@sphereon/oid4vci-client 0.2.0 → 0.4.1-unstable.247

package/lib/functions/Encoding.ts

@@ -0,0 +1,138 @@
+import { BAD_PARAMS, DecodeURIAsJsonOpts, EncodeJsonAsURIOpts, SearchValue } from '@sphereon/oid4vci-common';
+
+/**
+ * @function encodeJsonAsURI encodes a Json object into a URI
+ * @param json object
+ * @param opts:
+ *          - urlTypeProperties: a list of properties of which the value is a URL
+ *          - arrayTypeProperties: a list of properties which are an array
+ */
+/* eslint-disable @typescript-eslint/no-explicit-any */
+export function convertJsonToURI(json: { [s: string]: any } | ArrayLike<any> | string, opts?: EncodeJsonAsURIOpts): string {
+  if (typeof json === 'string') {
+    return convertJsonToURI(JSON.parse(json), opts);
+  }
+  const results = [];
+
+  function encodeAndStripWhitespace(key: string): string {
+    return encodeURIComponent(key.replace(' ', ''));
+  }
+
+  for (const [key, value] of Object.entries(json)) {
+    if (!value) {
+      continue;
+    }
+    //Skip properties that are not of URL type
+    if (!opts?.uriTypeProperties?.includes(key)) {
+      results.push(`${key}=${value}`);
+      continue;
+    }
+    if (opts?.arrayTypeProperties?.includes(key) && Array.isArray(value)) {
+      results.push(value.map((v) => `${encodeAndStripWhitespace(key)}=${customEncodeURIComponent(v, /\./g)}`).join('&'));
+      continue;
+    }
+    const isBool = typeof value == 'boolean';
+    const isNumber = typeof value == 'number';
+    const isString = typeof value == 'string';
+    let encoded;
+    if (isBool || isNumber) {
+      encoded = `${encodeAndStripWhitespace(key)}=${value}`;
+    } else if (isString) {
+      encoded = `${encodeAndStripWhitespace(key)}=${customEncodeURIComponent(value, /\./g)}`;
+    } else {
+      encoded = `${encodeAndStripWhitespace(key)}=${customEncodeURIComponent(JSON.stringify(value), /\./g)}`;
+    }
+    results.push(encoded);
+  }
+  const components = results.join('&');
+  if (opts?.baseUrl) {
+    return `${opts.baseUrl}?${components}`;
+  }
+  return components;
+}
+
+/**
+ * @function decodeUriAsJson decodes a URI into a Json object
+ * @param uri string
+ * @param opts:
+ *          - requiredProperties: the required properties
+ *          - arrayTypeProperties: properties that can show up more that once
+ */
+export function convertURIToJsonObject(uri: string, opts?: DecodeURIAsJsonOpts): unknown {
+  if (!uri || !opts?.requiredProperties?.every((p) => uri.includes(p))) {
+    throw new Error(BAD_PARAMS);
+  }
+  const uriComponents = getURIComponentsAsArray(uri, opts?.arrayTypeProperties);
+  return decodeJsonProperties(uriComponents);
+}
+
+function decodeJsonProperties(parts: string[] | string[][]): unknown {
+  const json: { [s: string]: any } | ArrayLike<any> = {};
+  for (const key in parts) {
+    const value = parts[key];
+    if (!value) {
+      continue;
+    }
+    if (Array.isArray(value)) {
+      if (value.length > 1) {
+        json[decodeURIComponent(key)] = value.map((v) => decodeURIComponent(v));
+      } else {
+        json[decodeURIComponent(key)] = decodeURIComponent(value[0]);
+      }
+    }
+    const isBool = typeof value == 'boolean';
+    const isNumber = typeof value == 'number';
+    const isString = typeof value == 'string';
+    if (isBool || isNumber) {
+      json[decodeURIComponent(key)] = value;
+    } else if (isString) {
+      const decoded = decodeURIComponent(value);
+      if (decoded.startsWith('{') && decoded.endsWith('}')) {
+        json[decodeURIComponent(key)] = JSON.parse(decoded);
+      } else {
+        json[decodeURIComponent(key)] = decoded;
+      }
+    }
+  }
+  return json;
+}
+
+/**
+ * @function get URI Components as Array
+ * @param uri string
+ * @param arrayTypes array of string containing array like keys
+ */
+function getURIComponentsAsArray(uri: string, arrayTypes?: string[]): string[] | string[][] {
+  const parts = uri.includes('?') ? uri.split('?')[1] : uri.includes('://') ? uri.split('://')[1] : uri;
+  const json: string[] | string[][] = [];
+  const dict: string[] = parts.split('&');
+  for (const entry of dict) {
+    const pair: string[] = entry.split('=');
+    const p0: any = pair[0];
+    const p1: any = pair[1];
+    if (arrayTypes?.includes(p0)) {
+      const key = json[p0];
+      if (Array.isArray(key)) {
+        key.push(p1);
+      } else {
+        json[p0] = [p1];
+      }
+      continue;
+    }
+    json[p0] = p1;
+  }
+  return json;
+}
+
+/* eslint-enable @typescript-eslint/no-explicit-any */
+
+/**
+ * @function customEncodeURIComponent is used to encode chars that are not encoded by default
+ * @param searchValue The pattern/regexp to find the char(s) to be encoded
+ * @param uriComponent query string
+ */
+function customEncodeURIComponent(uriComponent: string, searchValue: SearchValue): string {
+  // -_.!~*'() are not escaped because they are considered safe.
+  // Add them to the regex as you need
+  return encodeURIComponent(uriComponent).replace(searchValue, (c) => `%${c.charCodeAt(0).toString(16).toUpperCase()}`);
+}

package/lib/functions/HttpUtils.ts

@@ -0,0 +1,106 @@
+import { Encoding, OpenIDResponse } from '@sphereon/oid4vci-common';
+import { fetch } from 'cross-fetch';
+import Debug from 'debug';
+
+const debug = Debug('sphereon:openid4vci:http');
+
+export const getJson = async <T>(
+  URL: string,
+  opts?: { bearerToken?: string; contentType?: string; accept?: string; customHeaders?: Record<string, string>; exceptionOnHttpErrorStatus?: boolean }
+): Promise<OpenIDResponse<T>> => {
+  return await openIdFetch(URL, undefined, { method: 'GET', ...opts });
+};
+
+export const formPost = async <T>(
+  url: string,
+  body: BodyInit,
+  opts?: { bearerToken?: string; contentType?: string; accept?: string; customHeaders?: Record<string, string>; exceptionOnHttpErrorStatus?: boolean }
+): Promise<OpenIDResponse<T>> => {
+  return await post(url, body, opts?.contentType ? { ...opts } : { contentType: Encoding.FORM_URL_ENCODED, ...opts });
+};
+
+export const post = async <T>(
+  url: string,
+  body?: BodyInit,
+  opts?: { bearerToken?: string; contentType?: string; accept?: string; customHeaders?: Record<string, string>; exceptionOnHttpErrorStatus?: boolean }
+): Promise<OpenIDResponse<T>> => {
+  return await openIdFetch(url, body, { method: 'POST', ...opts });
+};
+
+const openIdFetch = async <T>(
+  url: string,
+  body?: BodyInit,
+  opts?: {
+    method?: string;
+    bearerToken?: string;
+    contentType?: string;
+    accept?: string;
+    customHeaders?: Record<string, string>;
+    exceptionOnHttpErrorStatus?: boolean;
+  }
+): Promise<OpenIDResponse<T>> => {
+  const headers: Record<string, string> = opts?.customHeaders ?? {};
+  if (opts?.bearerToken) {
+    headers['Authorization'] = `Bearer ${opts.bearerToken}`;
+  }
+  const method = opts?.method ? opts.method : body ? 'POST' : 'GET';
+  const accept = opts?.accept ? opts.accept : 'application/json';
+  headers['Accept'] = accept;
+  if (headers['Content-Type']) {
+    if (opts?.contentType && opts.contentType !== headers['Content-Type']) {
+      throw Error(
+        `Mismatch in content-types from custom headers (${headers['Content-Type']}) and supplied content type option (${opts.contentType})`
+      );
+    }
+  } else {
+    if (opts?.contentType) {
+      headers['Content-Type'] = opts.contentType;
+    } else if (method !== 'GET') {
+      headers['Content-Type'] = 'application/json';
+    }
+  }
+
+  const payload: RequestInit = {
+    method,
+    headers,
+    body,
+  };
+
+  debug(`START fetching url: ${url}`);
+  if (body) {
+    debug(`Body:\r\n${JSON.stringify(body)}`);
+  }
+  debug(`Headers:\r\n${JSON.stringify(payload.headers)}`);
+  const origResponse = await fetch(url, payload);
+  const isJSONResponse = accept === 'application/json' || origResponse.headers.get('Content-Type') === 'application/json';
+  const success = origResponse && origResponse.status >= 200 && origResponse.status < 400;
+  const responseText = await origResponse.text();
+  const responseBody = isJSONResponse ? JSON.parse(responseText) : responseText;
+
+  debug(`${success ? 'success' : 'error'} status: ${origResponse.status}, body:\r\n${JSON.stringify(responseBody)}`);
+  if (!success && opts?.exceptionOnHttpErrorStatus) {
+    const error = JSON.stringify(responseBody);
+    throw new Error(error === '{}' ? '{"error": "not found"}' : error);
+  }
+  debug(`END fetching url: ${url}`);
+
+  return {
+    origResponse,
+    successBody: success ? responseBody : undefined,
+    errorBody: !success ? responseBody : undefined,
+  };
+};
+
+export const isValidURL = (url: string): boolean => {
+  const urlPattern = new RegExp(
+    '^(https?:\\/\\/)' + // validate protocol
+      '((([a-z\\d]([a-z\\d-]*[a-z\\d])*)\\.)+[a-z]{2,}|' + // validate domain name
+      '((localhost))|' + // validate OR localhost
+      '((\\d{1,3}\\.){3}\\d{1,3}))' + // validate OR ip (v4) address
+      '(\\:\\d+)?(\\/[-a-z\\d%_.~+:]*)*' + // validate port and path
+      '(\\?[;&a-z\\d%_.~+=-]*)?' + // validate query string
+      '(\\#[-a-z\\d_]*)?$', // validate fragment locator
+    'i'
+  );
+  return !!urlPattern.test(url);
+};

package/lib/functions/ProofUtil.ts

@@ -0,0 +1,128 @@
+import {
+  BAD_PARAMS,
+  JWS_NOT_VALID,
+  Jwt,
+  JWTHeader,
+  JWTPayload,
+  ProofOfPossession,
+  ProofOfPossessionCallbacks,
+  ProofType,
+  Typ,
+} from '@sphereon/oid4vci-common';
+import Debug from 'debug';
+
+const debug = Debug('sphereon:openid4vci:token');
+
+/**
+ *
+ *  - proofOfPossessionCallback: JWTSignerCallback
+ *    Mandatory if you want to create (sign) ProofOfPossession
+ *  - proofOfPossessionVerifierCallback?: JWTVerifyCallback
+ *    If exists, verifies the ProofOfPossession
+ *  - proofOfPossessionCallbackArgs: ProofOfPossessionCallbackArgs
+ *    arguments needed for signing ProofOfPossession
+ * @param callbacks:
+ *    - proofOfPossessionCallback: JWTSignerCallback
+ *      Mandatory to create (sign) ProofOfPossession
+ *    - proofOfPossessionVerifierCallback?: JWTVerifyCallback
+ *      If exists, verifies the ProofOfPossession
+ * @param jwtProps
+ * @param existingJwt
+ *  - Optional, clientId of the party requesting the credential
+ */
+export const createProofOfPossession = async (
+  callbacks: ProofOfPossessionCallbacks,
+  jwtProps?: JwtProps,
+  existingJwt?: Jwt
+): Promise<ProofOfPossession> => {
+  if (!callbacks.signCallback) {
+    debug(`no jwt signer callback or arguments supplied!`);
+    throw new Error(BAD_PARAMS);
+  }
+  const signerArgs = createJWT(jwtProps, existingJwt);
+  const jwt = await callbacks.signCallback(signerArgs, signerArgs.header.kid);
+  const proof = {
+    proof_type: ProofType.JWT,
+    jwt,
+  };
+
+  try {
+    partiallyValidateJWS(jwt);
+    if (callbacks.verifyCallback) {
+      debug(`Calling supplied verify callback....`);
+      await callbacks.verifyCallback({ jwt, kid: signerArgs.header.kid });
+      debug(`Supplied verify callback return success result`);
+    }
+  } catch {
+    debug(`JWS was not valid`);
+    throw new Error(JWS_NOT_VALID);
+  }
+  debug(`Proof of Possession JWT:\r\n${jwt}`);
+  return proof;
+};
+
+const partiallyValidateJWS = (jws: string): void => {
+  if (jws.split('.').length !== 3 || !jws.startsWith('ey')) {
+    throw new Error(JWS_NOT_VALID);
+  }
+};
+
+export interface JwtProps {
+  typ?: string;
+  kid?: string;
+  issuer?: string;
+  clientId?: string;
+  alg?: string;
+  jti?: string;
+  nonce?: string;
+}
+
+const createJWT = (jwtProps?: JwtProps, existingJwt?: Jwt): Jwt => {
+  const aud = getJwtProperty('aud', true, jwtProps?.issuer, existingJwt?.payload?.aud);
+  const iss = getJwtProperty('iss', false, jwtProps?.clientId, existingJwt?.payload?.iss);
+  const jti = getJwtProperty('jti', false, jwtProps?.jti, existingJwt?.payload?.jti);
+  const nonce = getJwtProperty('nonce', false, jwtProps?.nonce, existingJwt?.payload?.nonce); // Officially this is required, but some implementations don't have it
+  // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
+  const alg = getJwtProperty('alg', false, jwtProps?.alg, existingJwt?.header?.alg, 'ES256')!;
+  const kid = getJwtProperty('kid', true, jwtProps?.kid, existingJwt?.header?.kid);
+  const jwt: Partial<Jwt> = existingJwt ? existingJwt : {};
+  const now = +new Date();
+  const jwtPayload: Partial<JWTPayload> = {
+    aud,
+    iat: jwt.payload?.iat ? jwt.payload.iat : now / 1000 - 60, // Let's ensure we subtract 60 seconds for potential time offsets
+    exp: jwt.payload?.exp ? jwt.payload.exp : now / 1000 + 10 * 60,
+    nonce,
+    ...(iss ? { iss } : {}),
+    ...(jti ? { jti } : {}),
+  };
+
+  const jwtHeader: JWTHeader = {
+    typ: Typ.JWT,
+    alg,
+    kid,
+  };
+  return {
+    payload: { ...jwt.payload, ...jwtPayload },
+    header: { ...jwt.header, ...jwtHeader },
+  };
+};
+
+const getJwtProperty = (
+  propertyName: string,
+  required: boolean,
+  option?: string,
+  jwtProperty?: string,
+  defaultValue?: string
+): string | undefined => {
+  if (option && jwtProperty && option !== jwtProperty) {
+    throw Error(`Cannot have a property '${propertyName}' with value '${option}' and different JWT value '${jwtProperty}' at the same time`);
+  }
+  let result = jwtProperty ? jwtProperty : option;
+  if (!result) {
+    if (required) {
+      throw Error(`No ${propertyName} property provided either in a JWT or as option`);
+    }
+    result = defaultValue;
+  }
+  return result;
+};

package/{dist/main/lib/functions/index.d.ts → lib/functions/index.ts}

@@ -1,3 +1,3 @@
-export * from './Encoding';
-export * from './HttpUtils';
-export * from './ProofUtil';
+export * from './Encoding';
+export * from './HttpUtils';
+export * from './ProofUtil';

package/lib/index.ts

@@ -0,0 +1,8 @@
+export * from './AccessTokenClient';
+export * from './CredentialOffer';
+export * from './CredentialRequestClient';
+export * from './CredentialRequestClientBuilderV1_0_09';
+export * from './functions';
+export * from './MetadataClient';
+export * from './OpenID4VCIClient';
+export * from './ProofOfPossessionBuilder';

package/package.json

@@ -1,71 +1,68 @@
-{
-  "name": "@sphereon/oid4vci-client",
-  "version": "0.2.0",
-  "description": "OpenID for Verifiable Credential Issuance (OID4VCI) client",
-  "main": "dist/main/index.js",
-  "types": "dist/main/index.d.ts",
-  "author": "Sphereon",
-  "license": "Apache-2.0",
-  "private": false,
-  "scripts": {
-    "build": "run-p build:*",
-    "build:main": "tsc -p tsconfig.build.json",
-    "clean": "rimraf dist coverage",
-    "watch": "tsc -w",
-    "fix": "run-s fix:*",
-    "fix:prettier": "prettier \"{lib,tests}/**/*.ts\" --write",
-    "fix:lint": "eslint . --ext .ts --fix",
-    "test": "run-s build test:*",
-    "test:lint": "eslint . --ext .ts",
-    "test:prettier": "prettier \"{lib,tests}/**/*.ts\" --list-different",
-    "test:cov": "jest --ci --coverage && codecov",
-    "uninstall": "rimraf dist coverage yarn.lock package-lock.json node_modules"
-  },
-  "engines": {
-    "node": ">=14"
-  },
-  "dependencies": {
-    "@sphereon/ssi-types": "0.8.1-unstable.74",
-    "debug": "^4.3.4",
-    "bs58": "^5.0.0",
-    "cross-fetch": "^3.1.5",
-    "uint8arrays": "^3.1.1"
-  },
-  "devDependencies": {
-    "@types/jest": "^28.1.8",
-    "@typescript-eslint/eslint-plugin": "^5.36.1",
-    "@typescript-eslint/parser": "^5.36.1",
-    "codecov": "^3.8.3",
-    "dotenv": "^16.0.2",
-    "eslint": "^8.23.0",
-    "eslint-config-prettier": "^8.5.0",
-    "eslint-plugin-eslint-comments": "^3.2.0",
-    "eslint-plugin-import": "^2.26.0",
-    "jest": "^29.1.2",
-    "jest-junit": "^14.0.1",
-    "jose": "^4.10.0",
-    "nock": "^13.2.9",
-    "npm-run-all": "^4.1.5",
-    "open-cli": "^7.0.1",
-    "rimraf": "^3.0.2",
-    "prettier": "^2.7.1",
-    "ts-jest": "^29.0.3",
-    "ts-node": "^10.9.1",
-    "typescript": "4.6.4"
-  },
-  "files": [
-    "dist/main"
-  ],
-  "prettier": {
-    "singleQuote": true,
-    "printWidth": 150
-  },
-  "keywords": [
-    "Sphereon",
-    "Verifiable Credentials",
-    "OpenID",
-    "OpenID for Verifiable Credential Issuance",
-    "OIDC4VCI",
-    "OID4VCI"
-  ]
-}
+{
+  "name": "@sphereon/oid4vci-client",
+  "version": "0.4.1-unstable.247+0bbe17c",
+  "description": "OpenID for Verifiable Credential Issuance (OpenID4VCI) client",
+  "source": "lib/index.ts",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "author": "Sphereon",
+  "license": "Apache-2.0",
+  "private": false,
+  "publishConfig": {
+    "access": "public"
+  },
+  "scripts": {
+    "build": "tsc"
+  },
+  "dependencies": {
+    "@sphereon/oid4vci-common": "0.4.1-unstable.247+0bbe17c",
+    "@sphereon/ssi-types": "^0.9.0",
+    "cross-fetch": "^3.1.5",
+    "debug": "^4.3.4",
+    "uint8arrays": "^3.1.1"
+  },
+  "devDependencies": {
+    "@types/jest": "^29.5.0",
+    "@types/node": "^18.15.3",
+    "@typescript-eslint/eslint-plugin": "^5.36.1",
+    "@typescript-eslint/parser": "^5.36.1",
+    "codecov": "^3.8.3",
+    "dotenv": "^16.0.2",
+    "eslint": "^8.23.0",
+    "eslint-config-prettier": "^8.5.0",
+    "eslint-plugin-eslint-comments": "^3.2.0",
+    "eslint-plugin-import": "^2.26.0",
+    "jest": "^29.1.2",
+    "jest-junit": "^14.0.1",
+    "jose": "^4.10.0",
+    "nock": "^13.2.9",
+    "npm-run-all": "^4.1.5",
+    "open-cli": "^7.0.1",
+    "ts-jest": "^29.0.5",
+    "ts-node": "^10.9.1",
+    "typescript": "4.9.5"
+  },
+  "engines": {
+    "node": ">=16"
+  },
+  "files": [
+    "lib/**/*",
+    "dist/**/*"
+  ],
+  "prettier": {
+    "singleQuote": true,
+    "printWidth": 150
+  },
+  "keywords": [
+    "Sphereon",
+    "Verifiable Credentials",
+    "OpenID",
+    "OpenID for Verifiable Credential Issuance",
+    "OAuth2",
+    "SSI",
+    "OpenID4VCI",
+    "OIDC4VCI",
+    "OID4VCI"
+  ],
+  "gitHead": "0bbe17c13de4df95e2fd79b3470a746cc7a5374a"
+}

package/CHANGELOG.md

@@ -1,21 +0,0 @@
-# Release Notes
-
-## v0.2.0 - 2022-11-04
-
-Release with support for the pre-authorized code flow only.
-
-Expect breaking changes in the future, as this package still is undergoing heavy development.
-
-- Added:
-  - Support for well-known OID4VCI, oAuth2 and OpenID metadata
-  
-- Fixes:
-  - Several fixes related to pincode handling
-  - Overall fixes
-
-
-## v0.1.0 - 2022-10-18
-
-Initial release with support for the pre-authorized code flow only.
-
-Expect breaking changes in the future, as this package still is undergoing heavy development.

package/dist/main/index.d.ts

@@ -1 +0,0 @@
-export * from './lib';

package/dist/main/index.js

@@ -1,18 +0,0 @@
-"use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __exportStar = (this && this.__exportStar) || function(m, exports) {
-    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-__exportStar(require("./lib"), exports);
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi9pbmRleC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7Ozs7Ozs7Ozs7Ozs7O0FBQUEsd0NBQXFCIn0=

package/dist/main/lib/AccessTokenClient.d.ts

@@ -1,20 +0,0 @@
-import { AccessTokenRequest, AccessTokenRequestOpts, AccessTokenResponse, AuthorizationServerOpts, EndpointMetadata, ErrorResponse, IssuanceInitiationRequestPayload, IssuanceInitiationWithBaseUrl, IssuerOpts } from './types';
-export declare class AccessTokenClient {
-    acquireAccessTokenUsingIssuanceInitiation(issuanceInitiation: IssuanceInitiationWithBaseUrl, opts?: AccessTokenRequestOpts): Promise<AccessTokenResponse | ErrorResponse>;
-    acquireAccessTokenUsingRequest(accessTokenRequest: AccessTokenRequest, opts?: {
-        isPinRequired?: boolean;
-        metadata?: EndpointMetadata;
-        asOpts?: AuthorizationServerOpts;
-        issuerOpts?: IssuerOpts;
-    }): Promise<AccessTokenResponse | ErrorResponse>;
-    createAccessTokenRequest(issuanceInitiationRequest: IssuanceInitiationRequestPayload, opts?: AccessTokenRequestOpts): Promise<AccessTokenRequest>;
-    private assertPreAuthorizedGrantType;
-    private isPinRequiredValue;
-    private assertNumericPin;
-    private assertNonEmptyPreAuthorizedCode;
-    private validate;
-    private sendAuthCode;
-    private determineTokenURL;
-    private creatTokenURLFromURL;
-    private throwNotSupportedFlow;
-}