@sphereon/oid4vci-client 0.2.0 → 0.4.1-unstable.247

package/lib/__tests__/OpenID4VCIClientPAR.spec.ts

@@ -0,0 +1,112 @@
+import { AuthzFlowType, CodeChallengeMethod, Oauth2ASWithOID4VCIMetadata } from '@sphereon/oid4vci-common';
+import nock from 'nock';
+
+import { OpenID4VCIClient } from '../OpenID4VCIClient';
+
+const MOCK_URL = 'https://server.example.com/';
+describe('OpenID4VCIClient', () => {
+  let client: OpenID4VCIClient;
+
+  beforeEach(async () => {
+    nock(MOCK_URL).get(/.*/).reply(200, {});
+    nock(`${MOCK_URL}`).post('/v1/auth/par').reply(201, { request_uri: 'test_uri', expires_in: 90 });
+    client = await OpenID4VCIClient.fromURI({
+      uri: 'openid-initiate-issuance://?issuer=https://server.example.com&credential_type=TestCredential',
+      flowType: AuthzFlowType.AUTHORIZATION_CODE_FLOW,
+    });
+  });
+
+  afterEach(() => {
+    nock.cleanAll();
+  });
+
+  it('should successfully retrieve the authorization code using PAR', async () => {
+    (client.endpointMetadata.issuerMetadata! as Oauth2ASWithOID4VCIMetadata).pushed_authorization_request_endpoint = `${MOCK_URL}v1/auth/par`;
+    const actual = await client.acquirePushedAuthorizationRequestURI({
+      clientId: 'test-client',
+      codeChallengeMethod: CodeChallengeMethod.SHA256,
+      codeChallenge: 'mE2kPHmIprOqtkaYmESWj35yz-PB5vzdiSu0tAZ8sqs',
+      scope: 'openid TestCredential',
+      redirectUri: 'http://localhost:8881/cb',
+    });
+    expect(actual.successBody).toEqual({ request_uri: 'test_uri', expires_in: 90 });
+  });
+
+  it('should fail when pushed_authorization_request_endpoint is not present', async () => {
+    await expect(() =>
+      client.acquirePushedAuthorizationRequestURI({
+        clientId: 'test-client',
+        codeChallengeMethod: CodeChallengeMethod.SHA256,
+        codeChallenge: 'mE2kPHmIprOqtkaYmESWj35yz-PB5vzdiSu0tAZ8sqs',
+        scope: 'openid TestCredential',
+        redirectUri: 'http://localhost:8881/cb',
+      })
+    ).rejects.toThrow(Error('Server metadata does not contain pushed authorization request endpoint'));
+  });
+
+  it('should fail when authorization_details and scope are not present', async () => {
+    await expect(() =>
+      client.acquirePushedAuthorizationRequestURI({
+        clientId: 'test-client',
+        codeChallengeMethod: CodeChallengeMethod.SHA256,
+        codeChallenge: 'mE2kPHmIprOqtkaYmESWj35yz-PB5vzdiSu0tAZ8sqs',
+        redirectUri: 'http://localhost:8881/cb',
+      })
+    ).rejects.toThrow(Error('Please provide a scope or authorization_details'));
+  });
+
+  it('should not fail when only authorization_details is present', async () => {
+    (client.endpointMetadata.issuerMetadata! as Oauth2ASWithOID4VCIMetadata).pushed_authorization_request_endpoint = `${MOCK_URL}v1/auth/par`;
+    const actual = await client.acquirePushedAuthorizationRequestURI({
+      clientId: 'test-client',
+      codeChallengeMethod: CodeChallengeMethod.SHA256,
+      codeChallenge: 'mE2kPHmIprOqtkaYmESWj35yz-PB5vzdiSu0tAZ8sqs',
+      authorizationDetails: [
+        {
+          type: 'openid_credential',
+          format: 'ldp_vc',
+          credential_definition: {
+            '@context': ['https://www.w3.org/2018/credentials/v1', 'https://www.w3.org/2018/credentials/examples/v1'],
+            types: ['VerifiableCredential', 'UniversityDegreeCredential'],
+          },
+        },
+      ],
+      redirectUri: 'http://localhost:8881/cb',
+    });
+    expect(actual.successBody).toEqual({ request_uri: 'test_uri', expires_in: 90 });
+  });
+
+  it('should not fail when only scope is present', async () => {
+    (client.endpointMetadata.issuerMetadata! as Oauth2ASWithOID4VCIMetadata).pushed_authorization_request_endpoint = `${MOCK_URL}v1/auth/par`;
+    const actual = await client.acquirePushedAuthorizationRequestURI({
+      clientId: 'test-client',
+      codeChallengeMethod: CodeChallengeMethod.SHA256,
+      codeChallenge: 'mE2kPHmIprOqtkaYmESWj35yz-PB5vzdiSu0tAZ8sqs',
+      scope: 'openid TestCredential',
+      redirectUri: 'http://localhost:8881/cb',
+    });
+    expect(actual.successBody).toEqual({ request_uri: 'test_uri', expires_in: 90 });
+  });
+
+  it('should not fail when both authorization_details and scope are present', async () => {
+    (client.endpointMetadata.issuerMetadata! as Oauth2ASWithOID4VCIMetadata).pushed_authorization_request_endpoint = `${MOCK_URL}v1/auth/par`;
+    const actual = await client.acquirePushedAuthorizationRequestURI({
+      clientId: 'test-client',
+      codeChallengeMethod: CodeChallengeMethod.SHA256,
+      codeChallenge: 'mE2kPHmIprOqtkaYmESWj35yz-PB5vzdiSu0tAZ8sqs',
+      authorizationDetails: [
+        {
+          type: 'openid_credential',
+          format: 'ldp_vc',
+          credential_definition: {
+            '@context': ['https://www.w3.org/2018/credentials/v1', 'https://www.w3.org/2018/credentials/examples/v1'],
+            types: ['VerifiableCredential', 'UniversityDegreeCredential'],
+          },
+        },
+      ],
+      scope: 'openid TestCredential',
+      redirectUri: 'http://localhost:8881/cb',
+    });
+    expect(actual.successBody).toEqual({ request_uri: 'test_uri', expires_in: 90 });
+  });
+});

package/lib/__tests__/ProofOfPossessionBuilder.spec.ts

@@ -0,0 +1,109 @@
+import { KeyObject } from 'crypto';
+
+import { Alg, JWS_NOT_VALID, Jwt, NO_JWT_PROVIDED, PROOF_CANT_BE_CONSTRUCTED, ProofOfPossession, Typ } from '@sphereon/oid4vci-common';
+import * as jose from 'jose';
+
+import { ProofOfPossessionBuilder } from '..';
+
+import { IDENTIPROOF_ISSUER_URL } from './MetadataMocks';
+
+const jwt: Jwt = {
+  header: { alg: Alg.ES256, kid: 'did:example:ebfeb1f712ebc6f1c276e12ec21/keys/1', typ: Typ.JWT },
+  payload: { iss: 'sphereon:wallet', nonce: 'tZignsnFbp', jti: 'tZignsnFbp223', aud: IDENTIPROOF_ISSUER_URL, iat: Date.now() },
+};
+
+const kid = 'did:example:ebfeb1f712ebc6f1c276e12ec21/keys/1';
+
+let keypair: KeyPair;
+
+async function proofOfPossessionCallbackFunction(args: Jwt, kid?: string): Promise<string> {
+  if (!args.payload.aud) {
+    throw Error('aud required');
+  } else if (!kid) {
+    throw Error('kid required');
+  }
+  return await new jose.SignJWT({ ...args.payload })
+    .setProtectedHeader({ alg: 'ES256' })
+    .setIssuedAt(args.payload.iat)
+    .setIssuer(kid)
+    .setAudience(args.payload.aud)
+    .setExpirationTime('2h')
+    .sign(keypair.privateKey);
+}
+
+interface KeyPair {
+  publicKey: KeyObject;
+  privateKey: KeyObject;
+}
+
+beforeAll(async () => {
+  const { privateKey, publicKey } = await jose.generateKeyPair('ES256');
+  keypair = { publicKey: publicKey as KeyObject, privateKey: privateKey as KeyObject };
+});
+
+describe('ProofOfPossession Builder ', () => {
+  it('should fail without supplied proof or callbacks', async function () {
+    await expect(
+      ProofOfPossessionBuilder.fromProof(undefined as never)
+        .withIssuer(IDENTIPROOF_ISSUER_URL)
+        .withClientId('sphereon:wallet')
+        .withKid(kid)
+        .build()
+    ).rejects.toThrow(Error(PROOF_CANT_BE_CONSTRUCTED));
+  });
+
+  it('should fail wit undefined jwt supplied', async function () {
+    await expect(() =>
+      ProofOfPossessionBuilder.fromJwt({ jwt, callbacks: { signCallback: proofOfPossessionCallbackFunction } })
+        .withJwt(undefined as never)
+        .withIssuer(IDENTIPROOF_ISSUER_URL)
+        .withClientId('sphereon:wallet')
+        .withKid(kid)
+        .build()
+    ).toThrow(Error(NO_JWT_PROVIDED));
+  });
+
+  it('should build a proof with all required params present', async function () {
+    const proof: ProofOfPossession = await ProofOfPossessionBuilder.fromJwt({
+      jwt,
+      callbacks: {
+        signCallback: proofOfPossessionCallbackFunction,
+      },
+    })
+      .withIssuer(IDENTIPROOF_ISSUER_URL)
+      .withKid(kid)
+      .withClientId('sphereon:wallet')
+      .build();
+    expect(proof).toBeDefined();
+  });
+
+  it('should fail creating a proof of possession with simple verification', async () => {
+    // eslint-disable-next-line @typescript-eslint/no-unused-vars
+    async function proofOfPossessionCallbackFunction(_args: Jwt, _kid?: string): Promise<string> {
+      throw new Error(JWS_NOT_VALID);
+    }
+
+    await expect(
+      ProofOfPossessionBuilder.fromJwt({ jwt, callbacks: { signCallback: proofOfPossessionCallbackFunction } })
+        .withIssuer(IDENTIPROOF_ISSUER_URL)
+        .withClientId('sphereon:wallet')
+        .withKid(kid)
+        .build()
+    ).rejects.toThrow(Error(JWS_NOT_VALID));
+  });
+
+  it('should fail creating a proof of possession without verify callback', async () => {
+    // eslint-disable-next-line @typescript-eslint/no-unused-vars
+    async function proofOfPossessionCallbackFunction(_args: Jwt, _kid?: string): Promise<string> {
+      throw new Error(JWS_NOT_VALID);
+    }
+
+    await expect(
+      ProofOfPossessionBuilder.fromJwt({ jwt, callbacks: { signCallback: proofOfPossessionCallbackFunction } })
+        .withIssuer(IDENTIPROOF_ISSUER_URL)
+        .withClientId('sphereon:wallet')
+        .withKid(kid)
+        .build()
+    ).rejects.toThrow(Error(JWS_NOT_VALID));
+  });
+});