@pagopa/io-wallet-oid4vci 0.7.1 → 0.7.3

package/dist/index.d.mts

@@ -1,7 +1,7 @@
 import { decodeJwt, CallbackContext, JwtSignerJwk, ClientAttestationJwtPayload } from '@openid4vc/oauth2';
 import { getJwtFromFormPost } from '@pagopa/io-wallet-oauth2';
 import { FetchAuthorizationResponseOptions } from '@pagopa/io-wallet-oid4vp';
-import z from 'zod';
+import z, { z as z$1 } from 'zod';
 import { Openid4vciWalletProvider } from '@openid4vc/openid4vci';
 
 declare const zAuthorizationResponse: z.ZodObject<{
@@ -89,6 +89,162 @@ declare function completeAuthorization(options: CompleteAuthorizationOptions): R
  */
 declare function sendAuthorizationResponseAndExtractCode(options: SendAuthorizationResponseAndExtractCodeOptions): Promise<AuthorizationResponse>;
 
+declare const zCredentialRequest: z$1.ZodEffects<z$1.ZodObject<{
+    credential_configuration_id: z$1.ZodOptional<z$1.ZodString>;
+    credential_identifier: z$1.ZodOptional<z$1.ZodString>;
+    proof: z$1.ZodObject<{
+        jwt: z$1.ZodString;
+        proof_type: z$1.ZodLiteral<"jwt">;
+    }, "strip", z$1.ZodTypeAny, {
+        jwt: string;
+        proof_type: "jwt";
+    }, {
+        jwt: string;
+        proof_type: "jwt";
+    }>;
+    transaction_id: z$1.ZodOptional<z$1.ZodString>;
+}, "strip", z$1.ZodTypeAny, {
+    proof: {
+        jwt: string;
+        proof_type: "jwt";
+    };
+    credential_configuration_id?: string | undefined;
+    credential_identifier?: string | undefined;
+    transaction_id?: string | undefined;
+}, {
+    proof: {
+        jwt: string;
+        proof_type: "jwt";
+    };
+    credential_configuration_id?: string | undefined;
+    credential_identifier?: string | undefined;
+    transaction_id?: string | undefined;
+}>, {
+    proof: {
+        jwt: string;
+        proof_type: "jwt";
+    };
+    credential_configuration_id?: string | undefined;
+    credential_identifier?: string | undefined;
+    transaction_id?: string | undefined;
+}, {
+    proof: {
+        jwt: string;
+        proof_type: "jwt";
+    };
+    credential_configuration_id?: string | undefined;
+    credential_identifier?: string | undefined;
+    transaction_id?: string | undefined;
+}>;
+type CredentialRequest = z$1.infer<typeof zCredentialRequest>;
+declare const zCredentialResponse: z$1.ZodEffects<z$1.ZodObject<{
+    credentials: z$1.ZodOptional<z$1.ZodObject<{
+        credential: z$1.ZodString;
+    }, "strip", z$1.ZodTypeAny, {
+        credential: string;
+    }, {
+        credential: string;
+    }>>;
+    lead_time: z$1.ZodOptional<z$1.ZodNumber>;
+    notification_id: z$1.ZodOptional<z$1.ZodString>;
+    transaction_id: z$1.ZodOptional<z$1.ZodString>;
+}, "strip", z$1.ZodTypeAny, {
+    transaction_id?: string | undefined;
+    credentials?: {
+        credential: string;
+    } | undefined;
+    lead_time?: number | undefined;
+    notification_id?: string | undefined;
+}, {
+    transaction_id?: string | undefined;
+    credentials?: {
+        credential: string;
+    } | undefined;
+    lead_time?: number | undefined;
+    notification_id?: string | undefined;
+}>, {
+    transaction_id?: string | undefined;
+    credentials?: {
+        credential: string;
+    } | undefined;
+    lead_time?: number | undefined;
+    notification_id?: string | undefined;
+}, {
+    transaction_id?: string | undefined;
+    credentials?: {
+        credential: string;
+    } | undefined;
+    lead_time?: number | undefined;
+    notification_id?: string | undefined;
+}>;
+type CredentialResponse = z$1.infer<typeof zCredentialResponse>;
+
+interface CredentialRequestOptions {
+    /**
+     * Callbacks to use for signing proof
+     */
+    callbacks: Pick<CallbackContext, "signJwt">;
+    /**
+     * Client identifier of the OAuth2 Client making the Credential Request.
+     */
+    clientId: string;
+    /**
+     * This MUST be set with one of the value obtained in the credential_identifiers claim of the Token Response.
+     */
+    credential_identifier: string;
+    /**
+     * Identifier of the Credential Issuer, for ex: https://issuer.example.com.
+     */
+    issuerIdentifier: string;
+    /**
+     * A nonce value previously requested to associate a Client session with the Credential Request.
+     */
+    nonce: string;
+    /**
+     * The signer of the credential PoP JWT.
+     */
+    signer: JwtSignerJwk;
+}
+/**
+ * Create a Credential Request.
+ * @param options - Options to create the Credential Request
+ * @returns The created Credential Request
+ */
+declare const createCredentialRequest: (options: CredentialRequestOptions) => Promise<CredentialRequest>;
+
+interface FetchCredentialResponseOptions {
+    /**
+     * Access token to authorize the credential request for DPoP mechanism
+     */
+    accessToken: string;
+    /**
+     * Callbacks to use for requesting access token
+     */
+    callbacks: Pick<CallbackContext, "fetch">;
+    /**
+     * The credential endpoint URL
+     */
+    credentialEndpoint: string;
+    /**
+     * Credential request body
+     */
+    credentialRequest: CredentialRequest;
+    /**
+     * DPoP proof with addition of ath claim
+     */
+    dPoP: string;
+}
+/**
+ * Fetches a credential response from the credential endpoint.
+ *
+ * @param options - Options for fetching the credential response
+ * @returns The credential response
+ * @throws FetchCredentialResponseError if an unexpected error occurs during the fetch
+ * @throws UnexpectedStatusCodeError if the response status code is not 200
+ * @throws ValidationError if the response cannot be parsed as a valid credential response
+ */
+declare function fetchCredentialResponse(options: FetchCredentialResponseOptions): Promise<CredentialResponse>;
+
 /**
  * Generic error thrown on Oid4vci operations
  */
@@ -188,4 +344,4 @@ declare class WalletProvider extends Openid4vciWalletProvider {
     createItWalletAttestationJwt(options: WalletAttestationOptions): Promise<string>;
 }
 
-export { type AuthorizationResponse, type CompleteAuthorizationOptions, FetchCredentialResponseError, NonceRequestError, Oid4vciError, type SendAuthorizationResponseAndExtractCodeOptions, type WalletAttestationOptions, WalletProvider, WalletProviderError, completeAuthorization, sendAuthorizationResponseAndExtractCode, zAuthorizationResponse };
+export { type AuthorizationResponse, type CompleteAuthorizationOptions, type CredentialRequest, type CredentialRequestOptions, type CredentialResponse, FetchCredentialResponseError, type FetchCredentialResponseOptions, NonceRequestError, Oid4vciError, type SendAuthorizationResponseAndExtractCodeOptions, type WalletAttestationOptions, WalletProvider, WalletProviderError, completeAuthorization, createCredentialRequest, fetchCredentialResponse, sendAuthorizationResponseAndExtractCode, zAuthorizationResponse, zCredentialRequest, zCredentialResponse };

package/dist/index.d.ts

@@ -1,7 +1,7 @@
 import { decodeJwt, CallbackContext, JwtSignerJwk, ClientAttestationJwtPayload } from '@openid4vc/oauth2';
 import { getJwtFromFormPost } from '@pagopa/io-wallet-oauth2';
 import { FetchAuthorizationResponseOptions } from '@pagopa/io-wallet-oid4vp';
-import z from 'zod';
+import z, { z as z$1 } from 'zod';
 import { Openid4vciWalletProvider } from '@openid4vc/openid4vci';
 
 declare const zAuthorizationResponse: z.ZodObject<{
@@ -89,6 +89,162 @@ declare function completeAuthorization(options: CompleteAuthorizationOptions): R
  */
 declare function sendAuthorizationResponseAndExtractCode(options: SendAuthorizationResponseAndExtractCodeOptions): Promise<AuthorizationResponse>;
 
+declare const zCredentialRequest: z$1.ZodEffects<z$1.ZodObject<{
+    credential_configuration_id: z$1.ZodOptional<z$1.ZodString>;
+    credential_identifier: z$1.ZodOptional<z$1.ZodString>;
+    proof: z$1.ZodObject<{
+        jwt: z$1.ZodString;
+        proof_type: z$1.ZodLiteral<"jwt">;
+    }, "strip", z$1.ZodTypeAny, {
+        jwt: string;
+        proof_type: "jwt";
+    }, {
+        jwt: string;
+        proof_type: "jwt";
+    }>;
+    transaction_id: z$1.ZodOptional<z$1.ZodString>;
+}, "strip", z$1.ZodTypeAny, {
+    proof: {
+        jwt: string;
+        proof_type: "jwt";
+    };
+    credential_configuration_id?: string | undefined;
+    credential_identifier?: string | undefined;
+    transaction_id?: string | undefined;
+}, {
+    proof: {
+        jwt: string;
+        proof_type: "jwt";
+    };
+    credential_configuration_id?: string | undefined;
+    credential_identifier?: string | undefined;
+    transaction_id?: string | undefined;
+}>, {
+    proof: {
+        jwt: string;
+        proof_type: "jwt";
+    };
+    credential_configuration_id?: string | undefined;
+    credential_identifier?: string | undefined;
+    transaction_id?: string | undefined;
+}, {
+    proof: {
+        jwt: string;
+        proof_type: "jwt";
+    };
+    credential_configuration_id?: string | undefined;
+    credential_identifier?: string | undefined;
+    transaction_id?: string | undefined;
+}>;
+type CredentialRequest = z$1.infer<typeof zCredentialRequest>;
+declare const zCredentialResponse: z$1.ZodEffects<z$1.ZodObject<{
+    credentials: z$1.ZodOptional<z$1.ZodObject<{
+        credential: z$1.ZodString;
+    }, "strip", z$1.ZodTypeAny, {
+        credential: string;
+    }, {
+        credential: string;
+    }>>;
+    lead_time: z$1.ZodOptional<z$1.ZodNumber>;
+    notification_id: z$1.ZodOptional<z$1.ZodString>;
+    transaction_id: z$1.ZodOptional<z$1.ZodString>;
+}, "strip", z$1.ZodTypeAny, {
+    transaction_id?: string | undefined;
+    credentials?: {
+        credential: string;
+    } | undefined;
+    lead_time?: number | undefined;
+    notification_id?: string | undefined;
+}, {
+    transaction_id?: string | undefined;
+    credentials?: {
+        credential: string;
+    } | undefined;
+    lead_time?: number | undefined;
+    notification_id?: string | undefined;
+}>, {
+    transaction_id?: string | undefined;
+    credentials?: {
+        credential: string;
+    } | undefined;
+    lead_time?: number | undefined;
+    notification_id?: string | undefined;
+}, {
+    transaction_id?: string | undefined;
+    credentials?: {
+        credential: string;
+    } | undefined;
+    lead_time?: number | undefined;
+    notification_id?: string | undefined;
+}>;
+type CredentialResponse = z$1.infer<typeof zCredentialResponse>;
+
+interface CredentialRequestOptions {
+    /**
+     * Callbacks to use for signing proof
+     */
+    callbacks: Pick<CallbackContext, "signJwt">;
+    /**
+     * Client identifier of the OAuth2 Client making the Credential Request.
+     */
+    clientId: string;
+    /**
+     * This MUST be set with one of the value obtained in the credential_identifiers claim of the Token Response.
+     */
+    credential_identifier: string;
+    /**
+     * Identifier of the Credential Issuer, for ex: https://issuer.example.com.
+     */
+    issuerIdentifier: string;
+    /**
+     * A nonce value previously requested to associate a Client session with the Credential Request.
+     */
+    nonce: string;
+    /**
+     * The signer of the credential PoP JWT.
+     */
+    signer: JwtSignerJwk;
+}
+/**
+ * Create a Credential Request.
+ * @param options - Options to create the Credential Request
+ * @returns The created Credential Request
+ */
+declare const createCredentialRequest: (options: CredentialRequestOptions) => Promise<CredentialRequest>;
+
+interface FetchCredentialResponseOptions {
+    /**
+     * Access token to authorize the credential request for DPoP mechanism
+     */
+    accessToken: string;
+    /**
+     * Callbacks to use for requesting access token
+     */
+    callbacks: Pick<CallbackContext, "fetch">;
+    /**
+     * The credential endpoint URL
+     */
+    credentialEndpoint: string;
+    /**
+     * Credential request body
+     */
+    credentialRequest: CredentialRequest;
+    /**
+     * DPoP proof with addition of ath claim
+     */
+    dPoP: string;
+}
+/**
+ * Fetches a credential response from the credential endpoint.
+ *
+ * @param options - Options for fetching the credential response
+ * @returns The credential response
+ * @throws FetchCredentialResponseError if an unexpected error occurs during the fetch
+ * @throws UnexpectedStatusCodeError if the response status code is not 200
+ * @throws ValidationError if the response cannot be parsed as a valid credential response
+ */
+declare function fetchCredentialResponse(options: FetchCredentialResponseOptions): Promise<CredentialResponse>;
+
 /**
  * Generic error thrown on Oid4vci operations
  */
@@ -188,4 +344,4 @@ declare class WalletProvider extends Openid4vciWalletProvider {
     createItWalletAttestationJwt(options: WalletAttestationOptions): Promise<string>;
 }
 
-export { type AuthorizationResponse, type CompleteAuthorizationOptions, FetchCredentialResponseError, NonceRequestError, Oid4vciError, type SendAuthorizationResponseAndExtractCodeOptions, type WalletAttestationOptions, WalletProvider, WalletProviderError, completeAuthorization, sendAuthorizationResponseAndExtractCode, zAuthorizationResponse };
+export { type AuthorizationResponse, type CompleteAuthorizationOptions, type CredentialRequest, type CredentialRequestOptions, type CredentialResponse, FetchCredentialResponseError, type FetchCredentialResponseOptions, NonceRequestError, Oid4vciError, type SendAuthorizationResponseAndExtractCodeOptions, type WalletAttestationOptions, WalletProvider, WalletProviderError, completeAuthorization, createCredentialRequest, fetchCredentialResponse, sendAuthorizationResponseAndExtractCode, zAuthorizationResponse, zCredentialRequest, zCredentialResponse };

package/dist/index.js

@@ -36,8 +36,12 @@ __export(index_exports, {
   WalletProvider: () => WalletProvider,
   WalletProviderError: () => WalletProviderError,
   completeAuthorization: () => completeAuthorization,
+  createCredentialRequest: () => createCredentialRequest,
+  fetchCredentialResponse: () => fetchCredentialResponse,
   sendAuthorizationResponseAndExtractCode: () => sendAuthorizationResponseAndExtractCode,
-  zAuthorizationResponse: () => zAuthorizationResponse
+  zAuthorizationResponse: () => zAuthorizationResponse,
+  zCredentialRequest: () => zCredentialRequest,
+  zCredentialResponse: () => zCredentialResponse
 });
 module.exports = __toCommonJS(index_exports);
 
@@ -169,9 +173,150 @@ async function sendAuthorizationResponseAndExtractCode(options) {
   }
 }
 
+// src/credential-request/create-credential-request.ts
+var import_utils2 = require("@openid4vc/utils");
+
+// src/credential-request/z-credential.ts
+var import_zod2 = require("zod");
+var ProofSchema = import_zod2.z.object({
+  jwt: import_zod2.z.string().min(1, "JWT must not be empty"),
+  proof_type: import_zod2.z.literal("jwt")
+  // MUST be "jwt"
+});
+var zCredentialRequest = import_zod2.z.object({
+  credential_configuration_id: import_zod2.z.string().optional().describe(
+    "REQUIRED if credential_identifiers param is absent. MUST NOT be used otherwise."
+  ),
+  credential_identifier: import_zod2.z.string().optional().describe(
+    "REQUIRED when Authorization Details of type openid_credential was returned. MUST NOT be used if credential_configuration_id is present."
+  ),
+  proof: ProofSchema.describe(
+    "REQUIRED. Proof of possession of key material (must contain proof_type=jwt and a jwt)."
+  ),
+  transaction_id: import_zod2.z.string().optional().describe(
+    "REQUIRED only in case of deferred flow. MUST NOT be present in immediate flow."
+  )
+}).superRefine((data, ctx) => {
+  if (data.credential_identifier && data.credential_configuration_id) {
+    ctx.addIssue({
+      code: "custom",
+      message: "credential_identifier and credential_configuration_id MUST NOT be used together",
+      path: ["credential_identifier"]
+    });
+  }
+  if (!data.credential_identifier && !data.credential_configuration_id) {
+    ctx.addIssue({
+      code: "custom",
+      message: "One of credential_identifier or credential_configuration_id MUST be present",
+      path: ["credential_identifier"]
+    });
+  }
+});
+var CredentialsSchema = import_zod2.z.object({
+  credential: import_zod2.z.string().min(1, "credential must not be empty").describe(
+    "REQUIRED. Contains the issued Digital Credential. Depending on format, may be raw JWT or base64url-encoded CBOR structure."
+  )
+});
+var zCredentialResponse = import_zod2.z.object({
+  credentials: CredentialsSchema.optional().describe(
+    "REQUIRED if lead_time and transaction_id are not present. MUST NOT be present otherwise."
+  ),
+  lead_time: import_zod2.z.number().int().positive().optional().describe(
+    "REQUIRED if credentials is not present. MUST NOT be present otherwise."
+  ),
+  notification_id: import_zod2.z.string().optional().describe("OPTIONAL. MUST NOT be present if credentials is not present."),
+  transaction_id: import_zod2.z.string().optional().describe(
+    "REQUIRED if credentials is not present. MUST NOT be present otherwise."
+  )
+}).superRefine((data, ctx) => {
+  if (data.credentials && (data.lead_time || data.transaction_id)) {
+    ctx.addIssue({
+      code: "custom",
+      message: "credentials MUST NOT be present if lead_time or transaction_id is provided",
+      path: ["credentials"]
+    });
+  }
+  if (!data.credentials && (!data.lead_time || !data.transaction_id)) {
+    ctx.addIssue({
+      code: "custom",
+      message: "If credentials is absent, both lead_time and transaction_id MUST be present",
+      path: ["lead_time"]
+    });
+  }
+  if (!data.credentials && data.notification_id) {
+    ctx.addIssue({
+      code: "custom",
+      message: "notification_id MUST NOT be present if credentials is absent",
+      path: ["notification_id"]
+    });
+  }
+});
+
+// src/credential-request/create-credential-request.ts
+var createCredentialRequest = async (options) => {
+  try {
+    const { signJwt } = options.callbacks;
+    const proofJwt = await signJwt(options.signer, {
+      header: {
+        alg: options.signer.alg,
+        jwk: options.signer.publicJwk,
+        typ: "openid4vci-proof+jwt"
+      },
+      payload: {
+        aud: options.issuerIdentifier,
+        iat: (0, import_utils2.dateToSeconds)(/* @__PURE__ */ new Date()),
+        iss: options.clientId,
+        nonce: options.nonce
+      }
+    });
+    return (0, import_utils2.parseWithErrorHandling)(zCredentialRequest, {
+      credential_identifier: options.credential_identifier,
+      proof: {
+        jwt: proofJwt.jwt,
+        proof_type: "jwt"
+      }
+    });
+  } catch (error) {
+    throw new Oid4vciError(
+      `Unexpected error during create credential request: ${error instanceof Error ? error.message : String(error)}`
+    );
+  }
+};
+
+// src/credential-request/fetch-credential-response.ts
+var import_utils3 = require("@openid4vc/utils");
+var import_io_wallet_utils2 = require("@pagopa/io-wallet-utils");
+async function fetchCredentialResponse(options) {
+  try {
+    const fetch = (0, import_utils3.createFetcher)(options.callbacks.fetch);
+    const credentialResponse = await fetch(options.credentialEndpoint, {
+      body: JSON.stringify(options.credentialRequest),
+      headers: {
+        [import_io_wallet_utils2.HEADERS.AUTHORIZATION]: `DPoP ${options.accessToken}`,
+        [import_io_wallet_utils2.HEADERS.CONTENT_TYPE]: import_io_wallet_utils2.CONTENT_TYPES.JSON,
+        [import_io_wallet_utils2.HEADERS.DPOP]: options.dPoP
+      },
+      method: "POST"
+    });
+    await (0, import_io_wallet_utils2.hasStatusOrThrow)(200, import_io_wallet_utils2.UnexpectedStatusCodeError)(credentialResponse);
+    return (0, import_utils3.parseWithErrorHandling)(
+      zCredentialResponse,
+      credentialResponse.json(),
+      `Failed to parse credential response`
+    );
+  } catch (error) {
+    if (error instanceof import_io_wallet_utils2.UnexpectedStatusCodeError || error instanceof import_io_wallet_utils2.ValidationError) {
+      throw error;
+    }
+    throw new FetchCredentialResponseError(
+      `Unexpected error during credential response: ${error instanceof Error ? error.message : String(error)}`
+    );
+  }
+}
+
 // src/wallet-provider/WalletProvider.ts
 var import_openid4vci = require("@openid4vc/openid4vci");
-var import_utils2 = require("@openid4vc/utils");
+var import_utils4 = require("@openid4vc/utils");
 var WalletProvider = class extends import_openid4vci.Openid4vciWalletProvider {
   /**
    * Creates a wallet attestation JWT.
@@ -195,7 +340,7 @@ var WalletProvider = class extends import_openid4vci.Openid4vciWalletProvider {
         // We use the same key for DPoP as the wallet attestation
         jwk: options.dpopJwkPublic
       },
-      expiresAt: options.expiresAt ?? (0, import_utils2.addSecondsToDate)(/* @__PURE__ */ new Date(), 3600 * 24 * 60 * 60),
+      expiresAt: options.expiresAt ?? (0, import_utils4.addSecondsToDate)(/* @__PURE__ */ new Date(), 3600 * 24 * 60 * 60),
       issuer: options.issuer,
       signer: {
         alg: "ES256",
@@ -218,7 +363,11 @@ var WalletProvider = class extends import_openid4vci.Openid4vciWalletProvider {
   WalletProvider,
   WalletProviderError,
   completeAuthorization,
+  createCredentialRequest,
+  fetchCredentialResponse,
   sendAuthorizationResponseAndExtractCode,
-  zAuthorizationResponse
+  zAuthorizationResponse,
+  zCredentialRequest,
+  zCredentialResponse
 });
 //# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../src/index.ts","../src/authorization-response/complete-authorization.ts","../src/errors.ts","../src/authorization-response/verify-authorization-response.ts","../src/authorization-response/z-authorization-response.ts","../src/wallet-provider/WalletProvider.ts"],"sourcesContent":["export * from \"./authorization-response\";\nexport * from \"./errors\";\nexport * from \"./wallet-provider/WalletProvider\";\n","import { CallbackContext } from \"@openid4vc/oauth2\";\nimport { ValidationError, createFetcher } from \"@openid4vc/utils\";\nimport { getJwtFromFormPost } from \"@pagopa/io-wallet-oauth2\";\nimport {\n  FetchAuthorizationResponseOptions,\n  fetchAuthorizationResponse,\n} from \"@pagopa/io-wallet-oid4vp\";\nimport {\n  UnexpectedStatusCodeError,\n  hasStatusOrThrow,\n} from \"@pagopa/io-wallet-utils\";\n\nimport { Oid4vciError } from \"../errors\";\nimport {\n  VerifyAuthorizationResponseFormPostJWTOptions,\n  verifyAuthorizationResponseFormPostJWT,\n} from \"./verify-authorization-response\";\nimport {\n  AuthorizationResponse,\n  zAuthorizationResponse,\n} from \"./z-authorization-response\";\n\nexport interface CompleteAuthorizationOptions {\n  callbacks: Pick<CallbackContext, \"fetch\">;\n\n  /**\n   * The response_uri returned by the server after a successful\n   * OID4VP Authorization Response is sent\n   */\n  response_uri: string;\n}\n\n/**\n * Combination of {@link CompleteAuthorizationOptions},\n * {@link FetchAuthorizationResponseOptions} and\n * {@link VerifyAuthorizationResponseFormPostJWTOptions}\n */\nexport type SendAuthorizationResponseAndExtractCodeOptions =\n  FetchAuthorizationResponseOptions &\n    Omit<\n      VerifyAuthorizationResponseFormPostJWTOptions,\n      \"authorizationResponseCompact\" | \"authorizationResponseDecoded\"\n    > &\n    Omit<CompleteAuthorizationOptions, \"response_uri\">;\n\n/**\n * Method that completes the form_post.jwt based authorization\n * process for credentials issuance following the ITWallet\n * specification by retrieving the form from the provided uri,\n * extracting and parsing the contained JWT and verifying the\n * iss and state fields match the authorization session's expected\n * values.\n * See https://italia.github.io/eid-wallet-it-docs/versione-corrente/en/credential-issuance-low-level.html#\n * steps 6-7 for details.\n *\n * @param options {@link CompleteAuthorizationOptions}\n * @returns An object containing the fetched JWT and its decoding. The JWT contains the access code\n *          necessary for access token issuance\n */\nexport async function completeAuthorization(\n  options: CompleteAuthorizationOptions,\n): ReturnType<typeof getJwtFromFormPost<typeof zAuthorizationResponse>> {\n  try {\n    const fetch = createFetcher(options.callbacks.fetch);\n    const authorizationResponseResult = await fetch(options.response_uri);\n\n    await hasStatusOrThrow(\n      200,\n      UnexpectedStatusCodeError,\n    )(authorizationResponseResult);\n\n    return await getJwtFromFormPost({\n      formData: await authorizationResponseResult.text(),\n      schema: zAuthorizationResponse,\n    });\n  } catch (error) {\n    if (\n      error instanceof UnexpectedStatusCodeError ||\n      error instanceof ValidationError ||\n      error instanceof Oid4vciError\n    ) {\n      throw error;\n    }\n    throw new Oid4vciError(\n      `Unexpected error completing the authorization process: ${error instanceof Error ? `${error.name} : ${error.message}` : String(error)}`,\n    );\n  }\n}\n\n/**\n * Convenience method that combines {@link completeAuthorization},\n * oid4vp package's {@link fetchAuthorizationResponse} and {@link verifyAuthorizationResponseFormPostJWT} to retrieve the\n * access code starting from the authorization response and the response uri\n *\n * @param options {@link SendAuthorizationResponseAndExtractCodeOptions}\n * @returns An object containing the fetched JWT and its decoding. The JWT contains the access code\n *          for necessary for access token issuance\n */\nexport async function sendAuthorizationResponseAndExtractCode(\n  options: SendAuthorizationResponseAndExtractCodeOptions,\n): Promise<AuthorizationResponse> {\n  try {\n    const authorizationResult = await fetchAuthorizationResponse(options);\n\n    const jwtAndPayload = await completeAuthorization({\n      ...options,\n      response_uri: authorizationResult.redirect_uri,\n    });\n\n    return verifyAuthorizationResponseFormPostJWT({\n      authorizationResponseCompact: jwtAndPayload.jwt,\n      authorizationResponseDecoded: jwtAndPayload.decodedJwt,\n      callbacks: {\n        verifyJwt: options.callbacks.verifyJwt,\n      },\n      iss: options.iss,\n      signer: options.signer,\n      state: options.state,\n    });\n  } catch (error) {\n    if (\n      error instanceof UnexpectedStatusCodeError ||\n      error instanceof ValidationError ||\n      error instanceof Oid4vciError\n    ) {\n      throw error;\n    }\n    throw new Oid4vciError(\n      `Unexpected error sending the authorization response and retrieving the acces code: ${error instanceof Error ? error.message : String(error)}`,\n    );\n  }\n}\n","/**\n * Generic error thrown on Oid4vci operations\n */\nexport class Oid4vciError extends Error {\n  constructor(\n    message: string,\n    public readonly statusCode?: number,\n  ) {\n    super(message);\n    this.name = \"Oid4vciError\";\n  }\n}\n\n/**\n * Error thrown in case the DPoP key passed to the\n * {@link WalletProvider.createItWalletAttestationJwt} method\n * doesn't contain a kid\n */\nexport class WalletProviderError extends Oid4vciError {\n  constructor(\n    message: string,\n    public readonly originalError?: unknown,\n  ) {\n    super(message);\n    this.name = \"WalletProviderError\";\n  }\n}\n\n/**\n * Error thrown when an unexpected error occurs during nonce request.\n */\nexport class NonceRequestError extends Error {\n  constructor(\n    message: string,\n    public readonly statusCode?: number,\n  ) {\n    super(message);\n    this.name = \"NonceRequestError\";\n  }\n}\n\n/**\n * Error thrown when an unexpected error occurs during credential response fetching.\n */\nexport class FetchCredentialResponseError extends Oid4vciError {\n  constructor(\n    message: string,\n    public readonly originalError?: unknown,\n  ) {\n    super(message);\n    this.name = \"FetchCredentialResponseError\";\n  }\n}\n","import { CallbackContext, JwtSignerJwk, decodeJwt } from \"@openid4vc/oauth2\";\n\nimport { Oid4vciError } from \"../errors\";\nimport {\n  AuthorizationResponse,\n  zAuthorizationResponse,\n} from \"./z-authorization-response\";\n\nexport interface VerifyAuthorizationResponseOptions {\n  /**\n   * Authorization response object containing the authorization\n   * code, the issuer and the session's state\n   */\n  authorizationResponse: AuthorizationResponse;\n\n  /**\n   * The issuer the Wallet Instance started the\n   * authorization flow (either via PAR or directly) with\n   */\n  iss: string;\n\n  /**\n   * The state sent by the Wallet Instance at the start\n   * of the authorization flow (either via PAR or directly)\n   */\n  state: string;\n}\n\nexport interface VerifyAuthorizationResponseFormPostJWTOptions {\n  /**\n   * Compact AuthorizaitonResponse JWT\n   */\n  authorizationResponseCompact: string;\n\n  /**\n   * Authorization Response object containing the authorization\n   * code, the issuer and the session's state\n   */\n  authorizationResponseDecoded: ReturnType<\n    typeof decodeJwt<undefined, typeof zAuthorizationResponse>\n  >;\n\n  /**\n   * Callback for verifying the authorization jwt signature\n   */\n  callbacks: Pick<CallbackContext, \"verifyJwt\">;\n\n  /**\n   * The issuer the Wallet Instance started the\n   * authorization flow (either via PAR or directly) with\n   */\n  iss: string;\n\n  /**\n   * Signer of the form POST returned jwt\n   */\n  signer: JwtSignerJwk;\n\n  /**\n   * The state sent by the Wallet Instance at the start\n   * of the authorization flow (either via PAR or directly)\n   */\n  state: string;\n}\n\n/**\n * Utility that verifies if the returned Authorization Response's iss and state field match\n * the Authorization Session ones\n * @param options {@link VerifyAuthorizationResponseOptions}\n * @returns the {@link AuthorizationResponse} passed as an option\n * @throws {Oid4vciError} in case the iss or state field of the Authorization request don't\n *         match the provided ones\n */\nexport async function verifyAuthorizationResponse(\n  options: VerifyAuthorizationResponseOptions,\n): Promise<AuthorizationResponse> {\n  if (options.authorizationResponse.iss !== options.iss)\n    throw new Oid4vciError(\n      `Response result iss doesn't match passed counterpart. Expected: ${options.iss}, Got: ${options.authorizationResponse.iss}`,\n    );\n  if (options.authorizationResponse.state !== options.state)\n    throw new Oid4vciError(\n      `Response result state doesn't match passed counterpart. Expected: ${options.state}, Got: ${options.authorizationResponse.state}`,\n    );\n\n  return options.authorizationResponse;\n}\n\n/**\n * Wrapper of {@link verifyAuthorizationResponse} that verifies the signature of the JWT containing\n * the authorization response and extracts the {@link AuthorizationResponse} payload\n * @param options {@link VerifyAuthorizationResponseFormPostJWTOptions}\n * @returns the {@link AuthorizationResponse} passed as an option\n * @throws {Oid4vciError} in case {@link verifyAuthorizationResponse} throws or in case\n *         signature verification fails\n */\nexport async function verifyAuthorizationResponseFormPostJWT(\n  options: VerifyAuthorizationResponseFormPostJWTOptions,\n): Promise<AuthorizationResponse> {\n  try {\n    const decodedJwt = options.authorizationResponseDecoded;\n    const result = await options.callbacks.verifyJwt(options.signer, {\n      compact: options.authorizationResponseCompact,\n      ...decodedJwt,\n    });\n\n    if (!result.verified) {\n      throw new Oid4vciError(\"Error verifying JWT signature\");\n    }\n\n    return verifyAuthorizationResponse({\n      authorizationResponse: options.authorizationResponseDecoded.payload,\n      iss: options.iss,\n      state: options.state,\n    });\n  } catch (error) {\n    if (error instanceof Oid4vciError) throw error;\n\n    throw new Oid4vciError(\n      `Unexpected error verifying form post jwt: ${error instanceof Error ? `${error.name} : ${error.message}` : String(error)}`,\n    );\n  }\n}\n","import z from \"zod\";\n\nexport const zAuthorizationResponse = z.object({\n  code: z.string(),\n  iss: z.string(),\n  state: z.string(),\n});\n\nexport type AuthorizationResponse = z.infer<typeof zAuthorizationResponse>;\n","import { ClientAttestationJwtPayload } from \"@openid4vc/oauth2\";\nimport { Openid4vciWalletProvider } from \"@openid4vc/openid4vci\";\nimport { addSecondsToDate } from \"@openid4vc/utils\";\n\nimport { WalletProviderError } from \"../errors\";\n\n/**\n * @interface WalletAttestationOptions\n * @description Defines the options required to create a wallet attestation JWT.\n * This attestation is a signed token that proves the wallet's identity and possession of a cryptographic key.\n */\nexport interface WalletAttestationOptions {\n  /**\n   * The public part of the DPoP (Demonstrating Proof-of-Possession) key in JWK (JSON Web Key) format.\n   * This key is used to bind the attestation to the client's session.\n   * @type {ClientAttestationJwtPayload['cnf']}\n   */\n  dpopJwkPublic: ClientAttestationJwtPayload[\"cnf\"][\"jwk\"];\n\n  /**\n   * The optional expiration date for the attestation JWT. If not provided, a default lifetime will be used.\n   * @type {Date}\n   */\n  expiresAt?: Date;\n  /**\n   * The issuer of the attestation, typically the Wallet Provider's identifier.\n   * @type {string}\n   */\n  issuer: string;\n\n  signer: {\n    /**\n     * An array of JWTs representing the chain of trust from the federation's trust anchor\n     * to the wallet provider. This is used in federated identity systems to validate the provider's authenticity.\n     * @type {[string, ...string[]]}\n     */\n    trustChain: [string, ...string[]];\n\n    /**\n     * The Key ID (`kid`) of the wallet provider's public key used for signing the attestation.\n     * @type {string}\n     */\n    walletProviderJwkPublicKid: string;\n  };\n\n  /**\n   * An optional deep link or URL that can be used to open or interact with the wallet.\n   * @type {string}\n   */\n  walletLink?: string;\n\n  /**\n   * An optional display name for the wallet.\n   * @type {string}\n   */\n  walletName?: string;\n}\n\n/**\n * @class WalletProvider\n * @extends Openid4vciWalletProvider\n * @description An implementation of a wallet provider for the OpenID4VCI protocol, tailored for a specific ecosystem (e.g., the Italian one).\n * It handles the creation of wallet attestations required during the credential issuance flow.\n */\nexport class WalletProvider extends Openid4vciWalletProvider {\n  /**\n   * Creates a wallet attestation JWT.\n   *\n   * This method constructs a signed JWT that asserts the wallet's control over a specific\n   * cryptographic key (DPoP key). This is a security measure to ensure that the entity\n   * presenting the credential offer is the legitimate wallet instance.\n   *\n   * @public\n   * @async\n   * @param {WalletAttestationOptions} options - The necessary parameters to build the attestation.\n   * @returns {Promise<string>} A promise that resolves to the signed wallet attestation JWT as a string.\n   */\n  public async createItWalletAttestationJwt(\n    options: WalletAttestationOptions,\n  ): Promise<string> {\n    if (!options.dpopJwkPublic.kid) {\n      throw new WalletProviderError(\"The DPoP JWK must have a 'kid' property\");\n    }\n\n    const walletAttestation = await this.createWalletAttestationJwt({\n      clientId: options.dpopJwkPublic.kid,\n      confirmation: {\n        // We use the same key for DPoP as the wallet attestation\n        jwk: options.dpopJwkPublic,\n      },\n      expiresAt:\n        options.expiresAt ?? addSecondsToDate(new Date(), 3600 * 24 * 60 * 60),\n      issuer: options.issuer,\n      signer: {\n        alg: \"ES256\",\n        kid: options.signer.walletProviderJwkPublicKid,\n        method: \"federation\", // Indicates the validation method relies on a trust chain.\n        trustChain: options.signer.trustChain,\n      },\n      walletLink: options.walletLink,\n      walletName: options.walletName,\n    });\n\n    return walletAttestation;\n  }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACCA,mBAA+C;AAC/C,8BAAmC;AACnC,8BAGO;AACP,6BAGO;;;ACPA,IAAM,eAAN,cAA2B,MAAM;AAAA,EACtC,YACE,SACgB,YAChB;AACA,UAAM,OAAO;AAFG;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;AAOO,IAAM,sBAAN,cAAkC,aAAa;AAAA,EACpD,YACE,SACgB,eAChB;AACA,UAAM,OAAO;AAFG;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;AAKO,IAAM,oBAAN,cAAgC,MAAM;AAAA,EAC3C,YACE,SACgB,YAChB;AACA,UAAM,OAAO;AAFG;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;AAKO,IAAM,+BAAN,cAA2C,aAAa;AAAA,EAC7D,YACE,SACgB,eAChB;AACA,UAAM,OAAO;AAFG;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;;;ACqBA,eAAsB,4BACpB,SACgC;AAChC,MAAI,QAAQ,sBAAsB,QAAQ,QAAQ;AAChD,UAAM,IAAI;AAAA,MACR,mEAAmE,QAAQ,GAAG,UAAU,QAAQ,sBAAsB,GAAG;AAAA,IAC3H;AACF,MAAI,QAAQ,sBAAsB,UAAU,QAAQ;AAClD,UAAM,IAAI;AAAA,MACR,qEAAqE,QAAQ,KAAK,UAAU,QAAQ,sBAAsB,KAAK;AAAA,IACjI;AAEF,SAAO,QAAQ;AACjB;AAUA,eAAsB,uCACpB,SACgC;AAChC,MAAI;AACF,UAAM,aAAa,QAAQ;AAC3B,UAAM,SAAS,MAAM,QAAQ,UAAU,UAAU,QAAQ,QAAQ;AAAA,MAC/D,SAAS,QAAQ;AAAA,MACjB,GAAG;AAAA,IACL,CAAC;AAED,QAAI,CAAC,OAAO,UAAU;AACpB,YAAM,IAAI,aAAa,+BAA+B;AAAA,IACxD;AAEA,WAAO,4BAA4B;AAAA,MACjC,uBAAuB,QAAQ,6BAA6B;AAAA,MAC5D,KAAK,QAAQ;AAAA,MACb,OAAO,QAAQ;AAAA,IACjB,CAAC;AAAA,EACH,SAAS,OAAO;AACd,QAAI,iBAAiB,aAAc,OAAM;AAEzC,UAAM,IAAI;AAAA,MACR,6CAA6C,iBAAiB,QAAQ,GAAG,MAAM,IAAI,MAAM,MAAM,OAAO,KAAK,OAAO,KAAK,CAAC;AAAA,IAC1H;AAAA,EACF;AACF;;;AC1HA,iBAAc;AAEP,IAAM,yBAAyB,WAAAA,QAAE,OAAO;AAAA,EAC7C,MAAM,WAAAA,QAAE,OAAO;AAAA,EACf,KAAK,WAAAA,QAAE,OAAO;AAAA,EACd,OAAO,WAAAA,QAAE,OAAO;AAClB,CAAC;;;AHqDD,eAAsB,sBACpB,SACsE;AACtE,MAAI;AACF,UAAM,YAAQ,4BAAc,QAAQ,UAAU,KAAK;AACnD,UAAM,8BAA8B,MAAM,MAAM,QAAQ,YAAY;AAEpE,cAAM;AAAA,MACJ;AAAA,MACA;AAAA,IACF,EAAE,2BAA2B;AAE7B,WAAO,UAAM,4CAAmB;AAAA,MAC9B,UAAU,MAAM,4BAA4B,KAAK;AAAA,MACjD,QAAQ;AAAA,IACV,CAAC;AAAA,EACH,SAAS,OAAO;AACd,QACE,iBAAiB,oDACjB,iBAAiB,gCACjB,iBAAiB,cACjB;AACA,YAAM;AAAA,IACR;AACA,UAAM,IAAI;AAAA,MACR,0DAA0D,iBAAiB,QAAQ,GAAG,MAAM,IAAI,MAAM,MAAM,OAAO,KAAK,OAAO,KAAK,CAAC;AAAA,IACvI;AAAA,EACF;AACF;AAWA,eAAsB,wCACpB,SACgC;AAChC,MAAI;AACF,UAAM,sBAAsB,UAAM,oDAA2B,OAAO;AAEpE,UAAM,gBAAgB,MAAM,sBAAsB;AAAA,MAChD,GAAG;AAAA,MACH,cAAc,oBAAoB;AAAA,IACpC,CAAC;AAED,WAAO,uCAAuC;AAAA,MAC5C,8BAA8B,cAAc;AAAA,MAC5C,8BAA8B,cAAc;AAAA,MAC5C,WAAW;AAAA,QACT,WAAW,QAAQ,UAAU;AAAA,MAC/B;AAAA,MACA,KAAK,QAAQ;AAAA,MACb,QAAQ,QAAQ;AAAA,MAChB,OAAO,QAAQ;AAAA,IACjB,CAAC;AAAA,EACH,SAAS,OAAO;AACd,QACE,iBAAiB,oDACjB,iBAAiB,gCACjB,iBAAiB,cACjB;AACA,YAAM;AAAA,IACR;AACA,UAAM,IAAI;AAAA,MACR,sFAAsF,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK,CAAC;AAAA,IAC9I;AAAA,EACF;AACF;;;AIlIA,wBAAyC;AACzC,IAAAC,gBAAiC;AA8D1B,IAAM,iBAAN,cAA6B,2CAAyB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAa3D,MAAa,6BACX,SACiB;AACjB,QAAI,CAAC,QAAQ,cAAc,KAAK;AAC9B,YAAM,IAAI,oBAAoB,yCAAyC;AAAA,IACzE;AAEA,UAAM,oBAAoB,MAAM,KAAK,2BAA2B;AAAA,MAC9D,UAAU,QAAQ,cAAc;AAAA,MAChC,cAAc;AAAA;AAAA,QAEZ,KAAK,QAAQ;AAAA,MACf;AAAA,MACA,WACE,QAAQ,iBAAa,gCAAiB,oBAAI,KAAK,GAAG,OAAO,KAAK,KAAK,EAAE;AAAA,MACvE,QAAQ,QAAQ;AAAA,MAChB,QAAQ;AAAA,QACN,KAAK;AAAA,QACL,KAAK,QAAQ,OAAO;AAAA,QACpB,QAAQ;AAAA;AAAA,QACR,YAAY,QAAQ,OAAO;AAAA,MAC7B;AAAA,MACA,YAAY,QAAQ;AAAA,MACpB,YAAY,QAAQ;AAAA,IACtB,CAAC;AAED,WAAO;AAAA,EACT;AACF;","names":["z","import_utils"]}
+{"version":3,"sources":["../src/index.ts","../src/authorization-response/complete-authorization.ts","../src/errors.ts","../src/authorization-response/verify-authorization-response.ts","../src/authorization-response/z-authorization-response.ts","../src/credential-request/create-credential-request.ts","../src/credential-request/z-credential.ts","../src/credential-request/fetch-credential-response.ts","../src/wallet-provider/WalletProvider.ts"],"sourcesContent":["export * from \"./authorization-response\";\nexport * from \"./credential-request\";\nexport * from \"./errors\";\nexport * from \"./wallet-provider/WalletProvider\";\n","import { CallbackContext } from \"@openid4vc/oauth2\";\nimport { ValidationError, createFetcher } from \"@openid4vc/utils\";\nimport { getJwtFromFormPost } from \"@pagopa/io-wallet-oauth2\";\nimport {\n  FetchAuthorizationResponseOptions,\n  fetchAuthorizationResponse,\n} from \"@pagopa/io-wallet-oid4vp\";\nimport {\n  UnexpectedStatusCodeError,\n  hasStatusOrThrow,\n} from \"@pagopa/io-wallet-utils\";\n\nimport { Oid4vciError } from \"../errors\";\nimport {\n  VerifyAuthorizationResponseFormPostJWTOptions,\n  verifyAuthorizationResponseFormPostJWT,\n} from \"./verify-authorization-response\";\nimport {\n  AuthorizationResponse,\n  zAuthorizationResponse,\n} from \"./z-authorization-response\";\n\nexport interface CompleteAuthorizationOptions {\n  callbacks: Pick<CallbackContext, \"fetch\">;\n\n  /**\n   * The response_uri returned by the server after a successful\n   * OID4VP Authorization Response is sent\n   */\n  response_uri: string;\n}\n\n/**\n * Combination of {@link CompleteAuthorizationOptions},\n * {@link FetchAuthorizationResponseOptions} and\n * {@link VerifyAuthorizationResponseFormPostJWTOptions}\n */\nexport type SendAuthorizationResponseAndExtractCodeOptions =\n  FetchAuthorizationResponseOptions &\n    Omit<\n      VerifyAuthorizationResponseFormPostJWTOptions,\n      \"authorizationResponseCompact\" | \"authorizationResponseDecoded\"\n    > &\n    Omit<CompleteAuthorizationOptions, \"response_uri\">;\n\n/**\n * Method that completes the form_post.jwt based authorization\n * process for credentials issuance following the ITWallet\n * specification by retrieving the form from the provided uri,\n * extracting and parsing the contained JWT and verifying the\n * iss and state fields match the authorization session's expected\n * values.\n * See https://italia.github.io/eid-wallet-it-docs/versione-corrente/en/credential-issuance-low-level.html#\n * steps 6-7 for details.\n *\n * @param options {@link CompleteAuthorizationOptions}\n * @returns An object containing the fetched JWT and its decoding. The JWT contains the access code\n *          necessary for access token issuance\n */\nexport async function completeAuthorization(\n  options: CompleteAuthorizationOptions,\n): ReturnType<typeof getJwtFromFormPost<typeof zAuthorizationResponse>> {\n  try {\n    const fetch = createFetcher(options.callbacks.fetch);\n    const authorizationResponseResult = await fetch(options.response_uri);\n\n    await hasStatusOrThrow(\n      200,\n      UnexpectedStatusCodeError,\n    )(authorizationResponseResult);\n\n    return await getJwtFromFormPost({\n      formData: await authorizationResponseResult.text(),\n      schema: zAuthorizationResponse,\n    });\n  } catch (error) {\n    if (\n      error instanceof UnexpectedStatusCodeError ||\n      error instanceof ValidationError ||\n      error instanceof Oid4vciError\n    ) {\n      throw error;\n    }\n    throw new Oid4vciError(\n      `Unexpected error completing the authorization process: ${error instanceof Error ? `${error.name} : ${error.message}` : String(error)}`,\n    );\n  }\n}\n\n/**\n * Convenience method that combines {@link completeAuthorization},\n * oid4vp package's {@link fetchAuthorizationResponse} and {@link verifyAuthorizationResponseFormPostJWT} to retrieve the\n * access code starting from the authorization response and the response uri\n *\n * @param options {@link SendAuthorizationResponseAndExtractCodeOptions}\n * @returns An object containing the fetched JWT and its decoding. The JWT contains the access code\n *          for necessary for access token issuance\n */\nexport async function sendAuthorizationResponseAndExtractCode(\n  options: SendAuthorizationResponseAndExtractCodeOptions,\n): Promise<AuthorizationResponse> {\n  try {\n    const authorizationResult = await fetchAuthorizationResponse(options);\n\n    const jwtAndPayload = await completeAuthorization({\n      ...options,\n      response_uri: authorizationResult.redirect_uri,\n    });\n\n    return verifyAuthorizationResponseFormPostJWT({\n      authorizationResponseCompact: jwtAndPayload.jwt,\n      authorizationResponseDecoded: jwtAndPayload.decodedJwt,\n      callbacks: {\n        verifyJwt: options.callbacks.verifyJwt,\n      },\n      iss: options.iss,\n      signer: options.signer,\n      state: options.state,\n    });\n  } catch (error) {\n    if (\n      error instanceof UnexpectedStatusCodeError ||\n      error instanceof ValidationError ||\n      error instanceof Oid4vciError\n    ) {\n      throw error;\n    }\n    throw new Oid4vciError(\n      `Unexpected error sending the authorization response and retrieving the acces code: ${error instanceof Error ? error.message : String(error)}`,\n    );\n  }\n}\n","/**\n * Generic error thrown on Oid4vci operations\n */\nexport class Oid4vciError extends Error {\n  constructor(\n    message: string,\n    public readonly statusCode?: number,\n  ) {\n    super(message);\n    this.name = \"Oid4vciError\";\n  }\n}\n\n/**\n * Error thrown in case the DPoP key passed to the\n * {@link WalletProvider.createItWalletAttestationJwt} method\n * doesn't contain a kid\n */\nexport class WalletProviderError extends Oid4vciError {\n  constructor(\n    message: string,\n    public readonly originalError?: unknown,\n  ) {\n    super(message);\n    this.name = \"WalletProviderError\";\n  }\n}\n\n/**\n * Error thrown when an unexpected error occurs during nonce request.\n */\nexport class NonceRequestError extends Error {\n  constructor(\n    message: string,\n    public readonly statusCode?: number,\n  ) {\n    super(message);\n    this.name = \"NonceRequestError\";\n  }\n}\n\n/**\n * Error thrown when an unexpected error occurs during credential response fetching.\n */\nexport class FetchCredentialResponseError extends Oid4vciError {\n  constructor(\n    message: string,\n    public readonly originalError?: unknown,\n  ) {\n    super(message);\n    this.name = \"FetchCredentialResponseError\";\n  }\n}\n","import { CallbackContext, JwtSignerJwk, decodeJwt } from \"@openid4vc/oauth2\";\n\nimport { Oid4vciError } from \"../errors\";\nimport {\n  AuthorizationResponse,\n  zAuthorizationResponse,\n} from \"./z-authorization-response\";\n\nexport interface VerifyAuthorizationResponseOptions {\n  /**\n   * Authorization response object containing the authorization\n   * code, the issuer and the session's state\n   */\n  authorizationResponse: AuthorizationResponse;\n\n  /**\n   * The issuer the Wallet Instance started the\n   * authorization flow (either via PAR or directly) with\n   */\n  iss: string;\n\n  /**\n   * The state sent by the Wallet Instance at the start\n   * of the authorization flow (either via PAR or directly)\n   */\n  state: string;\n}\n\nexport interface VerifyAuthorizationResponseFormPostJWTOptions {\n  /**\n   * Compact AuthorizaitonResponse JWT\n   */\n  authorizationResponseCompact: string;\n\n  /**\n   * Authorization Response object containing the authorization\n   * code, the issuer and the session's state\n   */\n  authorizationResponseDecoded: ReturnType<\n    typeof decodeJwt<undefined, typeof zAuthorizationResponse>\n  >;\n\n  /**\n   * Callback for verifying the authorization jwt signature\n   */\n  callbacks: Pick<CallbackContext, \"verifyJwt\">;\n\n  /**\n   * The issuer the Wallet Instance started the\n   * authorization flow (either via PAR or directly) with\n   */\n  iss: string;\n\n  /**\n   * Signer of the form POST returned jwt\n   */\n  signer: JwtSignerJwk;\n\n  /**\n   * The state sent by the Wallet Instance at the start\n   * of the authorization flow (either via PAR or directly)\n   */\n  state: string;\n}\n\n/**\n * Utility that verifies if the returned Authorization Response's iss and state field match\n * the Authorization Session ones\n * @param options {@link VerifyAuthorizationResponseOptions}\n * @returns the {@link AuthorizationResponse} passed as an option\n * @throws {Oid4vciError} in case the iss or state field of the Authorization request don't\n *         match the provided ones\n */\nexport async function verifyAuthorizationResponse(\n  options: VerifyAuthorizationResponseOptions,\n): Promise<AuthorizationResponse> {\n  if (options.authorizationResponse.iss !== options.iss)\n    throw new Oid4vciError(\n      `Response result iss doesn't match passed counterpart. Expected: ${options.iss}, Got: ${options.authorizationResponse.iss}`,\n    );\n  if (options.authorizationResponse.state !== options.state)\n    throw new Oid4vciError(\n      `Response result state doesn't match passed counterpart. Expected: ${options.state}, Got: ${options.authorizationResponse.state}`,\n    );\n\n  return options.authorizationResponse;\n}\n\n/**\n * Wrapper of {@link verifyAuthorizationResponse} that verifies the signature of the JWT containing\n * the authorization response and extracts the {@link AuthorizationResponse} payload\n * @param options {@link VerifyAuthorizationResponseFormPostJWTOptions}\n * @returns the {@link AuthorizationResponse} passed as an option\n * @throws {Oid4vciError} in case {@link verifyAuthorizationResponse} throws or in case\n *         signature verification fails\n */\nexport async function verifyAuthorizationResponseFormPostJWT(\n  options: VerifyAuthorizationResponseFormPostJWTOptions,\n): Promise<AuthorizationResponse> {\n  try {\n    const decodedJwt = options.authorizationResponseDecoded;\n    const result = await options.callbacks.verifyJwt(options.signer, {\n      compact: options.authorizationResponseCompact,\n      ...decodedJwt,\n    });\n\n    if (!result.verified) {\n      throw new Oid4vciError(\"Error verifying JWT signature\");\n    }\n\n    return verifyAuthorizationResponse({\n      authorizationResponse: options.authorizationResponseDecoded.payload,\n      iss: options.iss,\n      state: options.state,\n    });\n  } catch (error) {\n    if (error instanceof Oid4vciError) throw error;\n\n    throw new Oid4vciError(\n      `Unexpected error verifying form post jwt: ${error instanceof Error ? `${error.name} : ${error.message}` : String(error)}`,\n    );\n  }\n}\n","import z from \"zod\";\n\nexport const zAuthorizationResponse = z.object({\n  code: z.string(),\n  iss: z.string(),\n  state: z.string(),\n});\n\nexport type AuthorizationResponse = z.infer<typeof zAuthorizationResponse>;\n","import { CallbackContext, JwtSignerJwk } from \"@openid4vc/oauth2\";\nimport { dateToSeconds, parseWithErrorHandling } from \"@openid4vc/utils\";\n\nimport { Oid4vciError } from \"../errors\";\nimport { CredentialRequest, zCredentialRequest } from \"./z-credential\";\n\nexport interface CredentialRequestOptions {\n  /**\n   * Callbacks to use for signing proof\n   */\n  callbacks: Pick<CallbackContext, \"signJwt\">;\n\n  /**\n   * Client identifier of the OAuth2 Client making the Credential Request.\n   */\n  clientId: string;\n\n  /**\n   * This MUST be set with one of the value obtained in the credential_identifiers claim of the Token Response.\n   */\n  credential_identifier: string;\n\n  /**\n   * Identifier of the Credential Issuer, for ex: https://issuer.example.com.\n   */\n  issuerIdentifier: string;\n\n  /**\n   * A nonce value previously requested to associate a Client session with the Credential Request.\n   */\n  nonce: string;\n\n  /**\n   * The signer of the credential PoP JWT.\n   */\n  signer: JwtSignerJwk;\n}\n\n/**\n * Create a Credential Request.\n * @param options - Options to create the Credential Request\n * @returns The created Credential Request\n */\nexport const createCredentialRequest = async (\n  options: CredentialRequestOptions,\n): Promise<CredentialRequest> => {\n  try {\n    const { signJwt } = options.callbacks;\n    const proofJwt = await signJwt(options.signer, {\n      header: {\n        alg: options.signer.alg,\n        jwk: options.signer.publicJwk,\n        typ: \"openid4vci-proof+jwt\",\n      },\n      payload: {\n        aud: options.issuerIdentifier,\n        iat: dateToSeconds(new Date()),\n        iss: options.clientId,\n        nonce: options.nonce,\n      },\n    });\n\n    return parseWithErrorHandling(zCredentialRequest, {\n      credential_identifier: options.credential_identifier,\n      proof: {\n        jwt: proofJwt.jwt,\n        proof_type: \"jwt\",\n      },\n    } satisfies CredentialRequest);\n  } catch (error) {\n    throw new Oid4vciError(\n      `Unexpected error during create credential request: ${error instanceof Error ? error.message : String(error)}`,\n    );\n  }\n};\n","import { z } from \"zod\";\n\n// Proof object schema\nconst ProofSchema = z.object({\n  jwt: z.string().min(1, \"JWT must not be empty\"),\n  proof_type: z.literal(\"jwt\"), // MUST be \"jwt\"\n});\n\nexport const zCredentialRequest = z\n  .object({\n    credential_configuration_id: z\n      .string()\n      .optional()\n      .describe(\n        \"REQUIRED if credential_identifiers param is absent. MUST NOT be used otherwise.\",\n      ),\n\n    credential_identifier: z\n      .string()\n      .optional()\n      .describe(\n        \"REQUIRED when Authorization Details of type openid_credential was returned. MUST NOT be used if credential_configuration_id is present.\",\n      ),\n\n    proof: ProofSchema.describe(\n      \"REQUIRED. Proof of possession of key material (must contain proof_type=jwt and a jwt).\",\n    ),\n\n    transaction_id: z\n      .string()\n      .optional()\n      .describe(\n        \"REQUIRED only in case of deferred flow. MUST NOT be present in immediate flow.\",\n      ),\n  })\n  .superRefine((data, ctx) => {\n    // Exclusive OR between credential_identifier and credential_configuration_id\n    if (data.credential_identifier && data.credential_configuration_id) {\n      ctx.addIssue({\n        code: \"custom\",\n        message:\n          \"credential_identifier and credential_configuration_id MUST NOT be used together\",\n        path: [\"credential_identifier\"],\n      });\n    }\n\n    if (!data.credential_identifier && !data.credential_configuration_id) {\n      ctx.addIssue({\n        code: \"custom\",\n        message:\n          \"One of credential_identifier or credential_configuration_id MUST be present\",\n        path: [\"credential_identifier\"],\n      });\n    }\n  });\n\nexport type CredentialRequest = z.infer<typeof zCredentialRequest>;\n\nconst CredentialsSchema = z.object({\n  credential: z\n    .string()\n    .min(1, \"credential must not be empty\")\n    .describe(\n      \"REQUIRED. Contains the issued Digital Credential. Depending on format, may be raw JWT or base64url-encoded CBOR structure.\",\n    ),\n});\n\nexport const zCredentialResponse = z\n  .object({\n    credentials: CredentialsSchema.optional().describe(\n      \"REQUIRED if lead_time and transaction_id are not present. MUST NOT be present otherwise.\",\n    ),\n\n    lead_time: z\n      .number()\n      .int()\n      .positive()\n      .optional()\n      .describe(\n        \"REQUIRED if credentials is not present. MUST NOT be present otherwise.\",\n      ),\n\n    notification_id: z\n      .string()\n      .optional()\n      .describe(\"OPTIONAL. MUST NOT be present if credentials is not present.\"),\n\n    transaction_id: z\n      .string()\n      .optional()\n      .describe(\n        \"REQUIRED if credentials is not present. MUST NOT be present otherwise.\",\n      ),\n  })\n  .superRefine((data, ctx) => {\n    // Enforce XOR: credentials vs (lead_time + transaction_id)\n    if (data.credentials && (data.lead_time || data.transaction_id)) {\n      ctx.addIssue({\n        code: \"custom\",\n        message:\n          \"credentials MUST NOT be present if lead_time or transaction_id is provided\",\n        path: [\"credentials\"],\n      });\n    }\n\n    if (!data.credentials && (!data.lead_time || !data.transaction_id)) {\n      ctx.addIssue({\n        code: \"custom\",\n        message:\n          \"If credentials is absent, both lead_time and transaction_id MUST be present\",\n        path: [\"lead_time\"],\n      });\n    }\n\n    // notification_id must only exist if credentials is present\n    if (!data.credentials && data.notification_id) {\n      ctx.addIssue({\n        code: \"custom\",\n        message: \"notification_id MUST NOT be present if credentials is absent\",\n        path: [\"notification_id\"],\n      });\n    }\n  });\n\nexport type CredentialResponse = z.infer<typeof zCredentialResponse>;\n","import { CallbackContext } from \"@openid4vc/oauth2\";\nimport { createFetcher, parseWithErrorHandling } from \"@openid4vc/utils\";\nimport {\n  CONTENT_TYPES,\n  HEADERS,\n  UnexpectedStatusCodeError,\n  ValidationError,\n  hasStatusOrThrow,\n} from \"@pagopa/io-wallet-utils\";\n\nimport { FetchCredentialResponseError } from \"../errors\";\nimport {\n  CredentialRequest,\n  CredentialResponse,\n  zCredentialResponse,\n} from \"./z-credential\";\n\nexport interface FetchCredentialResponseOptions {\n  /**\n   * Access token to authorize the credential request for DPoP mechanism\n   */\n  accessToken: string;\n  /**\n   * Callbacks to use for requesting access token\n   */\n  callbacks: Pick<CallbackContext, \"fetch\">;\n\n  /**\n   * The credential endpoint URL\n   */\n  credentialEndpoint: string;\n\n  /**\n   * Credential request body\n   */\n  credentialRequest: CredentialRequest;\n\n  /**\n   * DPoP proof with addition of ath claim\n   */\n  dPoP: string;\n}\n\n/**\n * Fetches a credential response from the credential endpoint.\n *\n * @param options - Options for fetching the credential response\n * @returns The credential response\n * @throws FetchCredentialResponseError if an unexpected error occurs during the fetch\n * @throws UnexpectedStatusCodeError if the response status code is not 200\n * @throws ValidationError if the response cannot be parsed as a valid credential response\n */\nexport async function fetchCredentialResponse(\n  options: FetchCredentialResponseOptions,\n): Promise<CredentialResponse> {\n  try {\n    const fetch = createFetcher(options.callbacks.fetch);\n    const credentialResponse = await fetch(options.credentialEndpoint, {\n      body: JSON.stringify(options.credentialRequest),\n      headers: {\n        [HEADERS.AUTHORIZATION]: `DPoP ${options.accessToken}`,\n        [HEADERS.CONTENT_TYPE]: CONTENT_TYPES.JSON,\n        [HEADERS.DPOP]: options.dPoP,\n      },\n      method: \"POST\",\n    });\n\n    await hasStatusOrThrow(200, UnexpectedStatusCodeError)(credentialResponse);\n\n    return parseWithErrorHandling(\n      zCredentialResponse,\n      credentialResponse.json(),\n      `Failed to parse credential response`,\n    );\n  } catch (error) {\n    if (\n      error instanceof UnexpectedStatusCodeError ||\n      error instanceof ValidationError\n    ) {\n      throw error;\n    }\n    throw new FetchCredentialResponseError(\n      `Unexpected error during credential response: ${error instanceof Error ? error.message : String(error)}`,\n    );\n  }\n}\n","import { ClientAttestationJwtPayload } from \"@openid4vc/oauth2\";\nimport { Openid4vciWalletProvider } from \"@openid4vc/openid4vci\";\nimport { addSecondsToDate } from \"@openid4vc/utils\";\n\nimport { WalletProviderError } from \"../errors\";\n\n/**\n * @interface WalletAttestationOptions\n * @description Defines the options required to create a wallet attestation JWT.\n * This attestation is a signed token that proves the wallet's identity and possession of a cryptographic key.\n */\nexport interface WalletAttestationOptions {\n  /**\n   * The public part of the DPoP (Demonstrating Proof-of-Possession) key in JWK (JSON Web Key) format.\n   * This key is used to bind the attestation to the client's session.\n   * @type {ClientAttestationJwtPayload['cnf']}\n   */\n  dpopJwkPublic: ClientAttestationJwtPayload[\"cnf\"][\"jwk\"];\n\n  /**\n   * The optional expiration date for the attestation JWT. If not provided, a default lifetime will be used.\n   * @type {Date}\n   */\n  expiresAt?: Date;\n  /**\n   * The issuer of the attestation, typically the Wallet Provider's identifier.\n   * @type {string}\n   */\n  issuer: string;\n\n  signer: {\n    /**\n     * An array of JWTs representing the chain of trust from the federation's trust anchor\n     * to the wallet provider. This is used in federated identity systems to validate the provider's authenticity.\n     * @type {[string, ...string[]]}\n     */\n    trustChain: [string, ...string[]];\n\n    /**\n     * The Key ID (`kid`) of the wallet provider's public key used for signing the attestation.\n     * @type {string}\n     */\n    walletProviderJwkPublicKid: string;\n  };\n\n  /**\n   * An optional deep link or URL that can be used to open or interact with the wallet.\n   * @type {string}\n   */\n  walletLink?: string;\n\n  /**\n   * An optional display name for the wallet.\n   * @type {string}\n   */\n  walletName?: string;\n}\n\n/**\n * @class WalletProvider\n * @extends Openid4vciWalletProvider\n * @description An implementation of a wallet provider for the OpenID4VCI protocol, tailored for a specific ecosystem (e.g., the Italian one).\n * It handles the creation of wallet attestations required during the credential issuance flow.\n */\nexport class WalletProvider extends Openid4vciWalletProvider {\n  /**\n   * Creates a wallet attestation JWT.\n   *\n   * This method constructs a signed JWT that asserts the wallet's control over a specific\n   * cryptographic key (DPoP key). This is a security measure to ensure that the entity\n   * presenting the credential offer is the legitimate wallet instance.\n   *\n   * @public\n   * @async\n   * @param {WalletAttestationOptions} options - The necessary parameters to build the attestation.\n   * @returns {Promise<string>} A promise that resolves to the signed wallet attestation JWT as a string.\n   */\n  public async createItWalletAttestationJwt(\n    options: WalletAttestationOptions,\n  ): Promise<string> {\n    if (!options.dpopJwkPublic.kid) {\n      throw new WalletProviderError(\"The DPoP JWK must have a 'kid' property\");\n    }\n\n    const walletAttestation = await this.createWalletAttestationJwt({\n      clientId: options.dpopJwkPublic.kid,\n      confirmation: {\n        // We use the same key for DPoP as the wallet attestation\n        jwk: options.dpopJwkPublic,\n      },\n      expiresAt:\n        options.expiresAt ?? addSecondsToDate(new Date(), 3600 * 24 * 60 * 60),\n      issuer: options.issuer,\n      signer: {\n        alg: \"ES256\",\n        kid: options.signer.walletProviderJwkPublicKid,\n        method: \"federation\", // Indicates the validation method relies on a trust chain.\n        trustChain: options.signer.trustChain,\n      },\n      walletLink: options.walletLink,\n      walletName: options.walletName,\n    });\n\n    return walletAttestation;\n  }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACCA,mBAA+C;AAC/C,8BAAmC;AACnC,8BAGO;AACP,6BAGO;;;ACPA,IAAM,eAAN,cAA2B,MAAM;AAAA,EACtC,YACE,SACgB,YAChB;AACA,UAAM,OAAO;AAFG;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;AAOO,IAAM,sBAAN,cAAkC,aAAa;AAAA,EACpD,YACE,SACgB,eAChB;AACA,UAAM,OAAO;AAFG;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;AAKO,IAAM,oBAAN,cAAgC,MAAM;AAAA,EAC3C,YACE,SACgB,YAChB;AACA,UAAM,OAAO;AAFG;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;AAKO,IAAM,+BAAN,cAA2C,aAAa;AAAA,EAC7D,YACE,SACgB,eAChB;AACA,UAAM,OAAO;AAFG;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;;;ACqBA,eAAsB,4BACpB,SACgC;AAChC,MAAI,QAAQ,sBAAsB,QAAQ,QAAQ;AAChD,UAAM,IAAI;AAAA,MACR,mEAAmE,QAAQ,GAAG,UAAU,QAAQ,sBAAsB,GAAG;AAAA,IAC3H;AACF,MAAI,QAAQ,sBAAsB,UAAU,QAAQ;AAClD,UAAM,IAAI;AAAA,MACR,qEAAqE,QAAQ,KAAK,UAAU,QAAQ,sBAAsB,KAAK;AAAA,IACjI;AAEF,SAAO,QAAQ;AACjB;AAUA,eAAsB,uCACpB,SACgC;AAChC,MAAI;AACF,UAAM,aAAa,QAAQ;AAC3B,UAAM,SAAS,MAAM,QAAQ,UAAU,UAAU,QAAQ,QAAQ;AAAA,MAC/D,SAAS,QAAQ;AAAA,MACjB,GAAG;AAAA,IACL,CAAC;AAED,QAAI,CAAC,OAAO,UAAU;AACpB,YAAM,IAAI,aAAa,+BAA+B;AAAA,IACxD;AAEA,WAAO,4BAA4B;AAAA,MACjC,uBAAuB,QAAQ,6BAA6B;AAAA,MAC5D,KAAK,QAAQ;AAAA,MACb,OAAO,QAAQ;AAAA,IACjB,CAAC;AAAA,EACH,SAAS,OAAO;AACd,QAAI,iBAAiB,aAAc,OAAM;AAEzC,UAAM,IAAI;AAAA,MACR,6CAA6C,iBAAiB,QAAQ,GAAG,MAAM,IAAI,MAAM,MAAM,OAAO,KAAK,OAAO,KAAK,CAAC;AAAA,IAC1H;AAAA,EACF;AACF;;;AC1HA,iBAAc;AAEP,IAAM,yBAAyB,WAAAA,QAAE,OAAO;AAAA,EAC7C,MAAM,WAAAA,QAAE,OAAO;AAAA,EACf,KAAK,WAAAA,QAAE,OAAO;AAAA,EACd,OAAO,WAAAA,QAAE,OAAO;AAClB,CAAC;;;AHqDD,eAAsB,sBACpB,SACsE;AACtE,MAAI;AACF,UAAM,YAAQ,4BAAc,QAAQ,UAAU,KAAK;AACnD,UAAM,8BAA8B,MAAM,MAAM,QAAQ,YAAY;AAEpE,cAAM;AAAA,MACJ;AAAA,MACA;AAAA,IACF,EAAE,2BAA2B;AAE7B,WAAO,UAAM,4CAAmB;AAAA,MAC9B,UAAU,MAAM,4BAA4B,KAAK;AAAA,MACjD,QAAQ;AAAA,IACV,CAAC;AAAA,EACH,SAAS,OAAO;AACd,QACE,iBAAiB,oDACjB,iBAAiB,gCACjB,iBAAiB,cACjB;AACA,YAAM;AAAA,IACR;AACA,UAAM,IAAI;AAAA,MACR,0DAA0D,iBAAiB,QAAQ,GAAG,MAAM,IAAI,MAAM,MAAM,OAAO,KAAK,OAAO,KAAK,CAAC;AAAA,IACvI;AAAA,EACF;AACF;AAWA,eAAsB,wCACpB,SACgC;AAChC,MAAI;AACF,UAAM,sBAAsB,UAAM,oDAA2B,OAAO;AAEpE,UAAM,gBAAgB,MAAM,sBAAsB;AAAA,MAChD,GAAG;AAAA,MACH,cAAc,oBAAoB;AAAA,IACpC,CAAC;AAED,WAAO,uCAAuC;AAAA,MAC5C,8BAA8B,cAAc;AAAA,MAC5C,8BAA8B,cAAc;AAAA,MAC5C,WAAW;AAAA,QACT,WAAW,QAAQ,UAAU;AAAA,MAC/B;AAAA,MACA,KAAK,QAAQ;AAAA,MACb,QAAQ,QAAQ;AAAA,MAChB,OAAO,QAAQ;AAAA,IACjB,CAAC;AAAA,EACH,SAAS,OAAO;AACd,QACE,iBAAiB,oDACjB,iBAAiB,gCACjB,iBAAiB,cACjB;AACA,YAAM;AAAA,IACR;AACA,UAAM,IAAI;AAAA,MACR,sFAAsF,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK,CAAC;AAAA,IAC9I;AAAA,EACF;AACF;;;AIlIA,IAAAC,gBAAsD;;;ACDtD,IAAAC,cAAkB;AAGlB,IAAM,cAAc,cAAE,OAAO;AAAA,EAC3B,KAAK,cAAE,OAAO,EAAE,IAAI,GAAG,uBAAuB;AAAA,EAC9C,YAAY,cAAE,QAAQ,KAAK;AAAA;AAC7B,CAAC;AAEM,IAAM,qBAAqB,cAC/B,OAAO;AAAA,EACN,6BAA6B,cAC1B,OAAO,EACP,SAAS,EACT;AAAA,IACC;AAAA,EACF;AAAA,EAEF,uBAAuB,cACpB,OAAO,EACP,SAAS,EACT;AAAA,IACC;AAAA,EACF;AAAA,EAEF,OAAO,YAAY;AAAA,IACjB;AAAA,EACF;AAAA,EAEA,gBAAgB,cACb,OAAO,EACP,SAAS,EACT;AAAA,IACC;AAAA,EACF;AACJ,CAAC,EACA,YAAY,CAAC,MAAM,QAAQ;AAE1B,MAAI,KAAK,yBAAyB,KAAK,6BAA6B;AAClE,QAAI,SAAS;AAAA,MACX,MAAM;AAAA,MACN,SACE;AAAA,MACF,MAAM,CAAC,uBAAuB;AAAA,IAChC,CAAC;AAAA,EACH;AAEA,MAAI,CAAC,KAAK,yBAAyB,CAAC,KAAK,6BAA6B;AACpE,QAAI,SAAS;AAAA,MACX,MAAM;AAAA,MACN,SACE;AAAA,MACF,MAAM,CAAC,uBAAuB;AAAA,IAChC,CAAC;AAAA,EACH;AACF,CAAC;AAIH,IAAM,oBAAoB,cAAE,OAAO;AAAA,EACjC,YAAY,cACT,OAAO,EACP,IAAI,GAAG,8BAA8B,EACrC;AAAA,IACC;AAAA,EACF;AACJ,CAAC;AAEM,IAAM,sBAAsB,cAChC,OAAO;AAAA,EACN,aAAa,kBAAkB,SAAS,EAAE;AAAA,IACxC;AAAA,EACF;AAAA,EAEA,WAAW,cACR,OAAO,EACP,IAAI,EACJ,SAAS,EACT,SAAS,EACT;AAAA,IACC;AAAA,EACF;AAAA,EAEF,iBAAiB,cACd,OAAO,EACP,SAAS,EACT,SAAS,8DAA8D;AAAA,EAE1E,gBAAgB,cACb,OAAO,EACP,SAAS,EACT;AAAA,IACC;AAAA,EACF;AACJ,CAAC,EACA,YAAY,CAAC,MAAM,QAAQ;AAE1B,MAAI,KAAK,gBAAgB,KAAK,aAAa,KAAK,iBAAiB;AAC/D,QAAI,SAAS;AAAA,MACX,MAAM;AAAA,MACN,SACE;AAAA,MACF,MAAM,CAAC,aAAa;AAAA,IACtB,CAAC;AAAA,EACH;AAEA,MAAI,CAAC,KAAK,gBAAgB,CAAC,KAAK,aAAa,CAAC,KAAK,iBAAiB;AAClE,QAAI,SAAS;AAAA,MACX,MAAM;AAAA,MACN,SACE;AAAA,MACF,MAAM,CAAC,WAAW;AAAA,IACpB,CAAC;AAAA,EACH;AAGA,MAAI,CAAC,KAAK,eAAe,KAAK,iBAAiB;AAC7C,QAAI,SAAS;AAAA,MACX,MAAM;AAAA,MACN,SAAS;AAAA,MACT,MAAM,CAAC,iBAAiB;AAAA,IAC1B,CAAC;AAAA,EACH;AACF,CAAC;;;AD/EI,IAAM,0BAA0B,OACrC,YAC+B;AAC/B,MAAI;AACF,UAAM,EAAE,QAAQ,IAAI,QAAQ;AAC5B,UAAM,WAAW,MAAM,QAAQ,QAAQ,QAAQ;AAAA,MAC7C,QAAQ;AAAA,QACN,KAAK,QAAQ,OAAO;AAAA,QACpB,KAAK,QAAQ,OAAO;AAAA,QACpB,KAAK;AAAA,MACP;AAAA,MACA,SAAS;AAAA,QACP,KAAK,QAAQ;AAAA,QACb,SAAK,6BAAc,oBAAI,KAAK,CAAC;AAAA,QAC7B,KAAK,QAAQ;AAAA,QACb,OAAO,QAAQ;AAAA,MACjB;AAAA,IACF,CAAC;AAED,eAAO,sCAAuB,oBAAoB;AAAA,MAChD,uBAAuB,QAAQ;AAAA,MAC/B,OAAO;AAAA,QACL,KAAK,SAAS;AAAA,QACd,YAAY;AAAA,MACd;AAAA,IACF,CAA6B;AAAA,EAC/B,SAAS,OAAO;AACd,UAAM,IAAI;AAAA,MACR,sDAAsD,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK,CAAC;AAAA,IAC9G;AAAA,EACF;AACF;;;AEzEA,IAAAC,gBAAsD;AACtD,IAAAC,0BAMO;AA4CP,eAAsB,wBACpB,SAC6B;AAC7B,MAAI;AACF,UAAM,YAAQ,6BAAc,QAAQ,UAAU,KAAK;AACnD,UAAM,qBAAqB,MAAM,MAAM,QAAQ,oBAAoB;AAAA,MACjE,MAAM,KAAK,UAAU,QAAQ,iBAAiB;AAAA,MAC9C,SAAS;AAAA,QACP,CAAC,gCAAQ,aAAa,GAAG,QAAQ,QAAQ,WAAW;AAAA,QACpD,CAAC,gCAAQ,YAAY,GAAG,sCAAc;AAAA,QACtC,CAAC,gCAAQ,IAAI,GAAG,QAAQ;AAAA,MAC1B;AAAA,MACA,QAAQ;AAAA,IACV,CAAC;AAED,cAAM,0CAAiB,KAAK,iDAAyB,EAAE,kBAAkB;AAEzE,eAAO;AAAA,MACL;AAAA,MACA,mBAAmB,KAAK;AAAA,MACxB;AAAA,IACF;AAAA,EACF,SAAS,OAAO;AACd,QACE,iBAAiB,qDACjB,iBAAiB,yCACjB;AACA,YAAM;AAAA,IACR;AACA,UAAM,IAAI;AAAA,MACR,gDAAgD,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK,CAAC;AAAA,IACxG;AAAA,EACF;AACF;;;ACpFA,wBAAyC;AACzC,IAAAC,gBAAiC;AA8D1B,IAAM,iBAAN,cAA6B,2CAAyB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAa3D,MAAa,6BACX,SACiB;AACjB,QAAI,CAAC,QAAQ,cAAc,KAAK;AAC9B,YAAM,IAAI,oBAAoB,yCAAyC;AAAA,IACzE;AAEA,UAAM,oBAAoB,MAAM,KAAK,2BAA2B;AAAA,MAC9D,UAAU,QAAQ,cAAc;AAAA,MAChC,cAAc;AAAA;AAAA,QAEZ,KAAK,QAAQ;AAAA,MACf;AAAA,MACA,WACE,QAAQ,iBAAa,gCAAiB,oBAAI,KAAK,GAAG,OAAO,KAAK,KAAK,EAAE;AAAA,MACvE,QAAQ,QAAQ;AAAA,MAChB,QAAQ;AAAA,QACN,KAAK;AAAA,QACL,KAAK,QAAQ,OAAO;AAAA,QACpB,QAAQ;AAAA;AAAA,QACR,YAAY,QAAQ,OAAO;AAAA,MAC7B;AAAA,MACA,YAAY,QAAQ;AAAA,MACpB,YAAY,QAAQ;AAAA,IACtB,CAAC;AAED,WAAO;AAAA,EACT;AACF;","names":["z","import_utils","import_zod","import_utils","import_io_wallet_utils","import_utils"]}

package/dist/index.mjs

@@ -131,6 +131,153 @@ async function sendAuthorizationResponseAndExtractCode(options) {
   }
 }
 
+// src/credential-request/create-credential-request.ts
+import { dateToSeconds, parseWithErrorHandling } from "@openid4vc/utils";
+
+// src/credential-request/z-credential.ts
+import { z as z2 } from "zod";
+var ProofSchema = z2.object({
+  jwt: z2.string().min(1, "JWT must not be empty"),
+  proof_type: z2.literal("jwt")
+  // MUST be "jwt"
+});
+var zCredentialRequest = z2.object({
+  credential_configuration_id: z2.string().optional().describe(
+    "REQUIRED if credential_identifiers param is absent. MUST NOT be used otherwise."
+  ),
+  credential_identifier: z2.string().optional().describe(
+    "REQUIRED when Authorization Details of type openid_credential was returned. MUST NOT be used if credential_configuration_id is present."
+  ),
+  proof: ProofSchema.describe(
+    "REQUIRED. Proof of possession of key material (must contain proof_type=jwt and a jwt)."
+  ),
+  transaction_id: z2.string().optional().describe(
+    "REQUIRED only in case of deferred flow. MUST NOT be present in immediate flow."
+  )
+}).superRefine((data, ctx) => {
+  if (data.credential_identifier && data.credential_configuration_id) {
+    ctx.addIssue({
+      code: "custom",
+      message: "credential_identifier and credential_configuration_id MUST NOT be used together",
+      path: ["credential_identifier"]
+    });
+  }
+  if (!data.credential_identifier && !data.credential_configuration_id) {
+    ctx.addIssue({
+      code: "custom",
+      message: "One of credential_identifier or credential_configuration_id MUST be present",
+      path: ["credential_identifier"]
+    });
+  }
+});
+var CredentialsSchema = z2.object({
+  credential: z2.string().min(1, "credential must not be empty").describe(
+    "REQUIRED. Contains the issued Digital Credential. Depending on format, may be raw JWT or base64url-encoded CBOR structure."
+  )
+});
+var zCredentialResponse = z2.object({
+  credentials: CredentialsSchema.optional().describe(
+    "REQUIRED if lead_time and transaction_id are not present. MUST NOT be present otherwise."
+  ),
+  lead_time: z2.number().int().positive().optional().describe(
+    "REQUIRED if credentials is not present. MUST NOT be present otherwise."
+  ),
+  notification_id: z2.string().optional().describe("OPTIONAL. MUST NOT be present if credentials is not present."),
+  transaction_id: z2.string().optional().describe(
+    "REQUIRED if credentials is not present. MUST NOT be present otherwise."
+  )
+}).superRefine((data, ctx) => {
+  if (data.credentials && (data.lead_time || data.transaction_id)) {
+    ctx.addIssue({
+      code: "custom",
+      message: "credentials MUST NOT be present if lead_time or transaction_id is provided",
+      path: ["credentials"]
+    });
+  }
+  if (!data.credentials && (!data.lead_time || !data.transaction_id)) {
+    ctx.addIssue({
+      code: "custom",
+      message: "If credentials is absent, both lead_time and transaction_id MUST be present",
+      path: ["lead_time"]
+    });
+  }
+  if (!data.credentials && data.notification_id) {
+    ctx.addIssue({
+      code: "custom",
+      message: "notification_id MUST NOT be present if credentials is absent",
+      path: ["notification_id"]
+    });
+  }
+});
+
+// src/credential-request/create-credential-request.ts
+var createCredentialRequest = async (options) => {
+  try {
+    const { signJwt } = options.callbacks;
+    const proofJwt = await signJwt(options.signer, {
+      header: {
+        alg: options.signer.alg,
+        jwk: options.signer.publicJwk,
+        typ: "openid4vci-proof+jwt"
+      },
+      payload: {
+        aud: options.issuerIdentifier,
+        iat: dateToSeconds(/* @__PURE__ */ new Date()),
+        iss: options.clientId,
+        nonce: options.nonce
+      }
+    });
+    return parseWithErrorHandling(zCredentialRequest, {
+      credential_identifier: options.credential_identifier,
+      proof: {
+        jwt: proofJwt.jwt,
+        proof_type: "jwt"
+      }
+    });
+  } catch (error) {
+    throw new Oid4vciError(
+      `Unexpected error during create credential request: ${error instanceof Error ? error.message : String(error)}`
+    );
+  }
+};
+
+// src/credential-request/fetch-credential-response.ts
+import { createFetcher as createFetcher2, parseWithErrorHandling as parseWithErrorHandling2 } from "@openid4vc/utils";
+import {
+  CONTENT_TYPES,
+  HEADERS,
+  UnexpectedStatusCodeError as UnexpectedStatusCodeError2,
+  ValidationError as ValidationError2,
+  hasStatusOrThrow as hasStatusOrThrow2
+} from "@pagopa/io-wallet-utils";
+async function fetchCredentialResponse(options) {
+  try {
+    const fetch = createFetcher2(options.callbacks.fetch);
+    const credentialResponse = await fetch(options.credentialEndpoint, {
+      body: JSON.stringify(options.credentialRequest),
+      headers: {
+        [HEADERS.AUTHORIZATION]: `DPoP ${options.accessToken}`,
+        [HEADERS.CONTENT_TYPE]: CONTENT_TYPES.JSON,
+        [HEADERS.DPOP]: options.dPoP
+      },
+      method: "POST"
+    });
+    await hasStatusOrThrow2(200, UnexpectedStatusCodeError2)(credentialResponse);
+    return parseWithErrorHandling2(
+      zCredentialResponse,
+      credentialResponse.json(),
+      `Failed to parse credential response`
+    );
+  } catch (error) {
+    if (error instanceof UnexpectedStatusCodeError2 || error instanceof ValidationError2) {
+      throw error;
+    }
+    throw new FetchCredentialResponseError(
+      `Unexpected error during credential response: ${error instanceof Error ? error.message : String(error)}`
+    );
+  }
+}
+
 // src/wallet-provider/WalletProvider.ts
 import { Openid4vciWalletProvider } from "@openid4vc/openid4vci";
 import { addSecondsToDate } from "@openid4vc/utils";
@@ -179,7 +326,11 @@ export {
   WalletProvider,
   WalletProviderError,
   completeAuthorization,
+  createCredentialRequest,
+  fetchCredentialResponse,
   sendAuthorizationResponseAndExtractCode,
-  zAuthorizationResponse
+  zAuthorizationResponse,
+  zCredentialRequest,
+  zCredentialResponse
 };
 //# sourceMappingURL=index.mjs.map

package/dist/index.mjs.map

@@ -1 +1 @@
-{"version":3,"sources":["../src/authorization-response/complete-authorization.ts","../src/errors.ts","../src/authorization-response/verify-authorization-response.ts","../src/authorization-response/z-authorization-response.ts","../src/wallet-provider/WalletProvider.ts"],"sourcesContent":["import { CallbackContext } from \"@openid4vc/oauth2\";\nimport { ValidationError, createFetcher } from \"@openid4vc/utils\";\nimport { getJwtFromFormPost } from \"@pagopa/io-wallet-oauth2\";\nimport {\n  FetchAuthorizationResponseOptions,\n  fetchAuthorizationResponse,\n} from \"@pagopa/io-wallet-oid4vp\";\nimport {\n  UnexpectedStatusCodeError,\n  hasStatusOrThrow,\n} from \"@pagopa/io-wallet-utils\";\n\nimport { Oid4vciError } from \"../errors\";\nimport {\n  VerifyAuthorizationResponseFormPostJWTOptions,\n  verifyAuthorizationResponseFormPostJWT,\n} from \"./verify-authorization-response\";\nimport {\n  AuthorizationResponse,\n  zAuthorizationResponse,\n} from \"./z-authorization-response\";\n\nexport interface CompleteAuthorizationOptions {\n  callbacks: Pick<CallbackContext, \"fetch\">;\n\n  /**\n   * The response_uri returned by the server after a successful\n   * OID4VP Authorization Response is sent\n   */\n  response_uri: string;\n}\n\n/**\n * Combination of {@link CompleteAuthorizationOptions},\n * {@link FetchAuthorizationResponseOptions} and\n * {@link VerifyAuthorizationResponseFormPostJWTOptions}\n */\nexport type SendAuthorizationResponseAndExtractCodeOptions =\n  FetchAuthorizationResponseOptions &\n    Omit<\n      VerifyAuthorizationResponseFormPostJWTOptions,\n      \"authorizationResponseCompact\" | \"authorizationResponseDecoded\"\n    > &\n    Omit<CompleteAuthorizationOptions, \"response_uri\">;\n\n/**\n * Method that completes the form_post.jwt based authorization\n * process for credentials issuance following the ITWallet\n * specification by retrieving the form from the provided uri,\n * extracting and parsing the contained JWT and verifying the\n * iss and state fields match the authorization session's expected\n * values.\n * See https://italia.github.io/eid-wallet-it-docs/versione-corrente/en/credential-issuance-low-level.html#\n * steps 6-7 for details.\n *\n * @param options {@link CompleteAuthorizationOptions}\n * @returns An object containing the fetched JWT and its decoding. The JWT contains the access code\n *          necessary for access token issuance\n */\nexport async function completeAuthorization(\n  options: CompleteAuthorizationOptions,\n): ReturnType<typeof getJwtFromFormPost<typeof zAuthorizationResponse>> {\n  try {\n    const fetch = createFetcher(options.callbacks.fetch);\n    const authorizationResponseResult = await fetch(options.response_uri);\n\n    await hasStatusOrThrow(\n      200,\n      UnexpectedStatusCodeError,\n    )(authorizationResponseResult);\n\n    return await getJwtFromFormPost({\n      formData: await authorizationResponseResult.text(),\n      schema: zAuthorizationResponse,\n    });\n  } catch (error) {\n    if (\n      error instanceof UnexpectedStatusCodeError ||\n      error instanceof ValidationError ||\n      error instanceof Oid4vciError\n    ) {\n      throw error;\n    }\n    throw new Oid4vciError(\n      `Unexpected error completing the authorization process: ${error instanceof Error ? `${error.name} : ${error.message}` : String(error)}`,\n    );\n  }\n}\n\n/**\n * Convenience method that combines {@link completeAuthorization},\n * oid4vp package's {@link fetchAuthorizationResponse} and {@link verifyAuthorizationResponseFormPostJWT} to retrieve the\n * access code starting from the authorization response and the response uri\n *\n * @param options {@link SendAuthorizationResponseAndExtractCodeOptions}\n * @returns An object containing the fetched JWT and its decoding. The JWT contains the access code\n *          for necessary for access token issuance\n */\nexport async function sendAuthorizationResponseAndExtractCode(\n  options: SendAuthorizationResponseAndExtractCodeOptions,\n): Promise<AuthorizationResponse> {\n  try {\n    const authorizationResult = await fetchAuthorizationResponse(options);\n\n    const jwtAndPayload = await completeAuthorization({\n      ...options,\n      response_uri: authorizationResult.redirect_uri,\n    });\n\n    return verifyAuthorizationResponseFormPostJWT({\n      authorizationResponseCompact: jwtAndPayload.jwt,\n      authorizationResponseDecoded: jwtAndPayload.decodedJwt,\n      callbacks: {\n        verifyJwt: options.callbacks.verifyJwt,\n      },\n      iss: options.iss,\n      signer: options.signer,\n      state: options.state,\n    });\n  } catch (error) {\n    if (\n      error instanceof UnexpectedStatusCodeError ||\n      error instanceof ValidationError ||\n      error instanceof Oid4vciError\n    ) {\n      throw error;\n    }\n    throw new Oid4vciError(\n      `Unexpected error sending the authorization response and retrieving the acces code: ${error instanceof Error ? error.message : String(error)}`,\n    );\n  }\n}\n","/**\n * Generic error thrown on Oid4vci operations\n */\nexport class Oid4vciError extends Error {\n  constructor(\n    message: string,\n    public readonly statusCode?: number,\n  ) {\n    super(message);\n    this.name = \"Oid4vciError\";\n  }\n}\n\n/**\n * Error thrown in case the DPoP key passed to the\n * {@link WalletProvider.createItWalletAttestationJwt} method\n * doesn't contain a kid\n */\nexport class WalletProviderError extends Oid4vciError {\n  constructor(\n    message: string,\n    public readonly originalError?: unknown,\n  ) {\n    super(message);\n    this.name = \"WalletProviderError\";\n  }\n}\n\n/**\n * Error thrown when an unexpected error occurs during nonce request.\n */\nexport class NonceRequestError extends Error {\n  constructor(\n    message: string,\n    public readonly statusCode?: number,\n  ) {\n    super(message);\n    this.name = \"NonceRequestError\";\n  }\n}\n\n/**\n * Error thrown when an unexpected error occurs during credential response fetching.\n */\nexport class FetchCredentialResponseError extends Oid4vciError {\n  constructor(\n    message: string,\n    public readonly originalError?: unknown,\n  ) {\n    super(message);\n    this.name = \"FetchCredentialResponseError\";\n  }\n}\n","import { CallbackContext, JwtSignerJwk, decodeJwt } from \"@openid4vc/oauth2\";\n\nimport { Oid4vciError } from \"../errors\";\nimport {\n  AuthorizationResponse,\n  zAuthorizationResponse,\n} from \"./z-authorization-response\";\n\nexport interface VerifyAuthorizationResponseOptions {\n  /**\n   * Authorization response object containing the authorization\n   * code, the issuer and the session's state\n   */\n  authorizationResponse: AuthorizationResponse;\n\n  /**\n   * The issuer the Wallet Instance started the\n   * authorization flow (either via PAR or directly) with\n   */\n  iss: string;\n\n  /**\n   * The state sent by the Wallet Instance at the start\n   * of the authorization flow (either via PAR or directly)\n   */\n  state: string;\n}\n\nexport interface VerifyAuthorizationResponseFormPostJWTOptions {\n  /**\n   * Compact AuthorizaitonResponse JWT\n   */\n  authorizationResponseCompact: string;\n\n  /**\n   * Authorization Response object containing the authorization\n   * code, the issuer and the session's state\n   */\n  authorizationResponseDecoded: ReturnType<\n    typeof decodeJwt<undefined, typeof zAuthorizationResponse>\n  >;\n\n  /**\n   * Callback for verifying the authorization jwt signature\n   */\n  callbacks: Pick<CallbackContext, \"verifyJwt\">;\n\n  /**\n   * The issuer the Wallet Instance started the\n   * authorization flow (either via PAR or directly) with\n   */\n  iss: string;\n\n  /**\n   * Signer of the form POST returned jwt\n   */\n  signer: JwtSignerJwk;\n\n  /**\n   * The state sent by the Wallet Instance at the start\n   * of the authorization flow (either via PAR or directly)\n   */\n  state: string;\n}\n\n/**\n * Utility that verifies if the returned Authorization Response's iss and state field match\n * the Authorization Session ones\n * @param options {@link VerifyAuthorizationResponseOptions}\n * @returns the {@link AuthorizationResponse} passed as an option\n * @throws {Oid4vciError} in case the iss or state field of the Authorization request don't\n *         match the provided ones\n */\nexport async function verifyAuthorizationResponse(\n  options: VerifyAuthorizationResponseOptions,\n): Promise<AuthorizationResponse> {\n  if (options.authorizationResponse.iss !== options.iss)\n    throw new Oid4vciError(\n      `Response result iss doesn't match passed counterpart. Expected: ${options.iss}, Got: ${options.authorizationResponse.iss}`,\n    );\n  if (options.authorizationResponse.state !== options.state)\n    throw new Oid4vciError(\n      `Response result state doesn't match passed counterpart. Expected: ${options.state}, Got: ${options.authorizationResponse.state}`,\n    );\n\n  return options.authorizationResponse;\n}\n\n/**\n * Wrapper of {@link verifyAuthorizationResponse} that verifies the signature of the JWT containing\n * the authorization response and extracts the {@link AuthorizationResponse} payload\n * @param options {@link VerifyAuthorizationResponseFormPostJWTOptions}\n * @returns the {@link AuthorizationResponse} passed as an option\n * @throws {Oid4vciError} in case {@link verifyAuthorizationResponse} throws or in case\n *         signature verification fails\n */\nexport async function verifyAuthorizationResponseFormPostJWT(\n  options: VerifyAuthorizationResponseFormPostJWTOptions,\n): Promise<AuthorizationResponse> {\n  try {\n    const decodedJwt = options.authorizationResponseDecoded;\n    const result = await options.callbacks.verifyJwt(options.signer, {\n      compact: options.authorizationResponseCompact,\n      ...decodedJwt,\n    });\n\n    if (!result.verified) {\n      throw new Oid4vciError(\"Error verifying JWT signature\");\n    }\n\n    return verifyAuthorizationResponse({\n      authorizationResponse: options.authorizationResponseDecoded.payload,\n      iss: options.iss,\n      state: options.state,\n    });\n  } catch (error) {\n    if (error instanceof Oid4vciError) throw error;\n\n    throw new Oid4vciError(\n      `Unexpected error verifying form post jwt: ${error instanceof Error ? `${error.name} : ${error.message}` : String(error)}`,\n    );\n  }\n}\n","import z from \"zod\";\n\nexport const zAuthorizationResponse = z.object({\n  code: z.string(),\n  iss: z.string(),\n  state: z.string(),\n});\n\nexport type AuthorizationResponse = z.infer<typeof zAuthorizationResponse>;\n","import { ClientAttestationJwtPayload } from \"@openid4vc/oauth2\";\nimport { Openid4vciWalletProvider } from \"@openid4vc/openid4vci\";\nimport { addSecondsToDate } from \"@openid4vc/utils\";\n\nimport { WalletProviderError } from \"../errors\";\n\n/**\n * @interface WalletAttestationOptions\n * @description Defines the options required to create a wallet attestation JWT.\n * This attestation is a signed token that proves the wallet's identity and possession of a cryptographic key.\n */\nexport interface WalletAttestationOptions {\n  /**\n   * The public part of the DPoP (Demonstrating Proof-of-Possession) key in JWK (JSON Web Key) format.\n   * This key is used to bind the attestation to the client's session.\n   * @type {ClientAttestationJwtPayload['cnf']}\n   */\n  dpopJwkPublic: ClientAttestationJwtPayload[\"cnf\"][\"jwk\"];\n\n  /**\n   * The optional expiration date for the attestation JWT. If not provided, a default lifetime will be used.\n   * @type {Date}\n   */\n  expiresAt?: Date;\n  /**\n   * The issuer of the attestation, typically the Wallet Provider's identifier.\n   * @type {string}\n   */\n  issuer: string;\n\n  signer: {\n    /**\n     * An array of JWTs representing the chain of trust from the federation's trust anchor\n     * to the wallet provider. This is used in federated identity systems to validate the provider's authenticity.\n     * @type {[string, ...string[]]}\n     */\n    trustChain: [string, ...string[]];\n\n    /**\n     * The Key ID (`kid`) of the wallet provider's public key used for signing the attestation.\n     * @type {string}\n     */\n    walletProviderJwkPublicKid: string;\n  };\n\n  /**\n   * An optional deep link or URL that can be used to open or interact with the wallet.\n   * @type {string}\n   */\n  walletLink?: string;\n\n  /**\n   * An optional display name for the wallet.\n   * @type {string}\n   */\n  walletName?: string;\n}\n\n/**\n * @class WalletProvider\n * @extends Openid4vciWalletProvider\n * @description An implementation of a wallet provider for the OpenID4VCI protocol, tailored for a specific ecosystem (e.g., the Italian one).\n * It handles the creation of wallet attestations required during the credential issuance flow.\n */\nexport class WalletProvider extends Openid4vciWalletProvider {\n  /**\n   * Creates a wallet attestation JWT.\n   *\n   * This method constructs a signed JWT that asserts the wallet's control over a specific\n   * cryptographic key (DPoP key). This is a security measure to ensure that the entity\n   * presenting the credential offer is the legitimate wallet instance.\n   *\n   * @public\n   * @async\n   * @param {WalletAttestationOptions} options - The necessary parameters to build the attestation.\n   * @returns {Promise<string>} A promise that resolves to the signed wallet attestation JWT as a string.\n   */\n  public async createItWalletAttestationJwt(\n    options: WalletAttestationOptions,\n  ): Promise<string> {\n    if (!options.dpopJwkPublic.kid) {\n      throw new WalletProviderError(\"The DPoP JWK must have a 'kid' property\");\n    }\n\n    const walletAttestation = await this.createWalletAttestationJwt({\n      clientId: options.dpopJwkPublic.kid,\n      confirmation: {\n        // We use the same key for DPoP as the wallet attestation\n        jwk: options.dpopJwkPublic,\n      },\n      expiresAt:\n        options.expiresAt ?? addSecondsToDate(new Date(), 3600 * 24 * 60 * 60),\n      issuer: options.issuer,\n      signer: {\n        alg: \"ES256\",\n        kid: options.signer.walletProviderJwkPublicKid,\n        method: \"federation\", // Indicates the validation method relies on a trust chain.\n        trustChain: options.signer.trustChain,\n      },\n      walletLink: options.walletLink,\n      walletName: options.walletName,\n    });\n\n    return walletAttestation;\n  }\n}\n"],"mappings":";AACA,SAAS,iBAAiB,qBAAqB;AAC/C,SAAS,0BAA0B;AACnC;AAAA,EAEE;AAAA,OACK;AACP;AAAA,EACE;AAAA,EACA;AAAA,OACK;;;ACPA,IAAM,eAAN,cAA2B,MAAM;AAAA,EACtC,YACE,SACgB,YAChB;AACA,UAAM,OAAO;AAFG;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;AAOO,IAAM,sBAAN,cAAkC,aAAa;AAAA,EACpD,YACE,SACgB,eAChB;AACA,UAAM,OAAO;AAFG;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;AAKO,IAAM,oBAAN,cAAgC,MAAM;AAAA,EAC3C,YACE,SACgB,YAChB;AACA,UAAM,OAAO;AAFG;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;AAKO,IAAM,+BAAN,cAA2C,aAAa;AAAA,EAC7D,YACE,SACgB,eAChB;AACA,UAAM,OAAO;AAFG;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;;;ACqBA,eAAsB,4BACpB,SACgC;AAChC,MAAI,QAAQ,sBAAsB,QAAQ,QAAQ;AAChD,UAAM,IAAI;AAAA,MACR,mEAAmE,QAAQ,GAAG,UAAU,QAAQ,sBAAsB,GAAG;AAAA,IAC3H;AACF,MAAI,QAAQ,sBAAsB,UAAU,QAAQ;AAClD,UAAM,IAAI;AAAA,MACR,qEAAqE,QAAQ,KAAK,UAAU,QAAQ,sBAAsB,KAAK;AAAA,IACjI;AAEF,SAAO,QAAQ;AACjB;AAUA,eAAsB,uCACpB,SACgC;AAChC,MAAI;AACF,UAAM,aAAa,QAAQ;AAC3B,UAAM,SAAS,MAAM,QAAQ,UAAU,UAAU,QAAQ,QAAQ;AAAA,MAC/D,SAAS,QAAQ;AAAA,MACjB,GAAG;AAAA,IACL,CAAC;AAED,QAAI,CAAC,OAAO,UAAU;AACpB,YAAM,IAAI,aAAa,+BAA+B;AAAA,IACxD;AAEA,WAAO,4BAA4B;AAAA,MACjC,uBAAuB,QAAQ,6BAA6B;AAAA,MAC5D,KAAK,QAAQ;AAAA,MACb,OAAO,QAAQ;AAAA,IACjB,CAAC;AAAA,EACH,SAAS,OAAO;AACd,QAAI,iBAAiB,aAAc,OAAM;AAEzC,UAAM,IAAI;AAAA,MACR,6CAA6C,iBAAiB,QAAQ,GAAG,MAAM,IAAI,MAAM,MAAM,OAAO,KAAK,OAAO,KAAK,CAAC;AAAA,IAC1H;AAAA,EACF;AACF;;;AC1HA,OAAO,OAAO;AAEP,IAAM,yBAAyB,EAAE,OAAO;AAAA,EAC7C,MAAM,EAAE,OAAO;AAAA,EACf,KAAK,EAAE,OAAO;AAAA,EACd,OAAO,EAAE,OAAO;AAClB,CAAC;;;AHqDD,eAAsB,sBACpB,SACsE;AACtE,MAAI;AACF,UAAM,QAAQ,cAAc,QAAQ,UAAU,KAAK;AACnD,UAAM,8BAA8B,MAAM,MAAM,QAAQ,YAAY;AAEpE,UAAM;AAAA,MACJ;AAAA,MACA;AAAA,IACF,EAAE,2BAA2B;AAE7B,WAAO,MAAM,mBAAmB;AAAA,MAC9B,UAAU,MAAM,4BAA4B,KAAK;AAAA,MACjD,QAAQ;AAAA,IACV,CAAC;AAAA,EACH,SAAS,OAAO;AACd,QACE,iBAAiB,6BACjB,iBAAiB,mBACjB,iBAAiB,cACjB;AACA,YAAM;AAAA,IACR;AACA,UAAM,IAAI;AAAA,MACR,0DAA0D,iBAAiB,QAAQ,GAAG,MAAM,IAAI,MAAM,MAAM,OAAO,KAAK,OAAO,KAAK,CAAC;AAAA,IACvI;AAAA,EACF;AACF;AAWA,eAAsB,wCACpB,SACgC;AAChC,MAAI;AACF,UAAM,sBAAsB,MAAM,2BAA2B,OAAO;AAEpE,UAAM,gBAAgB,MAAM,sBAAsB;AAAA,MAChD,GAAG;AAAA,MACH,cAAc,oBAAoB;AAAA,IACpC,CAAC;AAED,WAAO,uCAAuC;AAAA,MAC5C,8BAA8B,cAAc;AAAA,MAC5C,8BAA8B,cAAc;AAAA,MAC5C,WAAW;AAAA,QACT,WAAW,QAAQ,UAAU;AAAA,MAC/B;AAAA,MACA,KAAK,QAAQ;AAAA,MACb,QAAQ,QAAQ;AAAA,MAChB,OAAO,QAAQ;AAAA,IACjB,CAAC;AAAA,EACH,SAAS,OAAO;AACd,QACE,iBAAiB,6BACjB,iBAAiB,mBACjB,iBAAiB,cACjB;AACA,YAAM;AAAA,IACR;AACA,UAAM,IAAI;AAAA,MACR,sFAAsF,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK,CAAC;AAAA,IAC9I;AAAA,EACF;AACF;;;AIlIA,SAAS,gCAAgC;AACzC,SAAS,wBAAwB;AA8D1B,IAAM,iBAAN,cAA6B,yBAAyB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAa3D,MAAa,6BACX,SACiB;AACjB,QAAI,CAAC,QAAQ,cAAc,KAAK;AAC9B,YAAM,IAAI,oBAAoB,yCAAyC;AAAA,IACzE;AAEA,UAAM,oBAAoB,MAAM,KAAK,2BAA2B;AAAA,MAC9D,UAAU,QAAQ,cAAc;AAAA,MAChC,cAAc;AAAA;AAAA,QAEZ,KAAK,QAAQ;AAAA,MACf;AAAA,MACA,WACE,QAAQ,aAAa,iBAAiB,oBAAI,KAAK,GAAG,OAAO,KAAK,KAAK,EAAE;AAAA,MACvE,QAAQ,QAAQ;AAAA,MAChB,QAAQ;AAAA,QACN,KAAK;AAAA,QACL,KAAK,QAAQ,OAAO;AAAA,QACpB,QAAQ;AAAA;AAAA,QACR,YAAY,QAAQ,OAAO;AAAA,MAC7B;AAAA,MACA,YAAY,QAAQ;AAAA,MACpB,YAAY,QAAQ;AAAA,IACtB,CAAC;AAED,WAAO;AAAA,EACT;AACF;","names":[]}
+{"version":3,"sources":["../src/authorization-response/complete-authorization.ts","../src/errors.ts","../src/authorization-response/verify-authorization-response.ts","../src/authorization-response/z-authorization-response.ts","../src/credential-request/create-credential-request.ts","../src/credential-request/z-credential.ts","../src/credential-request/fetch-credential-response.ts","../src/wallet-provider/WalletProvider.ts"],"sourcesContent":["import { CallbackContext } from \"@openid4vc/oauth2\";\nimport { ValidationError, createFetcher } from \"@openid4vc/utils\";\nimport { getJwtFromFormPost } from \"@pagopa/io-wallet-oauth2\";\nimport {\n  FetchAuthorizationResponseOptions,\n  fetchAuthorizationResponse,\n} from \"@pagopa/io-wallet-oid4vp\";\nimport {\n  UnexpectedStatusCodeError,\n  hasStatusOrThrow,\n} from \"@pagopa/io-wallet-utils\";\n\nimport { Oid4vciError } from \"../errors\";\nimport {\n  VerifyAuthorizationResponseFormPostJWTOptions,\n  verifyAuthorizationResponseFormPostJWT,\n} from \"./verify-authorization-response\";\nimport {\n  AuthorizationResponse,\n  zAuthorizationResponse,\n} from \"./z-authorization-response\";\n\nexport interface CompleteAuthorizationOptions {\n  callbacks: Pick<CallbackContext, \"fetch\">;\n\n  /**\n   * The response_uri returned by the server after a successful\n   * OID4VP Authorization Response is sent\n   */\n  response_uri: string;\n}\n\n/**\n * Combination of {@link CompleteAuthorizationOptions},\n * {@link FetchAuthorizationResponseOptions} and\n * {@link VerifyAuthorizationResponseFormPostJWTOptions}\n */\nexport type SendAuthorizationResponseAndExtractCodeOptions =\n  FetchAuthorizationResponseOptions &\n    Omit<\n      VerifyAuthorizationResponseFormPostJWTOptions,\n      \"authorizationResponseCompact\" | \"authorizationResponseDecoded\"\n    > &\n    Omit<CompleteAuthorizationOptions, \"response_uri\">;\n\n/**\n * Method that completes the form_post.jwt based authorization\n * process for credentials issuance following the ITWallet\n * specification by retrieving the form from the provided uri,\n * extracting and parsing the contained JWT and verifying the\n * iss and state fields match the authorization session's expected\n * values.\n * See https://italia.github.io/eid-wallet-it-docs/versione-corrente/en/credential-issuance-low-level.html#\n * steps 6-7 for details.\n *\n * @param options {@link CompleteAuthorizationOptions}\n * @returns An object containing the fetched JWT and its decoding. The JWT contains the access code\n *          necessary for access token issuance\n */\nexport async function completeAuthorization(\n  options: CompleteAuthorizationOptions,\n): ReturnType<typeof getJwtFromFormPost<typeof zAuthorizationResponse>> {\n  try {\n    const fetch = createFetcher(options.callbacks.fetch);\n    const authorizationResponseResult = await fetch(options.response_uri);\n\n    await hasStatusOrThrow(\n      200,\n      UnexpectedStatusCodeError,\n    )(authorizationResponseResult);\n\n    return await getJwtFromFormPost({\n      formData: await authorizationResponseResult.text(),\n      schema: zAuthorizationResponse,\n    });\n  } catch (error) {\n    if (\n      error instanceof UnexpectedStatusCodeError ||\n      error instanceof ValidationError ||\n      error instanceof Oid4vciError\n    ) {\n      throw error;\n    }\n    throw new Oid4vciError(\n      `Unexpected error completing the authorization process: ${error instanceof Error ? `${error.name} : ${error.message}` : String(error)}`,\n    );\n  }\n}\n\n/**\n * Convenience method that combines {@link completeAuthorization},\n * oid4vp package's {@link fetchAuthorizationResponse} and {@link verifyAuthorizationResponseFormPostJWT} to retrieve the\n * access code starting from the authorization response and the response uri\n *\n * @param options {@link SendAuthorizationResponseAndExtractCodeOptions}\n * @returns An object containing the fetched JWT and its decoding. The JWT contains the access code\n *          for necessary for access token issuance\n */\nexport async function sendAuthorizationResponseAndExtractCode(\n  options: SendAuthorizationResponseAndExtractCodeOptions,\n): Promise<AuthorizationResponse> {\n  try {\n    const authorizationResult = await fetchAuthorizationResponse(options);\n\n    const jwtAndPayload = await completeAuthorization({\n      ...options,\n      response_uri: authorizationResult.redirect_uri,\n    });\n\n    return verifyAuthorizationResponseFormPostJWT({\n      authorizationResponseCompact: jwtAndPayload.jwt,\n      authorizationResponseDecoded: jwtAndPayload.decodedJwt,\n      callbacks: {\n        verifyJwt: options.callbacks.verifyJwt,\n      },\n      iss: options.iss,\n      signer: options.signer,\n      state: options.state,\n    });\n  } catch (error) {\n    if (\n      error instanceof UnexpectedStatusCodeError ||\n      error instanceof ValidationError ||\n      error instanceof Oid4vciError\n    ) {\n      throw error;\n    }\n    throw new Oid4vciError(\n      `Unexpected error sending the authorization response and retrieving the acces code: ${error instanceof Error ? error.message : String(error)}`,\n    );\n  }\n}\n","/**\n * Generic error thrown on Oid4vci operations\n */\nexport class Oid4vciError extends Error {\n  constructor(\n    message: string,\n    public readonly statusCode?: number,\n  ) {\n    super(message);\n    this.name = \"Oid4vciError\";\n  }\n}\n\n/**\n * Error thrown in case the DPoP key passed to the\n * {@link WalletProvider.createItWalletAttestationJwt} method\n * doesn't contain a kid\n */\nexport class WalletProviderError extends Oid4vciError {\n  constructor(\n    message: string,\n    public readonly originalError?: unknown,\n  ) {\n    super(message);\n    this.name = \"WalletProviderError\";\n  }\n}\n\n/**\n * Error thrown when an unexpected error occurs during nonce request.\n */\nexport class NonceRequestError extends Error {\n  constructor(\n    message: string,\n    public readonly statusCode?: number,\n  ) {\n    super(message);\n    this.name = \"NonceRequestError\";\n  }\n}\n\n/**\n * Error thrown when an unexpected error occurs during credential response fetching.\n */\nexport class FetchCredentialResponseError extends Oid4vciError {\n  constructor(\n    message: string,\n    public readonly originalError?: unknown,\n  ) {\n    super(message);\n    this.name = \"FetchCredentialResponseError\";\n  }\n}\n","import { CallbackContext, JwtSignerJwk, decodeJwt } from \"@openid4vc/oauth2\";\n\nimport { Oid4vciError } from \"../errors\";\nimport {\n  AuthorizationResponse,\n  zAuthorizationResponse,\n} from \"./z-authorization-response\";\n\nexport interface VerifyAuthorizationResponseOptions {\n  /**\n   * Authorization response object containing the authorization\n   * code, the issuer and the session's state\n   */\n  authorizationResponse: AuthorizationResponse;\n\n  /**\n   * The issuer the Wallet Instance started the\n   * authorization flow (either via PAR or directly) with\n   */\n  iss: string;\n\n  /**\n   * The state sent by the Wallet Instance at the start\n   * of the authorization flow (either via PAR or directly)\n   */\n  state: string;\n}\n\nexport interface VerifyAuthorizationResponseFormPostJWTOptions {\n  /**\n   * Compact AuthorizaitonResponse JWT\n   */\n  authorizationResponseCompact: string;\n\n  /**\n   * Authorization Response object containing the authorization\n   * code, the issuer and the session's state\n   */\n  authorizationResponseDecoded: ReturnType<\n    typeof decodeJwt<undefined, typeof zAuthorizationResponse>\n  >;\n\n  /**\n   * Callback for verifying the authorization jwt signature\n   */\n  callbacks: Pick<CallbackContext, \"verifyJwt\">;\n\n  /**\n   * The issuer the Wallet Instance started the\n   * authorization flow (either via PAR or directly) with\n   */\n  iss: string;\n\n  /**\n   * Signer of the form POST returned jwt\n   */\n  signer: JwtSignerJwk;\n\n  /**\n   * The state sent by the Wallet Instance at the start\n   * of the authorization flow (either via PAR or directly)\n   */\n  state: string;\n}\n\n/**\n * Utility that verifies if the returned Authorization Response's iss and state field match\n * the Authorization Session ones\n * @param options {@link VerifyAuthorizationResponseOptions}\n * @returns the {@link AuthorizationResponse} passed as an option\n * @throws {Oid4vciError} in case the iss or state field of the Authorization request don't\n *         match the provided ones\n */\nexport async function verifyAuthorizationResponse(\n  options: VerifyAuthorizationResponseOptions,\n): Promise<AuthorizationResponse> {\n  if (options.authorizationResponse.iss !== options.iss)\n    throw new Oid4vciError(\n      `Response result iss doesn't match passed counterpart. Expected: ${options.iss}, Got: ${options.authorizationResponse.iss}`,\n    );\n  if (options.authorizationResponse.state !== options.state)\n    throw new Oid4vciError(\n      `Response result state doesn't match passed counterpart. Expected: ${options.state}, Got: ${options.authorizationResponse.state}`,\n    );\n\n  return options.authorizationResponse;\n}\n\n/**\n * Wrapper of {@link verifyAuthorizationResponse} that verifies the signature of the JWT containing\n * the authorization response and extracts the {@link AuthorizationResponse} payload\n * @param options {@link VerifyAuthorizationResponseFormPostJWTOptions}\n * @returns the {@link AuthorizationResponse} passed as an option\n * @throws {Oid4vciError} in case {@link verifyAuthorizationResponse} throws or in case\n *         signature verification fails\n */\nexport async function verifyAuthorizationResponseFormPostJWT(\n  options: VerifyAuthorizationResponseFormPostJWTOptions,\n): Promise<AuthorizationResponse> {\n  try {\n    const decodedJwt = options.authorizationResponseDecoded;\n    const result = await options.callbacks.verifyJwt(options.signer, {\n      compact: options.authorizationResponseCompact,\n      ...decodedJwt,\n    });\n\n    if (!result.verified) {\n      throw new Oid4vciError(\"Error verifying JWT signature\");\n    }\n\n    return verifyAuthorizationResponse({\n      authorizationResponse: options.authorizationResponseDecoded.payload,\n      iss: options.iss,\n      state: options.state,\n    });\n  } catch (error) {\n    if (error instanceof Oid4vciError) throw error;\n\n    throw new Oid4vciError(\n      `Unexpected error verifying form post jwt: ${error instanceof Error ? `${error.name} : ${error.message}` : String(error)}`,\n    );\n  }\n}\n","import z from \"zod\";\n\nexport const zAuthorizationResponse = z.object({\n  code: z.string(),\n  iss: z.string(),\n  state: z.string(),\n});\n\nexport type AuthorizationResponse = z.infer<typeof zAuthorizationResponse>;\n","import { CallbackContext, JwtSignerJwk } from \"@openid4vc/oauth2\";\nimport { dateToSeconds, parseWithErrorHandling } from \"@openid4vc/utils\";\n\nimport { Oid4vciError } from \"../errors\";\nimport { CredentialRequest, zCredentialRequest } from \"./z-credential\";\n\nexport interface CredentialRequestOptions {\n  /**\n   * Callbacks to use for signing proof\n   */\n  callbacks: Pick<CallbackContext, \"signJwt\">;\n\n  /**\n   * Client identifier of the OAuth2 Client making the Credential Request.\n   */\n  clientId: string;\n\n  /**\n   * This MUST be set with one of the value obtained in the credential_identifiers claim of the Token Response.\n   */\n  credential_identifier: string;\n\n  /**\n   * Identifier of the Credential Issuer, for ex: https://issuer.example.com.\n   */\n  issuerIdentifier: string;\n\n  /**\n   * A nonce value previously requested to associate a Client session with the Credential Request.\n   */\n  nonce: string;\n\n  /**\n   * The signer of the credential PoP JWT.\n   */\n  signer: JwtSignerJwk;\n}\n\n/**\n * Create a Credential Request.\n * @param options - Options to create the Credential Request\n * @returns The created Credential Request\n */\nexport const createCredentialRequest = async (\n  options: CredentialRequestOptions,\n): Promise<CredentialRequest> => {\n  try {\n    const { signJwt } = options.callbacks;\n    const proofJwt = await signJwt(options.signer, {\n      header: {\n        alg: options.signer.alg,\n        jwk: options.signer.publicJwk,\n        typ: \"openid4vci-proof+jwt\",\n      },\n      payload: {\n        aud: options.issuerIdentifier,\n        iat: dateToSeconds(new Date()),\n        iss: options.clientId,\n        nonce: options.nonce,\n      },\n    });\n\n    return parseWithErrorHandling(zCredentialRequest, {\n      credential_identifier: options.credential_identifier,\n      proof: {\n        jwt: proofJwt.jwt,\n        proof_type: \"jwt\",\n      },\n    } satisfies CredentialRequest);\n  } catch (error) {\n    throw new Oid4vciError(\n      `Unexpected error during create credential request: ${error instanceof Error ? error.message : String(error)}`,\n    );\n  }\n};\n","import { z } from \"zod\";\n\n// Proof object schema\nconst ProofSchema = z.object({\n  jwt: z.string().min(1, \"JWT must not be empty\"),\n  proof_type: z.literal(\"jwt\"), // MUST be \"jwt\"\n});\n\nexport const zCredentialRequest = z\n  .object({\n    credential_configuration_id: z\n      .string()\n      .optional()\n      .describe(\n        \"REQUIRED if credential_identifiers param is absent. MUST NOT be used otherwise.\",\n      ),\n\n    credential_identifier: z\n      .string()\n      .optional()\n      .describe(\n        \"REQUIRED when Authorization Details of type openid_credential was returned. MUST NOT be used if credential_configuration_id is present.\",\n      ),\n\n    proof: ProofSchema.describe(\n      \"REQUIRED. Proof of possession of key material (must contain proof_type=jwt and a jwt).\",\n    ),\n\n    transaction_id: z\n      .string()\n      .optional()\n      .describe(\n        \"REQUIRED only in case of deferred flow. MUST NOT be present in immediate flow.\",\n      ),\n  })\n  .superRefine((data, ctx) => {\n    // Exclusive OR between credential_identifier and credential_configuration_id\n    if (data.credential_identifier && data.credential_configuration_id) {\n      ctx.addIssue({\n        code: \"custom\",\n        message:\n          \"credential_identifier and credential_configuration_id MUST NOT be used together\",\n        path: [\"credential_identifier\"],\n      });\n    }\n\n    if (!data.credential_identifier && !data.credential_configuration_id) {\n      ctx.addIssue({\n        code: \"custom\",\n        message:\n          \"One of credential_identifier or credential_configuration_id MUST be present\",\n        path: [\"credential_identifier\"],\n      });\n    }\n  });\n\nexport type CredentialRequest = z.infer<typeof zCredentialRequest>;\n\nconst CredentialsSchema = z.object({\n  credential: z\n    .string()\n    .min(1, \"credential must not be empty\")\n    .describe(\n      \"REQUIRED. Contains the issued Digital Credential. Depending on format, may be raw JWT or base64url-encoded CBOR structure.\",\n    ),\n});\n\nexport const zCredentialResponse = z\n  .object({\n    credentials: CredentialsSchema.optional().describe(\n      \"REQUIRED if lead_time and transaction_id are not present. MUST NOT be present otherwise.\",\n    ),\n\n    lead_time: z\n      .number()\n      .int()\n      .positive()\n      .optional()\n      .describe(\n        \"REQUIRED if credentials is not present. MUST NOT be present otherwise.\",\n      ),\n\n    notification_id: z\n      .string()\n      .optional()\n      .describe(\"OPTIONAL. MUST NOT be present if credentials is not present.\"),\n\n    transaction_id: z\n      .string()\n      .optional()\n      .describe(\n        \"REQUIRED if credentials is not present. MUST NOT be present otherwise.\",\n      ),\n  })\n  .superRefine((data, ctx) => {\n    // Enforce XOR: credentials vs (lead_time + transaction_id)\n    if (data.credentials && (data.lead_time || data.transaction_id)) {\n      ctx.addIssue({\n        code: \"custom\",\n        message:\n          \"credentials MUST NOT be present if lead_time or transaction_id is provided\",\n        path: [\"credentials\"],\n      });\n    }\n\n    if (!data.credentials && (!data.lead_time || !data.transaction_id)) {\n      ctx.addIssue({\n        code: \"custom\",\n        message:\n          \"If credentials is absent, both lead_time and transaction_id MUST be present\",\n        path: [\"lead_time\"],\n      });\n    }\n\n    // notification_id must only exist if credentials is present\n    if (!data.credentials && data.notification_id) {\n      ctx.addIssue({\n        code: \"custom\",\n        message: \"notification_id MUST NOT be present if credentials is absent\",\n        path: [\"notification_id\"],\n      });\n    }\n  });\n\nexport type CredentialResponse = z.infer<typeof zCredentialResponse>;\n","import { CallbackContext } from \"@openid4vc/oauth2\";\nimport { createFetcher, parseWithErrorHandling } from \"@openid4vc/utils\";\nimport {\n  CONTENT_TYPES,\n  HEADERS,\n  UnexpectedStatusCodeError,\n  ValidationError,\n  hasStatusOrThrow,\n} from \"@pagopa/io-wallet-utils\";\n\nimport { FetchCredentialResponseError } from \"../errors\";\nimport {\n  CredentialRequest,\n  CredentialResponse,\n  zCredentialResponse,\n} from \"./z-credential\";\n\nexport interface FetchCredentialResponseOptions {\n  /**\n   * Access token to authorize the credential request for DPoP mechanism\n   */\n  accessToken: string;\n  /**\n   * Callbacks to use for requesting access token\n   */\n  callbacks: Pick<CallbackContext, \"fetch\">;\n\n  /**\n   * The credential endpoint URL\n   */\n  credentialEndpoint: string;\n\n  /**\n   * Credential request body\n   */\n  credentialRequest: CredentialRequest;\n\n  /**\n   * DPoP proof with addition of ath claim\n   */\n  dPoP: string;\n}\n\n/**\n * Fetches a credential response from the credential endpoint.\n *\n * @param options - Options for fetching the credential response\n * @returns The credential response\n * @throws FetchCredentialResponseError if an unexpected error occurs during the fetch\n * @throws UnexpectedStatusCodeError if the response status code is not 200\n * @throws ValidationError if the response cannot be parsed as a valid credential response\n */\nexport async function fetchCredentialResponse(\n  options: FetchCredentialResponseOptions,\n): Promise<CredentialResponse> {\n  try {\n    const fetch = createFetcher(options.callbacks.fetch);\n    const credentialResponse = await fetch(options.credentialEndpoint, {\n      body: JSON.stringify(options.credentialRequest),\n      headers: {\n        [HEADERS.AUTHORIZATION]: `DPoP ${options.accessToken}`,\n        [HEADERS.CONTENT_TYPE]: CONTENT_TYPES.JSON,\n        [HEADERS.DPOP]: options.dPoP,\n      },\n      method: \"POST\",\n    });\n\n    await hasStatusOrThrow(200, UnexpectedStatusCodeError)(credentialResponse);\n\n    return parseWithErrorHandling(\n      zCredentialResponse,\n      credentialResponse.json(),\n      `Failed to parse credential response`,\n    );\n  } catch (error) {\n    if (\n      error instanceof UnexpectedStatusCodeError ||\n      error instanceof ValidationError\n    ) {\n      throw error;\n    }\n    throw new FetchCredentialResponseError(\n      `Unexpected error during credential response: ${error instanceof Error ? error.message : String(error)}`,\n    );\n  }\n}\n","import { ClientAttestationJwtPayload } from \"@openid4vc/oauth2\";\nimport { Openid4vciWalletProvider } from \"@openid4vc/openid4vci\";\nimport { addSecondsToDate } from \"@openid4vc/utils\";\n\nimport { WalletProviderError } from \"../errors\";\n\n/**\n * @interface WalletAttestationOptions\n * @description Defines the options required to create a wallet attestation JWT.\n * This attestation is a signed token that proves the wallet's identity and possession of a cryptographic key.\n */\nexport interface WalletAttestationOptions {\n  /**\n   * The public part of the DPoP (Demonstrating Proof-of-Possession) key in JWK (JSON Web Key) format.\n   * This key is used to bind the attestation to the client's session.\n   * @type {ClientAttestationJwtPayload['cnf']}\n   */\n  dpopJwkPublic: ClientAttestationJwtPayload[\"cnf\"][\"jwk\"];\n\n  /**\n   * The optional expiration date for the attestation JWT. If not provided, a default lifetime will be used.\n   * @type {Date}\n   */\n  expiresAt?: Date;\n  /**\n   * The issuer of the attestation, typically the Wallet Provider's identifier.\n   * @type {string}\n   */\n  issuer: string;\n\n  signer: {\n    /**\n     * An array of JWTs representing the chain of trust from the federation's trust anchor\n     * to the wallet provider. This is used in federated identity systems to validate the provider's authenticity.\n     * @type {[string, ...string[]]}\n     */\n    trustChain: [string, ...string[]];\n\n    /**\n     * The Key ID (`kid`) of the wallet provider's public key used for signing the attestation.\n     * @type {string}\n     */\n    walletProviderJwkPublicKid: string;\n  };\n\n  /**\n   * An optional deep link or URL that can be used to open or interact with the wallet.\n   * @type {string}\n   */\n  walletLink?: string;\n\n  /**\n   * An optional display name for the wallet.\n   * @type {string}\n   */\n  walletName?: string;\n}\n\n/**\n * @class WalletProvider\n * @extends Openid4vciWalletProvider\n * @description An implementation of a wallet provider for the OpenID4VCI protocol, tailored for a specific ecosystem (e.g., the Italian one).\n * It handles the creation of wallet attestations required during the credential issuance flow.\n */\nexport class WalletProvider extends Openid4vciWalletProvider {\n  /**\n   * Creates a wallet attestation JWT.\n   *\n   * This method constructs a signed JWT that asserts the wallet's control over a specific\n   * cryptographic key (DPoP key). This is a security measure to ensure that the entity\n   * presenting the credential offer is the legitimate wallet instance.\n   *\n   * @public\n   * @async\n   * @param {WalletAttestationOptions} options - The necessary parameters to build the attestation.\n   * @returns {Promise<string>} A promise that resolves to the signed wallet attestation JWT as a string.\n   */\n  public async createItWalletAttestationJwt(\n    options: WalletAttestationOptions,\n  ): Promise<string> {\n    if (!options.dpopJwkPublic.kid) {\n      throw new WalletProviderError(\"The DPoP JWK must have a 'kid' property\");\n    }\n\n    const walletAttestation = await this.createWalletAttestationJwt({\n      clientId: options.dpopJwkPublic.kid,\n      confirmation: {\n        // We use the same key for DPoP as the wallet attestation\n        jwk: options.dpopJwkPublic,\n      },\n      expiresAt:\n        options.expiresAt ?? addSecondsToDate(new Date(), 3600 * 24 * 60 * 60),\n      issuer: options.issuer,\n      signer: {\n        alg: \"ES256\",\n        kid: options.signer.walletProviderJwkPublicKid,\n        method: \"federation\", // Indicates the validation method relies on a trust chain.\n        trustChain: options.signer.trustChain,\n      },\n      walletLink: options.walletLink,\n      walletName: options.walletName,\n    });\n\n    return walletAttestation;\n  }\n}\n"],"mappings":";AACA,SAAS,iBAAiB,qBAAqB;AAC/C,SAAS,0BAA0B;AACnC;AAAA,EAEE;AAAA,OACK;AACP;AAAA,EACE;AAAA,EACA;AAAA,OACK;;;ACPA,IAAM,eAAN,cAA2B,MAAM;AAAA,EACtC,YACE,SACgB,YAChB;AACA,UAAM,OAAO;AAFG;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;AAOO,IAAM,sBAAN,cAAkC,aAAa;AAAA,EACpD,YACE,SACgB,eAChB;AACA,UAAM,OAAO;AAFG;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;AAKO,IAAM,oBAAN,cAAgC,MAAM;AAAA,EAC3C,YACE,SACgB,YAChB;AACA,UAAM,OAAO;AAFG;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;AAKO,IAAM,+BAAN,cAA2C,aAAa;AAAA,EAC7D,YACE,SACgB,eAChB;AACA,UAAM,OAAO;AAFG;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;;;ACqBA,eAAsB,4BACpB,SACgC;AAChC,MAAI,QAAQ,sBAAsB,QAAQ,QAAQ;AAChD,UAAM,IAAI;AAAA,MACR,mEAAmE,QAAQ,GAAG,UAAU,QAAQ,sBAAsB,GAAG;AAAA,IAC3H;AACF,MAAI,QAAQ,sBAAsB,UAAU,QAAQ;AAClD,UAAM,IAAI;AAAA,MACR,qEAAqE,QAAQ,KAAK,UAAU,QAAQ,sBAAsB,KAAK;AAAA,IACjI;AAEF,SAAO,QAAQ;AACjB;AAUA,eAAsB,uCACpB,SACgC;AAChC,MAAI;AACF,UAAM,aAAa,QAAQ;AAC3B,UAAM,SAAS,MAAM,QAAQ,UAAU,UAAU,QAAQ,QAAQ;AAAA,MAC/D,SAAS,QAAQ;AAAA,MACjB,GAAG;AAAA,IACL,CAAC;AAED,QAAI,CAAC,OAAO,UAAU;AACpB,YAAM,IAAI,aAAa,+BAA+B;AAAA,IACxD;AAEA,WAAO,4BAA4B;AAAA,MACjC,uBAAuB,QAAQ,6BAA6B;AAAA,MAC5D,KAAK,QAAQ;AAAA,MACb,OAAO,QAAQ;AAAA,IACjB,CAAC;AAAA,EACH,SAAS,OAAO;AACd,QAAI,iBAAiB,aAAc,OAAM;AAEzC,UAAM,IAAI;AAAA,MACR,6CAA6C,iBAAiB,QAAQ,GAAG,MAAM,IAAI,MAAM,MAAM,OAAO,KAAK,OAAO,KAAK,CAAC;AAAA,IAC1H;AAAA,EACF;AACF;;;AC1HA,OAAO,OAAO;AAEP,IAAM,yBAAyB,EAAE,OAAO;AAAA,EAC7C,MAAM,EAAE,OAAO;AAAA,EACf,KAAK,EAAE,OAAO;AAAA,EACd,OAAO,EAAE,OAAO;AAClB,CAAC;;;AHqDD,eAAsB,sBACpB,SACsE;AACtE,MAAI;AACF,UAAM,QAAQ,cAAc,QAAQ,UAAU,KAAK;AACnD,UAAM,8BAA8B,MAAM,MAAM,QAAQ,YAAY;AAEpE,UAAM;AAAA,MACJ;AAAA,MACA;AAAA,IACF,EAAE,2BAA2B;AAE7B,WAAO,MAAM,mBAAmB;AAAA,MAC9B,UAAU,MAAM,4BAA4B,KAAK;AAAA,MACjD,QAAQ;AAAA,IACV,CAAC;AAAA,EACH,SAAS,OAAO;AACd,QACE,iBAAiB,6BACjB,iBAAiB,mBACjB,iBAAiB,cACjB;AACA,YAAM;AAAA,IACR;AACA,UAAM,IAAI;AAAA,MACR,0DAA0D,iBAAiB,QAAQ,GAAG,MAAM,IAAI,MAAM,MAAM,OAAO,KAAK,OAAO,KAAK,CAAC;AAAA,IACvI;AAAA,EACF;AACF;AAWA,eAAsB,wCACpB,SACgC;AAChC,MAAI;AACF,UAAM,sBAAsB,MAAM,2BAA2B,OAAO;AAEpE,UAAM,gBAAgB,MAAM,sBAAsB;AAAA,MAChD,GAAG;AAAA,MACH,cAAc,oBAAoB;AAAA,IACpC,CAAC;AAED,WAAO,uCAAuC;AAAA,MAC5C,8BAA8B,cAAc;AAAA,MAC5C,8BAA8B,cAAc;AAAA,MAC5C,WAAW;AAAA,QACT,WAAW,QAAQ,UAAU;AAAA,MAC/B;AAAA,MACA,KAAK,QAAQ;AAAA,MACb,QAAQ,QAAQ;AAAA,MAChB,OAAO,QAAQ;AAAA,IACjB,CAAC;AAAA,EACH,SAAS,OAAO;AACd,QACE,iBAAiB,6BACjB,iBAAiB,mBACjB,iBAAiB,cACjB;AACA,YAAM;AAAA,IACR;AACA,UAAM,IAAI;AAAA,MACR,sFAAsF,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK,CAAC;AAAA,IAC9I;AAAA,EACF;AACF;;;AIlIA,SAAS,eAAe,8BAA8B;;;ACDtD,SAAS,KAAAA,UAAS;AAGlB,IAAM,cAAcA,GAAE,OAAO;AAAA,EAC3B,KAAKA,GAAE,OAAO,EAAE,IAAI,GAAG,uBAAuB;AAAA,EAC9C,YAAYA,GAAE,QAAQ,KAAK;AAAA;AAC7B,CAAC;AAEM,IAAM,qBAAqBA,GAC/B,OAAO;AAAA,EACN,6BAA6BA,GAC1B,OAAO,EACP,SAAS,EACT;AAAA,IACC;AAAA,EACF;AAAA,EAEF,uBAAuBA,GACpB,OAAO,EACP,SAAS,EACT;AAAA,IACC;AAAA,EACF;AAAA,EAEF,OAAO,YAAY;AAAA,IACjB;AAAA,EACF;AAAA,EAEA,gBAAgBA,GACb,OAAO,EACP,SAAS,EACT;AAAA,IACC;AAAA,EACF;AACJ,CAAC,EACA,YAAY,CAAC,MAAM,QAAQ;AAE1B,MAAI,KAAK,yBAAyB,KAAK,6BAA6B;AAClE,QAAI,SAAS;AAAA,MACX,MAAM;AAAA,MACN,SACE;AAAA,MACF,MAAM,CAAC,uBAAuB;AAAA,IAChC,CAAC;AAAA,EACH;AAEA,MAAI,CAAC,KAAK,yBAAyB,CAAC,KAAK,6BAA6B;AACpE,QAAI,SAAS;AAAA,MACX,MAAM;AAAA,MACN,SACE;AAAA,MACF,MAAM,CAAC,uBAAuB;AAAA,IAChC,CAAC;AAAA,EACH;AACF,CAAC;AAIH,IAAM,oBAAoBA,GAAE,OAAO;AAAA,EACjC,YAAYA,GACT,OAAO,EACP,IAAI,GAAG,8BAA8B,EACrC;AAAA,IACC;AAAA,EACF;AACJ,CAAC;AAEM,IAAM,sBAAsBA,GAChC,OAAO;AAAA,EACN,aAAa,kBAAkB,SAAS,EAAE;AAAA,IACxC;AAAA,EACF;AAAA,EAEA,WAAWA,GACR,OAAO,EACP,IAAI,EACJ,SAAS,EACT,SAAS,EACT;AAAA,IACC;AAAA,EACF;AAAA,EAEF,iBAAiBA,GACd,OAAO,EACP,SAAS,EACT,SAAS,8DAA8D;AAAA,EAE1E,gBAAgBA,GACb,OAAO,EACP,SAAS,EACT;AAAA,IACC;AAAA,EACF;AACJ,CAAC,EACA,YAAY,CAAC,MAAM,QAAQ;AAE1B,MAAI,KAAK,gBAAgB,KAAK,aAAa,KAAK,iBAAiB;AAC/D,QAAI,SAAS;AAAA,MACX,MAAM;AAAA,MACN,SACE;AAAA,MACF,MAAM,CAAC,aAAa;AAAA,IACtB,CAAC;AAAA,EACH;AAEA,MAAI,CAAC,KAAK,gBAAgB,CAAC,KAAK,aAAa,CAAC,KAAK,iBAAiB;AAClE,QAAI,SAAS;AAAA,MACX,MAAM;AAAA,MACN,SACE;AAAA,MACF,MAAM,CAAC,WAAW;AAAA,IACpB,CAAC;AAAA,EACH;AAGA,MAAI,CAAC,KAAK,eAAe,KAAK,iBAAiB;AAC7C,QAAI,SAAS;AAAA,MACX,MAAM;AAAA,MACN,SAAS;AAAA,MACT,MAAM,CAAC,iBAAiB;AAAA,IAC1B,CAAC;AAAA,EACH;AACF,CAAC;;;AD/EI,IAAM,0BAA0B,OACrC,YAC+B;AAC/B,MAAI;AACF,UAAM,EAAE,QAAQ,IAAI,QAAQ;AAC5B,UAAM,WAAW,MAAM,QAAQ,QAAQ,QAAQ;AAAA,MAC7C,QAAQ;AAAA,QACN,KAAK,QAAQ,OAAO;AAAA,QACpB,KAAK,QAAQ,OAAO;AAAA,QACpB,KAAK;AAAA,MACP;AAAA,MACA,SAAS;AAAA,QACP,KAAK,QAAQ;AAAA,QACb,KAAK,cAAc,oBAAI,KAAK,CAAC;AAAA,QAC7B,KAAK,QAAQ;AAAA,QACb,OAAO,QAAQ;AAAA,MACjB;AAAA,IACF,CAAC;AAED,WAAO,uBAAuB,oBAAoB;AAAA,MAChD,uBAAuB,QAAQ;AAAA,MAC/B,OAAO;AAAA,QACL,KAAK,SAAS;AAAA,QACd,YAAY;AAAA,MACd;AAAA,IACF,CAA6B;AAAA,EAC/B,SAAS,OAAO;AACd,UAAM,IAAI;AAAA,MACR,sDAAsD,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK,CAAC;AAAA,IAC9G;AAAA,EACF;AACF;;;AEzEA,SAAS,iBAAAC,gBAAe,0BAAAC,+BAA8B;AACtD;AAAA,EACE;AAAA,EACA;AAAA,EACA,6BAAAC;AAAA,EACA,mBAAAC;AAAA,EACA,oBAAAC;AAAA,OACK;AA4CP,eAAsB,wBACpB,SAC6B;AAC7B,MAAI;AACF,UAAM,QAAQC,eAAc,QAAQ,UAAU,KAAK;AACnD,UAAM,qBAAqB,MAAM,MAAM,QAAQ,oBAAoB;AAAA,MACjE,MAAM,KAAK,UAAU,QAAQ,iBAAiB;AAAA,MAC9C,SAAS;AAAA,QACP,CAAC,QAAQ,aAAa,GAAG,QAAQ,QAAQ,WAAW;AAAA,QACpD,CAAC,QAAQ,YAAY,GAAG,cAAc;AAAA,QACtC,CAAC,QAAQ,IAAI,GAAG,QAAQ;AAAA,MAC1B;AAAA,MACA,QAAQ;AAAA,IACV,CAAC;AAED,UAAMC,kBAAiB,KAAKC,0BAAyB,EAAE,kBAAkB;AAEzE,WAAOC;AAAA,MACL;AAAA,MACA,mBAAmB,KAAK;AAAA,MACxB;AAAA,IACF;AAAA,EACF,SAAS,OAAO;AACd,QACE,iBAAiBD,8BACjB,iBAAiBE,kBACjB;AACA,YAAM;AAAA,IACR;AACA,UAAM,IAAI;AAAA,MACR,gDAAgD,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK,CAAC;AAAA,IACxG;AAAA,EACF;AACF;;;ACpFA,SAAS,gCAAgC;AACzC,SAAS,wBAAwB;AA8D1B,IAAM,iBAAN,cAA6B,yBAAyB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAa3D,MAAa,6BACX,SACiB;AACjB,QAAI,CAAC,QAAQ,cAAc,KAAK;AAC9B,YAAM,IAAI,oBAAoB,yCAAyC;AAAA,IACzE;AAEA,UAAM,oBAAoB,MAAM,KAAK,2BAA2B;AAAA,MAC9D,UAAU,QAAQ,cAAc;AAAA,MAChC,cAAc;AAAA;AAAA,QAEZ,KAAK,QAAQ;AAAA,MACf;AAAA,MACA,WACE,QAAQ,aAAa,iBAAiB,oBAAI,KAAK,GAAG,OAAO,KAAK,KAAK,EAAE;AAAA,MACvE,QAAQ,QAAQ;AAAA,MAChB,QAAQ;AAAA,QACN,KAAK;AAAA,QACL,KAAK,QAAQ,OAAO;AAAA,QACpB,QAAQ;AAAA;AAAA,QACR,YAAY,QAAQ,OAAO;AAAA,MAC7B;AAAA,MACA,YAAY,QAAQ;AAAA,MACpB,YAAY,QAAQ;AAAA,IACtB,CAAC;AAED,WAAO;AAAA,EACT;AACF;","names":["z","createFetcher","parseWithErrorHandling","UnexpectedStatusCodeError","ValidationError","hasStatusOrThrow","createFetcher","hasStatusOrThrow","UnexpectedStatusCodeError","parseWithErrorHandling","ValidationError"]}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pagopa/io-wallet-oid4vci",
-  "version": "0.7.1",
+  "version": "0.7.3",
   "files": [
     "dist"
   ],
@@ -31,9 +31,9 @@
     "@openid4vc/openid4vci": "0.3.0-alpha-20250714110838",
     "@openid4vc/utils": "0.3.0-alpha-20250714110838",
     "zod": "^3.24.2",
-    "@pagopa/io-wallet-utils": "0.7.1",
-    "@pagopa/io-wallet-oauth2": "0.7.1",
-    "@pagopa/io-wallet-oid4vp": "0.7.1"
+    "@pagopa/io-wallet-utils": "0.7.3",
+    "@pagopa/io-wallet-oauth2": "0.7.3",
+    "@pagopa/io-wallet-oid4vp": "0.7.3"
   },
   "devDependencies": {
     "js-base64": "^3.7.8"