npm - @pagopa/io-wallet-oauth2 - Versions diffs - 0.3.0 - Mend

@pagopa/io-wallet-oauth2 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.d.mts ADDED Viewed

@@ -0,0 +1,171 @@
+import { CallbackContext, AuthorizationServerMetadata, RequestDpopOptions } from '@openid4vc/oauth2';
+import z from 'zod';
+declare enum PkceCodeChallengeMethod {
+    Plain = "plain",
+    S256 = "S256"
+}
+interface CreatePkceOptions {
+    /**
+     * Also allows string values so it can be directly passed from the
+     * 'code_challenge_methods_supported' metadata parameter
+     */
+    allowedCodeChallengeMethods?: Array<string | PkceCodeChallengeMethod>;
+    /**
+     * Code verifier to use. If not provided a value will be generated.
+     */
+    codeVerifier?: string;
+    callbacks: Pick<CallbackContext, 'hash' | 'generateRandom'>;
+}
+interface CreatePkceReturn {
+    codeVerifier: string;
+    codeChallenge: string;
+    codeChallengeMethod: PkceCodeChallengeMethod;
+}
+declare function createPkce(options: CreatePkceOptions): Promise<CreatePkceReturn>;
+interface VerifyPkceOptions {
+    /**
+     * secure random code verifier
+     */
+    codeVerifier: string;
+    codeChallenge: string;
+    codeChallengeMethod: PkceCodeChallengeMethod;
+    callbacks: Pick<CallbackContext, 'hash'>;
+}
+declare function verifyPkce(options: VerifyPkceOptions): Promise<void>;
+declare const zAuthorizationRequest: z.ZodObject<{
+    response_type: z.ZodString;
+    response_mode: z.ZodString;
+    client_id: z.ZodString;
+    state: z.ZodString;
+    code_challenge: z.ZodString;
+    code_challenge_method: z.ZodString;
+    scope: z.ZodString;
+    authorization_details: z.ZodArray<z.ZodObject<{
+        type: z.ZodLiteral<"openid_credential">;
+        credential_configuration_id: z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        type?: "openid_credential";
+        credential_configuration_id?: string;
+    }, {
+        type?: "openid_credential";
+        credential_configuration_id?: string;
+    }>, "many">;
+    redirect_uri: z.ZodOptional<z.ZodString>;
+    issuer_state: z.ZodOptional<z.ZodString>;
+}, "passthrough", z.ZodTypeAny, z.objectOutputType<{
+    response_type: z.ZodString;
+    response_mode: z.ZodString;
+    client_id: z.ZodString;
+    state: z.ZodString;
+    code_challenge: z.ZodString;
+    code_challenge_method: z.ZodString;
+    scope: z.ZodString;
+    authorization_details: z.ZodArray<z.ZodObject<{
+        type: z.ZodLiteral<"openid_credential">;
+        credential_configuration_id: z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        type?: "openid_credential";
+        credential_configuration_id?: string;
+    }, {
+        type?: "openid_credential";
+        credential_configuration_id?: string;
+    }>, "many">;
+    redirect_uri: z.ZodOptional<z.ZodString>;
+    issuer_state: z.ZodOptional<z.ZodString>;
+}, z.ZodTypeAny, "passthrough">, z.objectInputType<{
+    response_type: z.ZodString;
+    response_mode: z.ZodString;
+    client_id: z.ZodString;
+    state: z.ZodString;
+    code_challenge: z.ZodString;
+    code_challenge_method: z.ZodString;
+    scope: z.ZodString;
+    authorization_details: z.ZodArray<z.ZodObject<{
+        type: z.ZodLiteral<"openid_credential">;
+        credential_configuration_id: z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        type?: "openid_credential";
+        credential_configuration_id?: string;
+    }, {
+        type?: "openid_credential";
+        credential_configuration_id?: string;
+    }>, "many">;
+    redirect_uri: z.ZodOptional<z.ZodString>;
+    issuer_state: z.ZodOptional<z.ZodString>;
+}, z.ZodTypeAny, "passthrough">>;
+type AuthorizationRequest = z.infer<typeof zAuthorizationRequest>;
+declare const zPushedAuthorizationRequestSigned: z.ZodObject<{
+    request: z.ZodString;
+    client_id: z.ZodString;
+}, "passthrough", z.ZodTypeAny, z.objectOutputType<{
+    request: z.ZodString;
+    client_id: z.ZodString;
+}, z.ZodTypeAny, "passthrough">, z.objectInputType<{
+    request: z.ZodString;
+    client_id: z.ZodString;
+}, z.ZodTypeAny, "passthrough">>;
+type PushedAuthorizationRequestSigned = z.infer<typeof zPushedAuthorizationRequestSigned>;
+declare const zPushedAuthorizationResponse: z.ZodObject<{
+    request_uri: z.ZodString;
+    expires_in: z.ZodNumber;
+}, "passthrough", z.ZodTypeAny, z.objectOutputType<{
+    request_uri: z.ZodString;
+    expires_in: z.ZodNumber;
+}, z.ZodTypeAny, "passthrough">, z.objectInputType<{
+    request_uri: z.ZodString;
+    expires_in: z.ZodNumber;
+}, z.ZodTypeAny, "passthrough">>;
+type PushedAuthorizationResponse = z.infer<typeof zPushedAuthorizationResponse>;
+interface CreatePushedAuthorizationRequestOptions {
+    /**
+     * Callback context mostly for crypto related functionality
+     */
+    callbacks: Pick<CallbackContext, 'hash' | 'generateRandom' | 'signJwt'>;
+    codeChallengeMethodsSupported: AuthorizationServerMetadata["code_challenge_methods_supported"];
+    /**
+     * MUST be set to the thumbprint of the jwk value in the cnf parameter inside the Wallet Attestation.
+     */
+    clientId: string;
+    /**
+     * It MUST be set to the identifier of the Credential Issuer.
+     */
+    audience: string;
+    /**
+     * Scope to request for the authorization request
+     */
+    scope: string;
+    /**
+     * It MUST be one of the supported values (response_modes_supported) provided in the metadata of the Credential Issuer.
+     */
+    responseMode: string;
+    /**
+     * Redirect uri to include in the authorization request
+     */
+    redirectUri: string;
+    /**
+     * Allows clients to specify their fine-grained authorization requirements using the expressiveness of JSON data structures
+     */
+    authorization_details: Record<string, unknown>[];
+    /**
+     * state parameter to use for PAR. If not provided a value will generated automatically
+     */
+    state?: string;
+    /**
+     * jti parameter to use for PAR. If not provided a value will generated automatically
+     */
+    jti?: string;
+    /**
+     * Code verifier to use for pkce. If not provided a value will generated when pkce is supported
+     */
+    pkceCodeVerifier?: string;
+    /**
+     * DPoP options
+     */
+    dpop: RequestDpopOptions;
+}
+declare function createPushedAuthorizationRequest(options: CreatePushedAuthorizationRequestOptions): Promise<PushedAuthorizationRequestSigned>;
+export { type AuthorizationRequest, type CreatePkceOptions, type CreatePkceReturn, type CreatePushedAuthorizationRequestOptions, PkceCodeChallengeMethod, type PushedAuthorizationRequestSigned, type PushedAuthorizationResponse, type VerifyPkceOptions, createPkce, createPushedAuthorizationRequest, verifyPkce, zAuthorizationRequest, zPushedAuthorizationRequestSigned, zPushedAuthorizationResponse };

package/dist/index.d.ts ADDED Viewed

@@ -0,0 +1,171 @@
+import { CallbackContext, AuthorizationServerMetadata, RequestDpopOptions } from '@openid4vc/oauth2';
+import z from 'zod';
+declare enum PkceCodeChallengeMethod {
+    Plain = "plain",
+    S256 = "S256"
+}
+interface CreatePkceOptions {
+    /**
+     * Also allows string values so it can be directly passed from the
+     * 'code_challenge_methods_supported' metadata parameter
+     */
+    allowedCodeChallengeMethods?: Array<string | PkceCodeChallengeMethod>;
+    /**
+     * Code verifier to use. If not provided a value will be generated.
+     */
+    codeVerifier?: string;
+    callbacks: Pick<CallbackContext, 'hash' | 'generateRandom'>;
+}
+interface CreatePkceReturn {
+    codeVerifier: string;
+    codeChallenge: string;
+    codeChallengeMethod: PkceCodeChallengeMethod;
+}
+declare function createPkce(options: CreatePkceOptions): Promise<CreatePkceReturn>;
+interface VerifyPkceOptions {
+    /**
+     * secure random code verifier
+     */
+    codeVerifier: string;
+    codeChallenge: string;
+    codeChallengeMethod: PkceCodeChallengeMethod;
+    callbacks: Pick<CallbackContext, 'hash'>;
+}
+declare function verifyPkce(options: VerifyPkceOptions): Promise<void>;
+declare const zAuthorizationRequest: z.ZodObject<{
+    response_type: z.ZodString;
+    response_mode: z.ZodString;
+    client_id: z.ZodString;
+    state: z.ZodString;
+    code_challenge: z.ZodString;
+    code_challenge_method: z.ZodString;
+    scope: z.ZodString;
+    authorization_details: z.ZodArray<z.ZodObject<{
+        type: z.ZodLiteral<"openid_credential">;
+        credential_configuration_id: z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        type?: "openid_credential";
+        credential_configuration_id?: string;
+    }, {
+        type?: "openid_credential";
+        credential_configuration_id?: string;
+    }>, "many">;
+    redirect_uri: z.ZodOptional<z.ZodString>;
+    issuer_state: z.ZodOptional<z.ZodString>;
+}, "passthrough", z.ZodTypeAny, z.objectOutputType<{
+    response_type: z.ZodString;
+    response_mode: z.ZodString;
+    client_id: z.ZodString;
+    state: z.ZodString;
+    code_challenge: z.ZodString;
+    code_challenge_method: z.ZodString;
+    scope: z.ZodString;
+    authorization_details: z.ZodArray<z.ZodObject<{
+        type: z.ZodLiteral<"openid_credential">;
+        credential_configuration_id: z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        type?: "openid_credential";
+        credential_configuration_id?: string;
+    }, {
+        type?: "openid_credential";
+        credential_configuration_id?: string;
+    }>, "many">;
+    redirect_uri: z.ZodOptional<z.ZodString>;
+    issuer_state: z.ZodOptional<z.ZodString>;
+}, z.ZodTypeAny, "passthrough">, z.objectInputType<{
+    response_type: z.ZodString;
+    response_mode: z.ZodString;
+    client_id: z.ZodString;
+    state: z.ZodString;
+    code_challenge: z.ZodString;
+    code_challenge_method: z.ZodString;
+    scope: z.ZodString;
+    authorization_details: z.ZodArray<z.ZodObject<{
+        type: z.ZodLiteral<"openid_credential">;
+        credential_configuration_id: z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        type?: "openid_credential";
+        credential_configuration_id?: string;
+    }, {
+        type?: "openid_credential";
+        credential_configuration_id?: string;
+    }>, "many">;
+    redirect_uri: z.ZodOptional<z.ZodString>;
+    issuer_state: z.ZodOptional<z.ZodString>;
+}, z.ZodTypeAny, "passthrough">>;
+type AuthorizationRequest = z.infer<typeof zAuthorizationRequest>;
+declare const zPushedAuthorizationRequestSigned: z.ZodObject<{
+    request: z.ZodString;
+    client_id: z.ZodString;
+}, "passthrough", z.ZodTypeAny, z.objectOutputType<{
+    request: z.ZodString;
+    client_id: z.ZodString;
+}, z.ZodTypeAny, "passthrough">, z.objectInputType<{
+    request: z.ZodString;
+    client_id: z.ZodString;
+}, z.ZodTypeAny, "passthrough">>;
+type PushedAuthorizationRequestSigned = z.infer<typeof zPushedAuthorizationRequestSigned>;
+declare const zPushedAuthorizationResponse: z.ZodObject<{
+    request_uri: z.ZodString;
+    expires_in: z.ZodNumber;
+}, "passthrough", z.ZodTypeAny, z.objectOutputType<{
+    request_uri: z.ZodString;
+    expires_in: z.ZodNumber;
+}, z.ZodTypeAny, "passthrough">, z.objectInputType<{
+    request_uri: z.ZodString;
+    expires_in: z.ZodNumber;
+}, z.ZodTypeAny, "passthrough">>;
+type PushedAuthorizationResponse = z.infer<typeof zPushedAuthorizationResponse>;
+interface CreatePushedAuthorizationRequestOptions {
+    /**
+     * Callback context mostly for crypto related functionality
+     */
+    callbacks: Pick<CallbackContext, 'hash' | 'generateRandom' | 'signJwt'>;
+    codeChallengeMethodsSupported: AuthorizationServerMetadata["code_challenge_methods_supported"];
+    /**
+     * MUST be set to the thumbprint of the jwk value in the cnf parameter inside the Wallet Attestation.
+     */
+    clientId: string;
+    /**
+     * It MUST be set to the identifier of the Credential Issuer.
+     */
+    audience: string;
+    /**
+     * Scope to request for the authorization request
+     */
+    scope: string;
+    /**
+     * It MUST be one of the supported values (response_modes_supported) provided in the metadata of the Credential Issuer.
+     */
+    responseMode: string;
+    /**
+     * Redirect uri to include in the authorization request
+     */
+    redirectUri: string;
+    /**
+     * Allows clients to specify their fine-grained authorization requirements using the expressiveness of JSON data structures
+     */
+    authorization_details: Record<string, unknown>[];
+    /**
+     * state parameter to use for PAR. If not provided a value will generated automatically
+     */
+    state?: string;
+    /**
+     * jti parameter to use for PAR. If not provided a value will generated automatically
+     */
+    jti?: string;
+    /**
+     * Code verifier to use for pkce. If not provided a value will generated when pkce is supported
+     */
+    pkceCodeVerifier?: string;
+    /**
+     * DPoP options
+     */
+    dpop: RequestDpopOptions;
+}
+declare function createPushedAuthorizationRequest(options: CreatePushedAuthorizationRequestOptions): Promise<PushedAuthorizationRequestSigned>;
+export { type AuthorizationRequest, type CreatePkceOptions, type CreatePkceReturn, type CreatePushedAuthorizationRequestOptions, PkceCodeChallengeMethod, type PushedAuthorizationRequestSigned, type PushedAuthorizationResponse, type VerifyPkceOptions, createPkce, createPushedAuthorizationRequest, verifyPkce, zAuthorizationRequest, zPushedAuthorizationRequestSigned, zPushedAuthorizationResponse };

package/dist/index.js ADDED Viewed

@@ -0,0 +1,180 @@
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  PkceCodeChallengeMethod: () => PkceCodeChallengeMethod,
+  createPkce: () => createPkce,
+  createPushedAuthorizationRequest: () => createPushedAuthorizationRequest,
+  verifyPkce: () => verifyPkce,
+  zAuthorizationRequest: () => zAuthorizationRequest,
+  zPushedAuthorizationRequestSigned: () => zPushedAuthorizationRequestSigned,
+  zPushedAuthorizationResponse: () => zPushedAuthorizationResponse
+});
+module.exports = __toCommonJS(index_exports);
+// src/pkce.ts
+var import_oauth2 = require("@openid4vc/oauth2");
+var import_utils = require("@openid4vc/utils");
+var PkceCodeChallengeMethod = /* @__PURE__ */ ((PkceCodeChallengeMethod2) => {
+  PkceCodeChallengeMethod2["Plain"] = "plain";
+  PkceCodeChallengeMethod2["S256"] = "S256";
+  return PkceCodeChallengeMethod2;
+})(PkceCodeChallengeMethod || {});
+async function createPkce(options) {
+  const allowedCodeChallengeMethods = options.allowedCodeChallengeMethods ?? [
+    "S256" /* S256 */,
+    "plain" /* Plain */
+  ];
+  if (allowedCodeChallengeMethods.length === 0) {
+    throw new import_oauth2.Oauth2Error(`Unable to create PKCE code verifier. 'allowedCodeChallengeMethods' is an empty array.`);
+  }
+  const codeChallengeMethod = allowedCodeChallengeMethods.includes("S256" /* S256 */) ? "S256" /* S256 */ : "plain" /* Plain */;
+  const codeVerifier = options.codeVerifier ?? (0, import_utils.encodeToBase64Url)(await options.callbacks.generateRandom(64));
+  return {
+    codeVerifier,
+    codeChallenge: await calculateCodeChallenge({
+      codeChallengeMethod,
+      codeVerifier,
+      hashCallback: options.callbacks.hash
+    }),
+    codeChallengeMethod
+  };
+}
+async function verifyPkce(options) {
+  const calculatedCodeChallenge = await calculateCodeChallenge({
+    codeChallengeMethod: options.codeChallengeMethod,
+    codeVerifier: options.codeVerifier,
+    hashCallback: options.callbacks.hash
+  });
+  if (options.codeChallenge !== calculatedCodeChallenge) {
+    throw new import_oauth2.Oauth2Error(
+      `Derived code challenge '${calculatedCodeChallenge}' from code_verifier '${options.codeVerifier}' using code challenge method '${options.codeChallengeMethod}' does not match the expected code challenge.`
+    );
+  }
+}
+async function calculateCodeChallenge(options) {
+  if (options.codeChallengeMethod === "plain" /* Plain */) {
+    return options.codeVerifier;
+  }
+  if (options.codeChallengeMethod === "S256" /* S256 */) {
+    return (0, import_utils.encodeToBase64Url)(await options.hashCallback((0, import_utils.decodeUtf8String)(options.codeVerifier), import_oauth2.HashAlgorithm.Sha256));
+  }
+  throw new import_oauth2.Oauth2Error(`Unsupported code challenge method ${options.codeChallengeMethod}`);
+}
+// src/authorization-request/z-authorization-request.ts
+var import_zod = __toESM(require("zod"));
+var zAuthorizationRequest = import_zod.default.object({
+  response_type: import_zod.default.string(),
+  response_mode: import_zod.default.string(),
+  client_id: import_zod.default.string(),
+  state: import_zod.default.string(),
+  code_challenge: import_zod.default.string(),
+  code_challenge_method: import_zod.default.string(),
+  scope: import_zod.default.string(),
+  authorization_details: import_zod.default.array(import_zod.default.object({
+    type: import_zod.default.literal("openid_credential"),
+    credential_configuration_id: import_zod.default.string()
+  })),
+  redirect_uri: import_zod.default.string().url().optional(),
+  issuer_state: import_zod.default.optional(import_zod.default.string())
+}).passthrough();
+var zPushedAuthorizationRequestSigned = import_zod.default.object({
+  /*
+  * It MUST be a signed JWT. The private key corresponding to the public one in the cnf parameter inside the Wallet Attestation MUST be used for signing the Request Object.
+  */
+  request: import_zod.default.string(),
+  /*
+  * MUST be set to the thumbprint of the jwk value in the cnf parameter inside the Wallet Attestation.
+  */
+  client_id: import_zod.default.string()
+}).passthrough();
+var zPushedAuthorizationResponse = import_zod.default.object({
+  request_uri: import_zod.default.string(),
+  expires_in: import_zod.default.number().int()
+}).passthrough();
+// src/authorization-request/create-authorization-request.ts
+var import_utils2 = require("@openid4vc/utils");
+var JWT_EXPIRY_SECONDS = 3600;
+var RANDOM_BYTES_SIZE = 32;
+async function createPushedAuthorizationRequest(options) {
+  const pkce = await createPkce({
+    allowedCodeChallengeMethods: options.codeChallengeMethodsSupported,
+    callbacks: options.callbacks,
+    codeVerifier: options.pkceCodeVerifier
+  });
+  const authorizationRequest = {
+    response_type: "code",
+    response_mode: options.responseMode,
+    state: options.state ?? (0, import_utils2.encodeToBase64Url)(await options.callbacks.generateRandom(RANDOM_BYTES_SIZE)),
+    client_id: options.clientId,
+    redirect_uri: options.redirectUri,
+    scope: options.scope,
+    authorization_details: options.authorization_details,
+    code_challenge: pkce.codeChallenge,
+    code_challenge_method: pkce.codeChallengeMethod
+  };
+  const { dpop } = options;
+  if (!dpop.signer.alg || !dpop.signer.publicJwk?.kid) {
+    throw new Error("DPoP signer must have alg and publicJwk.kid properties");
+  }
+  const iat = Math.floor(Date.now());
+  const requestJwt = await options.callbacks.signJwt(dpop.signer, {
+    header: {
+      alg: dpop.signer.alg,
+      kid: dpop.signer.publicJwk.kid,
+      typ: "jwt"
+    },
+    payload: {
+      aud: options.audience,
+      exp: iat + JWT_EXPIRY_SECONDS,
+      iat,
+      iss: dpop.signer.publicJwk.kid,
+      jti: options.jti ?? (0, import_utils2.encodeToBase64Url)(await options.callbacks.generateRandom(RANDOM_BYTES_SIZE)),
+      ...authorizationRequest
+    }
+  });
+  return {
+    client_id: options.clientId,
+    request: requestJwt.jwt
+  };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  PkceCodeChallengeMethod,
+  createPkce,
+  createPushedAuthorizationRequest,
+  verifyPkce,
+  zAuthorizationRequest,
+  zPushedAuthorizationRequestSigned,
+  zPushedAuthorizationResponse
+});
+//# sourceMappingURL=index.js.map

package/dist/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/index.ts","../src/pkce.ts","../src/authorization-request/z-authorization-request.ts","../src/authorization-request/create-authorization-request.ts"],"sourcesContent":["export * from \"./pkce\";\nexport * from \"./authorization-request\"","import { CallbackContext, HashAlgorithm, HashCallback, Oauth2Error } from '@openid4vc/oauth2'\nimport { decodeUtf8String, encodeToBase64Url } from '@openid4vc/utils'\n\nexport enum PkceCodeChallengeMethod {\n Plain = 'plain',\n S256 = 'S256',\n}\n\nexport interface CreatePkceOptions {\n /**\n * Also allows string values so it can be directly passed from the\n * 'code_challenge_methods_supported' metadata parameter\n */\n allowedCodeChallengeMethods?: Array<string | PkceCodeChallengeMethod>\n\n /**\n * Code verifier to use. If not provided a value will be generated.\n */\n codeVerifier?: string\n\n callbacks: Pick<CallbackContext, 'hash' | 'generateRandom'>\n}\n\nexport interface CreatePkceReturn {\n codeVerifier: string\n codeChallenge: string\n codeChallengeMethod: PkceCodeChallengeMethod\n}\n\nexport async function createPkce(options: CreatePkceOptions): Promise<CreatePkceReturn> {\n const allowedCodeChallengeMethods = options.allowedCodeChallengeMethods ?? [\n PkceCodeChallengeMethod.S256,\n PkceCodeChallengeMethod.Plain,\n ]\n\n if (allowedCodeChallengeMethods.length === 0) {\n throw new Oauth2Error(`Unable to create PKCE code verifier. 'allowedCodeChallengeMethods' is an empty array.`)\n }\n\n const codeChallengeMethod = allowedCodeChallengeMethods.includes(PkceCodeChallengeMethod.S256)\n ? PkceCodeChallengeMethod.S256\n : PkceCodeChallengeMethod.Plain\n\n const codeVerifier = options.codeVerifier ?? encodeToBase64Url(await options.callbacks.generateRandom(64))\n return {\n codeVerifier,\n codeChallenge: await calculateCodeChallenge({\n codeChallengeMethod,\n codeVerifier,\n hashCallback: options.callbacks.hash,\n }),\n codeChallengeMethod,\n }\n}\n\nexport interface VerifyPkceOptions {\n /**\n * secure random code verifier\n */\n codeVerifier: string\n\n codeChallenge: string\n codeChallengeMethod: PkceCodeChallengeMethod\n\n callbacks: Pick<CallbackContext, 'hash'>\n}\n\nexport async function verifyPkce(options: VerifyPkceOptions) {\n const calculatedCodeChallenge = await calculateCodeChallenge({\n codeChallengeMethod: options.codeChallengeMethod,\n codeVerifier: options.codeVerifier,\n hashCallback: options.callbacks.hash,\n })\n\n if (options.codeChallenge !== calculatedCodeChallenge) {\n throw new Oauth2Error(\n `Derived code challenge '${calculatedCodeChallenge}' from code_verifier '${options.codeVerifier}' using code challenge method '${options.codeChallengeMethod}' does not match the expected code challenge.`\n )\n }\n}\n\nasync function calculateCodeChallenge(options: {\n codeVerifier: string\n codeChallengeMethod: PkceCodeChallengeMethod\n hashCallback: HashCallback\n}) {\n if (options.codeChallengeMethod === PkceCodeChallengeMethod.Plain) {\n return options.codeVerifier\n }\n\n if (options.codeChallengeMethod === PkceCodeChallengeMethod.S256) {\n return encodeToBase64Url(await options.hashCallback(decodeUtf8String(options.codeVerifier), HashAlgorithm.Sha256))\n }\n\n throw new Oauth2Error(`Unsupported code challenge method ${options.codeChallengeMethod}`)\n}\n","import z from 'zod'\n\nexport const zAuthorizationRequest = z\n .object({\n response_type: z.string(),\n response_mode: z.string(),\n client_id: z.string(),\n state: z.string(),\n code_challenge: z.string(),\n code_challenge_method: z.string(),\n scope: z.string(),\n authorization_details: z.array(z.object({\n type: z.literal(\"openid_credential\"),\n credential_configuration_id: z.string()\n })),\n redirect_uri: z.string().url().optional(),\n issuer_state: z.optional(z.string()),\n\n })\n .passthrough()\nexport type AuthorizationRequest = z.infer<typeof zAuthorizationRequest>\n\nexport const zPushedAuthorizationRequestSigned = z\n .object({\n /* \n * It MUST be a signed JWT. The private key corresponding to the public one in the cnf parameter inside the Wallet Attestation MUST be used for signing the Request Object.\n */\n request: z.string(),\n /* \n * MUST be set to the thumbprint of the jwk value in the cnf parameter inside the Wallet Attestation.\n */\n client_id: z.string(),\n })\n .passthrough()\nexport type PushedAuthorizationRequestSigned = z.infer<typeof zPushedAuthorizationRequestSigned>\n\nexport const zPushedAuthorizationResponse = z\n .object({\n request_uri: z.string(),\n expires_in: z.number().int(),\n })\n .passthrough()\nexport type PushedAuthorizationResponse = z.infer<typeof zPushedAuthorizationResponse>\n","import { encodeToBase64Url } from '@openid4vc/utils'\nimport { AuthorizationServerMetadata, CallbackContext, RequestDpopOptions } from \"@openid4vc/oauth2\";\nimport { createPkce } from '../pkce';\nimport { AuthorizationRequest, PushedAuthorizationRequestSigned } from './z-authorization-request';\n\nconst JWT_EXPIRY_SECONDS = 3600; // 1 hour\nconst RANDOM_BYTES_SIZE = 32;\n\nexport interface CreatePushedAuthorizationRequestOptions {\n /**\n * Callback context mostly for crypto related functionality\n */\n callbacks: Pick<CallbackContext, 'hash' | 'generateRandom' | 'signJwt' >\n\n codeChallengeMethodsSupported: AuthorizationServerMetadata[\"code_challenge_methods_supported\"]\n\n /**\n * MUST be set to the thumbprint of the jwk value in the cnf parameter inside the Wallet Attestation.\n */\n clientId: string\n\n /**\n * It MUST be set to the identifier of the Credential Issuer.\n */\n audience: string\n\n /**\n * Scope to request for the authorization request\n */\n scope: string\n\n /**\n * It MUST be one of the supported values (response_modes_supported) provided in the metadata of the Credential Issuer.\n */\n responseMode: string\n\n /**\n * Redirect uri to include in the authorization request\n */\n redirectUri: string\n\n /**\n * Allows clients to specify their fine-grained authorization requirements using the expressiveness of JSON data structures\n */\n authorization_details: Record<string, unknown>[]\n\n /**\n * state parameter to use for PAR. If not provided a value will generated automatically\n */\n state?: string\n\n /**\n * jti parameter to use for PAR. If not provided a value will generated automatically\n */\n jti?: string\n\n /**\n * Code verifier to use for pkce. If not provided a value will generated when pkce is supported\n */\n pkceCodeVerifier?: string\n\n /**\n * DPoP options\n */\n dpop: RequestDpopOptions\n}\n\nexport async function createPushedAuthorizationRequest(options: CreatePushedAuthorizationRequestOptions) : Promise<PushedAuthorizationRequestSigned> {\n\n // PKCE\n const pkce = await createPkce({\n allowedCodeChallengeMethods: options.codeChallengeMethodsSupported,\n callbacks: options.callbacks,\n codeVerifier: options.pkceCodeVerifier,\n });\n\n const authorizationRequest: AuthorizationRequest = {\n response_type: 'code',\n response_mode: options.responseMode,\n state: options.state ?? encodeToBase64Url( await options.callbacks.generateRandom(RANDOM_BYTES_SIZE)),\n client_id: options.clientId,\n redirect_uri: options.redirectUri,\n scope: options.scope,\n authorization_details: options.authorization_details,\n code_challenge: pkce.codeChallenge,\n code_challenge_method: pkce.codeChallengeMethod,\n }\n\n const { dpop } = options;\n if (!dpop.signer.alg || !dpop.signer.publicJwk?.kid) {\n throw new Error('DPoP signer must have alg and publicJwk.kid properties');\n }\n\n const iat = Math.floor(Date.now())\n const requestJwt = await options.callbacks.signJwt(dpop.signer, {\n header: {\n alg: dpop.signer.alg,\n kid: dpop.signer.publicJwk.kid,\n typ: \"jwt\",\n },\n payload: {\n aud: options.audience,\n exp: iat + JWT_EXPIRY_SECONDS,\n iat,\n iss: dpop.signer.publicJwk.kid,\n jti: options.jti ?? encodeToBase64Url(await options.callbacks.generateRandom(RANDOM_BYTES_SIZE)),\n ...authorizationRequest\n },\n });\n\n return {\n client_id: options.clientId,\n request: requestJwt.jwt\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAA,oBAA0E;AAC1E,mBAAoD;AAE7C,IAAK,0BAAL,kBAAKA,6BAAL;AACL,EAAAA,yBAAA,WAAQ;AACR,EAAAA,yBAAA,UAAO;AAFG,SAAAA;AAAA,GAAA;AA0BZ,eAAsB,WAAW,SAAuD;AACtF,QAAM,8BAA8B,QAAQ,+BAA+B;AAAA,IACzE;AAAA,IACA;AAAA,EACF;AAEA,MAAI,4BAA4B,WAAW,GAAG;AAC5C,UAAM,IAAI,0BAAY,uFAAuF;AAAA,EAC/G;AAEA,QAAM,sBAAsB,4BAA4B,SAAS,iBAA4B,IACzF,oBACA;AAEJ,QAAM,eAAe,QAAQ,oBAAgB,gCAAkB,MAAM,QAAQ,UAAU,eAAe,EAAE,CAAC;AACzG,SAAO;AAAA,IACL;AAAA,IACA,eAAe,MAAM,uBAAuB;AAAA,MAC1C;AAAA,MACA;AAAA,MACA,cAAc,QAAQ,UAAU;AAAA,IAClC,CAAC;AAAA,IACD;AAAA,EACF;AACF;AAcA,eAAsB,WAAW,SAA4B;AAC3D,QAAM,0BAA0B,MAAM,uBAAuB;AAAA,IAC3D,qBAAqB,QAAQ;AAAA,IAC7B,cAAc,QAAQ;AAAA,IACtB,cAAc,QAAQ,UAAU;AAAA,EAClC,CAAC;AAED,MAAI,QAAQ,kBAAkB,yBAAyB;AACrD,UAAM,IAAI;AAAA,MACR,2BAA2B,uBAAuB,yBAAyB,QAAQ,YAAY,kCAAkC,QAAQ,mBAAmB;AAAA,IAC9J;AAAA,EACF;AACF;AAEA,eAAe,uBAAuB,SAInC;AACD,MAAI,QAAQ,wBAAwB,qBAA+B;AACjE,WAAO,QAAQ;AAAA,EACjB;AAEA,MAAI,QAAQ,wBAAwB,mBAA8B;AAChE,eAAO,gCAAkB,MAAM,QAAQ,iBAAa,+BAAiB,QAAQ,YAAY,GAAG,4BAAc,MAAM,CAAC;AAAA,EACnH;AAEA,QAAM,IAAI,0BAAY,qCAAqC,QAAQ,mBAAmB,EAAE;AAC1F;;;AC/FA,iBAAc;AAEP,IAAM,wBAAwB,WAAAC,QAClC,OAAO;AAAA,EACN,eAAe,WAAAA,QAAE,OAAO;AAAA,EACxB,eAAe,WAAAA,QAAE,OAAO;AAAA,EACxB,WAAW,WAAAA,QAAE,OAAO;AAAA,EACpB,OAAO,WAAAA,QAAE,OAAO;AAAA,EAChB,gBAAgB,WAAAA,QAAE,OAAO;AAAA,EACzB,uBAAuB,WAAAA,QAAE,OAAO;AAAA,EAChC,OAAO,WAAAA,QAAE,OAAO;AAAA,EAChB,uBAAuB,WAAAA,QAAE,MAAM,WAAAA,QAAE,OAAO;AAAA,IACtC,MAAM,WAAAA,QAAE,QAAQ,mBAAmB;AAAA,IACnC,6BAA6B,WAAAA,QAAE,OAAO;AAAA,EACxC,CAAC,CAAC;AAAA,EACF,cAAc,WAAAA,QAAE,OAAO,EAAE,IAAI,EAAE,SAAS;AAAA,EACxC,cAAc,WAAAA,QAAE,SAAS,WAAAA,QAAE,OAAO,CAAC;AAErC,CAAC,EACA,YAAY;AAGR,IAAM,oCAAoC,WAAAA,QAC9C,OAAO;AAAA;AAAA;AAAA;AAAA,EAIN,SAAS,WAAAA,QAAE,OAAO;AAAA;AAAA;AAAA;AAAA,EAIlB,WAAW,WAAAA,QAAE,OAAO;AACtB,CAAC,EACA,YAAY;AAGR,IAAM,+BAA+B,WAAAA,QACzC,OAAO;AAAA,EACN,aAAa,WAAAA,QAAE,OAAO;AAAA,EACtB,YAAY,WAAAA,QAAE,OAAO,EAAE,IAAI;AAC7B,CAAC,EACA,YAAY;;;ACzCf,IAAAC,gBAAkC;AAKlC,IAAM,qBAAqB;AAC3B,IAAM,oBAAoB;AA6D1B,eAAsB,iCAAiC,SAA8F;AAGnJ,QAAM,OAAO,MAAM,WAAW;AAAA,IAC5B,6BAA6B,QAAQ;AAAA,IACrC,WAAW,QAAQ;AAAA,IACnB,cAAc,QAAQ;AAAA,EACxB,CAAC;AAED,QAAM,uBAA6C;AAAA,IACjD,eAAe;AAAA,IACf,eAAe,QAAQ;AAAA,IACvB,OAAO,QAAQ,aAAS,iCAAmB,MAAM,QAAQ,UAAU,eAAe,iBAAiB,CAAC;AAAA,IACpG,WAAW,QAAQ;AAAA,IACnB,cAAc,QAAQ;AAAA,IACtB,OAAO,QAAQ;AAAA,IACf,uBAAuB,QAAQ;AAAA,IAC/B,gBAAgB,KAAK;AAAA,IACrB,uBAAuB,KAAK;AAAA,EAC9B;AAEA,QAAM,EAAE,KAAK,IAAI;AACjB,MAAI,CAAC,KAAK,OAAO,OAAO,CAAC,KAAK,OAAO,WAAW,KAAK;AACnD,UAAM,IAAI,MAAM,wDAAwD;AAAA,EAC1E;AAEA,QAAM,MAAM,KAAK,MAAM,KAAK,IAAI,CAAC;AACjC,QAAM,aAAa,MAAM,QAAQ,UAAU,QAAQ,KAAK,QAAQ;AAAA,IAC5D,QAAQ;AAAA,MACN,KAAK,KAAK,OAAO;AAAA,MACjB,KAAK,KAAK,OAAO,UAAU;AAAA,MAC3B,KAAK;AAAA,IACP;AAAA,IACA,SAAS;AAAA,MACP,KAAK,QAAQ;AAAA,MACb,KAAK,MAAM;AAAA,MACX;AAAA,MACA,KAAK,KAAK,OAAO,UAAU;AAAA,MAC3B,KAAK,QAAQ,WAAO,iCAAkB,MAAM,QAAQ,UAAU,eAAe,iBAAiB,CAAC;AAAA,MAC/F,GAAG;AAAA,IACL;AAAA,EACF,CAAC;AAEH,SAAO;AAAA,IACL,WAAW,QAAQ;AAAA,IACnB,SAAS,WAAW;AAAA,EACtB;AACF;","names":["PkceCodeChallengeMethod","z","import_utils"]}

package/dist/index.mjs ADDED Viewed

@@ -0,0 +1,138 @@
+// src/pkce.ts
+import { HashAlgorithm, Oauth2Error } from "@openid4vc/oauth2";
+import { decodeUtf8String, encodeToBase64Url } from "@openid4vc/utils";
+var PkceCodeChallengeMethod = /* @__PURE__ */ ((PkceCodeChallengeMethod2) => {
+  PkceCodeChallengeMethod2["Plain"] = "plain";
+  PkceCodeChallengeMethod2["S256"] = "S256";
+  return PkceCodeChallengeMethod2;
+})(PkceCodeChallengeMethod || {});
+async function createPkce(options) {
+  const allowedCodeChallengeMethods = options.allowedCodeChallengeMethods ?? [
+    "S256" /* S256 */,
+    "plain" /* Plain */
+  ];
+  if (allowedCodeChallengeMethods.length === 0) {
+    throw new Oauth2Error(`Unable to create PKCE code verifier. 'allowedCodeChallengeMethods' is an empty array.`);
+  }
+  const codeChallengeMethod = allowedCodeChallengeMethods.includes("S256" /* S256 */) ? "S256" /* S256 */ : "plain" /* Plain */;
+  const codeVerifier = options.codeVerifier ?? encodeToBase64Url(await options.callbacks.generateRandom(64));
+  return {
+    codeVerifier,
+    codeChallenge: await calculateCodeChallenge({
+      codeChallengeMethod,
+      codeVerifier,
+      hashCallback: options.callbacks.hash
+    }),
+    codeChallengeMethod
+  };
+}
+async function verifyPkce(options) {
+  const calculatedCodeChallenge = await calculateCodeChallenge({
+    codeChallengeMethod: options.codeChallengeMethod,
+    codeVerifier: options.codeVerifier,
+    hashCallback: options.callbacks.hash
+  });
+  if (options.codeChallenge !== calculatedCodeChallenge) {
+    throw new Oauth2Error(
+      `Derived code challenge '${calculatedCodeChallenge}' from code_verifier '${options.codeVerifier}' using code challenge method '${options.codeChallengeMethod}' does not match the expected code challenge.`
+    );
+  }
+}
+async function calculateCodeChallenge(options) {
+  if (options.codeChallengeMethod === "plain" /* Plain */) {
+    return options.codeVerifier;
+  }
+  if (options.codeChallengeMethod === "S256" /* S256 */) {
+    return encodeToBase64Url(await options.hashCallback(decodeUtf8String(options.codeVerifier), HashAlgorithm.Sha256));
+  }
+  throw new Oauth2Error(`Unsupported code challenge method ${options.codeChallengeMethod}`);
+}
+// src/authorization-request/z-authorization-request.ts
+import z from "zod";
+var zAuthorizationRequest = z.object({
+  response_type: z.string(),
+  response_mode: z.string(),
+  client_id: z.string(),
+  state: z.string(),
+  code_challenge: z.string(),
+  code_challenge_method: z.string(),
+  scope: z.string(),
+  authorization_details: z.array(z.object({
+    type: z.literal("openid_credential"),
+    credential_configuration_id: z.string()
+  })),
+  redirect_uri: z.string().url().optional(),
+  issuer_state: z.optional(z.string())
+}).passthrough();
+var zPushedAuthorizationRequestSigned = z.object({
+  /*
+  * It MUST be a signed JWT. The private key corresponding to the public one in the cnf parameter inside the Wallet Attestation MUST be used for signing the Request Object.
+  */
+  request: z.string(),
+  /*
+  * MUST be set to the thumbprint of the jwk value in the cnf parameter inside the Wallet Attestation.
+  */
+  client_id: z.string()
+}).passthrough();
+var zPushedAuthorizationResponse = z.object({
+  request_uri: z.string(),
+  expires_in: z.number().int()
+}).passthrough();
+// src/authorization-request/create-authorization-request.ts
+import { encodeToBase64Url as encodeToBase64Url2 } from "@openid4vc/utils";
+var JWT_EXPIRY_SECONDS = 3600;
+var RANDOM_BYTES_SIZE = 32;
+async function createPushedAuthorizationRequest(options) {
+  const pkce = await createPkce({
+    allowedCodeChallengeMethods: options.codeChallengeMethodsSupported,
+    callbacks: options.callbacks,
+    codeVerifier: options.pkceCodeVerifier
+  });
+  const authorizationRequest = {
+    response_type: "code",
+    response_mode: options.responseMode,
+    state: options.state ?? encodeToBase64Url2(await options.callbacks.generateRandom(RANDOM_BYTES_SIZE)),
+    client_id: options.clientId,
+    redirect_uri: options.redirectUri,
+    scope: options.scope,
+    authorization_details: options.authorization_details,
+    code_challenge: pkce.codeChallenge,
+    code_challenge_method: pkce.codeChallengeMethod
+  };
+  const { dpop } = options;
+  if (!dpop.signer.alg || !dpop.signer.publicJwk?.kid) {
+    throw new Error("DPoP signer must have alg and publicJwk.kid properties");
+  }
+  const iat = Math.floor(Date.now());
+  const requestJwt = await options.callbacks.signJwt(dpop.signer, {
+    header: {
+      alg: dpop.signer.alg,
+      kid: dpop.signer.publicJwk.kid,
+      typ: "jwt"
+    },
+    payload: {
+      aud: options.audience,
+      exp: iat + JWT_EXPIRY_SECONDS,
+      iat,
+      iss: dpop.signer.publicJwk.kid,
+      jti: options.jti ?? encodeToBase64Url2(await options.callbacks.generateRandom(RANDOM_BYTES_SIZE)),
+      ...authorizationRequest
+    }
+  });
+  return {
+    client_id: options.clientId,
+    request: requestJwt.jwt
+  };
+}
+export {
+  PkceCodeChallengeMethod,
+  createPkce,
+  createPushedAuthorizationRequest,
+  verifyPkce,
+  zAuthorizationRequest,
+  zPushedAuthorizationRequestSigned,
+  zPushedAuthorizationResponse
+};
+//# sourceMappingURL=index.mjs.map

package/dist/index.mjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/pkce.ts","../src/authorization-request/z-authorization-request.ts","../src/authorization-request/create-authorization-request.ts"],"sourcesContent":["import { CallbackContext, HashAlgorithm, HashCallback, Oauth2Error } from '@openid4vc/oauth2'\nimport { decodeUtf8String, encodeToBase64Url } from '@openid4vc/utils'\n\nexport enum PkceCodeChallengeMethod {\n Plain = 'plain',\n S256 = 'S256',\n}\n\nexport interface CreatePkceOptions {\n /**\n * Also allows string values so it can be directly passed from the\n * 'code_challenge_methods_supported' metadata parameter\n */\n allowedCodeChallengeMethods?: Array<string | PkceCodeChallengeMethod>\n\n /**\n * Code verifier to use. If not provided a value will be generated.\n */\n codeVerifier?: string\n\n callbacks: Pick<CallbackContext, 'hash' | 'generateRandom'>\n}\n\nexport interface CreatePkceReturn {\n codeVerifier: string\n codeChallenge: string\n codeChallengeMethod: PkceCodeChallengeMethod\n}\n\nexport async function createPkce(options: CreatePkceOptions): Promise<CreatePkceReturn> {\n const allowedCodeChallengeMethods = options.allowedCodeChallengeMethods ?? [\n PkceCodeChallengeMethod.S256,\n PkceCodeChallengeMethod.Plain,\n ]\n\n if (allowedCodeChallengeMethods.length === 0) {\n throw new Oauth2Error(`Unable to create PKCE code verifier. 'allowedCodeChallengeMethods' is an empty array.`)\n }\n\n const codeChallengeMethod = allowedCodeChallengeMethods.includes(PkceCodeChallengeMethod.S256)\n ? PkceCodeChallengeMethod.S256\n : PkceCodeChallengeMethod.Plain\n\n const codeVerifier = options.codeVerifier ?? encodeToBase64Url(await options.callbacks.generateRandom(64))\n return {\n codeVerifier,\n codeChallenge: await calculateCodeChallenge({\n codeChallengeMethod,\n codeVerifier,\n hashCallback: options.callbacks.hash,\n }),\n codeChallengeMethod,\n }\n}\n\nexport interface VerifyPkceOptions {\n /**\n * secure random code verifier\n */\n codeVerifier: string\n\n codeChallenge: string\n codeChallengeMethod: PkceCodeChallengeMethod\n\n callbacks: Pick<CallbackContext, 'hash'>\n}\n\nexport async function verifyPkce(options: VerifyPkceOptions) {\n const calculatedCodeChallenge = await calculateCodeChallenge({\n codeChallengeMethod: options.codeChallengeMethod,\n codeVerifier: options.codeVerifier,\n hashCallback: options.callbacks.hash,\n })\n\n if (options.codeChallenge !== calculatedCodeChallenge) {\n throw new Oauth2Error(\n `Derived code challenge '${calculatedCodeChallenge}' from code_verifier '${options.codeVerifier}' using code challenge method '${options.codeChallengeMethod}' does not match the expected code challenge.`\n )\n }\n}\n\nasync function calculateCodeChallenge(options: {\n codeVerifier: string\n codeChallengeMethod: PkceCodeChallengeMethod\n hashCallback: HashCallback\n}) {\n if (options.codeChallengeMethod === PkceCodeChallengeMethod.Plain) {\n return options.codeVerifier\n }\n\n if (options.codeChallengeMethod === PkceCodeChallengeMethod.S256) {\n return encodeToBase64Url(await options.hashCallback(decodeUtf8String(options.codeVerifier), HashAlgorithm.Sha256))\n }\n\n throw new Oauth2Error(`Unsupported code challenge method ${options.codeChallengeMethod}`)\n}\n","import z from 'zod'\n\nexport const zAuthorizationRequest = z\n .object({\n response_type: z.string(),\n response_mode: z.string(),\n client_id: z.string(),\n state: z.string(),\n code_challenge: z.string(),\n code_challenge_method: z.string(),\n scope: z.string(),\n authorization_details: z.array(z.object({\n type: z.literal(\"openid_credential\"),\n credential_configuration_id: z.string()\n })),\n redirect_uri: z.string().url().optional(),\n issuer_state: z.optional(z.string()),\n\n })\n .passthrough()\nexport type AuthorizationRequest = z.infer<typeof zAuthorizationRequest>\n\nexport const zPushedAuthorizationRequestSigned = z\n .object({\n /* \n * It MUST be a signed JWT. The private key corresponding to the public one in the cnf parameter inside the Wallet Attestation MUST be used for signing the Request Object.\n */\n request: z.string(),\n /* \n * MUST be set to the thumbprint of the jwk value in the cnf parameter inside the Wallet Attestation.\n */\n client_id: z.string(),\n })\n .passthrough()\nexport type PushedAuthorizationRequestSigned = z.infer<typeof zPushedAuthorizationRequestSigned>\n\nexport const zPushedAuthorizationResponse = z\n .object({\n request_uri: z.string(),\n expires_in: z.number().int(),\n })\n .passthrough()\nexport type PushedAuthorizationResponse = z.infer<typeof zPushedAuthorizationResponse>\n","import { encodeToBase64Url } from '@openid4vc/utils'\nimport { AuthorizationServerMetadata, CallbackContext, RequestDpopOptions } from \"@openid4vc/oauth2\";\nimport { createPkce } from '../pkce';\nimport { AuthorizationRequest, PushedAuthorizationRequestSigned } from './z-authorization-request';\n\nconst JWT_EXPIRY_SECONDS = 3600; // 1 hour\nconst RANDOM_BYTES_SIZE = 32;\n\nexport interface CreatePushedAuthorizationRequestOptions {\n /**\n * Callback context mostly for crypto related functionality\n */\n callbacks: Pick<CallbackContext, 'hash' | 'generateRandom' | 'signJwt' >\n\n codeChallengeMethodsSupported: AuthorizationServerMetadata[\"code_challenge_methods_supported\"]\n\n /**\n * MUST be set to the thumbprint of the jwk value in the cnf parameter inside the Wallet Attestation.\n */\n clientId: string\n\n /**\n * It MUST be set to the identifier of the Credential Issuer.\n */\n audience: string\n\n /**\n * Scope to request for the authorization request\n */\n scope: string\n\n /**\n * It MUST be one of the supported values (response_modes_supported) provided in the metadata of the Credential Issuer.\n */\n responseMode: string\n\n /**\n * Redirect uri to include in the authorization request\n */\n redirectUri: string\n\n /**\n * Allows clients to specify their fine-grained authorization requirements using the expressiveness of JSON data structures\n */\n authorization_details: Record<string, unknown>[]\n\n /**\n * state parameter to use for PAR. If not provided a value will generated automatically\n */\n state?: string\n\n /**\n * jti parameter to use for PAR. If not provided a value will generated automatically\n */\n jti?: string\n\n /**\n * Code verifier to use for pkce. If not provided a value will generated when pkce is supported\n */\n pkceCodeVerifier?: string\n\n /**\n * DPoP options\n */\n dpop: RequestDpopOptions\n}\n\nexport async function createPushedAuthorizationRequest(options: CreatePushedAuthorizationRequestOptions) : Promise<PushedAuthorizationRequestSigned> {\n\n // PKCE\n const pkce = await createPkce({\n allowedCodeChallengeMethods: options.codeChallengeMethodsSupported,\n callbacks: options.callbacks,\n codeVerifier: options.pkceCodeVerifier,\n });\n\n const authorizationRequest: AuthorizationRequest = {\n response_type: 'code',\n response_mode: options.responseMode,\n state: options.state ?? encodeToBase64Url( await options.callbacks.generateRandom(RANDOM_BYTES_SIZE)),\n client_id: options.clientId,\n redirect_uri: options.redirectUri,\n scope: options.scope,\n authorization_details: options.authorization_details,\n code_challenge: pkce.codeChallenge,\n code_challenge_method: pkce.codeChallengeMethod,\n }\n\n const { dpop } = options;\n if (!dpop.signer.alg || !dpop.signer.publicJwk?.kid) {\n throw new Error('DPoP signer must have alg and publicJwk.kid properties');\n }\n\n const iat = Math.floor(Date.now())\n const requestJwt = await options.callbacks.signJwt(dpop.signer, {\n header: {\n alg: dpop.signer.alg,\n kid: dpop.signer.publicJwk.kid,\n typ: \"jwt\",\n },\n payload: {\n aud: options.audience,\n exp: iat + JWT_EXPIRY_SECONDS,\n iat,\n iss: dpop.signer.publicJwk.kid,\n jti: options.jti ?? encodeToBase64Url(await options.callbacks.generateRandom(RANDOM_BYTES_SIZE)),\n ...authorizationRequest\n },\n });\n\n return {\n client_id: options.clientId,\n request: requestJwt.jwt\n }\n}\n"],"mappings":";AAAA,SAA0B,eAA6B,mBAAmB;AAC1E,SAAS,kBAAkB,yBAAyB;AAE7C,IAAK,0BAAL,kBAAKA,6BAAL;AACL,EAAAA,yBAAA,WAAQ;AACR,EAAAA,yBAAA,UAAO;AAFG,SAAAA;AAAA,GAAA;AA0BZ,eAAsB,WAAW,SAAuD;AACtF,QAAM,8BAA8B,QAAQ,+BAA+B;AAAA,IACzE;AAAA,IACA;AAAA,EACF;AAEA,MAAI,4BAA4B,WAAW,GAAG;AAC5C,UAAM,IAAI,YAAY,uFAAuF;AAAA,EAC/G;AAEA,QAAM,sBAAsB,4BAA4B,SAAS,iBAA4B,IACzF,oBACA;AAEJ,QAAM,eAAe,QAAQ,gBAAgB,kBAAkB,MAAM,QAAQ,UAAU,eAAe,EAAE,CAAC;AACzG,SAAO;AAAA,IACL;AAAA,IACA,eAAe,MAAM,uBAAuB;AAAA,MAC1C;AAAA,MACA;AAAA,MACA,cAAc,QAAQ,UAAU;AAAA,IAClC,CAAC;AAAA,IACD;AAAA,EACF;AACF;AAcA,eAAsB,WAAW,SAA4B;AAC3D,QAAM,0BAA0B,MAAM,uBAAuB;AAAA,IAC3D,qBAAqB,QAAQ;AAAA,IAC7B,cAAc,QAAQ;AAAA,IACtB,cAAc,QAAQ,UAAU;AAAA,EAClC,CAAC;AAED,MAAI,QAAQ,kBAAkB,yBAAyB;AACrD,UAAM,IAAI;AAAA,MACR,2BAA2B,uBAAuB,yBAAyB,QAAQ,YAAY,kCAAkC,QAAQ,mBAAmB;AAAA,IAC9J;AAAA,EACF;AACF;AAEA,eAAe,uBAAuB,SAInC;AACD,MAAI,QAAQ,wBAAwB,qBAA+B;AACjE,WAAO,QAAQ;AAAA,EACjB;AAEA,MAAI,QAAQ,wBAAwB,mBAA8B;AAChE,WAAO,kBAAkB,MAAM,QAAQ,aAAa,iBAAiB,QAAQ,YAAY,GAAG,cAAc,MAAM,CAAC;AAAA,EACnH;AAEA,QAAM,IAAI,YAAY,qCAAqC,QAAQ,mBAAmB,EAAE;AAC1F;;;AC/FA,OAAO,OAAO;AAEP,IAAM,wBAAwB,EAClC,OAAO;AAAA,EACN,eAAe,EAAE,OAAO;AAAA,EACxB,eAAe,EAAE,OAAO;AAAA,EACxB,WAAW,EAAE,OAAO;AAAA,EACpB,OAAO,EAAE,OAAO;AAAA,EAChB,gBAAgB,EAAE,OAAO;AAAA,EACzB,uBAAuB,EAAE,OAAO;AAAA,EAChC,OAAO,EAAE,OAAO;AAAA,EAChB,uBAAuB,EAAE,MAAM,EAAE,OAAO;AAAA,IACtC,MAAM,EAAE,QAAQ,mBAAmB;AAAA,IACnC,6BAA6B,EAAE,OAAO;AAAA,EACxC,CAAC,CAAC;AAAA,EACF,cAAc,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS;AAAA,EACxC,cAAc,EAAE,SAAS,EAAE,OAAO,CAAC;AAErC,CAAC,EACA,YAAY;AAGR,IAAM,oCAAoC,EAC9C,OAAO;AAAA;AAAA;AAAA;AAAA,EAIN,SAAS,EAAE,OAAO;AAAA;AAAA;AAAA;AAAA,EAIlB,WAAW,EAAE,OAAO;AACtB,CAAC,EACA,YAAY;AAGR,IAAM,+BAA+B,EACzC,OAAO;AAAA,EACN,aAAa,EAAE,OAAO;AAAA,EACtB,YAAY,EAAE,OAAO,EAAE,IAAI;AAC7B,CAAC,EACA,YAAY;;;ACzCf,SAAS,qBAAAC,0BAAyB;AAKlC,IAAM,qBAAqB;AAC3B,IAAM,oBAAoB;AA6D1B,eAAsB,iCAAiC,SAA8F;AAGnJ,QAAM,OAAO,MAAM,WAAW;AAAA,IAC5B,6BAA6B,QAAQ;AAAA,IACrC,WAAW,QAAQ;AAAA,IACnB,cAAc,QAAQ;AAAA,EACxB,CAAC;AAED,QAAM,uBAA6C;AAAA,IACjD,eAAe;AAAA,IACf,eAAe,QAAQ;AAAA,IACvB,OAAO,QAAQ,SAASC,mBAAmB,MAAM,QAAQ,UAAU,eAAe,iBAAiB,CAAC;AAAA,IACpG,WAAW,QAAQ;AAAA,IACnB,cAAc,QAAQ;AAAA,IACtB,OAAO,QAAQ;AAAA,IACf,uBAAuB,QAAQ;AAAA,IAC/B,gBAAgB,KAAK;AAAA,IACrB,uBAAuB,KAAK;AAAA,EAC9B;AAEA,QAAM,EAAE,KAAK,IAAI;AACjB,MAAI,CAAC,KAAK,OAAO,OAAO,CAAC,KAAK,OAAO,WAAW,KAAK;AACnD,UAAM,IAAI,MAAM,wDAAwD;AAAA,EAC1E;AAEA,QAAM,MAAM,KAAK,MAAM,KAAK,IAAI,CAAC;AACjC,QAAM,aAAa,MAAM,QAAQ,UAAU,QAAQ,KAAK,QAAQ;AAAA,IAC5D,QAAQ;AAAA,MACN,KAAK,KAAK,OAAO;AAAA,MACjB,KAAK,KAAK,OAAO,UAAU;AAAA,MAC3B,KAAK;AAAA,IACP;AAAA,IACA,SAAS;AAAA,MACP,KAAK,QAAQ;AAAA,MACb,KAAK,MAAM;AAAA,MACX;AAAA,MACA,KAAK,KAAK,OAAO,UAAU;AAAA,MAC3B,KAAK,QAAQ,OAAOA,mBAAkB,MAAM,QAAQ,UAAU,eAAe,iBAAiB,CAAC;AAAA,MAC/F,GAAG;AAAA,IACL;AAAA,EACF,CAAC;AAEH,SAAO;AAAA,IACL,WAAW,QAAQ;AAAA,IACnB,SAAS,WAAW;AAAA,EACtB;AACF;","names":["PkceCodeChallengeMethod","encodeToBase64Url","encodeToBase64Url"]}

package/package.json ADDED Viewed

@@ -0,0 +1,34 @@
+{
+  "name": "@pagopa/io-wallet-oauth2",
+  "version": "0.3.0",
+  "files": [
+    "dist"
+  ],
+  "license": "Apache-2.0",
+  "exports": {
+    ".": {
+      "import": "./dist/index.mjs",
+      "require": "./dist/index.js",
+      "types": "./dist/index.d.ts"
+    },
+    "./package.json": "./package.json"
+  },
+  "homepage": "https://github.com/pagopa/io-wallet-sdk/tree/main/packages/oauth2",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/pagopa/io-wallet-sdk",
+    "directory": "packages/oauth2"
+  },
+  "dependencies": {
+    "@openid4vc/oauth2": "^0.2.0",
+    "@openid4vc/utils": "^0.2.0",
+    "zod": "^3.24.2"
+  },
+  "scripts": {
+    "build": "tsup src/index.ts --format cjs,esm --dts --clean --sourcemap",
+    "test": "vitest"
+  },
+  "main": "./dist/index.js",
+  "module": "./dist/index.mjs",
+  "types": "./dist/index.d.ts"
+}