@pagopa/io-react-native-wallet 2.0.0-next.2 → 2.0.0-next.3
- package/lib/commonjs/credential/issuance/03-start-user-authorization.js +38 -24
- package/lib/commonjs/credential/issuance/03-start-user-authorization.js.map +1 -1
- package/lib/commonjs/credential/issuance/05-authorize-access.js +6 -10
- package/lib/commonjs/credential/issuance/05-authorize-access.js.map +1 -1
- package/lib/commonjs/credential/issuance/06-obtain-credential.js +43 -11
- package/lib/commonjs/credential/issuance/06-obtain-credential.js.map +1 -1
- package/lib/commonjs/credential/issuance/07-verify-and-parse-credential.js +51 -48
- package/lib/commonjs/credential/issuance/07-verify-and-parse-credential.js.map +1 -1
- package/lib/commonjs/credential/issuance/README.md +34 -13
- package/lib/commonjs/credential/issuance/const.js +1 -1
- package/lib/commonjs/credential/issuance/types.js +16 -10
- package/lib/commonjs/credential/issuance/types.js.map +1 -1
- package/lib/commonjs/credential/presentation/07-evaluate-dcql-query.js +4 -4
- package/lib/commonjs/credential/presentation/07-evaluate-input-descriptor.js +3 -3
- package/lib/commonjs/credential/status/README.md +0 -1
- package/lib/commonjs/sd-jwt/__test__/index.test.js +11 -15
- package/lib/commonjs/sd-jwt/__test__/index.test.js.map +1 -1
- package/lib/commonjs/sd-jwt/__test__/types.test.js +5 -2
- package/lib/commonjs/sd-jwt/__test__/types.test.js.map +1 -1
- package/lib/commonjs/sd-jwt/__test__/utils.test.js +37 -0
- package/lib/commonjs/sd-jwt/__test__/utils.test.js.map +1 -0
- package/lib/commonjs/sd-jwt/index.js +20 -0
- package/lib/commonjs/sd-jwt/index.js.map +1 -1
- package/lib/commonjs/sd-jwt/types.js +51 -4
- package/lib/commonjs/sd-jwt/types.js.map +1 -1
- package/lib/commonjs/sd-jwt/utils.js +64 -0
- package/lib/commonjs/sd-jwt/utils.js.map +1 -0
- package/lib/commonjs/trust/types.js +18 -13
- package/lib/commonjs/trust/types.js.map +1 -1
- package/lib/commonjs/utils/par.js +32 -22
- package/lib/commonjs/utils/par.js.map +1 -1
- package/lib/commonjs/utils/pop.js +1 -1
- package/lib/commonjs/utils/pop.js.map +1 -1
- package/lib/commonjs/wallet-instance-attestation/types.js +5 -1
- package/lib/commonjs/wallet-instance-attestation/types.js.map +1 -1
- package/lib/module/credential/issuance/03-start-user-authorization.js +38 -24
- package/lib/module/credential/issuance/03-start-user-authorization.js.map +1 -1
- package/lib/module/credential/issuance/05-authorize-access.js +6 -10
- package/lib/module/credential/issuance/05-authorize-access.js.map +1 -1
- package/lib/module/credential/issuance/06-obtain-credential.js +44 -12
- package/lib/module/credential/issuance/06-obtain-credential.js.map +1 -1
- package/lib/module/credential/issuance/07-verify-and-parse-credential.js +51 -48
- package/lib/module/credential/issuance/07-verify-and-parse-credential.js.map +1 -1
- package/lib/module/credential/issuance/README.md +34 -13
- package/lib/module/credential/issuance/const.js +1 -1
- package/lib/module/credential/issuance/types.js +12 -8
- package/lib/module/credential/issuance/types.js.map +1 -1
- package/lib/module/credential/presentation/07-evaluate-dcql-query.js +4 -4
- package/lib/module/credential/presentation/07-evaluate-input-descriptor.js +3 -3
- package/lib/module/credential/status/README.md +0 -1
- package/lib/module/sd-jwt/__test__/index.test.js +11 -16
- package/lib/module/sd-jwt/__test__/index.test.js.map +1 -1
- package/lib/module/sd-jwt/__test__/types.test.js +5 -2
- package/lib/module/sd-jwt/__test__/types.test.js.map +1 -1
- package/lib/module/sd-jwt/__test__/utils.test.js +35 -0
- package/lib/module/sd-jwt/__test__/utils.test.js.map +1 -0
- package/lib/module/sd-jwt/index.js +1 -0
- package/lib/module/sd-jwt/index.js.map +1 -1
- package/lib/module/sd-jwt/types.js +50 -3
- package/lib/module/sd-jwt/types.js.map +1 -1
- package/lib/module/sd-jwt/utils.js +57 -0
- package/lib/module/sd-jwt/utils.js.map +1 -0
- package/lib/module/trust/types.js +18 -13
- package/lib/module/trust/types.js.map +1 -1
- package/lib/module/utils/par.js +29 -20
- package/lib/module/utils/par.js.map +1 -1
- package/lib/module/utils/pop.js +1 -1
- package/lib/module/utils/pop.js.map +1 -1
- package/lib/module/wallet-instance-attestation/types.js +5 -1
- package/lib/module/wallet-instance-attestation/types.js.map +1 -1
- package/lib/typescript/client/generated/wallet-provider.d.ts +12 -12
- package/lib/typescript/credential/issuance/01-start-flow.d.ts +2 -2
- package/lib/typescript/credential/issuance/01-start-flow.d.ts.map +1 -1
- package/lib/typescript/credential/issuance/03-start-user-authorization.d.ts +7 -6
- package/lib/typescript/credential/issuance/03-start-user-authorization.d.ts.map +1 -1
- package/lib/typescript/credential/issuance/05-authorize-access.d.ts.map +1 -1
- package/lib/typescript/credential/issuance/06-obtain-credential.d.ts +10 -5
- package/lib/typescript/credential/issuance/06-obtain-credential.d.ts.map +1 -1
- package/lib/typescript/credential/issuance/07-verify-and-parse-credential.d.ts +3 -2
- package/lib/typescript/credential/issuance/07-verify-and-parse-credential.d.ts.map +1 -1
- package/lib/typescript/credential/issuance/const.d.ts +1 -1
- package/lib/typescript/credential/issuance/types.d.ts +46 -26
- package/lib/typescript/credential/issuance/types.d.ts.map +1 -1
- package/lib/typescript/pid/sd-jwt/types.d.ts +7 -7
- package/lib/typescript/sd-jwt/__test__/utils.test.d.ts +2 -0
- package/lib/typescript/sd-jwt/__test__/utils.test.d.ts.map +1 -0
- package/lib/typescript/sd-jwt/index.d.ts +21 -8
- package/lib/typescript/sd-jwt/index.d.ts.map +1 -1
- package/lib/typescript/sd-jwt/types.d.ts +194 -12
- package/lib/typescript/sd-jwt/types.d.ts.map +1 -1
- package/lib/typescript/sd-jwt/utils.d.ts +18 -0
- package/lib/typescript/sd-jwt/utils.d.ts.map +1 -0
- package/lib/typescript/trust/build-chain.d.ts +30 -14
- package/lib/typescript/trust/build-chain.d.ts.map +1 -1
- package/lib/typescript/trust/types.d.ts +322 -158
- package/lib/typescript/trust/types.d.ts.map +1 -1
- package/lib/typescript/utils/par.d.ts +29 -13
- package/lib/typescript/utils/par.d.ts.map +1 -1
- package/lib/typescript/wallet-instance-attestation/types.d.ts +9 -9
- package/lib/typescript/wallet-instance-attestation/types.d.ts.map +1 -1
- package/package.json +1 -1
- package/src/credential/issuance/01-start-flow.ts +2 -2
- package/src/credential/issuance/03-start-user-authorization.ts +57 -38
- package/src/credential/issuance/05-authorize-access.ts +5 -11
- package/src/credential/issuance/06-obtain-credential.ts +53 -23
- package/src/credential/issuance/07-verify-and-parse-credential.ts +54 -62
- package/src/credential/issuance/README.md +34 -13
- package/src/credential/issuance/const.ts +1 -1
- package/src/credential/issuance/types.ts +18 -8
- package/src/credential/presentation/07-evaluate-dcql-query.ts +4 -4
- package/src/credential/presentation/07-evaluate-input-descriptor.ts +3 -3
- package/src/credential/status/README.md +0 -1
- package/src/sd-jwt/__test__/index.test.ts +8 -29
- package/src/sd-jwt/__test__/types.test.ts +6 -2
- package/src/sd-jwt/__test__/utils.test.ts +37 -0
- package/src/sd-jwt/index.ts +2 -0
- package/src/sd-jwt/types.ts +49 -2
- package/src/sd-jwt/utils.ts +73 -0
- package/src/trust/types.ts +23 -17
- package/src/utils/par.ts +37 -21
- package/src/utils/pop.ts +1 -1
- package/src/wallet-instance-attestation/types.ts +3 -1
@@ -6,55 +6,60 @@ Object.defineProperty(exports, "__esModule", {
|
|
6
6
|
exports.startUserAuthorization = void 0;
|
7
7
|
var _misc = require("../../utils/misc");
|
8
8
|
var _par = require("../../utils/par");
|
9
|
-
var _const = require("./const");
|
10
9
|
var _logging = require("../../utils/logging");
|
11
10
|
/**
|
12
11
|
* Ensures that the credential type requested is supported by the issuer and contained in the
|
13
12
|
* issuer configuration.
|
14
13
|
* @param issuerConf The issuer configuration returned by {@link evaluateIssuerTrust}
|
15
|
-
* @param
|
16
|
-
* @param context.wiaCryptoContext The Wallet Instance's crypto context
|
17
|
-
* @param context.walletInstanceAttestation The Wallet Instance's attestation
|
18
|
-
* @param context.redirectUri The redirect URI which is the custom URL scheme that the Wallet Instance is registered to handle
|
19
|
-
* @param context.appFetch (optional) fetch api implementation. Default: built-in fetch
|
14
|
+
* @param credentialId The credential configuration ID to be requested;
|
20
15
|
* @returns The credential definition to be used in the request which includes the format and the type and its type
|
21
16
|
*/
|
22
|
-
const selectCredentialDefinition = (issuerConf,
|
17
|
+
const selectCredentialDefinition = (issuerConf, credentialId) => {
|
23
18
|
const credential_configurations_supported = issuerConf.openid_credential_issuer.credential_configurations_supported;
|
24
|
-
const [result] = Object.keys(credential_configurations_supported).filter(e => e.includes(
|
25
|
-
credential_configuration_id:
|
26
|
-
format: credential_configurations_supported[e].format,
|
19
|
+
const [result] = Object.keys(credential_configurations_supported).filter(e => e.includes(credentialId)).map(() => ({
|
20
|
+
credential_configuration_id: credentialId,
|
27
21
|
type: "openid_credential"
|
28
22
|
}));
|
29
23
|
if (!result) {
|
30
|
-
_logging.Logger.log(_logging.LogLevel.ERROR, `Requested credential
|
31
|
-
throw new Error(`No credential support the type '${
|
24
|
+
_logging.Logger.log(_logging.LogLevel.ERROR, `Requested credential ${credentialId} is not supported by the issuer according to its configuration ${JSON.stringify(credential_configurations_supported)}`);
|
25
|
+
throw new Error(`No credential support the type '${credentialId}'`);
|
32
26
|
}
|
33
27
|
return result;
|
34
28
|
};
|
35
29
|
|
36
30
|
/**
|
37
31
|
* Ensures that the response mode requested is supported by the issuer and contained in the issuer configuration.
|
32
|
+
* When multiple credentials are provided, all of them must support the same response_mode.
|
38
33
|
* @param issuerConf The issuer configuration
|
39
|
-
* @param
|
34
|
+
* @param credentialIds The credential configuration IDs to be requested
|
40
35
|
* @returns The response mode to be used in the request, "query" for PersonIdentificationData and "form_post.jwt" for all other types.
|
41
36
|
*/
|
42
|
-
const selectResponseMode = (issuerConf,
|
37
|
+
const selectResponseMode = (issuerConf, credentialIds) => {
|
43
38
|
const responseModeSupported = issuerConf.oauth_authorization_server.response_modes_supported;
|
44
|
-
const
|
45
|
-
|
39
|
+
const responseModeSet = new Set();
|
40
|
+
for (const credentialId of credentialIds) {
|
41
|
+
responseModeSet.add(credentialId.match(/PersonIdentificationData/i) ? "query" : "form_post.jwt");
|
42
|
+
}
|
43
|
+
if (responseModeSet.size !== 1) {
|
44
|
+
_logging.Logger.log(_logging.LogLevel.ERROR, `${credentialIds} have incompatible response_mode: ${[...responseModeSet.values()]}`);
|
45
|
+
throw new Error("Requested credentials have incompatible response_mode and cannot be requested with the same PAR request");
|
46
|
+
}
|
47
|
+
const [responseMode] = responseModeSet.values();
|
48
|
+
_logging.Logger.log(_logging.LogLevel.DEBUG, `Selected response mode ${responseMode} for credential IDs ${credentialIds}`);
|
46
49
|
if (!responseModeSupported.includes(responseMode)) {
|
47
50
|
_logging.Logger.log(_logging.LogLevel.ERROR, `Requested response mode ${responseMode} is not supported by the issuer according to its configuration ${JSON.stringify(responseModeSupported)}`);
|
48
|
-
throw new Error(`No response mode support
|
51
|
+
throw new Error(`No response mode support for IDs '${credentialIds}'`);
|
49
52
|
}
|
50
53
|
return responseMode;
|
51
54
|
};
|
52
55
|
|
53
56
|
/**
|
54
57
|
* WARNING: This function must be called after {@link evaluateIssuerTrust} and {@link startFlow}. The next steam is {@link compeUserAuthorizationWithQueryMode} or {@link compeUserAuthorizationWithFormPostJwtMode}
|
58
|
+
*
|
55
59
|
* Creates and sends a PAR request to the /as/par endpoint of the authorization server.
|
56
60
|
* This starts the authentication flow to obtain an access token.
|
57
|
-
* This token enables the Wallet Instance to request a digital credential from the Credential Endpoint of the Credential Issuer
|
61
|
+
* This token enables the Wallet Instance to request a digital credential from the Credential Endpoint of the Credential Issuer; when multiple credential types are passed,
|
62
|
+
* it is possible to use the same access token for the issuance of all requested credentials.
|
58
63
|
* This is an HTTP POST request containing the Wallet Instance identifier (client id), the code challenge and challenge method as specified by PKCE according to RFC 9126
|
59
64
|
* along with the WTE and its proof of possession (WTE-PoP).
|
60
65
|
* Additionally, it includes a request object, which is a signed JWT encapsulating the type of digital credential requested (authorization_details),
|
@@ -64,11 +69,12 @@ const selectResponseMode = (issuerConf, credentialType) => {
|
|
64
69
|
* to the Wallet Instance's Token Endpoint to obtain the Access Token, and the redirectUri of the Wallet Instance where the Authorization Response
|
65
70
|
* should be delivered. The redirect is achived by using a custom URL scheme that the Wallet Instance is registered to handle.
|
66
71
|
* @param issuerConf The issuer configuration
|
67
|
-
* @param
|
72
|
+
* @param credentialIds The credential configuration IDs to be requested
|
68
73
|
* @param ctx The context object containing the Wallet Instance's cryptographic context, the Wallet Instance's attestation, the redirect URI and the fetch implementation
|
69
|
-
* @returns The URI to which the end user should be redirected to start the authentication flow, along with the client id, the code verifier and the credential definition
|
74
|
+
* @returns The URI to which the end user should be redirected to start the authentication flow, along with the client id, the code verifier and the credential definition(s)
|
70
75
|
*/
|
71
|
-
|
76
|
+
|
77
|
+
const startUserAuthorization = async (issuerConf, credentialIds, ctx) => {
|
72
78
|
const {
|
73
79
|
wiaCryptoContext,
|
74
80
|
walletInstanceAttestation,
|
@@ -82,13 +88,21 @@ const startUserAuthorization = async (issuerConf, credentialType, ctx) => {
|
|
82
88
|
}
|
83
89
|
const codeVerifier = (0, _misc.generateRandomAlphaNumericString)(64);
|
84
90
|
const parEndpoint = issuerConf.oauth_authorization_server.pushed_authorization_request_endpoint;
|
85
|
-
const
|
86
|
-
const
|
91
|
+
const aud = issuerConf.openid_credential_issuer.credential_issuer;
|
92
|
+
const credentialDefinition = credentialIds.map(c => selectCredentialDefinition(issuerConf, c));
|
93
|
+
const responseMode = selectResponseMode(issuerConf, credentialIds);
|
87
94
|
const getPar = (0, _par.makeParRequest)({
|
88
95
|
wiaCryptoContext,
|
89
96
|
appFetch
|
90
97
|
});
|
91
|
-
const issuerRequestUri = await getPar(
|
98
|
+
const issuerRequestUri = await getPar(parEndpoint, walletInstanceAttestation, {
|
99
|
+
aud,
|
100
|
+
clientId,
|
101
|
+
codeVerifier,
|
102
|
+
redirectUri,
|
103
|
+
responseMode,
|
104
|
+
authorizationDetails: credentialDefinition
|
105
|
+
});
|
92
106
|
return {
|
93
107
|
issuerRequestUri,
|
94
108
|
clientId,
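Review bot: In `selectCredentialDefinition` the filter is a substring test (`e.includes(credentialId)`) and the new `.map(() => …)` discards the matched key, so any `credentialId` that is merely contained in a supported key, including the empty string, passes the check and is sent verbatim as `credential_configuration_id`. An exact comparison keeps the request in line with the issuer metadata: `.filter(e => e === credentialId)`. In `selectResponseMode`, an empty `credentialIds` array leaves `responseModeSet.size` at 0 and is reported as "incompatible response_mode", so an explicit empty-input check with its own message would be clearer. This file is build output; the change would belong in `src/credential/issuance/03-start-user-authorization.ts`.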
|
@@ -1 +1 @@
|
|
1
|
-
{"version":3,"names":["_misc","require","_par","
|
1
|
+
{"version":3,"names":["_misc","require","_par","_logging","selectCredentialDefinition","issuerConf","credentialId","credential_configurations_supported","openid_credential_issuer","result","Object","keys","filter","e","includes","map","credential_configuration_id","type","Logger","log","LogLevel","ERROR","JSON","stringify","Error","selectResponseMode","credentialIds","responseModeSupported","oauth_authorization_server","response_modes_supported","responseModeSet","Set","add","match","size","values","responseMode","DEBUG","startUserAuthorization","ctx","wiaCryptoContext","walletInstanceAttestation","redirectUri","appFetch","fetch","clientId","getPublicKey","then","_","kid","codeVerifier","generateRandomAlphaNumericString","parEndpoint","pushed_authorization_request_endpoint","aud","credential_issuer","credentialDefinition","c","getPar","makeParRequest","issuerRequestUri","authorizationDetails","exports"],"sourceRoot":"../../../../src","sources":["credential/issuance/03-start-user-authorization.ts"],"mappings":";;;;;;AAEA,IAAAA,KAAA,GAAAC,OAAA;AAGA,IAAAC,IAAA,GAAAD,OAAA;AACA,IAAAE,QAAA,GAAAF,OAAA;AAkBA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,MAAMG,0BAA0B,GAAGA,CACjCC,UAAkD,EAClDC,YAA4C,KACpB;EACxB,MAAMC,mCAAmC,GACvCF,UAAU,CAACG,wBAAwB,CAACD,mCAAmC;EAEzE,MAAM,CAACE,MAAM,CAAC,GAAGC,MAAM,CAACC,IAAI,CAACJ,mCAAmC,CAAC,CAC9DK,MAAM,CAAEC,CAAC,IAAKA,CAAC,CAACC,QAAQ,CAACR,YAAY,CAAC,CAAC,CACvCS,GAAG,CAAC,OAAO;IACVC,2BAA2B,EAAEV,YAAY;IACzCW,IAAI,EAAE;EACR,CAAC,CAAC,CAAC;EAEL,IAAI,CAACR,MAAM,EAAE;IACXS,eAAM,CAACC,GAAG,CACRC,iBAAQ,CAACC,KAAK,EACb,wBAAuBf,YAAa,kEAAiEgB,IAAI,CAACC,SAAS,CAAChB,mCAAmC,CAAE,EAC5J,CAAC;IACD,MAAM,IAAIiB,KAAK,CAAE,mCAAkClB,YAAa,GAAE,CAAC;EACrE;EACA,OAAOG,MAAM;AACf,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA,MAAMgB,kBAAkB,GAAGA,CACzBpB,UAAkD,EAClDqB,aAAuB,KACN;EACjB,MAAMC,qBAAqB,GACzBtB,UAAU,CAACuB,0BAA0B,CAACC,wBAAwB;EAEhE,MAAMC,eAAe,GAAG,IAAIC,GAAG,CAAe,CAAC;EAE/C,KAAK,MAAMzB,YAAY,IAAIoB,aAAa,EAAE;IACxCI,eAAe,CAACE,GAAG,CACjB1B,YAAY,CAAC2B,KAAK,CAAC,2BAA2B,
CAAC,GAC3C,OAAO,GACP,eACN,CAAC;EACH;EAEA,IAAIH,eAAe,CAACI,IAAI,KAAK,CAAC,EAAE;IAC9BhB,eAAM,CAACC,GAAG,CACRC,iBAAQ,CAACC,KAAK,EACb,GAAEK,aAAc,qCAAoC,CAAC,GAAGI,eAAe,CAACK,MAAM,CAAC,CAAC,CAAE,EACrF,CAAC;IACD,MAAM,IAAIX,KAAK,CACb,yGACF,CAAC;EACH;EAEA,MAAM,CAACY,YAAY,CAAC,GAAGN,eAAe,CAACK,MAAM,CAAC,CAAC;EAE/CjB,eAAM,CAACC,GAAG,CACRC,iBAAQ,CAACiB,KAAK,EACb,0BAAyBD,YAAa,uBAAsBV,aAAc,EAC7E,CAAC;EAED,IAAI,CAACC,qBAAqB,CAACb,QAAQ,CAACsB,YAAa,CAAC,EAAE;IAClDlB,eAAM,CAACC,GAAG,CACRC,iBAAQ,CAACC,KAAK,EACb,2BAA0Be,YAAa,kEAAiEd,IAAI,CAACC,SAAS,CAACI,qBAAqB,CAAE,EACjJ,CAAC;IACD,MAAM,IAAIH,KAAK,CAAE,qCAAoCE,aAAc,GAAE,CAAC;EACxE;EAEA,OAAOU,YAAY;AACrB,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAEO,MAAME,sBAA8C,GAAG,MAAAA,CAC5DjC,UAAU,EACVqB,aAAa,EACba,GAAG,KACA;EACH,MAAM;IACJC,gBAAgB;IAChBC,yBAAyB;IACzBC,WAAW;IACXC,QAAQ,GAAGC;EACb,CAAC,GAAGL,GAAG;EAEP,MAAMM,QAAQ,GAAG,MAAML,gBAAgB,CAACM,YAAY,CAAC,CAAC,CAACC,IAAI,CAAEC,CAAC,IAAKA,CAAC,CAACC,GAAG,CAAC;EAEzE,IAAI,CAACJ,QAAQ,EAAE;IACb3B,eAAM,CAACC,GAAG,CACRC,iBAAQ,CAACC,KAAK,EACb,kCAAiCwB,QAAS,0BAC7C,CAAC;IACD,MAAM,IAAIrB,KAAK,CAAC,qBAAqB,CAAC;EACxC;EACA,MAAM0B,YAAY,GAAG,IAAAC,sCAAgC,EAAC,EAAE,CAAC;EACzD,MAAMC,WAAW,GACf/C,UAAU,CAACuB,0BAA0B,CAACyB,qCAAqC;EAC7E,MAAMC,GAAG,GAAGjD,UAAU,CAACG,wBAAwB,CAAC+C,iBAAiB;EACjE,MAAMC,oBAAoB,GAAG9B,aAAa,CAACX,GAAG,CAAE0C,CAAC,IAC/CrD,0BAA0B,CAACC,UAAU,EAAEoD,CAAC,CAC1C,CAAC;EACD,MAAMrB,YAAY,GAAGX,kBAAkB,CAACpB,UAAU,EAAEqB,aAAa,CAAC;EAClE,MAAMgC,MAAM,GAAG,IAAAC,mBAAc,EAAC;IAAEnB,gBAAgB;IAAEG;EAAS,CAAC,CAAC;EAC7D,MAAMiB,gBAAgB,GAAG,MAAMF,MAAM,CACnCN,WAAW,EACXX,yBAAyB,EACzB;IACEa,GAAG;IACHT,QAAQ;IACRK,YAAY;IACZR,WAAW;IACXN,YAAY;IACZyB,oBAAoB,EAAEL;EACxB,CACF,CAAC;EAED,OAAO;IAAEI,gBAAgB;IAAEf,QAAQ;IAAEK,YAAY;IAAEM;EAAqB,CAAC;AAC3E,CAAC;AAACM,OAAA,CAAAxB,sBAAA,GAAAA,sBAAA"}
|
@@ -9,7 +9,6 @@ var _dpop = require("../../utils/dpop");
|
|
9
9
|
var _uuid = require("uuid");
|
10
10
|
var _pop = require("../../utils/pop");
|
11
11
|
var WalletInstanceAttestation = _interopRequireWildcard(require("../../wallet-instance-attestation"));
|
12
|
-
var _const = require("./const");
|
13
12
|
var _types = require("./types");
|
14
13
|
var _errors = require("../../utils/errors");
|
15
14
|
var _logging = require("../../utils/logging");
|
@@ -33,16 +32,14 @@ function _interopRequireWildcard(obj, nodeInterop) { if (!nodeInterop && obj &&
|
|
33
32
|
* @throws {IssuerResponseError} with a specific code for more context
|
34
33
|
* @return The token response containing the access token along with the token request signed with DPoP which has to be used in the {@link obtainCredential} step.
|
35
34
|
*/
|
36
|
-
const authorizeAccess = async (issuerConf, code,
|
35
|
+
const authorizeAccess = async (issuerConf, code, _, redirectUri, codeVerifier, context) => {
|
37
36
|
const {
|
38
37
|
appFetch = fetch,
|
39
38
|
walletInstanceAttestation,
|
40
39
|
wiaCryptoContext,
|
41
40
|
dPopCryptoContext
|
42
41
|
} = context;
|
43
|
-
const
|
44
|
-
const parUrl = new URL(parEndpoint);
|
45
|
-
const aud = `${parUrl.protocol}//${parUrl.hostname}`;
|
42
|
+
const aud = issuerConf.openid_credential_issuer.credential_issuer;
|
46
43
|
const iss = WalletInstanceAttestation.decode(walletInstanceAttestation).payload.cnf.jwk.kid;
|
47
44
|
const tokenUrl = issuerConf.oauth_authorization_server.token_endpoint;
|
48
45
|
const tokenRequestSignedDPop = await (0, _dpop.createDPopToken)({
|
@@ -59,12 +56,9 @@ const authorizeAccess = async (issuerConf, code, clientId, redirectUri, codeVeri
|
|
59
56
|
_logging.Logger.log(_logging.LogLevel.DEBUG, `WIA DPoP token: ${signedWiaPoP}`);
|
60
57
|
const requestBody = {
|
61
58
|
grant_type: "authorization_code",
|
62
|
-
client_id: clientId,
|
63
59
|
code,
|
64
|
-
redirect_uri: redirectUri,
|
65
60
|
code_verifier: codeVerifier,
|
66
|
-
|
67
|
-
client_assertion: walletInstanceAttestation + "~" + signedWiaPoP
|
61
|
+
redirect_uri: redirectUri
|
68
62
|
};
|
69
63
|
const authorizationRequestFormBody = new URLSearchParams(requestBody);
|
70
64
|
_logging.Logger.log(_logging.LogLevel.DEBUG, `Auth form request body: ${authorizationRequestFormBody}`);
|
@@ -72,7 +66,9 @@ const authorizeAccess = async (issuerConf, code, clientId, redirectUri, codeVeri
|
|
72
66
|
method: "POST",
|
73
67
|
headers: {
|
74
68
|
"Content-Type": "application/x-www-form-urlencoded",
|
75
|
-
DPoP: tokenRequestSignedDPop
|
69
|
+
DPoP: tokenRequestSignedDPop,
|
70
|
+
"OAuth-Client-Attestation": walletInstanceAttestation,
|
71
|
+
"OAuth-Client-Attestation-PoP": signedWiaPoP
|
76
72
|
},
|
77
73
|
body: authorizationRequestFormBody.toString()
|
78
74
|
}).then((0, _misc.hasStatusOrThrow)(200, _errors.IssuerResponseError)).then(res => res.json()).then(body => _types.TokenResponse.safeParse(body));
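Review bot: The DEBUG line that prints `authorizationRequestFormBody`, directly below the changed `requestBody`, still writes the authorization `code` and the PKCE `code_verifier` in clear, and the DEBUG line above it prints the signed WIA PoP that is now sent as `OAuth-Client-Attestation-PoP`. Logging only the field names would keep the trace useful without putting those values in the log: `_logging.Logger.log(_logging.LogLevel.DEBUG, `Auth form request body fields: ${[...authorizationRequestFormBody.keys()]}`);`. Whether DEBUG output is enabled in release builds is not visible here. The third positional parameter is now `_` and ignored, so the JSDoc should say that the former `clientId` argument no longer has any effect. The body of `authorizeAccess` starts and ends outside these hunks.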
|
@@ -1 +1 @@
|
|
1
|
-
{"version":3,"names":["_misc","require","_dpop","_uuid","_pop","WalletInstanceAttestation","_interopRequireWildcard","
|
1
|
+
{"version":3,"names":["_misc","require","_dpop","_uuid","_pop","WalletInstanceAttestation","_interopRequireWildcard","_types","_errors","_logging","_getRequireWildcardCache","nodeInterop","WeakMap","cacheBabelInterop","cacheNodeInterop","obj","__esModule","default","cache","has","get","newObj","hasPropertyDescriptor","Object","defineProperty","getOwnPropertyDescriptor","key","prototype","hasOwnProperty","call","desc","set","authorizeAccess","issuerConf","code","_","redirectUri","codeVerifier","context","appFetch","fetch","walletInstanceAttestation","wiaCryptoContext","dPopCryptoContext","aud","openid_credential_issuer","credential_issuer","iss","decode","payload","cnf","jwk","kid","tokenUrl","oauth_authorization_server","token_endpoint","tokenRequestSignedDPop","createDPopToken","htm","htu","jti","uuidv4","Logger","log","LogLevel","DEBUG","signedWiaPoP","createPopToken","requestBody","grant_type","code_verifier","redirect_uri","authorizationRequestFormBody","URLSearchParams","tokenRes","method","headers","DPoP","body","toString","then","hasStatusOrThrow","IssuerResponseError","res","json","TokenResponse","safeParse","success","ERROR","error","message","ValidationFailed","reason","accessToken","data","exports"],"sourceRoot":"../../../../src","sources":["credential/issuance/05-authorize-access.ts"],"mappings":";;;;;;AAAA,IAAAA,KAAA,GAAAC,OAAA;AAGA,IAAAC,KAAA,GAAAD,OAAA;AACA,IAAAE,KAAA,GAAAF,OAAA;AACA,IAAAG,IAAA,GAAAH,OAAA;AACA,IAAAI,yBAAA,GAAAC,uBAAA,CAAAL,OAAA;AAEA,IAAAM,MAAA,GAAAN,OAAA;AACA,IAAAO,OAAA,GAAAP,OAAA;AAEA,IAAAQ,QAAA,GAAAR,OAAA;AAAuD,SAAAS,yBAAAC,WAAA,eAAAC,OAAA,kCAAAC,iBAAA,OAAAD,OAAA,QAAAE,gBAAA,OAAAF,OAAA,YAAAF,wBAAA,YAAAA,CAAAC,WAAA,WAAAA,WAAA,GAAAG,gBAAA,GAAAD,iBAAA,KAAAF,WAAA;AAAA,SAAAL,wBAAAS,GAAA,EAAAJ,WAAA,SAAAA,WAAA,IAAAI,GAAA,IAAAA,GAAA,CAAAC,UAAA,WAAAD,GAAA,QAAAA,GAAA,oBAAAA,GAAA,wBAAAA,GAAA,4BAAAE,OAAA,EAAAF,GAAA,UAAAG,KAAA,GAAAR,wBAAA,CAAAC,WAAA,OAAAO,KAAA,IAAAA,KAAA,CAAAC,GAAA,CAAAJ,GAAA,YAAAG,KAAA,CAAAE,GAAA,CAAAL,GAAA,SAAAM,MAAA,WAAAC,qBA
AA,GAAAC,MAAA,CAAAC,cAAA,IAAAD,MAAA,CAAAE,wBAAA,WAAAC,GAAA,IAAAX,GAAA,QAAAW,GAAA,kBAAAH,MAAA,CAAAI,SAAA,CAAAC,cAAA,CAAAC,IAAA,CAAAd,GAAA,EAAAW,GAAA,SAAAI,IAAA,GAAAR,qBAAA,GAAAC,MAAA,CAAAE,wBAAA,CAAAV,GAAA,EAAAW,GAAA,cAAAI,IAAA,KAAAA,IAAA,CAAAV,GAAA,IAAAU,IAAA,CAAAC,GAAA,KAAAR,MAAA,CAAAC,cAAA,CAAAH,MAAA,EAAAK,GAAA,EAAAI,IAAA,YAAAT,MAAA,CAAAK,GAAA,IAAAX,GAAA,CAAAW,GAAA,SAAAL,MAAA,CAAAJ,OAAA,GAAAF,GAAA,MAAAG,KAAA,IAAAA,KAAA,CAAAa,GAAA,CAAAhB,GAAA,EAAAM,MAAA,YAAAA,MAAA;AAgBvD;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO,MAAMW,eAAgC,GAAG,MAAAA,CAC9CC,UAAU,EACVC,IAAI,EACJC,CAAC,EACDC,WAAW,EACXC,YAAY,EACZC,OAAO,KACJ;EACH,MAAM;IACJC,QAAQ,GAAGC,KAAK;IAChBC,yBAAyB;IACzBC,gBAAgB;IAChBC;EACF,CAAC,GAAGL,OAAO;EACX,MAAMM,GAAG,GAAGX,UAAU,CAACY,wBAAwB,CAACC,iBAAiB;EACjE,MAAMC,GAAG,GAAG1C,yBAAyB,CAAC2C,MAAM,CAACP,yBAAyB,CAAC,CACpEQ,OAAO,CAACC,GAAG,CAACC,GAAG,CAACC,GAAG;EAEtB,MAAMC,QAAQ,GAAGpB,UAAU,CAACqB,0BAA0B,CAACC,cAAc;EAErE,MAAMC,sBAAsB,GAAG,MAAM,IAAAC,qBAAe,EAClD;IACEC,GAAG,EAAE,MAAM;IACXC,GAAG,EAAEN,QAAQ;IACbO,GAAG,EAAG,GAAE,IAAAC,QAAM,EAAC,CAAE;EACnB,CAAC,EACDlB,iBACF,CAAC;EAEDmB,eAAM,CAACC,GAAG,CAACC,iBAAQ,CAACC,KAAK,EAAG,uBAAsBT,sBAAuB,EAAC,CAAC;EAE3E,MAAMU,YAAY,GAAG,MAAM,IAAAC,mBAAc,EACvC;IACEP,GAAG,EAAG,GAAE,IAAAC,QAAM,EAAC,CAAE,EAAC;IAClBjB,GAAG;IACHG;EACF,CAAC,EACDL,gBACF,CAAC;EAEDoB,eAAM,CAACC,GAAG,CAACC,iBAAQ,CAACC,KAAK,EAAG,mBAAkBC,YAAa,EAAC,CAAC;EAE7D,MAAME,WAAW,GAAG;IAClBC,UAAU,EAAE,oBAAoB;IAChCnC,IAAI;IACJoC,aAAa,EAAEjC,YAAY;IAC3BkC,YAAY,EAAEnC;EAChB,CAAC;EAED,MAAMoC,4BAA4B,GAAG,IAAIC,eAAe,CAACL,WAAW,CAAC;EAErEN,eAAM,CAACC,GAAG,CACRC,iBAAQ,CAACC,KAAK,EACb,2BAA0BO,4BAA6B,EAC1D,CAAC;EAED,MAAME,QAAQ,GAAG,MAAMnC,QAAQ,CAACc,QAAQ,EAAE;IACxCsB,MAAM,EAAE,MAAM;IACdC,OAAO,EAAE;MACP,cAAc,EAAE,mCAAmC;MACnDC,IAAI,EAAErB,sBAAsB;MAC5B,0BAA0B,EAAEf,yBAAyB;MACrD,8BAA8B,EAAEyB;IAClC,CAAC;IACDY,IAAI,EAAEN,4BAA4B,CAACO,QAAQ,CAAC;EAC9C,CAAC,CAAC,CACCC,IAAI,CAAC,IAAAC,sBAAgB,EAAC,GAAG,EAAEC,2BAAmB,CAAC,CAAC,CAChDF,IAAI,CAAEG,GAAG,IAAKA,GAAG,C
AACC,IAAI,CAAC,CAAC,CAAC,CACzBJ,IAAI,CAAEF,IAAI,IAAKO,oBAAa,CAACC,SAAS,CAACR,IAAI,CAAC,CAAC;EAEhD,IAAI,CAACJ,QAAQ,CAACa,OAAO,EAAE;IACrBzB,eAAM,CAACC,GAAG,CACRC,iBAAQ,CAACwB,KAAK,EACb,qCAAoCd,QAAQ,CAACe,KAAK,CAACC,OAAQ,EAC9D,CAAC;IAED,MAAM,IAAIC,wBAAgB,CAAC;MACzBD,OAAO,EAAE,kCAAkC;MAC3CE,MAAM,EAAElB,QAAQ,CAACe,KAAK,CAACC;IACzB,CAAC,CAAC;EACJ;EAEA,OAAO;IAAEG,WAAW,EAAEnB,QAAQ,CAACoB;EAAK,CAAC;AACvC,CAAC;AAACC,OAAA,CAAA/D,eAAA,GAAAA,eAAA"}
|
@@ -30,11 +30,11 @@ const createNonceProof = async (nonce, issuer, audience, ctx) => {
|
|
30
30
|
* @param issuerConf The issuer configuration returned by {@link evaluateIssuerTrust}
|
31
31
|
* @param accessToken The access token response returned by {@link authorizeAccess}
|
32
32
|
* @param clientId The client id returned by {@link startUserAuthorization}
|
33
|
-
* @param credentialDefinition The credential definition of the credential to be obtained returned by {@link
|
34
|
-
* @param tokenRequestSignedDPop The DPoP signed token request returned by {@link authorizeAccess}
|
33
|
+
* @param credentialDefinition The credential definition of the credential to be obtained returned by {@link authorizeAccess}
|
35
34
|
* @param context.credentialCryptoContext The crypto context used to obtain the credential
|
36
35
|
* @param context.dPopCryptoContext The DPoP crypto context
|
37
36
|
* @param context.appFetch (optional) fetch api implementation. Default: built-in fetch
|
37
|
+
* @param operationType Specify the type of credential issuance (used for reissuing)
|
38
38
|
* @returns The credential response containing the credential
|
39
39
|
*/
|
40
40
|
exports.createNonceProof = createNonceProof;
|
@@ -44,18 +44,34 @@ const obtainCredential = async (issuerConf, accessToken, clientId, credentialDef
|
|
44
44
|
appFetch = fetch,
|
45
45
|
dPopCryptoContext
|
46
46
|
} = context;
|
47
|
+
const {
|
48
|
+
credential_configuration_id,
|
49
|
+
credential_identifier
|
50
|
+
} = credentialDefinition;
|
47
51
|
const credentialUrl = issuerConf.openid_credential_issuer.credential_endpoint;
|
52
|
+
const issuerUrl = issuerConf.oauth_authorization_server.issuer;
|
53
|
+
const nonceUrl = issuerConf.openid_credential_issuer.nonce_endpoint;
|
54
|
+
|
55
|
+
// Fetch the nonce from the Credential Issuer
|
56
|
+
const {
|
57
|
+
c_nonce
|
58
|
+
} = await appFetch(nonceUrl, {
|
59
|
+
method: "POST",
|
60
|
+
headers: {
|
61
|
+
"Content-Type": "application/json"
|
62
|
+
}
|
63
|
+
}).then((0, _misc.hasStatusOrThrow)(200)).then(res => res.json()).then(body => _types.NonceResponse.parse(body));
|
48
64
|
|
49
65
|
/**
|
50
66
|
* JWT proof token to bind the request nonce to the key that will bind the holder User with the Credential
|
51
67
|
* This is presented along with the access token to the Credential Endpoint as proof of possession of the private key used to sign the Access Token.
|
52
68
|
* @see https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#name-proof-types
|
53
69
|
*/
|
54
|
-
const signedNonceProof = await createNonceProof(
|
70
|
+
const signedNonceProof = await createNonceProof(c_nonce, clientId, issuerUrl, credentialCryptoContext);
|
55
71
|
_logging.Logger.log(_logging.LogLevel.DEBUG, `Signed nonce proof: ${signedNonceProof}`);
|
56
72
|
|
57
73
|
// Validation of accessTokenResponse.authorization_details if contain credentialDefinition
|
58
|
-
const containsCredentialDefinition = accessToken.authorization_details.some(c => c.credential_configuration_id ===
|
74
|
+
const containsCredentialDefinition = accessToken.authorization_details.some(c => c.credential_configuration_id === credential_configuration_id && (credential_identifier ? c.credential_identifiers.includes(credential_identifier) : true));
|
59
75
|
if (!containsCredentialDefinition) {
|
60
76
|
_logging.Logger.log(_logging.LogLevel.ERROR, `Credential definition not found in the access token response ${accessToken.authorization_details}`);
|
61
77
|
throw new _errors.ValidationFailed({
|
@@ -63,12 +79,20 @@ const obtainCredential = async (issuerConf, accessToken, clientId, credentialDef
|
|
63
79
|
});
|
64
80
|
}
|
65
81
|
|
66
|
-
/**
|
67
|
-
|
68
|
-
|
69
|
-
|
70
|
-
|
71
|
-
|
82
|
+
/**
|
83
|
+
* The credential request body.
|
84
|
+
* We accept both `credential_identifier` (recommended) and `credential_configuration_id`
|
85
|
+
* when the Authorization Server does not support `credential_identifier`.
|
86
|
+
* @see https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0-15.html#section-3.3.4
|
87
|
+
*/
|
88
|
+
const credentialRequestFormBody = credential_identifier ? {
|
89
|
+
credential_identifier: credential_identifier,
|
90
|
+
proof: {
|
91
|
+
jwt: signedNonceProof,
|
92
|
+
proof_type: "jwt"
|
93
|
+
}
|
94
|
+
} : {
|
95
|
+
credential_configuration_id: credential_configuration_id,
|
72
96
|
proof: {
|
73
97
|
jwt: signedNonceProof,
|
74
98
|
proof_type: "jwt"
|
@@ -102,7 +126,15 @@ const obtainCredential = async (issuerConf, accessToken, clientId, credentialDef
|
|
102
126
|
});
|
103
127
|
}
|
104
128
|
_logging.Logger.log(_logging.LogLevel.DEBUG, `Credential Response: ${JSON.stringify(credentialRes.data)}`);
|
105
|
-
|
129
|
+
|
130
|
+
// Extract the format corresponding to the credential_configuration_id used
|
131
|
+
const issuerCredentialConfig = issuerConf.openid_credential_issuer.credential_configurations_supported[credential_configuration_id];
|
132
|
+
|
133
|
+
// TODO: [SIW-2264] Handle multiple credentials
|
134
|
+
return {
|
135
|
+
credential: credentialRes.data.credentials.at(0).credential,
|
136
|
+
format: issuerCredentialConfig.format
|
137
|
+
};
|
106
138
|
};
|
107
139
|
|
108
140
|
/**
|
@@ -1 +1 @@
|
|
1
|
-
{"version":3,"names":["_ioReactNativeJwt","require","_misc","_errors","_types","_dpop","_uuid","_logging","createNonceProof","nonce","issuer","audience","ctx","jwk","getPublicKey","SignJWT","setPayload","setProtectedHeader","typ","setAudience","setIssuer","setIssuedAt","setExpirationTime","sign","exports","obtainCredential","issuerConf","accessToken","clientId","credentialDefinition","context","operationType","credentialCryptoContext","appFetch","fetch","dPopCryptoContext","credentialUrl","openid_credential_issuer","credential_endpoint","
|
1
|
+
{"version":3,"names":["_ioReactNativeJwt","require","_misc","_errors","_types","_dpop","_uuid","_logging","createNonceProof","nonce","issuer","audience","ctx","jwk","getPublicKey","SignJWT","setPayload","setProtectedHeader","typ","setAudience","setIssuer","setIssuedAt","setExpirationTime","sign","exports","obtainCredential","issuerConf","accessToken","clientId","credentialDefinition","context","operationType","credentialCryptoContext","appFetch","fetch","dPopCryptoContext","credential_configuration_id","credential_identifier","credentialUrl","openid_credential_issuer","credential_endpoint","issuerUrl","oauth_authorization_server","nonceUrl","nonce_endpoint","c_nonce","method","headers","then","hasStatusOrThrow","res","json","body","NonceResponse","parse","signedNonceProof","Logger","log","LogLevel","DEBUG","containsCredentialDefinition","authorization_details","some","c","credential_identifiers","includes","ERROR","ValidationFailed","message","credentialRequestFormBody","proof","jwt","proof_type","JSON","stringify","tokenRequestSignedDPop","createDPopToken","htm","htu","jti","uuidv4","ath","sha256ToBase64","access_token","credentialRes","DPoP","Authorization","token_type","CredentialResponse","safeParse","catch","handleObtainCredentialError","success","error","reason","data","issuerCredentialConfig","credential_configurations_supported","credential","credentials","at","format","e","UnexpectedStatusCodeError","ResponseErrorBuilder","IssuerResponseError","handle","code","IssuerResponseErrorCodes","CredentialIssuingNotSynchronous","CredentialInvalidStatus","CredentialRequestFailed","buildFrom"],"sourceRoot":"../../../../src","sources":["credential/issuance/06-obtain-credential.ts"],"mappings":";;;;;;AAAA,IAAAA,iBAAA,GAAAC,OAAA;AAOA,IAAAC,KAAA,GAAAD,OAAA;AAEA,IAAAE,OAAA,GAAAF,OAAA;AAOA,IAAAG,MAAA,GAAAH,OAAA;AACA,IAAAI,KAAA,GAAAJ,OAAA;AACA,IAAAK,KAAA,GAAAL,OAAA;AACA,IAAAM,QAAA,GAAAN,OAAA;AAkBO,MAAMO,gBAAgB,GAAG,MAAAA,CAC9BC,KAAa,EACbC,MAAc,EACdC,QAAgB,EAChBC,GAAkB,KACE;E
ACpB,MAAMC,GAAG,GAAG,MAAMD,GAAG,CAACE,YAAY,CAAC,CAAC;EACpC,OAAO,IAAIC,yBAAO,CAACH,GAAG,CAAC,CACpBI,UAAU,CAAC;IACVP;EACF,CAAC,CAAC,CACDQ,kBAAkB,CAAC;IAClBC,GAAG,EAAE,sBAAsB;IAC3BL;EACF,CAAC,CAAC,CACDM,WAAW,CAACR,QAAQ,CAAC,CACrBS,SAAS,CAACV,MAAM,CAAC,CACjBW,WAAW,CAAC,CAAC,CACbC,iBAAiB,CAAC,MAAM,CAAC,CACzBC,IAAI,CAAC,CAAC;AACX,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAfAC,OAAA,CAAAhB,gBAAA,GAAAA,gBAAA;AAgBO,MAAMiB,gBAAkC,GAAG,MAAAA,CAChDC,UAAU,EACVC,WAAW,EACXC,QAAQ,EACRC,oBAAoB,EACpBC,OAAO,EACPC,aAAa,KACV;EACH,MAAM;IACJC,uBAAuB;IACvBC,QAAQ,GAAGC,KAAK;IAChBC;EACF,CAAC,GAAGL,OAAO;EACX,MAAM;IAAEM,2BAA2B;IAAEC;EAAsB,CAAC,GAC1DR,oBAAoB;EAEtB,MAAMS,aAAa,GAAGZ,UAAU,CAACa,wBAAwB,CAACC,mBAAmB;EAC7E,MAAMC,SAAS,GAAGf,UAAU,CAACgB,0BAA0B,CAAChC,MAAM;EAC9D,MAAMiC,QAAQ,GAAGjB,UAAU,CAACa,wBAAwB,CAACK,cAAc;;EAEnE;EACA,MAAM;IAAEC;EAAQ,CAAC,GAAG,MAAMZ,QAAQ,CAACU,QAAQ,EAAE;IAC3CG,MAAM,EAAE,MAAM;IACdC,OAAO,EAAE;MAAE,cAAc,EAAE;IAAmB;EAChD,CAAC,CAAC,CACCC,IAAI,CAAC,IAAAC,sBAAgB,EAAC,GAAG,CAAC,CAAC,CAC3BD,IAAI,CAAEE,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC,CACzBH,IAAI,CAAEI,IAAI,IAAKC,oBAAa,CAACC,KAAK,CAACF,IAAI,CAAC,CAAC;;EAE5C;AACF;AACA;AACA;AACA;EACE,MAAMG,gBAAgB,GAAG,MAAM/C,gBAAgB,CAC7CqC,OAAO,EACPjB,QAAQ,EACRa,SAAS,EACTT,uBACF,CAAC;EAEDwB,eAAM,CAACC,GAAG,CAACC,iBAAQ,CAACC,KAAK,EAAG,uBAAsBJ,gBAAiB,EAAC,CAAC;;EAErE;EACA,MAAMK,4BAA4B,GAAGjC,WAAW,CAACkC,qBAAqB,CAACC,IAAI,CACxEC,CAAC,IACAA,CAAC,CAAC3B,2BAA2B,KAAKA,2BAA2B,KAC5DC,qBAAqB,GAClB0B,CAAC,CAACC,sBAAsB,CAACC,QAAQ,CAAC5B,qBAAqB,CAAC,GACxD,IAAI,CACZ,CAAC;EAED,IAAI,CAACuB,4BAA4B,EAAE;IACjCJ,eAAM,CAACC,GAAG,CACRC,iBAAQ,CAACQ,KAAK,EACb,gEAA+DvC,WAAW,CAACkC,qBAAsB,EACpG,CAAC;IACD,MAAM,IAAIM,wBAAgB,CAAC;MACzBC,OAAO,EACL;IACJ,CAAC,CAAC;EACJ;;EAEA;AACF;AACA;AACA;AACA;AACA;EACE,MAAMC,yBAAyB,GAAGhC,qBAAqB,GACnD;IACEA,qBAAqB,EAAEA,qBAAqB;IAC5CiC,KAAK,EAAE;MAAEC,GAAG,EAAEhB,gBAAgB;MAAEiB,UAAU,EAAE;IAAM;EACpD,CAAC,GACD;IACEpC,2BAA2B,EAAEA,2BAA2B;IACxDkC,KAAK,EAAE;MAAEC,GAAG,EAAEhB,gBAAgB;MAAEiB,UAAU,EA
AE;IAAM;EACpD,CAAC;EAELhB,eAAM,CAACC,GAAG,CACRC,iBAAQ,CAACC,KAAK,EACb,4BAA2Bc,IAAI,CAACC,SAAS,CAACL,yBAAyB,CAAE,EACxE,CAAC;EAED,MAAMM,sBAAsB,GAAG,MAAM,IAAAC,qBAAe,EAClD;IACEC,GAAG,EAAE,MAAM;IACXC,GAAG,EAAExC,aAAa;IAClByC,GAAG,EAAG,GAAE,IAAAC,QAAM,EAAC,CAAE,EAAC;IAClBC,GAAG,EAAE,MAAM,IAAAC,gCAAc,EAACvD,WAAW,CAACwD,YAAY;EACpD,CAAC,EACDhD,iBACF,CAAC;EAEDqB,eAAM,CAACC,GAAG,CAACC,iBAAQ,CAACC,KAAK,EAAG,uBAAsBgB,sBAAuB,EAAC,CAAC;EAE3E,MAAMS,aAAa,GAAG,MAAMnD,QAAQ,CAACK,aAAa,EAAE;IAClDQ,MAAM,EAAE,MAAM;IACdC,OAAO,EAAE;MACP,cAAc,EAAE,kBAAkB;MAClCsC,IAAI,EAAEV,sBAAsB;MAC5BW,aAAa,EAAG,GAAE3D,WAAW,CAAC4D,UAAW,IAAG5D,WAAW,CAACwD,YAAa,EAAC;MACtE,IAAIpD,aAAa,KAAK,WAAW,IAAI;QAAEA;MAAc,CAAC;IACxD,CAAC;IACDqB,IAAI,EAAEqB,IAAI,CAACC,SAAS,CAACL,yBAAyB;EAChD,CAAC,CAAC,CACCrB,IAAI,CAAC,IAAAC,sBAAgB,EAAC,GAAG,CAAC,CAAC,CAC3BD,IAAI,CAAEE,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC,CACzBH,IAAI,CAAEI,IAAI,IAAKoC,yBAAkB,CAACC,SAAS,CAACrC,IAAI,CAAC,CAAC,CAClDsC,KAAK,CAACC,2BAA2B,CAAC;EAErC,IAAI,CAACP,aAAa,CAACQ,OAAO,EAAE;IAC1BpC,eAAM,CAACC,GAAG,CACRC,iBAAQ,CAACQ,KAAK,EACb,0CAAyCkB,aAAa,CAACS,KAAK,CAACzB,OAAQ,EACxE,CAAC;IACD,MAAM,IAAID,wBAAgB,CAAC;MACzBC,OAAO,EAAE,uCAAuC;MAChD0B,MAAM,EAAEV,aAAa,CAACS,KAAK,CAACzB;IAC9B,CAAC,CAAC;EACJ;EAEAZ,eAAM,CAACC,GAAG,CACRC,iBAAQ,CAACC,KAAK,EACb,wBAAuBc,IAAI,CAACC,SAAS,CAACU,aAAa,CAACW,IAAI,CAAE,EAC7D,CAAC;;EAED;EACA,MAAMC,sBAAsB,GAC1BtE,UAAU,CAACa,wBAAwB,CAAC0D,mCAAmC,CACrE7D,2BAA2B,CAC5B;;EAEH;EACA,OAAO;IACL8D,UAAU,EAAEd,aAAa,CAACW,IAAI,CAACI,WAAW,CAACC,EAAE,CAAC,CAAC,CAAC,CAAEF,UAAU;IAC5DG,MAAM,EAAEL,sBAAsB,CAAEK;EAClC,CAAC;AACH,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AALA7E,OAAA,CAAAC,gBAAA,GAAAA,gBAAA;AAMA,MAAMkE,2BAA2B,GAAIW,CAAU,IAAK;EAClD9C,eAAM,CAACC,GAAG,CAACC,iBAAQ,CAACQ,KAAK,EAAG,8CAA6CoC,CAAE,EAAC,CAAC;EAE7E,IAAI,EAAEA,CAAC,YAAYC,iCAAyB,CAAC,EAAE;IAC7C,MAAMD,CAAC;EACT;EAEA,MAAM,IAAIE,4BAAoB,CAACC,2BAAmB,CAAC,CAChDC,MAAM,CAAC,GAAG,EAAE;IACX;IACA;IACAC,IAAI,EAAEC,gCAAwB,CAACC,+BAA+B;IAC9DzC,OAAO,EACL;EACJ,CAAC,CAAC,CACDsC,MAAM,CAAC,GAAG,EAAE;IACXC,IAAI,EA
AEC,gCAAwB,CAACE,uBAAuB;IACtD1C,OAAO,EAAE;EACX,CAAC,CAAC,CACDsC,MAAM,CAAC,GAAG,EAAE;IACXC,IAAI,EAAEC,gCAAwB,CAACE,uBAAuB;IACtD1C,OAAO,EAAE;EACX,CAAC,CAAC,CACDsC,MAAM,CAAC,GAAG,EAAE;IACXC,IAAI,EAAEC,gCAAwB,CAACG,uBAAuB;IACtD3C,OAAO,EAAE;EACX,CAAC,CAAC,CACD4C,SAAS,CAACV,CAAC,CAAC;AACjB,CAAC"}
|
@@ -13,45 +13,39 @@ var _logging = require("../../utils/logging");
|
|
13
13
|
|
14
14
|
// handy alias
|
15
15
|
|
16
|
-
const parseCredentialSdJwt = function (
|
16
|
+
const parseCredentialSdJwt = function (credentialConfig, _ref) {
|
17
17
|
let {
|
18
18
|
sdJwt,
|
19
19
|
disclosures
|
20
20
|
} = _ref;
|
21
21
|
let ignoreMissingAttributes = arguments.length > 2 && arguments[2] !== undefined ? arguments[2] : false;
|
22
22
|
let includeUndefinedAttributes = arguments.length > 3 && arguments[3] !== undefined ? arguments[3] : false;
|
23
|
-
|
24
|
-
|
25
|
-
_logging.Logger.log(_logging.LogLevel.ERROR,
|
26
|
-
throw new _errors.IoWalletError(
|
27
|
-
}
|
28
|
-
if (credentialSubject.format !== sdJwt.header.typ) {
|
29
|
-
_logging.Logger.log(_logging.LogLevel.ERROR, `Received credential is of an unknwown type. Expected one of [${credentialSubject.format}], received '${sdJwt.header.typ}'`);
|
30
|
-
throw new _errors.IoWalletError(`Received credential is of an unknwown type. Expected one of [${credentialSubject.format}], received '${sdJwt.header.typ}', `);
|
23
|
+
if (credentialConfig.format !== sdJwt.header.typ) {
|
24
|
+
const message = `Received credential is of an unknwown type. Expected one of [${credentialConfig.format}], received '${sdJwt.header.typ}'`;
|
25
|
+
_logging.Logger.log(_logging.LogLevel.ERROR, message);
|
26
|
+
throw new _errors.IoWalletError(message);
|
31
27
|
}
|
32
|
-
|
33
|
-
// transfrom a record { key: value } in an iterable of pairs [key, value]
|
34
|
-
if (!credentialSubject.claims) {
|
28
|
+
if (!credentialConfig.claims) {
|
35
29
|
_logging.Logger.log(_logging.LogLevel.ERROR, "Missing claims in the credential subject");
|
36
30
|
throw new _errors.IoWalletError("Missing claims in the credential subject"); // TODO [SIW-1268]: should not be optional
|
37
31
|
}
|
38
32
|
|
39
|
-
const attrDefinitions =
|
33
|
+
const attrDefinitions = credentialConfig.claims;
|
40
34
|
|
41
35
|
// the key of the attribute defintion must match the disclosure's name
|
42
|
-
const attrsNotInDisclosures = attrDefinitions.filter(_ref2 => {
|
43
|
-
let [
|
44
|
-
return
|
45
|
-
|
46
|
-
|
47
|
-
|
48
|
-
});
|
36
|
+
const attrsNotInDisclosures = attrDefinitions.filter(definition => !disclosures.some(_ref2 => {
|
37
|
+
let [, name] = _ref2;
|
38
|
+
return name === definition.path[0];
|
39
|
+
}) // Ignore nested paths for now, see https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0-15.html#name-claims-path-pointer
|
40
|
+
);
|
41
|
+
|
49
42
|
if (attrsNotInDisclosures.length > 0) {
|
50
|
-
const missing = attrsNotInDisclosures.map(_ => _[0
|
43
|
+
const missing = attrsNotInDisclosures.map(_ => _.path[0]).join(", ");
|
51
44
|
const received = disclosures.map(_ => _[1 /* name */]).join(", ");
|
52
45
|
if (!ignoreMissingAttributes) {
|
53
|
-
|
54
|
-
|
46
|
+
const message = `Some attributes are missing in the credential. Missing: [${missing}], received: [${received}]`;
|
47
|
+
_logging.Logger.log(_logging.LogLevel.ERROR, message);
|
48
|
+
throw new _errors.IoWalletError(message);
|
55
49
|
}
|
56
50
|
}
|
57
51
|
|
@@ -59,28 +53,31 @@ const parseCredentialSdJwt = function (credentials_supported, _ref) {
|
|
59
53
|
// and are present in the disclosure set
|
60
54
|
const definedValues = Object.fromEntries(attrDefinitions
|
61
55
|
// retrieve the value from the disclosure set
|
62
|
-
.map(
|
56
|
+
.map(_ref3 => {
|
63
57
|
var _disclosures$find;
|
64
|
-
let
|
65
|
-
|
58
|
+
let {
|
59
|
+
path,
|
60
|
+
...definition
|
61
|
+
} = _ref3;
|
62
|
+
return [path[0], {
|
66
63
|
...definition,
|
67
|
-
value: (_disclosures$find = disclosures.find(_ => _[1 /* name */] ===
|
64
|
+
value: (_disclosures$find = disclosures.find(_ => _[1 /* name */] === path[0])) === null || _disclosures$find === void 0 ? void 0 : _disclosures$find[2 /* value */]
|
68
65
|
}];
|
69
66
|
})
|
70
67
|
// add a human readable attribute name, with i18n, in the form { locale: name }
|
71
68
|
// example: { "it-IT": "Nome", "en-EN": "Name", "es-ES": "Nombre" }
|
72
|
-
.map(
|
69
|
+
.map(_ref4 => {
|
73
70
|
let [attrKey, {
|
74
71
|
display,
|
75
72
|
...definition
|
76
|
-
}] =
|
73
|
+
}] = _ref4;
|
77
74
|
return [attrKey, {
|
78
75
|
...definition,
|
79
|
-
name: display.reduce((names,
|
76
|
+
name: display.reduce((names, _ref5) => {
|
80
77
|
let {
|
81
78
|
locale,
|
82
79
|
name
|
83
|
-
} =
|
80
|
+
} = _ref5;
|
84
81
|
return {
|
85
82
|
...names,
|
86
83
|
[locale]: name
|
@@ -91,8 +88,8 @@ const parseCredentialSdJwt = function (credentials_supported, _ref) {
|
|
91
88
|
if (includeUndefinedAttributes) {
|
92
89
|
// attributes that are in the disclosure set
|
93
90
|
// but are not defined in the issuer configuration
|
94
|
-
const undefinedValues = Object.fromEntries(disclosures.filter(_ => !Object.keys(definedValues).includes(_[1])).map(
|
95
|
-
let [, key, value] =
|
91
|
+
const undefinedValues = Object.fromEntries(disclosures.filter(_ => !Object.keys(definedValues).includes(_[1])).map(_ref6 => {
|
92
|
+
let [, key, value] = _ref6;
|
96
93
|
return [key, {
|
97
94
|
value,
|
98
95
|
name: key
|
@@ -129,23 +126,26 @@ async function verifyCredentialSdJwt(rawCredential, issuerKeys, holderBindingCon
|
|
129
126
|
cnf
|
130
127
|
} = decodedCredential.sdJwt.payload;
|
131
128
|
if (!cnf.jwk.kid || cnf.jwk.kid !== holderBindingKey.kid) {
|
132
|
-
|
133
|
-
|
129
|
+
const message = `Failed to verify holder binding, expected kid: ${holderBindingKey.kid}, got: ${decodedCredential.sdJwt.payload.cnf.jwk.kid}`;
|
130
|
+
_logging.Logger.log(_logging.LogLevel.ERROR, message);
|
131
|
+
throw new _errors.IoWalletError(message);
|
134
132
|
}
|
135
133
|
return decodedCredential;
|
136
134
|
}
|
137
|
-
|
138
|
-
// utility type that specialize VerifyAndParseCredential for given format
|
139
|
-
|
140
|
-
const verifyAndParseCredentialSdJwt = async (issuerConf, credential, _, _ref8) => {
|
135
|
+
const verifyAndParseCredentialSdJwt = async (issuerConf, credential, credentialConfigurationId, _ref7) => {
|
141
136
|
let {
|
142
137
|
credentialCryptoContext,
|
143
138
|
ignoreMissingAttributes,
|
144
139
|
includeUndefinedAttributes
|
145
|
-
} =
|
140
|
+
} = _ref7;
|
146
141
|
const decoded = await verifyCredentialSdJwt(credential, issuerConf.openid_credential_issuer.jwks.keys, credentialCryptoContext);
|
147
142
|
_logging.Logger.log(_logging.LogLevel.DEBUG, `Decoded credential: ${JSON.stringify(decoded)}`);
|
148
|
-
const
|
143
|
+
const credentialConfig = issuerConf.openid_credential_issuer.credential_configurations_supported[credentialConfigurationId];
|
144
|
+
if (!credentialConfig) {
|
145
|
+
_logging.Logger.log(_logging.LogLevel.ERROR, `Credential type not supported by the issuer: ${credentialConfigurationId}`);
|
146
|
+
throw new _errors.IoWalletError("Credential type not supported by the issuer");
|
147
|
+
}
|
148
|
+
const parsedCredential = parseCredentialSdJwt(credentialConfig, decoded, ignoreMissingAttributes, includeUndefinedAttributes);
|
149
149
|
const maybeIssuedAt = (0, _converters.getValueFromDisclosures)(decoded.disclosures, "iat");
|
150
150
|
_logging.Logger.log(_logging.LogLevel.DEBUG, `Parsed credential: ${JSON.stringify(parsedCredential)}\nIssued at: ${maybeIssuedAt}`);
|
151
151
|
return {
|
@@ -159,7 +159,7 @@ const verifyAndParseCredentialSdJwt = async (issuerConf, credential, _, _ref8) =
|
|
159
159
|
* Verify and parse an encoded credential.
|
160
160
|
* @param issuerConf The Issuer configuration returned by {@link evaluateIssuerTrust}
|
161
161
|
* @param credential The encoded credential returned by {@link obtainCredential}
|
162
|
-
* @param
|
162
|
+
* @param credentialConfigurationId The credential configuration ID that defines the provided credential
|
163
163
|
* @param context.credentialCryptoContext The crypto context used to obtain the credential in {@link obtainCredential}
|
164
164
|
* @param context.ignoreMissingAttributes Skip error when attributes declared in the issuer configuration are not found within disclosures
|
165
165
|
* @param context.includeUndefinedAttributes Include attributes not explicitly declared in the issuer configuration
|
@@ -168,13 +168,16 @@ const verifyAndParseCredentialSdJwt = async (issuerConf, credential, _, _ref8) =
|
|
168
168
|
* @throws {IoWalletError} If the credential is not bound to the provided user key
|
169
169
|
* @throws {IoWalletError} If the credential data fail to parse
|
170
170
|
*/
|
171
|
-
const verifyAndParseCredential = async (issuerConf, credential,
|
172
|
-
|
173
|
-
|
174
|
-
|
171
|
+
const verifyAndParseCredential = async (issuerConf, credential, credentialConfigurationId, context) => {
|
172
|
+
var _issuerConf$openid_cr;
|
173
|
+
const format = (_issuerConf$openid_cr = issuerConf.openid_credential_issuer.credential_configurations_supported[credentialConfigurationId]) === null || _issuerConf$openid_cr === void 0 ? void 0 : _issuerConf$openid_cr.format;
|
174
|
+
if (format === "dc+sd-jwt") {
|
175
|
+
_logging.Logger.log(_logging.LogLevel.DEBUG, "Parsing credential in dc+sd-jwt format");
|
176
|
+
return verifyAndParseCredentialSdJwt(issuerConf, credential, credentialConfigurationId, context);
|
175
177
|
}
|
176
|
-
|
177
|
-
|
178
|
+
const message = `Unsupported credential format: ${format}`;
|
179
|
+
_logging.Logger.log(_logging.LogLevel.ERROR, message);
|
180
|
+
throw new _errors.IoWalletError(message);
|
178
181
|
};
|
179
182
|
exports.verifyAndParseCredential = verifyAndParseCredential;
|
180
183
|
//# sourceMappingURL=07-verify-and-parse-credential.js.map
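Review bot: parseCredentialSdJwt ties the received credential to the configuration selected by `credentialConfigurationId` only through `credentialConfig.format !== sdJwt.header.typ` and the top-level claim names; nothing in the visible hunks compares the credential's type with that configuration. Unless this is checked outside the hunks (the function body spans several hunks and the decode step is not shown), any `dc+sd-jwt` credential from the same issuer would be parsed and labelled with another configuration's claim definitions. With `ignoreMissingAttributes` set, the mismatch would pass without an error. If the configuration and the SD-JWT payload both expose `vct` (to be confirmed against the project's types), add `if (credentialConfig.vct !== sdJwt.payload.vct)` right after the format check, with the same log-and-throw of `IoWalletError`. This file is build output, so the change belongs in `credential/issuance/07-verify-and-parse-credential.ts`, the source named in the accompanying map.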
|
@@ -1 +1 @@
|
|
1
|
-
{"version":3,"names":["_errors","require","_types","_sdJwt","_converters","_logging","parseCredentialSdJwt","
|
1
|
+
{"version":3,"names":["_errors","require","_types","_sdJwt","_converters","_logging","parseCredentialSdJwt","credentialConfig","_ref","sdJwt","disclosures","ignoreMissingAttributes","arguments","length","undefined","includeUndefinedAttributes","format","header","typ","message","Logger","log","LogLevel","ERROR","IoWalletError","claims","attrDefinitions","attrsNotInDisclosures","filter","definition","some","_ref2","name","path","missing","map","_","join","received","definedValues","Object","fromEntries","_ref3","_disclosures$find","value","find","_ref4","attrKey","display","reduce","names","_ref5","locale","undefinedValues","keys","includes","_ref6","key","verifyCredentialSdJwt","rawCredential","issuerKeys","holderBindingContext","decodedCredential","holderBindingKey","Promise","all","verifySdJwt","SdJwt4VC","getPublicKey","cnf","payload","jwk","kid","verifyAndParseCredentialSdJwt","issuerConf","credential","credentialConfigurationId","_ref7","credentialCryptoContext","decoded","openid_credential_issuer","jwks","DEBUG","JSON","stringify","credential_configurations_supported","parsedCredential","maybeIssuedAt","getValueFromDisclosures","expiration","Date","exp","issuedAt","verifyAndParseCredential","context","_issuerConf$openid_cr","exports"],"sourceRoot":"../../../../src","sources":["credential/issuance/07-verify-and-parse-credential.ts"],"mappings":";;;;;;AAGA,IAAAA,OAAA,GAAAC,OAAA;AACA,IAAAC,MAAA,GAAAD,OAAA;AACA,IAAAE,MAAA,GAAAF,OAAA;AACA,IAAAG,WAAA,GAAAH,OAAA;AAGA,IAAAI,QAAA,GAAAJ,OAAA;AA2BA;;AAkBA;;AAKA,MAAMK,oBAAoB,GAAG,SAAAA,CAE3BC,gBAAgC,EAAAC,IAAA,EAIX;EAAA,IAHrB;IAAEC,KAAK;IAAEC;EAAoC,CAAC,GAAAF,IAAA;EAAA,IAC9CG,uBAAgC,GAAAC,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,KAAK;EAAA,IACxCG,0BAAmC,GAAAH,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,KAAK;EAE3C,IAAIL,gBAAgB,CAACS,MAAM,KAAKP,KAAK,CAACQ,MAAM,CAACC,GAAG,EAAE;IAChD,MAAMC,OAAO,GAAI,gEAA+DZ,gBAAgB,CAACS,MAAO,gBAAeP,KAAK,CAACQ,MAAM,CAACC,GAAI,GAAE;IAC1IE,eAAM,CAACC,GAAG,CAACC,iBAAQ,CAACC,K
AAK,EAAEJ,OAAO,CAAC;IACnC,MAAM,IAAIK,qBAAa,CAACL,OAAO,CAAC;EAClC;EAEA,IAAI,CAACZ,gBAAgB,CAACkB,MAAM,EAAE;IAC5BL,eAAM,CAACC,GAAG,CAACC,iBAAQ,CAACC,KAAK,EAAE,0CAA0C,CAAC;IACtE,MAAM,IAAIC,qBAAa,CAAC,0CAA0C,CAAC,CAAC,CAAC;EACvE;;EACA,MAAME,eAAe,GAAGnB,gBAAgB,CAACkB,MAAM;;EAE/C;EACA,MAAME,qBAAqB,GAAGD,eAAe,CAACE,MAAM,CACjDC,UAAU,IAAK,CAACnB,WAAW,CAACoB,IAAI,CAACC,KAAA;IAAA,IAAC,GAAGC,IAAI,CAAC,GAAAD,KAAA;IAAA,OAAKC,IAAI,KAAKH,UAAU,CAACI,IAAI,CAAC,CAAC,CAAC;EAAA,EAAC,CAAC;EAC/E,CAAC;;EACD,IAAIN,qBAAqB,CAACd,MAAM,GAAG,CAAC,EAAE;IACpC,MAAMqB,OAAO,GAAGP,qBAAqB,CAACQ,GAAG,CAAEC,CAAC,IAAKA,CAAC,CAACH,IAAI,CAAC,CAAC,CAAC,CAAC,CAACI,IAAI,CAAC,IAAI,CAAC;IACtE,MAAMC,QAAQ,GAAG5B,WAAW,CAACyB,GAAG,CAAEC,CAAC,IAAKA,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,CAACC,IAAI,CAAC,IAAI,CAAC;IACnE,IAAI,CAAC1B,uBAAuB,EAAE;MAC5B,MAAMQ,OAAO,GAAI,4DAA2De,OAAQ,iBAAgBI,QAAS,GAAE;MAC/GlB,eAAM,CAACC,GAAG,CAACC,iBAAQ,CAACC,KAAK,EAAEJ,OAAO,CAAC;MACnC,MAAM,IAAIK,qBAAa,CAACL,OAAO,CAAC;IAClC;EACF;;EAEA;EACA;EACA,MAAMoB,aAAa,GAAGC,MAAM,CAACC,WAAW,CACtCf;EACE;EAAA,CACCS,GAAG,CACFO,KAAA;IAAA,IAAAC,iBAAA;IAAA,IAAC;MAAEV,IAAI;MAAE,GAAGJ;IAAW,CAAC,GAAAa,KAAA;IAAA,OACtB,CACET,IAAI,CAAC,CAAC,CAAC,EACP;MACE,GAAGJ,UAAU;MACbe,KAAK,GAAAD,iBAAA,GAAEjC,WAAW,CAACmC,IAAI,CACpBT,CAAC,IAAKA,CAAC,CAAC,CAAC,CAAC,WAAW,KAAKH,IAAI,CAAC,CAAC,CACnC,CAAC,cAAAU,iBAAA,uBAFMA,iBAAA,CAEH,CAAC,CAAC;IACR,CAAC,CACF;EAAA,CACL;EACA;EACA;EAAA,CACCR,GAAG,CACFW,KAAA;IAAA,IAAC,CAACC,OAAO,EAAE;MAAEC,OAAO;MAAE,GAAGnB;IAAW,CAAC,CAAC,GAAAiB,KAAA;IAAA,OACpC,CACEC,OAAO,EACP;MACE,GAAGlB,UAAU;MACbG,IAAI,EAAEgB,OAAO,CAACC,MAAM,CAClB,CAACC,KAAK,EAAAC,KAAA;QAAA,IAAE;UAAEC,MAAM;UAAEpB;QAAK,CAAC,GAAAmB,KAAA;QAAA,OAAM;UAAE,GAAGD,KAAK;UAAE,CAACE,MAAM,GAAGpB;QAAK,CAAC;MAAA,CAAC,EAC3D,CAAC,CACH;IACF,CAAC,CACF;EAAA,CACL,CACJ,CAAC;EAED,IAAIjB,0BAA0B,EAAE;IAC9B;IACA;IACA,MAAMsC,eAAe,GAAGb,MAAM,CAACC,WAAW,CACxC/B,WAAW,CACRkB,MAAM,CAAEQ,CAAC,IAAK,CAACI,MAAM,CAACc,IAAI,CAACf,aAAa,CAAC,CAACgB,QAAQ,CAACnB,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CACzDD,GAAG,CAACqB,KAAA;MAAA,IAAC,GAAGC,GAAG,EA
AEb,KAAK,CAAC,GAAAY,KAAA;MAAA,OAAK,CAACC,GAAG,EAAE;QAAEb,KAAK;QAAEZ,IAAI,EAAEyB;MAAI,CAAC,CAAC;IAAA,EACxD,CAAC;IACD,OAAO;MACL,GAAGlB,aAAa;MAChB,GAAGc;IACL,CAAC;EACH;EAEA,OAAOd,aAAa;AACtB,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,eAAemB,qBAAqBA,CAClCC,aAAqB,EACrBC,UAAiB,EACjBC,oBAAmC,EACF;EACjC,MAAM,CAACC,iBAAiB,EAAEC,gBAAgB,CAAC;EACzC;EACA,MAAMC,OAAO,CAACC,GAAG,CAAC,CAChB,IAAAC,aAAW,EAACP,aAAa,EAAEC,UAAU,EAAEO,eAAQ,CAAC,EAChDN,oBAAoB,CAACO,YAAY,CAAC,CAAC,CACpC,CAAC;EAEJ,MAAM;IAAEC;EAAI,CAAC,GAAGP,iBAAiB,CAACrD,KAAK,CAAC6D,OAAO;EAE/C,IAAI,CAACD,GAAG,CAACE,GAAG,CAACC,GAAG,IAAIH,GAAG,CAACE,GAAG,CAACC,GAAG,KAAKT,gBAAgB,CAACS,GAAG,EAAE;IACxD,MAAMrD,OAAO,GAAI,kDAAiD4C,gBAAgB,CAACS,GAAI,UAASV,iBAAiB,CAACrD,KAAK,CAAC6D,OAAO,CAACD,GAAG,CAACE,GAAG,CAACC,GAAI,EAAC;IAC7IpD,eAAM,CAACC,GAAG,CAACC,iBAAQ,CAACC,KAAK,EAAEJ,OAAO,CAAC;IACnC,MAAM,IAAIK,qBAAa,CAACL,OAAO,CAAC;EAClC;EAEA,OAAO2C,iBAAiB;AAC1B;AAEA,MAAMW,6BAAuD,GAAG,MAAAA,CAC9DC,UAAU,EACVC,UAAU,EACVC,yBAAyB,EAAAC,KAAA,KAMtB;EAAA,IALH;IACEC,uBAAuB;IACvBnE,uBAAuB;IACvBI;EACF,CAAC,GAAA8D,KAAA;EAED,MAAME,OAAO,GAAG,MAAMrB,qBAAqB,CACzCiB,UAAU,EACVD,UAAU,CAACM,wBAAwB,CAACC,IAAI,CAAC3B,IAAI,EAC7CwB,uBACF,CAAC;EAED1D,eAAM,CAACC,GAAG,CAACC,iBAAQ,CAAC4D,KAAK,EAAG,uBAAsBC,IAAI,CAACC,SAAS,CAACL,OAAO,CAAE,EAAC,CAAC;EAE5E,MAAMxE,gBAAgB,GACpBmE,UAAU,CAACM,wBAAwB,CAACK,mCAAmC,CACrET,yBAAyB,CAC1B;EAEH,IAAI,CAACrE,gBAAgB,EAAE;IACrBa,eAAM,CAACC,GAAG,CACRC,iBAAQ,CAACC,KAAK,EACb,gDAA+CqD,yBAA0B,EAC5E,CAAC;IACD,MAAM,IAAIpD,qBAAa,CAAC,6CAA6C,CAAC;EACxE;EAEA,MAAM8D,gBAAgB,GAAGhF,oBAAoB,CAC3CC,gBAAgB,EAChBwE,OAAO,EACPpE,uBAAuB,EACvBI,0BACF,CAAC;EACD,MAAMwE,aAAa,GAAG,IAAAC,mCAAuB,EAACT,OAAO,CAACrE,WAAW,EAAE,KAAK,CAAC;EAEzEU,eAAM,CAACC,GAAG,CACRC,iBAAQ,CAAC4D,KAAK,EACb,sBAAqBC,IAAI,CAACC,SAAS,CAACE,gBAAgB,CAAE,gBAAeC,aAAc,EACtF,CAAC;EAED,OAAO;IACLD,gBAAgB;IAChBG,UAAU,EAAE,IAAIC,IAAI,CAACX,OAAO,CAACtE,KAAK,CAAC6D,OAAO,CAACqB,GAAG,GAAG,IAAI,CAAC;IACtDC,QAAQ,EACN,OAAOL,aAAa,KAAK,QAAQ,GAC7B,IAAIG,IAAI,CAACH,aAAa,G
AAG,IAAI,CAAC,GAC9BzE;EACR,CAAC;AACH,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO,MAAM+E,wBAAkD,GAAG,MAAAA,CAChEnB,UAAU,EACVC,UAAU,EACVC,yBAAyB,EACzBkB,OAAO,KACJ;EAAA,IAAAC,qBAAA;EACH,MAAM/E,MAAM,IAAA+E,qBAAA,GACVrB,UAAU,CAACM,wBAAwB,CAACK,mCAAmC,CACrET,yBAAyB,CAC1B,cAAAmB,qBAAA,uBAFDA,qBAAA,CAEG/E,MAAM;EAEX,IAAIA,MAAM,KAAK,WAAW,EAAE;IAC1BI,eAAM,CAACC,GAAG,CAACC,iBAAQ,CAAC4D,KAAK,EAAE,wCAAwC,CAAC;IACpE,OAAOT,6BAA6B,CAClCC,UAAU,EACVC,UAAU,EACVC,yBAAyB,EACzBkB,OACF,CAAC;EACH;EAEA,MAAM3E,OAAO,GAAI,kCAAiCH,MAAO,EAAC;EAC1DI,eAAM,CAACC,GAAG,CAACC,iBAAQ,CAACC,KAAK,EAAEJ,OAAO,CAAC;EACnC,MAAM,IAAIK,qBAAa,CAACL,OAAO,CAAC;AAClC,CAAC;AAAC6E,OAAA,CAAAH,wBAAA,GAAAA,wBAAA"}
|