - Resolves with the presentation definition.
  * @throws {Error} - Throws if the presentation definition cannot be found or fetched.
  */
-const fetchPresentDefinition = async function (requestObject) {
-  var _rpConf$wallet_relyin, _rpConf$wallet_relyin2;
-  let {
-    appFetch = fetch
-  } = arguments.length > 1 && arguments[1] !== undefined ? arguments[1] : {};
-  let rpConf = arguments.length > 2 ? arguments[2] : undefined;
+const fetchPresentDefinition = async (requestObject, rpConf) => {
+  var _rpConf$openid_creden;
   // Check if `presentation_definition` is directly available in the request object
   if (requestObject.presentation_definition) {
     return {
@@ -36,25 +27,10 @@ const fetchPresentDefinition = async function (requestObject) {
     };
   }
 
-  // Check if `presentation_definition_uri` is provided in the relying party configuration
-  if (rpConf !== null && rpConf !== void 0 && (_rpConf$wallet_relyin = rpConf.wallet_relying_party) !== null && _rpConf$wallet_relyin !== void 0 && _rpConf$wallet_relyin.presentation_definition_uri) {
-    try {
-      // Fetch the presentation definition from the provided URI
-      const presentationDefinition = await appFetch(rpConf === null || rpConf === void 0 ? void 0 : rpConf.wallet_relying_party.presentation_definition_uri, {
-        method: "GET"
-      }).then((0, _misc.hasStatusOrThrow)(200)).then(raw => raw.json()).then(json => _types.PresentationDefinition.parse(json));
-      return {
-        presentationDefinition
-      };
-    } catch (error) {
-      throw new Error(`Failed to fetch presentation definition: ${error}`);
-    }
-  }
-
   // Check if `scope` is present in the request object and a pre-configured presentation definition exists
-  if (requestObject.scope && rpConf !== null && rpConf !== void 0 && (_rpConf$wallet_relyin2 = rpConf.wallet_relying_party) !== null && _rpConf$wallet_relyin2 !== void 0 && _rpConf$wallet_relyin2.presentation_definition) {
+  if (requestObject.scope && rpConf !== null && rpConf !== void 0 && (_rpConf$openid_creden = rpConf.openid_credential_verifier) !== null && _rpConf$openid_creden !== void 0 && _rpConf$openid_creden.presentation_definition) {
     return {
-      presentationDefinition: rpConf.wallet_relying_party.presentation_definition
+      presentationDefinition: rpConf.openid_credential_verifier.presentation_definition
     };
   }
   throw new Error("Presentation definition not found");

package/lib/commonjs/credential/presentation/06-fetch-presentation-definition.js.map

@@ -1 +1 @@
-{"version":3,"names":["_types","require","_misc","fetchPresentDefinition","requestObject","_rpConf$wallet_relyin","_rpConf$wallet_relyin2","appFetch","fetch","arguments","length","undefined","rpConf","presentation_definition","presentationDefinition","wallet_relying_party","presentation_definition_uri","method","then","hasStatusOrThrow","raw","json","PresentationDefinition","parse","error","Error","scope","exports"],"sourceRoot":"../../../../src","sources":["credential/presentation/06-fetch-presentation-definition.ts"],"mappings":";;;;;;AAAA,IAAAA,MAAA,GAAAC,OAAA;AAEA,IAAAC,KAAA,GAAAD,OAAA;AAYA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO,MAAME,sBAAmD,GAAG,eAAAA,CACjEC,aAAa,EAGV;EAAA,IAAAC,qBAAA,EAAAC,sBAAA;EAAA,IAFH;IAAEC,QAAQ,GAAGC;EAAM,CAAC,GAAAC,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,CAAC,CAAC;EAAA,IACzBG,MAAM,GAAAH,SAAA,CAAAC,MAAA,OAAAD,SAAA,MAAAE,SAAA;EAEN;EACA,IAAIP,aAAa,CAACS,uBAAuB,EAAE;IACzC,OAAO;MACLC,sBAAsB,EAAEV,aAAa,CAACS;IACxC,CAAC;EACH;;EAEA;EACA,IAAID,MAAM,aAANA,MAAM,gBAAAP,qBAAA,GAANO,MAAM,CAAEG,oBAAoB,cAAAV,qBAAA,eAA5BA,qBAAA,CAA8BW,2BAA2B,EAAE;IAC7D,IAAI;MACF;MACA,MAAMF,sBAAsB,GAAG,MAAMP,QAAQ,CAC3CK,MAAM,aAANA,MAAM,uBAANA,MAAM,CAAEG,oBAAoB,CAACC,2BAA2B,EACxD;QACEC,MAAM,EAAE;MACV,CACF,CAAC,CACEC,IAAI,CAAC,IAAAC,sBAAgB,EAAC,GAAG,CAAC,CAAC,CAC3BD,IAAI,CAAEE,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC,CACzBH,IAAI,CAAEG,IAAI,IAAKC,6BAAsB,CAACC,KAAK,CAACF,IAAI,CAAC,CAAC;MAErD,OAAO;QACLP;MACF,CAAC;IACH,CAAC,CAAC,OAAOU,KAAK,EAAE;MACd,MAAM,IAAIC,KAAK,CAAE,4CAA2CD,KAAM,EAAC,CAAC;IACtE;EACF;;EAEA;EACA,IACEpB,aAAa,CAACsB,KAAK,IACnBd,MAAM,aAANA,MAAM,gBAAAN,sBAAA,GAANM,MAAM,CAAEG,oBAAoB,cAAAT,sBAAA,eAA5BA,sBAAA,CAA8BO,uBAAuB,EACrD;IACA,OAAO;MACLC,sBAAsB,EACpBF,MAAM,CAACG,oBAAoB,CAACF;IAChC,CAAC;EACH;EAEA,MAAM,IAAIY,KAAK,CAAC,mCAAmC,CAAC;AACtD,CAAC;AAACE,OAAA,CAAAxB,sBAAA,GAAAA,sBAAA"}
+{"version":3,"names":["fetchPresentDefinition","requestObject","rpConf","_rpConf$openid_creden","presentation_definition","presentationDefinition","scope","openid_credential_verifier","Error","exports"],"sourceRoot":"../../../../src","sources":["credential/presentation/06-fetch-presentation-definition.ts"],"mappings":";;;;;;AAUA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO,MAAMA,sBAAmD,GAAG,MAAAA,CACjEC,aAAa,EACbC,MAAM,KACH;EAAA,IAAAC,qBAAA;EACH;EACA,IAAIF,aAAa,CAACG,uBAAuB,EAAE;IACzC,OAAO;MACLC,sBAAsB,EAAEJ,aAAa,CAACG;IACxC,CAAC;EACH;;EAEA;EACA,IACEH,aAAa,CAACK,KAAK,IACnBJ,MAAM,aAANA,MAAM,gBAAAC,qBAAA,GAAND,MAAM,CAAEK,0BAA0B,cAAAJ,qBAAA,eAAlCA,qBAAA,CAAoCC,uBAAuB,EAC3D;IACA,OAAO;MACLC,sBAAsB,EACpBH,MAAM,CAACK,0BAA0B,CAACH;IACtC,CAAC;EACH;EAEA,MAAM,IAAII,KAAK,CAAC,mCAAmC,CAAC;AACtD,CAAC;AAACC,OAAA,CAAAT,sBAAA,GAAAA,sBAAA"}

package/lib/commonjs/credential/presentation/07-evaluate-dcql-query.js

@@ -3,28 +3,31 @@
 Object.defineProperty(exports, "__esModule", {
   value: true
 });
-exports.evaluateDcqlQuery = void 0;
+exports.prepareRemotePresentations = exports.evaluateDcqlQuery = void 0;
 var _dcql = require("dcql");
 var _valibot = require("valibot");
 var _sdJwt = require("../../sd-jwt");
-var _errors = require("../../utils/errors");
-var _errors2 = require("./errors");
-var _ioReactNativeCbor = require("@pagopa/io-react-native-cbor");
+var _crypto = require("../../utils/crypto");
+var _errors = require("./errors");
 /**
  * The purpose for the credential request by the RP.
  */
 
 /**
- * Convert a credential in SD-JWT format to an object with claims
+ * Convert a credential in JWT format to an object with claims
  * for correct parsing by the `dcql` library.
  */
-const mapCredentialSdJwtToObj = credentials => credentials.map(_ref => {
-  let [,, jwt] = _ref;
+const mapCredentialToObject = jwt => {
   const {
     sdJwt,
     disclosures
   } = (0, _sdJwt.decode)(jwt);
   const credentialFormat = sdJwt.header.typ;
+
+  // TODO [SIW-2082]: support MDOC credentials
+  if (credentialFormat !== "vc+sd-jwt") {
+    throw new Error(`Unsupported credential format: ${credentialFormat}`);
+  }
   return {
     vct: sdJwt.payload.vct,
     credential_format: credentialFormat,
@@ -33,63 +36,74 @@ const mapCredentialSdJwtToObj = credentials => credentials.map(_ref => {
       [disclosure.decoded[1]]: disclosure.decoded
     }), {})
   };
+};
+
+/**
+ * Extract only successful matches from the DCQL query result.
+ */
+const getDcqlQueryMatches = result => Object.entries(result.credential_matches).filter(_ref => {
+  let [, match] = _ref;
+  return match.success === true;
 });
 
 /**
- * Convert a credential in Mdoc format to an object with claims
- * for correct parsing by the `dcql` library.
+ * Extract only failed matches from the DCQL query result.
+ */
+const getDcqlQueryFailedMatches = result => Object.entries(result.credential_matches).filter(_ref2 => {
+  let [, match] = _ref2;
+  return match.success === false;
+});
+
+/**
+ * Extract missing credentials from the DCQL query result.
+ * Note: here we are assuming a failed match is a missing credential,
+ * but there might be other reasons for its failure.
  */
-const mapCredentialsMdocToObj = async credentialsMdoc => {
-  return await Promise.all(credentialsMdoc === null || credentialsMdoc === void 0 ? void 0 : credentialsMdoc.map(async _ref2 => {
-    let [type, _, credential] = _ref2;
-    const issuerSigned = credential ? await _ioReactNativeCbor.CBOR.decodeIssuerSigned(credential) : undefined;
-    if (!issuerSigned) {
-      throw new _errors2.CredentialNotFoundError("mso_mdoc credential is not present.");
+const extractMissingCredentials = (queryResult, originalQuery) => {
+  return getDcqlQueryFailedMatches(queryResult).map(_ref3 => {
+    var _credential$meta;
+    let [id] = _ref3;
+    const credential = originalQuery.credentials.find(c => c.id === id);
+    if ((credential === null || credential === void 0 ? void 0 : credential.format) !== "vc+sd-jwt") {
+      throw new Error("Unsupported format"); // TODO [SIW-2082]: support MDOC credentials
     }
-    const namespaces = Object.entries(issuerSigned.nameSpaces).reduce((acc, _ref3) => {
-      let [ns, nsClaims] = _ref3;
-      const flattenNsClaims = Object.entries(nsClaims).reduce((ac, _ref4) => {
-        let [, el] = _ref4;
-        return {
-          ...ac,
-          [el.elementIdentifier]: el.elementValue
-        };
-      }, {});
-      return {
-        ...acc,
-        [ns]: flattenNsClaims
-      };
-    }, {});
+
     return {
-      credential_format: "mso_mdoc",
-      doctype: type,
-      namespaces
+      id,
+      vctValues: (_credential$meta = credential.meta) === null || _credential$meta === void 0 ? void 0 : _credential$meta.vct_values
     };
-  }));
+  });
 };
-
-/**
- * Extract only successful matches from the DCQL query result.
- */
-const getDcqlQueryMatches = result => Object.entries(result.credential_matches).filter(_ref5 => {
-  let [, match] = _ref5;
-  return match.success === true;
-});
-const evaluateDcqlQuery = async (query, credentialsSdJwt, credentialsMdoc) => {
-  const credentials = [];
-  credentials.push(...mapCredentialSdJwtToObj(credentialsSdJwt));
-  credentials.push(...(await mapCredentialsMdocToObj(credentialsMdoc)));
+const evaluateDcqlQuery = (credentialsSdJwt, query) => {
+  const credentials = credentialsSdJwt.map(_ref4 => {
+    let [, credential] = _ref4;
+    return mapCredentialToObject(credential);
+  });
   try {
     // Validate the query
     const parsedQuery = _dcql.DcqlQuery.parse(query);
     _dcql.DcqlQuery.validate(parsedQuery);
     const queryResult = _dcql.DcqlQuery.query(parsedQuery, credentials);
     if (!queryResult.canBeSatisfied) {
-      throw new Error("No credential can satisfy the provided DCQL query");
+      throw new _errors.CredentialsNotFoundError(extractMissingCredentials(queryResult, parsedQuery));
     }
-    return getDcqlQueryMatches(queryResult).map(_ref6 => {
+
+    // Build an object vct:credentialJwt to map matched credentials to their JWT
+    const credentialsSdJwtByVct = credentials.reduce((acc, c, i) => ({
+      ...acc,
+      [c.vct]: credentialsSdJwt[i]
+    }), {});
+    return getDcqlQueryMatches(queryResult).map(_ref5 => {
       var _queryResult$credenti;
-      let [id, match] = _ref6;
+      let [id, match] = _ref5;
+      if (match.output.credential_format !== "vc+sd-jwt") {
+        throw new Error("Unsupported format"); // TODO [SIW-2082]: support MDOC credentials
+      }
+
+      const {
+        vct,
+        claims
+      } = match.output;
       const purposes = (_queryResult$credenti = queryResult.credential_sets) === null || _queryResult$credenti === void 0 || (_queryResult$credenti = _queryResult$credenti.filter(set => {
         var _set$matching_options;
         return (_set$matching_options = set.matching_options) === null || _set$matching_options === void 0 ? void 0 : _set$matching_options.flat().includes(id);
@@ -100,82 +114,48 @@ const evaluateDcqlQuery = async (query, credentialsSdJwt, credentialsMdoc) => {
           required: Boolean(credentialSet.required)
         };
       });
-      if (match.output.credential_format === "vc+sd-jwt") {
-        const {
-          vct,
-          claims
-        } = match.output;
-        const [, keyTag, credential] = credentialsSdJwt.find(_ref7 => {
-          let [type] = _ref7;
-          return type === vct;
-        });
-        const requiredDisclosures = Object.values(claims);
-        return {
-          id,
-          vct,
-          keyTag,
-          format: match.output.credential_format,
-          credential,
-          requiredDisclosures,
-          // When it is a match but no credential_sets are found, the credential is required by default
-          // See https://openid.net/specs/openid-4-verifiable-presentations-1_0-24.html#section-6.3.1.2-2.1
-          purposes: purposes ?? [{
-            required: true
-          }]
-        };
-      }
-      if (match.output.credential_format === "mso_mdoc") {
-        const {
-          doctype,
-          namespaces
-        } = match.output;
-        const [, keyTag, credential] = credentialsMdoc.find(_ref8 => {
-          let [type] = _ref8;
-          return type === doctype;
-        });
-        const requiredDisclosures = Object.entries(namespaces).reduce((acc, _ref9) => {
-          let [ns, nsClaims] = _ref9;
-          return [...acc, ...Object.entries(nsClaims).map(_ref10 => {
-            let [claimName] = _ref10;
-            return {
-              namespace: ns,
-              name: claimName,
-              value: nsClaims[claimName]
-            };
-          })];
-        }, []);
-        return {
-          id,
-          keyTag,
-          format: match.output.credential_format,
-          credential,
-          requiredDisclosures,
-          // When it is a match but no credential_sets are found, the credential is required by default
-          // See https://openid.net/specs/openid-4-verifiable-presentations-1_0-24.html#section-6.3.1.2-2.1
-          purposes: purposes ?? [{
-            required: true
-          }],
-          doctype
-        };
-      }
-      throw new Error(`Unsupported credential format: ${match.output.credential_format}`);
+      const [keyTag, credential] = credentialsSdJwtByVct[vct];
+      const requiredDisclosures = Object.values(claims);
+      return {
+        id,
+        vct,
+        keyTag,
+        credential,
+        requiredDisclosures,
+        // When it is a match but no credential_sets are found, the credential is required by default
+        // See https://openid.net/specs/openid-4-verifiable-presentations-1_0-24.html#section-6.3.1.2-2.1
+        purposes: purposes ?? [{
+          required: true
+        }]
+      };
     });
   } catch (error) {
-    // Invalid DCQL query structure
+    // Invalid DCQL query structure. Remap to `DcqlError` for consistency.
     if ((0, _valibot.isValiError)(error)) {
-      throw new _errors.ValidationFailed({
-        message: "Invalid DCQL query",
-        reason: error.issues.map(issue => issue.message).join(", ")
+      throw new _dcql.DcqlError({
+        message: "Failed to parse the provided DCQL query",
+        code: "PARSE_ERROR",
+        cause: error.issues
       });
     }
-    if (error instanceof _dcql.DcqlError) {
-      // TODO [SIW-2110]: handle invalid DQCL query or let the error propagate
-    }
-    if (error instanceof _dcql.DcqlCredentialSetError) {
-      // TODO [SIW-2110]: handle missing credentials or let the error propagate
-    }
+
+    // Let other errors propagate so they can be caught with `err instanceof DcqlError`
     throw error;
   }
 };
 exports.evaluateDcqlQuery = evaluateDcqlQuery;
+const prepareRemotePresentations = async (credentials, nonce, clientId) => {
+  return Promise.all(credentials.map(async item => {
+    const {
+      vp_token
+    } = await (0, _sdJwt.prepareVpToken)(nonce, clientId, [item.credential, item.requestedClaims, (0, _crypto.createCryptoContextFor)(item.keyTag)]);
+    return {
+      credentialId: item.id,
+      requestedClaims: item.requestedClaims,
+      vpToken: vp_token,
+      format: "vc+sd-jwt"
+    };
+  }));
+};
+exports.prepareRemotePresentations = prepareRemotePresentations;
 //# sourceMappingURL=07-evaluate-dcql-query.js.map

package/lib/commonjs/credential/presentation/07-evaluate-dcql-query.js.map

@@ -1 +1 @@
-{"version":3,"names":["_dcql","require","_valibot","_sdJwt","_errors","_errors2","_ioReactNativeCbor","mapCredentialSdJwtToObj","credentials","map","_ref","jwt","sdJwt","disclosures","decode","credentialFormat","header","typ","vct","payload","credential_format","claims","reduce","acc","disclosure","decoded","mapCredentialsMdocToObj","credentialsMdoc","Promise","all","_ref2","type","_","credential","issuerSigned","CBOR","decodeIssuerSigned","undefined","CredentialNotFoundError","namespaces","Object","entries","nameSpaces","_ref3","ns","nsClaims","flattenNsClaims","ac","_ref4","el","elementIdentifier","elementValue","doctype","getDcqlQueryMatches","result","credential_matches","filter","_ref5","match","success","evaluateDcqlQuery","query","credentialsSdJwt","push","parsedQuery","DcqlQuery","parse","validate","queryResult","canBeSatisfied","Error","_ref6","_queryResult$credenti","id","purposes","credential_sets","set","_set$matching_options","matching_options","flat","includes","credentialSet","_credentialSet$purpos","description","purpose","toString","required","Boolean","output","keyTag","find","_ref7","requiredDisclosures","values","format","_ref8","_ref9","_ref10","claimName","namespace","name","value","error","isValiError","ValidationFailed","message","reason","issues","issue","join","DcqlError","DcqlCredentialSetError","exports"],"sourceRoot":"../../../../src","sources":["credential/presentation/07-evaluate-dcql-query.ts"],"mappings":";;;;;;AAAA,IAAAA,KAAA,GAAAC,OAAA;AAOA,IAAAC,QAAA,GAAAD,OAAA;AACA,IAAAE,MAAA,GAAAF,OAAA;AAEA,IAAAG,OAAA,GAAAH,OAAA;AACA,IAAAI,QAAA,GAAAJ,OAAA;AAEA,IAAAK,kBAAA,GAAAL,OAAA;AAEA;AACA;AACA;;AAiCA;AACA;AACA;AACA;AACA,MAAMM,uBAAuB,GAAIC,WAAuC,IACtEA,WAAW,CAACC,GAAG,CAACC,IAAA,IAAe;EAAA,IAAd,IAAKC,GAAG,CAAC,GAAAD,IAAA;EACxB,MAAM;IAAEE,KAAK;IAAEC;EAAY,CAAC,GAAG,IAAAC,aAAM,EAACH,GAAG,CAAC;EAC1C,MAAMI,gBAAgB,GAAGH,KAAK,CAACI,MAAM,CAACC,GAAG;EAEzC,OAAO;IACLC,GAAG,EAAEN,KAAK,CAACO,OAAO,CAACD,GAAG;IACtBE,iBAAiB,EAAEL,gBAAgB;IACnCM,MAAM,EAAER,WAAW,CAACS,MAAM,CACxB,CAACC,GAAG,EAAEC,UAAU,MAAM;MACpB,GAAGD,GAAG;MACN,CAACC,UAAU,CAACC,OAAO,CAAC,CAAC,CAAC,GAAGD,UAAU,CAACC;IACtC,CAAC,CAAC,EACF,CAAC,CACH;EACF,CAAC;AACH,CAAC,CAAC;;AAEJ;AACA;AACA;AACA;AACA,MAAMC,uBAAuB,GAAG,MAC9BC,eAA2C,IACxC;EACH,OAAO,MAAMC,OAAO,CAACC,GAAG,CACtBF,eAAe,aAAfA,eAAe,uBAAfA,eAAe,CAAElB,GAAG,CAAC,MAAAqB,KAAA,IAAiC;IAAA,IAA1B,CAACC,IAAI,EAAEC,CAAC,EAAEC,UAAU,CAAC,GAAAH,KAAA;IAC/C,MAAMI,YAAY,GAAGD,UAAU,GAC3B,MAAME,uBAAI,CAACC,kBAAkB,CAACH,UAAU,CAAC,GACzCI,SAAS;IACb,IAAI,CAACH,YAAY,EAAE;MACjB,MAAM,IAAII,gCAAuB,CAC/B,qCACF,CAAC;IACH;IAEA,MAAMC,UAAU,GAAGC,MAAM,CAACC,OAAO,CAACP,YAAY,CAACQ,UAAU,CAAC,CAACpB,MAAM,CAC/D,CAACC,GAAG,EAAAoB,KAAA,KAAqB;MAAA,IAAnB,CAACC,EAAE,EAAEC,QAAQ,CAAC,GAAAF,KAAA;MAClB,MAAMG,eAAe,GAAGN,MAAM,CAACC,OAAO,CAACI,QAAQ,CAAC,CAACvB,MAAM,CACrD,CAACyB,EAAE,EAAAC,KAAA;QAAA,IAAE,GAAGC,EAAE,CAAC,GAAAD,KAAA;QAAA,OAAM;UACf,GAAGD,EAAE;UACL,CAACE,EAAE,CAACC,iBAAiB,GAAGD,EAAE,CAACE;QAC7B,CAAC;MAAA,CAAC,EACF,CAAC,CACH,CAAC;MAED,OAAO;QACL,GAAG5B,GAAG;QACN,CAACqB,EAAE,GAAGE;MACR,CAAC;IACH,CAAC,EACD,CAAC,CACH,CAAC;IAED,OAAO;MACL1B,iBAAiB,EAAE,UAAU;MAC7BgC,OAAO,EAAErB,IAAI;MACbQ;IACF,CAAC;EACH,CAAC,CACH,CAAC;AACH,CAAC;;AAED;AACA;AACA;AACA,MAAMc,mBAAmB,GAAIC,MAAuB,IAClDd,MAAM,CAACC,OAAO,CAACa,MAAM,CAACC,kBAAkB,CAAC,CAACC,MAAM,CAC9CC,KAAA;EAAA,IAAC,GAAGC,KAAK,CAAC,GAAAD,KAAA;EAAA,OAAKC,KAAK,CAACC,OAAO,KAAK,IAAI;AAAA,CACvC,CAAiC;AAE5B,MAAMC,iBAAoC,GAAG,MAAAA,CAClDC,KAAK,EACLC,gBAAgB,EAChBnC,eAAe,KACZ;EACH,MAAMnB,WAAW,GAAG,EAAsB;EAC1CA,WAAW,CAACuD,IAAI,CAAC,GAAGxD,uBAAuB,CAACuD,gBAAgB,CAAC,CAAC;EAC9DtD,WAAW,CAACuD,IAAI,CAAC,IAAI,MAAMrC,uBAAuB,CAACC,eAAe,CAAC,CAAC,CAAC;EAErE,IAAI;IACF;IACA,MAAMqC,WAAW,GAAGC,eAAS,CAACC,KAAK,CAACL,KAAK,CAAC;IAC1CI,eAAS,CAACE,QAAQ,CAACH,WAAW,CAAC;IAE/B,MAAMI,WAAW,GAAGH,eAAS,CAACJ,KAAK,CAACG,WAAW,EAAExD,WAAW,CAAC;IAE7D,IAAI,CAAC4D,WAAW,CAACC,cAAc,EAAE;MAC/B,MAAM,IAAIC,KAAK,CAAC,mDAAmD,CAAC;IACtE;IAEA,OAAOjB,mBAAmB,CAACe,WAAW,CAAC,CAAC3D,GAAG,CAAC8D,KAAA,IAAiB;MAAA,IAAAC,qBAAA;MAAA,IAAhB,CAACC,EAAE,EAAEf,KAAK,CAAC,GAAAa,KAAA;MACtD,MAAMG,QAAQ,IAAAF,qBAAA,GAAGJ,WAAW,CAACO,eAAe,cAAAH,qBAAA,gBAAAA,qBAAA,GAA3BA,qBAAA,CACbhB,MAAM,CAAEoB,GAAG;QAAA,IAAAC,qBAAA;QAAA,QAAAA,qBAAA,GAAKD,GAAG,CAACE,gBAAgB,cAAAD,qBAAA,uBAApBA,qBAAA,CAAsBE,IAAI,CAAC,CAAC,CAACC,QAAQ,CAACP,EAAE,CAAC;MAAA,EAAC,cAAAD,qBAAA,uBAD7CA,qBAAA,CAEb/D,GAAG,CAAqBwE,aAAa;QAAA,IAAAC,qBAAA;QAAA,OAAM;UAC3CC,WAAW,GAAAD,qBAAA,GAAED,aAAa,CAACG,OAAO,cAAAF,qBAAA,uBAArBA,qBAAA,CAAuBG,QAAQ,CAAC,CAAC;UAC9CC,QAAQ,EAAEC,OAAO,CAACN,aAAa,CAACK,QAAQ;QAC1C,CAAC;MAAA,CAAC,CAAC;MAEL,IAAI5B,KAAK,CAAC8B,MAAM,CAACpE,iBAAiB,KAAK,WAAW,EAAE;QAClD,MAAM;UAAEF,GAAG;UAAEG;QAAO,CAAC,GAAGqC,KAAK,CAAC8B,MAAM;QAEpC,MAAM,GAAGC,MAAM,EAAExD,UAAU,CAAC,GAAG6B,gBAAgB,CAAC4B,IAAI,CAClDC,KAAA;UAAA,IAAC,CAAC5D,IAAI,CAAC,GAAA4D,KAAA;UAAA,OAAK5D,IAAI,KAAKb,GAAG;QAAA,CAC1B,CAAE;QACF,MAAM0E,mBAAmB,GAAGpD,MAAM,CAACqD,MAAM,CACvCxE,MACF,CAA0B;QAC1B,OAAO;UACLoD,EAAE;UACFvD,GAAG;UACHuE,MAAM;UACNK,MAAM,EAAEpC,KAAK,CAAC8B,MAAM,CAACpE,iBAAiB;UACtCa,UAAU;UACV2D,mBAAmB;UACnB;UACA;UACAlB,QAAQ,EAAEA,QAAQ,IAAI,CAAC;YAAEY,QAAQ,EAAE;UAAK,CAAC;QAC3C,CAAC;MACH;MAEA,IAAI5B,KAAK,CAAC8B,MAAM,CAACpE,iBAAiB,KAAK,UAAU,EAAE;QACjD,MAAM;UAAEgC,OAAO;UAAEb;QAAW,CAAC,GAAGmB,KAAK,CAAC8B,MAAM;QAE5C,MAAM,GAAGC,MAAM,EAAExD,UAAU,CAAC,GAAGN,eAAe,CAAC+D,IAAI,CACjDK,KAAA;UAAA,IAAC,CAAChE,IAAI,CAAC,GAAAgE,KAAA;UAAA,OAAKhE,IAAI,KAAKqB,OAAO;QAAA,CAC9B,CAAE;QACF,MAAMwC,mBAAmB,GAAGpD,MAAM,CAACC,OAAO,CAACF,UAAU,CAAC,CAACjB,MAAM,CAC3D,CAACC,GAAG,EAAAyE,KAAA;UAAA,IAAE,CAACpD,EAAE,EAAEC,QAAQ,CAAC,GAAAmD,KAAA;UAAA,OAAK,CACvB,GAAGzE,GAAG,EACN,GAAGiB,MAAM,CAACC,OAAO,CAACI,QAAQ,CAAC,CAACpC,GAAG,CAACwF,MAAA;YAAA,IAAC,CAACC,SAAS,CAAC,GAAAD,MAAA;YAAA,OAAM;cAChDE,SAAS,EAAEvD,EAAE;cACbwD,IAAI,EAAEF,SAAS;cACfG,KAAK,EAAExD,QAAQ,CAACqD,SAAS;YAC3B,CAAC;UAAA,CAAC,CAAC,CACJ;QAAA,GACD,EACF,CAAC;QAED,OAAO;UACLzB,EAAE;UACFgB,MAAM;UACNK,MAAM,EAAEpC,KAAK,CAAC8B,MAAM,CAACpE,iBAAiB;UACtCa,UAAU;UACV2D,mBAAmB;UACnB;UACA;UACAlB,QAAQ,EAAEA,QAAQ,IAAI,CAAC;YAAEY,QAAQ,EAAE;UAAK,CAAC,CAAC;UAC1ClC;QACF,CAAC;MACH;MAEA,MAAM,IAAIkB,KAAK,CACZ,kCAAiCZ,KAAK,CAAC8B,MAAM,CAACpE,iBAAkB,EACnE,CAAC;IACH,CAAC,CAAC;EACJ,CAAC,CAAC,OAAOkF,KAAK,EAAE;IACd;IACA,IAAI,IAAAC,oBAAW,EAACD,KAAK,CAAC,EAAE;MACtB,MAAM,IAAIE,wBAAgB,CAAC;QACzBC,OAAO,EAAE,oBAAoB;QAC7BC,MAAM,EAAEJ,KAAK,CAACK,MAAM,CAAClG,GAAG,CAAEmG,KAAK,IAAKA,KAAK,CAACH,OAAO,CAAC,CAACI,IAAI,CAAC,IAAI;MAC9D,CAAC,CAAC;IACJ;IAEA,IAAIP,KAAK,YAAYQ,eAAS,EAAE;MAC9B;IAAA;IAEF,IAAIR,KAAK,YAAYS,4BAAsB,EAAE;MAC3C;IAAA;IAEF,MAAMT,KAAK;EACb;AACF,CAAC;AAACU,OAAA,CAAApD,iBAAA,GAAAA,iBAAA"}
+{"version":3,"names":["_dcql","require","_valibot","_sdJwt","_crypto","_errors","mapCredentialToObject","jwt","sdJwt","disclosures","decode","credentialFormat","header","typ","Error","vct","payload","credential_format","claims","reduce","acc","disclosure","decoded","getDcqlQueryMatches","result","Object","entries","credential_matches","filter","_ref","match","success","getDcqlQueryFailedMatches","_ref2","extractMissingCredentials","queryResult","originalQuery","map","_ref3","_credential$meta","id","credential","credentials","find","c","format","vctValues","meta","vct_values","evaluateDcqlQuery","credentialsSdJwt","query","_ref4","parsedQuery","DcqlQuery","parse","validate","canBeSatisfied","CredentialsNotFoundError","credentialsSdJwtByVct","i","_ref5","_queryResult$credenti","output","purposes","credential_sets","set","_set$matching_options","matching_options","flat","includes","credentialSet","_credentialSet$purpos","description","purpose","toString","required","Boolean","keyTag","requiredDisclosures","values","error","isValiError","DcqlError","message","code","cause","issues","exports","prepareRemotePresentations","nonce","clientId","Promise","all","item","vp_token","prepareVpToken","requestedClaims","createCryptoContextFor","credentialId","vpToken"],"sourceRoot":"../../../../src","sources":["credential/presentation/07-evaluate-dcql-query.ts"],"mappings":";;;;;;AAAA,IAAAA,KAAA,GAAAC,OAAA;AACA,IAAAC,QAAA,GAAAD,OAAA;AACA,IAAAE,MAAA,GAAAF,OAAA;AAEA,IAAAG,OAAA,GAAAH,OAAA;AAEA,IAAAI,OAAA,GAAAJ,OAAA;AAEA;AACA;AACA;;AAuCA;AACA;AACA;AACA;AACA,MAAMK,qBAAqB,GAAIC,GAAW,IAAK;EAC7C,MAAM;IAAEC,KAAK;IAAEC;EAAY,CAAC,GAAG,IAAAC,aAAM,EAACH,GAAG,CAAC;EAC1C,MAAMI,gBAAgB,GAAGH,KAAK,CAACI,MAAM,CAACC,GAAG;;EAEzC;EACA,IAAIF,gBAAgB,KAAK,WAAW,EAAE;IACpC,MAAM,IAAIG,KAAK,CAAE,kCAAiCH,gBAAiB,EAAC,CAAC;EACvE;EAEA,OAAO;IACLI,GAAG,EAAEP,KAAK,CAACQ,OAAO,CAACD,GAAG;IACtBE,iBAAiB,EAAEN,gBAAgB;IACnCO,MAAM,EAAET,WAAW,CAACU,MAAM,CACxB,CAACC,GAAG,EAAEC,UAAU,MAAM;MACpB,GAAGD,GAAG;MACN,CAACC,UAAU,CAACC,OAAO,CAAC,CAAC,CAAC,GAAGD,UAAU,CAACC;IACtC,CAAC,CAAC,EACF,CAAC,CACH;EACF,CAAC;AACH,CAAC;;AAED;AACA;AACA;AACA,MAAMC,mBAAmB,GAAIC,MAAuB,IAClDC,MAAM,CAACC,OAAO,CAACF,MAAM,CAACG,kBAAkB,CAAC,CAACC,MAAM,CAC9CC,IAAA;EAAA,IAAC,GAAGC,KAAK,CAAC,GAAAD,IAAA;EAAA,OAAKC,KAAK,CAACC,OAAO,KAAK,IAAI;AAAA,CACvC,CAAiC;;AAEnC;AACA;AACA;AACA,MAAMC,yBAAyB,GAAIR,MAAuB,IACxDC,MAAM,CAACC,OAAO,CAACF,MAAM,CAACG,kBAAkB,CAAC,CAACC,MAAM,CAC9CK,KAAA;EAAA,IAAC,GAAGH,KAAK,CAAC,GAAAG,KAAA;EAAA,OAAKH,KAAK,CAACC,OAAO,KAAK,KAAK;AAAA,CACxC,CAAiC;;AAEnC;AACA;AACA;AACA;AACA;AACA,MAAMG,yBAAyB,GAAGA,CAChCC,WAA4B,EAC5BC,aAAwB,KACH;EACrB,OAAOJ,yBAAyB,CAACG,WAAW,CAAC,CAACE,GAAG,CAACC,KAAA,IAAU;IAAA,IAAAC,gBAAA;IAAA,IAAT,CAACC,EAAE,CAAC,GAAAF,KAAA;IACrD,MAAMG,UAAU,GAAGL,aAAa,CAACM,WAAW,CAACC,IAAI,CAAEC,CAAC,IAAKA,CAAC,CAACJ,EAAE,KAAKA,EAAE,CAAC;IACrE,IAAI,CAAAC,UAAU,aAAVA,UAAU,uBAAVA,UAAU,CAAEI,MAAM,MAAK,WAAW,EAAE;MACtC,MAAM,IAAI/B,KAAK,CAAC,oBAAoB,CAAC,CAAC,CAAC;IACzC;;IACA,OAAO;MAAE0B,EAAE;MAAEM,SAAS,GAAAP,gBAAA,GAAEE,UAAU,CAACM,IAAI,cAAAR,gBAAA,uBAAfA,gBAAA,CAAiBS;IAAW,CAAC;EACvD,CAAC,CAAC;AACJ,CAAC;AAEM,MAAMC,iBAAoC,GAAGA,CAClDC,gBAAgB,EAChBC,KAAK,KACF;EACH,MAAMT,WAAW,GAAGQ,gBAAgB,CAACb,GAAG,CAACe,KAAA;IAAA,IAAC,GAAGX,UAAU,CAAC,GAAAW,KAAA;IAAA,OACtD9C,qBAAqB,CAACmC,UAAU,CAAC;EAAA,CACnC,CAAC;EAED,IAAI;IACF;IACA,MAAMY,WAAW,GAAGC,eAAS,CAACC,KAAK,CAACJ,KAAK,CAAC;IAC1CG,eAAS,CAACE,QAAQ,CAACH,WAAW,CAAC;IAE/B,MAAMlB,WAAW,GAAGmB,eAAS,CAACH,KAAK,CAACE,WAAW,EAAEX,WAAW,CAAC;IAE7D,IAAI,CAACP,WAAW,CAACsB,cAAc,EAAE;MAC/B,MAAM,IAAIC,gCAAwB,CAChCxB,yBAAyB,CAACC,WAAW,EAAEkB,WAAW,CACpD,CAAC;IACH;;IAEA;IACA,MAAMM,qBAAqB,GAAGjB,WAAW,CAACvB,MAAM,CAC9C,CAACC,GAAG,EAAEwB,CAAC,EAAEgB,CAAC,MAAM;MAAE,GAAGxC,GAAG;MAAE,CAACwB,CAAC,CAAC7B,GAAG,GAAGmC,gBAAgB,CAACU,CAAC;IAAG,CAAC,CAAC,EAC1D,CAAC,CACH,CAAC;IAED,OAAOrC,mBAAmB,CAACY,WAAW,CAAC,CAACE,GAAG,CAACwB,KAAA,IAAiB;MAAA,IAAAC,qBAAA;MAAA,IAAhB,CAACtB,EAAE,EAAEV,KAAK,CAAC,GAAA+B,KAAA;MACtD,IAAI/B,KAAK,CAACiC,MAAM,CAAC9C,iBAAiB,KAAK,WAAW,EAAE;QAClD,MAAM,IAAIH,KAAK,CAAC,oBAAoB,CAAC,CAAC,CAAC;MACzC;;MACA,MAAM;QAAEC,GAAG;QAAEG;MAAO,CAAC,GAAGY,KAAK,CAACiC,MAAM;MAEpC,MAAMC,QAAQ,IAAAF,qBAAA,GAAG3B,WAAW,CAAC8B,eAAe,cAAAH,qBAAA,gBAAAA,qBAAA,GAA3BA,qBAAA,CACblC,MAAM,CAAEsC,GAAG;QAAA,IAAAC,qBAAA;QAAA,QAAAA,qBAAA,GAAKD,GAAG,CAACE,gBAAgB,cAAAD,qBAAA,uBAApBA,qBAAA,CAAsBE,IAAI,CAAC,CAAC,CAACC,QAAQ,CAAC9B,EAAE,CAAC;MAAA,EAAC,cAAAsB,qBAAA,uBAD7CA,qBAAA,CAEbzB,GAAG,CAAqBkC,aAAa;QAAA,IAAAC,qBAAA;QAAA,OAAM;UAC3CC,WAAW,GAAAD,qBAAA,GAAED,aAAa,CAACG,OAAO,cAAAF,qBAAA,uBAArBA,qBAAA,CAAuBG,QAAQ,CAAC,CAAC;UAC9CC,QAAQ,EAAEC,OAAO,CAACN,aAAa,CAACK,QAAQ;QAC1C,CAAC;MAAA,CAAC,CAAC;MAEL,MAAM,CAACE,MAAM,EAAErC,UAAU,CAAC,GAAGkB,qBAAqB,CAAC5C,GAAG,CAAE;MACxD,MAAMgE,mBAAmB,GAAGtD,MAAM,CAACuD,MAAM,CAAC9D,MAAM,CAAiB;MACjE,OAAO;QACLsB,EAAE;QACFzB,GAAG;QACH+D,MAAM;QACNrC,UAAU;QACVsC,mBAAmB;QACnB;QACA;QACAf,QAAQ,EAAEA,QAAQ,IAAI,CAAC;UAAEY,QAAQ,EAAE;QAAK,CAAC;MAC3C,CAAC;IACH,CAAC,CAAC;EACJ,CAAC,CAAC,OAAOK,KAAK,EAAE;IACd;IACA,IAAI,IAAAC,oBAAW,EAACD,KAAK,CAAC,EAAE;MACtB,MAAM,IAAIE,eAAS,CAAC;QAClBC,OAAO,EAAE,yCAAyC;QAClDC,IAAI,EAAE,aAAa;QACnBC,KAAK,EAAEL,KAAK,CAACM;MACf,CAAC,CAAC;IACJ;;IAEA;IACA,MAAMN,KAAK;EACb;AACF,CAAC;AAACO,OAAA,CAAAvC,iBAAA,GAAAA,iBAAA;AAEK,MAAMwC,0BAAsD,GAAG,MAAAA,CACpE/C,WAAW,EACXgD,KAAK,EACLC,QAAQ,KACL;EACH,OAAOC,OAAO,CAACC,GAAG,CAChBnD,WAAW,CAACL,GAAG,CAAC,MAAOyD,IAAI,IAAK;IAC9B,MAAM;MAAEC;IAAS,CAAC,GAAG,MAAM,IAAAC,qBAAc,EAACN,KAAK,EAAEC,QAAQ,EAAE,CACzDG,IAAI,CAACrD,UAAU,EACfqD,IAAI,CAACG,eAAe,EACpB,IAAAC,8BAAsB,EAACJ,IAAI,CAAChB,MAAM,CAAC,CACpC,CAAC;IAEF,OAAO;MACLqB,YAAY,EAAEL,IAAI,CAACtD,EAAE;MACrByD,eAAe,EAAEH,IAAI,CAACG,eAAe;MACrCG,OAAO,EAAEL,QAAQ;MACjBlD,MAAM,EAAE;IACV,CAAC;EACH,CAAC,CACH,CAAC;AACH,CAAC;AAAC2C,OAAA,CAAAC,0BAAA,GAAAA,0BAAA"}