@pagopa/io-react-native-wallet 1.7.1 → 2.0.0-next.1

package/src/credential/presentation/08-send-authorization-response.ts

@@ -1,26 +1,24 @@
 import { EncryptJwe } from "@pagopa/io-react-native-jwt";
 import uuid from "react-native-uuid";
-import type { FetchJwks } from "./04-retrieve-rp-jwks";
-import type { VerifyRequestObjectSignature } from "./05-verify-request-object";
-import {
-  NoSuitableKeysFoundInEntityConfiguration,
-  CredentialNotFoundError,
-} from "./errors";
+import { getJwksFromConfig, type FetchJwks } from "./04-retrieve-rp-jwks";
+import type { VerifyRequestObject } from "./05-verify-request-object";
+import { NoSuitableKeysFoundInEntityConfiguration } from "./errors";
 import { hasStatusOrThrow, type Out } from "../../utils/misc";
 import {
+  type RemotePresentation,
   DirectAuthorizationBodyPayload,
   ErrorResponse,
-  type RemotePresentation,
-  type PrepareRemotePresentations,
+  type LegacyRemotePresentation,
 } from "./types";
 import * as z from "zod";
 import type { JWK } from "../../utils/jwk";
-import { Base64 } from "js-base64";
-
-import { prepareVpTokenMdoc } from "../../mdoc";
-import { generateRandomAlphaNumericString } from "../../utils/misc";
-import { createCryptoContextFor } from "../../utils/crypto";
-import { prepareVpToken } from "../../sd-jwt";
+import type { RelyingPartyEntityConfiguration } from "../../trust";
+import {
+  RelyingPartyResponseError,
+  ResponseErrorBuilder,
+  UnexpectedStatusCodeError,
+  RelyingPartyResponseErrorCodes,
+} from "../../utils/errors";
 
 export type AuthorizationResponse = z.infer<typeof AuthorizationResponse>;
 export const AuthorizationResponse = z.object({
@@ -39,9 +37,6 @@ export const AuthorizationResponse = z.object({
  * Selects a public key (with `use = enc`) from the set of JWK keys
  * offered by the Relying Party (RP) for encryption.
  *
- * Preference is given to EC keys (P-256 or P-384), followed by RSA keys,
- * based on compatibility and common usage for encryption.
- *
  * @param rpJwkKeys - The array of JWKs retrieved from the RP entity configuration.
  * @returns The first suitable public key found in the list.
  * @throws {NoSuitableKeysFoundInEntityConfiguration} If no suitable encryption key is found.
@@ -49,18 +44,7 @@ export const AuthorizationResponse = z.object({
 export const choosePublicKeyToEncrypt = (
   rpJwkKeys: Out<FetchJwks>["keys"]
 ): JWK => {
-  // First try to find RSA keys which are more commonly used for encryption
-  const encKeys = rpJwkKeys.filter((jwk) => jwk.use === "enc");
-
-  // Prioritize EC keys first, then fall back to RSA keys if needed
-  // io-react-native-jwt support only EC keys with P-256 or P-384 curves
-  const ecEncKeys = encKeys.filter(
-    (jwk) => jwk.kty === "EC" && (jwk.crv === "P-256" || jwk.crv === "P-384")
-  );
-  const rsaEncKeys = encKeys.filter((jwk) => jwk.kty === "RSA");
-
-  // Select the first available key based on priority
-  const encKey = ecEncKeys[0] || rsaEncKeys[0] || encKeys[0];
+  const encKey = rpJwkKeys.find((jwk) => jwk.use === "enc");
 
   if (encKey) {
     return encKey;
@@ -72,72 +56,44 @@ export const choosePublicKeyToEncrypt = (
   );
 };
 
-/**
- * Builds a URL-encoded form body for a direct POST response without encryption.
- *
- * @param requestObject - Contains state, nonce, and other relevant info.
- * @param payload - Object that contains either the VP token to encrypt and the stringified mapping of the credential disclosures or the error code
- * @returns A URL-encoded string suitable for an `application/x-www-form-urlencoded` POST body.
- */
-export const buildDirectPostBody = async (
-  requestObject: Out<VerifyRequestObjectSignature>["requestObject"],
-  payload: DirectAuthorizationBodyPayload
-): Promise<string> => {
-  const formUrlEncodedBody = new URLSearchParams({
-    ...(requestObject.state ? { state: requestObject.state } : {}),
-    ...Object.fromEntries(
-      Object.entries(payload).map(([key, value]) => {
-        return [
-          key,
-          Array.isArray(value) || typeof value === "object"
-            ? JSON.stringify(value)
-            : value,
-        ];
-      })
-    ),
-  });
-
-  return formUrlEncodedBody.toString();
-};
-
 /**
  * Builds a URL-encoded form body for a direct POST response using JWT encryption.
  *
  * @param jwkKeys - Array of JWKs from the Relying Party for encryption.
  * @param requestObject - Contains state, nonce, and other relevant info.
- * @param payload - Object that contains either the VP token to encrypt and the mapping of the credential disclosures or the error code
- * @param generatedNonce - Optional nonce for the `apu` claim in the JWE header, it is used during ISO 18013-7.
- * @returns A URL-encoded string for an `application/x-www-form-urlencoded` POST body,
- *          where `response` contains the encrypted JWE.
+ * @param payload - Object that contains the VP token to encrypt and the mapping of the credential disclosures
+ * @returns A URL-encoded string for an `application/x-www-form-urlencoded` POST body, where `response` contains the encrypted JWE.
  */
 export const buildDirectPostJwtBody = async (
-  jwkKeys: Out<FetchJwks>["keys"],
-  requestObject: Out<VerifyRequestObjectSignature>["requestObject"],
-  payload: DirectAuthorizationBodyPayload,
-  generatedNonce?: string
+  requestObject: Out<VerifyRequestObject>["requestObject"],
+  rpConf: RelyingPartyEntityConfiguration["payload"]["metadata"],
+  payload: DirectAuthorizationBodyPayload
 ): Promise<string> => {
+  type Jwe = ConstructorParameters<typeof EncryptJwe>[1];
+
   // Prepare the authorization response payload to be encrypted
   const authzResponsePayload = JSON.stringify({
     state: requestObject.state,
     ...payload,
   });
+  // Choose a suitable public key for encryption
+  const { keys } = getJwksFromConfig(rpConf);
+  const encPublicJwk = choosePublicKeyToEncrypt(keys);
 
-  const encPublicJwk = choosePublicKeyToEncrypt(jwkKeys);
   // Encrypt the authorization payload
-  const { client_metadata } = requestObject;
+  const {
+    authorization_encrypted_response_alg,
+    authorization_encrypted_response_enc,
+  } = rpConf.openid_credential_verifier;
+
+  const defaultAlg: Jwe["alg"] =
+    encPublicJwk.kty === "EC" ? "ECDH-ES" : "RSA-OAEP-256";
+
   const encryptedResponse = await new EncryptJwe(authzResponsePayload, {
-    alg:
-      (client_metadata?.authorization_encrypted_response_alg as
-        | "RSA-OAEP-256"
-        | "RSA-OAEP") || "RSA-OAEP-256",
+    alg: (authorization_encrypted_response_alg as Jwe["alg"]) || defaultAlg,
     enc:
-      (client_metadata?.authorization_encrypted_response_enc as
-        | "A256CBC-HS512"
-        | "A128CBC-HS256") || "A256CBC-HS512",
+      (authorization_encrypted_response_enc as Jwe["enc"]) || "A256CBC-HS512",
     kid: encPublicJwk.kid,
-    /* ISO 18013-7 */
-    apv: Base64.encodeURI(requestObject.nonce),
-    ...(generatedNonce ? { apu: Base64.encodeURI(generatedNonce) } : {}),
   }).encrypt(encPublicJwk);
 
   // Build the x-www-form-urlencoded form body
@@ -149,27 +105,44 @@ export const buildDirectPostJwtBody = async (
 };
 
 /**
- * Type definition for the function that sends the authorization response
- * to the Relying Party, completing the presentation flow.
+ * Builds a URL-encoded form body for a direct POST response without encryption.
+ *
+ * @param requestObject - Contains state, nonce, and other relevant info.
+ * @param payload - Object that contains either the VP token to encrypt and the stringified mapping of the credential disclosures or the error code
+ * @returns A URL-encoded string suitable for an `application/x-www-form-urlencoded` POST body.
  */
-export type SendAuthorizationResponse = (
-  requestObject: Out<VerifyRequestObjectSignature>["requestObject"],
-  presentationDefinitionId: string,
-  jwkKeys: Out<FetchJwks>["keys"],
-  remotePresentation: RemotePresentation,
-  context?: {
-    appFetch?: GlobalFetch["fetch"];
-  }
-) => Promise<AuthorizationResponse>;
+export const buildDirectPostBody = async (
+  requestObject: Out<VerifyRequestObject>["requestObject"],
+  payload: DirectAuthorizationBodyPayload
+): Promise<string> => {
+  const formUrlEncodedBody = new URLSearchParams({
+    ...(requestObject.state && { state: requestObject.state }),
+    ...Object.entries(payload).reduce(
+      (acc, [key, value]) => ({
+        ...acc,
+        [key]:
+          Array.isArray(value) || typeof value === "object"
+            ? JSON.stringify(value)
+            : value,
+      }),
+      {} as Record<string, string>
+    ),
+  });
+
+  return formUrlEncodedBody.toString();
+};
 
 /**
  * Type definition for the function that sends the authorization response
  * to the Relying Party, completing the presentation flow.
+ * Use with `presentation_definition`.
+ * @deprecated Use `sendAuthorizationResponse`
  */
-export type SendAuthorizationResponseDcql = (
-  requestObject: Out<VerifyRequestObjectSignature>["requestObject"],
-  jwkKeys: Out<FetchJwks>["keys"],
-  remotePresentation: RemotePresentation,
+export type SendLegacyAuthorizationResponse = (
+  requestObject: Out<VerifyRequestObject>["requestObject"],
+  presentationDefinitionId: string,
+  remotePresentations: LegacyRemotePresentation[],
+  rpConf: RelyingPartyEntityConfiguration["payload"]["metadata"],
   context?: {
     appFetch?: GlobalFetch["fetch"];
   }
@@ -186,55 +159,91 @@ export type SendAuthorizationResponseDcql = (
  * @param context - Contains optional custom fetch implementation.
  * @returns Parsed and validated authorization response from the Relying Party.
  */
-export const sendAuthorizationResponse: SendAuthorizationResponse = async (
-  requestObject,
-  presentationDefinitionId,
-  jwkKeys,
-  remotePresentation,
-  { appFetch = fetch } = {}
-): Promise<AuthorizationResponse> => {
-  const { generatedNonce, presentations } = remotePresentation;
-  /**
-   * 1. Prepare the VP token and presentation submission
-   * If there is only one credential, `vpToken` is a single string.
-   * If there are multiple credential, `vpToken` is an array of string.
-   **/
-  const vp_token =
-    presentations?.length === 1
-      ? presentations[0]?.vpToken
-      : presentations.map((presentation) => presentation.vpToken);
+export const sendLegacyAuthorizationResponse: SendLegacyAuthorizationResponse =
+  async (
+    requestObject,
+    presentationDefinitionId,
+    remotePresentations,
+    rpConf,
+    { appFetch = fetch } = {}
+  ): Promise<AuthorizationResponse> => {
+    /**
+     * 1. Prepare the VP token and presentation submission
+     * If there is only one credential, `vpToken` is a single string.
+     * If there are multiple credential, `vpToken` is an array of string.
+     **/
+    const vp_token =
+      remotePresentations?.length === 1
+        ? remotePresentations[0]?.vpToken
+        : remotePresentations.map(
+            (remotePresentation) => remotePresentation.vpToken
+          );
+
+    const descriptor_map = remotePresentations.map(
+      (remotePresentation, index) => ({
+        id: remotePresentation.inputDescriptor.id,
+        path: remotePresentations.length === 1 ? `$` : `$[${index}]`,
+        format: remotePresentation.format,
+      })
+    );
 
-  const descriptor_map = presentations.map((presentation, index) => ({
-    id: presentation.credentialId,
-    path: presentations?.length === 1 ? `$` : `$[${index}]`,
-    format: presentation.format,
-  }));
+    const presentation_submission = {
+      id: uuid.v4(),
+      definition_id: presentationDefinitionId,
+      descriptor_map,
+    };
 
-  const presentation_submission = {
-    id: uuid.v4(),
-    definition_id: presentationDefinitionId,
-    descriptor_map,
+    const requestBody = await buildDirectPostJwtBody(requestObject, rpConf, {
+      vp_token,
+      presentation_submission,
+    });
+
+    // 3. Send the authorization response via HTTP POST and validate the response
+    return await appFetch(requestObject.response_uri, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
+      },
+      body: requestBody,
+    })
+      .then(hasStatusOrThrow(200))
+      .then((res) => res.json())
+      .then(AuthorizationResponse.parse);
   };
 
-  // 2. Choose the appropriate request body builder based on response mode
-  const requestBody =
-    requestObject.response_mode === "direct_post.jwt"
-      ? await buildDirectPostJwtBody(
-          jwkKeys,
-          requestObject,
-          {
-            vp_token,
-            presentation_submission,
-          },
-          generatedNonce
-        )
-      : await buildDirectPostBody(requestObject, {
-          vp_token,
-          presentation_submission: presentation_submission,
-        });
+/**
+ * Type definition for the function that sends the authorization response
+ * to the Relying Party, completing the presentation flow.
+ * Use with DCQL queries.
+ */
+export type SendAuthorizationResponse = (
+  requestObject: Out<VerifyRequestObject>["requestObject"],
+  remotePresentations: RemotePresentation[],
+  rpConf: RelyingPartyEntityConfiguration["payload"]["metadata"],
+  context?: {
+    appFetch?: GlobalFetch["fetch"];
+  }
+) => Promise<AuthorizationResponse>;
 
-  // 3. Send the authorization response via HTTP POST and validate the response
-  const authResponse = await appFetch(requestObject.response_uri, {
+export const sendAuthorizationResponse: SendAuthorizationResponse = async (
+  requestObject,
+  remotePresentations,
+  rpConf,
+  { appFetch = fetch } = {}
+): Promise<AuthorizationResponse> => {
+  // 1. Prepare the VP token as a JSON object with keys corresponding to the DCQL query credential IDs
+  const requestBody = await buildDirectPostJwtBody(requestObject, rpConf, {
+    vp_token: remotePresentations.reduce(
+      (acc, presentation) => ({
+        ...acc,
+        [presentation.credentialId]: presentation.vpToken,
+      }),
+      {} as Record<string, string>
+    ),
+  });
+
+  // 2. Send the authorization response via HTTP POST and validate the response
+  return await appFetch(requestObject.response_uri, {
     method: "POST",
     headers: {
       "Content-Type": "application/x-www-form-urlencoded",
@@ -243,10 +252,8 @@ export const sendAuthorizationResponse: SendAuthorizationResponse = async (
   })
     .then(hasStatusOrThrow(200))
     .then((res) => res.json())
-    .then(AuthorizationResponse.safeParse);
-
-  // Some Relying Parties may return an empty body.
-  return authResponse.success ? authResponse.data : {};
+    .then(AuthorizationResponse.parse)
+    .catch(handleAuthorizationResponseError);
 };
 
 /**
@@ -254,9 +261,8 @@ export const sendAuthorizationResponse: SendAuthorizationResponse = async (
  * to the Relying Party, completing the presentation flow.
  */
 export type SendAuthorizationErrorResponse = (
-  requestObject: Out<VerifyRequestObjectSignature>["requestObject"],
-  error: ErrorResponse,
-  jwkKeys: Out<FetchJwks>["keys"],
+  requestObject: Out<VerifyRequestObject>["requestObject"],
+  error: { error: ErrorResponse; errorDescription: string },
   context?: {
     appFetch?: GlobalFetch["fetch"];
   }
@@ -267,61 +273,21 @@ export type SendAuthorizationErrorResponse = (
  * This function completes the presentation flow in an OpenID 4 Verifiable Presentations scenario.
  *
  * @param requestObject - The request details, including presentation requirements.
- * @param error - The response error value
- * @param jwkKeys - Array of JWKs from the Relying Party for optional encryption.
+ * @param error - The response error value, with description
  * @param context - Contains optional custom fetch implementation.
  * @returns Parsed and validated authorization response from the Relying Party.
  */
 export const sendAuthorizationErrorResponse: SendAuthorizationErrorResponse =
   async (
     requestObject,
-    error,
-    jwkKeys,
+    { error, errorDescription },
     { appFetch = fetch } = {}
   ): Promise<AuthorizationResponse> => {
-    // 2. Choose the appropriate request body builder based on response mode
-    const requestBody =
-      requestObject.response_mode === "direct_post.jwt"
-        ? await buildDirectPostJwtBody(jwkKeys, requestObject, { error })
-        : await buildDirectPostBody(requestObject, { error });
-    // 3. Send the authorization error response via HTTP POST and validate the response
-    return await appFetch(requestObject.response_uri, {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/x-www-form-urlencoded",
-      },
-      body: requestBody,
-    })
-      .then(hasStatusOrThrow(200))
-      .then((res) => res.json())
-      .then(AuthorizationResponse.parse);
-  };
+    const requestBody = await buildDirectPostBody(requestObject, {
+      error,
+      error_description: errorDescription,
+    });
 
-export const sendAuthorizationResponseDcql: SendAuthorizationResponseDcql =
-  async (
-    requestObject,
-    jwkKeys,
-    remotePresentation,
-    { appFetch = fetch } = {}
-  ): Promise<AuthorizationResponse> => {
-    const { generatedNonce, presentations } = remotePresentation;
-    // 1. Prepare the VP token as a JSON object with keys corresponding to the DCQL query credential IDs
-    const requestBody = await buildDirectPostJwtBody(
-      jwkKeys,
-      requestObject,
-      {
-        vp_token: presentations.reduce(
-          (acc, presentation) => ({
-            ...acc,
-            [presentation.credentialId]: presentation.vpToken,
-          }),
-          {} as Record<string, string>
-        ),
-      },
-      generatedNonce
-    );
-
-    // 2. Send the authorization response via HTTP POST and validate the response
     return await appFetch(requestObject.response_uri, {
       method: "POST",
       headers: {
@@ -329,83 +295,35 @@ export const sendAuthorizationResponseDcql: SendAuthorizationResponseDcql =
       },
       body: requestBody,
     })
-      .then(hasStatusOrThrow(200))
+      .then(hasStatusOrThrow(200, RelyingPartyResponseError))
       .then((res) => res.json())
       .then(AuthorizationResponse.parse);
   };
 
 /**
- * Prepares remote presentations for a set of credentials.
- *
- * For each credential, this function:
- * - Validates the credential format (currently supports 'mso_mdoc' and 'vc+sd-jwt').
- * - Generates a verifiable presentation token (vpToken) using the appropriate method.
- * - For ISO 18013-7, generates a special nonce with minimum entropy of 16.
- *
- * @param credentials - An array of credential items containing format, credential data, requested claims, and key information.
- * @param authRequestObject - The authentication request object containing nonce, clientId, and responseUri.
- * @returns A promise that resolves to an object containing an array of presentations and the generated nonce.
- * @throws {CredentialNotFoundError} When the credential format is unsupported.
+ * Handle the the presentation error by mapping it to a custom exception.
+ * If the error is not an instance of {@link UnexpectedStatusCodeError}, it is thrown as is.
+ * @param e - The error to be handled
+ * @throws {RelyingPartyResponseError} with a specific code for more context
  */
-export const prepareRemotePresentations: PrepareRemotePresentations = async (
-  credentials,
-  authRequestObject
-) => {
-  /* In case of ISO 18013-7 we need a nonce, it shall have a minimum entropy of 16  */
-  const generatedNonce = generateRandomAlphaNumericString(16);
-
-  const presentations = await Promise.all(
-    credentials.map(async (item) => {
-      const { credentialInputId, format } = item;
-
-      if (format === "mso_mdoc") {
-        const { vp_token } = await prepareVpTokenMdoc(
-          authRequestObject.nonce,
-          generatedNonce,
-          authRequestObject.clientId,
-          authRequestObject.responseUri,
-          item.doctype,
-          item.keyTag,
-          [
-            item.credential,
-            item.requestedClaims,
-            createCryptoContextFor(item.keyTag),
-          ]
-        );
-
-        return {
-          requestedClaims: [...item.requestedClaims.map(({ name }) => name)],
-          credentialId: credentialInputId,
-          vpToken: vp_token,
-          format: "mso_mdoc",
-        };
-      }
-
-      if (format === "vc+sd-jwt") {
-        const { vp_token } = await prepareVpToken(
-          authRequestObject.nonce,
-          authRequestObject.clientId,
-          [
-            item.credential,
-            item.requestedClaims,
-            createCryptoContextFor(item.keyTag),
-          ]
-        );
-
-        return {
-          requestedClaims: [...item.requestedClaims.map(({ name }) => name)],
-          credentialId: credentialInputId,
-          vpToken: vp_token,
-          format: "vc+sd-jwt",
-        };
-      }
+const handleAuthorizationResponseError = (e: unknown) => {
+  if (!(e instanceof UnexpectedStatusCodeError)) {
+    throw e;
+  }
 
-      throw new CredentialNotFoundError(`${format} format is not supported.`);
+  throw new ResponseErrorBuilder(RelyingPartyResponseError)
+    .handle(400, {
+      code: RelyingPartyResponseErrorCodes.InvalidAuthorizationResponse,
+      message:
+        "The Authorization Response contains invalid parameters or it is malformed",
     })
-  );
-
-  return {
-    presentations,
-    generatedNonce,
-  };
+    .handle(403, {
+      code: RelyingPartyResponseErrorCodes.InvalidAuthorizationResponse,
+      message: "The Authorization Response was forbidden",
+    })
+    .handle("*", {
+      code: RelyingPartyResponseErrorCodes.RelyingPartyGenericError,
+      message: "Unable to successfully send the Authorization Response",
+    })
+    .buildFrom(e);
 };