@pagopa/io-wallet-oid4vci 0.7.3 → 0.7.6

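--- a/package/dist/index.d.mts
+++ b/package/dist/index.d.mts
@@ -138,13 +138,13 @@ declare const zCredentialRequest: z$1.ZodEffects<z$1.ZodObject<{
  }>;
  type CredentialRequest = z$1.infer<typeof zCredentialRequest>;
  declare const zCredentialResponse: z$1.ZodEffects<z$1.ZodObject<{
- credentials: z$1.ZodOptional<z$1.ZodObject<{
+ credentials: z$1.ZodOptional<z$1.ZodArray<z$1.ZodObject<{
  credential: z$1.ZodString;
  }, "strip", z$1.ZodTypeAny, {
  credential: string;
  }, {
  credential: string;
- }>>;
+ }>, "many">>;
  lead_time: z$1.ZodOptional<z$1.ZodNumber>;
  notification_id: z$1.ZodOptional<z$1.ZodString>;
  transaction_id: z$1.ZodOptional<z$1.ZodString>;
@@ -152,28 +152,28 @@ declare const zCredentialResponse: z$1.ZodEffects<z$1.ZodObject<{
  transaction_id?: string | undefined;
  credentials?: {
  credential: string;
- } | undefined;
+ }[] | undefined;
  lead_time?: number | undefined;
  notification_id?: string | undefined;
  }, {
  transaction_id?: string | undefined;
  credentials?: {
  credential: string;
- } | undefined;
+ }[] | undefined;
  lead_time?: number | undefined;
  notification_id?: string | undefined;
  }>, {
  transaction_id?: string | undefined;
  credentials?: {
  credential: string;
- } | undefined;
+ }[] | undefined;
  lead_time?: number | undefined;
  notification_id?: string | undefined;
  }, {
  transaction_id?: string | undefined;
  credentials?: {
  credential: string;
- } | undefined;
+ }[] | undefined;
  lead_time?: number | undefined;
  notification_id?: string | undefined;
  }>;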
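--- a/package/dist/index.d.ts
+++ b/package/dist/index.d.ts
@@ -138,13 +138,13 @@ declare const zCredentialRequest: z$1.ZodEffects<z$1.ZodObject<{
  }>;
  type CredentialRequest = z$1.infer<typeof zCredentialRequest>;
  declare const zCredentialResponse: z$1.ZodEffects<z$1.ZodObject<{
- credentials: z$1.ZodOptional<z$1.ZodObject<{
+ credentials: z$1.ZodOptional<z$1.ZodArray<z$1.ZodObject<{
  credential: z$1.ZodString;
  }, "strip", z$1.ZodTypeAny, {
  credential: string;
  }, {
  credential: string;
- }>>;
+ }>, "many">>;
  lead_time: z$1.ZodOptional<z$1.ZodNumber>;
  notification_id: z$1.ZodOptional<z$1.ZodString>;
  transaction_id: z$1.ZodOptional<z$1.ZodString>;
@@ -152,28 +152,28 @@ declare const zCredentialResponse: z$1.ZodEffects<z$1.ZodObject<{
  transaction_id?: string | undefined;
  credentials?: {
  credential: string;
- } | undefined;
+ }[] | undefined;
  lead_time?: number | undefined;
  notification_id?: string | undefined;
  }, {
  transaction_id?: string | undefined;
  credentials?: {
  credential: string;
- } | undefined;
+ }[] | undefined;
  lead_time?: number | undefined;
  notification_id?: string | undefined;
  }>, {
  transaction_id?: string | undefined;
  credentials?: {
  credential: string;
- } | undefined;
+ }[] | undefined;
  lead_time?: number | undefined;
  notification_id?: string | undefined;
  }, {
  transaction_id?: string | undefined;
  credentials?: {
  credential: string;
- } | undefined;
+ }[] | undefined;
  lead_time?: number | undefined;
  notification_id?: string | undefined;
  }>;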
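--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -149,6 +149,11 @@ async function completeAuthorization(options) {
  async function sendAuthorizationResponseAndExtractCode(options) {
  try {
  const authorizationResult = await (0, import_io_wallet_oid4vp.fetchAuthorizationResponse)(options);
+ if (!authorizationResult.redirect_uri) {
+ throw new Oid4vciError(
+ "The authorization response did not contain a redirect_uri"
+ );
+ }
  const jwtAndPayload = await completeAuthorization({
  ...options,
  response_uri: authorizationResult.redirect_uri
@@ -212,11 +217,13 @@ var zCredentialRequest = import_zod2.z.object({
  });
  }
  });
- var CredentialsSchema = import_zod2.z.object({
- credential: import_zod2.z.string().min(1, "credential must not be empty").describe(
- "REQUIRED. Contains the issued Digital Credential. Depending on format, may be raw JWT or base64url-encoded CBOR structure."
- )
- });
+ var CredentialsSchema = import_zod2.z.array(
+ import_zod2.z.object({
+ credential: import_zod2.z.string().describe(
+ "REQUIRED. Contains the issued Digital Credential. Depending on format, may be raw JWT or base64url-encoded CBOR structure."
+ )
+ })
+ );
  var zCredentialResponse = import_zod2.z.object({
  credentials: CredentialsSchema.optional().describe(
  "REQUIRED if lead_time and transaction_id are not present. MUST NOT be present otherwise."
@@ -299,9 +306,10 @@ async function fetchCredentialResponse(options) {
  method: "POST"
  });
  await (0, import_io_wallet_utils2.hasStatusOrThrow)(200, import_io_wallet_utils2.UnexpectedStatusCodeError)(credentialResponse);
+ const credentialResponseJson = await credentialResponse.json();
  return (0, import_utils3.parseWithErrorHandling)(
  zCredentialResponse,
  credentialResponse.json(),
+ credentialResponseJson,
  `Failed to parse credential response`
  );
  } catch (error) {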
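Review bot: The rewritten `CredentialsSchema` in the second hunk loses the `.min(1, "credential must not be empty")` constraint the removed schema had, and the new `z.array(...)` has no minimum length, so an issuer response carrying `credentials: []` or `{ credential: "" }` now parses as valid. Because this schema is what gates the issuer's response in `fetchCredentialResponse` (third hunk), I would keep the element check as `credential: import_zod2.z.string().min(1, "credential must not be empty").describe(` and close the array with `).min(1, "credentials must not be empty");`, applied in the TypeScript source this bundle is built from. The declarations show `zCredentialResponse` wrapped in `ZodEffects`, so a refinement exists, but its body is outside the hunk and it may only test for the presence of `credentials`, not its contents. The first hunk's guard likewise checks only that `redirect_uri` is truthy before it is passed on as `response_uri`; whether its scheme and host are validated further down in `completeAuthorization` is not visible here.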
package/dist/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/index.ts","../src/authorization-response/complete-authorization.ts","../src/errors.ts","../src/authorization-response/verify-authorization-response.ts","../src/authorization-response/z-authorization-response.ts","../src/credential-request/create-credential-request.ts","../src/credential-request/z-credential.ts","../src/credential-request/fetch-credential-response.ts","../src/wallet-provider/WalletProvider.ts"],"sourcesContent":["export * from \"./authorization-response\";\nexport * from \"./credential-request\";\nexport * from \"./errors\";\nexport * from \"./wallet-provider/WalletProvider\";\n","import { CallbackContext } from \"@openid4vc/oauth2\";\nimport { ValidationError, createFetcher } from \"@openid4vc/utils\";\nimport { getJwtFromFormPost } from \"@pagopa/io-wallet-oauth2\";\nimport {\n FetchAuthorizationResponseOptions,\n fetchAuthorizationResponse,\n} from \"@pagopa/io-wallet-oid4vp\";\nimport {\n UnexpectedStatusCodeError,\n hasStatusOrThrow,\n} from \"@pagopa/io-wallet-utils\";\n\nimport { Oid4vciError } from \"../errors\";\nimport {\n VerifyAuthorizationResponseFormPostJWTOptions,\n verifyAuthorizationResponseFormPostJWT,\n} from \"./verify-authorization-response\";\nimport {\n AuthorizationResponse,\n zAuthorizationResponse,\n} from \"./z-authorization-response\";\n\nexport interface CompleteAuthorizationOptions {\n callbacks: Pick<CallbackContext, \"fetch\">;\n\n /**\n * The response_uri returned by the server after a successful\n * OID4VP Authorization Response is sent\n */\n response_uri: string;\n}\n\n/**\n * Combination of {@link CompleteAuthorizationOptions},\n * {@link FetchAuthorizationResponseOptions} and\n * {@link VerifyAuthorizationResponseFormPostJWTOptions}\n */\nexport type SendAuthorizationResponseAndExtractCodeOptions =\n FetchAuthorizationResponseOptions &\n Omit<\n VerifyAuthorizationResponseFormPostJWTOptions,\n \"authorizationResponseCompact\" | \"authorizationResponseDecoded\"\n > &\n 
Omit<CompleteAuthorizationOptions, \"response_uri\">;\n\n/**\n * Method that completes the form_post.jwt based authorization\n * process for credentials issuance following the ITWallet\n * specification by retrieving the form from the provided uri,\n * extracting and parsing the contained JWT and verifying the\n * iss and state fields match the authorization session's expected\n * values.\n * See https://italia.github.io/eid-wallet-it-docs/versione-corrente/en/credential-issuance-low-level.html#\n * steps 6-7 for details.\n *\n * @param options {@link CompleteAuthorizationOptions}\n * @returns An object containing the fetched JWT and its decoding. The JWT contains the access code\n * necessary for access token issuance\n */\nexport async function completeAuthorization(\n options: CompleteAuthorizationOptions,\n): ReturnType<typeof getJwtFromFormPost<typeof zAuthorizationResponse>> {\n try {\n const fetch = createFetcher(options.callbacks.fetch);\n const authorizationResponseResult = await fetch(options.response_uri);\n\n await hasStatusOrThrow(\n 200,\n UnexpectedStatusCodeError,\n )(authorizationResponseResult);\n\n return await getJwtFromFormPost({\n formData: await authorizationResponseResult.text(),\n schema: zAuthorizationResponse,\n });\n } catch (error) {\n if (\n error instanceof UnexpectedStatusCodeError ||\n error instanceof ValidationError ||\n error instanceof Oid4vciError\n ) {\n throw error;\n }\n throw new Oid4vciError(\n `Unexpected error completing the authorization process: ${error instanceof Error ? 
`${error.name} : ${error.message}` : String(error)}`,\n );\n }\n}\n\n/**\n * Convenience method that combines {@link completeAuthorization},\n * oid4vp package's {@link fetchAuthorizationResponse} and {@link verifyAuthorizationResponseFormPostJWT} to retrieve the\n * access code starting from the authorization response and the response uri\n *\n * @param options {@link SendAuthorizationResponseAndExtractCodeOptions}\n * @returns An object containing the fetched JWT and its decoding. The JWT contains the access code\n * for necessary for access token issuance\n */\nexport async function sendAuthorizationResponseAndExtractCode(\n options: SendAuthorizationResponseAndExtractCodeOptions,\n): Promise<AuthorizationResponse> {\n try {\n const authorizationResult = await fetchAuthorizationResponse(options);\n\n const jwtAndPayload = await completeAuthorization({\n ...options,\n response_uri: authorizationResult.redirect_uri,\n });\n\n return verifyAuthorizationResponseFormPostJWT({\n authorizationResponseCompact: jwtAndPayload.jwt,\n authorizationResponseDecoded: jwtAndPayload.decodedJwt,\n callbacks: {\n verifyJwt: options.callbacks.verifyJwt,\n },\n iss: options.iss,\n signer: options.signer,\n state: options.state,\n });\n } catch (error) {\n if (\n error instanceof UnexpectedStatusCodeError ||\n error instanceof ValidationError ||\n error instanceof Oid4vciError\n ) {\n throw error;\n }\n throw new Oid4vciError(\n `Unexpected error sending the authorization response and retrieving the acces code: ${error instanceof Error ? 
error.message : String(error)}`,\n );\n }\n}\n","/**\n * Generic error thrown on Oid4vci operations\n */\nexport class Oid4vciError extends Error {\n constructor(\n message: string,\n public readonly statusCode?: number,\n ) {\n super(message);\n this.name = \"Oid4vciError\";\n }\n}\n\n/**\n * Error thrown in case the DPoP key passed to the\n * {@link WalletProvider.createItWalletAttestationJwt} method\n * doesn't contain a kid\n */\nexport class WalletProviderError extends Oid4vciError {\n constructor(\n message: string,\n public readonly originalError?: unknown,\n ) {\n super(message);\n this.name = \"WalletProviderError\";\n }\n}\n\n/**\n * Error thrown when an unexpected error occurs during nonce request.\n */\nexport class NonceRequestError extends Error {\n constructor(\n message: string,\n public readonly statusCode?: number,\n ) {\n super(message);\n this.name = \"NonceRequestError\";\n }\n}\n\n/**\n * Error thrown when an unexpected error occurs during credential response fetching.\n */\nexport class FetchCredentialResponseError extends Oid4vciError {\n constructor(\n message: string,\n public readonly originalError?: unknown,\n ) {\n super(message);\n this.name = \"FetchCredentialResponseError\";\n }\n}\n","import { CallbackContext, JwtSignerJwk, decodeJwt } from \"@openid4vc/oauth2\";\n\nimport { Oid4vciError } from \"../errors\";\nimport {\n AuthorizationResponse,\n zAuthorizationResponse,\n} from \"./z-authorization-response\";\n\nexport interface VerifyAuthorizationResponseOptions {\n /**\n * Authorization response object containing the authorization\n * code, the issuer and the session's state\n */\n authorizationResponse: AuthorizationResponse;\n\n /**\n * The issuer the Wallet Instance started the\n * authorization flow (either via PAR or directly) with\n */\n iss: string;\n\n /**\n * The state sent by the Wallet Instance at the start\n * of the authorization flow (either via PAR or directly)\n */\n state: string;\n}\n\nexport interface 
VerifyAuthorizationResponseFormPostJWTOptions {\n /**\n * Compact AuthorizaitonResponse JWT\n */\n authorizationResponseCompact: string;\n\n /**\n * Authorization Response object containing the authorization\n * code, the issuer and the session's state\n */\n authorizationResponseDecoded: ReturnType<\n typeof decodeJwt<undefined, typeof zAuthorizationResponse>\n >;\n\n /**\n * Callback for verifying the authorization jwt signature\n */\n callbacks: Pick<CallbackContext, \"verifyJwt\">;\n\n /**\n * The issuer the Wallet Instance started the\n * authorization flow (either via PAR or directly) with\n */\n iss: string;\n\n /**\n * Signer of the form POST returned jwt\n */\n signer: JwtSignerJwk;\n\n /**\n * The state sent by the Wallet Instance at the start\n * of the authorization flow (either via PAR or directly)\n */\n state: string;\n}\n\n/**\n * Utility that verifies if the returned Authorization Response's iss and state field match\n * the Authorization Session ones\n * @param options {@link VerifyAuthorizationResponseOptions}\n * @returns the {@link AuthorizationResponse} passed as an option\n * @throws {Oid4vciError} in case the iss or state field of the Authorization request don't\n * match the provided ones\n */\nexport async function verifyAuthorizationResponse(\n options: VerifyAuthorizationResponseOptions,\n): Promise<AuthorizationResponse> {\n if (options.authorizationResponse.iss !== options.iss)\n throw new Oid4vciError(\n `Response result iss doesn't match passed counterpart. Expected: ${options.iss}, Got: ${options.authorizationResponse.iss}`,\n );\n if (options.authorizationResponse.state !== options.state)\n throw new Oid4vciError(\n `Response result state doesn't match passed counterpart. 
Expected: ${options.state}, Got: ${options.authorizationResponse.state}`,\n );\n\n return options.authorizationResponse;\n}\n\n/**\n * Wrapper of {@link verifyAuthorizationResponse} that verifies the signature of the JWT containing\n * the authorization response and extracts the {@link AuthorizationResponse} payload\n * @param options {@link VerifyAuthorizationResponseFormPostJWTOptions}\n * @returns the {@link AuthorizationResponse} passed as an option\n * @throws {Oid4vciError} in case {@link verifyAuthorizationResponse} throws or in case\n * signature verification fails\n */\nexport async function verifyAuthorizationResponseFormPostJWT(\n options: VerifyAuthorizationResponseFormPostJWTOptions,\n): Promise<AuthorizationResponse> {\n try {\n const decodedJwt = options.authorizationResponseDecoded;\n const result = await options.callbacks.verifyJwt(options.signer, {\n compact: options.authorizationResponseCompact,\n ...decodedJwt,\n });\n\n if (!result.verified) {\n throw new Oid4vciError(\"Error verifying JWT signature\");\n }\n\n return verifyAuthorizationResponse({\n authorizationResponse: options.authorizationResponseDecoded.payload,\n iss: options.iss,\n state: options.state,\n });\n } catch (error) {\n if (error instanceof Oid4vciError) throw error;\n\n throw new Oid4vciError(\n `Unexpected error verifying form post jwt: ${error instanceof Error ? 
`${error.name} : ${error.message}` : String(error)}`,\n );\n }\n}\n","import z from \"zod\";\n\nexport const zAuthorizationResponse = z.object({\n code: z.string(),\n iss: z.string(),\n state: z.string(),\n});\n\nexport type AuthorizationResponse = z.infer<typeof zAuthorizationResponse>;\n","import { CallbackContext, JwtSignerJwk } from \"@openid4vc/oauth2\";\nimport { dateToSeconds, parseWithErrorHandling } from \"@openid4vc/utils\";\n\nimport { Oid4vciError } from \"../errors\";\nimport { CredentialRequest, zCredentialRequest } from \"./z-credential\";\n\nexport interface CredentialRequestOptions {\n /**\n * Callbacks to use for signing proof\n */\n callbacks: Pick<CallbackContext, \"signJwt\">;\n\n /**\n * Client identifier of the OAuth2 Client making the Credential Request.\n */\n clientId: string;\n\n /**\n * This MUST be set with one of the value obtained in the credential_identifiers claim of the Token Response.\n */\n credential_identifier: string;\n\n /**\n * Identifier of the Credential Issuer, for ex: https://issuer.example.com.\n */\n issuerIdentifier: string;\n\n /**\n * A nonce value previously requested to associate a Client session with the Credential Request.\n */\n nonce: string;\n\n /**\n * The signer of the credential PoP JWT.\n */\n signer: JwtSignerJwk;\n}\n\n/**\n * Create a Credential Request.\n * @param options - Options to create the Credential Request\n * @returns The created Credential Request\n */\nexport const createCredentialRequest = async (\n options: CredentialRequestOptions,\n): Promise<CredentialRequest> => {\n try {\n const { signJwt } = options.callbacks;\n const proofJwt = await signJwt(options.signer, {\n header: {\n alg: options.signer.alg,\n jwk: options.signer.publicJwk,\n typ: \"openid4vci-proof+jwt\",\n },\n payload: {\n aud: options.issuerIdentifier,\n iat: dateToSeconds(new Date()),\n iss: options.clientId,\n nonce: options.nonce,\n },\n });\n\n return parseWithErrorHandling(zCredentialRequest, {\n 
credential_identifier: options.credential_identifier,\n proof: {\n jwt: proofJwt.jwt,\n proof_type: \"jwt\",\n },\n } satisfies CredentialRequest);\n } catch (error) {\n throw new Oid4vciError(\n `Unexpected error during create credential request: ${error instanceof Error ? error.message : String(error)}`,\n );\n }\n};\n","import { z } from \"zod\";\n\n// Proof object schema\nconst ProofSchema = z.object({\n jwt: z.string().min(1, \"JWT must not be empty\"),\n proof_type: z.literal(\"jwt\"), // MUST be \"jwt\"\n});\n\nexport const zCredentialRequest = z\n .object({\n credential_configuration_id: z\n .string()\n .optional()\n .describe(\n \"REQUIRED if credential_identifiers param is absent. MUST NOT be used otherwise.\",\n ),\n\n credential_identifier: z\n .string()\n .optional()\n .describe(\n \"REQUIRED when Authorization Details of type openid_credential was returned. MUST NOT be used if credential_configuration_id is present.\",\n ),\n\n proof: ProofSchema.describe(\n \"REQUIRED. Proof of possession of key material (must contain proof_type=jwt and a jwt).\",\n ),\n\n transaction_id: z\n .string()\n .optional()\n .describe(\n \"REQUIRED only in case of deferred flow. 
MUST NOT be present in immediate flow.\",\n ),\n })\n .superRefine((data, ctx) => {\n // Exclusive OR between credential_identifier and credential_configuration_id\n if (data.credential_identifier && data.credential_configuration_id) {\n ctx.addIssue({\n code: \"custom\",\n message:\n \"credential_identifier and credential_configuration_id MUST NOT be used together\",\n path: [\"credential_identifier\"],\n });\n }\n\n if (!data.credential_identifier && !data.credential_configuration_id) {\n ctx.addIssue({\n code: \"custom\",\n message:\n \"One of credential_identifier or credential_configuration_id MUST be present\",\n path: [\"credential_identifier\"],\n });\n }\n });\n\nexport type CredentialRequest = z.infer<typeof zCredentialRequest>;\n\nconst CredentialsSchema = z.object({\n credential: z\n .string()\n .min(1, \"credential must not be empty\")\n .describe(\n \"REQUIRED. Contains the issued Digital Credential. Depending on format, may be raw JWT or base64url-encoded CBOR structure.\",\n ),\n});\n\nexport const zCredentialResponse = z\n .object({\n credentials: CredentialsSchema.optional().describe(\n \"REQUIRED if lead_time and transaction_id are not present. MUST NOT be present otherwise.\",\n ),\n\n lead_time: z\n .number()\n .int()\n .positive()\n .optional()\n .describe(\n \"REQUIRED if credentials is not present. MUST NOT be present otherwise.\",\n ),\n\n notification_id: z\n .string()\n .optional()\n .describe(\"OPTIONAL. MUST NOT be present if credentials is not present.\"),\n\n transaction_id: z\n .string()\n .optional()\n .describe(\n \"REQUIRED if credentials is not present. 
MUST NOT be present otherwise.\",\n ),\n })\n .superRefine((data, ctx) => {\n // Enforce XOR: credentials vs (lead_time + transaction_id)\n if (data.credentials && (data.lead_time || data.transaction_id)) {\n ctx.addIssue({\n code: \"custom\",\n message:\n \"credentials MUST NOT be present if lead_time or transaction_id is provided\",\n path: [\"credentials\"],\n });\n }\n\n if (!data.credentials && (!data.lead_time || !data.transaction_id)) {\n ctx.addIssue({\n code: \"custom\",\n message:\n \"If credentials is absent, both lead_time and transaction_id MUST be present\",\n path: [\"lead_time\"],\n });\n }\n\n // notification_id must only exist if credentials is present\n if (!data.credentials && data.notification_id) {\n ctx.addIssue({\n code: \"custom\",\n message: \"notification_id MUST NOT be present if credentials is absent\",\n path: [\"notification_id\"],\n });\n }\n });\n\nexport type CredentialResponse = z.infer<typeof zCredentialResponse>;\n","import { CallbackContext } from \"@openid4vc/oauth2\";\nimport { createFetcher, parseWithErrorHandling } from \"@openid4vc/utils\";\nimport {\n CONTENT_TYPES,\n HEADERS,\n UnexpectedStatusCodeError,\n ValidationError,\n hasStatusOrThrow,\n} from \"@pagopa/io-wallet-utils\";\n\nimport { FetchCredentialResponseError } from \"../errors\";\nimport {\n CredentialRequest,\n CredentialResponse,\n zCredentialResponse,\n} from \"./z-credential\";\n\nexport interface FetchCredentialResponseOptions {\n /**\n * Access token to authorize the credential request for DPoP mechanism\n */\n accessToken: string;\n /**\n * Callbacks to use for requesting access token\n */\n callbacks: Pick<CallbackContext, \"fetch\">;\n\n /**\n * The credential endpoint URL\n */\n credentialEndpoint: string;\n\n /**\n * Credential request body\n */\n credentialRequest: CredentialRequest;\n\n /**\n * DPoP proof with addition of ath claim\n */\n dPoP: string;\n}\n\n/**\n * Fetches a credential response from the credential endpoint.\n *\n * @param options 
- Options for fetching the credential response\n * @returns The credential response\n * @throws FetchCredentialResponseError if an unexpected error occurs during the fetch\n * @throws UnexpectedStatusCodeError if the response status code is not 200\n * @throws ValidationError if the response cannot be parsed as a valid credential response\n */\nexport async function fetchCredentialResponse(\n options: FetchCredentialResponseOptions,\n): Promise<CredentialResponse> {\n try {\n const fetch = createFetcher(options.callbacks.fetch);\n const credentialResponse = await fetch(options.credentialEndpoint, {\n body: JSON.stringify(options.credentialRequest),\n headers: {\n [HEADERS.AUTHORIZATION]: `DPoP ${options.accessToken}`,\n [HEADERS.CONTENT_TYPE]: CONTENT_TYPES.JSON,\n [HEADERS.DPOP]: options.dPoP,\n },\n method: \"POST\",\n });\n\n await hasStatusOrThrow(200, UnexpectedStatusCodeError)(credentialResponse);\n\n return parseWithErrorHandling(\n zCredentialResponse,\n credentialResponse.json(),\n `Failed to parse credential response`,\n );\n } catch (error) {\n if (\n error instanceof UnexpectedStatusCodeError ||\n error instanceof ValidationError\n ) {\n throw error;\n }\n throw new FetchCredentialResponseError(\n `Unexpected error during credential response: ${error instanceof Error ? 
error.message : String(error)}`,\n );\n }\n}\n","import { ClientAttestationJwtPayload } from \"@openid4vc/oauth2\";\nimport { Openid4vciWalletProvider } from \"@openid4vc/openid4vci\";\nimport { addSecondsToDate } from \"@openid4vc/utils\";\n\nimport { WalletProviderError } from \"../errors\";\n\n/**\n * @interface WalletAttestationOptions\n * @description Defines the options required to create a wallet attestation JWT.\n * This attestation is a signed token that proves the wallet's identity and possession of a cryptographic key.\n */\nexport interface WalletAttestationOptions {\n /**\n * The public part of the DPoP (Demonstrating Proof-of-Possession) key in JWK (JSON Web Key) format.\n * This key is used to bind the attestation to the client's session.\n * @type {ClientAttestationJwtPayload['cnf']}\n */\n dpopJwkPublic: ClientAttestationJwtPayload[\"cnf\"][\"jwk\"];\n\n /**\n * The optional expiration date for the attestation JWT. If not provided, a default lifetime will be used.\n * @type {Date}\n */\n expiresAt?: Date;\n /**\n * The issuer of the attestation, typically the Wallet Provider's identifier.\n * @type {string}\n */\n issuer: string;\n\n signer: {\n /**\n * An array of JWTs representing the chain of trust from the federation's trust anchor\n * to the wallet provider. 
This is used in federated identity systems to validate the provider's authenticity.\n * @type {[string, ...string[]]}\n */\n trustChain: [string, ...string[]];\n\n /**\n * The Key ID (`kid`) of the wallet provider's public key used for signing the attestation.\n * @type {string}\n */\n walletProviderJwkPublicKid: string;\n };\n\n /**\n * An optional deep link or URL that can be used to open or interact with the wallet.\n * @type {string}\n */\n walletLink?: string;\n\n /**\n * An optional display name for the wallet.\n * @type {string}\n */\n walletName?: string;\n}\n\n/**\n * @class WalletProvider\n * @extends Openid4vciWalletProvider\n * @description An implementation of a wallet provider for the OpenID4VCI protocol, tailored for a specific ecosystem (e.g., the Italian one).\n * It handles the creation of wallet attestations required during the credential issuance flow.\n */\nexport class WalletProvider extends Openid4vciWalletProvider {\n /**\n * Creates a wallet attestation JWT.\n *\n * This method constructs a signed JWT that asserts the wallet's control over a specific\n * cryptographic key (DPoP key). This is a security measure to ensure that the entity\n * presenting the credential offer is the legitimate wallet instance.\n *\n * @public\n * @async\n * @param {WalletAttestationOptions} options - The necessary parameters to build the attestation.\n * @returns {Promise<string>} A promise that resolves to the signed wallet attestation JWT as a string.\n */\n public async createItWalletAttestationJwt(\n options: WalletAttestationOptions,\n ): Promise<string> {\n if (!options.dpopJwkPublic.kid) {\n throw new WalletProviderError(\"The DPoP JWK must have a 'kid' property\");\n }\n\n const walletAttestation = await this.createWalletAttestationJwt({\n clientId: options.dpopJwkPublic.kid,\n confirmation: {\n // We use the same key for DPoP as the wallet attestation\n jwk: options.dpopJwkPublic,\n },\n expiresAt:\n options.expiresAt ?? 
addSecondsToDate(new Date(), 3600 * 24 * 60 * 60),\n issuer: options.issuer,\n signer: {\n alg: \"ES256\",\n kid: options.signer.walletProviderJwkPublicKid,\n method: \"federation\", // Indicates the validation method relies on a trust chain.\n trustChain: options.signer.trustChain,\n },\n walletLink: options.walletLink,\n walletName: options.walletName,\n });\n\n return walletAttestation;\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACCA,mBAA+C;AAC/C,8BAAmC;AACnC,8BAGO;AACP,6BAGO;;;ACPA,IAAM,eAAN,cAA2B,MAAM;AAAA,EACtC,YACE,SACgB,YAChB;AACA,UAAM,OAAO;AAFG;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;AAOO,IAAM,sBAAN,cAAkC,aAAa;AAAA,EACpD,YACE,SACgB,eAChB;AACA,UAAM,OAAO;AAFG;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;AAKO,IAAM,oBAAN,cAAgC,MAAM;AAAA,EAC3C,YACE,SACgB,YAChB;AACA,UAAM,OAAO;AAFG;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;AAKO,IAAM,+BAAN,cAA2C,aAAa;AAAA,EAC7D,YACE,SACgB,eAChB;AACA,UAAM,OAAO;AAFG;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;;;ACqBA,eAAsB,4BACpB,SACgC;AAChC,MAAI,QAAQ,sBAAsB,QAAQ,QAAQ;AAChD,UAAM,IAAI;AAAA,MACR,mEAAmE,QAAQ,GAAG,UAAU,QAAQ,sBAAsB,GAAG;AAAA,IAC3H;AACF,MAAI,QAAQ,sBAAsB,UAAU,QAAQ;AAClD,UAAM,IAAI;AAAA,MACR,qEAAqE,QAAQ,KAAK,UAAU,QAAQ,sBAAsB,KAAK;AAAA,IACjI;AAEF,SAAO,QAAQ;AACjB;AAUA,eAAsB,uCACpB,SACgC;AAChC,MAAI;AACF,UAAM,aAAa,QAAQ;AAC3B,UAAM,SAAS,MAAM,QAAQ,UAAU,UAAU,QAAQ,QAAQ;AAAA,MAC/D,SAAS,QAAQ;AAAA,MACjB,GAAG;AAAA,IACL,CAAC;AAED,QAAI,CAAC,OAAO,UAAU;AACpB,YAAM,IAAI,aAAa,+BAA+B;AAAA,IACxD;AAEA,WAAO,4BAA4B;AAAA,MACjC,uBAAuB,QAAQ,6BAA6B;AAAA,MAC5D,KAAK,QAAQ;AAAA,MACb,OAAO,QAAQ;AAAA,IACjB,CAAC;AAAA,EACH,SAAS,OAAO;AACd,QAAI,iBAAiB,aAAc,OAAM;AAEzC,UAAM,IAAI;AAAA,MACR,6CAA6C,iBAAiB,QAAQ,GAAG,MAAM,IAAI,MAAM,MAAM,OAAO,KAAK,OAAO,KAAK,CAAC;AAAA,IAC1H;AAAA,EACF;AACF;;;AC1HA,iBAAc;AAEP,IAAM,yBAAyB,WAAAA,QAAE,OAAO;AAAA,EAC7C,MAAM,WAAAA,QAAE,OAAO;AAAA,EACf,KAAK,WAAAA,QAAE,OAAO;AAAA,EACd,OAAO,WAAAA,QAAE,OAAO;AAClB,CAAC;;;AHqDD,eAAsB,sBACpB,SACsE;AACtE,MAAI;AACF,UAAM,YAAQ,4BAAc,QAAQ,UAAU,KAAK;AACnD,UAAM,8BAA8B,M
AAM,MAAM,QAAQ,YAAY;AAEpE,cAAM;AAAA,MACJ;AAAA,MACA;AAAA,IACF,EAAE,2BAA2B;AAE7B,WAAO,UAAM,4CAAmB;AAAA,MAC9B,UAAU,MAAM,4BAA4B,KAAK;AAAA,MACjD,QAAQ;AAAA,IACV,CAAC;AAAA,EACH,SAAS,OAAO;AACd,QACE,iBAAiB,oDACjB,iBAAiB,gCACjB,iBAAiB,cACjB;AACA,YAAM;AAAA,IACR;AACA,UAAM,IAAI;AAAA,MACR,0DAA0D,iBAAiB,QAAQ,GAAG,MAAM,IAAI,MAAM,MAAM,OAAO,KAAK,OAAO,KAAK,CAAC;AAAA,IACvI;AAAA,EACF;AACF;AAWA,eAAsB,wCACpB,SACgC;AAChC,MAAI;AACF,UAAM,sBAAsB,UAAM,oDAA2B,OAAO;AAEpE,UAAM,gBAAgB,MAAM,sBAAsB;AAAA,MAChD,GAAG;AAAA,MACH,cAAc,oBAAoB;AAAA,IACpC,CAAC;AAED,WAAO,uCAAuC;AAAA,MAC5C,8BAA8B,cAAc;AAAA,MAC5C,8BAA8B,cAAc;AAAA,MAC5C,WAAW;AAAA,QACT,WAAW,QAAQ,UAAU;AAAA,MAC/B;AAAA,MACA,KAAK,QAAQ;AAAA,MACb,QAAQ,QAAQ;AAAA,MAChB,OAAO,QAAQ;AAAA,IACjB,CAAC;AAAA,EACH,SAAS,OAAO;AACd,QACE,iBAAiB,oDACjB,iBAAiB,gCACjB,iBAAiB,cACjB;AACA,YAAM;AAAA,IACR;AACA,UAAM,IAAI;AAAA,MACR,sFAAsF,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK,CAAC;AAAA,IAC9I;AAAA,EACF;AACF;;;AIlIA,IAAAC,gBAAsD;;;ACDtD,IAAAC,cAAkB;AAGlB,IAAM,cAAc,cAAE,OAAO;AAAA,EAC3B,KAAK,cAAE,OAAO,EAAE,IAAI,GAAG,uBAAuB;AAAA,EAC9C,YAAY,cAAE,QAAQ,KAAK;AAAA;AAC7B,CAAC;AAEM,IAAM,qBAAqB,cAC/B,OAAO;AAAA,EACN,6BAA6B,cAC1B,OAAO,EACP,SAAS,EACT;AAAA,IACC;AAAA,EACF;AAAA,EAEF,uBAAuB,cACpB,OAAO,EACP,SAAS,EACT;AAAA,IACC;AAAA,EACF;AAAA,EAEF,OAAO,YAAY;AAAA,IACjB;AAAA,EACF;AAAA,EAEA,gBAAgB,cACb,OAAO,EACP,SAAS,EACT;AAAA,IACC;AAAA,EACF;AACJ,CAAC,EACA,YAAY,CAAC,MAAM,QAAQ;AAE1B,MAAI,KAAK,yBAAyB,KAAK,6BAA6B;AAClE,QAAI,SAAS;AAAA,MACX,MAAM;AAAA,MACN,SACE;AAAA,MACF,MAAM,CAAC,uBAAuB;AAAA,IAChC,CAAC;AAAA,EACH;AAEA,MAAI,CAAC,KAAK,yBAAyB,CAAC,KAAK,6BAA6B;AACpE,QAAI,SAAS;AAAA,MACX,MAAM;AAAA,MACN,SACE;AAAA,MACF,MAAM,CAAC,uBAAuB;AAAA,IAChC,CAAC;AAAA,EACH;AACF,CAAC;AAIH,IAAM,oBAAoB,cAAE,OAAO;AAAA,EACjC,YAAY,cACT,OAAO,EACP,IAAI,GAAG,8BAA8B,EACrC;AAAA,IACC;AAAA,EACF;AACJ,CAAC;AAEM,IAAM,sBAAsB,cAChC,OAAO;AAAA,EACN,aAAa,kBAAkB,SAAS,EAAE;AAAA,IACxC;AAAA,EACF;AAAA,EAEA,WAAW,cACR,OAAO,EACP,IAAI,EACJ,SAAS,EACT,SAAS,EACT;AAAA,IACC;AAAA,EACF;AAAA,EAEF,iBAAiB,cACd,OAAO,EACP,SAAS,EACT,SAAS,8DAA8D;AAAA,EAE1E,gBAAgB,cACb,OAAO,EACP
,SAAS,EACT;AAAA,IACC;AAAA,EACF;AACJ,CAAC,EACA,YAAY,CAAC,MAAM,QAAQ;AAE1B,MAAI,KAAK,gBAAgB,KAAK,aAAa,KAAK,iBAAiB;AAC/D,QAAI,SAAS;AAAA,MACX,MAAM;AAAA,MACN,SACE;AAAA,MACF,MAAM,CAAC,aAAa;AAAA,IACtB,CAAC;AAAA,EACH;AAEA,MAAI,CAAC,KAAK,gBAAgB,CAAC,KAAK,aAAa,CAAC,KAAK,iBAAiB;AAClE,QAAI,SAAS;AAAA,MACX,MAAM;AAAA,MACN,SACE;AAAA,MACF,MAAM,CAAC,WAAW;AAAA,IACpB,CAAC;AAAA,EACH;AAGA,MAAI,CAAC,KAAK,eAAe,KAAK,iBAAiB;AAC7C,QAAI,SAAS;AAAA,MACX,MAAM;AAAA,MACN,SAAS;AAAA,MACT,MAAM,CAAC,iBAAiB;AAAA,IAC1B,CAAC;AAAA,EACH;AACF,CAAC;;;AD/EI,IAAM,0BAA0B,OACrC,YAC+B;AAC/B,MAAI;AACF,UAAM,EAAE,QAAQ,IAAI,QAAQ;AAC5B,UAAM,WAAW,MAAM,QAAQ,QAAQ,QAAQ;AAAA,MAC7C,QAAQ;AAAA,QACN,KAAK,QAAQ,OAAO;AAAA,QACpB,KAAK,QAAQ,OAAO;AAAA,QACpB,KAAK;AAAA,MACP;AAAA,MACA,SAAS;AAAA,QACP,KAAK,QAAQ;AAAA,QACb,SAAK,6BAAc,oBAAI,KAAK,CAAC;AAAA,QAC7B,KAAK,QAAQ;AAAA,QACb,OAAO,QAAQ;AAAA,MACjB;AAAA,IACF,CAAC;AAED,eAAO,sCAAuB,oBAAoB;AAAA,MAChD,uBAAuB,QAAQ;AAAA,MAC/B,OAAO;AAAA,QACL,KAAK,SAAS;AAAA,QACd,YAAY;AAAA,MACd;AAAA,IACF,CAA6B;AAAA,EAC/B,SAAS,OAAO;AACd,UAAM,IAAI;AAAA,MACR,sDAAsD,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK,CAAC;AAAA,IAC9G;AAAA,EACF;AACF;;;AEzEA,IAAAC,gBAAsD;AACtD,IAAAC,0BAMO;AA4CP,eAAsB,wBACpB,SAC6B;AAC7B,MAAI;AACF,UAAM,YAAQ,6BAAc,QAAQ,UAAU,KAAK;AACnD,UAAM,qBAAqB,MAAM,MAAM,QAAQ,oBAAoB;AAAA,MACjE,MAAM,KAAK,UAAU,QAAQ,iBAAiB;AAAA,MAC9C,SAAS;AAAA,QACP,CAAC,gCAAQ,aAAa,GAAG,QAAQ,QAAQ,WAAW;AAAA,QACpD,CAAC,gCAAQ,YAAY,GAAG,sCAAc;AAAA,QACtC,CAAC,gCAAQ,IAAI,GAAG,QAAQ;AAAA,MAC1B;AAAA,MACA,QAAQ;AAAA,IACV,CAAC;AAED,cAAM,0CAAiB,KAAK,iDAAyB,EAAE,kBAAkB;AAEzE,eAAO;AAAA,MACL;AAAA,MACA,mBAAmB,KAAK;AAAA,MACxB;AAAA,IACF;AAAA,EACF,SAAS,OAAO;AACd,QACE,iBAAiB,qDACjB,iBAAiB,yCACjB;AACA,YAAM;AAAA,IACR;AACA,UAAM,IAAI;AAAA,MACR,gDAAgD,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK,CAAC;AAAA,IACxG;AAAA,EACF;AACF;;;ACpFA,wBAAyC;AACzC,IAAAC,gBAAiC;AA8D1B,IAAM,iBAAN,cAA6B,2CAAyB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAa3D,MAAa,6BACX,SACiB;AACjB,QAAI,CAAC,QAAQ,cAAc,KAAK;AAC9B,YAAM,IAAI,oBAAoB,yCAAyC;AAAA,IACzE;AAEA,UAAM,oBAAoB,MAAM,KAAK,2BAA2B;AAAA,
MAC9D,UAAU,QAAQ,cAAc;AAAA,MAChC,cAAc;AAAA;AAAA,QAEZ,KAAK,QAAQ;AAAA,MACf;AAAA,MACA,WACE,QAAQ,iBAAa,gCAAiB,oBAAI,KAAK,GAAG,OAAO,KAAK,KAAK,EAAE;AAAA,MACvE,QAAQ,QAAQ;AAAA,MAChB,QAAQ;AAAA,QACN,KAAK;AAAA,QACL,KAAK,QAAQ,OAAO;AAAA,QACpB,QAAQ;AAAA;AAAA,QACR,YAAY,QAAQ,OAAO;AAAA,MAC7B;AAAA,MACA,YAAY,QAAQ;AAAA,MACpB,YAAY,QAAQ;AAAA,IACtB,CAAC;AAED,WAAO;AAAA,EACT;AACF;","names":["z","import_utils","import_zod","import_utils","import_io_wallet_utils","import_utils"]}
1
+ {"version":3,"sources":["../src/index.ts","../src/authorization-response/complete-authorization.ts","../src/errors.ts","../src/authorization-response/verify-authorization-response.ts","../src/authorization-response/z-authorization-response.ts","../src/credential-request/create-credential-request.ts","../src/credential-request/z-credential.ts","../src/credential-request/fetch-credential-response.ts","../src/wallet-provider/WalletProvider.ts"],"sourcesContent":["export * from \"./authorization-response\";\nexport * from \"./credential-request\";\nexport * from \"./errors\";\nexport * from \"./wallet-provider/WalletProvider\";\n","import { CallbackContext } from \"@openid4vc/oauth2\";\nimport { ValidationError, createFetcher } from \"@openid4vc/utils\";\nimport { getJwtFromFormPost } from \"@pagopa/io-wallet-oauth2\";\nimport {\n FetchAuthorizationResponseOptions,\n fetchAuthorizationResponse,\n} from \"@pagopa/io-wallet-oid4vp\";\nimport {\n UnexpectedStatusCodeError,\n hasStatusOrThrow,\n} from \"@pagopa/io-wallet-utils\";\n\nimport { Oid4vciError } from \"../errors\";\nimport {\n VerifyAuthorizationResponseFormPostJWTOptions,\n verifyAuthorizationResponseFormPostJWT,\n} from \"./verify-authorization-response\";\nimport {\n AuthorizationResponse,\n zAuthorizationResponse,\n} from \"./z-authorization-response\";\n\nexport interface CompleteAuthorizationOptions {\n callbacks: Pick<CallbackContext, \"fetch\">;\n\n /**\n * The response_uri returned by the server after a successful\n * OID4VP Authorization Response is sent\n */\n response_uri: string;\n}\n\n/**\n * Combination of {@link CompleteAuthorizationOptions},\n * {@link FetchAuthorizationResponseOptions} and\n * {@link VerifyAuthorizationResponseFormPostJWTOptions}\n */\nexport type SendAuthorizationResponseAndExtractCodeOptions =\n FetchAuthorizationResponseOptions &\n Omit<\n VerifyAuthorizationResponseFormPostJWTOptions,\n \"authorizationResponseCompact\" | \"authorizationResponseDecoded\"\n > &\n 
Omit<CompleteAuthorizationOptions, \"response_uri\">;\n\n/**\n * Method that completes the form_post.jwt based authorization\n * process for credentials issuance following the ITWallet\n * specification by retrieving the form from the provided uri,\n * extracting and parsing the contained JWT and verifying the\n * iss and state fields match the authorization session's expected\n * values.\n * See https://italia.github.io/eid-wallet-it-docs/versione-corrente/en/credential-issuance-low-level.html#\n * steps 6-7 for details.\n *\n * @param options {@link CompleteAuthorizationOptions}\n * @returns An object containing the fetched JWT and its decoding. The JWT contains the access code\n * necessary for access token issuance\n */\nexport async function completeAuthorization(\n options: CompleteAuthorizationOptions,\n): ReturnType<typeof getJwtFromFormPost<typeof zAuthorizationResponse>> {\n try {\n const fetch = createFetcher(options.callbacks.fetch);\n const authorizationResponseResult = await fetch(options.response_uri);\n\n await hasStatusOrThrow(\n 200,\n UnexpectedStatusCodeError,\n )(authorizationResponseResult);\n\n return await getJwtFromFormPost({\n formData: await authorizationResponseResult.text(),\n schema: zAuthorizationResponse,\n });\n } catch (error) {\n if (\n error instanceof UnexpectedStatusCodeError ||\n error instanceof ValidationError ||\n error instanceof Oid4vciError\n ) {\n throw error;\n }\n throw new Oid4vciError(\n `Unexpected error completing the authorization process: ${error instanceof Error ? 
`${error.name} : ${error.message}` : String(error)}`,\n );\n }\n}\n\n/**\n * Convenience method that combines {@link completeAuthorization},\n * oid4vp package's {@link fetchAuthorizationResponse} and {@link verifyAuthorizationResponseFormPostJWT} to retrieve the\n * access code starting from the authorization response and the response uri\n *\n * @param options {@link SendAuthorizationResponseAndExtractCodeOptions}\n * @returns An object containing the fetched JWT and its decoding. The JWT contains the access code\n * for necessary for access token issuance\n */\nexport async function sendAuthorizationResponseAndExtractCode(\n options: SendAuthorizationResponseAndExtractCodeOptions,\n): Promise<AuthorizationResponse> {\n try {\n const authorizationResult = await fetchAuthorizationResponse(options);\n\n if (!authorizationResult.redirect_uri) {\n throw new Oid4vciError(\n \"The authorization response did not contain a redirect_uri\",\n );\n }\n\n const jwtAndPayload = await completeAuthorization({\n ...options,\n response_uri: authorizationResult.redirect_uri,\n });\n\n return verifyAuthorizationResponseFormPostJWT({\n authorizationResponseCompact: jwtAndPayload.jwt,\n authorizationResponseDecoded: jwtAndPayload.decodedJwt,\n callbacks: {\n verifyJwt: options.callbacks.verifyJwt,\n },\n iss: options.iss,\n signer: options.signer,\n state: options.state,\n });\n } catch (error) {\n if (\n error instanceof UnexpectedStatusCodeError ||\n error instanceof ValidationError ||\n error instanceof Oid4vciError\n ) {\n throw error;\n }\n throw new Oid4vciError(\n `Unexpected error sending the authorization response and retrieving the acces code: ${error instanceof Error ? 
error.message : String(error)}`,\n );\n }\n}\n","/**\n * Generic error thrown on Oid4vci operations\n */\nexport class Oid4vciError extends Error {\n constructor(\n message: string,\n public readonly statusCode?: number,\n ) {\n super(message);\n this.name = \"Oid4vciError\";\n }\n}\n\n/**\n * Error thrown in case the DPoP key passed to the\n * {@link WalletProvider.createItWalletAttestationJwt} method\n * doesn't contain a kid\n */\nexport class WalletProviderError extends Oid4vciError {\n constructor(\n message: string,\n public readonly originalError?: unknown,\n ) {\n super(message);\n this.name = \"WalletProviderError\";\n }\n}\n\n/**\n * Error thrown when an unexpected error occurs during nonce request.\n */\nexport class NonceRequestError extends Error {\n constructor(\n message: string,\n public readonly statusCode?: number,\n ) {\n super(message);\n this.name = \"NonceRequestError\";\n }\n}\n\n/**\n * Error thrown when an unexpected error occurs during credential response fetching.\n */\nexport class FetchCredentialResponseError extends Oid4vciError {\n constructor(\n message: string,\n public readonly originalError?: unknown,\n ) {\n super(message);\n this.name = \"FetchCredentialResponseError\";\n }\n}\n","import { CallbackContext, JwtSignerJwk, decodeJwt } from \"@openid4vc/oauth2\";\n\nimport { Oid4vciError } from \"../errors\";\nimport {\n AuthorizationResponse,\n zAuthorizationResponse,\n} from \"./z-authorization-response\";\n\nexport interface VerifyAuthorizationResponseOptions {\n /**\n * Authorization response object containing the authorization\n * code, the issuer and the session's state\n */\n authorizationResponse: AuthorizationResponse;\n\n /**\n * The issuer the Wallet Instance started the\n * authorization flow (either via PAR or directly) with\n */\n iss: string;\n\n /**\n * The state sent by the Wallet Instance at the start\n * of the authorization flow (either via PAR or directly)\n */\n state: string;\n}\n\nexport interface 
VerifyAuthorizationResponseFormPostJWTOptions {\n /**\n * Compact AuthorizaitonResponse JWT\n */\n authorizationResponseCompact: string;\n\n /**\n * Authorization Response object containing the authorization\n * code, the issuer and the session's state\n */\n authorizationResponseDecoded: ReturnType<\n typeof decodeJwt<undefined, typeof zAuthorizationResponse>\n >;\n\n /**\n * Callback for verifying the authorization jwt signature\n */\n callbacks: Pick<CallbackContext, \"verifyJwt\">;\n\n /**\n * The issuer the Wallet Instance started the\n * authorization flow (either via PAR or directly) with\n */\n iss: string;\n\n /**\n * Signer of the form POST returned jwt\n */\n signer: JwtSignerJwk;\n\n /**\n * The state sent by the Wallet Instance at the start\n * of the authorization flow (either via PAR or directly)\n */\n state: string;\n}\n\n/**\n * Utility that verifies if the returned Authorization Response's iss and state field match\n * the Authorization Session ones\n * @param options {@link VerifyAuthorizationResponseOptions}\n * @returns the {@link AuthorizationResponse} passed as an option\n * @throws {Oid4vciError} in case the iss or state field of the Authorization request don't\n * match the provided ones\n */\nexport async function verifyAuthorizationResponse(\n options: VerifyAuthorizationResponseOptions,\n): Promise<AuthorizationResponse> {\n if (options.authorizationResponse.iss !== options.iss)\n throw new Oid4vciError(\n `Response result iss doesn't match passed counterpart. Expected: ${options.iss}, Got: ${options.authorizationResponse.iss}`,\n );\n if (options.authorizationResponse.state !== options.state)\n throw new Oid4vciError(\n `Response result state doesn't match passed counterpart. 
Expected: ${options.state}, Got: ${options.authorizationResponse.state}`,\n );\n\n return options.authorizationResponse;\n}\n\n/**\n * Wrapper of {@link verifyAuthorizationResponse} that verifies the signature of the JWT containing\n * the authorization response and extracts the {@link AuthorizationResponse} payload\n * @param options {@link VerifyAuthorizationResponseFormPostJWTOptions}\n * @returns the {@link AuthorizationResponse} passed as an option\n * @throws {Oid4vciError} in case {@link verifyAuthorizationResponse} throws or in case\n * signature verification fails\n */\nexport async function verifyAuthorizationResponseFormPostJWT(\n options: VerifyAuthorizationResponseFormPostJWTOptions,\n): Promise<AuthorizationResponse> {\n try {\n const decodedJwt = options.authorizationResponseDecoded;\n const result = await options.callbacks.verifyJwt(options.signer, {\n compact: options.authorizationResponseCompact,\n ...decodedJwt,\n });\n\n if (!result.verified) {\n throw new Oid4vciError(\"Error verifying JWT signature\");\n }\n\n return verifyAuthorizationResponse({\n authorizationResponse: options.authorizationResponseDecoded.payload,\n iss: options.iss,\n state: options.state,\n });\n } catch (error) {\n if (error instanceof Oid4vciError) throw error;\n\n throw new Oid4vciError(\n `Unexpected error verifying form post jwt: ${error instanceof Error ? 
`${error.name} : ${error.message}` : String(error)}`,\n );\n }\n}\n","import z from \"zod\";\n\nexport const zAuthorizationResponse = z.object({\n code: z.string(),\n iss: z.string(),\n state: z.string(),\n});\n\nexport type AuthorizationResponse = z.infer<typeof zAuthorizationResponse>;\n","import { CallbackContext, JwtSignerJwk } from \"@openid4vc/oauth2\";\nimport { dateToSeconds, parseWithErrorHandling } from \"@openid4vc/utils\";\n\nimport { Oid4vciError } from \"../errors\";\nimport { CredentialRequest, zCredentialRequest } from \"./z-credential\";\n\nexport interface CredentialRequestOptions {\n /**\n * Callbacks to use for signing proof\n */\n callbacks: Pick<CallbackContext, \"signJwt\">;\n\n /**\n * Client identifier of the OAuth2 Client making the Credential Request.\n */\n clientId: string;\n\n /**\n * This MUST be set with one of the value obtained in the credential_identifiers claim of the Token Response.\n */\n credential_identifier: string;\n\n /**\n * Identifier of the Credential Issuer, for ex: https://issuer.example.com.\n */\n issuerIdentifier: string;\n\n /**\n * A nonce value previously requested to associate a Client session with the Credential Request.\n */\n nonce: string;\n\n /**\n * The signer of the credential PoP JWT.\n */\n signer: JwtSignerJwk;\n}\n\n/**\n * Create a Credential Request.\n * @param options - Options to create the Credential Request\n * @returns The created Credential Request\n */\nexport const createCredentialRequest = async (\n options: CredentialRequestOptions,\n): Promise<CredentialRequest> => {\n try {\n const { signJwt } = options.callbacks;\n const proofJwt = await signJwt(options.signer, {\n header: {\n alg: options.signer.alg,\n jwk: options.signer.publicJwk,\n typ: \"openid4vci-proof+jwt\",\n },\n payload: {\n aud: options.issuerIdentifier,\n iat: dateToSeconds(new Date()),\n iss: options.clientId,\n nonce: options.nonce,\n },\n });\n\n return parseWithErrorHandling(zCredentialRequest, {\n 
credential_identifier: options.credential_identifier,\n proof: {\n jwt: proofJwt.jwt,\n proof_type: \"jwt\",\n },\n } satisfies CredentialRequest);\n } catch (error) {\n throw new Oid4vciError(\n `Unexpected error during create credential request: ${error instanceof Error ? error.message : String(error)}`,\n );\n }\n};\n","import { z } from \"zod\";\n\n// Proof object schema\nconst ProofSchema = z.object({\n jwt: z.string().min(1, \"JWT must not be empty\"),\n proof_type: z.literal(\"jwt\"), // MUST be \"jwt\"\n});\n\nexport const zCredentialRequest = z\n .object({\n credential_configuration_id: z\n .string()\n .optional()\n .describe(\n \"REQUIRED if credential_identifiers param is absent. MUST NOT be used otherwise.\",\n ),\n\n credential_identifier: z\n .string()\n .optional()\n .describe(\n \"REQUIRED when Authorization Details of type openid_credential was returned. MUST NOT be used if credential_configuration_id is present.\",\n ),\n\n proof: ProofSchema.describe(\n \"REQUIRED. Proof of possession of key material (must contain proof_type=jwt and a jwt).\",\n ),\n\n transaction_id: z\n .string()\n .optional()\n .describe(\n \"REQUIRED only in case of deferred flow. 
MUST NOT be present in immediate flow.\",\n ),\n })\n .superRefine((data, ctx) => {\n // Exclusive OR between credential_identifier and credential_configuration_id\n if (data.credential_identifier && data.credential_configuration_id) {\n ctx.addIssue({\n code: \"custom\",\n message:\n \"credential_identifier and credential_configuration_id MUST NOT be used together\",\n path: [\"credential_identifier\"],\n });\n }\n\n if (!data.credential_identifier && !data.credential_configuration_id) {\n ctx.addIssue({\n code: \"custom\",\n message:\n \"One of credential_identifier or credential_configuration_id MUST be present\",\n path: [\"credential_identifier\"],\n });\n }\n });\n\nexport type CredentialRequest = z.infer<typeof zCredentialRequest>;\n\nconst CredentialsSchema = z.array(\n z.object({\n credential: z\n .string()\n .describe(\n \"REQUIRED. Contains the issued Digital Credential. Depending on format, may be raw JWT or base64url-encoded CBOR structure.\",\n ),\n }),\n);\n\nexport const zCredentialResponse = z\n .object({\n credentials: CredentialsSchema.optional().describe(\n \"REQUIRED if lead_time and transaction_id are not present. MUST NOT be present otherwise.\",\n ),\n\n lead_time: z\n .number()\n .int()\n .positive()\n .optional()\n .describe(\n \"REQUIRED if credentials is not present. MUST NOT be present otherwise.\",\n ),\n\n notification_id: z\n .string()\n .optional()\n .describe(\"OPTIONAL. MUST NOT be present if credentials is not present.\"),\n\n transaction_id: z\n .string()\n .optional()\n .describe(\n \"REQUIRED if credentials is not present. 
MUST NOT be present otherwise.\",\n ),\n })\n .superRefine((data, ctx) => {\n // Enforce XOR: credentials vs (lead_time + transaction_id)\n if (data.credentials && (data.lead_time || data.transaction_id)) {\n ctx.addIssue({\n code: \"custom\",\n message:\n \"credentials MUST NOT be present if lead_time or transaction_id is provided\",\n path: [\"credentials\"],\n });\n }\n\n if (!data.credentials && (!data.lead_time || !data.transaction_id)) {\n ctx.addIssue({\n code: \"custom\",\n message:\n \"If credentials is absent, both lead_time and transaction_id MUST be present\",\n path: [\"lead_time\"],\n });\n }\n\n // notification_id must only exist if credentials is present\n if (!data.credentials && data.notification_id) {\n ctx.addIssue({\n code: \"custom\",\n message: \"notification_id MUST NOT be present if credentials is absent\",\n path: [\"notification_id\"],\n });\n }\n });\n\nexport type CredentialResponse = z.infer<typeof zCredentialResponse>;\n","import { CallbackContext } from \"@openid4vc/oauth2\";\nimport { createFetcher, parseWithErrorHandling } from \"@openid4vc/utils\";\nimport {\n CONTENT_TYPES,\n HEADERS,\n UnexpectedStatusCodeError,\n ValidationError,\n hasStatusOrThrow,\n} from \"@pagopa/io-wallet-utils\";\n\nimport { FetchCredentialResponseError } from \"../errors\";\nimport {\n CredentialRequest,\n CredentialResponse,\n zCredentialResponse,\n} from \"./z-credential\";\n\nexport interface FetchCredentialResponseOptions {\n /**\n * Access token to authorize the credential request for DPoP mechanism\n */\n accessToken: string;\n /**\n * Callbacks to use for requesting access token\n */\n callbacks: Pick<CallbackContext, \"fetch\">;\n\n /**\n * The credential endpoint URL\n */\n credentialEndpoint: string;\n\n /**\n * Credential request body\n */\n credentialRequest: CredentialRequest;\n\n /**\n * DPoP proof with addition of ath claim\n */\n dPoP: string;\n}\n\n/**\n * Fetches a credential response from the credential endpoint.\n *\n * @param options 
- Options for fetching the credential response\n * @returns The credential response\n * @throws FetchCredentialResponseError if an unexpected error occurs during the fetch\n * @throws UnexpectedStatusCodeError if the response status code is not 200\n * @throws ValidationError if the response cannot be parsed as a valid credential response\n */\nexport async function fetchCredentialResponse(\n options: FetchCredentialResponseOptions,\n): Promise<CredentialResponse> {\n try {\n const fetch = createFetcher(options.callbacks.fetch);\n const credentialResponse = await fetch(options.credentialEndpoint, {\n body: JSON.stringify(options.credentialRequest),\n headers: {\n [HEADERS.AUTHORIZATION]: `DPoP ${options.accessToken}`,\n [HEADERS.CONTENT_TYPE]: CONTENT_TYPES.JSON,\n [HEADERS.DPOP]: options.dPoP,\n },\n method: \"POST\",\n });\n\n await hasStatusOrThrow(200, UnexpectedStatusCodeError)(credentialResponse);\n\n const credentialResponseJson = await credentialResponse.json();\n\n return parseWithErrorHandling(\n zCredentialResponse,\n credentialResponseJson,\n `Failed to parse credential response`,\n );\n } catch (error) {\n if (\n error instanceof UnexpectedStatusCodeError ||\n error instanceof ValidationError\n ) {\n throw error;\n }\n throw new FetchCredentialResponseError(\n `Unexpected error during credential response: ${error instanceof Error ? 
error.message : String(error)}`,\n );\n }\n}\n","import { ClientAttestationJwtPayload } from \"@openid4vc/oauth2\";\nimport { Openid4vciWalletProvider } from \"@openid4vc/openid4vci\";\nimport { addSecondsToDate } from \"@openid4vc/utils\";\n\nimport { WalletProviderError } from \"../errors\";\n\n/**\n * @interface WalletAttestationOptions\n * @description Defines the options required to create a wallet attestation JWT.\n * This attestation is a signed token that proves the wallet's identity and possession of a cryptographic key.\n */\nexport interface WalletAttestationOptions {\n /**\n * The public part of the DPoP (Demonstrating Proof-of-Possession) key in JWK (JSON Web Key) format.\n * This key is used to bind the attestation to the client's session.\n * @type {ClientAttestationJwtPayload['cnf']}\n */\n dpopJwkPublic: ClientAttestationJwtPayload[\"cnf\"][\"jwk\"];\n\n /**\n * The optional expiration date for the attestation JWT. If not provided, a default lifetime will be used.\n * @type {Date}\n */\n expiresAt?: Date;\n /**\n * The issuer of the attestation, typically the Wallet Provider's identifier.\n * @type {string}\n */\n issuer: string;\n\n signer: {\n /**\n * An array of JWTs representing the chain of trust from the federation's trust anchor\n * to the wallet provider. 
This is used in federated identity systems to validate the provider's authenticity.\n * @type {[string, ...string[]]}\n */\n trustChain: [string, ...string[]];\n\n /**\n * The Key ID (`kid`) of the wallet provider's public key used for signing the attestation.\n * @type {string}\n */\n walletProviderJwkPublicKid: string;\n };\n\n /**\n * An optional deep link or URL that can be used to open or interact with the wallet.\n * @type {string}\n */\n walletLink?: string;\n\n /**\n * An optional display name for the wallet.\n * @type {string}\n */\n walletName?: string;\n}\n\n/**\n * @class WalletProvider\n * @extends Openid4vciWalletProvider\n * @description An implementation of a wallet provider for the OpenID4VCI protocol, tailored for a specific ecosystem (e.g., the Italian one).\n * It handles the creation of wallet attestations required during the credential issuance flow.\n */\nexport class WalletProvider extends Openid4vciWalletProvider {\n /**\n * Creates a wallet attestation JWT.\n *\n * This method constructs a signed JWT that asserts the wallet's control over a specific\n * cryptographic key (DPoP key). This is a security measure to ensure that the entity\n * presenting the credential offer is the legitimate wallet instance.\n *\n * @public\n * @async\n * @param {WalletAttestationOptions} options - The necessary parameters to build the attestation.\n * @returns {Promise<string>} A promise that resolves to the signed wallet attestation JWT as a string.\n */\n public async createItWalletAttestationJwt(\n options: WalletAttestationOptions,\n ): Promise<string> {\n if (!options.dpopJwkPublic.kid) {\n throw new WalletProviderError(\"The DPoP JWK must have a 'kid' property\");\n }\n\n const walletAttestation = await this.createWalletAttestationJwt({\n clientId: options.dpopJwkPublic.kid,\n confirmation: {\n // We use the same key for DPoP as the wallet attestation\n jwk: options.dpopJwkPublic,\n },\n expiresAt:\n options.expiresAt ?? 
addSecondsToDate(new Date(), 3600 * 24 * 60 * 60),\n issuer: options.issuer,\n signer: {\n alg: \"ES256\",\n kid: options.signer.walletProviderJwkPublicKid,\n method: \"federation\", // Indicates the validation method relies on a trust chain.\n trustChain: options.signer.trustChain,\n },\n walletLink: options.walletLink,\n walletName: options.walletName,\n });\n\n return walletAttestation;\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACCA,mBAA+C;AAC/C,8BAAmC;AACnC,8BAGO;AACP,6BAGO;;;ACPA,IAAM,eAAN,cAA2B,MAAM;AAAA,EACtC,YACE,SACgB,YAChB;AACA,UAAM,OAAO;AAFG;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;AAOO,IAAM,sBAAN,cAAkC,aAAa;AAAA,EACpD,YACE,SACgB,eAChB;AACA,UAAM,OAAO;AAFG;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;AAKO,IAAM,oBAAN,cAAgC,MAAM;AAAA,EAC3C,YACE,SACgB,YAChB;AACA,UAAM,OAAO;AAFG;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;AAKO,IAAM,+BAAN,cAA2C,aAAa;AAAA,EAC7D,YACE,SACgB,eAChB;AACA,UAAM,OAAO;AAFG;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;;;ACqBA,eAAsB,4BACpB,SACgC;AAChC,MAAI,QAAQ,sBAAsB,QAAQ,QAAQ;AAChD,UAAM,IAAI;AAAA,MACR,mEAAmE,QAAQ,GAAG,UAAU,QAAQ,sBAAsB,GAAG;AAAA,IAC3H;AACF,MAAI,QAAQ,sBAAsB,UAAU,QAAQ;AAClD,UAAM,IAAI;AAAA,MACR,qEAAqE,QAAQ,KAAK,UAAU,QAAQ,sBAAsB,KAAK;AAAA,IACjI;AAEF,SAAO,QAAQ;AACjB;AAUA,eAAsB,uCACpB,SACgC;AAChC,MAAI;AACF,UAAM,aAAa,QAAQ;AAC3B,UAAM,SAAS,MAAM,QAAQ,UAAU,UAAU,QAAQ,QAAQ;AAAA,MAC/D,SAAS,QAAQ;AAAA,MACjB,GAAG;AAAA,IACL,CAAC;AAED,QAAI,CAAC,OAAO,UAAU;AACpB,YAAM,IAAI,aAAa,+BAA+B;AAAA,IACxD;AAEA,WAAO,4BAA4B;AAAA,MACjC,uBAAuB,QAAQ,6BAA6B;AAAA,MAC5D,KAAK,QAAQ;AAAA,MACb,OAAO,QAAQ;AAAA,IACjB,CAAC;AAAA,EACH,SAAS,OAAO;AACd,QAAI,iBAAiB,aAAc,OAAM;AAEzC,UAAM,IAAI;AAAA,MACR,6CAA6C,iBAAiB,QAAQ,GAAG,MAAM,IAAI,MAAM,MAAM,OAAO,KAAK,OAAO,KAAK,CAAC;AAAA,IAC1H;AAAA,EACF;AACF;;;AC1HA,iBAAc;AAEP,IAAM,yBAAyB,WAAAA,QAAE,OAAO;AAAA,EAC7C,MAAM,WAAAA,QAAE,OAAO;AAAA,EACf,KAAK,WAAAA,QAAE,OAAO;AAAA,EACd,OAAO,WAAAA,QAAE,OAAO;AAClB,CAAC;;;AHqDD,eAAsB,sBACpB,SACsE;AACtE,MAAI;AACF,UAAM,YAAQ,4BAAc,QAAQ,UAAU,KAAK;AACnD,UAAM,8BAA8B,M
AAM,MAAM,QAAQ,YAAY;AAEpE,cAAM;AAAA,MACJ;AAAA,MACA;AAAA,IACF,EAAE,2BAA2B;AAE7B,WAAO,UAAM,4CAAmB;AAAA,MAC9B,UAAU,MAAM,4BAA4B,KAAK;AAAA,MACjD,QAAQ;AAAA,IACV,CAAC;AAAA,EACH,SAAS,OAAO;AACd,QACE,iBAAiB,oDACjB,iBAAiB,gCACjB,iBAAiB,cACjB;AACA,YAAM;AAAA,IACR;AACA,UAAM,IAAI;AAAA,MACR,0DAA0D,iBAAiB,QAAQ,GAAG,MAAM,IAAI,MAAM,MAAM,OAAO,KAAK,OAAO,KAAK,CAAC;AAAA,IACvI;AAAA,EACF;AACF;AAWA,eAAsB,wCACpB,SACgC;AAChC,MAAI;AACF,UAAM,sBAAsB,UAAM,oDAA2B,OAAO;AAEpE,QAAI,CAAC,oBAAoB,cAAc;AACrC,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AAEA,UAAM,gBAAgB,MAAM,sBAAsB;AAAA,MAChD,GAAG;AAAA,MACH,cAAc,oBAAoB;AAAA,IACpC,CAAC;AAED,WAAO,uCAAuC;AAAA,MAC5C,8BAA8B,cAAc;AAAA,MAC5C,8BAA8B,cAAc;AAAA,MAC5C,WAAW;AAAA,QACT,WAAW,QAAQ,UAAU;AAAA,MAC/B;AAAA,MACA,KAAK,QAAQ;AAAA,MACb,QAAQ,QAAQ;AAAA,MAChB,OAAO,QAAQ;AAAA,IACjB,CAAC;AAAA,EACH,SAAS,OAAO;AACd,QACE,iBAAiB,oDACjB,iBAAiB,gCACjB,iBAAiB,cACjB;AACA,YAAM;AAAA,IACR;AACA,UAAM,IAAI;AAAA,MACR,sFAAsF,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK,CAAC;AAAA,IAC9I;AAAA,EACF;AACF;;;AIxIA,IAAAC,gBAAsD;;;ACDtD,IAAAC,cAAkB;AAGlB,IAAM,cAAc,cAAE,OAAO;AAAA,EAC3B,KAAK,cAAE,OAAO,EAAE,IAAI,GAAG,uBAAuB;AAAA,EAC9C,YAAY,cAAE,QAAQ,KAAK;AAAA;AAC7B,CAAC;AAEM,IAAM,qBAAqB,cAC/B,OAAO;AAAA,EACN,6BAA6B,cAC1B,OAAO,EACP,SAAS,EACT;AAAA,IACC;AAAA,EACF;AAAA,EAEF,uBAAuB,cACpB,OAAO,EACP,SAAS,EACT;AAAA,IACC;AAAA,EACF;AAAA,EAEF,OAAO,YAAY;AAAA,IACjB;AAAA,EACF;AAAA,EAEA,gBAAgB,cACb,OAAO,EACP,SAAS,EACT;AAAA,IACC;AAAA,EACF;AACJ,CAAC,EACA,YAAY,CAAC,MAAM,QAAQ;AAE1B,MAAI,KAAK,yBAAyB,KAAK,6BAA6B;AAClE,QAAI,SAAS;AAAA,MACX,MAAM;AAAA,MACN,SACE;AAAA,MACF,MAAM,CAAC,uBAAuB;AAAA,IAChC,CAAC;AAAA,EACH;AAEA,MAAI,CAAC,KAAK,yBAAyB,CAAC,KAAK,6BAA6B;AACpE,QAAI,SAAS;AAAA,MACX,MAAM;AAAA,MACN,SACE;AAAA,MACF,MAAM,CAAC,uBAAuB;AAAA,IAChC,CAAC;AAAA,EACH;AACF,CAAC;AAIH,IAAM,oBAAoB,cAAE;AAAA,EAC1B,cAAE,OAAO;AAAA,IACP,YAAY,cACT,OAAO,EACP;AAAA,MACC;AAAA,IACF;AAAA,EACJ,CAAC;AACH;AAEO,IAAM,sBAAsB,cAChC,OAAO;AAAA,EACN,aAAa,kBAAkB,SAAS,EAAE;AAAA,IACxC;AAAA,EACF;AAAA,EAEA,WAAW,cACR,OAAO,EACP,IAAI,EACJ,SAAS,EACT,SAAS,EACT;AAAA,IACC;AAAA,EACF;AAAA,EAEF,i
BAAiB,cACd,OAAO,EACP,SAAS,EACT,SAAS,8DAA8D;AAAA,EAE1E,gBAAgB,cACb,OAAO,EACP,SAAS,EACT;AAAA,IACC;AAAA,EACF;AACJ,CAAC,EACA,YAAY,CAAC,MAAM,QAAQ;AAE1B,MAAI,KAAK,gBAAgB,KAAK,aAAa,KAAK,iBAAiB;AAC/D,QAAI,SAAS;AAAA,MACX,MAAM;AAAA,MACN,SACE;AAAA,MACF,MAAM,CAAC,aAAa;AAAA,IACtB,CAAC;AAAA,EACH;AAEA,MAAI,CAAC,KAAK,gBAAgB,CAAC,KAAK,aAAa,CAAC,KAAK,iBAAiB;AAClE,QAAI,SAAS;AAAA,MACX,MAAM;AAAA,MACN,SACE;AAAA,MACF,MAAM,CAAC,WAAW;AAAA,IACpB,CAAC;AAAA,EACH;AAGA,MAAI,CAAC,KAAK,eAAe,KAAK,iBAAiB;AAC7C,QAAI,SAAS;AAAA,MACX,MAAM;AAAA,MACN,SAAS;AAAA,MACT,MAAM,CAAC,iBAAiB;AAAA,IAC1B,CAAC;AAAA,EACH;AACF,CAAC;;;ADhFI,IAAM,0BAA0B,OACrC,YAC+B;AAC/B,MAAI;AACF,UAAM,EAAE,QAAQ,IAAI,QAAQ;AAC5B,UAAM,WAAW,MAAM,QAAQ,QAAQ,QAAQ;AAAA,MAC7C,QAAQ;AAAA,QACN,KAAK,QAAQ,OAAO;AAAA,QACpB,KAAK,QAAQ,OAAO;AAAA,QACpB,KAAK;AAAA,MACP;AAAA,MACA,SAAS;AAAA,QACP,KAAK,QAAQ;AAAA,QACb,SAAK,6BAAc,oBAAI,KAAK,CAAC;AAAA,QAC7B,KAAK,QAAQ;AAAA,QACb,OAAO,QAAQ;AAAA,MACjB;AAAA,IACF,CAAC;AAED,eAAO,sCAAuB,oBAAoB;AAAA,MAChD,uBAAuB,QAAQ;AAAA,MAC/B,OAAO;AAAA,QACL,KAAK,SAAS;AAAA,QACd,YAAY;AAAA,MACd;AAAA,IACF,CAA6B;AAAA,EAC/B,SAAS,OAAO;AACd,UAAM,IAAI;AAAA,MACR,sDAAsD,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK,CAAC;AAAA,IAC9G;AAAA,EACF;AACF;;;AEzEA,IAAAC,gBAAsD;AACtD,IAAAC,0BAMO;AA4CP,eAAsB,wBACpB,SAC6B;AAC7B,MAAI;AACF,UAAM,YAAQ,6BAAc,QAAQ,UAAU,KAAK;AACnD,UAAM,qBAAqB,MAAM,MAAM,QAAQ,oBAAoB;AAAA,MACjE,MAAM,KAAK,UAAU,QAAQ,iBAAiB;AAAA,MAC9C,SAAS;AAAA,QACP,CAAC,gCAAQ,aAAa,GAAG,QAAQ,QAAQ,WAAW;AAAA,QACpD,CAAC,gCAAQ,YAAY,GAAG,sCAAc;AAAA,QACtC,CAAC,gCAAQ,IAAI,GAAG,QAAQ;AAAA,MAC1B;AAAA,MACA,QAAQ;AAAA,IACV,CAAC;AAED,cAAM,0CAAiB,KAAK,iDAAyB,EAAE,kBAAkB;AAEzE,UAAM,yBAAyB,MAAM,mBAAmB,KAAK;AAE7D,eAAO;AAAA,MACL;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,EACF,SAAS,OAAO;AACd,QACE,iBAAiB,qDACjB,iBAAiB,yCACjB;AACA,YAAM;AAAA,IACR;AACA,UAAM,IAAI;AAAA,MACR,gDAAgD,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK,CAAC;AAAA,IACxG;AAAA,EACF;AACF;;;ACtFA,wBAAyC;AACzC,IAAAC,gBAAiC;AA8D1B,IAAM,iBAAN,cAA6B,2CAAyB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAa3D,MAAa,6BACX,SACiB;AACjB,QAAI,CAA
C,QAAQ,cAAc,KAAK;AAC9B,YAAM,IAAI,oBAAoB,yCAAyC;AAAA,IACzE;AAEA,UAAM,oBAAoB,MAAM,KAAK,2BAA2B;AAAA,MAC9D,UAAU,QAAQ,cAAc;AAAA,MAChC,cAAc;AAAA;AAAA,QAEZ,KAAK,QAAQ;AAAA,MACf;AAAA,MACA,WACE,QAAQ,iBAAa,gCAAiB,oBAAI,KAAK,GAAG,OAAO,KAAK,KAAK,EAAE;AAAA,MACvE,QAAQ,QAAQ;AAAA,MAChB,QAAQ;AAAA,QACN,KAAK;AAAA,QACL,KAAK,QAAQ,OAAO;AAAA,QACpB,QAAQ;AAAA;AAAA,QACR,YAAY,QAAQ,OAAO;AAAA,MAC7B;AAAA,MACA,YAAY,QAAQ;AAAA,MACpB,YAAY,QAAQ;AAAA,IACtB,CAAC;AAED,WAAO;AAAA,EACT;AACF;","names":["z","import_utils","import_zod","import_utils","import_io_wallet_utils","import_utils"]}
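--- a/package/dist/index.mjs
+++ b/package/dist/index.mjs
@@ -107,6 +107,11 @@ async function completeAuthorization(options) {
  async function sendAuthorizationResponseAndExtractCode(options) {
  try {
  const authorizationResult = await fetchAuthorizationResponse(options);
+ if (!authorizationResult.redirect_uri) {
+ throw new Oid4vciError(
+ "The authorization response did not contain a redirect_uri"
+ );
+ }
  const jwtAndPayload = await completeAuthorization({
  ...options,
  response_uri: authorizationResult.redirect_uri
@@ -170,11 +175,13 @@ var zCredentialRequest = z2.object({
  });
  }
  });
- var CredentialsSchema = z2.object({
- credential: z2.string().min(1, "credential must not be empty").describe(
- "REQUIRED. Contains the issued Digital Credential. Depending on format, may be raw JWT or base64url-encoded CBOR structure."
- )
- });
+ var CredentialsSchema = z2.array(
+ z2.object({
+ credential: z2.string().describe(
+ "REQUIRED. Contains the issued Digital Credential. Depending on format, may be raw JWT or base64url-encoded CBOR structure."
+ )
+ })
+ );
  var zCredentialResponse = z2.object({
  credentials: CredentialsSchema.optional().describe(
  "REQUIRED if lead_time and transaction_id are not present. MUST NOT be present otherwise."
@@ -263,9 +270,10 @@ async function fetchCredentialResponse(options) {
  method: "POST"
  });
  await hasStatusOrThrow2(200, UnexpectedStatusCodeError2)(credentialResponse);
+ const credentialResponseJson = await credentialResponse.json();
  return parseWithErrorHandling2(
  zCredentialResponse,
- credentialResponse.json(),
+ credentialResponseJson,
  `Failed to parse credential response`
  );
  } catch (error) {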
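Review bot: The rewritten `CredentialsSchema` in the second hunk accepts more than the old one: the `.min(1, "credential must not be empty")` constraint on `credential` is gone and the new array has no lower bound, so `credentials: []` and `credentials: [{ credential: "" }]` both parse. The refinement shown in the embedded z-credential.ts source tests `data.credentials` for truthiness, and an empty array is truthy, so a response that carries no usable credential would apparently validate as an immediate-issuance response. I would keep `credential: z2.string().min(1, "credential must not be empty")` on the element and close the array with `).min(1)`, so callers never receive an empty credential set from a response that passed validation. The `zCredentialResponse` definition continues outside the hunk.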
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/authorization-response/complete-authorization.ts","../src/errors.ts","../src/authorization-response/verify-authorization-response.ts","../src/authorization-response/z-authorization-response.ts","../src/credential-request/create-credential-request.ts","../src/credential-request/z-credential.ts","../src/credential-request/fetch-credential-response.ts","../src/wallet-provider/WalletProvider.ts"],"sourcesContent":["import { CallbackContext } from \"@openid4vc/oauth2\";\nimport { ValidationError, createFetcher } from \"@openid4vc/utils\";\nimport { getJwtFromFormPost } from \"@pagopa/io-wallet-oauth2\";\nimport {\n FetchAuthorizationResponseOptions,\n fetchAuthorizationResponse,\n} from \"@pagopa/io-wallet-oid4vp\";\nimport {\n UnexpectedStatusCodeError,\n hasStatusOrThrow,\n} from \"@pagopa/io-wallet-utils\";\n\nimport { Oid4vciError } from \"../errors\";\nimport {\n VerifyAuthorizationResponseFormPostJWTOptions,\n verifyAuthorizationResponseFormPostJWT,\n} from \"./verify-authorization-response\";\nimport {\n AuthorizationResponse,\n zAuthorizationResponse,\n} from \"./z-authorization-response\";\n\nexport interface CompleteAuthorizationOptions {\n callbacks: Pick<CallbackContext, \"fetch\">;\n\n /**\n * The response_uri returned by the server after a successful\n * OID4VP Authorization Response is sent\n */\n response_uri: string;\n}\n\n/**\n * Combination of {@link CompleteAuthorizationOptions},\n * {@link FetchAuthorizationResponseOptions} and\n * {@link VerifyAuthorizationResponseFormPostJWTOptions}\n */\nexport type SendAuthorizationResponseAndExtractCodeOptions =\n FetchAuthorizationResponseOptions &\n Omit<\n VerifyAuthorizationResponseFormPostJWTOptions,\n \"authorizationResponseCompact\" | \"authorizationResponseDecoded\"\n > &\n Omit<CompleteAuthorizationOptions, \"response_uri\">;\n\n/**\n * Method that completes the form_post.jwt based authorization\n * process for credentials issuance following the ITWallet\n * 
specification by retrieving the form from the provided uri,\n * extracting and parsing the contained JWT and verifying the\n * iss and state fields match the authorization session's expected\n * values.\n * See https://italia.github.io/eid-wallet-it-docs/versione-corrente/en/credential-issuance-low-level.html#\n * steps 6-7 for details.\n *\n * @param options {@link CompleteAuthorizationOptions}\n * @returns An object containing the fetched JWT and its decoding. The JWT contains the access code\n * necessary for access token issuance\n */\nexport async function completeAuthorization(\n options: CompleteAuthorizationOptions,\n): ReturnType<typeof getJwtFromFormPost<typeof zAuthorizationResponse>> {\n try {\n const fetch = createFetcher(options.callbacks.fetch);\n const authorizationResponseResult = await fetch(options.response_uri);\n\n await hasStatusOrThrow(\n 200,\n UnexpectedStatusCodeError,\n )(authorizationResponseResult);\n\n return await getJwtFromFormPost({\n formData: await authorizationResponseResult.text(),\n schema: zAuthorizationResponse,\n });\n } catch (error) {\n if (\n error instanceof UnexpectedStatusCodeError ||\n error instanceof ValidationError ||\n error instanceof Oid4vciError\n ) {\n throw error;\n }\n throw new Oid4vciError(\n `Unexpected error completing the authorization process: ${error instanceof Error ? `${error.name} : ${error.message}` : String(error)}`,\n );\n }\n}\n\n/**\n * Convenience method that combines {@link completeAuthorization},\n * oid4vp package's {@link fetchAuthorizationResponse} and {@link verifyAuthorizationResponseFormPostJWT} to retrieve the\n * access code starting from the authorization response and the response uri\n *\n * @param options {@link SendAuthorizationResponseAndExtractCodeOptions}\n * @returns An object containing the fetched JWT and its decoding. 
The JWT contains the access code\n * for necessary for access token issuance\n */\nexport async function sendAuthorizationResponseAndExtractCode(\n options: SendAuthorizationResponseAndExtractCodeOptions,\n): Promise<AuthorizationResponse> {\n try {\n const authorizationResult = await fetchAuthorizationResponse(options);\n\n const jwtAndPayload = await completeAuthorization({\n ...options,\n response_uri: authorizationResult.redirect_uri,\n });\n\n return verifyAuthorizationResponseFormPostJWT({\n authorizationResponseCompact: jwtAndPayload.jwt,\n authorizationResponseDecoded: jwtAndPayload.decodedJwt,\n callbacks: {\n verifyJwt: options.callbacks.verifyJwt,\n },\n iss: options.iss,\n signer: options.signer,\n state: options.state,\n });\n } catch (error) {\n if (\n error instanceof UnexpectedStatusCodeError ||\n error instanceof ValidationError ||\n error instanceof Oid4vciError\n ) {\n throw error;\n }\n throw new Oid4vciError(\n `Unexpected error sending the authorization response and retrieving the acces code: ${error instanceof Error ? 
error.message : String(error)}`,\n );\n }\n}\n","/**\n * Generic error thrown on Oid4vci operations\n */\nexport class Oid4vciError extends Error {\n constructor(\n message: string,\n public readonly statusCode?: number,\n ) {\n super(message);\n this.name = \"Oid4vciError\";\n }\n}\n\n/**\n * Error thrown in case the DPoP key passed to the\n * {@link WalletProvider.createItWalletAttestationJwt} method\n * doesn't contain a kid\n */\nexport class WalletProviderError extends Oid4vciError {\n constructor(\n message: string,\n public readonly originalError?: unknown,\n ) {\n super(message);\n this.name = \"WalletProviderError\";\n }\n}\n\n/**\n * Error thrown when an unexpected error occurs during nonce request.\n */\nexport class NonceRequestError extends Error {\n constructor(\n message: string,\n public readonly statusCode?: number,\n ) {\n super(message);\n this.name = \"NonceRequestError\";\n }\n}\n\n/**\n * Error thrown when an unexpected error occurs during credential response fetching.\n */\nexport class FetchCredentialResponseError extends Oid4vciError {\n constructor(\n message: string,\n public readonly originalError?: unknown,\n ) {\n super(message);\n this.name = \"FetchCredentialResponseError\";\n }\n}\n","import { CallbackContext, JwtSignerJwk, decodeJwt } from \"@openid4vc/oauth2\";\n\nimport { Oid4vciError } from \"../errors\";\nimport {\n AuthorizationResponse,\n zAuthorizationResponse,\n} from \"./z-authorization-response\";\n\nexport interface VerifyAuthorizationResponseOptions {\n /**\n * Authorization response object containing the authorization\n * code, the issuer and the session's state\n */\n authorizationResponse: AuthorizationResponse;\n\n /**\n * The issuer the Wallet Instance started the\n * authorization flow (either via PAR or directly) with\n */\n iss: string;\n\n /**\n * The state sent by the Wallet Instance at the start\n * of the authorization flow (either via PAR or directly)\n */\n state: string;\n}\n\nexport interface 
VerifyAuthorizationResponseFormPostJWTOptions {\n /**\n * Compact AuthorizaitonResponse JWT\n */\n authorizationResponseCompact: string;\n\n /**\n * Authorization Response object containing the authorization\n * code, the issuer and the session's state\n */\n authorizationResponseDecoded: ReturnType<\n typeof decodeJwt<undefined, typeof zAuthorizationResponse>\n >;\n\n /**\n * Callback for verifying the authorization jwt signature\n */\n callbacks: Pick<CallbackContext, \"verifyJwt\">;\n\n /**\n * The issuer the Wallet Instance started the\n * authorization flow (either via PAR or directly) with\n */\n iss: string;\n\n /**\n * Signer of the form POST returned jwt\n */\n signer: JwtSignerJwk;\n\n /**\n * The state sent by the Wallet Instance at the start\n * of the authorization flow (either via PAR or directly)\n */\n state: string;\n}\n\n/**\n * Utility that verifies if the returned Authorization Response's iss and state field match\n * the Authorization Session ones\n * @param options {@link VerifyAuthorizationResponseOptions}\n * @returns the {@link AuthorizationResponse} passed as an option\n * @throws {Oid4vciError} in case the iss or state field of the Authorization request don't\n * match the provided ones\n */\nexport async function verifyAuthorizationResponse(\n options: VerifyAuthorizationResponseOptions,\n): Promise<AuthorizationResponse> {\n if (options.authorizationResponse.iss !== options.iss)\n throw new Oid4vciError(\n `Response result iss doesn't match passed counterpart. Expected: ${options.iss}, Got: ${options.authorizationResponse.iss}`,\n );\n if (options.authorizationResponse.state !== options.state)\n throw new Oid4vciError(\n `Response result state doesn't match passed counterpart. 
Expected: ${options.state}, Got: ${options.authorizationResponse.state}`,\n );\n\n return options.authorizationResponse;\n}\n\n/**\n * Wrapper of {@link verifyAuthorizationResponse} that verifies the signature of the JWT containing\n * the authorization response and extracts the {@link AuthorizationResponse} payload\n * @param options {@link VerifyAuthorizationResponseFormPostJWTOptions}\n * @returns the {@link AuthorizationResponse} passed as an option\n * @throws {Oid4vciError} in case {@link verifyAuthorizationResponse} throws or in case\n * signature verification fails\n */\nexport async function verifyAuthorizationResponseFormPostJWT(\n options: VerifyAuthorizationResponseFormPostJWTOptions,\n): Promise<AuthorizationResponse> {\n try {\n const decodedJwt = options.authorizationResponseDecoded;\n const result = await options.callbacks.verifyJwt(options.signer, {\n compact: options.authorizationResponseCompact,\n ...decodedJwt,\n });\n\n if (!result.verified) {\n throw new Oid4vciError(\"Error verifying JWT signature\");\n }\n\n return verifyAuthorizationResponse({\n authorizationResponse: options.authorizationResponseDecoded.payload,\n iss: options.iss,\n state: options.state,\n });\n } catch (error) {\n if (error instanceof Oid4vciError) throw error;\n\n throw new Oid4vciError(\n `Unexpected error verifying form post jwt: ${error instanceof Error ? 
`${error.name} : ${error.message}` : String(error)}`,\n );\n }\n}\n","import z from \"zod\";\n\nexport const zAuthorizationResponse = z.object({\n code: z.string(),\n iss: z.string(),\n state: z.string(),\n});\n\nexport type AuthorizationResponse = z.infer<typeof zAuthorizationResponse>;\n","import { CallbackContext, JwtSignerJwk } from \"@openid4vc/oauth2\";\nimport { dateToSeconds, parseWithErrorHandling } from \"@openid4vc/utils\";\n\nimport { Oid4vciError } from \"../errors\";\nimport { CredentialRequest, zCredentialRequest } from \"./z-credential\";\n\nexport interface CredentialRequestOptions {\n /**\n * Callbacks to use for signing proof\n */\n callbacks: Pick<CallbackContext, \"signJwt\">;\n\n /**\n * Client identifier of the OAuth2 Client making the Credential Request.\n */\n clientId: string;\n\n /**\n * This MUST be set with one of the value obtained in the credential_identifiers claim of the Token Response.\n */\n credential_identifier: string;\n\n /**\n * Identifier of the Credential Issuer, for ex: https://issuer.example.com.\n */\n issuerIdentifier: string;\n\n /**\n * A nonce value previously requested to associate a Client session with the Credential Request.\n */\n nonce: string;\n\n /**\n * The signer of the credential PoP JWT.\n */\n signer: JwtSignerJwk;\n}\n\n/**\n * Create a Credential Request.\n * @param options - Options to create the Credential Request\n * @returns The created Credential Request\n */\nexport const createCredentialRequest = async (\n options: CredentialRequestOptions,\n): Promise<CredentialRequest> => {\n try {\n const { signJwt } = options.callbacks;\n const proofJwt = await signJwt(options.signer, {\n header: {\n alg: options.signer.alg,\n jwk: options.signer.publicJwk,\n typ: \"openid4vci-proof+jwt\",\n },\n payload: {\n aud: options.issuerIdentifier,\n iat: dateToSeconds(new Date()),\n iss: options.clientId,\n nonce: options.nonce,\n },\n });\n\n return parseWithErrorHandling(zCredentialRequest, {\n 
credential_identifier: options.credential_identifier,\n proof: {\n jwt: proofJwt.jwt,\n proof_type: \"jwt\",\n },\n } satisfies CredentialRequest);\n } catch (error) {\n throw new Oid4vciError(\n `Unexpected error during create credential request: ${error instanceof Error ? error.message : String(error)}`,\n );\n }\n};\n","import { z } from \"zod\";\n\n// Proof object schema\nconst ProofSchema = z.object({\n jwt: z.string().min(1, \"JWT must not be empty\"),\n proof_type: z.literal(\"jwt\"), // MUST be \"jwt\"\n});\n\nexport const zCredentialRequest = z\n .object({\n credential_configuration_id: z\n .string()\n .optional()\n .describe(\n \"REQUIRED if credential_identifiers param is absent. MUST NOT be used otherwise.\",\n ),\n\n credential_identifier: z\n .string()\n .optional()\n .describe(\n \"REQUIRED when Authorization Details of type openid_credential was returned. MUST NOT be used if credential_configuration_id is present.\",\n ),\n\n proof: ProofSchema.describe(\n \"REQUIRED. Proof of possession of key material (must contain proof_type=jwt and a jwt).\",\n ),\n\n transaction_id: z\n .string()\n .optional()\n .describe(\n \"REQUIRED only in case of deferred flow. 
MUST NOT be present in immediate flow.\",\n ),\n })\n .superRefine((data, ctx) => {\n // Exclusive OR between credential_identifier and credential_configuration_id\n if (data.credential_identifier && data.credential_configuration_id) {\n ctx.addIssue({\n code: \"custom\",\n message:\n \"credential_identifier and credential_configuration_id MUST NOT be used together\",\n path: [\"credential_identifier\"],\n });\n }\n\n if (!data.credential_identifier && !data.credential_configuration_id) {\n ctx.addIssue({\n code: \"custom\",\n message:\n \"One of credential_identifier or credential_configuration_id MUST be present\",\n path: [\"credential_identifier\"],\n });\n }\n });\n\nexport type CredentialRequest = z.infer<typeof zCredentialRequest>;\n\nconst CredentialsSchema = z.object({\n credential: z\n .string()\n .min(1, \"credential must not be empty\")\n .describe(\n \"REQUIRED. Contains the issued Digital Credential. Depending on format, may be raw JWT or base64url-encoded CBOR structure.\",\n ),\n});\n\nexport const zCredentialResponse = z\n .object({\n credentials: CredentialsSchema.optional().describe(\n \"REQUIRED if lead_time and transaction_id are not present. MUST NOT be present otherwise.\",\n ),\n\n lead_time: z\n .number()\n .int()\n .positive()\n .optional()\n .describe(\n \"REQUIRED if credentials is not present. MUST NOT be present otherwise.\",\n ),\n\n notification_id: z\n .string()\n .optional()\n .describe(\"OPTIONAL. MUST NOT be present if credentials is not present.\"),\n\n transaction_id: z\n .string()\n .optional()\n .describe(\n \"REQUIRED if credentials is not present. 
MUST NOT be present otherwise.\",\n ),\n })\n .superRefine((data, ctx) => {\n // Enforce XOR: credentials vs (lead_time + transaction_id)\n if (data.credentials && (data.lead_time || data.transaction_id)) {\n ctx.addIssue({\n code: \"custom\",\n message:\n \"credentials MUST NOT be present if lead_time or transaction_id is provided\",\n path: [\"credentials\"],\n });\n }\n\n if (!data.credentials && (!data.lead_time || !data.transaction_id)) {\n ctx.addIssue({\n code: \"custom\",\n message:\n \"If credentials is absent, both lead_time and transaction_id MUST be present\",\n path: [\"lead_time\"],\n });\n }\n\n // notification_id must only exist if credentials is present\n if (!data.credentials && data.notification_id) {\n ctx.addIssue({\n code: \"custom\",\n message: \"notification_id MUST NOT be present if credentials is absent\",\n path: [\"notification_id\"],\n });\n }\n });\n\nexport type CredentialResponse = z.infer<typeof zCredentialResponse>;\n","import { CallbackContext } from \"@openid4vc/oauth2\";\nimport { createFetcher, parseWithErrorHandling } from \"@openid4vc/utils\";\nimport {\n CONTENT_TYPES,\n HEADERS,\n UnexpectedStatusCodeError,\n ValidationError,\n hasStatusOrThrow,\n} from \"@pagopa/io-wallet-utils\";\n\nimport { FetchCredentialResponseError } from \"../errors\";\nimport {\n CredentialRequest,\n CredentialResponse,\n zCredentialResponse,\n} from \"./z-credential\";\n\nexport interface FetchCredentialResponseOptions {\n /**\n * Access token to authorize the credential request for DPoP mechanism\n */\n accessToken: string;\n /**\n * Callbacks to use for requesting access token\n */\n callbacks: Pick<CallbackContext, \"fetch\">;\n\n /**\n * The credential endpoint URL\n */\n credentialEndpoint: string;\n\n /**\n * Credential request body\n */\n credentialRequest: CredentialRequest;\n\n /**\n * DPoP proof with addition of ath claim\n */\n dPoP: string;\n}\n\n/**\n * Fetches a credential response from the credential endpoint.\n *\n * @param options 
- Options for fetching the credential response\n * @returns The credential response\n * @throws FetchCredentialResponseError if an unexpected error occurs during the fetch\n * @throws UnexpectedStatusCodeError if the response status code is not 200\n * @throws ValidationError if the response cannot be parsed as a valid credential response\n */\nexport async function fetchCredentialResponse(\n options: FetchCredentialResponseOptions,\n): Promise<CredentialResponse> {\n try {\n const fetch = createFetcher(options.callbacks.fetch);\n const credentialResponse = await fetch(options.credentialEndpoint, {\n body: JSON.stringify(options.credentialRequest),\n headers: {\n [HEADERS.AUTHORIZATION]: `DPoP ${options.accessToken}`,\n [HEADERS.CONTENT_TYPE]: CONTENT_TYPES.JSON,\n [HEADERS.DPOP]: options.dPoP,\n },\n method: \"POST\",\n });\n\n await hasStatusOrThrow(200, UnexpectedStatusCodeError)(credentialResponse);\n\n return parseWithErrorHandling(\n zCredentialResponse,\n credentialResponse.json(),\n `Failed to parse credential response`,\n );\n } catch (error) {\n if (\n error instanceof UnexpectedStatusCodeError ||\n error instanceof ValidationError\n ) {\n throw error;\n }\n throw new FetchCredentialResponseError(\n `Unexpected error during credential response: ${error instanceof Error ? 
error.message : String(error)}`,\n );\n }\n}\n","import { ClientAttestationJwtPayload } from \"@openid4vc/oauth2\";\nimport { Openid4vciWalletProvider } from \"@openid4vc/openid4vci\";\nimport { addSecondsToDate } from \"@openid4vc/utils\";\n\nimport { WalletProviderError } from \"../errors\";\n\n/**\n * @interface WalletAttestationOptions\n * @description Defines the options required to create a wallet attestation JWT.\n * This attestation is a signed token that proves the wallet's identity and possession of a cryptographic key.\n */\nexport interface WalletAttestationOptions {\n /**\n * The public part of the DPoP (Demonstrating Proof-of-Possession) key in JWK (JSON Web Key) format.\n * This key is used to bind the attestation to the client's session.\n * @type {ClientAttestationJwtPayload['cnf']}\n */\n dpopJwkPublic: ClientAttestationJwtPayload[\"cnf\"][\"jwk\"];\n\n /**\n * The optional expiration date for the attestation JWT. If not provided, a default lifetime will be used.\n * @type {Date}\n */\n expiresAt?: Date;\n /**\n * The issuer of the attestation, typically the Wallet Provider's identifier.\n * @type {string}\n */\n issuer: string;\n\n signer: {\n /**\n * An array of JWTs representing the chain of trust from the federation's trust anchor\n * to the wallet provider. 
This is used in federated identity systems to validate the provider's authenticity.\n * @type {[string, ...string[]]}\n */\n trustChain: [string, ...string[]];\n\n /**\n * The Key ID (`kid`) of the wallet provider's public key used for signing the attestation.\n * @type {string}\n */\n walletProviderJwkPublicKid: string;\n };\n\n /**\n * An optional deep link or URL that can be used to open or interact with the wallet.\n * @type {string}\n */\n walletLink?: string;\n\n /**\n * An optional display name for the wallet.\n * @type {string}\n */\n walletName?: string;\n}\n\n/**\n * @class WalletProvider\n * @extends Openid4vciWalletProvider\n * @description An implementation of a wallet provider for the OpenID4VCI protocol, tailored for a specific ecosystem (e.g., the Italian one).\n * It handles the creation of wallet attestations required during the credential issuance flow.\n */\nexport class WalletProvider extends Openid4vciWalletProvider {\n /**\n * Creates a wallet attestation JWT.\n *\n * This method constructs a signed JWT that asserts the wallet's control over a specific\n * cryptographic key (DPoP key). This is a security measure to ensure that the entity\n * presenting the credential offer is the legitimate wallet instance.\n *\n * @public\n * @async\n * @param {WalletAttestationOptions} options - The necessary parameters to build the attestation.\n * @returns {Promise<string>} A promise that resolves to the signed wallet attestation JWT as a string.\n */\n public async createItWalletAttestationJwt(\n options: WalletAttestationOptions,\n ): Promise<string> {\n if (!options.dpopJwkPublic.kid) {\n throw new WalletProviderError(\"The DPoP JWK must have a 'kid' property\");\n }\n\n const walletAttestation = await this.createWalletAttestationJwt({\n clientId: options.dpopJwkPublic.kid,\n confirmation: {\n // We use the same key for DPoP as the wallet attestation\n jwk: options.dpopJwkPublic,\n },\n expiresAt:\n options.expiresAt ?? 
addSecondsToDate(new Date(), 3600 * 24 * 60 * 60),\n issuer: options.issuer,\n signer: {\n alg: \"ES256\",\n kid: options.signer.walletProviderJwkPublicKid,\n method: \"federation\", // Indicates the validation method relies on a trust chain.\n trustChain: options.signer.trustChain,\n },\n walletLink: options.walletLink,\n walletName: options.walletName,\n });\n\n return walletAttestation;\n }\n}\n"],"mappings":";AACA,SAAS,iBAAiB,qBAAqB;AAC/C,SAAS,0BAA0B;AACnC;AAAA,EAEE;AAAA,OACK;AACP;AAAA,EACE;AAAA,EACA;AAAA,OACK;;;ACPA,IAAM,eAAN,cAA2B,MAAM;AAAA,EACtC,YACE,SACgB,YAChB;AACA,UAAM,OAAO;AAFG;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;AAOO,IAAM,sBAAN,cAAkC,aAAa;AAAA,EACpD,YACE,SACgB,eAChB;AACA,UAAM,OAAO;AAFG;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;AAKO,IAAM,oBAAN,cAAgC,MAAM;AAAA,EAC3C,YACE,SACgB,YAChB;AACA,UAAM,OAAO;AAFG;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;AAKO,IAAM,+BAAN,cAA2C,aAAa;AAAA,EAC7D,YACE,SACgB,eAChB;AACA,UAAM,OAAO;AAFG;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;;;ACqBA,eAAsB,4BACpB,SACgC;AAChC,MAAI,QAAQ,sBAAsB,QAAQ,QAAQ;AAChD,UAAM,IAAI;AAAA,MACR,mEAAmE,QAAQ,GAAG,UAAU,QAAQ,sBAAsB,GAAG;AAAA,IAC3H;AACF,MAAI,QAAQ,sBAAsB,UAAU,QAAQ;AAClD,UAAM,IAAI;AAAA,MACR,qEAAqE,QAAQ,KAAK,UAAU,QAAQ,sBAAsB,KAAK;AAAA,IACjI;AAEF,SAAO,QAAQ;AACjB;AAUA,eAAsB,uCACpB,SACgC;AAChC,MAAI;AACF,UAAM,aAAa,QAAQ;AAC3B,UAAM,SAAS,MAAM,QAAQ,UAAU,UAAU,QAAQ,QAAQ;AAAA,MAC/D,SAAS,QAAQ;AAAA,MACjB,GAAG;AAAA,IACL,CAAC;AAED,QAAI,CAAC,OAAO,UAAU;AACpB,YAAM,IAAI,aAAa,+BAA+B;AAAA,IACxD;AAEA,WAAO,4BAA4B;AAAA,MACjC,uBAAuB,QAAQ,6BAA6B;AAAA,MAC5D,KAAK,QAAQ;AAAA,MACb,OAAO,QAAQ;AAAA,IACjB,CAAC;AAAA,EACH,SAAS,OAAO;AACd,QAAI,iBAAiB,aAAc,OAAM;AAEzC,UAAM,IAAI;AAAA,MACR,6CAA6C,iBAAiB,QAAQ,GAAG,MAAM,IAAI,MAAM,MAAM,OAAO,KAAK,OAAO,KAAK,CAAC;AAAA,IAC1H;AAAA,EACF;AACF;;;AC1HA,OAAO,OAAO;AAEP,IAAM,yBAAyB,EAAE,OAAO;AAAA,EAC7C,MAAM,EAAE,OAAO;AAAA,EACf,KAAK,EAAE,OAAO;AAAA,EACd,OAAO,EAAE,OAAO;AAClB,CAAC;;;AHqDD,eAAsB,sBACpB,SACsE;AACtE,MAAI;AACF,UAAM,QAAQ,cAAc,QAAQ,UAAU,KAAK;AACnD,UAAM,8BAA8B,MAAM,MAAM,QAAQ,YAAY;AAEpE,UAAM;AAAA,MACJ;AAAA,MACA;AAAA,IACF,EAAE,2BAA2B;AAE7B
,WAAO,MAAM,mBAAmB;AAAA,MAC9B,UAAU,MAAM,4BAA4B,KAAK;AAAA,MACjD,QAAQ;AAAA,IACV,CAAC;AAAA,EACH,SAAS,OAAO;AACd,QACE,iBAAiB,6BACjB,iBAAiB,mBACjB,iBAAiB,cACjB;AACA,YAAM;AAAA,IACR;AACA,UAAM,IAAI;AAAA,MACR,0DAA0D,iBAAiB,QAAQ,GAAG,MAAM,IAAI,MAAM,MAAM,OAAO,KAAK,OAAO,KAAK,CAAC;AAAA,IACvI;AAAA,EACF;AACF;AAWA,eAAsB,wCACpB,SACgC;AAChC,MAAI;AACF,UAAM,sBAAsB,MAAM,2BAA2B,OAAO;AAEpE,UAAM,gBAAgB,MAAM,sBAAsB;AAAA,MAChD,GAAG;AAAA,MACH,cAAc,oBAAoB;AAAA,IACpC,CAAC;AAED,WAAO,uCAAuC;AAAA,MAC5C,8BAA8B,cAAc;AAAA,MAC5C,8BAA8B,cAAc;AAAA,MAC5C,WAAW;AAAA,QACT,WAAW,QAAQ,UAAU;AAAA,MAC/B;AAAA,MACA,KAAK,QAAQ;AAAA,MACb,QAAQ,QAAQ;AAAA,MAChB,OAAO,QAAQ;AAAA,IACjB,CAAC;AAAA,EACH,SAAS,OAAO;AACd,QACE,iBAAiB,6BACjB,iBAAiB,mBACjB,iBAAiB,cACjB;AACA,YAAM;AAAA,IACR;AACA,UAAM,IAAI;AAAA,MACR,sFAAsF,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK,CAAC;AAAA,IAC9I;AAAA,EACF;AACF;;;AIlIA,SAAS,eAAe,8BAA8B;;;ACDtD,SAAS,KAAAA,UAAS;AAGlB,IAAM,cAAcA,GAAE,OAAO;AAAA,EAC3B,KAAKA,GAAE,OAAO,EAAE,IAAI,GAAG,uBAAuB;AAAA,EAC9C,YAAYA,GAAE,QAAQ,KAAK;AAAA;AAC7B,CAAC;AAEM,IAAM,qBAAqBA,GAC/B,OAAO;AAAA,EACN,6BAA6BA,GAC1B,OAAO,EACP,SAAS,EACT;AAAA,IACC;AAAA,EACF;AAAA,EAEF,uBAAuBA,GACpB,OAAO,EACP,SAAS,EACT;AAAA,IACC;AAAA,EACF;AAAA,EAEF,OAAO,YAAY;AAAA,IACjB;AAAA,EACF;AAAA,EAEA,gBAAgBA,GACb,OAAO,EACP,SAAS,EACT;AAAA,IACC;AAAA,EACF;AACJ,CAAC,EACA,YAAY,CAAC,MAAM,QAAQ;AAE1B,MAAI,KAAK,yBAAyB,KAAK,6BAA6B;AAClE,QAAI,SAAS;AAAA,MACX,MAAM;AAAA,MACN,SACE;AAAA,MACF,MAAM,CAAC,uBAAuB;AAAA,IAChC,CAAC;AAAA,EACH;AAEA,MAAI,CAAC,KAAK,yBAAyB,CAAC,KAAK,6BAA6B;AACpE,QAAI,SAAS;AAAA,MACX,MAAM;AAAA,MACN,SACE;AAAA,MACF,MAAM,CAAC,uBAAuB;AAAA,IAChC,CAAC;AAAA,EACH;AACF,CAAC;AAIH,IAAM,oBAAoBA,GAAE,OAAO;AAAA,EACjC,YAAYA,GACT,OAAO,EACP,IAAI,GAAG,8BAA8B,EACrC;AAAA,IACC;AAAA,EACF;AACJ,CAAC;AAEM,IAAM,sBAAsBA,GAChC,OAAO;AAAA,EACN,aAAa,kBAAkB,SAAS,EAAE;AAAA,IACxC;AAAA,EACF;AAAA,EAEA,WAAWA,GACR,OAAO,EACP,IAAI,EACJ,SAAS,EACT,SAAS,EACT;AAAA,IACC;AAAA,EACF;AAAA,EAEF,iBAAiBA,GACd,OAAO,EACP,SAAS,EACT,SAAS,8DAA8D;AAAA,EAE1E,gBAAgBA,GACb,OAAO,EACP,SAAS,EACT;AAAA,IACC;AAAA,EACF;AACJ,CAAC,EACA,YAAY,CAAC,
MAAM,QAAQ;AAE1B,MAAI,KAAK,gBAAgB,KAAK,aAAa,KAAK,iBAAiB;AAC/D,QAAI,SAAS;AAAA,MACX,MAAM;AAAA,MACN,SACE;AAAA,MACF,MAAM,CAAC,aAAa;AAAA,IACtB,CAAC;AAAA,EACH;AAEA,MAAI,CAAC,KAAK,gBAAgB,CAAC,KAAK,aAAa,CAAC,KAAK,iBAAiB;AAClE,QAAI,SAAS;AAAA,MACX,MAAM;AAAA,MACN,SACE;AAAA,MACF,MAAM,CAAC,WAAW;AAAA,IACpB,CAAC;AAAA,EACH;AAGA,MAAI,CAAC,KAAK,eAAe,KAAK,iBAAiB;AAC7C,QAAI,SAAS;AAAA,MACX,MAAM;AAAA,MACN,SAAS;AAAA,MACT,MAAM,CAAC,iBAAiB;AAAA,IAC1B,CAAC;AAAA,EACH;AACF,CAAC;;;AD/EI,IAAM,0BAA0B,OACrC,YAC+B;AAC/B,MAAI;AACF,UAAM,EAAE,QAAQ,IAAI,QAAQ;AAC5B,UAAM,WAAW,MAAM,QAAQ,QAAQ,QAAQ;AAAA,MAC7C,QAAQ;AAAA,QACN,KAAK,QAAQ,OAAO;AAAA,QACpB,KAAK,QAAQ,OAAO;AAAA,QACpB,KAAK;AAAA,MACP;AAAA,MACA,SAAS;AAAA,QACP,KAAK,QAAQ;AAAA,QACb,KAAK,cAAc,oBAAI,KAAK,CAAC;AAAA,QAC7B,KAAK,QAAQ;AAAA,QACb,OAAO,QAAQ;AAAA,MACjB;AAAA,IACF,CAAC;AAED,WAAO,uBAAuB,oBAAoB;AAAA,MAChD,uBAAuB,QAAQ;AAAA,MAC/B,OAAO;AAAA,QACL,KAAK,SAAS;AAAA,QACd,YAAY;AAAA,MACd;AAAA,IACF,CAA6B;AAAA,EAC/B,SAAS,OAAO;AACd,UAAM,IAAI;AAAA,MACR,sDAAsD,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK,CAAC;AAAA,IAC9G;AAAA,EACF;AACF;;;AEzEA,SAAS,iBAAAC,gBAAe,0BAAAC,+BAA8B;AACtD;AAAA,EACE;AAAA,EACA;AAAA,EACA,6BAAAC;AAAA,EACA,mBAAAC;AAAA,EACA,oBAAAC;AAAA,OACK;AA4CP,eAAsB,wBACpB,SAC6B;AAC7B,MAAI;AACF,UAAM,QAAQC,eAAc,QAAQ,UAAU,KAAK;AACnD,UAAM,qBAAqB,MAAM,MAAM,QAAQ,oBAAoB;AAAA,MACjE,MAAM,KAAK,UAAU,QAAQ,iBAAiB;AAAA,MAC9C,SAAS;AAAA,QACP,CAAC,QAAQ,aAAa,GAAG,QAAQ,QAAQ,WAAW;AAAA,QACpD,CAAC,QAAQ,YAAY,GAAG,cAAc;AAAA,QACtC,CAAC,QAAQ,IAAI,GAAG,QAAQ;AAAA,MAC1B;AAAA,MACA,QAAQ;AAAA,IACV,CAAC;AAED,UAAMC,kBAAiB,KAAKC,0BAAyB,EAAE,kBAAkB;AAEzE,WAAOC;AAAA,MACL;AAAA,MACA,mBAAmB,KAAK;AAAA,MACxB;AAAA,IACF;AAAA,EACF,SAAS,OAAO;AACd,QACE,iBAAiBD,8BACjB,iBAAiBE,kBACjB;AACA,YAAM;AAAA,IACR;AACA,UAAM,IAAI;AAAA,MACR,gDAAgD,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK,CAAC;AAAA,IACxG;AAAA,EACF;AACF;;;ACpFA,SAAS,gCAAgC;AACzC,SAAS,wBAAwB;AA8D1B,IAAM,iBAAN,cAA6B,yBAAyB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAa3D,MAAa,6BACX,SACiB;AACjB,QAAI,CAAC,QAAQ,cAAc,KAAK;AAC9B,YAAM,IAAI,oBAAoB,yCAAyC;AAAA,IACzE;AAE
A,UAAM,oBAAoB,MAAM,KAAK,2BAA2B;AAAA,MAC9D,UAAU,QAAQ,cAAc;AAAA,MAChC,cAAc;AAAA;AAAA,QAEZ,KAAK,QAAQ;AAAA,MACf;AAAA,MACA,WACE,QAAQ,aAAa,iBAAiB,oBAAI,KAAK,GAAG,OAAO,KAAK,KAAK,EAAE;AAAA,MACvE,QAAQ,QAAQ;AAAA,MAChB,QAAQ;AAAA,QACN,KAAK;AAAA,QACL,KAAK,QAAQ,OAAO;AAAA,QACpB,QAAQ;AAAA;AAAA,QACR,YAAY,QAAQ,OAAO;AAAA,MAC7B;AAAA,MACA,YAAY,QAAQ;AAAA,MACpB,YAAY,QAAQ;AAAA,IACtB,CAAC;AAED,WAAO;AAAA,EACT;AACF;","names":["z","createFetcher","parseWithErrorHandling","UnexpectedStatusCodeError","ValidationError","hasStatusOrThrow","createFetcher","hasStatusOrThrow","UnexpectedStatusCodeError","parseWithErrorHandling","ValidationError"]}
1
+ {"version":3,"sources":["../src/authorization-response/complete-authorization.ts","../src/errors.ts","../src/authorization-response/verify-authorization-response.ts","../src/authorization-response/z-authorization-response.ts","../src/credential-request/create-credential-request.ts","../src/credential-request/z-credential.ts","../src/credential-request/fetch-credential-response.ts","../src/wallet-provider/WalletProvider.ts"],"sourcesContent":["import { CallbackContext } from \"@openid4vc/oauth2\";\nimport { ValidationError, createFetcher } from \"@openid4vc/utils\";\nimport { getJwtFromFormPost } from \"@pagopa/io-wallet-oauth2\";\nimport {\n FetchAuthorizationResponseOptions,\n fetchAuthorizationResponse,\n} from \"@pagopa/io-wallet-oid4vp\";\nimport {\n UnexpectedStatusCodeError,\n hasStatusOrThrow,\n} from \"@pagopa/io-wallet-utils\";\n\nimport { Oid4vciError } from \"../errors\";\nimport {\n VerifyAuthorizationResponseFormPostJWTOptions,\n verifyAuthorizationResponseFormPostJWT,\n} from \"./verify-authorization-response\";\nimport {\n AuthorizationResponse,\n zAuthorizationResponse,\n} from \"./z-authorization-response\";\n\nexport interface CompleteAuthorizationOptions {\n callbacks: Pick<CallbackContext, \"fetch\">;\n\n /**\n * The response_uri returned by the server after a successful\n * OID4VP Authorization Response is sent\n */\n response_uri: string;\n}\n\n/**\n * Combination of {@link CompleteAuthorizationOptions},\n * {@link FetchAuthorizationResponseOptions} and\n * {@link VerifyAuthorizationResponseFormPostJWTOptions}\n */\nexport type SendAuthorizationResponseAndExtractCodeOptions =\n FetchAuthorizationResponseOptions &\n Omit<\n VerifyAuthorizationResponseFormPostJWTOptions,\n \"authorizationResponseCompact\" | \"authorizationResponseDecoded\"\n > &\n Omit<CompleteAuthorizationOptions, \"response_uri\">;\n\n/**\n * Method that completes the form_post.jwt based authorization\n * process for credentials issuance following the ITWallet\n * 
specification by retrieving the form from the provided uri,\n * extracting and parsing the contained JWT and verifying the\n * iss and state fields match the authorization session's expected\n * values.\n * See https://italia.github.io/eid-wallet-it-docs/versione-corrente/en/credential-issuance-low-level.html#\n * steps 6-7 for details.\n *\n * @param options {@link CompleteAuthorizationOptions}\n * @returns An object containing the fetched JWT and its decoding. The JWT contains the access code\n * necessary for access token issuance\n */\nexport async function completeAuthorization(\n options: CompleteAuthorizationOptions,\n): ReturnType<typeof getJwtFromFormPost<typeof zAuthorizationResponse>> {\n try {\n const fetch = createFetcher(options.callbacks.fetch);\n const authorizationResponseResult = await fetch(options.response_uri);\n\n await hasStatusOrThrow(\n 200,\n UnexpectedStatusCodeError,\n )(authorizationResponseResult);\n\n return await getJwtFromFormPost({\n formData: await authorizationResponseResult.text(),\n schema: zAuthorizationResponse,\n });\n } catch (error) {\n if (\n error instanceof UnexpectedStatusCodeError ||\n error instanceof ValidationError ||\n error instanceof Oid4vciError\n ) {\n throw error;\n }\n throw new Oid4vciError(\n `Unexpected error completing the authorization process: ${error instanceof Error ? `${error.name} : ${error.message}` : String(error)}`,\n );\n }\n}\n\n/**\n * Convenience method that combines {@link completeAuthorization},\n * oid4vp package's {@link fetchAuthorizationResponse} and {@link verifyAuthorizationResponseFormPostJWT} to retrieve the\n * access code starting from the authorization response and the response uri\n *\n * @param options {@link SendAuthorizationResponseAndExtractCodeOptions}\n * @returns An object containing the fetched JWT and its decoding. 
The JWT contains the access code\n * for necessary for access token issuance\n */\nexport async function sendAuthorizationResponseAndExtractCode(\n options: SendAuthorizationResponseAndExtractCodeOptions,\n): Promise<AuthorizationResponse> {\n try {\n const authorizationResult = await fetchAuthorizationResponse(options);\n\n if (!authorizationResult.redirect_uri) {\n throw new Oid4vciError(\n \"The authorization response did not contain a redirect_uri\",\n );\n }\n\n const jwtAndPayload = await completeAuthorization({\n ...options,\n response_uri: authorizationResult.redirect_uri,\n });\n\n return verifyAuthorizationResponseFormPostJWT({\n authorizationResponseCompact: jwtAndPayload.jwt,\n authorizationResponseDecoded: jwtAndPayload.decodedJwt,\n callbacks: {\n verifyJwt: options.callbacks.verifyJwt,\n },\n iss: options.iss,\n signer: options.signer,\n state: options.state,\n });\n } catch (error) {\n if (\n error instanceof UnexpectedStatusCodeError ||\n error instanceof ValidationError ||\n error instanceof Oid4vciError\n ) {\n throw error;\n }\n throw new Oid4vciError(\n `Unexpected error sending the authorization response and retrieving the acces code: ${error instanceof Error ? 
error.message : String(error)}`,\n );\n }\n}\n","/**\n * Generic error thrown on Oid4vci operations\n */\nexport class Oid4vciError extends Error {\n constructor(\n message: string,\n public readonly statusCode?: number,\n ) {\n super(message);\n this.name = \"Oid4vciError\";\n }\n}\n\n/**\n * Error thrown in case the DPoP key passed to the\n * {@link WalletProvider.createItWalletAttestationJwt} method\n * doesn't contain a kid\n */\nexport class WalletProviderError extends Oid4vciError {\n constructor(\n message: string,\n public readonly originalError?: unknown,\n ) {\n super(message);\n this.name = \"WalletProviderError\";\n }\n}\n\n/**\n * Error thrown when an unexpected error occurs during nonce request.\n */\nexport class NonceRequestError extends Error {\n constructor(\n message: string,\n public readonly statusCode?: number,\n ) {\n super(message);\n this.name = \"NonceRequestError\";\n }\n}\n\n/**\n * Error thrown when an unexpected error occurs during credential response fetching.\n */\nexport class FetchCredentialResponseError extends Oid4vciError {\n constructor(\n message: string,\n public readonly originalError?: unknown,\n ) {\n super(message);\n this.name = \"FetchCredentialResponseError\";\n }\n}\n","import { CallbackContext, JwtSignerJwk, decodeJwt } from \"@openid4vc/oauth2\";\n\nimport { Oid4vciError } from \"../errors\";\nimport {\n AuthorizationResponse,\n zAuthorizationResponse,\n} from \"./z-authorization-response\";\n\nexport interface VerifyAuthorizationResponseOptions {\n /**\n * Authorization response object containing the authorization\n * code, the issuer and the session's state\n */\n authorizationResponse: AuthorizationResponse;\n\n /**\n * The issuer the Wallet Instance started the\n * authorization flow (either via PAR or directly) with\n */\n iss: string;\n\n /**\n * The state sent by the Wallet Instance at the start\n * of the authorization flow (either via PAR or directly)\n */\n state: string;\n}\n\nexport interface 
VerifyAuthorizationResponseFormPostJWTOptions {\n /**\n * Compact AuthorizaitonResponse JWT\n */\n authorizationResponseCompact: string;\n\n /**\n * Authorization Response object containing the authorization\n * code, the issuer and the session's state\n */\n authorizationResponseDecoded: ReturnType<\n typeof decodeJwt<undefined, typeof zAuthorizationResponse>\n >;\n\n /**\n * Callback for verifying the authorization jwt signature\n */\n callbacks: Pick<CallbackContext, \"verifyJwt\">;\n\n /**\n * The issuer the Wallet Instance started the\n * authorization flow (either via PAR or directly) with\n */\n iss: string;\n\n /**\n * Signer of the form POST returned jwt\n */\n signer: JwtSignerJwk;\n\n /**\n * The state sent by the Wallet Instance at the start\n * of the authorization flow (either via PAR or directly)\n */\n state: string;\n}\n\n/**\n * Utility that verifies if the returned Authorization Response's iss and state field match\n * the Authorization Session ones\n * @param options {@link VerifyAuthorizationResponseOptions}\n * @returns the {@link AuthorizationResponse} passed as an option\n * @throws {Oid4vciError} in case the iss or state field of the Authorization request don't\n * match the provided ones\n */\nexport async function verifyAuthorizationResponse(\n options: VerifyAuthorizationResponseOptions,\n): Promise<AuthorizationResponse> {\n if (options.authorizationResponse.iss !== options.iss)\n throw new Oid4vciError(\n `Response result iss doesn't match passed counterpart. Expected: ${options.iss}, Got: ${options.authorizationResponse.iss}`,\n );\n if (options.authorizationResponse.state !== options.state)\n throw new Oid4vciError(\n `Response result state doesn't match passed counterpart. 
Expected: ${options.state}, Got: ${options.authorizationResponse.state}`,\n );\n\n return options.authorizationResponse;\n}\n\n/**\n * Wrapper of {@link verifyAuthorizationResponse} that verifies the signature of the JWT containing\n * the authorization response and extracts the {@link AuthorizationResponse} payload\n * @param options {@link VerifyAuthorizationResponseFormPostJWTOptions}\n * @returns the {@link AuthorizationResponse} passed as an option\n * @throws {Oid4vciError} in case {@link verifyAuthorizationResponse} throws or in case\n * signature verification fails\n */\nexport async function verifyAuthorizationResponseFormPostJWT(\n options: VerifyAuthorizationResponseFormPostJWTOptions,\n): Promise<AuthorizationResponse> {\n try {\n const decodedJwt = options.authorizationResponseDecoded;\n const result = await options.callbacks.verifyJwt(options.signer, {\n compact: options.authorizationResponseCompact,\n ...decodedJwt,\n });\n\n if (!result.verified) {\n throw new Oid4vciError(\"Error verifying JWT signature\");\n }\n\n return verifyAuthorizationResponse({\n authorizationResponse: options.authorizationResponseDecoded.payload,\n iss: options.iss,\n state: options.state,\n });\n } catch (error) {\n if (error instanceof Oid4vciError) throw error;\n\n throw new Oid4vciError(\n `Unexpected error verifying form post jwt: ${error instanceof Error ? 
`${error.name} : ${error.message}` : String(error)}`,\n );\n }\n}\n","import z from \"zod\";\n\nexport const zAuthorizationResponse = z.object({\n code: z.string(),\n iss: z.string(),\n state: z.string(),\n});\n\nexport type AuthorizationResponse = z.infer<typeof zAuthorizationResponse>;\n","import { CallbackContext, JwtSignerJwk } from \"@openid4vc/oauth2\";\nimport { dateToSeconds, parseWithErrorHandling } from \"@openid4vc/utils\";\n\nimport { Oid4vciError } from \"../errors\";\nimport { CredentialRequest, zCredentialRequest } from \"./z-credential\";\n\nexport interface CredentialRequestOptions {\n /**\n * Callbacks to use for signing proof\n */\n callbacks: Pick<CallbackContext, \"signJwt\">;\n\n /**\n * Client identifier of the OAuth2 Client making the Credential Request.\n */\n clientId: string;\n\n /**\n * This MUST be set with one of the value obtained in the credential_identifiers claim of the Token Response.\n */\n credential_identifier: string;\n\n /**\n * Identifier of the Credential Issuer, for ex: https://issuer.example.com.\n */\n issuerIdentifier: string;\n\n /**\n * A nonce value previously requested to associate a Client session with the Credential Request.\n */\n nonce: string;\n\n /**\n * The signer of the credential PoP JWT.\n */\n signer: JwtSignerJwk;\n}\n\n/**\n * Create a Credential Request.\n * @param options - Options to create the Credential Request\n * @returns The created Credential Request\n */\nexport const createCredentialRequest = async (\n options: CredentialRequestOptions,\n): Promise<CredentialRequest> => {\n try {\n const { signJwt } = options.callbacks;\n const proofJwt = await signJwt(options.signer, {\n header: {\n alg: options.signer.alg,\n jwk: options.signer.publicJwk,\n typ: \"openid4vci-proof+jwt\",\n },\n payload: {\n aud: options.issuerIdentifier,\n iat: dateToSeconds(new Date()),\n iss: options.clientId,\n nonce: options.nonce,\n },\n });\n\n return parseWithErrorHandling(zCredentialRequest, {\n 
credential_identifier: options.credential_identifier,\n proof: {\n jwt: proofJwt.jwt,\n proof_type: \"jwt\",\n },\n } satisfies CredentialRequest);\n } catch (error) {\n throw new Oid4vciError(\n `Unexpected error during create credential request: ${error instanceof Error ? error.message : String(error)}`,\n );\n }\n};\n","import { z } from \"zod\";\n\n// Proof object schema\nconst ProofSchema = z.object({\n jwt: z.string().min(1, \"JWT must not be empty\"),\n proof_type: z.literal(\"jwt\"), // MUST be \"jwt\"\n});\n\nexport const zCredentialRequest = z\n .object({\n credential_configuration_id: z\n .string()\n .optional()\n .describe(\n \"REQUIRED if credential_identifiers param is absent. MUST NOT be used otherwise.\",\n ),\n\n credential_identifier: z\n .string()\n .optional()\n .describe(\n \"REQUIRED when Authorization Details of type openid_credential was returned. MUST NOT be used if credential_configuration_id is present.\",\n ),\n\n proof: ProofSchema.describe(\n \"REQUIRED. Proof of possession of key material (must contain proof_type=jwt and a jwt).\",\n ),\n\n transaction_id: z\n .string()\n .optional()\n .describe(\n \"REQUIRED only in case of deferred flow. 
MUST NOT be present in immediate flow.\",\n ),\n })\n .superRefine((data, ctx) => {\n // Exclusive OR between credential_identifier and credential_configuration_id\n if (data.credential_identifier && data.credential_configuration_id) {\n ctx.addIssue({\n code: \"custom\",\n message:\n \"credential_identifier and credential_configuration_id MUST NOT be used together\",\n path: [\"credential_identifier\"],\n });\n }\n\n if (!data.credential_identifier && !data.credential_configuration_id) {\n ctx.addIssue({\n code: \"custom\",\n message:\n \"One of credential_identifier or credential_configuration_id MUST be present\",\n path: [\"credential_identifier\"],\n });\n }\n });\n\nexport type CredentialRequest = z.infer<typeof zCredentialRequest>;\n\nconst CredentialsSchema = z.array(\n z.object({\n credential: z\n .string()\n .describe(\n \"REQUIRED. Contains the issued Digital Credential. Depending on format, may be raw JWT or base64url-encoded CBOR structure.\",\n ),\n }),\n);\n\nexport const zCredentialResponse = z\n .object({\n credentials: CredentialsSchema.optional().describe(\n \"REQUIRED if lead_time and transaction_id are not present. MUST NOT be present otherwise.\",\n ),\n\n lead_time: z\n .number()\n .int()\n .positive()\n .optional()\n .describe(\n \"REQUIRED if credentials is not present. MUST NOT be present otherwise.\",\n ),\n\n notification_id: z\n .string()\n .optional()\n .describe(\"OPTIONAL. MUST NOT be present if credentials is not present.\"),\n\n transaction_id: z\n .string()\n .optional()\n .describe(\n \"REQUIRED if credentials is not present. 
MUST NOT be present otherwise.\",\n ),\n })\n .superRefine((data, ctx) => {\n // Enforce XOR: credentials vs (lead_time + transaction_id)\n if (data.credentials && (data.lead_time || data.transaction_id)) {\n ctx.addIssue({\n code: \"custom\",\n message:\n \"credentials MUST NOT be present if lead_time or transaction_id is provided\",\n path: [\"credentials\"],\n });\n }\n\n if (!data.credentials && (!data.lead_time || !data.transaction_id)) {\n ctx.addIssue({\n code: \"custom\",\n message:\n \"If credentials is absent, both lead_time and transaction_id MUST be present\",\n path: [\"lead_time\"],\n });\n }\n\n // notification_id must only exist if credentials is present\n if (!data.credentials && data.notification_id) {\n ctx.addIssue({\n code: \"custom\",\n message: \"notification_id MUST NOT be present if credentials is absent\",\n path: [\"notification_id\"],\n });\n }\n });\n\nexport type CredentialResponse = z.infer<typeof zCredentialResponse>;\n","import { CallbackContext } from \"@openid4vc/oauth2\";\nimport { createFetcher, parseWithErrorHandling } from \"@openid4vc/utils\";\nimport {\n CONTENT_TYPES,\n HEADERS,\n UnexpectedStatusCodeError,\n ValidationError,\n hasStatusOrThrow,\n} from \"@pagopa/io-wallet-utils\";\n\nimport { FetchCredentialResponseError } from \"../errors\";\nimport {\n CredentialRequest,\n CredentialResponse,\n zCredentialResponse,\n} from \"./z-credential\";\n\nexport interface FetchCredentialResponseOptions {\n /**\n * Access token to authorize the credential request for DPoP mechanism\n */\n accessToken: string;\n /**\n * Callbacks to use for requesting access token\n */\n callbacks: Pick<CallbackContext, \"fetch\">;\n\n /**\n * The credential endpoint URL\n */\n credentialEndpoint: string;\n\n /**\n * Credential request body\n */\n credentialRequest: CredentialRequest;\n\n /**\n * DPoP proof with addition of ath claim\n */\n dPoP: string;\n}\n\n/**\n * Fetches a credential response from the credential endpoint.\n *\n * @param options 
- Options for fetching the credential response\n * @returns The credential response\n * @throws FetchCredentialResponseError if an unexpected error occurs during the fetch\n * @throws UnexpectedStatusCodeError if the response status code is not 200\n * @throws ValidationError if the response cannot be parsed as a valid credential response\n */\nexport async function fetchCredentialResponse(\n options: FetchCredentialResponseOptions,\n): Promise<CredentialResponse> {\n try {\n const fetch = createFetcher(options.callbacks.fetch);\n const credentialResponse = await fetch(options.credentialEndpoint, {\n body: JSON.stringify(options.credentialRequest),\n headers: {\n [HEADERS.AUTHORIZATION]: `DPoP ${options.accessToken}`,\n [HEADERS.CONTENT_TYPE]: CONTENT_TYPES.JSON,\n [HEADERS.DPOP]: options.dPoP,\n },\n method: \"POST\",\n });\n\n await hasStatusOrThrow(200, UnexpectedStatusCodeError)(credentialResponse);\n\n const credentialResponseJson = await credentialResponse.json();\n\n return parseWithErrorHandling(\n zCredentialResponse,\n credentialResponseJson,\n `Failed to parse credential response`,\n );\n } catch (error) {\n if (\n error instanceof UnexpectedStatusCodeError ||\n error instanceof ValidationError\n ) {\n throw error;\n }\n throw new FetchCredentialResponseError(\n `Unexpected error during credential response: ${error instanceof Error ? 
error.message : String(error)}`,\n );\n }\n}\n","import { ClientAttestationJwtPayload } from \"@openid4vc/oauth2\";\nimport { Openid4vciWalletProvider } from \"@openid4vc/openid4vci\";\nimport { addSecondsToDate } from \"@openid4vc/utils\";\n\nimport { WalletProviderError } from \"../errors\";\n\n/**\n * @interface WalletAttestationOptions\n * @description Defines the options required to create a wallet attestation JWT.\n * This attestation is a signed token that proves the wallet's identity and possession of a cryptographic key.\n */\nexport interface WalletAttestationOptions {\n /**\n * The public part of the DPoP (Demonstrating Proof-of-Possession) key in JWK (JSON Web Key) format.\n * This key is used to bind the attestation to the client's session.\n * @type {ClientAttestationJwtPayload['cnf']}\n */\n dpopJwkPublic: ClientAttestationJwtPayload[\"cnf\"][\"jwk\"];\n\n /**\n * The optional expiration date for the attestation JWT. If not provided, a default lifetime will be used.\n * @type {Date}\n */\n expiresAt?: Date;\n /**\n * The issuer of the attestation, typically the Wallet Provider's identifier.\n * @type {string}\n */\n issuer: string;\n\n signer: {\n /**\n * An array of JWTs representing the chain of trust from the federation's trust anchor\n * to the wallet provider. 
This is used in federated identity systems to validate the provider's authenticity.\n * @type {[string, ...string[]]}\n */\n trustChain: [string, ...string[]];\n\n /**\n * The Key ID (`kid`) of the wallet provider's public key used for signing the attestation.\n * @type {string}\n */\n walletProviderJwkPublicKid: string;\n };\n\n /**\n * An optional deep link or URL that can be used to open or interact with the wallet.\n * @type {string}\n */\n walletLink?: string;\n\n /**\n * An optional display name for the wallet.\n * @type {string}\n */\n walletName?: string;\n}\n\n/**\n * @class WalletProvider\n * @extends Openid4vciWalletProvider\n * @description An implementation of a wallet provider for the OpenID4VCI protocol, tailored for a specific ecosystem (e.g., the Italian one).\n * It handles the creation of wallet attestations required during the credential issuance flow.\n */\nexport class WalletProvider extends Openid4vciWalletProvider {\n /**\n * Creates a wallet attestation JWT.\n *\n * This method constructs a signed JWT that asserts the wallet's control over a specific\n * cryptographic key (DPoP key). This is a security measure to ensure that the entity\n * presenting the credential offer is the legitimate wallet instance.\n *\n * @public\n * @async\n * @param {WalletAttestationOptions} options - The necessary parameters to build the attestation.\n * @returns {Promise<string>} A promise that resolves to the signed wallet attestation JWT as a string.\n */\n public async createItWalletAttestationJwt(\n options: WalletAttestationOptions,\n ): Promise<string> {\n if (!options.dpopJwkPublic.kid) {\n throw new WalletProviderError(\"The DPoP JWK must have a 'kid' property\");\n }\n\n const walletAttestation = await this.createWalletAttestationJwt({\n clientId: options.dpopJwkPublic.kid,\n confirmation: {\n // We use the same key for DPoP as the wallet attestation\n jwk: options.dpopJwkPublic,\n },\n expiresAt:\n options.expiresAt ?? 
addSecondsToDate(new Date(), 3600 * 24 * 60 * 60),\n issuer: options.issuer,\n signer: {\n alg: \"ES256\",\n kid: options.signer.walletProviderJwkPublicKid,\n method: \"federation\", // Indicates the validation method relies on a trust chain.\n trustChain: options.signer.trustChain,\n },\n walletLink: options.walletLink,\n walletName: options.walletName,\n });\n\n return walletAttestation;\n }\n}\n"],"mappings":";AACA,SAAS,iBAAiB,qBAAqB;AAC/C,SAAS,0BAA0B;AACnC;AAAA,EAEE;AAAA,OACK;AACP;AAAA,EACE;AAAA,EACA;AAAA,OACK;;;ACPA,IAAM,eAAN,cAA2B,MAAM;AAAA,EACtC,YACE,SACgB,YAChB;AACA,UAAM,OAAO;AAFG;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;AAOO,IAAM,sBAAN,cAAkC,aAAa;AAAA,EACpD,YACE,SACgB,eAChB;AACA,UAAM,OAAO;AAFG;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;AAKO,IAAM,oBAAN,cAAgC,MAAM;AAAA,EAC3C,YACE,SACgB,YAChB;AACA,UAAM,OAAO;AAFG;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;AAKO,IAAM,+BAAN,cAA2C,aAAa;AAAA,EAC7D,YACE,SACgB,eAChB;AACA,UAAM,OAAO;AAFG;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;;;ACqBA,eAAsB,4BACpB,SACgC;AAChC,MAAI,QAAQ,sBAAsB,QAAQ,QAAQ;AAChD,UAAM,IAAI;AAAA,MACR,mEAAmE,QAAQ,GAAG,UAAU,QAAQ,sBAAsB,GAAG;AAAA,IAC3H;AACF,MAAI,QAAQ,sBAAsB,UAAU,QAAQ;AAClD,UAAM,IAAI;AAAA,MACR,qEAAqE,QAAQ,KAAK,UAAU,QAAQ,sBAAsB,KAAK;AAAA,IACjI;AAEF,SAAO,QAAQ;AACjB;AAUA,eAAsB,uCACpB,SACgC;AAChC,MAAI;AACF,UAAM,aAAa,QAAQ;AAC3B,UAAM,SAAS,MAAM,QAAQ,UAAU,UAAU,QAAQ,QAAQ;AAAA,MAC/D,SAAS,QAAQ;AAAA,MACjB,GAAG;AAAA,IACL,CAAC;AAED,QAAI,CAAC,OAAO,UAAU;AACpB,YAAM,IAAI,aAAa,+BAA+B;AAAA,IACxD;AAEA,WAAO,4BAA4B;AAAA,MACjC,uBAAuB,QAAQ,6BAA6B;AAAA,MAC5D,KAAK,QAAQ;AAAA,MACb,OAAO,QAAQ;AAAA,IACjB,CAAC;AAAA,EACH,SAAS,OAAO;AACd,QAAI,iBAAiB,aAAc,OAAM;AAEzC,UAAM,IAAI;AAAA,MACR,6CAA6C,iBAAiB,QAAQ,GAAG,MAAM,IAAI,MAAM,MAAM,OAAO,KAAK,OAAO,KAAK,CAAC;AAAA,IAC1H;AAAA,EACF;AACF;;;AC1HA,OAAO,OAAO;AAEP,IAAM,yBAAyB,EAAE,OAAO;AAAA,EAC7C,MAAM,EAAE,OAAO;AAAA,EACf,KAAK,EAAE,OAAO;AAAA,EACd,OAAO,EAAE,OAAO;AAClB,CAAC;;;AHqDD,eAAsB,sBACpB,SACsE;AACtE,MAAI;AACF,UAAM,QAAQ,cAAc,QAAQ,UAAU,KAAK;AACnD,UAAM,8BAA8B,MAAM,MAAM,QAAQ,YAAY;AAEpE,UAAM;AAAA,MACJ;AAAA,MACA;AAAA,IACF,EAAE,2BAA2B;AAE7B
,WAAO,MAAM,mBAAmB;AAAA,MAC9B,UAAU,MAAM,4BAA4B,KAAK;AAAA,MACjD,QAAQ;AAAA,IACV,CAAC;AAAA,EACH,SAAS,OAAO;AACd,QACE,iBAAiB,6BACjB,iBAAiB,mBACjB,iBAAiB,cACjB;AACA,YAAM;AAAA,IACR;AACA,UAAM,IAAI;AAAA,MACR,0DAA0D,iBAAiB,QAAQ,GAAG,MAAM,IAAI,MAAM,MAAM,OAAO,KAAK,OAAO,KAAK,CAAC;AAAA,IACvI;AAAA,EACF;AACF;AAWA,eAAsB,wCACpB,SACgC;AAChC,MAAI;AACF,UAAM,sBAAsB,MAAM,2BAA2B,OAAO;AAEpE,QAAI,CAAC,oBAAoB,cAAc;AACrC,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AAEA,UAAM,gBAAgB,MAAM,sBAAsB;AAAA,MAChD,GAAG;AAAA,MACH,cAAc,oBAAoB;AAAA,IACpC,CAAC;AAED,WAAO,uCAAuC;AAAA,MAC5C,8BAA8B,cAAc;AAAA,MAC5C,8BAA8B,cAAc;AAAA,MAC5C,WAAW;AAAA,QACT,WAAW,QAAQ,UAAU;AAAA,MAC/B;AAAA,MACA,KAAK,QAAQ;AAAA,MACb,QAAQ,QAAQ;AAAA,MAChB,OAAO,QAAQ;AAAA,IACjB,CAAC;AAAA,EACH,SAAS,OAAO;AACd,QACE,iBAAiB,6BACjB,iBAAiB,mBACjB,iBAAiB,cACjB;AACA,YAAM;AAAA,IACR;AACA,UAAM,IAAI;AAAA,MACR,sFAAsF,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK,CAAC;AAAA,IAC9I;AAAA,EACF;AACF;;;AIxIA,SAAS,eAAe,8BAA8B;;;ACDtD,SAAS,KAAAA,UAAS;AAGlB,IAAM,cAAcA,GAAE,OAAO;AAAA,EAC3B,KAAKA,GAAE,OAAO,EAAE,IAAI,GAAG,uBAAuB;AAAA,EAC9C,YAAYA,GAAE,QAAQ,KAAK;AAAA;AAC7B,CAAC;AAEM,IAAM,qBAAqBA,GAC/B,OAAO;AAAA,EACN,6BAA6BA,GAC1B,OAAO,EACP,SAAS,EACT;AAAA,IACC;AAAA,EACF;AAAA,EAEF,uBAAuBA,GACpB,OAAO,EACP,SAAS,EACT;AAAA,IACC;AAAA,EACF;AAAA,EAEF,OAAO,YAAY;AAAA,IACjB;AAAA,EACF;AAAA,EAEA,gBAAgBA,GACb,OAAO,EACP,SAAS,EACT;AAAA,IACC;AAAA,EACF;AACJ,CAAC,EACA,YAAY,CAAC,MAAM,QAAQ;AAE1B,MAAI,KAAK,yBAAyB,KAAK,6BAA6B;AAClE,QAAI,SAAS;AAAA,MACX,MAAM;AAAA,MACN,SACE;AAAA,MACF,MAAM,CAAC,uBAAuB;AAAA,IAChC,CAAC;AAAA,EACH;AAEA,MAAI,CAAC,KAAK,yBAAyB,CAAC,KAAK,6BAA6B;AACpE,QAAI,SAAS;AAAA,MACX,MAAM;AAAA,MACN,SACE;AAAA,MACF,MAAM,CAAC,uBAAuB;AAAA,IAChC,CAAC;AAAA,EACH;AACF,CAAC;AAIH,IAAM,oBAAoBA,GAAE;AAAA,EAC1BA,GAAE,OAAO;AAAA,IACP,YAAYA,GACT,OAAO,EACP;AAAA,MACC;AAAA,IACF;AAAA,EACJ,CAAC;AACH;AAEO,IAAM,sBAAsBA,GAChC,OAAO;AAAA,EACN,aAAa,kBAAkB,SAAS,EAAE;AAAA,IACxC;AAAA,EACF;AAAA,EAEA,WAAWA,GACR,OAAO,EACP,IAAI,EACJ,SAAS,EACT,SAAS,EACT;AAAA,IACC;AAAA,EACF;AAAA,EAEF,iBAAiBA,GACd,OAAO,EACP,SAAS,EACT,SAAS,8DAA8D;AAAA,EAE1E,gB
AAgBA,GACb,OAAO,EACP,SAAS,EACT;AAAA,IACC;AAAA,EACF;AACJ,CAAC,EACA,YAAY,CAAC,MAAM,QAAQ;AAE1B,MAAI,KAAK,gBAAgB,KAAK,aAAa,KAAK,iBAAiB;AAC/D,QAAI,SAAS;AAAA,MACX,MAAM;AAAA,MACN,SACE;AAAA,MACF,MAAM,CAAC,aAAa;AAAA,IACtB,CAAC;AAAA,EACH;AAEA,MAAI,CAAC,KAAK,gBAAgB,CAAC,KAAK,aAAa,CAAC,KAAK,iBAAiB;AAClE,QAAI,SAAS;AAAA,MACX,MAAM;AAAA,MACN,SACE;AAAA,MACF,MAAM,CAAC,WAAW;AAAA,IACpB,CAAC;AAAA,EACH;AAGA,MAAI,CAAC,KAAK,eAAe,KAAK,iBAAiB;AAC7C,QAAI,SAAS;AAAA,MACX,MAAM;AAAA,MACN,SAAS;AAAA,MACT,MAAM,CAAC,iBAAiB;AAAA,IAC1B,CAAC;AAAA,EACH;AACF,CAAC;;;ADhFI,IAAM,0BAA0B,OACrC,YAC+B;AAC/B,MAAI;AACF,UAAM,EAAE,QAAQ,IAAI,QAAQ;AAC5B,UAAM,WAAW,MAAM,QAAQ,QAAQ,QAAQ;AAAA,MAC7C,QAAQ;AAAA,QACN,KAAK,QAAQ,OAAO;AAAA,QACpB,KAAK,QAAQ,OAAO;AAAA,QACpB,KAAK;AAAA,MACP;AAAA,MACA,SAAS;AAAA,QACP,KAAK,QAAQ;AAAA,QACb,KAAK,cAAc,oBAAI,KAAK,CAAC;AAAA,QAC7B,KAAK,QAAQ;AAAA,QACb,OAAO,QAAQ;AAAA,MACjB;AAAA,IACF,CAAC;AAED,WAAO,uBAAuB,oBAAoB;AAAA,MAChD,uBAAuB,QAAQ;AAAA,MAC/B,OAAO;AAAA,QACL,KAAK,SAAS;AAAA,QACd,YAAY;AAAA,MACd;AAAA,IACF,CAA6B;AAAA,EAC/B,SAAS,OAAO;AACd,UAAM,IAAI;AAAA,MACR,sDAAsD,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK,CAAC;AAAA,IAC9G;AAAA,EACF;AACF;;;AEzEA,SAAS,iBAAAC,gBAAe,0BAAAC,+BAA8B;AACtD;AAAA,EACE;AAAA,EACA;AAAA,EACA,6BAAAC;AAAA,EACA,mBAAAC;AAAA,EACA,oBAAAC;AAAA,OACK;AA4CP,eAAsB,wBACpB,SAC6B;AAC7B,MAAI;AACF,UAAM,QAAQC,eAAc,QAAQ,UAAU,KAAK;AACnD,UAAM,qBAAqB,MAAM,MAAM,QAAQ,oBAAoB;AAAA,MACjE,MAAM,KAAK,UAAU,QAAQ,iBAAiB;AAAA,MAC9C,SAAS;AAAA,QACP,CAAC,QAAQ,aAAa,GAAG,QAAQ,QAAQ,WAAW;AAAA,QACpD,CAAC,QAAQ,YAAY,GAAG,cAAc;AAAA,QACtC,CAAC,QAAQ,IAAI,GAAG,QAAQ;AAAA,MAC1B;AAAA,MACA,QAAQ;AAAA,IACV,CAAC;AAED,UAAMC,kBAAiB,KAAKC,0BAAyB,EAAE,kBAAkB;AAEzE,UAAM,yBAAyB,MAAM,mBAAmB,KAAK;AAE7D,WAAOC;AAAA,MACL;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,EACF,SAAS,OAAO;AACd,QACE,iBAAiBD,8BACjB,iBAAiBE,kBACjB;AACA,YAAM;AAAA,IACR;AACA,UAAM,IAAI;AAAA,MACR,gDAAgD,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK,CAAC;AAAA,IACxG;AAAA,EACF;AACF;;;ACtFA,SAAS,gCAAgC;AACzC,SAAS,wBAAwB;AA8D1B,IAAM,iBAAN,cAA6B,yBAAyB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,
EAa3D,MAAa,6BACX,SACiB;AACjB,QAAI,CAAC,QAAQ,cAAc,KAAK;AAC9B,YAAM,IAAI,oBAAoB,yCAAyC;AAAA,IACzE;AAEA,UAAM,oBAAoB,MAAM,KAAK,2BAA2B;AAAA,MAC9D,UAAU,QAAQ,cAAc;AAAA,MAChC,cAAc;AAAA;AAAA,QAEZ,KAAK,QAAQ;AAAA,MACf;AAAA,MACA,WACE,QAAQ,aAAa,iBAAiB,oBAAI,KAAK,GAAG,OAAO,KAAK,KAAK,EAAE;AAAA,MACvE,QAAQ,QAAQ;AAAA,MAChB,QAAQ;AAAA,QACN,KAAK;AAAA,QACL,KAAK,QAAQ,OAAO;AAAA,QACpB,QAAQ;AAAA;AAAA,QACR,YAAY,QAAQ,OAAO;AAAA,MAC7B;AAAA,MACA,YAAY,QAAQ;AAAA,MACpB,YAAY,QAAQ;AAAA,IACtB,CAAC;AAED,WAAO;AAAA,EACT;AACF;","names":["z","createFetcher","parseWithErrorHandling","UnexpectedStatusCodeError","ValidationError","hasStatusOrThrow","createFetcher","hasStatusOrThrow","UnexpectedStatusCodeError","parseWithErrorHandling","ValidationError"]}
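--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@pagopa/io-wallet-oid4vci",
- "version": "0.7.3",
+ "version": "0.7.6",
  "files": [
  "dist"
  ],
@@ -31,9 +31,9 @@
  "@openid4vc/openid4vci": "0.3.0-alpha-20250714110838",
  "@openid4vc/utils": "0.3.0-alpha-20250714110838",
  "zod": "^3.24.2",
- "@pagopa/io-wallet-utils": "0.7.3",
- "@pagopa/io-wallet-oauth2": "0.7.3",
- "@pagopa/io-wallet-oid4vp": "0.7.3"
+ "@pagopa/io-wallet-utils": "0.7.6",
+ "@pagopa/io-wallet-oauth2": "0.7.6",
+ "@pagopa/io-wallet-oid4vp": "0.7.6"
  },
  "devDependencies": {
  "js-base64": "^3.7.8"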