npm - @pagopa/io-wallet-oid4vp - Versions diffs - 0.4.2 → 0.5.1 - Mend

@pagopa/io-wallet-oid4vp 0.4.2 → 0.5.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/README.md CHANGED Viewed

@@ -50,6 +50,67 @@ const parsedRequestObject = await parseAuthorizeRequest({
 });
 ```
+### Generating an Authorization Response
+```typescript
+import { createAuthorizationResponse, AuthorizationRequestObject } from '@pagopa/io-wallet-oid4vp';
+import { ItWalletCredentialVerifierMetadata } from "@pagopa/io-wallet-oid-federation";
+//Obtain the RP's metadata
+const rpMetadata : ItWalletCredentialVerifierMetadata = {
+  ...
+}
+//Obtain a decoded Request Object from, e.g., parseAuthorizeRequest invocation
+const requestObject: AuthorizationRequestObject = {
+  ...
+}
+//Obtain the signer
+const signer = {
+    method : 'jwk',
+    publicJwk : {/*... jwk details*/},
+    alg : 'ES256'
+}
+//Obtain the vp_token
+const vp_token = {
+  ... //VP token containing the attributes to disclose
+}
+//Prepare the callbacks
+const callbacks = {
+    encryptJwe : async (jweEncryptor, data) => {
+        const result = encrypt(data, jweEncryptor)
+        return {
+            verified : result,
+            encryptionJwk : jweEncryptor
+        }
+    },
+    fetch : async (input, init) => {
+      ...//Fetch implementation
+    },
+    generateRandom : async (number) => new Uint8Array(number),
+    signJwt : async (jwtSigner, {header, payload}) => {
+      const str = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(body))}`
+      const sig = signJwt(jwtSigner, str)
+      return `${str}.${sig}`
+    }
+}
+//Create the response
+const resp = createAuthorizationResponse({
+  callbacks,
+  client_id : "JWK Thumbprint",
+  requestObject,
+  rpMetadata,
+  signer,
+  vp_token
+})
+```
 ## API Reference
 ### AuthorizationRequestObject type and Zod parser
@@ -98,6 +159,57 @@ export async function parseAuthorizeRequest(options: ParseAuthorizeRequestOption
 ```
 This method receives a Request Object in JWT format, verifies the signature and returns the decoded Request Object.
+### createAuthorizationResponse
+```typescript
+export interface CreateAuthorizationResponseOptions {
+  /**
+   * Callbacks for authorization response generation
+   */
+  callbacks: Pick<
+    CallbackContext,
+    "encryptJwe" | "fetch" | "generateRandom" | "signJwt"
+  >;
+  /**
+   * Thumbprint of the JWK in the cnf Wallet Attestation
+   */
+  client_id: string;
+  /**
+   * Optional expiration of the Authorization Response JWT, defaults to 10 minutes
+   */
+  exp?: number;
+  /**
+   * Presentation's Request Object
+   */
+  requestObject: AuthorizationRequestObject;
+  /**
+   * OpenID Federation Relying Party metadata
+   */
+  rpMetadata: ItWalletCredentialVerifierMetadata;
+  /**
+   * Signer created from the Wallet Instance's private key
+   */
+  signer: JwtSigner;
+  /**
+   * Array containing the vp_tokens of the credentials
+   * to present
+   */
+  vp_token: VpToken;
+}
+export async function createAuthorizationResponse(
+  options: CreateAuthorizationResponseOptions,
+) {
+  ...
+}
+```
+This method receives the RequestObject, its resolved VP Tokens and other necessary cryptographic and configuration data and returns a signed Authorization Response
 ### Errors
 ```typescript
@@ -124,4 +236,17 @@ export class ParseAuthorizeRequestError extends Oid4vpError {
   }
 }
 ```
-Error thrown by `parseAuthorizeRequest` when the passed request object has an invalid signature or unexpected errors are thrown.
+Error thrown by `parseAuthorizeRequest` when the passed request object has an invalid signature or unexpected errors are thrown.
+```typescript
+export class CreateAuthorizationResponseError extends Oid4vpError {
+  constructor(
+    message: string,
+    public readonly statusCode?: number,
+  ) {
+    super(message);
+    this.name = "CreateAuthorizationResponseError";
+  }
+}
+```
+Error thrown by `createAuthorizationResponse` in case there are unexpected errors.

package/dist/index.d.mts CHANGED Viewed

@@ -1,5 +1,9 @@
-import { CallbackContext, RequestDpopOptions } from '@openid4vc/oauth2';
+import { CallbackContext, RequestDpopOptions, JwtSigner } from '@openid4vc/oauth2';
 import { z } from 'zod';
+import * as _openid4vc_openid4vp from '@openid4vc/openid4vp';
+import { VpToken } from '@openid4vc/openid4vp';
+export { CreateOpenid4vpAuthorizationResponseOptions, CreateOpenid4vpAuthorizationResponseResult, VpToken, createOpenid4vpAuthorizationResponse } from '@openid4vc/openid4vp';
+import { ItWalletCredentialVerifierMetadata } from '@pagopa/io-wallet-oid-federation';
 /**
  * Zod parser that describes a JWT payload
@@ -15,7 +19,7 @@ declare const zOpenid4vpAuthorizationRequest: z.ZodIntersection<z.ZodObject<{
     response_type: z.ZodLiteral<"vp_token">;
     response_uri: z.ZodOptional<z.ZodString>;
     scope: z.ZodOptional<z.ZodString>;
-    state: z.ZodOptional<z.ZodString>;
+    state: z.ZodString;
     wallet_nonce: z.ZodOptional<z.ZodString>;
 }, "passthrough", z.ZodTypeAny, z.objectOutputType<{
     client_id: z.ZodString;
@@ -27,7 +31,7 @@ declare const zOpenid4vpAuthorizationRequest: z.ZodIntersection<z.ZodObject<{
     response_type: z.ZodLiteral<"vp_token">;
     response_uri: z.ZodOptional<z.ZodString>;
     scope: z.ZodOptional<z.ZodString>;
-    state: z.ZodOptional<z.ZodString>;
+    state: z.ZodString;
     wallet_nonce: z.ZodOptional<z.ZodString>;
 }, z.ZodTypeAny, "passthrough">, z.objectInputType<{
     client_id: z.ZodString;
@@ -39,7 +43,7 @@ declare const zOpenid4vpAuthorizationRequest: z.ZodIntersection<z.ZodObject<{
     response_type: z.ZodLiteral<"vp_token">;
     response_uri: z.ZodOptional<z.ZodString>;
     scope: z.ZodOptional<z.ZodString>;
-    state: z.ZodOptional<z.ZodString>;
+    state: z.ZodString;
     wallet_nonce: z.ZodOptional<z.ZodString>;
 }, z.ZodTypeAny, "passthrough">>, z.ZodObject<{
     iss: z.ZodOptional<z.ZodString>;
@@ -1102,6 +1106,48 @@ interface ParseAuthorizeRequestOptions {
  */
 declare function parseAuthorizeRequest(options: ParseAuthorizeRequestOptions): Promise<AuthorizationRequestObject>;
+interface CreateAuthorizationResponseOptions {
+    /**
+     * Callbacks for authorization response generation
+     */
+    callbacks: Pick<CallbackContext, "encryptJwe" | "fetch" | "generateRandom" | "signJwt">;
+    /**
+     * Thumbprint of the JWK in the cnf Wallet Attestation
+     */
+    client_id: string;
+    /**
+     * Optional expiration of the Authorization Response JWT, defaults to 10 minutes
+     */
+    exp?: number;
+    /**
+     * Presentation's Request Object
+     */
+    requestObject: AuthorizationRequestObject;
+    /**
+     * OpenID Federation Relying Party metadata
+     */
+    rpMetadata: ItWalletCredentialVerifierMetadata;
+    /**
+     * Signer created from the Wallet Instance's private key
+     */
+    signer: JwtSigner;
+    /**
+     * Array containing the vp_tokens of the credentials
+     * to present
+     */
+    vp_token: VpToken;
+}
+/**
+ * This method receives the RequestObject, its resolved VP Tokens and other necessary cryptographic and configuration data
+ * and returns a signed and encrypted Presentation Response
+ * @param options {@link CreateAuthorizationResponseOptions}
+ * @returns An {@link CreateOpenid4vpAuthorizationResponseResult} representing
+ *          the encrypted and signed Presentation Response to the corresponding {@link AuthorizationRequestObject}
+ * @throws An {@link CreateAuthorizationResponseError} in case of unexpected errors during response generation,
+ *         encryption, or signing
+ */
+declare function createAuthorizationResponse(options: CreateAuthorizationResponseOptions): Promise<_openid4vc_openid4vp.CreateOpenid4vpAuthorizationResponseResult>;
 /**
  * Generic error thrown during Oid4vp operations
  */
@@ -1118,5 +1164,13 @@ declare class ParseAuthorizeRequestError extends Oid4vpError {
     readonly statusCode?: number | undefined;
     constructor(message: string, statusCode?: number | undefined);
 }
+/**
+ * Error thrown by {@link createAuthorizationResponse} in case there
+ * are unexpected errors.
+ */
+declare class CreateAuthorizationResponseError extends Oid4vpError {
+    readonly statusCode?: number | undefined;
+    constructor(message: string, statusCode?: number | undefined);
+}
-export { type AuthorizationRequestObject, Oid4vpError, ParseAuthorizeRequestError, type ParseAuthorizeRequestOptions, parseAuthorizeRequest, zOpenid4vpAuthorizationRequest };
+export { type AuthorizationRequestObject, CreateAuthorizationResponseError, type CreateAuthorizationResponseOptions, Oid4vpError, ParseAuthorizeRequestError, type ParseAuthorizeRequestOptions, createAuthorizationResponse, parseAuthorizeRequest, zOpenid4vpAuthorizationRequest };

package/dist/index.d.ts CHANGED Viewed

@@ -1,5 +1,9 @@
-import { CallbackContext, RequestDpopOptions } from '@openid4vc/oauth2';
+import { CallbackContext, RequestDpopOptions, JwtSigner } from '@openid4vc/oauth2';
 import { z } from 'zod';
+import * as _openid4vc_openid4vp from '@openid4vc/openid4vp';
+import { VpToken } from '@openid4vc/openid4vp';
+export { CreateOpenid4vpAuthorizationResponseOptions, CreateOpenid4vpAuthorizationResponseResult, VpToken, createOpenid4vpAuthorizationResponse } from '@openid4vc/openid4vp';
+import { ItWalletCredentialVerifierMetadata } from '@pagopa/io-wallet-oid-federation';
 /**
  * Zod parser that describes a JWT payload
@@ -15,7 +19,7 @@ declare const zOpenid4vpAuthorizationRequest: z.ZodIntersection<z.ZodObject<{
     response_type: z.ZodLiteral<"vp_token">;
     response_uri: z.ZodOptional<z.ZodString>;
     scope: z.ZodOptional<z.ZodString>;
-    state: z.ZodOptional<z.ZodString>;
+    state: z.ZodString;
     wallet_nonce: z.ZodOptional<z.ZodString>;
 }, "passthrough", z.ZodTypeAny, z.objectOutputType<{
     client_id: z.ZodString;
@@ -27,7 +31,7 @@ declare const zOpenid4vpAuthorizationRequest: z.ZodIntersection<z.ZodObject<{
     response_type: z.ZodLiteral<"vp_token">;
     response_uri: z.ZodOptional<z.ZodString>;
     scope: z.ZodOptional<z.ZodString>;
-    state: z.ZodOptional<z.ZodString>;
+    state: z.ZodString;
     wallet_nonce: z.ZodOptional<z.ZodString>;
 }, z.ZodTypeAny, "passthrough">, z.objectInputType<{
     client_id: z.ZodString;
@@ -39,7 +43,7 @@ declare const zOpenid4vpAuthorizationRequest: z.ZodIntersection<z.ZodObject<{
     response_type: z.ZodLiteral<"vp_token">;
     response_uri: z.ZodOptional<z.ZodString>;
     scope: z.ZodOptional<z.ZodString>;
-    state: z.ZodOptional<z.ZodString>;
+    state: z.ZodString;
     wallet_nonce: z.ZodOptional<z.ZodString>;
 }, z.ZodTypeAny, "passthrough">>, z.ZodObject<{
     iss: z.ZodOptional<z.ZodString>;
@@ -1102,6 +1106,48 @@ interface ParseAuthorizeRequestOptions {
  */
 declare function parseAuthorizeRequest(options: ParseAuthorizeRequestOptions): Promise<AuthorizationRequestObject>;
+interface CreateAuthorizationResponseOptions {
+    /**
+     * Callbacks for authorization response generation
+     */
+    callbacks: Pick<CallbackContext, "encryptJwe" | "fetch" | "generateRandom" | "signJwt">;
+    /**
+     * Thumbprint of the JWK in the cnf Wallet Attestation
+     */
+    client_id: string;
+    /**
+     * Optional expiration of the Authorization Response JWT, defaults to 10 minutes
+     */
+    exp?: number;
+    /**
+     * Presentation's Request Object
+     */
+    requestObject: AuthorizationRequestObject;
+    /**
+     * OpenID Federation Relying Party metadata
+     */
+    rpMetadata: ItWalletCredentialVerifierMetadata;
+    /**
+     * Signer created from the Wallet Instance's private key
+     */
+    signer: JwtSigner;
+    /**
+     * Array containing the vp_tokens of the credentials
+     * to present
+     */
+    vp_token: VpToken;
+}
+/**
+ * This method receives the RequestObject, its resolved VP Tokens and other necessary cryptographic and configuration data
+ * and returns a signed and encrypted Presentation Response
+ * @param options {@link CreateAuthorizationResponseOptions}
+ * @returns An {@link CreateOpenid4vpAuthorizationResponseResult} representing
+ *          the encrypted and signed Presentation Response to the corresponding {@link AuthorizationRequestObject}
+ * @throws An {@link CreateAuthorizationResponseError} in case of unexpected errors during response generation,
+ *         encryption, or signing
+ */
+declare function createAuthorizationResponse(options: CreateAuthorizationResponseOptions): Promise<_openid4vc_openid4vp.CreateOpenid4vpAuthorizationResponseResult>;
 /**
  * Generic error thrown during Oid4vp operations
  */
@@ -1118,5 +1164,13 @@ declare class ParseAuthorizeRequestError extends Oid4vpError {
     readonly statusCode?: number | undefined;
     constructor(message: string, statusCode?: number | undefined);
 }
+/**
+ * Error thrown by {@link createAuthorizationResponse} in case there
+ * are unexpected errors.
+ */
+declare class CreateAuthorizationResponseError extends Oid4vpError {
+    readonly statusCode?: number | undefined;
+    constructor(message: string, statusCode?: number | undefined);
+}
-export { type AuthorizationRequestObject, Oid4vpError, ParseAuthorizeRequestError, type ParseAuthorizeRequestOptions, parseAuthorizeRequest, zOpenid4vpAuthorizationRequest };
+export { type AuthorizationRequestObject, CreateAuthorizationResponseError, type CreateAuthorizationResponseOptions, Oid4vpError, ParseAuthorizeRequestError, type ParseAuthorizeRequestOptions, createAuthorizationResponse, parseAuthorizeRequest, zOpenid4vpAuthorizationRequest };

package/dist/index.js CHANGED Viewed

@@ -20,8 +20,11 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 // src/index.ts
 var index_exports = {};
 __export(index_exports, {
+  CreateAuthorizationResponseError: () => CreateAuthorizationResponseError,
   Oid4vpError: () => Oid4vpError,
   ParseAuthorizeRequestError: () => ParseAuthorizeRequestError,
+  createAuthorizationResponse: () => createAuthorizationResponse,
+  createOpenid4vpAuthorizationResponse: () => import_openid4vp2.createOpenid4vpAuthorizationResponse,
   parseAuthorizeRequest: () => parseAuthorizeRequest,
   zOpenid4vpAuthorizationRequest: () => zOpenid4vpAuthorizationRequest
 });
@@ -46,6 +49,13 @@ var ParseAuthorizeRequestError = class extends Oid4vpError {
     this.name = "ParseAuthorizeRequestError";
   }
 };
+var CreateAuthorizationResponseError = class extends Oid4vpError {
+  constructor(message, statusCode) {
+    super(message);
+    this.statusCode = statusCode;
+    this.name = "CreateAuthorizationResponseError";
+  }
+};
 // src/authorization-request/z-request-object.ts
 var import_oauth2 = require("@openid4vc/oauth2");
@@ -60,7 +70,7 @@ var zOpenid4vpAuthorizationRequest = import_zod.z.object({
   response_type: import_zod.z.literal("vp_token"),
   response_uri: import_zod.z.string().url().optional(),
   scope: import_zod.z.string().optional(),
-  state: import_zod.z.string().optional(),
+  state: import_zod.z.string(),
   wallet_nonce: import_zod.z.string().optional()
 }).passthrough().and(import_oauth2.zJwtPayload);
@@ -92,10 +102,61 @@ async function parseAuthorizeRequest(options) {
     );
   }
 }
+// src/authorization-response/create-authorization-response.ts
+var import_openid4vp = require("@openid4vc/openid4vp");
+var import_utils2 = require("@openid4vc/utils");
+async function createAuthorizationResponse(options) {
+  try {
+    const openid_credential_verifier = options.rpMetadata;
+    const serverMetadata = {
+      authorization_encryption_alg_values_supported: [
+        openid_credential_verifier.authorization_encrypted_response_alg
+      ],
+      authorization_encryption_enc_values_supported: [
+        openid_credential_verifier.authorization_encrypted_response_enc
+      ],
+      authorization_signing_alg_values_supported: [
+        openid_credential_verifier.authorization_signed_response_alg
+      ]
+    };
+    return await (0, import_openid4vp.createOpenid4vpAuthorizationResponse)({
+      authorizationRequestPayload: options.requestObject,
+      authorizationResponsePayload: {
+        vp_token: options.vp_token
+      },
+      callbacks: options.callbacks,
+      clientMetadata: openid_credential_verifier,
+      jarm: {
+        audience: options.requestObject.client_id,
+        authorizationServer: options.client_id,
+        encryption: {
+          nonce: new TextDecoder().decode(
+            await options.callbacks.generateRandom(32)
+          )
+        },
+        expiresInSeconds: options.exp ?? (0, import_utils2.dateToSeconds)((0, import_utils2.addSecondsToDate)(/* @__PURE__ */ new Date(), 60 * 10)),
+        // default: 10 minutes
+        jwtSigner: options.signer,
+        serverMetadata
+      }
+    });
+  } catch (error) {
+    throw new CreateAuthorizationResponseError(
+      `Unexpected error during Request Object parsing: ${error instanceof Error ? error.message : String(error)}`
+    );
+  }
+}
+// src/index.ts
+var import_openid4vp2 = require("@openid4vc/openid4vp");
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
+  CreateAuthorizationResponseError,
   Oid4vpError,
   ParseAuthorizeRequestError,
+  createAuthorizationResponse,
+  createOpenid4vpAuthorizationResponse,
   parseAuthorizeRequest,
   zOpenid4vpAuthorizationRequest
 });

package/dist/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["../src/index.ts","../src/authorization-request/parse-authorization-request.ts","../src/errors.ts","../src/authorization-request/z-request-object.ts"],"sourcesContent":["export * from \"./authorization-request\";\nexport * from \"./errors\";\n","import {\n CallbackContext,\n Oauth2JwtParseError,\n RequestDpopOptions,\n decodeJwt,\n} from \"@openid4vc/oauth2\";\nimport { ValidationError } from \"@openid4vc/utils\";\n\nimport { ParseAuthorizeRequestError } from \"../errors\";\nimport {\n AuthorizationRequestObject,\n zOpenid4vpAuthorizationRequest,\n} from \"./z-request-object\";\n\nexport interface ParseAuthorizeRequestOptions {\n /*\n Callback context for signature verification.\n /\n callbacks: Pick<CallbackContext, \"verifyJwt\">;\n\n /\n DPoP options\n /\n dpop: RequestDpopOptions;\n\n /\n The Authorization Request Object JWT.\n /\n requestObjectJwt: string;\n}\n\n/\n This method verifies a JWT containing a Request Object and returns its\n * decoded value for further processing\n * @param options {@link ParseAuthorizeRequestOptions}\n * @returns An {@link AuthorizationRequestObject} containing the RP required\n * credentials\n * @throws {@link ValidationError} in case there are errors validating the Request Object structure\n * @throws {@link Oauth2JwtParseError} in case the request object jwt is malformed (e.g missing header, bad encoding)\n * @throws {@link ParseAuthorizeRequestError} in case the JWT signature is invalid or there are unexpected errors\n /\nexport async function parseAuthorizeRequest(\n options: ParseAuthorizeRequestOptions,\n): Promise<AuthorizationRequestObject> {\n try {\n const decoded = decodeJwt({\n jwt: options.requestObjectJwt,\n payloadSchema: zOpenid4vpAuthorizationRequest,\n });\n const verificationResult = await options.callbacks.verifyJwt(\n options.dpop.signer,\n {\n compact: options.requestObjectJwt,\n header: decoded.header,\n payload: decoded.payload,\n },\n );\n\n if (!verificationResult.verified)\n throw new ParseAuthorizeRequestError(\n \"Error verifying Request Object signature\",\n );\n\n return decoded.payload;\n } catch (error) {\n if (\n error instanceof ValidationError \|\|\n error instanceof Oauth2JwtParseError\n )\n throw error;\n throw new ParseAuthorizeRequestError(\n `Unexpected error during Request Object parsing: ${error instanceof Error ? error.message : String(error)}`,\n );\n }\n}\n","/\n Generic error thrown during Oid4vp operations\n /\nexport class Oid4vpError extends Error {\n constructor(\n message: string,\n public readonly statusCode?: number,\n ) {\n super(message);\n this.name = \"Oid4vpError\";\n }\n}\n\n/\n Error thrown by {@link parseAuthorizeRequest} when the passed\n * request object has an invalid signature or unexpected errors\n * are thrown\n /\nexport class ParseAuthorizeRequestError extends Oid4vpError {\n constructor(\n message: string,\n public readonly statusCode?: number,\n ) {\n super(message);\n this.name = \"ParseAuthorizeRequestError\";\n }\n}\n","import { zJwtPayload } from \"@openid4vc/oauth2\";\nimport { z } from \"zod\";\n\n/\n Zod parser that describes a JWT payload\n * containing an OID4VP Request Object\n */\nexport const zOpenid4vpAuthorizationRequest = z\n .object({\n client_id: z.string(),\n dcql_query: z.record(z.string(), z.any()).optional(),\n nonce: z.string(),\n request_uri: z.string().url().optional(),\n request_uri_method: z.optional(z.string()),\n response_mode: z.literal(\"direct_post.jwt\"),\n response_type: z.literal(\"vp_token\"),\n response_uri: z.string().url().optional(),\n scope: z.string().optional(),\n state: z.string().optional(),\n wallet_nonce: z.string().optional(),\n })\n .passthrough()\n .and(zJwtPayload);\n\nexport type AuthorizationRequestObject = z.infer<\n typeof zOpenid4vpAuthorizationRequest\n>;\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAA,IAAAA,iBAKO;AACP,mBAAgC;;;ACHzB,IAAM,cAAN,cAA0B,MAAM;AAAA,EACrC,YACE,SACgB,YAChB;AACA,UAAM,OAAO;AAFG;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;AAOO,IAAM,6BAAN,cAAyC,YAAY;AAAA,EAC1D,YACE,SACgB,YAChB;AACA,UAAM,OAAO;AAFG;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;;;AC1BA,oBAA4B;AAC5B,iBAAkB;AAMX,IAAM,iCAAiC,aAC3C,OAAO;AAAA,EACN,WAAW,aAAE,OAAO;AAAA,EACpB,YAAY,aAAE,OAAO,aAAE,OAAO,GAAG,aAAE,IAAI,CAAC,EAAE,SAAS;AAAA,EACnD,OAAO,aAAE,OAAO;AAAA,EAChB,aAAa,aAAE,OAAO,EAAE,IAAI,EAAE,SAAS;AAAA,EACvC,oBAAoB,aAAE,SAAS,aAAE,OAAO,CAAC;AAAA,EACzC,eAAe,aAAE,QAAQ,iBAAiB;AAAA,EAC1C,eAAe,aAAE,QAAQ,UAAU;AAAA,EACnC,cAAc,aAAE,OAAO,EAAE,IAAI,EAAE,SAAS;AAAA,EACxC,OAAO,aAAE,OAAO,EAAE,SAAS;AAAA,EAC3B,OAAO,aAAE,OAAO,EAAE,SAAS;AAAA,EAC3B,cAAc,aAAE,OAAO,EAAE,SAAS;AACpC,CAAC,EACA,YAAY,EACZ,IAAI,yBAAW;;;AFmBlB,eAAsB,sBACpB,SACqC;AACrC,MAAI;AACF,UAAM,cAAU,0BAAU;AAAA,MACxB,KAAK,QAAQ;AAAA,MACb,eAAe;AAAA,IACjB,CAAC;AACD,UAAM,qBAAqB,MAAM,QAAQ,UAAU;AAAA,MACjD,QAAQ,KAAK;AAAA,MACb;AAAA,QACE,SAAS,QAAQ;AAAA,QACjB,QAAQ,QAAQ;AAAA,QAChB,SAAS,QAAQ;AAAA,MACnB;AAAA,IACF;AAEA,QAAI,CAAC,mBAAmB;AACtB,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAEF,WAAO,QAAQ;AAAA,EACjB,SAAS,OAAO;AACd,QACE,iBAAiB,gCACjB,iBAAiB;AAEjB,YAAM;AACR,UAAM,IAAI;AAAA,MACR,mDAAmD,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK,CAAC;AAAA,IAC3G;AAAA,EACF;AACF;","names":["import_oauth2"]}
1	+ {"version":3,"sources":["../src/index.ts","../src/authorization-request/parse-authorization-request.ts","../src/errors.ts","../src/authorization-request/z-request-object.ts","../src/authorization-response/create-authorization-response.ts"],"sourcesContent":["export * from \"./authorization-request\";\nexport * from \"./authorization-response\";\nexport * from \"./errors\";\n\nexport {\n type CreateOpenid4vpAuthorizationResponseOptions,\n type CreateOpenid4vpAuthorizationResponseResult,\n type VpToken,\n createOpenid4vpAuthorizationResponse,\n} from \"@openid4vc/openid4vp\";\n","import {\n CallbackContext,\n Oauth2JwtParseError,\n RequestDpopOptions,\n decodeJwt,\n} from \"@openid4vc/oauth2\";\nimport { ValidationError } from \"@openid4vc/utils\";\n\nimport { ParseAuthorizeRequestError } from \"../errors\";\nimport {\n AuthorizationRequestObject,\n zOpenid4vpAuthorizationRequest,\n} from \"./z-request-object\";\n\nexport interface ParseAuthorizeRequestOptions {\n /*\n Callback context for signature verification.\n /\n callbacks: Pick<CallbackContext, \"verifyJwt\">;\n\n /\n DPoP options\n /\n dpop: RequestDpopOptions;\n\n /\n The Authorization Request Object JWT.\n /\n requestObjectJwt: string;\n}\n\n/\n This method verifies a JWT containing a Request Object and returns its\n * decoded value for further processing\n * @param options {@link ParseAuthorizeRequestOptions}\n * @returns An {@link AuthorizationRequestObject} containing the RP required\n * credentials\n * @throws {@link ValidationError} in case there are errors validating the Request Object structure\n * @throws {@link Oauth2JwtParseError} in case the request object jwt is malformed (e.g missing header, bad encoding)\n * @throws {@link ParseAuthorizeRequestError} in case the JWT signature is invalid or there are unexpected errors\n /\nexport async function parseAuthorizeRequest(\n options: ParseAuthorizeRequestOptions,\n): Promise<AuthorizationRequestObject> {\n try {\n const decoded = decodeJwt({\n jwt: options.requestObjectJwt,\n payloadSchema: zOpenid4vpAuthorizationRequest,\n });\n const verificationResult = await options.callbacks.verifyJwt(\n options.dpop.signer,\n {\n compact: options.requestObjectJwt,\n header: decoded.header,\n payload: decoded.payload,\n },\n );\n\n if (!verificationResult.verified)\n throw new ParseAuthorizeRequestError(\n \"Error verifying Request Object signature\",\n );\n\n return decoded.payload;\n } catch (error) {\n if (\n error instanceof ValidationError \|\|\n error instanceof Oauth2JwtParseError\n )\n throw error;\n throw new ParseAuthorizeRequestError(\n `Unexpected error during Request Object parsing: ${error instanceof Error ? error.message : String(error)}`,\n );\n }\n}\n","/\n Generic error thrown during Oid4vp operations\n /\nexport class Oid4vpError extends Error {\n constructor(\n message: string,\n public readonly statusCode?: number,\n ) {\n super(message);\n this.name = \"Oid4vpError\";\n }\n}\n\n/\n Error thrown by {@link parseAuthorizeRequest} when the passed\n * request object has an invalid signature or unexpected errors\n * are thrown\n /\nexport class ParseAuthorizeRequestError extends Oid4vpError {\n constructor(\n message: string,\n public readonly statusCode?: number,\n ) {\n super(message);\n this.name = \"ParseAuthorizeRequestError\";\n }\n}\n\n/\n Error thrown by {@link createAuthorizationResponse} in case there\n * are unexpected errors.\n /\nexport class CreateAuthorizationResponseError extends Oid4vpError {\n constructor(\n message: string,\n public readonly statusCode?: number,\n ) {\n super(message);\n this.name = \"CreateAuthorizationResponseError\";\n }\n}\n","import { zJwtPayload } from \"@openid4vc/oauth2\";\nimport { z } from \"zod\";\n\n/\n Zod parser that describes a JWT payload\n * containing an OID4VP Request Object\n /\nexport const zOpenid4vpAuthorizationRequest = z\n .object({\n client_id: z.string(),\n dcql_query: z.record(z.string(), z.any()).optional(),\n nonce: z.string(),\n request_uri: z.string().url().optional(),\n request_uri_method: z.optional(z.string()),\n response_mode: z.literal(\"direct_post.jwt\"),\n response_type: z.literal(\"vp_token\"),\n response_uri: z.string().url().optional(),\n scope: z.string().optional(),\n state: z.string(),\n wallet_nonce: z.string().optional(),\n })\n .passthrough()\n .and(zJwtPayload);\n\nexport type AuthorizationRequestObject = z.infer<\n typeof zOpenid4vpAuthorizationRequest\n>;\n","import { CallbackContext, JwtSigner } from \"@openid4vc/oauth2\";\nimport {\n CreateOpenid4vpAuthorizationResponseOptions,\n VpToken,\n createOpenid4vpAuthorizationResponse,\n} from \"@openid4vc/openid4vp\";\nimport { addSecondsToDate, dateToSeconds } from \"@openid4vc/utils\";\nimport { ItWalletCredentialVerifierMetadata } from \"@pagopa/io-wallet-oid-federation\";\n\nimport { AuthorizationRequestObject } from \"../authorization-request\";\nimport { CreateAuthorizationResponseError } from \"../errors\";\n\ntype JarmServerMetadata = NonNullable<\n CreateOpenid4vpAuthorizationResponseOptions[\"jarm\"]\n>[\"serverMetadata\"];\n\nexport interface CreateAuthorizationResponseOptions {\n /\n Callbacks for authorization response generation\n /\n callbacks: Pick<\n CallbackContext,\n \"encryptJwe\" \| \"fetch\" \| \"generateRandom\" \| \"signJwt\"\n >;\n\n /\n Thumbprint of the JWK in the cnf Wallet Attestation\n /\n client_id: string;\n\n /\n Optional expiration of the Authorization Response JWT, defaults to 10 minutes\n /\n exp?: number;\n\n /\n Presentation's Request Object\n /\n requestObject: AuthorizationRequestObject;\n\n /\n OpenID Federation Relying Party metadata\n /\n rpMetadata: ItWalletCredentialVerifierMetadata;\n\n /\n Signer created from the Wallet Instance's private key\n /\n signer: JwtSigner;\n\n /\n Array containing the vp_tokens of the credentials\n * to present\n /\n vp_token: VpToken;\n}\n\n/\n This method receives the RequestObject, its resolved VP Tokens and other necessary cryptographic and configuration data\n * and returns a signed and encrypted Presentation Response\n * @param options {@link CreateAuthorizationResponseOptions}\n * @returns An {@link CreateOpenid4vpAuthorizationResponseResult} representing\n * the encrypted and signed Presentation Response to the corresponding {@link AuthorizationRequestObject}\n * @throws An {@link CreateAuthorizationResponseError} in case of unexpected errors during response generation,\n * encryption, or signing\n /\nexport async function createAuthorizationResponse(\n options: CreateAuthorizationResponseOptions,\n) {\n try {\n const openid_credential_verifier = options.rpMetadata;\n\n const serverMetadata: JarmServerMetadata = {\n authorization_encryption_alg_values_supported: [\n openid_credential_verifier.authorization_encrypted_response_alg,\n ],\n authorization_encryption_enc_values_supported: [\n openid_credential_verifier.authorization_encrypted_response_enc,\n ],\n authorization_signing_alg_values_supported: [\n openid_credential_verifier.authorization_signed_response_alg,\n ],\n };\n\n // NOTE: This method sets the state in the Authorization Response\n // using the corresponding value in the Request Object\n return await createOpenid4vpAuthorizationResponse({\n authorizationRequestPayload: options.requestObject,\n authorizationResponsePayload: {\n vp_token: options.vp_token,\n },\n callbacks: options.callbacks,\n clientMetadata: openid_credential_verifier,\n jarm: {\n audience: options.requestObject.client_id,\n authorizationServer: options.client_id,\n encryption: {\n nonce: new TextDecoder().decode(\n await options.callbacks.generateRandom(32),\n ),\n },\n expiresInSeconds:\n options.exp ?? dateToSeconds(addSecondsToDate(new Date(), 60 10)), // default: 10 minutes\n jwtSigner: options.signer,\n serverMetadata,\n },\n });\n } catch (error) {\n throw new CreateAuthorizationResponseError(\n `Unexpected error during Request Object parsing: ${error instanceof Error ? error.message : String(error)}`,\n );\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAA,IAAAA,iBAKO;AACP,mBAAgC;;;ACHzB,IAAM,cAAN,cAA0B,MAAM;AAAA,EACrC,YACE,SACgB,YAChB;AACA,UAAM,OAAO;AAFG;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;AAOO,IAAM,6BAAN,cAAyC,YAAY;AAAA,EAC1D,YACE,SACgB,YAChB;AACA,UAAM,OAAO;AAFG;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;AAMO,IAAM,mCAAN,cAA+C,YAAY;AAAA,EAChE,YACE,SACgB,YAChB;AACA,UAAM,OAAO;AAFG;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;;;ACxCA,oBAA4B;AAC5B,iBAAkB;AAMX,IAAM,iCAAiC,aAC3C,OAAO;AAAA,EACN,WAAW,aAAE,OAAO;AAAA,EACpB,YAAY,aAAE,OAAO,aAAE,OAAO,GAAG,aAAE,IAAI,CAAC,EAAE,SAAS;AAAA,EACnD,OAAO,aAAE,OAAO;AAAA,EAChB,aAAa,aAAE,OAAO,EAAE,IAAI,EAAE,SAAS;AAAA,EACvC,oBAAoB,aAAE,SAAS,aAAE,OAAO,CAAC;AAAA,EACzC,eAAe,aAAE,QAAQ,iBAAiB;AAAA,EAC1C,eAAe,aAAE,QAAQ,UAAU;AAAA,EACnC,cAAc,aAAE,OAAO,EAAE,IAAI,EAAE,SAAS;AAAA,EACxC,OAAO,aAAE,OAAO,EAAE,SAAS;AAAA,EAC3B,OAAO,aAAE,OAAO;AAAA,EAChB,cAAc,aAAE,OAAO,EAAE,SAAS;AACpC,CAAC,EACA,YAAY,EACZ,IAAI,yBAAW;;;AFmBlB,eAAsB,sBACpB,SACqC;AACrC,MAAI;AACF,UAAM,cAAU,0BAAU;AAAA,MACxB,KAAK,QAAQ;AAAA,MACb,eAAe;AAAA,IACjB,CAAC;AACD,UAAM,qBAAqB,MAAM,QAAQ,UAAU;AAAA,MACjD,QAAQ,KAAK;AAAA,MACb;AAAA,QACE,SAAS,QAAQ;AAAA,QACjB,QAAQ,QAAQ;AAAA,QAChB,SAAS,QAAQ;AAAA,MACnB;AAAA,IACF;AAEA,QAAI,CAAC,mBAAmB;AACtB,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAEF,WAAO,QAAQ;AAAA,EACjB,SAAS,OAAO;AACd,QACE,iBAAiB,gCACjB,iBAAiB;AAEjB,YAAM;AACR,UAAM,IAAI;AAAA,MACR,mDAAmD,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK,CAAC;AAAA,IAC3G;AAAA,EACF;AACF;;;AGzEA,uBAIO;AACP,IAAAC,gBAAgD;AA4DhD,eAAsB,4BACpB,SACA;AACA,MAAI;AACF,UAAM,6BAA6B,QAAQ;AAE3C,UAAM,iBAAqC;AAAA,MACzC,+CAA+C;AAAA,QAC7C,2BAA2B;AAAA,MAC7B;AAAA,MACA,+CAA+C;AAAA,QAC7C,2BAA2B;AAAA,MAC7B;AAAA,MACA,4CAA4C;AAAA,QAC1C,2BAA2B;AAAA,MAC7B;AAAA,IACF;AAIA,WAAO,UAAM,uDAAqC;AAAA,MAChD,6BAA6B,QAAQ;AAAA,MACrC,8BAA8B;AAAA,QAC5B,UAAU,QAAQ;AAAA,MACpB;AAAA,MACA,WAAW,QAAQ;AAAA,MACnB,gBAAgB;AAAA,MAChB,MAAM;AAAA,QACJ,UAAU,QAAQ,cAAc;AAAA,QAChC,qBAAqB,QAAQ;AAAA,QAC7B,YAAY;AAAA,UACV,OAAO,IAAI,YAAY,EAAE;AAAA,YACvB,MAAM,QAAQ,UAAU,eAAe,EAAE;AAAA,UAC3C;AAAA,QACF;AAAA,QACA,kBACE,QAAQ,WAAO,iCAAc,gCAAiB,oBAAI,KAAK,GAAG,KAAK,EAAE,CAAC;AAAA;AAAA,QACpE,WAAW,QAAQ;AAAA,QACnB;AAAA,MACF;AAAA,IACF,CAAC;AAAA,EACH,SAAS,OAAO;AACd,UAAM,IAAI;AAAA,MACR,mDAAmD,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK,CAAC;AAAA,IAC3G;AAAA,EACF;AACF;;;AJ5GA,IAAAC,oBAKO;","names":["import_oauth2","import_utils","import_openid4vp"]}

package/dist/index.mjs CHANGED Viewed

@@ -20,6 +20,13 @@ var ParseAuthorizeRequestError = class extends Oid4vpError {
     this.name = "ParseAuthorizeRequestError";
   }
 };
+var CreateAuthorizationResponseError = class extends Oid4vpError {
+  constructor(message, statusCode) {
+    super(message);
+    this.statusCode = statusCode;
+    this.name = "CreateAuthorizationResponseError";
+  }
+};
 // src/authorization-request/z-request-object.ts
 import { zJwtPayload } from "@openid4vc/oauth2";
@@ -34,7 +41,7 @@ var zOpenid4vpAuthorizationRequest = z.object({
   response_type: z.literal("vp_token"),
   response_uri: z.string().url().optional(),
   scope: z.string().optional(),
-  state: z.string().optional(),
+  state: z.string(),
   wallet_nonce: z.string().optional()
 }).passthrough().and(zJwtPayload);
@@ -66,9 +73,64 @@ async function parseAuthorizeRequest(options) {
     );
   }
 }
+// src/authorization-response/create-authorization-response.ts
+import {
+  createOpenid4vpAuthorizationResponse
+} from "@openid4vc/openid4vp";
+import { addSecondsToDate, dateToSeconds } from "@openid4vc/utils";
+async function createAuthorizationResponse(options) {
+  try {
+    const openid_credential_verifier = options.rpMetadata;
+    const serverMetadata = {
+      authorization_encryption_alg_values_supported: [
+        openid_credential_verifier.authorization_encrypted_response_alg
+      ],
+      authorization_encryption_enc_values_supported: [
+        openid_credential_verifier.authorization_encrypted_response_enc
+      ],
+      authorization_signing_alg_values_supported: [
+        openid_credential_verifier.authorization_signed_response_alg
+      ]
+    };
+    return await createOpenid4vpAuthorizationResponse({
+      authorizationRequestPayload: options.requestObject,
+      authorizationResponsePayload: {
+        vp_token: options.vp_token
+      },
+      callbacks: options.callbacks,
+      clientMetadata: openid_credential_verifier,
+      jarm: {
+        audience: options.requestObject.client_id,
+        authorizationServer: options.client_id,
+        encryption: {
+          nonce: new TextDecoder().decode(
+            await options.callbacks.generateRandom(32)
+          )
+        },
+        expiresInSeconds: options.exp ?? dateToSeconds(addSecondsToDate(/* @__PURE__ */ new Date(), 60 * 10)),
+        // default: 10 minutes
+        jwtSigner: options.signer,
+        serverMetadata
+      }
+    });
+  } catch (error) {
+    throw new CreateAuthorizationResponseError(
+      `Unexpected error during Request Object parsing: ${error instanceof Error ? error.message : String(error)}`
+    );
+  }
+}
+// src/index.ts
+import {
+  createOpenid4vpAuthorizationResponse as createOpenid4vpAuthorizationResponse2
+} from "@openid4vc/openid4vp";
 export {
+  CreateAuthorizationResponseError,
   Oid4vpError,
   ParseAuthorizeRequestError,
+  createAuthorizationResponse,
+  createOpenid4vpAuthorizationResponse2 as createOpenid4vpAuthorizationResponse,
   parseAuthorizeRequest,
   zOpenid4vpAuthorizationRequest
 };

package/dist/index.mjs.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["../src/authorization-request/parse-authorization-request.ts","../src/errors.ts","../src/authorization-request/z-request-object.ts"],"sourcesContent":["import {\n CallbackContext,\n Oauth2JwtParseError,\n RequestDpopOptions,\n decodeJwt,\n} from \"@openid4vc/oauth2\";\nimport { ValidationError } from \"@openid4vc/utils\";\n\nimport { ParseAuthorizeRequestError } from \"../errors\";\nimport {\n AuthorizationRequestObject,\n zOpenid4vpAuthorizationRequest,\n} from \"./z-request-object\";\n\nexport interface ParseAuthorizeRequestOptions {\n /*\n Callback context for signature verification.\n /\n callbacks: Pick<CallbackContext, \"verifyJwt\">;\n\n /\n DPoP options\n /\n dpop: RequestDpopOptions;\n\n /\n The Authorization Request Object JWT.\n /\n requestObjectJwt: string;\n}\n\n/\n This method verifies a JWT containing a Request Object and returns its\n * decoded value for further processing\n * @param options {@link ParseAuthorizeRequestOptions}\n * @returns An {@link AuthorizationRequestObject} containing the RP required\n * credentials\n * @throws {@link ValidationError} in case there are errors validating the Request Object structure\n * @throws {@link Oauth2JwtParseError} in case the request object jwt is malformed (e.g missing header, bad encoding)\n * @throws {@link ParseAuthorizeRequestError} in case the JWT signature is invalid or there are unexpected errors\n /\nexport async function parseAuthorizeRequest(\n options: ParseAuthorizeRequestOptions,\n): Promise<AuthorizationRequestObject> {\n try {\n const decoded = decodeJwt({\n jwt: options.requestObjectJwt,\n payloadSchema: zOpenid4vpAuthorizationRequest,\n });\n const verificationResult = await options.callbacks.verifyJwt(\n options.dpop.signer,\n {\n compact: options.requestObjectJwt,\n header: decoded.header,\n payload: decoded.payload,\n },\n );\n\n if (!verificationResult.verified)\n throw new ParseAuthorizeRequestError(\n \"Error verifying Request Object signature\",\n );\n\n return decoded.payload;\n } catch (error) {\n if (\n error instanceof ValidationError \|\|\n error instanceof Oauth2JwtParseError\n )\n throw error;\n throw new ParseAuthorizeRequestError(\n `Unexpected error during Request Object parsing: ${error instanceof Error ? error.message : String(error)}`,\n );\n }\n}\n","/\n Generic error thrown during Oid4vp operations\n /\nexport class Oid4vpError extends Error {\n constructor(\n message: string,\n public readonly statusCode?: number,\n ) {\n super(message);\n this.name = \"Oid4vpError\";\n }\n}\n\n/\n Error thrown by {@link parseAuthorizeRequest} when the passed\n * request object has an invalid signature or unexpected errors\n * are thrown\n /\nexport class ParseAuthorizeRequestError extends Oid4vpError {\n constructor(\n message: string,\n public readonly statusCode?: number,\n ) {\n super(message);\n this.name = \"ParseAuthorizeRequestError\";\n }\n}\n","import { zJwtPayload } from \"@openid4vc/oauth2\";\nimport { z } from \"zod\";\n\n/\n Zod parser that describes a JWT payload\n * containing an OID4VP Request Object\n */\nexport const zOpenid4vpAuthorizationRequest = z\n .object({\n client_id: z.string(),\n dcql_query: z.record(z.string(), z.any()).optional(),\n nonce: z.string(),\n request_uri: z.string().url().optional(),\n request_uri_method: z.optional(z.string()),\n response_mode: z.literal(\"direct_post.jwt\"),\n response_type: z.literal(\"vp_token\"),\n response_uri: z.string().url().optional(),\n scope: z.string().optional(),\n state: z.string().optional(),\n wallet_nonce: z.string().optional(),\n })\n .passthrough()\n .and(zJwtPayload);\n\nexport type AuthorizationRequestObject = z.infer<\n typeof zOpenid4vpAuthorizationRequest\n>;\n"],"mappings":";AAAA;AAAA,EAEE;AAAA,EAEA;AAAA,OACK;AACP,SAAS,uBAAuB;;;ACHzB,IAAM,cAAN,cAA0B,MAAM;AAAA,EACrC,YACE,SACgB,YAChB;AACA,UAAM,OAAO;AAFG;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;AAOO,IAAM,6BAAN,cAAyC,YAAY;AAAA,EAC1D,YACE,SACgB,YAChB;AACA,UAAM,OAAO;AAFG;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;;;AC1BA,SAAS,mBAAmB;AAC5B,SAAS,SAAS;AAMX,IAAM,iCAAiC,EAC3C,OAAO;AAAA,EACN,WAAW,EAAE,OAAO;AAAA,EACpB,YAAY,EAAE,OAAO,EAAE,OAAO,GAAG,EAAE,IAAI,CAAC,EAAE,SAAS;AAAA,EACnD,OAAO,EAAE,OAAO;AAAA,EAChB,aAAa,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS;AAAA,EACvC,oBAAoB,EAAE,SAAS,EAAE,OAAO,CAAC;AAAA,EACzC,eAAe,EAAE,QAAQ,iBAAiB;AAAA,EAC1C,eAAe,EAAE,QAAQ,UAAU;AAAA,EACnC,cAAc,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS;AAAA,EACxC,OAAO,EAAE,OAAO,EAAE,SAAS;AAAA,EAC3B,OAAO,EAAE,OAAO,EAAE,SAAS;AAAA,EAC3B,cAAc,EAAE,OAAO,EAAE,SAAS;AACpC,CAAC,EACA,YAAY,EACZ,IAAI,WAAW;;;AFmBlB,eAAsB,sBACpB,SACqC;AACrC,MAAI;AACF,UAAM,UAAU,UAAU;AAAA,MACxB,KAAK,QAAQ;AAAA,MACb,eAAe;AAAA,IACjB,CAAC;AACD,UAAM,qBAAqB,MAAM,QAAQ,UAAU;AAAA,MACjD,QAAQ,KAAK;AAAA,MACb;AAAA,QACE,SAAS,QAAQ;AAAA,QACjB,QAAQ,QAAQ;AAAA,QAChB,SAAS,QAAQ;AAAA,MACnB;AAAA,IACF;AAEA,QAAI,CAAC,mBAAmB;AACtB,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAEF,WAAO,QAAQ;AAAA,EACjB,SAAS,OAAO;AACd,QACE,iBAAiB,mBACjB,iBAAiB;AAEjB,YAAM;AACR,UAAM,IAAI;AAAA,MACR,mDAAmD,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK,CAAC;AAAA,IAC3G;AAAA,EACF;AACF;","names":[]}
1	+ {"version":3,"sources":["../src/authorization-request/parse-authorization-request.ts","../src/errors.ts","../src/authorization-request/z-request-object.ts","../src/authorization-response/create-authorization-response.ts","../src/index.ts"],"sourcesContent":["import {\n CallbackContext,\n Oauth2JwtParseError,\n RequestDpopOptions,\n decodeJwt,\n} from \"@openid4vc/oauth2\";\nimport { ValidationError } from \"@openid4vc/utils\";\n\nimport { ParseAuthorizeRequestError } from \"../errors\";\nimport {\n AuthorizationRequestObject,\n zOpenid4vpAuthorizationRequest,\n} from \"./z-request-object\";\n\nexport interface ParseAuthorizeRequestOptions {\n /*\n Callback context for signature verification.\n /\n callbacks: Pick<CallbackContext, \"verifyJwt\">;\n\n /\n DPoP options\n /\n dpop: RequestDpopOptions;\n\n /\n The Authorization Request Object JWT.\n /\n requestObjectJwt: string;\n}\n\n/\n This method verifies a JWT containing a Request Object and returns its\n * decoded value for further processing\n * @param options {@link ParseAuthorizeRequestOptions}\n * @returns An {@link AuthorizationRequestObject} containing the RP required\n * credentials\n * @throws {@link ValidationError} in case there are errors validating the Request Object structure\n * @throws {@link Oauth2JwtParseError} in case the request object jwt is malformed (e.g missing header, bad encoding)\n * @throws {@link ParseAuthorizeRequestError} in case the JWT signature is invalid or there are unexpected errors\n /\nexport async function parseAuthorizeRequest(\n options: ParseAuthorizeRequestOptions,\n): Promise<AuthorizationRequestObject> {\n try {\n const decoded = decodeJwt({\n jwt: options.requestObjectJwt,\n payloadSchema: zOpenid4vpAuthorizationRequest,\n });\n const verificationResult = await options.callbacks.verifyJwt(\n options.dpop.signer,\n {\n compact: options.requestObjectJwt,\n header: decoded.header,\n payload: decoded.payload,\n },\n );\n\n if (!verificationResult.verified)\n throw new ParseAuthorizeRequestError(\n \"Error verifying Request Object signature\",\n );\n\n return decoded.payload;\n } catch (error) {\n if (\n error instanceof ValidationError \|\|\n error instanceof Oauth2JwtParseError\n )\n throw error;\n throw new ParseAuthorizeRequestError(\n `Unexpected error during Request Object parsing: ${error instanceof Error ? error.message : String(error)}`,\n );\n }\n}\n","/\n Generic error thrown during Oid4vp operations\n /\nexport class Oid4vpError extends Error {\n constructor(\n message: string,\n public readonly statusCode?: number,\n ) {\n super(message);\n this.name = \"Oid4vpError\";\n }\n}\n\n/\n Error thrown by {@link parseAuthorizeRequest} when the passed\n * request object has an invalid signature or unexpected errors\n * are thrown\n /\nexport class ParseAuthorizeRequestError extends Oid4vpError {\n constructor(\n message: string,\n public readonly statusCode?: number,\n ) {\n super(message);\n this.name = \"ParseAuthorizeRequestError\";\n }\n}\n\n/\n Error thrown by {@link createAuthorizationResponse} in case there\n * are unexpected errors.\n /\nexport class CreateAuthorizationResponseError extends Oid4vpError {\n constructor(\n message: string,\n public readonly statusCode?: number,\n ) {\n super(message);\n this.name = \"CreateAuthorizationResponseError\";\n }\n}\n","import { zJwtPayload } from \"@openid4vc/oauth2\";\nimport { z } from \"zod\";\n\n/\n Zod parser that describes a JWT payload\n * containing an OID4VP Request Object\n /\nexport const zOpenid4vpAuthorizationRequest = z\n .object({\n client_id: z.string(),\n dcql_query: z.record(z.string(), z.any()).optional(),\n nonce: z.string(),\n request_uri: z.string().url().optional(),\n request_uri_method: z.optional(z.string()),\n response_mode: z.literal(\"direct_post.jwt\"),\n response_type: z.literal(\"vp_token\"),\n response_uri: z.string().url().optional(),\n scope: z.string().optional(),\n state: z.string(),\n wallet_nonce: z.string().optional(),\n })\n .passthrough()\n .and(zJwtPayload);\n\nexport type AuthorizationRequestObject = z.infer<\n typeof zOpenid4vpAuthorizationRequest\n>;\n","import { CallbackContext, JwtSigner } from \"@openid4vc/oauth2\";\nimport {\n CreateOpenid4vpAuthorizationResponseOptions,\n VpToken,\n createOpenid4vpAuthorizationResponse,\n} from \"@openid4vc/openid4vp\";\nimport { addSecondsToDate, dateToSeconds } from \"@openid4vc/utils\";\nimport { ItWalletCredentialVerifierMetadata } from \"@pagopa/io-wallet-oid-federation\";\n\nimport { AuthorizationRequestObject } from \"../authorization-request\";\nimport { CreateAuthorizationResponseError } from \"../errors\";\n\ntype JarmServerMetadata = NonNullable<\n CreateOpenid4vpAuthorizationResponseOptions[\"jarm\"]\n>[\"serverMetadata\"];\n\nexport interface CreateAuthorizationResponseOptions {\n /\n Callbacks for authorization response generation\n /\n callbacks: Pick<\n CallbackContext,\n \"encryptJwe\" \| \"fetch\" \| \"generateRandom\" \| \"signJwt\"\n >;\n\n /\n Thumbprint of the JWK in the cnf Wallet Attestation\n /\n client_id: string;\n\n /\n Optional expiration of the Authorization Response JWT, defaults to 10 minutes\n /\n exp?: number;\n\n /\n Presentation's Request Object\n /\n requestObject: AuthorizationRequestObject;\n\n /\n OpenID Federation Relying Party metadata\n /\n rpMetadata: ItWalletCredentialVerifierMetadata;\n\n /\n Signer created from the Wallet Instance's private key\n /\n signer: JwtSigner;\n\n /\n Array containing the vp_tokens of the credentials\n * to present\n /\n vp_token: VpToken;\n}\n\n/\n This method receives the RequestObject, its resolved VP Tokens and other necessary cryptographic and configuration data\n * and returns a signed and encrypted Presentation Response\n * @param options {@link CreateAuthorizationResponseOptions}\n * @returns An {@link CreateOpenid4vpAuthorizationResponseResult} representing\n * the encrypted and signed Presentation Response to the corresponding {@link AuthorizationRequestObject}\n * @throws An {@link CreateAuthorizationResponseError} in case of unexpected errors during response generation,\n * encryption, or signing\n /\nexport async function createAuthorizationResponse(\n options: CreateAuthorizationResponseOptions,\n) {\n try {\n const openid_credential_verifier = options.rpMetadata;\n\n const serverMetadata: JarmServerMetadata = {\n authorization_encryption_alg_values_supported: [\n openid_credential_verifier.authorization_encrypted_response_alg,\n ],\n authorization_encryption_enc_values_supported: [\n openid_credential_verifier.authorization_encrypted_response_enc,\n ],\n authorization_signing_alg_values_supported: [\n openid_credential_verifier.authorization_signed_response_alg,\n ],\n };\n\n // NOTE: This method sets the state in the Authorization Response\n // using the corresponding value in the Request Object\n return await createOpenid4vpAuthorizationResponse({\n authorizationRequestPayload: options.requestObject,\n authorizationResponsePayload: {\n vp_token: options.vp_token,\n },\n callbacks: options.callbacks,\n clientMetadata: openid_credential_verifier,\n jarm: {\n audience: options.requestObject.client_id,\n authorizationServer: options.client_id,\n encryption: {\n nonce: new TextDecoder().decode(\n await options.callbacks.generateRandom(32),\n ),\n },\n expiresInSeconds:\n options.exp ?? dateToSeconds(addSecondsToDate(new Date(), 60 10)), // default: 10 minutes\n jwtSigner: options.signer,\n serverMetadata,\n },\n });\n } catch (error) {\n throw new CreateAuthorizationResponseError(\n `Unexpected error during Request Object parsing: ${error instanceof Error ? error.message : String(error)}`,\n );\n }\n}\n","export * from \"./authorization-request\";\nexport * from \"./authorization-response\";\nexport * from \"./errors\";\n\nexport {\n type CreateOpenid4vpAuthorizationResponseOptions,\n type CreateOpenid4vpAuthorizationResponseResult,\n type VpToken,\n createOpenid4vpAuthorizationResponse,\n} from \"@openid4vc/openid4vp\";\n"],"mappings":";AAAA;AAAA,EAEE;AAAA,EAEA;AAAA,OACK;AACP,SAAS,uBAAuB;;;ACHzB,IAAM,cAAN,cAA0B,MAAM;AAAA,EACrC,YACE,SACgB,YAChB;AACA,UAAM,OAAO;AAFG;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;AAOO,IAAM,6BAAN,cAAyC,YAAY;AAAA,EAC1D,YACE,SACgB,YAChB;AACA,UAAM,OAAO;AAFG;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;AAMO,IAAM,mCAAN,cAA+C,YAAY;AAAA,EAChE,YACE,SACgB,YAChB;AACA,UAAM,OAAO;AAFG;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;;;ACxCA,SAAS,mBAAmB;AAC5B,SAAS,SAAS;AAMX,IAAM,iCAAiC,EAC3C,OAAO;AAAA,EACN,WAAW,EAAE,OAAO;AAAA,EACpB,YAAY,EAAE,OAAO,EAAE,OAAO,GAAG,EAAE,IAAI,CAAC,EAAE,SAAS;AAAA,EACnD,OAAO,EAAE,OAAO;AAAA,EAChB,aAAa,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS;AAAA,EACvC,oBAAoB,EAAE,SAAS,EAAE,OAAO,CAAC;AAAA,EACzC,eAAe,EAAE,QAAQ,iBAAiB;AAAA,EAC1C,eAAe,EAAE,QAAQ,UAAU;AAAA,EACnC,cAAc,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS;AAAA,EACxC,OAAO,EAAE,OAAO,EAAE,SAAS;AAAA,EAC3B,OAAO,EAAE,OAAO;AAAA,EAChB,cAAc,EAAE,OAAO,EAAE,SAAS;AACpC,CAAC,EACA,YAAY,EACZ,IAAI,WAAW;;;AFmBlB,eAAsB,sBACpB,SACqC;AACrC,MAAI;AACF,UAAM,UAAU,UAAU;AAAA,MACxB,KAAK,QAAQ;AAAA,MACb,eAAe;AAAA,IACjB,CAAC;AACD,UAAM,qBAAqB,MAAM,QAAQ,UAAU;AAAA,MACjD,QAAQ,KAAK;AAAA,MACb;AAAA,QACE,SAAS,QAAQ;AAAA,QACjB,QAAQ,QAAQ;AAAA,QAChB,SAAS,QAAQ;AAAA,MACnB;AAAA,IACF;AAEA,QAAI,CAAC,mBAAmB;AACtB,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAEF,WAAO,QAAQ;AAAA,EACjB,SAAS,OAAO;AACd,QACE,iBAAiB,mBACjB,iBAAiB;AAEjB,YAAM;AACR,UAAM,IAAI;AAAA,MACR,mDAAmD,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK,CAAC;AAAA,IAC3G;AAAA,EACF;AACF;;;AGzEA;AAAA,EAGE;AAAA,OACK;AACP,SAAS,kBAAkB,qBAAqB;AA4DhD,eAAsB,4BACpB,SACA;AACA,MAAI;AACF,UAAM,6BAA6B,QAAQ;AAE3C,UAAM,iBAAqC;AAAA,MACzC,+CAA+C;AAAA,QAC7C,2BAA2B;AAAA,MAC7B;AAAA,MACA,+CAA+C;AAAA,QAC7C,2BAA2B;AAAA,MAC7B;AAAA,MACA,4CAA4C;AAAA,QAC1C,2BAA2B;AAAA,MAC7B;AAAA,IACF;AAIA,WAAO,MAAM,qCAAqC;AAAA,MAChD,6BAA6B,QAAQ;AAAA,MACrC,8BAA8B;AAAA,QAC5B,UAAU,QAAQ;AAAA,MACpB;AAAA,MACA,WAAW,QAAQ;AAAA,MACnB,gBAAgB;AAAA,MAChB,MAAM;AAAA,QACJ,UAAU,QAAQ,cAAc;AAAA,QAChC,qBAAqB,QAAQ;AAAA,QAC7B,YAAY;AAAA,UACV,OAAO,IAAI,YAAY,EAAE;AAAA,YACvB,MAAM,QAAQ,UAAU,eAAe,EAAE;AAAA,UAC3C;AAAA,QACF;AAAA,QACA,kBACE,QAAQ,OAAO,cAAc,iBAAiB,oBAAI,KAAK,GAAG,KAAK,EAAE,CAAC;AAAA;AAAA,QACpE,WAAW,QAAQ;AAAA,QACnB;AAAA,MACF;AAAA,IACF,CAAC;AAAA,EACH,SAAS,OAAO;AACd,UAAM,IAAI;AAAA,MACR,mDAAmD,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK,CAAC;AAAA,IAC3G;AAAA,EACF;AACF;;;AC5GA;AAAA,EAIE,wCAAAA;AAAA,OACK;","names":["createOpenid4vpAuthorizationResponse"]}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@pagopa/io-wallet-oid4vp",
-  "version": "0.4.2",
+  "version": "0.5.1",
   "files": [
     "dist"
   ],
@@ -29,13 +29,15 @@
     "@openid4vc/oauth2": "0.3.0-alpha-20250714110838",
     "@openid4vc/utils": "0.3.0-alpha-20250714110838",
     "@openid4vc/openid4vp": "0.3.0-alpha-20250714110838",
-    "zod": "^3.24.2"
+    "zod": "^3.24.2",
+    "@pagopa/io-wallet-oid-federation": ""
   },
   "devDependencies": {
-    "jose": "^6.1.0"
+    "jose": "^6.1.0",
+    "js-base64": "^3.7.8"
   },
   "scripts": {
-    "build": "tsup src/index.ts --format cjs,esm --dts --clean --sourcemap",
+    "build": "tsup src/index.ts --format cjs,esm --dts --sourcemap",
     "test": "vitest"
   }
 }