npm - @pagopa/io-wallet-oid4vci - Versions diffs - 0.5.0 → 0.6.0 - Mend

@pagopa/io-wallet-oid4vci 0.5.0 → 0.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/README.md CHANGED Viewed

@@ -63,10 +63,172 @@ const attestationJwt = await walletProvider.createItWalletAttestationJwt(attesta
 The wallet attestation JWT can then be used in the OID4VCI protocol flow to prove the wallet's identity and key possession.
+### `completeAuthorization`
+```typescript
+import { CompleteAuthorizationOptions, completeAuthorization } from "@pagopa/io-wallet-oid4ci"
+//Obtain a response uri from an OID4VP authorization flow
+const response_uri = "https://response.example.com"
+//Build the parameters
+const options : CompleteAuthorizationOptions = {
+  fetch,
+  response_uri
+}
+/**
+ * Result is in the following form:
+ * {
+ *    jwt : "ey...",
+ *    decodedJwt : {
+ *      header : {
+ *        alg : "ES256",
+ *        ...
+ *      },
+ *      payload : {
+ *        iss : "https://iss.example.com",
+ *        state : "EXAMPLE_STATE",
+ *        code : "ACCESS_CODE"
+ *      },
+ *      signature : "..."
+ *    }
+ * }
+ */
+const result = await completeAuthorization(options)
+```
+### `verifyAuthorizationResponse`
+```typescript
+import {verifyAuthorizationResponse, VerifyAuthorizationResponseOptions} from "@pagopa/io-wallet-oid4vci"
+// Obtain an authorizationResponse
+const response = {
+  code : "TEST_CODE",
+  iss : "http://iss.example.com",
+  state : "TEST_STATE"
+}
+//Retrieve the expected issuer and state sent at the start of the authorization flow
+const EXPECTED_ISS = "http://iss.example.com"
+const EXPECTED_STATE = "TEST_STATE"
+//Check if they are correct
+verifyAuthorizationResponse({
+  authorizationResponse : response,
+  iss : EXPECTED_ISS,
+  state: EXPECTED_STATE
+} satisfies VerifyAuthorizationResponseOptions)
+```
+### `verifyAuthorizationResponseFormPostJWT`
+```typescript
+import {verifyAuthorizationResponseFormPostJWT, VerifyAuthorizationResponseFormPostJWTOptions} from "@pagopa/io-wallet-oid4vci"
+import { JwtSignerJwk } from "@pagopa/io-wallet-oauth2"
+// Obtain a decoded jwt cotaining the authoization response...
+const decodedJwt = {
+  header : {
+    alg : "ES256",
+    ...
+  },
+  payload :{
+    code : "TEST_CODE",
+    iss : "http://iss.example.com",
+    state : "TEST_STATE"
+  },
+  signature : "..."
+}
+//...and its compact form
+const jwt = "ey..."
+//Retrieve the signer's public key and build the corrsponing Signer object
+const signer : JwtSignerJwk = {
+  mehtod: "jwk",
+  alg : "ES256",
+  publicJwk : {
+    kty : "EC",
+    ...
+  }
+}
+//Retrieve the expected issuer and state sent at the start of the authorization flow
+const EXPECTED_ISS = "http://iss.example.com"
+const EXPECTED_STATE = "TEST_STATE"
+//Check the iss and state fields match the expected values and verify jwt signature
+verifyAuthorizationResponseFormPostJWT({
+  authorizationResponseCompact : jwt,
+  authorizationResponseDecoded : decodedJwt,
+  callbacks : {
+    verifyJwt : (signer, {header, payload, compact}) => {
+      ... //Signature verification
+    }
+  }
+  iss : EXPECTED_ISS,
+  signer,
+  state: EXPECTED_STATE
+} satisfies VerifyAuthorizationResponseFormPostJWTOptions)
+```
+### `sendAuthorizationResponseAndExtractCode`
+```typescript
+import {sendAuthorizationResponseAndExtractCode, SendAuthorizationResponseAndExtractCodeOptions} from "@pagopa/io-wallet-oid4vci"
+//Retrieve the necessary parameters
+const baseOptions: SendAuthorizationResponseAndExtractCodeOptions = {
+  //Signature JARM
+  authorizationResponseJarm: "...",
+  callbacks: {
+    fetch,
+    verifyJwt: (signer, {header, payload, compact}) => {
+      ... //verify signature
+    },
+  },
+  //Issuance session's credential issuer
+  iss: "http://iss.example.com",
+  presentationResponseUri: "http://response.oidvp.example.com",
+  //Retrieve the form_post.jwt response's corresponsing public key and create its corresponding signer
+  signer: {
+    alg: "ES256",
+    method: "jwk",
+    publicJwk: {
+      kty: "EC",
+    },
+  },
+  //The authorization state
+  state: "TEST_STATE",
+};
+//Obtain the authorization code
+const {code, iss, state} = await sendAuthorizationResponseAndExtractCode(options)
+```
 ## API Reference
 `WalletProvider`: A class that extends Openid4vciWalletProvider to provide specialized methods for the Italian Wallet ecosystem.
+`completeAuthorization` : Method that completes the `form_post.jwt` based authorization process for credentials issuance following the ITWallet
+                          specification by retrieving the form from the provided uri, extracting and parsing the contained JWT and verifying the
+                          `iss` and `state` fields match the authorization session's expected values.
+`verifyAuthorizationResponse` : Utility that verifies if the returned Authorization Response's
+                                                      `iss` and `state` field match the Authorization Session ones
+`verifyAuthorizationResponseFormPostJWT` : Wrapper of `verifyAuthorizationResponse` that verifies the signature of the JWT containing
+                                           the authorization response and extracts the Authorization Response payload
+`sendAuthorizationResponseAndExtractCode` : Convenience method that combines `completeAuthorization`,
+                                            oid4vp package's `fetchAuthorizationResponse` and `verifyAuthorizationResponseFormPostJWT`
+                                            to retrieve the access code starting from the authorization response and the response uri
 ## Errors
 ```typescript

package/dist/index.d.mts CHANGED Viewed

@@ -1,6 +1,94 @@
-import { ClientAttestationJwtPayload } from '@openid4vc/oauth2';
+import { decodeJwt, CallbackContext, JwtSignerJwk, ClientAttestationJwtPayload } from '@openid4vc/oauth2';
+import { getJwtFromFormPost } from '@pagopa/io-wallet-oauth2';
+import { FetchAuthorizationResponseOptions } from '@pagopa/io-wallet-oid4vp';
+import z from 'zod';
 import { Openid4vciWalletProvider } from '@openid4vc/openid4vci';
+declare const zAuthorizationResponse: z.ZodObject<{
+    code: z.ZodString;
+    iss: z.ZodString;
+    state: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    code: string;
+    iss: string;
+    state: string;
+}, {
+    code: string;
+    iss: string;
+    state: string;
+}>;
+type AuthorizationResponse = z.infer<typeof zAuthorizationResponse>;
+interface VerifyAuthorizationResponseFormPostJWTOptions {
+    /**
+     * Compact AuthorizaitonResponse JWT
+     */
+    authorizationResponseCompact: string;
+    /**
+     * Authorization Response object containing the authorization
+     * code, the issuer and the session's state
+     */
+    authorizationResponseDecoded: ReturnType<typeof decodeJwt<undefined, typeof zAuthorizationResponse>>;
+    /**
+     * Callback for verifying the authorization jwt signature
+     */
+    callbacks: Pick<CallbackContext, "verifyJwt">;
+    /**
+     * The issuer the Wallet Instance started the
+     * authorization flow (either via PAR or directly) with
+     */
+    iss: string;
+    /**
+     * Signer of the form POST returned jwt
+     */
+    signer: JwtSignerJwk;
+    /**
+     * The state sent by the Wallet Instance at the start
+     * of the authorization flow (either via PAR or directly)
+     */
+    state: string;
+}
+interface CompleteAuthorizationOptions {
+    callbacks: Pick<CallbackContext, "fetch">;
+    /**
+     * The response_uri returned by the server after a successful
+     * OID4VP Authorization Response is sent
+     */
+    response_uri: string;
+}
+/**
+ * Combination of {@link CompleteAuthorizationOptions},
+ * {@link FetchAuthorizationResponseOptions} and
+ * {@link VerifyAuthorizationResponseFormPostJWTOptions}
+ */
+type SendAuthorizationResponseAndExtractCodeOptions = FetchAuthorizationResponseOptions & Omit<VerifyAuthorizationResponseFormPostJWTOptions, "authorizationResponseCompact" | "authorizationResponseDecoded"> & Omit<CompleteAuthorizationOptions, "response_uri">;
+/**
+ * Method that completes the form_post.jwt based authorization
+ * process for credentials issuance following the ITWallet
+ * specification by retrieving the form from the provided uri,
+ * extracting and parsing the contained JWT and verifying the
+ * iss and state fields match the authorization session's expected
+ * values.
+ * See https://italia.github.io/eid-wallet-it-docs/versione-corrente/en/credential-issuance-low-level.html#
+ * steps 6-7 for details.
+ *
+ * @param options {@link CompleteAuthorizationOptions}
+ * @returns An object containing the fetched JWT and its decoding. The JWT contains the access code
+ *          necessary for access token issuance
+ */
+declare function completeAuthorization(options: CompleteAuthorizationOptions): ReturnType<typeof getJwtFromFormPost<typeof zAuthorizationResponse>>;
+/**
+ * Convenience method that combines {@link completeAuthorization},
+ * oid4vp package's {@link fetchAuthorizationResponse} and {@link verifyAuthorizationResponseFormPostJWT} to retrieve the
+ * access code starting from the authorization response and the response uri
+ *
+ * @param options {@link SendAuthorizationResponseAndExtractCodeOptions}
+ * @returns An object containing the fetched JWT and its decoding. The JWT contains the access code
+ *          for necessary for access token issuance
+ */
+declare function sendAuthorizationResponseAndExtractCode(options: SendAuthorizationResponseAndExtractCodeOptions): Promise<AuthorizationResponse>;
 /**
  * Generic error thrown on Oid4vci operations
  */
@@ -24,6 +112,13 @@ declare class NonceRequestError extends Error {
     readonly statusCode?: number | undefined;
     constructor(message: string, statusCode?: number | undefined);
 }
+/**
+ * Error thrown when an unexpected error occurs during credential response fetching.
+ */
+declare class FetchCredentialResponseError extends Oid4vciError {
+    readonly originalError?: unknown;
+    constructor(message: string, originalError?: unknown);
+}
 /**
  * @interface WalletAttestationOptions
@@ -93,4 +188,4 @@ declare class WalletProvider extends Openid4vciWalletProvider {
     createItWalletAttestationJwt(options: WalletAttestationOptions): Promise<string>;
 }
-export { NonceRequestError, Oid4vciError, type WalletAttestationOptions, WalletProvider, WalletProviderError };
+export { type AuthorizationResponse, type CompleteAuthorizationOptions, FetchCredentialResponseError, NonceRequestError, Oid4vciError, type SendAuthorizationResponseAndExtractCodeOptions, type WalletAttestationOptions, WalletProvider, WalletProviderError, completeAuthorization, sendAuthorizationResponseAndExtractCode, zAuthorizationResponse };

package/dist/index.d.ts CHANGED Viewed

@@ -1,6 +1,94 @@
-import { ClientAttestationJwtPayload } from '@openid4vc/oauth2';
+import { decodeJwt, CallbackContext, JwtSignerJwk, ClientAttestationJwtPayload } from '@openid4vc/oauth2';
+import { getJwtFromFormPost } from '@pagopa/io-wallet-oauth2';
+import { FetchAuthorizationResponseOptions } from '@pagopa/io-wallet-oid4vp';
+import z from 'zod';
 import { Openid4vciWalletProvider } from '@openid4vc/openid4vci';
+declare const zAuthorizationResponse: z.ZodObject<{
+    code: z.ZodString;
+    iss: z.ZodString;
+    state: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    code: string;
+    iss: string;
+    state: string;
+}, {
+    code: string;
+    iss: string;
+    state: string;
+}>;
+type AuthorizationResponse = z.infer<typeof zAuthorizationResponse>;
+interface VerifyAuthorizationResponseFormPostJWTOptions {
+    /**
+     * Compact AuthorizaitonResponse JWT
+     */
+    authorizationResponseCompact: string;
+    /**
+     * Authorization Response object containing the authorization
+     * code, the issuer and the session's state
+     */
+    authorizationResponseDecoded: ReturnType<typeof decodeJwt<undefined, typeof zAuthorizationResponse>>;
+    /**
+     * Callback for verifying the authorization jwt signature
+     */
+    callbacks: Pick<CallbackContext, "verifyJwt">;
+    /**
+     * The issuer the Wallet Instance started the
+     * authorization flow (either via PAR or directly) with
+     */
+    iss: string;
+    /**
+     * Signer of the form POST returned jwt
+     */
+    signer: JwtSignerJwk;
+    /**
+     * The state sent by the Wallet Instance at the start
+     * of the authorization flow (either via PAR or directly)
+     */
+    state: string;
+}
+interface CompleteAuthorizationOptions {
+    callbacks: Pick<CallbackContext, "fetch">;
+    /**
+     * The response_uri returned by the server after a successful
+     * OID4VP Authorization Response is sent
+     */
+    response_uri: string;
+}
+/**
+ * Combination of {@link CompleteAuthorizationOptions},
+ * {@link FetchAuthorizationResponseOptions} and
+ * {@link VerifyAuthorizationResponseFormPostJWTOptions}
+ */
+type SendAuthorizationResponseAndExtractCodeOptions = FetchAuthorizationResponseOptions & Omit<VerifyAuthorizationResponseFormPostJWTOptions, "authorizationResponseCompact" | "authorizationResponseDecoded"> & Omit<CompleteAuthorizationOptions, "response_uri">;
+/**
+ * Method that completes the form_post.jwt based authorization
+ * process for credentials issuance following the ITWallet
+ * specification by retrieving the form from the provided uri,
+ * extracting and parsing the contained JWT and verifying the
+ * iss and state fields match the authorization session's expected
+ * values.
+ * See https://italia.github.io/eid-wallet-it-docs/versione-corrente/en/credential-issuance-low-level.html#
+ * steps 6-7 for details.
+ *
+ * @param options {@link CompleteAuthorizationOptions}
+ * @returns An object containing the fetched JWT and its decoding. The JWT contains the access code
+ *          necessary for access token issuance
+ */
+declare function completeAuthorization(options: CompleteAuthorizationOptions): ReturnType<typeof getJwtFromFormPost<typeof zAuthorizationResponse>>;
+/**
+ * Convenience method that combines {@link completeAuthorization},
+ * oid4vp package's {@link fetchAuthorizationResponse} and {@link verifyAuthorizationResponseFormPostJWT} to retrieve the
+ * access code starting from the authorization response and the response uri
+ *
+ * @param options {@link SendAuthorizationResponseAndExtractCodeOptions}
+ * @returns An object containing the fetched JWT and its decoding. The JWT contains the access code
+ *          for necessary for access token issuance
+ */
+declare function sendAuthorizationResponseAndExtractCode(options: SendAuthorizationResponseAndExtractCodeOptions): Promise<AuthorizationResponse>;
 /**
  * Generic error thrown on Oid4vci operations
  */
@@ -24,6 +112,13 @@ declare class NonceRequestError extends Error {
     readonly statusCode?: number | undefined;
     constructor(message: string, statusCode?: number | undefined);
 }
+/**
+ * Error thrown when an unexpected error occurs during credential response fetching.
+ */
+declare class FetchCredentialResponseError extends Oid4vciError {
+    readonly originalError?: unknown;
+    constructor(message: string, originalError?: unknown);
+}
 /**
  * @interface WalletAttestationOptions
@@ -93,4 +188,4 @@ declare class WalletProvider extends Openid4vciWalletProvider {
     createItWalletAttestationJwt(options: WalletAttestationOptions): Promise<string>;
 }
-export { NonceRequestError, Oid4vciError, type WalletAttestationOptions, WalletProvider, WalletProviderError };
+export { type AuthorizationResponse, type CompleteAuthorizationOptions, FetchCredentialResponseError, NonceRequestError, Oid4vciError, type SendAuthorizationResponseAndExtractCodeOptions, type WalletAttestationOptions, WalletProvider, WalletProviderError, completeAuthorization, sendAuthorizationResponseAndExtractCode, zAuthorizationResponse };

package/dist/index.js CHANGED Viewed

@@ -1,7 +1,9 @@
 "use strict";
+var __create = Object.create;
 var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
 var __export = (target, all) => {
   for (var name in all)
@@ -15,18 +17,36 @@ var __copyProps = (to, from, except, desc) => {
   }
   return to;
 };
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 // src/index.ts
 var index_exports = {};
 __export(index_exports, {
+  FetchCredentialResponseError: () => FetchCredentialResponseError,
   NonceRequestError: () => NonceRequestError,
   Oid4vciError: () => Oid4vciError,
   WalletProvider: () => WalletProvider,
-  WalletProviderError: () => WalletProviderError
+  WalletProviderError: () => WalletProviderError,
+  completeAuthorization: () => completeAuthorization,
+  sendAuthorizationResponseAndExtractCode: () => sendAuthorizationResponseAndExtractCode,
+  zAuthorizationResponse: () => zAuthorizationResponse
 });
 module.exports = __toCommonJS(index_exports);
+// src/authorization-response/complete-authorization.ts
+var import_utils = require("@openid4vc/utils");
+var import_io_wallet_oauth2 = require("@pagopa/io-wallet-oauth2");
+var import_io_wallet_oid4vp = require("@pagopa/io-wallet-oid4vp");
+var import_io_wallet_utils = require("@pagopa/io-wallet-utils");
 // src/errors.ts
 var Oid4vciError = class extends Error {
   constructor(message, statusCode) {
@@ -49,10 +69,109 @@ var NonceRequestError = class extends Error {
     this.name = "NonceRequestError";
   }
 };
+var FetchCredentialResponseError = class extends Oid4vciError {
+  constructor(message, originalError) {
+    super(message);
+    this.originalError = originalError;
+    this.name = "FetchCredentialResponseError";
+  }
+};
+// src/authorization-response/verify-authorization-response.ts
+async function verifyAuthorizationResponse(options) {
+  if (options.authorizationResponse.iss !== options.iss)
+    throw new Oid4vciError(
+      `Response result iss doesn't match passed counterpart. Expected: ${options.iss}, Got: ${options.authorizationResponse.iss}`
+    );
+  if (options.authorizationResponse.state !== options.state)
+    throw new Oid4vciError(
+      `Response result state doesn't match passed counterpart. Expected: ${options.state}, Got: ${options.authorizationResponse.state}`
+    );
+  return options.authorizationResponse;
+}
+async function verifyAuthorizationResponseFormPostJWT(options) {
+  try {
+    const decodedJwt = options.authorizationResponseDecoded;
+    const result = await options.callbacks.verifyJwt(options.signer, {
+      compact: options.authorizationResponseCompact,
+      ...decodedJwt
+    });
+    if (!result.verified) {
+      throw new Oid4vciError("Error verifying JWT signature");
+    }
+    return verifyAuthorizationResponse({
+      authorizationResponse: options.authorizationResponseDecoded.payload,
+      iss: options.iss,
+      state: options.state
+    });
+  } catch (error) {
+    if (error instanceof Oid4vciError) throw error;
+    throw new Oid4vciError(
+      `Unexpected error verifying form post jwt: ${error instanceof Error ? `${error.name} : ${error.message}` : String(error)}`
+    );
+  }
+}
+// src/authorization-response/z-authorization-response.ts
+var import_zod = __toESM(require("zod"));
+var zAuthorizationResponse = import_zod.default.object({
+  code: import_zod.default.string(),
+  iss: import_zod.default.string(),
+  state: import_zod.default.string()
+});
+// src/authorization-response/complete-authorization.ts
+async function completeAuthorization(options) {
+  try {
+    const fetch = (0, import_utils.createFetcher)(options.callbacks.fetch);
+    const authorizationResponseResult = await fetch(options.response_uri);
+    await (0, import_io_wallet_utils.hasStatusOrThrow)(
+      200,
+      import_io_wallet_utils.UnexpectedStatusCodeError
+    )(authorizationResponseResult);
+    return await (0, import_io_wallet_oauth2.getJwtFromFormPost)({
+      formData: await authorizationResponseResult.text(),
+      schema: zAuthorizationResponse
+    });
+  } catch (error) {
+    if (error instanceof import_io_wallet_utils.UnexpectedStatusCodeError || error instanceof import_utils.ValidationError || error instanceof Oid4vciError) {
+      throw error;
+    }
+    throw new Oid4vciError(
+      `Unexpected error completing the authorization process: ${error instanceof Error ? `${error.name} : ${error.message}` : String(error)}`
+    );
+  }
+}
+async function sendAuthorizationResponseAndExtractCode(options) {
+  try {
+    const authorizationResult = await (0, import_io_wallet_oid4vp.fetchAuthorizationResponse)(options);
+    const jwtAndPayload = await completeAuthorization({
+      ...options,
+      response_uri: authorizationResult.redirect_uri
+    });
+    return verifyAuthorizationResponseFormPostJWT({
+      authorizationResponseCompact: jwtAndPayload.jwt,
+      authorizationResponseDecoded: jwtAndPayload.decodedJwt,
+      callbacks: {
+        verifyJwt: options.callbacks.verifyJwt
+      },
+      iss: options.iss,
+      signer: options.signer,
+      state: options.state
+    });
+  } catch (error) {
+    if (error instanceof import_io_wallet_utils.UnexpectedStatusCodeError || error instanceof import_utils.ValidationError || error instanceof Oid4vciError) {
+      throw error;
+    }
+    throw new Oid4vciError(
+      `Unexpected error sending the authorization response and retrieving the acces code: ${error instanceof Error ? error.message : String(error)}`
+    );
+  }
+}
 // src/wallet-provider/WalletProvider.ts
 var import_openid4vci = require("@openid4vc/openid4vci");
-var import_utils = require("@openid4vc/utils");
+var import_utils2 = require("@openid4vc/utils");
 var WalletProvider = class extends import_openid4vci.Openid4vciWalletProvider {
   /**
    * Creates a wallet attestation JWT.
@@ -76,7 +195,7 @@ var WalletProvider = class extends import_openid4vci.Openid4vciWalletProvider {
         // We use the same key for DPoP as the wallet attestation
         jwk: options.dpopJwkPublic
       },
-      expiresAt: options.expiresAt ?? (0, import_utils.addSecondsToDate)(/* @__PURE__ */ new Date(), 3600 * 24 * 60 * 60),
+      expiresAt: options.expiresAt ?? (0, import_utils2.addSecondsToDate)(/* @__PURE__ */ new Date(), 3600 * 24 * 60 * 60),
       issuer: options.issuer,
       signer: {
         alg: "ES256",
@@ -93,9 +212,13 @@ var WalletProvider = class extends import_openid4vci.Openid4vciWalletProvider {
 };
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
+  FetchCredentialResponseError,
   NonceRequestError,
   Oid4vciError,
   WalletProvider,
-  WalletProviderError
+  WalletProviderError,
+  completeAuthorization,
+  sendAuthorizationResponseAndExtractCode,
+  zAuthorizationResponse
 });
 //# sourceMappingURL=index.js.map

package/dist/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["../src/index.ts","../src/errors.ts","../src/wallet-provider/WalletProvider.ts"],"sourcesContent":["export * from \"./errors\";\nexport * from \"./wallet-provider/WalletProvider\";\n","/*\n Generic error thrown on Oid4vci operations\n /\nexport class Oid4vciError extends Error {\n constructor(\n message: string,\n public readonly statusCode?: number,\n ) {\n super(message);\n this.name = \"Oid4vciError\";\n }\n}\n\n/\n Error thrown in case the DPoP key passed to the\n * {@link WalletProvider.createItWalletAttestationJwt} method\n * doesn't contain a kid\n /\nexport class WalletProviderError extends Oid4vciError {\n constructor(\n message: string,\n public readonly originalError?: unknown,\n ) {\n super(message);\n this.name = \"WalletProviderError\";\n }\n}\n\n/\n Error thrown when an unexpected error occurs during nonce request.\n /\nexport class NonceRequestError extends Error {\n constructor(\n message: string,\n public readonly statusCode?: number,\n ) {\n super(message);\n this.name = \"NonceRequestError\";\n }\n}\n","import { ClientAttestationJwtPayload } from \"@openid4vc/oauth2\";\nimport { Openid4vciWalletProvider } from \"@openid4vc/openid4vci\";\nimport { addSecondsToDate } from \"@openid4vc/utils\";\n\nimport { WalletProviderError } from \"../errors\";\n\n/\n @interface WalletAttestationOptions\n * @description Defines the options required to create a wallet attestation JWT.\n * This attestation is a signed token that proves the wallet's identity and possession of a cryptographic key.\n /\nexport interface WalletAttestationOptions {\n /\n The public part of the DPoP (Demonstrating Proof-of-Possession) key in JWK (JSON Web Key) format.\n * This key is used to bind the attestation to the client's session.\n * @type {ClientAttestationJwtPayload['cnf']}\n /\n dpopJwkPublic: ClientAttestationJwtPayload[\"cnf\"][\"jwk\"];\n\n /\n The optional expiration date for the attestation JWT. If not provided, a default lifetime will be used.\n * @type {Date}\n /\n expiresAt?: Date;\n /\n The issuer of the attestation, typically the Wallet Provider's identifier.\n * @type {string}\n /\n issuer: string;\n\n signer: {\n /\n An array of JWTs representing the chain of trust from the federation's trust anchor\n * to the wallet provider. This is used in federated identity systems to validate the provider's authenticity.\n * @type {[string, ...string[]]}\n /\n trustChain: [string, ...string[]];\n\n /\n The Key ID (`kid`) of the wallet provider's public key used for signing the attestation.\n * @type {string}\n /\n walletProviderJwkPublicKid: string;\n };\n\n /\n An optional deep link or URL that can be used to open or interact with the wallet.\n * @type {string}\n /\n walletLink?: string;\n\n /\n An optional display name for the wallet.\n * @type {string}\n /\n walletName?: string;\n}\n\n/\n @class WalletProvider\n * @extends Openid4vciWalletProvider\n * @description An implementation of a wallet provider for the OpenID4VCI protocol, tailored for a specific ecosystem (e.g., the Italian one).\n * It handles the creation of wallet attestations required during the credential issuance flow.\n /\nexport class WalletProvider extends Openid4vciWalletProvider {\n /\n Creates a wallet attestation JWT.\n \n This method constructs a signed JWT that asserts the wallet's control over a specific\n * cryptographic key (DPoP key). This is a security measure to ensure that the entity\n * presenting the credential offer is the legitimate wallet instance.\n \n @public\n * @async\n * @param {WalletAttestationOptions} options - The necessary parameters to build the attestation.\n * @returns {Promise<string>} A promise that resolves to the signed wallet attestation JWT as a string.\n /\n public async createItWalletAttestationJwt(\n options: WalletAttestationOptions,\n ): Promise<string> {\n if (!options.dpopJwkPublic.kid) {\n throw new WalletProviderError(\"The DPoP JWK must have a 'kid' property\");\n }\n\n const walletAttestation = await this.createWalletAttestationJwt({\n clientId: options.dpopJwkPublic.kid,\n confirmation: {\n // We use the same key for DPoP as the wallet attestation\n jwk: options.dpopJwkPublic,\n },\n expiresAt:\n options.expiresAt ?? addSecondsToDate(new Date(), 3600 24 * 60 * 60),\n issuer: options.issuer,\n signer: {\n alg: \"ES256\",\n kid: options.signer.walletProviderJwkPublicKid,\n method: \"federation\", // Indicates the validation method relies on a trust chain.\n trustChain: options.signer.trustChain,\n },\n walletLink: options.walletLink,\n walletName: options.walletName,\n });\n\n return walletAttestation;\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACGO,IAAM,eAAN,cAA2B,MAAM;AAAA,EACtC,YACE,SACgB,YAChB;AACA,UAAM,OAAO;AAFG;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;AAOO,IAAM,sBAAN,cAAkC,aAAa;AAAA,EACpD,YACE,SACgB,eAChB;AACA,UAAM,OAAO;AAFG;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;AAKO,IAAM,oBAAN,cAAgC,MAAM;AAAA,EAC3C,YACE,SACgB,YAChB;AACA,UAAM,OAAO;AAFG;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;;;ACtCA,wBAAyC;AACzC,mBAAiC;AA8D1B,IAAM,iBAAN,cAA6B,2CAAyB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAa3D,MAAa,6BACX,SACiB;AACjB,QAAI,CAAC,QAAQ,cAAc,KAAK;AAC9B,YAAM,IAAI,oBAAoB,yCAAyC;AAAA,IACzE;AAEA,UAAM,oBAAoB,MAAM,KAAK,2BAA2B;AAAA,MAC9D,UAAU,QAAQ,cAAc;AAAA,MAChC,cAAc;AAAA;AAAA,QAEZ,KAAK,QAAQ;AAAA,MACf;AAAA,MACA,WACE,QAAQ,iBAAa,+BAAiB,oBAAI,KAAK,GAAG,OAAO,KAAK,KAAK,EAAE;AAAA,MACvE,QAAQ,QAAQ;AAAA,MAChB,QAAQ;AAAA,QACN,KAAK;AAAA,QACL,KAAK,QAAQ,OAAO;AAAA,QACpB,QAAQ;AAAA;AAAA,QACR,YAAY,QAAQ,OAAO;AAAA,MAC7B;AAAA,MACA,YAAY,QAAQ;AAAA,MACpB,YAAY,QAAQ;AAAA,IACtB,CAAC;AAED,WAAO;AAAA,EACT;AACF;","names":[]}
1	+ {"version":3,"sources":["../src/index.ts","../src/authorization-response/complete-authorization.ts","../src/errors.ts","../src/authorization-response/verify-authorization-response.ts","../src/authorization-response/z-authorization-response.ts","../src/wallet-provider/WalletProvider.ts"],"sourcesContent":["export * from \"./authorization-response\";\nexport * from \"./errors\";\nexport * from \"./wallet-provider/WalletProvider\";\n","import { CallbackContext } from \"@openid4vc/oauth2\";\nimport { ValidationError, createFetcher } from \"@openid4vc/utils\";\nimport { getJwtFromFormPost } from \"@pagopa/io-wallet-oauth2\";\nimport {\n FetchAuthorizationResponseOptions,\n fetchAuthorizationResponse,\n} from \"@pagopa/io-wallet-oid4vp\";\nimport {\n UnexpectedStatusCodeError,\n hasStatusOrThrow,\n} from \"@pagopa/io-wallet-utils\";\n\nimport { Oid4vciError } from \"../errors\";\nimport {\n VerifyAuthorizationResponseFormPostJWTOptions,\n verifyAuthorizationResponseFormPostJWT,\n} from \"./verify-authorization-response\";\nimport {\n AuthorizationResponse,\n zAuthorizationResponse,\n} from \"./z-authorization-response\";\n\nexport interface CompleteAuthorizationOptions {\n callbacks: Pick<CallbackContext, \"fetch\">;\n\n /*\n The response_uri returned by the server after a successful\n * OID4VP Authorization Response is sent\n /\n response_uri: string;\n}\n\n/\n Combination of {@link CompleteAuthorizationOptions},\n * {@link FetchAuthorizationResponseOptions} and\n * {@link VerifyAuthorizationResponseFormPostJWTOptions}\n /\nexport type SendAuthorizationResponseAndExtractCodeOptions =\n FetchAuthorizationResponseOptions &\n Omit<\n VerifyAuthorizationResponseFormPostJWTOptions,\n \"authorizationResponseCompact\" \| \"authorizationResponseDecoded\"\n > &\n Omit<CompleteAuthorizationOptions, \"response_uri\">;\n\n/\n Method that completes the form_post.jwt based authorization\n * process for credentials issuance following the ITWallet\n * specification by retrieving the form from the provided uri,\n * extracting and parsing the contained JWT and verifying the\n * iss and state fields match the authorization session's expected\n * values.\n * See https://italia.github.io/eid-wallet-it-docs/versione-corrente/en/credential-issuance-low-level.html#\n * steps 6-7 for details.\n \n @param options {@link CompleteAuthorizationOptions}\n * @returns An object containing the fetched JWT and its decoding. The JWT contains the access code\n * necessary for access token issuance\n /\nexport async function completeAuthorization(\n options: CompleteAuthorizationOptions,\n): ReturnType<typeof getJwtFromFormPost<typeof zAuthorizationResponse>> {\n try {\n const fetch = createFetcher(options.callbacks.fetch);\n const authorizationResponseResult = await fetch(options.response_uri);\n\n await hasStatusOrThrow(\n 200,\n UnexpectedStatusCodeError,\n )(authorizationResponseResult);\n\n return await getJwtFromFormPost({\n formData: await authorizationResponseResult.text(),\n schema: zAuthorizationResponse,\n });\n } catch (error) {\n if (\n error instanceof UnexpectedStatusCodeError \|\|\n error instanceof ValidationError \|\|\n error instanceof Oid4vciError\n ) {\n throw error;\n }\n throw new Oid4vciError(\n `Unexpected error completing the authorization process: ${error instanceof Error ? `${error.name} : ${error.message}` : String(error)}`,\n );\n }\n}\n\n/\n Convenience method that combines {@link completeAuthorization},\n * oid4vp package's {@link fetchAuthorizationResponse} and {@link verifyAuthorizationResponseFormPostJWT} to retrieve the\n * access code starting from the authorization response and the response uri\n \n @param options {@link SendAuthorizationResponseAndExtractCodeOptions}\n * @returns An object containing the fetched JWT and its decoding. The JWT contains the access code\n * for necessary for access token issuance\n /\nexport async function sendAuthorizationResponseAndExtractCode(\n options: SendAuthorizationResponseAndExtractCodeOptions,\n): Promise<AuthorizationResponse> {\n try {\n const authorizationResult = await fetchAuthorizationResponse(options);\n\n const jwtAndPayload = await completeAuthorization({\n ...options,\n response_uri: authorizationResult.redirect_uri,\n });\n\n return verifyAuthorizationResponseFormPostJWT({\n authorizationResponseCompact: jwtAndPayload.jwt,\n authorizationResponseDecoded: jwtAndPayload.decodedJwt,\n callbacks: {\n verifyJwt: options.callbacks.verifyJwt,\n },\n iss: options.iss,\n signer: options.signer,\n state: options.state,\n });\n } catch (error) {\n if (\n error instanceof UnexpectedStatusCodeError \|\|\n error instanceof ValidationError \|\|\n error instanceof Oid4vciError\n ) {\n throw error;\n }\n throw new Oid4vciError(\n `Unexpected error sending the authorization response and retrieving the acces code: ${error instanceof Error ? error.message : String(error)}`,\n );\n }\n}\n","/\n Generic error thrown on Oid4vci operations\n /\nexport class Oid4vciError extends Error {\n constructor(\n message: string,\n public readonly statusCode?: number,\n ) {\n super(message);\n this.name = \"Oid4vciError\";\n }\n}\n\n/\n Error thrown in case the DPoP key passed to the\n * {@link WalletProvider.createItWalletAttestationJwt} method\n * doesn't contain a kid\n /\nexport class WalletProviderError extends Oid4vciError {\n constructor(\n message: string,\n public readonly originalError?: unknown,\n ) {\n super(message);\n this.name = \"WalletProviderError\";\n }\n}\n\n/\n Error thrown when an unexpected error occurs during nonce request.\n /\nexport class NonceRequestError extends Error {\n constructor(\n message: string,\n public readonly statusCode?: number,\n ) {\n super(message);\n this.name = \"NonceRequestError\";\n }\n}\n\n/\n Error thrown when an unexpected error occurs during credential response fetching.\n /\nexport class FetchCredentialResponseError extends Oid4vciError {\n constructor(\n message: string,\n public readonly originalError?: unknown,\n ) {\n super(message);\n this.name = \"FetchCredentialResponseError\";\n }\n}\n","import { CallbackContext, JwtSignerJwk, decodeJwt } from \"@openid4vc/oauth2\";\n\nimport { Oid4vciError } from \"../errors\";\nimport {\n AuthorizationResponse,\n zAuthorizationResponse,\n} from \"./z-authorization-response\";\n\nexport interface VerifyAuthorizationResponseOptions {\n /\n Authorization response object containing the authorization\n * code, the issuer and the session's state\n /\n authorizationResponse: AuthorizationResponse;\n\n /\n The issuer the Wallet Instance started the\n * authorization flow (either via PAR or directly) with\n /\n iss: string;\n\n /\n The state sent by the Wallet Instance at the start\n * of the authorization flow (either via PAR or directly)\n /\n state: string;\n}\n\nexport interface VerifyAuthorizationResponseFormPostJWTOptions {\n /\n Compact AuthorizaitonResponse JWT\n /\n authorizationResponseCompact: string;\n\n /\n Authorization Response object containing the authorization\n * code, the issuer and the session's state\n /\n authorizationResponseDecoded: ReturnType<\n typeof decodeJwt<undefined, typeof zAuthorizationResponse>\n >;\n\n /\n Callback for verifying the authorization jwt signature\n /\n callbacks: Pick<CallbackContext, \"verifyJwt\">;\n\n /\n The issuer the Wallet Instance started the\n * authorization flow (either via PAR or directly) with\n /\n iss: string;\n\n /\n Signer of the form POST returned jwt\n /\n signer: JwtSignerJwk;\n\n /\n The state sent by the Wallet Instance at the start\n * of the authorization flow (either via PAR or directly)\n /\n state: string;\n}\n\n/\n Utility that verifies if the returned Authorization Response's iss and state field match\n * the Authorization Session ones\n * @param options {@link VerifyAuthorizationResponseOptions}\n * @returns the {@link AuthorizationResponse} passed as an option\n * @throws {Oid4vciError} in case the iss or state field of the Authorization request don't\n * match the provided ones\n /\nexport async function verifyAuthorizationResponse(\n options: VerifyAuthorizationResponseOptions,\n): Promise<AuthorizationResponse> {\n if (options.authorizationResponse.iss !== options.iss)\n throw new Oid4vciError(\n `Response result iss doesn't match passed counterpart. Expected: ${options.iss}, Got: ${options.authorizationResponse.iss}`,\n );\n if (options.authorizationResponse.state !== options.state)\n throw new Oid4vciError(\n `Response result state doesn't match passed counterpart. Expected: ${options.state}, Got: ${options.authorizationResponse.state}`,\n );\n\n return options.authorizationResponse;\n}\n\n/\n Wrapper of {@link verifyAuthorizationResponse} that verifies the signature of the JWT containing\n * the authorization response and extracts the {@link AuthorizationResponse} payload\n * @param options {@link VerifyAuthorizationResponseFormPostJWTOptions}\n * @returns the {@link AuthorizationResponse} passed as an option\n * @throws {Oid4vciError} in case {@link verifyAuthorizationResponse} throws or in case\n * signature verification fails\n /\nexport async function verifyAuthorizationResponseFormPostJWT(\n options: VerifyAuthorizationResponseFormPostJWTOptions,\n): Promise<AuthorizationResponse> {\n try {\n const decodedJwt = options.authorizationResponseDecoded;\n const result = await options.callbacks.verifyJwt(options.signer, {\n compact: options.authorizationResponseCompact,\n ...decodedJwt,\n });\n\n if (!result.verified) {\n throw new Oid4vciError(\"Error verifying JWT signature\");\n }\n\n return verifyAuthorizationResponse({\n authorizationResponse: options.authorizationResponseDecoded.payload,\n iss: options.iss,\n state: options.state,\n });\n } catch (error) {\n if (error instanceof Oid4vciError) throw error;\n\n throw new Oid4vciError(\n `Unexpected error verifying form post jwt: ${error instanceof Error ? `${error.name} : ${error.message}` : String(error)}`,\n );\n }\n}\n","import z from \"zod\";\n\nexport const zAuthorizationResponse = z.object({\n code: z.string(),\n iss: z.string(),\n state: z.string(),\n});\n\nexport type AuthorizationResponse = z.infer<typeof zAuthorizationResponse>;\n","import { ClientAttestationJwtPayload } from \"@openid4vc/oauth2\";\nimport { Openid4vciWalletProvider } from \"@openid4vc/openid4vci\";\nimport { addSecondsToDate } from \"@openid4vc/utils\";\n\nimport { WalletProviderError } from \"../errors\";\n\n/\n @interface WalletAttestationOptions\n * @description Defines the options required to create a wallet attestation JWT.\n * This attestation is a signed token that proves the wallet's identity and possession of a cryptographic key.\n /\nexport interface WalletAttestationOptions {\n /\n The public part of the DPoP (Demonstrating Proof-of-Possession) key in JWK (JSON Web Key) format.\n * This key is used to bind the attestation to the client's session.\n * @type {ClientAttestationJwtPayload['cnf']}\n /\n dpopJwkPublic: ClientAttestationJwtPayload[\"cnf\"][\"jwk\"];\n\n /\n The optional expiration date for the attestation JWT. If not provided, a default lifetime will be used.\n * @type {Date}\n /\n expiresAt?: Date;\n /\n The issuer of the attestation, typically the Wallet Provider's identifier.\n * @type {string}\n /\n issuer: string;\n\n signer: {\n /\n An array of JWTs representing the chain of trust from the federation's trust anchor\n * to the wallet provider. This is used in federated identity systems to validate the provider's authenticity.\n * @type {[string, ...string[]]}\n /\n trustChain: [string, ...string[]];\n\n /\n The Key ID (`kid`) of the wallet provider's public key used for signing the attestation.\n * @type {string}\n /\n walletProviderJwkPublicKid: string;\n };\n\n /\n An optional deep link or URL that can be used to open or interact with the wallet.\n * @type {string}\n /\n walletLink?: string;\n\n /\n An optional display name for the wallet.\n * @type {string}\n /\n walletName?: string;\n}\n\n/\n @class WalletProvider\n * @extends Openid4vciWalletProvider\n * @description An implementation of a wallet provider for the OpenID4VCI protocol, tailored for a specific ecosystem (e.g., the Italian one).\n * It handles the creation of wallet attestations required during the credential issuance flow.\n /\nexport class WalletProvider extends Openid4vciWalletProvider {\n /\n Creates a wallet attestation JWT.\n \n This method constructs a signed JWT that asserts the wallet's control over a specific\n * cryptographic key (DPoP key). This is a security measure to ensure that the entity\n * presenting the credential offer is the legitimate wallet instance.\n \n @public\n * @async\n * @param {WalletAttestationOptions} options - The necessary parameters to build the attestation.\n * @returns {Promise<string>} A promise that resolves to the signed wallet attestation JWT as a string.\n /\n public async createItWalletAttestationJwt(\n options: WalletAttestationOptions,\n ): Promise<string> {\n if (!options.dpopJwkPublic.kid) {\n throw new WalletProviderError(\"The DPoP JWK must have a 'kid' property\");\n }\n\n const walletAttestation = await this.createWalletAttestationJwt({\n clientId: options.dpopJwkPublic.kid,\n confirmation: {\n // We use the same key for DPoP as the wallet attestation\n jwk: options.dpopJwkPublic,\n },\n expiresAt:\n options.expiresAt ?? addSecondsToDate(new Date(), 3600 24 * 60 * 60),\n issuer: options.issuer,\n signer: {\n alg: \"ES256\",\n kid: options.signer.walletProviderJwkPublicKid,\n method: \"federation\", // Indicates the validation method relies on a trust chain.\n trustChain: options.signer.trustChain,\n },\n walletLink: options.walletLink,\n walletName: options.walletName,\n });\n\n return walletAttestation;\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACCA,mBAA+C;AAC/C,8BAAmC;AACnC,8BAGO;AACP,6BAGO;;;ACPA,IAAM,eAAN,cAA2B,MAAM;AAAA,EACtC,YACE,SACgB,YAChB;AACA,UAAM,OAAO;AAFG;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;AAOO,IAAM,sBAAN,cAAkC,aAAa;AAAA,EACpD,YACE,SACgB,eAChB;AACA,UAAM,OAAO;AAFG;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;AAKO,IAAM,oBAAN,cAAgC,MAAM;AAAA,EAC3C,YACE,SACgB,YAChB;AACA,UAAM,OAAO;AAFG;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;AAKO,IAAM,+BAAN,cAA2C,aAAa;AAAA,EAC7D,YACE,SACgB,eAChB;AACA,UAAM,OAAO;AAFG;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;;;ACqBA,eAAsB,4BACpB,SACgC;AAChC,MAAI,QAAQ,sBAAsB,QAAQ,QAAQ;AAChD,UAAM,IAAI;AAAA,MACR,mEAAmE,QAAQ,GAAG,UAAU,QAAQ,sBAAsB,GAAG;AAAA,IAC3H;AACF,MAAI,QAAQ,sBAAsB,UAAU,QAAQ;AAClD,UAAM,IAAI;AAAA,MACR,qEAAqE,QAAQ,KAAK,UAAU,QAAQ,sBAAsB,KAAK;AAAA,IACjI;AAEF,SAAO,QAAQ;AACjB;AAUA,eAAsB,uCACpB,SACgC;AAChC,MAAI;AACF,UAAM,aAAa,QAAQ;AAC3B,UAAM,SAAS,MAAM,QAAQ,UAAU,UAAU,QAAQ,QAAQ;AAAA,MAC/D,SAAS,QAAQ;AAAA,MACjB,GAAG;AAAA,IACL,CAAC;AAED,QAAI,CAAC,OAAO,UAAU;AACpB,YAAM,IAAI,aAAa,+BAA+B;AAAA,IACxD;AAEA,WAAO,4BAA4B;AAAA,MACjC,uBAAuB,QAAQ,6BAA6B;AAAA,MAC5D,KAAK,QAAQ;AAAA,MACb,OAAO,QAAQ;AAAA,IACjB,CAAC;AAAA,EACH,SAAS,OAAO;AACd,QAAI,iBAAiB,aAAc,OAAM;AAEzC,UAAM,IAAI;AAAA,MACR,6CAA6C,iBAAiB,QAAQ,GAAG,MAAM,IAAI,MAAM,MAAM,OAAO,KAAK,OAAO,KAAK,CAAC;AAAA,IAC1H;AAAA,EACF;AACF;;;AC1HA,iBAAc;AAEP,IAAM,yBAAyB,WAAAA,QAAE,OAAO;AAAA,EAC7C,MAAM,WAAAA,QAAE,OAAO;AAAA,EACf,KAAK,WAAAA,QAAE,OAAO;AAAA,EACd,OAAO,WAAAA,QAAE,OAAO;AAClB,CAAC;;;AHqDD,eAAsB,sBACpB,SACsE;AACtE,MAAI;AACF,UAAM,YAAQ,4BAAc,QAAQ,UAAU,KAAK;AACnD,UAAM,8BAA8B,MAAM,MAAM,QAAQ,YAAY;AAEpE,cAAM;AAAA,MACJ;AAAA,MACA;AAAA,IACF,EAAE,2BAA2B;AAE7B,WAAO,UAAM,4CAAmB;AAAA,MAC9B,UAAU,MAAM,4BAA4B,KAAK;AAAA,MACjD,QAAQ;AAAA,IACV,CAAC;AAAA,EACH,SAAS,OAAO;AACd,QACE,iBAAiB,oDACjB,iBAAiB,gCACjB,iBAAiB,cACjB;AACA,YAAM;AAAA,IACR;AACA,UAAM,IAAI;AAAA,MACR,0DAA0D,iBAAiB,QAAQ,GAAG,MAAM,IAAI,MAAM,MAAM,OAAO,KAAK,OAAO,KAAK,CAAC;AAAA,IACvI;AAAA,EACF;AACF;AAWA,eAAsB,wCACpB,SACgC;AAChC,MAAI;AACF,UAAM,sBAAsB,UAAM,oDAA2B,OAAO;AAEpE,UAAM,gBAAgB,MAAM,sBAAsB;AAAA,MAChD,GAAG;AAAA,MACH,cAAc,oBAAoB;AAAA,IACpC,CAAC;AAED,WAAO,uCAAuC;AAAA,MAC5C,8BAA8B,cAAc;AAAA,MAC5C,8BAA8B,cAAc;AAAA,MAC5C,WAAW;AAAA,QACT,WAAW,QAAQ,UAAU;AAAA,MAC/B;AAAA,MACA,KAAK,QAAQ;AAAA,MACb,QAAQ,QAAQ;AAAA,MAChB,OAAO,QAAQ;AAAA,IACjB,CAAC;AAAA,EACH,SAAS,OAAO;AACd,QACE,iBAAiB,oDACjB,iBAAiB,gCACjB,iBAAiB,cACjB;AACA,YAAM;AAAA,IACR;AACA,UAAM,IAAI;AAAA,MACR,sFAAsF,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK,CAAC;AAAA,IAC9I;AAAA,EACF;AACF;;;AIlIA,wBAAyC;AACzC,IAAAC,gBAAiC;AA8D1B,IAAM,iBAAN,cAA6B,2CAAyB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAa3D,MAAa,6BACX,SACiB;AACjB,QAAI,CAAC,QAAQ,cAAc,KAAK;AAC9B,YAAM,IAAI,oBAAoB,yCAAyC;AAAA,IACzE;AAEA,UAAM,oBAAoB,MAAM,KAAK,2BAA2B;AAAA,MAC9D,UAAU,QAAQ,cAAc;AAAA,MAChC,cAAc;AAAA;AAAA,QAEZ,KAAK,QAAQ;AAAA,MACf;AAAA,MACA,WACE,QAAQ,iBAAa,gCAAiB,oBAAI,KAAK,GAAG,OAAO,KAAK,KAAK,EAAE;AAAA,MACvE,QAAQ,QAAQ;AAAA,MAChB,QAAQ;AAAA,QACN,KAAK;AAAA,QACL,KAAK,QAAQ,OAAO;AAAA,QACpB,QAAQ;AAAA;AAAA,QACR,YAAY,QAAQ,OAAO;AAAA,MAC7B;AAAA,MACA,YAAY,QAAQ;AAAA,MACpB,YAAY,QAAQ;AAAA,IACtB,CAAC;AAED,WAAO;AAAA,EACT;AACF;","names":["z","import_utils"]}

package/dist/index.mjs CHANGED Viewed

@@ -1,3 +1,14 @@
+// src/authorization-response/complete-authorization.ts
+import { ValidationError, createFetcher } from "@openid4vc/utils";
+import { getJwtFromFormPost } from "@pagopa/io-wallet-oauth2";
+import {
+  fetchAuthorizationResponse
+} from "@pagopa/io-wallet-oid4vp";
+import {
+  UnexpectedStatusCodeError,
+  hasStatusOrThrow
+} from "@pagopa/io-wallet-utils";
 // src/errors.ts
 var Oid4vciError = class extends Error {
   constructor(message, statusCode) {
@@ -20,6 +31,105 @@ var NonceRequestError = class extends Error {
     this.name = "NonceRequestError";
   }
 };
+var FetchCredentialResponseError = class extends Oid4vciError {
+  constructor(message, originalError) {
+    super(message);
+    this.originalError = originalError;
+    this.name = "FetchCredentialResponseError";
+  }
+};
+// src/authorization-response/verify-authorization-response.ts
+async function verifyAuthorizationResponse(options) {
+  if (options.authorizationResponse.iss !== options.iss)
+    throw new Oid4vciError(
+      `Response result iss doesn't match passed counterpart. Expected: ${options.iss}, Got: ${options.authorizationResponse.iss}`
+    );
+  if (options.authorizationResponse.state !== options.state)
+    throw new Oid4vciError(
+      `Response result state doesn't match passed counterpart. Expected: ${options.state}, Got: ${options.authorizationResponse.state}`
+    );
+  return options.authorizationResponse;
+}
+async function verifyAuthorizationResponseFormPostJWT(options) {
+  try {
+    const decodedJwt = options.authorizationResponseDecoded;
+    const result = await options.callbacks.verifyJwt(options.signer, {
+      compact: options.authorizationResponseCompact,
+      ...decodedJwt
+    });
+    if (!result.verified) {
+      throw new Oid4vciError("Error verifying JWT signature");
+    }
+    return verifyAuthorizationResponse({
+      authorizationResponse: options.authorizationResponseDecoded.payload,
+      iss: options.iss,
+      state: options.state
+    });
+  } catch (error) {
+    if (error instanceof Oid4vciError) throw error;
+    throw new Oid4vciError(
+      `Unexpected error verifying form post jwt: ${error instanceof Error ? `${error.name} : ${error.message}` : String(error)}`
+    );
+  }
+}
+// src/authorization-response/z-authorization-response.ts
+import z from "zod";
+var zAuthorizationResponse = z.object({
+  code: z.string(),
+  iss: z.string(),
+  state: z.string()
+});
+// src/authorization-response/complete-authorization.ts
+async function completeAuthorization(options) {
+  try {
+    const fetch = createFetcher(options.callbacks.fetch);
+    const authorizationResponseResult = await fetch(options.response_uri);
+    await hasStatusOrThrow(
+      200,
+      UnexpectedStatusCodeError
+    )(authorizationResponseResult);
+    return await getJwtFromFormPost({
+      formData: await authorizationResponseResult.text(),
+      schema: zAuthorizationResponse
+    });
+  } catch (error) {
+    if (error instanceof UnexpectedStatusCodeError || error instanceof ValidationError || error instanceof Oid4vciError) {
+      throw error;
+    }
+    throw new Oid4vciError(
+      `Unexpected error completing the authorization process: ${error instanceof Error ? `${error.name} : ${error.message}` : String(error)}`
+    );
+  }
+}
+async function sendAuthorizationResponseAndExtractCode(options) {
+  try {
+    const authorizationResult = await fetchAuthorizationResponse(options);
+    const jwtAndPayload = await completeAuthorization({
+      ...options,
+      response_uri: authorizationResult.redirect_uri
+    });
+    return verifyAuthorizationResponseFormPostJWT({
+      authorizationResponseCompact: jwtAndPayload.jwt,
+      authorizationResponseDecoded: jwtAndPayload.decodedJwt,
+      callbacks: {
+        verifyJwt: options.callbacks.verifyJwt
+      },
+      iss: options.iss,
+      signer: options.signer,
+      state: options.state
+    });
+  } catch (error) {
+    if (error instanceof UnexpectedStatusCodeError || error instanceof ValidationError || error instanceof Oid4vciError) {
+      throw error;
+    }
+    throw new Oid4vciError(
+      `Unexpected error sending the authorization response and retrieving the acces code: ${error instanceof Error ? error.message : String(error)}`
+    );
+  }
+}
 // src/wallet-provider/WalletProvider.ts
 import { Openid4vciWalletProvider } from "@openid4vc/openid4vci";
@@ -63,9 +173,13 @@ var WalletProvider = class extends Openid4vciWalletProvider {
   }
 };
 export {
+  FetchCredentialResponseError,
   NonceRequestError,
   Oid4vciError,
   WalletProvider,
-  WalletProviderError
+  WalletProviderError,
+  completeAuthorization,
+  sendAuthorizationResponseAndExtractCode,
+  zAuthorizationResponse
 };
 //# sourceMappingURL=index.mjs.map

package/dist/index.mjs.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["../src/errors.ts","../src/wallet-provider/WalletProvider.ts"],"sourcesContent":["/*\n Generic error thrown on Oid4vci operations\n /\nexport class Oid4vciError extends Error {\n constructor(\n message: string,\n public readonly statusCode?: number,\n ) {\n super(message);\n this.name = \"Oid4vciError\";\n }\n}\n\n/\n Error thrown in case the DPoP key passed to the\n * {@link WalletProvider.createItWalletAttestationJwt} method\n * doesn't contain a kid\n /\nexport class WalletProviderError extends Oid4vciError {\n constructor(\n message: string,\n public readonly originalError?: unknown,\n ) {\n super(message);\n this.name = \"WalletProviderError\";\n }\n}\n\n/\n Error thrown when an unexpected error occurs during nonce request.\n /\nexport class NonceRequestError extends Error {\n constructor(\n message: string,\n public readonly statusCode?: number,\n ) {\n super(message);\n this.name = \"NonceRequestError\";\n }\n}\n","import { ClientAttestationJwtPayload } from \"@openid4vc/oauth2\";\nimport { Openid4vciWalletProvider } from \"@openid4vc/openid4vci\";\nimport { addSecondsToDate } from \"@openid4vc/utils\";\n\nimport { WalletProviderError } from \"../errors\";\n\n/\n @interface WalletAttestationOptions\n * @description Defines the options required to create a wallet attestation JWT.\n * This attestation is a signed token that proves the wallet's identity and possession of a cryptographic key.\n /\nexport interface WalletAttestationOptions {\n /\n The public part of the DPoP (Demonstrating Proof-of-Possession) key in JWK (JSON Web Key) format.\n * This key is used to bind the attestation to the client's session.\n * @type {ClientAttestationJwtPayload['cnf']}\n /\n dpopJwkPublic: ClientAttestationJwtPayload[\"cnf\"][\"jwk\"];\n\n /\n The optional expiration date for the attestation JWT. If not provided, a default lifetime will be used.\n * @type {Date}\n /\n expiresAt?: Date;\n /\n The issuer of the attestation, typically the Wallet Provider's identifier.\n * @type {string}\n /\n issuer: string;\n\n signer: {\n /\n An array of JWTs representing the chain of trust from the federation's trust anchor\n * to the wallet provider. This is used in federated identity systems to validate the provider's authenticity.\n * @type {[string, ...string[]]}\n /\n trustChain: [string, ...string[]];\n\n /\n The Key ID (`kid`) of the wallet provider's public key used for signing the attestation.\n * @type {string}\n /\n walletProviderJwkPublicKid: string;\n };\n\n /\n An optional deep link or URL that can be used to open or interact with the wallet.\n * @type {string}\n /\n walletLink?: string;\n\n /\n An optional display name for the wallet.\n * @type {string}\n /\n walletName?: string;\n}\n\n/\n @class WalletProvider\n * @extends Openid4vciWalletProvider\n * @description An implementation of a wallet provider for the OpenID4VCI protocol, tailored for a specific ecosystem (e.g., the Italian one).\n * It handles the creation of wallet attestations required during the credential issuance flow.\n /\nexport class WalletProvider extends Openid4vciWalletProvider {\n /\n Creates a wallet attestation JWT.\n \n This method constructs a signed JWT that asserts the wallet's control over a specific\n * cryptographic key (DPoP key). This is a security measure to ensure that the entity\n * presenting the credential offer is the legitimate wallet instance.\n \n @public\n * @async\n * @param {WalletAttestationOptions} options - The necessary parameters to build the attestation.\n * @returns {Promise<string>} A promise that resolves to the signed wallet attestation JWT as a string.\n /\n public async createItWalletAttestationJwt(\n options: WalletAttestationOptions,\n ): Promise<string> {\n if (!options.dpopJwkPublic.kid) {\n throw new WalletProviderError(\"The DPoP JWK must have a 'kid' property\");\n }\n\n const walletAttestation = await this.createWalletAttestationJwt({\n clientId: options.dpopJwkPublic.kid,\n confirmation: {\n // We use the same key for DPoP as the wallet attestation\n jwk: options.dpopJwkPublic,\n },\n expiresAt:\n options.expiresAt ?? addSecondsToDate(new Date(), 3600 24 * 60 * 60),\n issuer: options.issuer,\n signer: {\n alg: \"ES256\",\n kid: options.signer.walletProviderJwkPublicKid,\n method: \"federation\", // Indicates the validation method relies on a trust chain.\n trustChain: options.signer.trustChain,\n },\n walletLink: options.walletLink,\n walletName: options.walletName,\n });\n\n return walletAttestation;\n }\n}\n"],"mappings":";AAGO,IAAM,eAAN,cAA2B,MAAM;AAAA,EACtC,YACE,SACgB,YAChB;AACA,UAAM,OAAO;AAFG;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;AAOO,IAAM,sBAAN,cAAkC,aAAa;AAAA,EACpD,YACE,SACgB,eAChB;AACA,UAAM,OAAO;AAFG;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;AAKO,IAAM,oBAAN,cAAgC,MAAM;AAAA,EAC3C,YACE,SACgB,YAChB;AACA,UAAM,OAAO;AAFG;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;;;ACtCA,SAAS,gCAAgC;AACzC,SAAS,wBAAwB;AA8D1B,IAAM,iBAAN,cAA6B,yBAAyB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAa3D,MAAa,6BACX,SACiB;AACjB,QAAI,CAAC,QAAQ,cAAc,KAAK;AAC9B,YAAM,IAAI,oBAAoB,yCAAyC;AAAA,IACzE;AAEA,UAAM,oBAAoB,MAAM,KAAK,2BAA2B;AAAA,MAC9D,UAAU,QAAQ,cAAc;AAAA,MAChC,cAAc;AAAA;AAAA,QAEZ,KAAK,QAAQ;AAAA,MACf;AAAA,MACA,WACE,QAAQ,aAAa,iBAAiB,oBAAI,KAAK,GAAG,OAAO,KAAK,KAAK,EAAE;AAAA,MACvE,QAAQ,QAAQ;AAAA,MAChB,QAAQ;AAAA,QACN,KAAK;AAAA,QACL,KAAK,QAAQ,OAAO;AAAA,QACpB,QAAQ;AAAA;AAAA,QACR,YAAY,QAAQ,OAAO;AAAA,MAC7B;AAAA,MACA,YAAY,QAAQ;AAAA,MACpB,YAAY,QAAQ;AAAA,IACtB,CAAC;AAED,WAAO;AAAA,EACT;AACF;","names":[]}
1	+ {"version":3,"sources":["../src/authorization-response/complete-authorization.ts","../src/errors.ts","../src/authorization-response/verify-authorization-response.ts","../src/authorization-response/z-authorization-response.ts","../src/wallet-provider/WalletProvider.ts"],"sourcesContent":["import { CallbackContext } from \"@openid4vc/oauth2\";\nimport { ValidationError, createFetcher } from \"@openid4vc/utils\";\nimport { getJwtFromFormPost } from \"@pagopa/io-wallet-oauth2\";\nimport {\n FetchAuthorizationResponseOptions,\n fetchAuthorizationResponse,\n} from \"@pagopa/io-wallet-oid4vp\";\nimport {\n UnexpectedStatusCodeError,\n hasStatusOrThrow,\n} from \"@pagopa/io-wallet-utils\";\n\nimport { Oid4vciError } from \"../errors\";\nimport {\n VerifyAuthorizationResponseFormPostJWTOptions,\n verifyAuthorizationResponseFormPostJWT,\n} from \"./verify-authorization-response\";\nimport {\n AuthorizationResponse,\n zAuthorizationResponse,\n} from \"./z-authorization-response\";\n\nexport interface CompleteAuthorizationOptions {\n callbacks: Pick<CallbackContext, \"fetch\">;\n\n /*\n The response_uri returned by the server after a successful\n * OID4VP Authorization Response is sent\n /\n response_uri: string;\n}\n\n/\n Combination of {@link CompleteAuthorizationOptions},\n * {@link FetchAuthorizationResponseOptions} and\n * {@link VerifyAuthorizationResponseFormPostJWTOptions}\n /\nexport type SendAuthorizationResponseAndExtractCodeOptions =\n FetchAuthorizationResponseOptions &\n Omit<\n VerifyAuthorizationResponseFormPostJWTOptions,\n \"authorizationResponseCompact\" \| \"authorizationResponseDecoded\"\n > &\n Omit<CompleteAuthorizationOptions, \"response_uri\">;\n\n/\n Method that completes the form_post.jwt based authorization\n * process for credentials issuance following the ITWallet\n * specification by retrieving the form from the provided uri,\n * extracting and parsing the contained JWT and verifying the\n * iss and state fields match the authorization session's expected\n * values.\n * See https://italia.github.io/eid-wallet-it-docs/versione-corrente/en/credential-issuance-low-level.html#\n * steps 6-7 for details.\n \n @param options {@link CompleteAuthorizationOptions}\n * @returns An object containing the fetched JWT and its decoding. The JWT contains the access code\n * necessary for access token issuance\n /\nexport async function completeAuthorization(\n options: CompleteAuthorizationOptions,\n): ReturnType<typeof getJwtFromFormPost<typeof zAuthorizationResponse>> {\n try {\n const fetch = createFetcher(options.callbacks.fetch);\n const authorizationResponseResult = await fetch(options.response_uri);\n\n await hasStatusOrThrow(\n 200,\n UnexpectedStatusCodeError,\n )(authorizationResponseResult);\n\n return await getJwtFromFormPost({\n formData: await authorizationResponseResult.text(),\n schema: zAuthorizationResponse,\n });\n } catch (error) {\n if (\n error instanceof UnexpectedStatusCodeError \|\|\n error instanceof ValidationError \|\|\n error instanceof Oid4vciError\n ) {\n throw error;\n }\n throw new Oid4vciError(\n `Unexpected error completing the authorization process: ${error instanceof Error ? `${error.name} : ${error.message}` : String(error)}`,\n );\n }\n}\n\n/\n Convenience method that combines {@link completeAuthorization},\n * oid4vp package's {@link fetchAuthorizationResponse} and {@link verifyAuthorizationResponseFormPostJWT} to retrieve the\n * access code starting from the authorization response and the response uri\n \n @param options {@link SendAuthorizationResponseAndExtractCodeOptions}\n * @returns An object containing the fetched JWT and its decoding. The JWT contains the access code\n * for necessary for access token issuance\n /\nexport async function sendAuthorizationResponseAndExtractCode(\n options: SendAuthorizationResponseAndExtractCodeOptions,\n): Promise<AuthorizationResponse> {\n try {\n const authorizationResult = await fetchAuthorizationResponse(options);\n\n const jwtAndPayload = await completeAuthorization({\n ...options,\n response_uri: authorizationResult.redirect_uri,\n });\n\n return verifyAuthorizationResponseFormPostJWT({\n authorizationResponseCompact: jwtAndPayload.jwt,\n authorizationResponseDecoded: jwtAndPayload.decodedJwt,\n callbacks: {\n verifyJwt: options.callbacks.verifyJwt,\n },\n iss: options.iss,\n signer: options.signer,\n state: options.state,\n });\n } catch (error) {\n if (\n error instanceof UnexpectedStatusCodeError \|\|\n error instanceof ValidationError \|\|\n error instanceof Oid4vciError\n ) {\n throw error;\n }\n throw new Oid4vciError(\n `Unexpected error sending the authorization response and retrieving the acces code: ${error instanceof Error ? error.message : String(error)}`,\n );\n }\n}\n","/\n Generic error thrown on Oid4vci operations\n /\nexport class Oid4vciError extends Error {\n constructor(\n message: string,\n public readonly statusCode?: number,\n ) {\n super(message);\n this.name = \"Oid4vciError\";\n }\n}\n\n/\n Error thrown in case the DPoP key passed to the\n * {@link WalletProvider.createItWalletAttestationJwt} method\n * doesn't contain a kid\n /\nexport class WalletProviderError extends Oid4vciError {\n constructor(\n message: string,\n public readonly originalError?: unknown,\n ) {\n super(message);\n this.name = \"WalletProviderError\";\n }\n}\n\n/\n Error thrown when an unexpected error occurs during nonce request.\n /\nexport class NonceRequestError extends Error {\n constructor(\n message: string,\n public readonly statusCode?: number,\n ) {\n super(message);\n this.name = \"NonceRequestError\";\n }\n}\n\n/\n Error thrown when an unexpected error occurs during credential response fetching.\n /\nexport class FetchCredentialResponseError extends Oid4vciError {\n constructor(\n message: string,\n public readonly originalError?: unknown,\n ) {\n super(message);\n this.name = \"FetchCredentialResponseError\";\n }\n}\n","import { CallbackContext, JwtSignerJwk, decodeJwt } from \"@openid4vc/oauth2\";\n\nimport { Oid4vciError } from \"../errors\";\nimport {\n AuthorizationResponse,\n zAuthorizationResponse,\n} from \"./z-authorization-response\";\n\nexport interface VerifyAuthorizationResponseOptions {\n /\n Authorization response object containing the authorization\n * code, the issuer and the session's state\n /\n authorizationResponse: AuthorizationResponse;\n\n /\n The issuer the Wallet Instance started the\n * authorization flow (either via PAR or directly) with\n /\n iss: string;\n\n /\n The state sent by the Wallet Instance at the start\n * of the authorization flow (either via PAR or directly)\n /\n state: string;\n}\n\nexport interface VerifyAuthorizationResponseFormPostJWTOptions {\n /\n Compact AuthorizaitonResponse JWT\n /\n authorizationResponseCompact: string;\n\n /\n Authorization Response object containing the authorization\n * code, the issuer and the session's state\n /\n authorizationResponseDecoded: ReturnType<\n typeof decodeJwt<undefined, typeof zAuthorizationResponse>\n >;\n\n /\n Callback for verifying the authorization jwt signature\n /\n callbacks: Pick<CallbackContext, \"verifyJwt\">;\n\n /\n The issuer the Wallet Instance started the\n * authorization flow (either via PAR or directly) with\n /\n iss: string;\n\n /\n Signer of the form POST returned jwt\n /\n signer: JwtSignerJwk;\n\n /\n The state sent by the Wallet Instance at the start\n * of the authorization flow (either via PAR or directly)\n /\n state: string;\n}\n\n/\n Utility that verifies if the returned Authorization Response's iss and state field match\n * the Authorization Session ones\n * @param options {@link VerifyAuthorizationResponseOptions}\n * @returns the {@link AuthorizationResponse} passed as an option\n * @throws {Oid4vciError} in case the iss or state field of the Authorization request don't\n * match the provided ones\n /\nexport async function verifyAuthorizationResponse(\n options: VerifyAuthorizationResponseOptions,\n): Promise<AuthorizationResponse> {\n if (options.authorizationResponse.iss !== options.iss)\n throw new Oid4vciError(\n `Response result iss doesn't match passed counterpart. Expected: ${options.iss}, Got: ${options.authorizationResponse.iss}`,\n );\n if (options.authorizationResponse.state !== options.state)\n throw new Oid4vciError(\n `Response result state doesn't match passed counterpart. Expected: ${options.state}, Got: ${options.authorizationResponse.state}`,\n );\n\n return options.authorizationResponse;\n}\n\n/\n Wrapper of {@link verifyAuthorizationResponse} that verifies the signature of the JWT containing\n * the authorization response and extracts the {@link AuthorizationResponse} payload\n * @param options {@link VerifyAuthorizationResponseFormPostJWTOptions}\n * @returns the {@link AuthorizationResponse} passed as an option\n * @throws {Oid4vciError} in case {@link verifyAuthorizationResponse} throws or in case\n * signature verification fails\n /\nexport async function verifyAuthorizationResponseFormPostJWT(\n options: VerifyAuthorizationResponseFormPostJWTOptions,\n): Promise<AuthorizationResponse> {\n try {\n const decodedJwt = options.authorizationResponseDecoded;\n const result = await options.callbacks.verifyJwt(options.signer, {\n compact: options.authorizationResponseCompact,\n ...decodedJwt,\n });\n\n if (!result.verified) {\n throw new Oid4vciError(\"Error verifying JWT signature\");\n }\n\n return verifyAuthorizationResponse({\n authorizationResponse: options.authorizationResponseDecoded.payload,\n iss: options.iss,\n state: options.state,\n });\n } catch (error) {\n if (error instanceof Oid4vciError) throw error;\n\n throw new Oid4vciError(\n `Unexpected error verifying form post jwt: ${error instanceof Error ? `${error.name} : ${error.message}` : String(error)}`,\n );\n }\n}\n","import z from \"zod\";\n\nexport const zAuthorizationResponse = z.object({\n code: z.string(),\n iss: z.string(),\n state: z.string(),\n});\n\nexport type AuthorizationResponse = z.infer<typeof zAuthorizationResponse>;\n","import { ClientAttestationJwtPayload } from \"@openid4vc/oauth2\";\nimport { Openid4vciWalletProvider } from \"@openid4vc/openid4vci\";\nimport { addSecondsToDate } from \"@openid4vc/utils\";\n\nimport { WalletProviderError } from \"../errors\";\n\n/\n @interface WalletAttestationOptions\n * @description Defines the options required to create a wallet attestation JWT.\n * This attestation is a signed token that proves the wallet's identity and possession of a cryptographic key.\n /\nexport interface WalletAttestationOptions {\n /\n The public part of the DPoP (Demonstrating Proof-of-Possession) key in JWK (JSON Web Key) format.\n * This key is used to bind the attestation to the client's session.\n * @type {ClientAttestationJwtPayload['cnf']}\n /\n dpopJwkPublic: ClientAttestationJwtPayload[\"cnf\"][\"jwk\"];\n\n /\n The optional expiration date for the attestation JWT. If not provided, a default lifetime will be used.\n * @type {Date}\n /\n expiresAt?: Date;\n /\n The issuer of the attestation, typically the Wallet Provider's identifier.\n * @type {string}\n /\n issuer: string;\n\n signer: {\n /\n An array of JWTs representing the chain of trust from the federation's trust anchor\n * to the wallet provider. This is used in federated identity systems to validate the provider's authenticity.\n * @type {[string, ...string[]]}\n /\n trustChain: [string, ...string[]];\n\n /\n The Key ID (`kid`) of the wallet provider's public key used for signing the attestation.\n * @type {string}\n /\n walletProviderJwkPublicKid: string;\n };\n\n /\n An optional deep link or URL that can be used to open or interact with the wallet.\n * @type {string}\n /\n walletLink?: string;\n\n /\n An optional display name for the wallet.\n * @type {string}\n /\n walletName?: string;\n}\n\n/\n @class WalletProvider\n * @extends Openid4vciWalletProvider\n * @description An implementation of a wallet provider for the OpenID4VCI protocol, tailored for a specific ecosystem (e.g., the Italian one).\n * It handles the creation of wallet attestations required during the credential issuance flow.\n /\nexport class WalletProvider extends Openid4vciWalletProvider {\n /\n Creates a wallet attestation JWT.\n \n This method constructs a signed JWT that asserts the wallet's control over a specific\n * cryptographic key (DPoP key). This is a security measure to ensure that the entity\n * presenting the credential offer is the legitimate wallet instance.\n \n @public\n * @async\n * @param {WalletAttestationOptions} options - The necessary parameters to build the attestation.\n * @returns {Promise<string>} A promise that resolves to the signed wallet attestation JWT as a string.\n /\n public async createItWalletAttestationJwt(\n options: WalletAttestationOptions,\n ): Promise<string> {\n if (!options.dpopJwkPublic.kid) {\n throw new WalletProviderError(\"The DPoP JWK must have a 'kid' property\");\n }\n\n const walletAttestation = await this.createWalletAttestationJwt({\n clientId: options.dpopJwkPublic.kid,\n confirmation: {\n // We use the same key for DPoP as the wallet attestation\n jwk: options.dpopJwkPublic,\n },\n expiresAt:\n options.expiresAt ?? addSecondsToDate(new Date(), 3600 24 * 60 * 60),\n issuer: options.issuer,\n signer: {\n alg: \"ES256\",\n kid: options.signer.walletProviderJwkPublicKid,\n method: \"federation\", // Indicates the validation method relies on a trust chain.\n trustChain: options.signer.trustChain,\n },\n walletLink: options.walletLink,\n walletName: options.walletName,\n });\n\n return walletAttestation;\n }\n}\n"],"mappings":";AACA,SAAS,iBAAiB,qBAAqB;AAC/C,SAAS,0BAA0B;AACnC;AAAA,EAEE;AAAA,OACK;AACP;AAAA,EACE;AAAA,EACA;AAAA,OACK;;;ACPA,IAAM,eAAN,cAA2B,MAAM;AAAA,EACtC,YACE,SACgB,YAChB;AACA,UAAM,OAAO;AAFG;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;AAOO,IAAM,sBAAN,cAAkC,aAAa;AAAA,EACpD,YACE,SACgB,eAChB;AACA,UAAM,OAAO;AAFG;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;AAKO,IAAM,oBAAN,cAAgC,MAAM;AAAA,EAC3C,YACE,SACgB,YAChB;AACA,UAAM,OAAO;AAFG;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;AAKO,IAAM,+BAAN,cAA2C,aAAa;AAAA,EAC7D,YACE,SACgB,eAChB;AACA,UAAM,OAAO;AAFG;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;;;ACqBA,eAAsB,4BACpB,SACgC;AAChC,MAAI,QAAQ,sBAAsB,QAAQ,QAAQ;AAChD,UAAM,IAAI;AAAA,MACR,mEAAmE,QAAQ,GAAG,UAAU,QAAQ,sBAAsB,GAAG;AAAA,IAC3H;AACF,MAAI,QAAQ,sBAAsB,UAAU,QAAQ;AAClD,UAAM,IAAI;AAAA,MACR,qEAAqE,QAAQ,KAAK,UAAU,QAAQ,sBAAsB,KAAK;AAAA,IACjI;AAEF,SAAO,QAAQ;AACjB;AAUA,eAAsB,uCACpB,SACgC;AAChC,MAAI;AACF,UAAM,aAAa,QAAQ;AAC3B,UAAM,SAAS,MAAM,QAAQ,UAAU,UAAU,QAAQ,QAAQ;AAAA,MAC/D,SAAS,QAAQ;AAAA,MACjB,GAAG;AAAA,IACL,CAAC;AAED,QAAI,CAAC,OAAO,UAAU;AACpB,YAAM,IAAI,aAAa,+BAA+B;AAAA,IACxD;AAEA,WAAO,4BAA4B;AAAA,MACjC,uBAAuB,QAAQ,6BAA6B;AAAA,MAC5D,KAAK,QAAQ;AAAA,MACb,OAAO,QAAQ;AAAA,IACjB,CAAC;AAAA,EACH,SAAS,OAAO;AACd,QAAI,iBAAiB,aAAc,OAAM;AAEzC,UAAM,IAAI;AAAA,MACR,6CAA6C,iBAAiB,QAAQ,GAAG,MAAM,IAAI,MAAM,MAAM,OAAO,KAAK,OAAO,KAAK,CAAC;AAAA,IAC1H;AAAA,EACF;AACF;;;AC1HA,OAAO,OAAO;AAEP,IAAM,yBAAyB,EAAE,OAAO;AAAA,EAC7C,MAAM,EAAE,OAAO;AAAA,EACf,KAAK,EAAE,OAAO;AAAA,EACd,OAAO,EAAE,OAAO;AAClB,CAAC;;;AHqDD,eAAsB,sBACpB,SACsE;AACtE,MAAI;AACF,UAAM,QAAQ,cAAc,QAAQ,UAAU,KAAK;AACnD,UAAM,8BAA8B,MAAM,MAAM,QAAQ,YAAY;AAEpE,UAAM;AAAA,MACJ;AAAA,MACA;AAAA,IACF,EAAE,2BAA2B;AAE7B,WAAO,MAAM,mBAAmB;AAAA,MAC9B,UAAU,MAAM,4BAA4B,KAAK;AAAA,MACjD,QAAQ;AAAA,IACV,CAAC;AAAA,EACH,SAAS,OAAO;AACd,QACE,iBAAiB,6BACjB,iBAAiB,mBACjB,iBAAiB,cACjB;AACA,YAAM;AAAA,IACR;AACA,UAAM,IAAI;AAAA,MACR,0DAA0D,iBAAiB,QAAQ,GAAG,MAAM,IAAI,MAAM,MAAM,OAAO,KAAK,OAAO,KAAK,CAAC;AAAA,IACvI;AAAA,EACF;AACF;AAWA,eAAsB,wCACpB,SACgC;AAChC,MAAI;AACF,UAAM,sBAAsB,MAAM,2BAA2B,OAAO;AAEpE,UAAM,gBAAgB,MAAM,sBAAsB;AAAA,MAChD,GAAG;AAAA,MACH,cAAc,oBAAoB;AAAA,IACpC,CAAC;AAED,WAAO,uCAAuC;AAAA,MAC5C,8BAA8B,cAAc;AAAA,MAC5C,8BAA8B,cAAc;AAAA,MAC5C,WAAW;AAAA,QACT,WAAW,QAAQ,UAAU;AAAA,MAC/B;AAAA,MACA,KAAK,QAAQ;AAAA,MACb,QAAQ,QAAQ;AAAA,MAChB,OAAO,QAAQ;AAAA,IACjB,CAAC;AAAA,EACH,SAAS,OAAO;AACd,QACE,iBAAiB,6BACjB,iBAAiB,mBACjB,iBAAiB,cACjB;AACA,YAAM;AAAA,IACR;AACA,UAAM,IAAI;AAAA,MACR,sFAAsF,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK,CAAC;AAAA,IAC9I;AAAA,EACF;AACF;;;AIlIA,SAAS,gCAAgC;AACzC,SAAS,wBAAwB;AA8D1B,IAAM,iBAAN,cAA6B,yBAAyB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAa3D,MAAa,6BACX,SACiB;AACjB,QAAI,CAAC,QAAQ,cAAc,KAAK;AAC9B,YAAM,IAAI,oBAAoB,yCAAyC;AAAA,IACzE;AAEA,UAAM,oBAAoB,MAAM,KAAK,2BAA2B;AAAA,MAC9D,UAAU,QAAQ,cAAc;AAAA,MAChC,cAAc;AAAA;AAAA,QAEZ,KAAK,QAAQ;AAAA,MACf;AAAA,MACA,WACE,QAAQ,aAAa,iBAAiB,oBAAI,KAAK,GAAG,OAAO,KAAK,KAAK,EAAE;AAAA,MACvE,QAAQ,QAAQ;AAAA,MAChB,QAAQ;AAAA,QACN,KAAK;AAAA,QACL,KAAK,QAAQ,OAAO;AAAA,QACpB,QAAQ;AAAA;AAAA,QACR,YAAY,QAAQ,OAAO;AAAA,MAC7B;AAAA,MACA,YAAY,QAAQ;AAAA,MACpB,YAAY,QAAQ;AAAA,IACtB,CAAC;AAED,WAAO;AAAA,EACT;AACF;","names":[]}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@pagopa/io-wallet-oid4vci",
-  "version": "0.5.0",
+  "version": "0.6.0",
   "files": [
     "dist"
   ],
@@ -31,7 +31,12 @@
     "@openid4vc/openid4vci": "0.3.0-alpha-20250714110838",
     "@openid4vc/utils": "0.3.0-alpha-20250714110838",
     "zod": "^3.24.2",
-    "@pagopa/io-wallet-utils": "0.5.0"
+    "@pagopa/io-wallet-utils": "0.6.0",
+    "@pagopa/io-wallet-oauth2": "0.6.0",
+    "@pagopa/io-wallet-oid4vp": "0.6.0"
+  },
+  "devDependencies": {
+    "js-base64": "^3.7.8"
   },
   "scripts": {
     "build": "tsup src/index.ts --format cjs,esm --dts --sourcemap",