npm - @pagopa/io-react-native-wallet - Versions diffs - 2.3.0 → 2.4.0 - Mend

@pagopa/io-react-native-wallet 2.3.0 → 2.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (77) hide show

package/lib/module/credential/issuance/README.md CHANGED Viewed

@@ -23,30 +23,45 @@ graph TD;
     6[obtainCredential]
     7[verifyAndParseCredential]
     credSel{Is credential an eID?}
+    proofSel{Requires MRTD PoP?}
+    M1[continueUserAuthorizationWithMRTDPoPChallenge]
+    subgraph MRTD PoP flow
+    M2[verifyAndParseChallengeInfo]
+    M3[initChallenge]
+    M4[validateChallenge]
+    end
     0 --> 1
     1 --> 2
     2 --> 3
     3 --> credSel
-    credSel -->|Yes| E4
+    credSel -->|Yes| proofSel
     credSel -->|No| C4
+    proofSel --> |Yes| M1
+    proofSel --> |No| E4
     C4 --> C4.1
     C4.1 --> 5
     E4 --> 5
     5 --> 6
     6 --> 7
+    M1 --> M2
+    M2 --> M3
+    M3 --> M4
+    M4 --> E4
 ```
 ## Mapped results
 The following errors are mapped to a `IssuerResponseError` with specific codes.
-|HTTP Status|Error Code|Description|
-|-----------|----------|-----------|
-|`201 Created`|`ERR_CREDENTIAL_ISSUING_NOT_SYNCHRONOUS`| This response is returned by the credential issuer when the request has been queued because the credential cannot be issued synchronously. The consumer should try to obtain the credential at a later time. Although `201 Created` is not considered an error, it is mapped as an error in this context in order to handle the case where the credential issuance is not synchronous. This allows keeping the flow consistent and handle the case where the credential is not immediately available.|
-|`403 Forbidden`|`ERR_CREDENTIAL_INVALID_STATUS`|This response is returned by the credential issuer when the requested credential has an invalid status. It might contain more details in the `reason` property.|
-|`404 Not Found`|`ERR_CREDENTIAL_INVALID_STATUS`| This response is returned by the credential issuer when the authenticated user is not entitled to receive the requested credential. It might contain more details in the `reason` property.|
-|`*`|`ERR_ISSUER_GENERIC_ERROR`|This is a generic error code to map unexpected errors that occurred when interacting with the Issuer.|
+| HTTP Status     | Error Code                               | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
+| --------------- | ---------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `201 Created`   | `ERR_CREDENTIAL_ISSUING_NOT_SYNCHRONOUS` | This response is returned by the credential issuer when the request has been queued because the credential cannot be issued synchronously. The consumer should try to obtain the credential at a later time. Although `201 Created` is not considered an error, it is mapped as an error in this context in order to handle the case where the credential issuance is not synchronous. This allows keeping the flow consistent and handle the case where the credential is not immediately available. |
+| `403 Forbidden` | `ERR_CREDENTIAL_INVALID_STATUS`          | This response is returned by the credential issuer when the requested credential has an invalid status. It might contain more details in the `reason` property.                                                                                                                                                                                                                                                                                                                                       |
+| `404 Not Found` | `ERR_CREDENTIAL_INVALID_STATUS`          | This response is returned by the credential issuer when the authenticated user is not entitled to receive the requested credential. It might contain more details in the `reason` property.                                                                                                                                                                                                                                                                                                           |
+| `*`             | `ERR_ISSUER_GENERIC_ERROR`               | This is a generic error code to map unexpected errors that occurred when interacting with the Issuer.                                                                                                                                                                                                                                                                                                                                                                                                 |
 ## Strong authentication for eID issuance (Query Mode)
@@ -60,6 +75,17 @@ CIE+PIN(L3) requires a different flow due to the physical card presence. Helper
 The expected result from the authentication process is in provided in the query string as defined in the [JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)](https://openid.net/specs/oauth-v2-jarm.html#name-response-mode-queryjwt).
+#### eID Substantial Authentication (L2+) with MRTD Verification
+MRTD Verification is a sub-flow of the Issuance flow and is used when the requested eID requires **eID Substantial Authentication (LoA3) with MRTD (Machine Readable Travel Document) Verification**. This method provides an alternative to CIEid LoA High authentication, requiring two distinct steps to complete the authorization:
+1. **Primary Authentication**: LoA3 electronic identification (SPID or CIEid L2).
+2. **MRTD Proof of Possession (PoP)**: Electronic document reading and cryptographic verification.
+This process is initiated by the Authorization Server responding to the primary authentication step with a redirect that includes a challenge in the query string, which is handled by the `continueUserAuthorizationWithMRTDPoPChallenge` function. Once the MRTD PoP is completed, the user must continue the PID issuance flow with the `completeUserAuthorizationWithQueryMode` function.
+Complete documentation for the MRTD PoP flow can be found here: [mrtd-pop](./mrtd-pop/README.md)
 ## Authentication through credentials (Form Post JWT Mode)
 When the credential is different than an eID, the flow requires the user to present other credentials in order to obtain the requested one. This is done through the `getRequestedCredentialToBePresented` followed by the `completeUserAuthorizationWithFormPostJwtMode`.
@@ -122,8 +148,9 @@ const { issuerConf } = await Credential.Issuance.evaluateIssuerTrust(issuerUrl);
 // Start user authorization
 const { issuerRequestUri, clientId, codeVerifier } =
   await Credential.Issuance.startUserAuthorization(
-    issuerConf,
-    [credentialId],
+    issuerConf,
+    [credentialId],
+    { proofType: "none" },
     {
       walletInstanceAttestation,
       redirectUri: REDIRECT_URI,
@@ -199,10 +226,10 @@ const { parsedCredential } =
     issuerConf,
     credential,
     credential_configuration_id,
-    {
-      credentialCryptoContext,
+    {
+      credentialCryptoContext,
       ignoreMissingAttributes: true,
-      includeUndefinedAttributes: false
+      includeUndefinedAttributes: false
     },
     mockX509CertRoot
   );
@@ -285,6 +312,7 @@ const { issuerRequestUri, clientId, codeVerifier, credentialDefinition } =
   await Credential.Issuance.startUserAuthorization(
     issuerConf,
     [credentialId], // Request authorization for one or more credentials
+    { proofType: "none" },
     {
       walletInstanceAttestation,
       redirectUri,
@@ -296,12 +324,7 @@ const { issuerRequestUri, clientId, codeVerifier, credentialDefinition } =
 // Complete the authorization process with query mode with the authorizationContext which opens the browser
 const { code } =
   await Credential.Issuance.completeUserAuthorizationWithQueryMode(
-    issuerRequestUri,
-    clientId,
-    issuerConf,
-    idpHint,
-    redirectUri,
-    authorizationContext
+    issuerRequestUri
   );
 // Create DPoP context which will be used for the whole issuance flow
@@ -372,3 +395,117 @@ return {
 The result of this flow is a raw credential and a parsed credential which must be stored securely in the wallet along with its crypto key.
 </details>
+<details>
+  <summary>eID issuance flow with MRTD PoP validation</summary>
+```ts
+/**
+ *
+ * Previous steps are the sames as the "eID issuance flow" example
+ *
+ */
+// Start user authorization indicating "mrtd-pop" as the proof type with the idpHint of the
+// chosen identification method
+const { issuerRequestUri, clientId, codeVerifier, credentialDefinition } =
+  await Credential.Issuance.startUserAuthorization(
+    issuerConf,
+    [credentialId],
+    { proofType: "mrtd-pop", idpHinting: idpHint },
+    {
+      walletInstanceAttestation,
+      redirectUri: redirectUri,
+      wiaCryptoContext,
+      appFetch,
+    }
+  );
+// Obtain the Authorization URL
+const { authUrl } = await Credential.Issuance.buildAuthorizationUrl(
+  issuerRequestUri,
+  clientId,
+  issuerConf,
+  idpHint
+);
+// Extract challenge info from the Authorization URL
+const { challenge_info } =
+  await Credential.Issuance.continueUserAuthorizationWithMRTDPoPChallenge(
+    authUrl
+  );
+// Verify and parse challenge info and extract challenge data: initialization url, session and nonce
+const {
+  htu: initUrl,
+  mrtd_auth_session,
+  mrtd_pop_jwt_nonce,
+} = await Credential.Issuance.MRTDPoP.verifyAndParseChallengeInfo(
+  issuerConf,
+  challenge_info,
+  { wiaCryptoContext }
+);
+// Initialize challenge and obtain the challenge text to sign the CIE PACE protocol and validation url
+const {
+  htu: validationUrl,
+  challenge,
+  mrtd_pop_nonce,
+} = await Credential.Issuance.MRTDPoP.initChallenge(
+  issuerConf,
+  initUrl,
+  mrtd_auth_session,
+  mrtd_pop_jwt_nonce,
+  {
+    walletInstanceAttestation,
+    wiaCryptoContext,
+    appFetch,
+  }
+);
+// CIE cryptographic interaction: you need to sign the challenge with the CIE through NFC interaction
+const { nis, mrtds } = /* NFC interactions functions */
+// Validate challenge
+const { mrtd_val_pop_nonce, redirect_uri } =
+  await Credential.Issuance.MRTDPoP.validateChallenge(
+    issuerConf,
+    validationUrl,
+    mrtd_auth_session,
+    mrtd_pop_nonce,
+    mrtd,
+    ias,
+    {
+      walletInstanceAttestation,
+      wiaCryptoContext,
+      appFetch,
+    }
+  );
+// Build the callback url
+const { callbackUrl } = await Credential.Issuance.buildChallengeCallbackUrl(
+  redirect_uri,
+  mrtd_val_pop_nonce,
+  mrtd_auth_session
+);
+// The generated authUrl must be used to open a browser or webview capable of catching the redirectSchema to perform a get request to the authorization endpoint.
+const authRedirectUrl = /* From a browser or webview redirect */
+// Complete the authorization process with query mode using the returned callback url
+const { code } =
+  await Credential.Issuance.completeUserAuthorizationWithQueryMode(
+    authRedirectUrl
+  );
+/**
+ *
+ * The next steps are the same as the "eID issuance flow" example
+ *
+ */
+};
+```
+The result of this flow is a raw credential and a parsed credential which must be stored securely in the wallet along with its crypto key.
+</details>

package/lib/module/credential/issuance/index.js CHANGED Viewed

@@ -1,9 +1,10 @@
 import { evaluateIssuerTrust } from "./02-evaluate-issuer-trust";
 import { startUserAuthorization } from "./03-start-user-authorization";
-import { completeUserAuthorizationWithQueryMode, completeUserAuthorizationWithFormPostJwtMode, parseAuthorizationResponse, buildAuthorizationUrl, getRequestedCredentialToBePresented } from "./04-complete-user-authorization";
+import { continueUserAuthorizationWithMRTDPoPChallenge, completeUserAuthorizationWithQueryMode, completeUserAuthorizationWithFormPostJwtMode, parseAuthorizationResponse, buildAuthorizationUrl, getRequestedCredentialToBePresented } from "./04-complete-user-authorization";
 import { authorizeAccess } from "./05-authorize-access";
 import { obtainCredential } from "./06-obtain-credential";
 import { verifyAndParseCredential } from "./07-verify-and-parse-credential";
 import * as Errors from "./errors";
-export { evaluateIssuerTrust, startUserAuthorization, buildAuthorizationUrl, completeUserAuthorizationWithQueryMode, getRequestedCredentialToBePresented, completeUserAuthorizationWithFormPostJwtMode, authorizeAccess, obtainCredential, verifyAndParseCredential, parseAuthorizationResponse, Errors };
+import * as MRTDPoP from "./mrtd-pop";
+export { MRTDPoP, evaluateIssuerTrust, startUserAuthorization, buildAuthorizationUrl, completeUserAuthorizationWithQueryMode, continueUserAuthorizationWithMRTDPoPChallenge, getRequestedCredentialToBePresented, completeUserAuthorizationWithFormPostJwtMode, authorizeAccess, obtainCredential, verifyAndParseCredential, parseAuthorizationResponse, Errors };
 //# sourceMappingURL=index.js.map

package/lib/module/credential/issuance/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"names":["evaluateIssuerTrust","startUserAuthorization","completeUserAuthorizationWithQueryMode","completeUserAuthorizationWithFormPostJwtMode","parseAuthorizationResponse","buildAuthorizationUrl","getRequestedCredentialToBePresented","authorizeAccess","obtainCredential","verifyAndParseCredential","Errors"],"sourceRoot":"../../../../src","sources":["credential/issuance/index.ts"],"mappings":"AACA,SACEA,mBAAmB,QAEd,4BAA4B;AACnC,SACEC,sBAAsB,QAEjB,+BAA+B;AACtC,SACEC,sCAAsC,EACtCC,4CAA4C,EAC5CC,0BAA0B,EAC1BC,qBAAqB,~~EAKrBC~~,mCAAmC,~~QAC9B~~,kCAAkC;AACzC,SAASC,eAAe,QAA8B,uBAAuB;AAC7E,SACEC,gBAAgB,QAEX,wBAAwB;AAC/B,SACEC,wBAAwB,QAEnB,kCAAkC;AACzC,OAAO,KAAKC,MAAM,MAAM,UAAU;~~AAElC~~,~~SACEV~~,mBAAmB,EACnBC,sBAAsB,~~EACtBI~~,qBAAqB,EACrBH,sCAAsC,~~EACtCI~~,mCAAmC,EACnCH,4CAA4C,EAC5CI,eAAe,EACfC,gBAAgB,EAChBC,wBAAwB,EACxBL,0BAA0B,EAC1BM,MAAM"}
1	+ {"version":3,"names":["evaluateIssuerTrust","startUserAuthorization","continueUserAuthorizationWithMRTDPoPChallenge","completeUserAuthorizationWithQueryMode","completeUserAuthorizationWithFormPostJwtMode","parseAuthorizationResponse","buildAuthorizationUrl","getRequestedCredentialToBePresented","authorizeAccess","obtainCredential","verifyAndParseCredential","Errors","MRTDPoP"],"sourceRoot":"../../../../src","sources":["credential/issuance/index.ts"],"mappings":"AACA,SACEA,mBAAmB,QAEd,4BAA4B;AACnC,SACEC,sBAAsB,QAEjB,+BAA+B;AACtC,SACEC,6CAA6C,EAC7CC,sCAAsC,EACtCC,4CAA4C,EAC5CC,0BAA0B,EAC1BC,qBAAqB,EACrBC,mCAAmC,QAM9B,kCAAkC;AACzC,SAASC,eAAe,QAA8B,uBAAuB;AAC7E,SACEC,gBAAgB,QAEX,wBAAwB;AAC/B,SACEC,wBAAwB,QAEnB,kCAAkC;AACzC,OAAO,KAAKC,MAAM,MAAM,UAAU;AAClC,OAAO,KAAKC,OAAO,MAAM,YAAY;AAErC,SACEA,OAAO,EACPZ,mBAAmB,EACnBC,sBAAsB,EACtBK,qBAAqB,EACrBH,sCAAsC,EACtCD,6CAA6C,EAC7CK,mCAAmC,EACnCH,4CAA4C,EAC5CI,eAAe,EACfC,gBAAgB,EAChBC,wBAAwB,EACxBL,0BAA0B,EAC1BM,MAAM"}

package/lib/module/credential/issuance/mrtd-pop/01-verify-and-parse-challenge-info.js ADDED Viewed

@@ -0,0 +1,50 @@
+import { decode as decodeJwt, verify as verifyJwt } from "@pagopa/io-react-native-jwt";
+import { MrtdProofChallengeInfo } from "./types";
+import { IoWalletError } from "../../../utils/errors";
+/**
+ * Verifies and parses the payload of a MRTD Proof Challenge Info JWT obtained after the primary authentication.
+ *
+ * This function performs the following steps:
+ * 1. Validates the JWT signature using the issuer's JWKS.
+ * 2. Decodes the JWT and parses its structure according to the {@link MrtdProofChallengeInfo} schema.
+ * 3. Verifies that the `aud` claim matches the client's public key ID.
+ * 4. Checks that the JWT is not expired and was not issued in the future.
+ *
+ * @param issuerConf - The issuer configuration containing the JWKS for signature verification.
+ * @param challengeInfoJwt - The JWT string representing the MRTD Proof Challenge Info.
+ * @param context - The context containing the WIA crypto context used to retrieve the client public key.
+ * @returns The parsed payload of the MRTD Proof Challenge Info JWT.
+ * @throws {Error} If the JWT signature is invalid, the structure is malformed, the `aud` claim does not match,
+ * or the JWT is expired/not yet valid.
+ */
+export const verifyAndParseChallengeInfo = async (issuerConf, challengeInfoJwt, _ref) => {
+  let {
+    wiaCryptoContext
+  } = _ref;
+  // Verify JWT signature
+  await verifyJwt(challengeInfoJwt, issuerConf.oauth_authorization_server.jwks.keys);
+  // Decode JWT
+  const challengeInfoDecoded = decodeJwt(challengeInfoJwt);
+  // Parse and validate structure
+  const challengeInfoParsed = MrtdProofChallengeInfo.safeParse(challengeInfoDecoded);
+  if (!challengeInfoParsed.success) {
+    throw new IoWalletError("Malformed challenge info.");
+  }
+  const payload = challengeInfoParsed.data.payload;
+  // Verify aud claim
+  const clientId = await wiaCryptoContext.getPublicKey().then(_ => _.kid);
+  if (payload.aud !== clientId) {
+    throw new IoWalletError("aud claim does not match client_id.");
+  }
+  // Verify iat and exp
+  const now = Math.floor(Date.now() / 1000);
+  if (payload.iat > now || payload.exp < now) {
+    throw new IoWalletError("JWT is not valid (issued in future or expired).");
+  }
+  return payload;
+};
+//# sourceMappingURL=01-verify-and-parse-challenge-info.js.map

package/lib/module/credential/issuance/mrtd-pop/01-verify-and-parse-challenge-info.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"names":["decode","decodeJwt","verify","verifyJwt","MrtdProofChallengeInfo","IoWalletError","verifyAndParseChallengeInfo","issuerConf","challengeInfoJwt","_ref","wiaCryptoContext","oauth_authorization_server","jwks","keys","challengeInfoDecoded","challengeInfoParsed","safeParse","success","payload","data","clientId","getPublicKey","then","_","kid","aud","now","Math","floor","Date","iat","exp"],"sourceRoot":"../../../../../src","sources":["credential/issuance/mrtd-pop/01-verify-and-parse-challenge-info.ts"],"mappings":"AAAA,SACEA,MAAM,IAAIC,SAAS,EACnBC,MAAM,IAAIC,SAAS,QAEd,6BAA6B;AACpC,SAASC,sBAAsB,QAAQ,SAAS;AAGhD,SAASC,aAAa,QAAQ,uBAAuB;AAUrD;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMC,2BAAwD,GAAG,MAAAA,CACtEC,UAAU,EACVC,gBAAwB,EAAAC,IAAA,KAErB;EAAA,IADH;IAAEC;EAAiB,CAAC,GAAAD,IAAA;EAEpB;EACA,MAAMN,SAAS,CACbK,gBAAgB,EAChBD,UAAU,CAACI,0BAA0B,CAACC,IAAI,CAACC,IAC7C,CAAC;;EAED;EACA,MAAMC,oBAAoB,GAAGb,SAAS,CAACO,gBAAgB,CAAC;;EAExD;EACA,MAAMO,mBAAmB,GACvBX,sBAAsB,CAACY,SAAS,CAACF,oBAAoB,CAAC;EACxD,IAAI,CAACC,mBAAmB,CAACE,OAAO,EAAE;IAChC,MAAM,IAAIZ,aAAa,CAAC,2BAA2B,CAAC;EACtD;EACA,MAAMa,OAAO,GAAGH,mBAAmB,CAACI,IAAI,CAACD,OAAO;;EAEhD;EACA,MAAME,QAAQ,GAAG,MAAMV,gBAAgB,CAACW,YAAY,CAAC,CAAC,CAACC,IAAI,CAAEC,CAAC,IAAKA,CAAC,CAACC,GAAG,CAAC;EACzE,IAAIN,OAAO,CAACO,GAAG,KAAKL,QAAQ,EAAE;IAC5B,MAAM,IAAIf,aAAa,CAAC,qCAAqC,CAAC;EAChE;;EAEA;EACA,MAAMqB,GAAG,GAAGC,IAAI,CAACC,KAAK,CAACC,IAAI,CAACH,GAAG,CAAC,CAAC,GAAG,IAAI,CAAC;EACzC,IAAIR,OAAO,CAACY,GAAG,GAAGJ,GAAG,IAAIR,OAAO,CAACa,GAAG,GAAGL,GAAG,EAAE;IAC1C,MAAM,IAAIrB,aAAa,CAAC,iDAAiD,CAAC;EAC5E;EAEA,OAAOa,OAAO;AAChB,CAAC"}

package/lib/module/credential/issuance/mrtd-pop/02-init-challenge.js ADDED Viewed

@@ -0,0 +1,52 @@
+import { hasStatusOrThrow } from "../../../utils/misc";
+import { v4 as uuidv4 } from "uuid";
+import { createPopToken } from "../../../utils/pop";
+import * as WalletInstanceAttestation from "../../../wallet-instance-attestation";
+import { IssuerResponseError } from "../../../utils/errors";
+import { decode as decodeJwt } from "@pagopa/io-react-native-jwt";
+import { MrtdPoPChallenge } from "./types";
+/**
+ * Initialaizes the MRTD challenge with the data received from the issuer after the primary authentication.
+ * This function must be called after {@link verifyAndParseChallengeInfo}.
+ *
+ * @param issuerConf - The issuer configuration containing the JWKS for signature verification.
+ * @param initUrl - The endpoint to call to initialize the challenge.
+ * @param mrtd_auth_session - Session identifier for session binding obtained from the MRTD Proof JWT.
+ * @param mrtd_pop_jwt_nonce - Nonce value obtained from the MRTD Proof JWT.
+ * @param context - The context containing the WIA crypto context used to retrieve the client public key,
+ * the wallet instance attestation and an optional fetch implementation.
+ * @returns The payload of the MRTD PoP Challenge JWT.
+ */
+export const initChallenge = async (issuerConf, initUrl, mrtd_auth_session, mrtd_pop_jwt_nonce, context) => {
+  const {
+    appFetch = fetch,
+    walletInstanceAttestation,
+    wiaCryptoContext
+  } = context;
+  const aud = issuerConf.openid_credential_issuer.credential_issuer;
+  const iss = WalletInstanceAttestation.decode(walletInstanceAttestation).payload.cnf.jwk.kid;
+  const signedWiaPoP = await createPopToken({
+    jti: `${uuidv4()}`,
+    aud,
+    iss
+  }, wiaCryptoContext);
+  const requestBody = {
+    mrtd_auth_session,
+    mrtd_pop_jwt_nonce
+  };
+  const mrtdPoPChallengeJwt = await appFetch(initUrl, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      "OAuth-Client-Attestation": walletInstanceAttestation,
+      "OAuth-Client-Attestation-PoP": signedWiaPoP
+    },
+    body: JSON.stringify(requestBody)
+  }).then(hasStatusOrThrow(202, IssuerResponseError)).then(res => res.text());
+  const mrtdPoPChallengeDecoded = decodeJwt(mrtdPoPChallengeJwt);
+  const {
+    payload
+  } = MrtdPoPChallenge.parse(mrtdPoPChallengeDecoded);
+  return payload;
+};
+//# sourceMappingURL=02-init-challenge.js.map

package/lib/module/credential/issuance/mrtd-pop/02-init-challenge.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"names":["hasStatusOrThrow","v4","uuidv4","createPopToken","WalletInstanceAttestation","IssuerResponseError","decode","decodeJwt","MrtdPoPChallenge","initChallenge","issuerConf","initUrl","mrtd_auth_session","mrtd_pop_jwt_nonce","context","appFetch","fetch","walletInstanceAttestation","wiaCryptoContext","aud","openid_credential_issuer","credential_issuer","iss","payload","cnf","jwk","kid","signedWiaPoP","jti","requestBody","mrtdPoPChallengeJwt","method","headers","body","JSON","stringify","then","res","text","mrtdPoPChallengeDecoded","parse"],"sourceRoot":"../../../../../src","sources":["credential/issuance/mrtd-pop/02-init-challenge.ts"],"mappings":"AAAA,SAASA,gBAAgB,QAAkB,qBAAqB;AAEhE,SAASC,EAAE,IAAIC,MAAM,QAAQ,MAAM;AACnC,SAASC,cAAc,QAAQ,oBAAoB;AACnD,OAAO,KAAKC,yBAAyB,MAAM,sCAAsC;AAEjF,SAASC,mBAAmB,QAAQ,uBAAuB;AAC3D,SAASC,MAAM,IAAIC,SAAS,QAAQ,6BAA6B;AACjE,SAASC,gBAAgB,QAAQ,SAAS;AAc1C;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMC,aAA4B,GAAG,MAAAA,CAC1CC,UAAU,EACVC,OAAO,EACPC,iBAAiB,EACjBC,kBAAkB,EAClBC,OAAO,KACJ;EACH,MAAM;IACJC,QAAQ,GAAGC,KAAK;IAChBC,yBAAyB;IACzBC;EACF,CAAC,GAAGJ,OAAO;EAEX,MAAMK,GAAG,GAAGT,UAAU,CAACU,wBAAwB,CAACC,iBAAiB;EACjE,MAAMC,GAAG,GAAGlB,yBAAyB,CAACE,MAAM,CAACW,yBAAyB,CAAC,CACpEM,OAAO,CAACC,GAAG,CAACC,GAAG,CAACC,GAAG;EAEtB,MAAMC,YAAY,GAAG,MAAMxB,cAAc,CACvC;IACEyB,GAAG,EAAG,GAAE1B,MAAM,CAAC,CAAE,EAAC;IAClBiB,GAAG;IACHG;EACF,CAAC,EACDJ,gBACF,CAAC;EAED,MAAMW,WAAW,GAAG;IAClBjB,iBAAiB;IACjBC;EACF,CAAC;EAED,MAAMiB,mBAAmB,GAAG,MAAMf,QAAQ,CAACJ,OAAO,EAAE;IAClDoB,MAAM,EAAE,MAAM;IACdC,OAAO,EAAE;MACP,cAAc,EAAE,kBAAkB;MAClC,0BAA0B,EAAEf,yBAAyB;MACrD,8BAA8B,EAAEU;IAClC,CAAC;IACDM,IAAI,EAAEC,IAAI,CAACC,SAAS,CAACN,WAAW;EAClC,CAAC,CAAC,CACCO,IAAI,CAACpC,gBAAgB,CAAC,GAAG,EAAEK,mBAAmB,CAAC,CAAC,CAChD+B,IAAI,CAAEC,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC;EAE5B,MAAMC,uBAAuB,GAAGhC,SAAS,CAACuB,mBAAmB,CAAC;EAC9D,MAAM;IAAEP;EAAQ,CAAC,GAAGf,gBAAgB,CAACgC,KAAK,CAACD,uBAAuB,CAAC;EAEnE,OAAOhB,OAAO;AAChB,CAAC"}

package/lib/module/credential/issuance/mrtd-pop/03-validate-challenge.js ADDED Viewed

@@ -0,0 +1,85 @@
+import { SignJWT } from "@pagopa/io-react-native-jwt";
+import { v4 as uuidv4 } from "uuid";
+import { IssuerResponseError } from "../../../utils/errors";
+import { hasStatusOrThrow } from "../../../utils/misc";
+import { createPopToken } from "../../../utils/pop";
+import * as WalletInstanceAttestation from "../../../wallet-instance-attestation";
+import { MrtdPopVerificationResult } from "./types";
+/**
+ * Validates the MRTD signed challenge by sending the MRTD and IAS payloads to the issuer.
+ * This function must be called after {@link initChallenge} and after obtaining the MRTD and IAS payloads
+ * through the CIE PACE process.
+ *
+ * @param issuerConf - The issuer configuration containing the JWKS for signature verification.
+ * @param verifyUrl - The endpoint to call to validate the challenge.
+ * @param mrtd_auth_session - Session identifier for session binding obtained from the MRTD Proof JWT.
+ * @param mrtd_pop_nonce - Nonce value obtained from the MRTD Proof JWT.
+ * @param mrtd - MRTD validation data containing Data Groups and SOD.
+ * @param ias - IAS validation data containing Anti-Cloning Public Key, and SOD.
+ * @param context - The context containing the WIA crypto context used to retrieve the client public key,
+ * the wallet instance attestation and an optional fetch implementation.
+ * @returns The MRTD PoP Verification Result containing the validation nonce and redirect URI to complete the flow.
+ */
+export const validateChallenge = async (issuerConf, verifyUrl, mrtd_auth_session, mrtd_pop_nonce, mrtd, ias, context) => {
+  const {
+    appFetch = fetch,
+    walletInstanceAttestation,
+    wiaCryptoContext
+  } = context;
+  const aud = issuerConf.openid_credential_issuer.credential_issuer;
+  const iss = WalletInstanceAttestation.decode(walletInstanceAttestation).payload.cnf.jwk.kid;
+  const signedWiaPoP = await createPopToken({
+    jti: `${uuidv4()}`,
+    aud,
+    iss
+  }, wiaCryptoContext);
+  const {
+    kid
+  } = await wiaCryptoContext.getPublicKey();
+  const mrtd_validation_jwt = await new SignJWT(wiaCryptoContext).setProtectedHeader({
+    typ: "mrtd-ias+jwt",
+    kid
+  }).setPayload({
+    iss,
+    aud,
+    document_type: "cie",
+    mrtd,
+    ias
+  }).setIssuedAt().setExpirationTime("5m").sign();
+  const requestBody = {
+    mrtd_validation_jwt,
+    mrtd_auth_session,
+    mrtd_pop_nonce
+  };
+  const verifyResult = await appFetch(verifyUrl, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      "OAuth-Client-Attestation": walletInstanceAttestation,
+      "OAuth-Client-Attestation-PoP": signedWiaPoP
+    },
+    body: JSON.stringify(requestBody)
+  }).then(hasStatusOrThrow(202, IssuerResponseError)).then(res => res.json());
+  const verifyResultParsed = MrtdPopVerificationResult.parse(verifyResult);
+  return verifyResultParsed;
+};
+/**
+ * WARNING: This function must be called after {@link validateChallenge}. The generated authUrl must be used to open a browser or webview capable of catching the redirectSchema to perform a get request to the authorization endpoint.
+ * Builds the callback URL to which the end user should be redirected to continue the authentication flow after the MRTD challenge validation.
+ * @param redirectUri - The redirect URI provided by the issuer after the challenge validation to continue the authentication flow.
+ * @param valPopNonce - The MRTD validation PoP nonce obtained from the challenge validation response.
+ * @param authSession - The MRTD authentication session identifier used for session binding.
+ * @returns An object containing the callback URL
+ */
+export const buildChallengeCallbackUrl = async (redirectUri, valPopNonce, authSession) => {
+  const params = new URLSearchParams({
+    mrtd_val_pop_nonce: valPopNonce,
+    mrtd_auth_session: authSession
+  });
+  const callbackUrl = `${redirectUri}?${params}`;
+  return {
+    callbackUrl
+  };
+};
+//# sourceMappingURL=03-validate-challenge.js.map

package/lib/module/credential/issuance/mrtd-pop/03-validate-challenge.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"names":["SignJWT","v4","uuidv4","IssuerResponseError","hasStatusOrThrow","createPopToken","WalletInstanceAttestation","MrtdPopVerificationResult","validateChallenge","issuerConf","verifyUrl","mrtd_auth_session","mrtd_pop_nonce","mrtd","ias","context","appFetch","fetch","walletInstanceAttestation","wiaCryptoContext","aud","openid_credential_issuer","credential_issuer","iss","decode","payload","cnf","jwk","kid","signedWiaPoP","jti","getPublicKey","mrtd_validation_jwt","setProtectedHeader","typ","setPayload","document_type","setIssuedAt","setExpirationTime","sign","requestBody","verifyResult","method","headers","body","JSON","stringify","then","res","json","verifyResultParsed","parse","buildChallengeCallbackUrl","redirectUri","valPopNonce","authSession","params","URLSearchParams","mrtd_val_pop_nonce","callbackUrl"],"sourceRoot":"../../../../../src","sources":["credential/issuance/mrtd-pop/03-validate-challenge.ts"],"mappings":"AAAA,SAASA,OAAO,QAA4B,6BAA6B;AACzE,SAASC,EAAE,IAAIC,MAAM,QAAQ,MAAM;AACnC,SAASC,mBAAmB,QAAQ,uBAAuB;AAC3D,SAASC,gBAAgB,QAAkB,qBAAqB;AAChE,SAASC,cAAc,QAAQ,oBAAoB;AACnD,OAAO,KAAKC,yBAAyB,MAAM,sCAAsC;AAEjF,SACEC,yBAAyB,QAGpB,SAAS;AAyBhB;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMC,iBAAoC,GAAG,MAAAA,CAClDC,UAAU,EACVC,SAAS,EACTC,iBAAiB,EACjBC,cAAc,EACdC,IAAI,EACJC,GAAG,EACHC,OAAO,KACJ;EACH,MAAM;IACJC,QAAQ,GAAGC,KAAK;IAChBC,yBAAyB;IACzBC;EACF,CAAC,GAAGJ,OAAO;EAEX,MAAMK,GAAG,GAAGX,UAAU,CAACY,wBAAwB,CAACC,iBAAiB;EACjE,MAAMC,GAAG,GAAGjB,yBAAyB,CAACkB,MAAM,CAACN,yBAAyB,CAAC,CACpEO,OAAO,CAACC,GAAG,CAACC,GAAG,CAACC,GAAG;EAEtB,MAAMC,YAAY,GAAG,MAAMxB,cAAc,CACvC;IACEyB,GAAG,EAAG,GAAE5B,MAAM,CAAC,CAAE,EAAC;IAClBkB,GAAG;IACHG;EACF,CAAC,EACDJ,gBACF,CAAC;EAED,MAAM;IAAES;EAAI,CAAC,GAAG,MAAMT,gBAAgB,CAACY,YAAY,CAAC,CAAC;EAErD,MAAMC,mBAAmB,GAAG,MAAM,IAAIhC,OAAO,CAACmB,gBAAgB,CAAC,CAC5Dc,kBAAkB,CAAC;IAClBC,GAAG,EAAE,cAAc;IACnBN;EACF,CAAC,CAAC,CACDO,UAAU,CAAC;IACVZ,GAAG;IACHH,GAAG;IACHgB,aAAa,EAAE,KAAK;IACpBvB,IAAI;IACJC;EACF,CAAC,CAAC,CACDuB,WAAW,CAAC,CAAC,CACbC,iBAAiB,CAAC,IAAI,CAAC,CACvBC,IAAI,CAAC,CAAC;EAET,MAAMC,WAAW,GAAG;IAClBR,mBAAmB;IACnBrB,iBAAiB;IACjBC;EACF,CAAC;EAED,MAAM6B,YAAY,GAAG,MAAMzB,QAAQ,CAACN,SAAS,EAAE;IAC7CgC,MAAM,EAAE,MAAM;IACdC,OAAO,EAAE;MACP,cAAc,EAAE,kBAAkB;MAClC,0BAA0B,EAAEzB,yBAAyB;MACrD,8BAA8B,EAAEW;IAClC,CAAC;IACDe,IAAI,EAAEC,IAAI,CAACC,SAAS,CAACN,WAAW;EAClC,CAAC,CAAC,CACCO,IAAI,CAAC3C,gBAAgB,CAAC,GAAG,EAAED,mBAAmB,CAAC,CAAC,CAChD4C,IAAI,CAAEC,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC;EAE5B,MAAMC,kBAAkB,GAAG3C,yBAAyB,CAAC4C,KAAK,CAACV,YAAY,CAAC;EACxE,OAAOS,kBAAkB;AAC3B,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAME,yBAAoD,GAAG,MAAAA,CAClEC,WAAW,EACXC,WAAW,EACXC,WAAW,KACR;EACH,MAAMC,MAAM,GAAG,IAAIC,eAAe,CAAC;IACjCC,kBAAkB,EAAEJ,WAAW;IAC/B3C,iBAAiB,EAAE4C;EACrB,CAAC,CAAC;EAEF,MAAMI,WAAW,GAAI,GAAEN,WAAY,IAAGG,MAAO,EAAC;EAC9C,OAAO;IAAEG;EAAY,CAAC;AACxB,CAAC"}

package/lib/module/credential/issuance/mrtd-pop/README.md ADDED Viewed

@@ -0,0 +1,92 @@
+# MRTD PoP flow
+**MRTD-PoP (Machine Readable Travel Document - Proof of Possession)** flow for the IO Wallet, following the [eID Wallet L2+ Credential Issuance specification](https://italia.github.io/eid-wallet-it-docs/versione-corrente/en/credential-issuance-l2plus.html).
+The MRTD-PoP flow is used to prove possession of an MRTD (such as a CIE) during the issuance of high-assurance credentials. The process involves a challenge-response protocol between the wallet and the issuer, leveraging JWTs and cryptographic attestation.
+This flow is part of the [PID issuance flow](../README.md) and must be started after the `continueUserAuthorizationWithMRTDPoPChallenge` function. Once MRTD PoP is completed, the PID issuance flow must continue with the `completeUserAuthorizationWithQueryMode` function with the authorization url obtained from the validation.
+> **⚠️ Important**: The entire flow must be initiated and concluded within the same web context (e.g., the same WebView instance) to maintain session continuity. Using different contexts (such as switching between an external browser and a WebView) will result in session loss and authentication failures due to cookie/session mismatch (JSESSIONID).
+## Sequence Diagram
+```mermaid
+graph TD;
+    A@{ shape: subproc, label: "continueUserAuthorizationWithMRTDPoPChallenge" }
+    subgraph MRTD PoP
+    B[verifyAndParseChallengeInfo]
+    C[initChallenge]
+    E[validateChallenge]
+    end
+    F@{ shape: subproc, label: "completeUserAuthorizationWithQueryModeChallenge" }
+    A -.-> B
+    B --> C
+    C -->E
+    E -.-> F
+```
+## Example
+```typescript
+// Verify and parse challenge info and extract challenge data: initialization url, session and nonce
+const {
+  htu: initUrl,
+  mrtd_auth_session,
+  mrtd_pop_jwt_nonce,
+} = await Credential.Issuance.MRTDPoP.verifyAndParseChallengeInfo(
+  issuerConf,
+  challenge_info,
+  { wiaCryptoContext }
+);
+// Initialize challenge and obtain the challenge text to sign the CIE PACE protocol and validation url
+const {
+  htu: validationUrl,
+  challenge,
+  mrtd_pop_nonce,
+} = await Credential.Issuance.MRTDPoP.initChallenge(
+  issuerConf,
+  initUrl,
+  mrtd_auth_session,
+  mrtd_pop_jwt_nonce,
+  {
+    walletInstanceAttestation,
+    wiaCryptoContext,
+    appFetch,
+  }
+);
+// CIE cryptographic interaction: you need to sign the challenge with the CIE through NFC interaction
+const { nis, mrtds } = /* NFC interactions functions */
+// Validate challenge
+const { mrtd_val_pop_nonce, redirect_uri } =
+  await Credential.Issuance.MRTDPoP.validateChallenge(
+    issuerConf,
+    validationUrl,
+    mrtd_auth_session,
+    mrtd_pop_nonce,
+    mrtd,
+    ias,
+    {
+      walletInstanceAttestation,
+      wiaCryptoContext,
+      appFetch,
+    }
+  );
+// Build the callback url
+const { callbackUrl } = await Credential.Issuance.buildChallengeCallbackUrl(
+  redirect_uri,
+  mrtd_val_pop_nonce,
+  mrtd_auth_session
+);
+// The generated authUrl must be used to open a browser or webview capable of catching the redirectSchema to perform a get request to the authorization endpoint.
+const authRedirectUrl = /* From a browser or webview redirect */
+// Use the authRedirectUrl to continue the PID issuance flow
+```

package/lib/module/credential/issuance/mrtd-pop/index.js ADDED Viewed

@@ -0,0 +1,5 @@
+import { verifyAndParseChallengeInfo } from "./01-verify-and-parse-challenge-info";
+import { initChallenge } from "./02-init-challenge";
+import { validateChallenge, buildChallengeCallbackUrl } from "./03-validate-challenge";
+export { verifyAndParseChallengeInfo, initChallenge, validateChallenge, buildChallengeCallbackUrl };
+//# sourceMappingURL=index.js.map

package/lib/module/credential/issuance/mrtd-pop/index.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"names":["verifyAndParseChallengeInfo","initChallenge","validateChallenge","buildChallengeCallbackUrl"],"sourceRoot":"../../../../../src","sources":["credential/issuance/mrtd-pop/index.ts"],"mappings":"AAAA,SACEA,2BAA2B,QAEtB,sCAAsC;AAC7C,SAASC,aAAa,QAA4B,qBAAqB;AACvE,SACEC,iBAAiB,EACjBC,yBAAyB,QAGpB,yBAAyB;AAGhC,SACEH,2BAA2B,EAC3BC,aAAa,EACbC,iBAAiB,EACjBC,yBAAyB"}

package/lib/module/credential/issuance/mrtd-pop/types.js ADDED Viewed

@@ -0,0 +1,46 @@
+import * as z from "zod";
+export const MrtdProofChallengeInfo = z.object({
+  protectedHeader: z.object({
+    typ: z.literal("mrtd-ias+jwt"),
+    alg: z.string(),
+    kid: z.string()
+  }),
+  payload: z.object({
+    iss: z.string(),
+    aud: z.string(),
+    iat: z.number(),
+    exp: z.number(),
+    status: z.literal("require_interaction"),
+    type: z.literal("mrtd+ias"),
+    mrtd_auth_session: z.string(),
+    state: z.string(),
+    mrtd_pop_jwt_nonce: z.string(),
+    htu: z.string(),
+    htm: z.literal("POST")
+  })
+});
+export const MrtdPoPChallenge = z.object({
+  protectedHeader: z.object({
+    typ: z.literal("mrtd-ias-pop+jwt"),
+    alg: z.string(),
+    kid: z.string()
+  }),
+  payload: z.object({
+    iss: z.string(),
+    aud: z.string(),
+    iat: z.number(),
+    exp: z.number(),
+    challenge: z.string(),
+    mrtd_pop_nonce: z.string(),
+    mrz: z.string().optional(),
+    htu: z.string(),
+    htm: z.literal("POST")
+  })
+});
+export const MrtdPopVerificationResult = z.object({
+  status: z.literal("require_interaction"),
+  type: z.literal("redirect_to_web"),
+  mrtd_val_pop_nonce: z.string(),
+  redirect_uri: z.string()
+});
+//# sourceMappingURL=types.js.map

package/lib/module/credential/issuance/mrtd-pop/types.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"names":["z","MrtdProofChallengeInfo","object","protectedHeader","typ","literal","alg","string","kid","payload","iss","aud","iat","number","exp","status","type","mrtd_auth_session","state","mrtd_pop_jwt_nonce","htu","htm","MrtdPoPChallenge","challenge","mrtd_pop_nonce","mrz","optional","MrtdPopVerificationResult","mrtd_val_pop_nonce","redirect_uri"],"sourceRoot":"../../../../../src","sources":["credential/issuance/mrtd-pop/types.ts"],"mappings":"AAAA,OAAO,KAAKA,CAAC,MAAM,KAAK;AAGxB,OAAO,MAAMC,sBAAsB,GAAGD,CAAC,CAACE,MAAM,CAAC;EAC7CC,eAAe,EAAEH,CAAC,CAACE,MAAM,CAAC;IACxBE,GAAG,EAAEJ,CAAC,CAACK,OAAO,CAAC,cAAc,CAAC;IAC9BC,GAAG,EAAEN,CAAC,CAACO,MAAM,CAAC,CAAC;IACfC,GAAG,EAAER,CAAC,CAACO,MAAM,CAAC;EAChB,CAAC,CAAC;EACFE,OAAO,EAAET,CAAC,CAACE,MAAM,CAAC;IAChBQ,GAAG,EAAEV,CAAC,CAACO,MAAM,CAAC,CAAC;IACfI,GAAG,EAAEX,CAAC,CAACO,MAAM,CAAC,CAAC;IACfK,GAAG,EAAEZ,CAAC,CAACa,MAAM,CAAC,CAAC;IACfC,GAAG,EAAEd,CAAC,CAACa,MAAM,CAAC,CAAC;IACfE,MAAM,EAAEf,CAAC,CAACK,OAAO,CAAC,qBAAqB,CAAC;IACxCW,IAAI,EAAEhB,CAAC,CAACK,OAAO,CAAC,UAAU,CAAC;IAC3BY,iBAAiB,EAAEjB,CAAC,CAACO,MAAM,CAAC,CAAC;IAC7BW,KAAK,EAAElB,CAAC,CAACO,MAAM,CAAC,CAAC;IACjBY,kBAAkB,EAAEnB,CAAC,CAACO,MAAM,CAAC,CAAC;IAC9Ba,GAAG,EAAEpB,CAAC,CAACO,MAAM,CAAC,CAAC;IACfc,GAAG,EAAErB,CAAC,CAACK,OAAO,CAAC,MAAM;EACvB,CAAC;AACH,CAAC,CAAC;AAGF,OAAO,MAAMiB,gBAAgB,GAAGtB,CAAC,CAACE,MAAM,CAAC;EACvCC,eAAe,EAAEH,CAAC,CAACE,MAAM,CAAC;IACxBE,GAAG,EAAEJ,CAAC,CAACK,OAAO,CAAC,kBAAkB,CAAC;IAClCC,GAAG,EAAEN,CAAC,CAACO,MAAM,CAAC,CAAC;IACfC,GAAG,EAAER,CAAC,CAACO,MAAM,CAAC;EAChB,CAAC,CAAC;EACFE,OAAO,EAAET,CAAC,CAACE,MAAM,CAAC;IAChBQ,GAAG,EAAEV,CAAC,CAACO,MAAM,CAAC,CAAC;IACfI,GAAG,EAAEX,CAAC,CAACO,MAAM,CAAC,CAAC;IACfK,GAAG,EAAEZ,CAAC,CAACa,MAAM,CAAC,CAAC;IACfC,GAAG,EAAEd,CAAC,CAACa,MAAM,CAAC,CAAC;IACfU,SAAS,EAAEvB,CAAC,CAACO,MAAM,CAAC,CAAC;IACrBiB,cAAc,EAAExB,CAAC,CAACO,MAAM,CAAC,CAAC;IAC1BkB,GAAG,EAAEzB,CAAC,CAACO,MAAM,CAAC,CAAC,CAACmB,QAAQ,CAAC,CAAC;IAC1BN,GAAG,EAAEpB,CAAC,CAACO,MAAM,CAAC,CAAC;IACfc,GAAG,EAAErB,CAAC,CAACK,OAAO,CAAC,MAAM;EACvB,CAAC;AACH,CAAC,CAAC;AAiBF,OAAO,MAAMsB,yBAAyB,GAAG3B,CAAC,CAACE,MAAM,CAAC;EAChDa,MAAM,EAAEf,CAAC,CAACK,OAAO,CAAC,qBAAqB,CAAC;EACxCW,IAAI,EAAEhB,CAAC,CAACK,OAAO,CAAC,iBAAiB,CAAC;EAClCuB,kBAAkB,EAAE5B,CAAC,CAACO,MAAM,CAAC,CAAC;EAC9BsB,YAAY,EAAE7B,CAAC,CAACO,MAAM,CAAC;AACzB,CAAC,CAAC"}

package/lib/module/utils/auth.js CHANGED Viewed

@@ -32,4 +32,12 @@ export const AuthorizationErrorShape = z.object({
 /**
  * Type of the identification result.
  */
+/**
+ * MRTD PoP Challenge Info response structure
+ */
+export const AuthorizationChallengeResultShape = z.object({
+  challenge_info: z.string()
+});
 //# sourceMappingURL=auth.js.map

package/lib/module/utils/auth.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"names":["z","AuthorizationResultShape","object","code","string","state","iss","optional","AuthorizationErrorShape","error","error_description","error_uri"],"sourceRoot":"../../../src","sources":["utils/auth.ts"],"mappings":"AAAA,OAAO,KAAKA,CAAC,MAAM,KAAK;;AAExB;AACA;AACA;AACA;AACA;;AAKA;AACA;AACA;AACA,OAAO,MAAMC,wBAAwB,GAAGD,CAAC,CAACE,MAAM,CAAC;EAC/CC,IAAI,EAAEH,CAAC,CAACI,MAAM,CAAC,CAAC;EAChBC,KAAK,EAAEL,CAAC,CAACI,MAAM,CAAC,CAAC;EACjBE,GAAG,EAAEN,CAAC,CAACI,MAAM,CAAC,CAAC,CAACG,QAAQ,CAAC;AAC3B,CAAC,CAAC;;AAEF;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMC,uBAAuB,GAAGR,CAAC,CAACE,MAAM,CAAC;EAC9CO,KAAK,EAAET,CAAC,CAACI,MAAM,CAAC,CAAC;EAAE;EACnBM,iBAAiB,EAAEV,CAAC,CAACI,MAAM,CAAC,CAAC,CAACG,QAAQ,CAAC,CAAC;EACxCI,SAAS,EAAEX,CAAC,CAACI,MAAM,CAAC,CAAC,CAACG,QAAQ,CAAC,CAAC;EAChCF,KAAK,EAAEL,CAAC,CAACI,MAAM,CAAC,CAAC,CAACG,QAAQ,CAAC;AAC7B,CAAC,CAAC;;AAEF;AACA;AACA"}
1	+ {"version":3,"names":["z","AuthorizationResultShape","object","code","string","state","iss","optional","AuthorizationErrorShape","error","error_description","error_uri","AuthorizationChallengeResultShape","challenge_info"],"sourceRoot":"../../../src","sources":["utils/auth.ts"],"mappings":"AAAA,OAAO,KAAKA,CAAC,MAAM,KAAK;;AAExB;AACA;AACA;AACA;AACA;;AAKA;AACA;AACA;AACA,OAAO,MAAMC,wBAAwB,GAAGD,CAAC,CAACE,MAAM,CAAC;EAC/CC,IAAI,EAAEH,CAAC,CAACI,MAAM,CAAC,CAAC;EAChBC,KAAK,EAAEL,CAAC,CAACI,MAAM,CAAC,CAAC;EACjBE,GAAG,EAAEN,CAAC,CAACI,MAAM,CAAC,CAAC,CAACG,QAAQ,CAAC;AAC3B,CAAC,CAAC;;AAEF;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMC,uBAAuB,GAAGR,CAAC,CAACE,MAAM,CAAC;EAC9CO,KAAK,EAAET,CAAC,CAACI,MAAM,CAAC,CAAC;EAAE;EACnBM,iBAAiB,EAAEV,CAAC,CAACI,MAAM,CAAC,CAAC,CAACG,QAAQ,CAAC,CAAC;EACxCI,SAAS,EAAEX,CAAC,CAACI,MAAM,CAAC,CAAC,CAACG,QAAQ,CAAC,CAAC;EAChCF,KAAK,EAAEL,CAAC,CAACI,MAAM,CAAC,CAAC,CAACG,QAAQ,CAAC;AAC7B,CAAC,CAAC;;AAEF;AACA;AACA;;AAGA;AACA;AACA;;AAEA,OAAO,MAAMK,iCAAiC,GAAGZ,CAAC,CAACE,MAAM,CAAC;EACxDW,cAAc,EAAEb,CAAC,CAACI,MAAM,CAAC;AAC3B,CAAC,CAAC"}