@sphereon/ssi-sdk.siopv2-oid4vp-rp-rest-api 0.34.1-fix.80 → 0.34.1-next.278

package/dist/index.js

@@ -4,13 +4,14 @@ var __name = (target, value) => __defProp(target, "name", { value, configurable:
 // src/siop-api-functions.ts
 import { checkAuth, sendErrorResponse } from "@sphereon/ssi-express-support";
 import { CredentialMapper } from "@sphereon/ssi-types";
+import { validate as isValidUUID } from "uuid";
 var parseAuthorizationResponse = /* @__PURE__ */ __name((request) => {
   const contentType = request.header("content-type");
-  if (contentType === "application/json") {
+  if (contentType?.startsWith("application/json")) {
     const payload = typeof request.body === "string" ? JSON.parse(request.body) : request.body;
     return payload;
   }
-  if (contentType === "application/x-www-form-urlencoded") {
+  if (contentType?.startsWith("application/x-www-form-urlencoded")) {
     const payload = request.body;
     if (typeof payload.presentation_submission === "string") {
       console.log(`Supplied presentation_submission was a string instead of JSON. Correcting, but external party should fix their implementation!`);
@@ -26,45 +27,67 @@ var parseAuthorizationResponse = /* @__PURE__ */ __name((request) => {
   }
   throw new Error(`Unsupported content type: ${contentType}. Currently only application/x-www-form-urlencoded and application/json (for direct_post) are supported`);
 }, "parseAuthorizationResponse");
+var validatePresentationSubmission = /* @__PURE__ */ __name((query, submission) => {
+  return query.credentials.every((credential) => credential.id in submission);
+}, "validatePresentationSubmission");
 function verifyAuthResponseSIOPv2Endpoint(router, context, opts) {
   if (opts?.enabled === false) {
     console.log(`verifyAuthResponse SIOP endpoint is disabled`);
     return;
   }
-  const path = opts?.path ?? "/siop/definitions/:definitionId/auth-responses/:correlationId";
+  const path = opts?.path ?? "/siop/queries/:queryId/auth-responses/:correlationId";
   router.post(path, checkAuth(opts?.endpoint), async (request, response) => {
     try {
-      const { correlationId, definitionId, tenantId, version } = request.params;
-      if (!correlationId || !definitionId) {
-        console.log(`No authorization request could be found for the given url. correlationId: ${correlationId}, definitionId: ${definitionId}`);
+      const { correlationId, queryId, tenantId, version } = request.params;
+      if (!correlationId) {
+        console.log(`No authorization request could be found for the given url. correlationId: ${correlationId}`);
         return sendErrorResponse(response, 404, "No authorization request could be found");
       }
-      console.log("Authorization Response (siop-sessions");
-      console.log(JSON.stringify(request.body, null, 2));
+      console.debug("Authorization Response (siop-sessions");
+      console.debug(JSON.stringify(request.body, null, 2));
       const definitionItems = await context.agent.pdmGetDefinitions({
-        filter: [
-          {
-            definitionId,
-            tenantId,
-            version
-          }
-        ]
+        filter: buildQueryIdFilter(queryId, tenantId, version)
       });
       if (definitionItems.length === 0) {
-        console.log(`Could not get definition ${definitionId} from agent. Will return 404`);
+        console.log(`Could not get dcql query with id ${queryId} from agent. Will return 404`);
         response.statusCode = 404;
-        response.statusMessage = `No definition ${definitionId}`;
+        response.statusMessage = `No definition ${queryId}`;
         return response.send();
       }
       const authorizationResponse = parseAuthorizationResponse(request);
       console.log(`URI: ${JSON.stringify(authorizationResponse)}`);
       const definitionItem = definitionItems[0];
-      await context.agent.siopVerifyAuthResponse({
+      const verifiedResponse = await context.agent.siopVerifyAuthResponse({
         authorizationResponse,
         correlationId,
-        definitionId,
-        dcqlQuery: definitionItem.dcqlPayload
+        dcqlQuery: definitionItem.query
       });
+      const presentation = verifiedResponse?.oid4vpSubmission?.presentation;
+      if (presentation && validatePresentationSubmission(definitionItem.query, presentation)) {
+        console.log("PRESENTATIONS:" + JSON.stringify(presentation, null, 2));
+        response.statusCode = 200;
+        const authorizationChallengeValidationResponse = {
+          presentation_during_issuance_session: verifiedResponse.correlationId
+        };
+        if (authorizationResponse.is_first_party) {
+          response.setHeader("Content-Type", "application/json");
+          return response.send(JSON.stringify(authorizationChallengeValidationResponse));
+        }
+        const responseRedirectURI = await context.agent.siopGetRedirectURI({
+          correlationId,
+          state: verifiedResponse.state
+        });
+        if (responseRedirectURI) {
+          response.setHeader("Content-Type", "application/json");
+          return response.send(JSON.stringify({
+            redirect_uri: responseRedirectURI
+          }));
+        }
+      } else {
+        console.log("Missing Presentation (Verifiable Credentials)");
+        response.statusCode = 500;
+        response.statusMessage = "Missing Presentation (Verifiable Credentials)";
+      }
       return response.send();
     } catch (error) {
       console.error(error);
@@ -78,24 +101,34 @@ function getAuthRequestSIOPv2Endpoint(router, context, opts) {
     console.log(`getAuthRequest SIOP endpoint is disabled`);
     return;
   }
-  const path = opts?.path ?? "/siop/definitions/:definitionId/auth-requests/:correlationId";
+  const path = opts?.path ?? "/siop/queries/:queryId/auth-requests/:correlationId";
   router.get(path, checkAuth(opts?.endpoint), async (request, response) => {
     try {
       const correlationId = request.params.correlationId;
-      const definitionId = request.params.definitionId;
-      if (!correlationId || !definitionId) {
-        console.log(`No authorization request could be found for the given url. correlationId: ${correlationId}, definitionId: ${definitionId}`);
+      const queryId = request.params.queryId;
+      if (!correlationId || !queryId) {
+        console.log(`No authorization request could be found for the given url. correlationId: ${correlationId}, queryId: ${queryId}`);
         return sendErrorResponse(response, 404, "No authorization request could be found");
       }
       const requestState = await context.agent.siopGetAuthRequestState({
         correlationId,
-        definitionId,
         errorOnNotFound: false
       });
       if (!requestState) {
-        console.log(`No authorization request could be found for the given url in the state manager. correlationId: ${correlationId}, definitionId: ${definitionId}`);
+        console.log(`No authorization request could be found for the given url in the state manager. correlationId: ${correlationId}, definitionId: ${queryId}`);
         return sendErrorResponse(response, 404, `No authorization request could be found`);
       }
+      const definitionItems = await context.agent.pdmGetDefinitions({
+        filter: buildQueryIdFilter(queryId)
+      });
+      if (definitionItems.length === 0) {
+        console.log(`Could not get dcql query with id ${queryId} from agent. Will return 404`);
+        response.statusCode = 404;
+        response.statusMessage = `No definition ${queryId}`;
+        return response.send();
+      }
+      const payload = requestState.request?.requestObject?.getPayload();
+      payload.dcql_query = definitionItems[0].query;
       const requestObject = await requestState.request?.requestObject?.toJwt();
       console.log("JWT Request object:");
       console.log(requestObject);
@@ -110,8 +143,7 @@ function getAuthRequestSIOPv2Endpoint(router, context, opts) {
       } finally {
         await context.agent.siopUpdateAuthRequestState({
           correlationId,
-          definitionId,
-          state: "sent",
+          state: "authorization_request_created",
           error
         });
       }
@@ -121,185 +153,244 @@ function getAuthRequestSIOPv2Endpoint(router, context, opts) {
   });
 }
 __name(getAuthRequestSIOPv2Endpoint, "getAuthRequestSIOPv2Endpoint");
+function buildQueryIdFilter(queryId, tenantId, version) {
+  const queryFilter = {
+    queryId,
+    ...tenantId ? {
+      tenantId
+    } : {},
+    ...version ? {
+      version
+    } : {}
+  };
+  return [
+    queryFilter,
+    ...isValidUUID(queryId) ? [
+      {
+        id: queryId
+      }
+    ] : []
+  ];
+}
+__name(buildQueryIdFilter, "buildQueryIdFilter");
 
-// src/webapp-api-functions.ts
-import { AuthorizationResponseStateStatus } from "@sphereon/did-auth-siop";
+// src/universal-oid4vp-api-functions.ts
+import { AuthorizationRequestStateStatus, createAuthorizationRequestFromPayload, CreateAuthorizationRequestPayloadSchema } from "@sphereon/did-auth-siop";
 import { checkAuth as checkAuth2, sendErrorResponse as sendErrorResponse2 } from "@sphereon/ssi-express-support";
 import { uriWithBase } from "@sphereon/ssi-sdk.siopv2-oid4vp-common";
-import { VerifiedDataMode } from "@sphereon/ssi-sdk.siopv2-oid4vp-rp-auth";
 import uuid from "short-uuid";
-import { shaHasher as defaultHasher } from "@sphereon/ssi-sdk.core";
-function createAuthRequestWebappEndpoint(router, context, opts) {
+
+// src/middleware/validationMiddleware.ts
+import { ZodError } from "zod";
+var validateData = /* @__PURE__ */ __name((schema) => {
+  return (req, res, next) => {
+    try {
+      schema.parse(req.body);
+      next();
+    } catch (error) {
+      if (error instanceof ZodError) {
+        const errorMessages = error.issues.map((issue) => ({
+          message: `${issue.path.join(".")} is ${issue.message}`
+        }));
+        res.status(400).json({
+          status: 400,
+          message: "Invalid data",
+          error_details: errorMessages[0].message
+        });
+      } else {
+        res.status(500).json({
+          status: 500,
+          message: "Internal Server Error"
+        });
+      }
+    }
+  };
+}, "validateData");
+
+// src/universal-oid4vp-api-functions.ts
+function createAuthRequestUniversalOID4VPEndpoint(router, context, opts) {
   if (opts?.enabled === false) {
-    console.log(`createAuthRequest Webapp endpoint is disabled`);
+    console.log(`createAuthRequest universal OID4VP endpoint is disabled`);
     return;
   }
-  const path = opts?.path ?? "/webapp/definitions/:definitionId/auth-requests";
-  router.post(path, checkAuth2(opts?.endpoint), async (request, response) => {
+  const path = opts?.path ?? "/backend/auth/requests";
+  router.post(path, checkAuth2(opts?.endpoint), validateData(CreateAuthorizationRequestPayloadSchema), async (request, response) => {
     try {
-      const definitionId = request.params.definitionId;
-      if (!definitionId) {
-        return sendErrorResponse2(response, 400, "No definitionId query parameter provided");
+      const authRequest = createAuthorizationRequestFromPayload(request.body);
+      const correlationId = authRequest.correlationId ?? uuid.uuid();
+      const qrCodeOpts = authRequest.qrCode ? {
+        ...authRequest.qrCode
+      } : opts?.qrCodeOpts;
+      const queryId = authRequest.queryId;
+      const definitionItems = await context.agent.pdmGetDefinitions({
+        filter: buildQueryIdFilter(queryId)
+      });
+      if (definitionItems.length === 0) {
+        console.log(`No query could be found for the given id. Query id: ${queryId}`);
+        return sendErrorResponse2(response, 404, {
+          status: 404,
+          message: "No query could be found"
+        });
       }
-      const state = request.body.state ?? uuid.uuid();
-      const correlationId = request.body.correlationId ?? state;
-      const qrCodeOpts = request.body.qrCodeOpts ?? opts?.qrCodeOpts;
-      const requestByReferenceURI = uriWithBase(`/siop/definitions/${definitionId}/auth-requests/${state}`, {
-        baseURI: opts?.siopBaseURI
+      const requestByReferenceURI = uriWithBase(`/siop/queries/${queryId}/auth-requests/${correlationId}`, {
+        baseURI: authRequest.requestUriBase ?? opts?.siopBaseURI
       });
-      const responseURI = uriWithBase(`/siop/definitions/${definitionId}/auth-responses/${state}`, {
+      const responseURI = uriWithBase(`/siop/queries/${queryId}/auth-responses/${correlationId}`, {
         baseURI: opts?.siopBaseURI
       });
-      const responseRedirectURI = ("response_redirect_uri" in request.body && request.body.response_redirect_uri) ?? ("responseRedirectURI" in request.body && request.body.responseRedirectURI);
       const authRequestURI = await context.agent.siopCreateAuthRequestURI({
-        definitionId,
+        queryId,
         correlationId,
-        state,
         nonce: uuid.uuid(),
         requestByReferenceURI,
         responseURIType: "response_uri",
         responseURI,
-        ...responseRedirectURI && {
-          responseRedirectURI
+        ...authRequest.directPostResponseRedirectUri && {
+          responseRedirectURI: authRequest.directPostResponseRedirectUri
+        },
+        ...authRequest.callback && {
+          callback: authRequest.callback
         }
       });
       let qrCodeDataUri;
       if (qrCodeOpts) {
         const { AwesomeQR } = await import("awesome-qr");
         const qrCode = new AwesomeQR({
-          ...qrCodeOpts,
-          text: authRequestURI
+          text: authRequestURI,
+          size: qrCodeOpts.size ?? 250,
+          colorDark: qrCodeOpts.colorDark ?? "#000000",
+          colorLight: qrCodeOpts.colorLight ?? "#FFFFFF"
         });
         qrCodeDataUri = `data:image/png;base64,${(await qrCode.draw()).toString("base64")}`;
+      } else {
+        qrCodeDataUri = authRequestURI;
       }
       const authRequestBody = {
-        correlationId,
-        state,
-        definitionId,
-        authRequestURI,
-        authStatusURI: `${uriWithBase(opts?.webappAuthStatusPath ?? "/webapp/auth-status", {
+        query_id: queryId,
+        correlation_id: correlationId,
+        request_uri: authRequestURI,
+        status_uri: `${uriWithBase(opts?.webappAuthStatusPath ?? `/backend/auth/status/${correlationId}`, {
           baseURI: opts?.webappBaseURI
         })}`,
         ...qrCodeDataUri && {
-          qrCodeDataUri
+          qr_uri: qrCodeDataUri
         }
       };
       console.log(`Auth Request URI data to send back: ${JSON.stringify(authRequestBody)}`);
-      return response.json(authRequestBody);
+      return response.status(201).json(authRequestBody);
     } catch (error) {
-      return sendErrorResponse2(response, 500, "Could not create an authorization request URI", error);
+      return sendErrorResponse2(response, 500, {
+        status: 500,
+        message: "Could not create an authorization request URI"
+      }, error);
     }
   });
 }
-__name(createAuthRequestWebappEndpoint, "createAuthRequestWebappEndpoint");
-function authStatusWebappEndpoint(router, context, opts) {
+__name(createAuthRequestUniversalOID4VPEndpoint, "createAuthRequestUniversalOID4VPEndpoint");
+function removeAuthRequestStateUniversalOID4VPEndpoint(router, context, opts) {
   if (opts?.enabled === false) {
-    console.log(`authStatus Webapp endpoint is disabled`);
+    console.log(`removeAuthStatus universal OID4VP endpoint is disabled`);
     return;
   }
-  const path = opts?.path ?? "/webapp/auth-status";
-  router.post(path, checkAuth2(opts?.endpoint), async (request, response) => {
+  const path = opts?.path ?? "/backend/auth/requests/:correlationId";
+  router.delete(path, checkAuth2(opts?.endpoint), async (request, response) => {
     try {
-      console.log("Received auth-status request...");
-      const correlationId = request.body.correlationId;
-      const definitionId = request.body.definitionId;
-      const requestState = correlationId && definitionId ? await context.agent.siopGetAuthRequestState({
+      const correlationId = request.params.correlationId;
+      const authRequestState = await context.agent.siopGetAuthRequestState({
         correlationId,
-        definitionId,
         errorOnNotFound: false
-      }) : void 0;
-      if (!requestState || !definitionId || !correlationId) {
-        console.log(`No authentication request mapping could be found for the given URL. correlation: ${correlationId}, definitionId: ${definitionId}`);
-        response.statusCode = 404;
-        const statusBody2 = {
-          status: requestState ? requestState.status : "error",
-          error: "No authentication request mapping could be found for the given URL.",
-          correlationId,
-          definitionId,
-          lastUpdated: requestState ? requestState.lastUpdated : Date.now()
-        };
-        return response.json(statusBody2);
+      });
+      if (!authRequestState) {
+        console.log(`No authorization request could be found for the given correlationId. correlationId: ${correlationId}`);
+        return sendErrorResponse2(response, 404, {
+          status: 404,
+          message: "No authorization request could be found"
+        });
       }
-      let includeVerifiedData = VerifiedDataMode.NONE;
-      if ("includeVerifiedData" in request.body) {
-        includeVerifiedData = request.body.includeVerifiedData;
+      await context.agent.siopDeleteAuthState({
+        correlationId
+      });
+      return response.status(204).json();
+    } catch (error) {
+      return sendErrorResponse2(response, 500, {
+        status: 500,
+        message: error.message
+      }, error);
+    }
+  });
+}
+__name(removeAuthRequestStateUniversalOID4VPEndpoint, "removeAuthRequestStateUniversalOID4VPEndpoint");
+function authStatusUniversalOID4VPEndpoint(router, context, opts) {
+  if (opts?.enabled === false) {
+    console.log(`authStatus universal OID4VP endpoint is disabled`);
+    return;
+  }
+  const path = opts?.path ?? "/backend/auth/status/:correlationId";
+  router.get(path, checkAuth2(opts?.endpoint), async (request, response) => {
+    try {
+      console.log("Received auth-status request...");
+      const correlationId = request.params.correlationId;
+      const requestState = await context.agent.siopGetAuthRequestState({
+        correlationId,
+        errorOnNotFound: false
+      });
+      if (!requestState) {
+        console.log(`No authorization request could be found for the given correlationId. correlationId: ${correlationId}`);
+        return sendErrorResponse2(response, 404, {
+          status: 404,
+          message: "No authorization request could be found"
+        });
       }
       let responseState;
-      if (requestState.status === "sent") {
+      if (requestState.status === AuthorizationRequestStateStatus.RETRIEVED) {
         responseState = await context.agent.siopGetAuthResponseState({
           correlationId,
-          definitionId,
-          includeVerifiedData,
           errorOnNotFound: false
         });
       }
       const overallState = responseState ?? requestState;
       const statusBody = {
         status: overallState.status,
-        ...overallState.error ? {
-          error: overallState.error?.message
-        } : {},
-        correlationId,
-        definitionId,
-        lastUpdated: overallState.lastUpdated,
-        ...responseState && responseState.status === AuthorizationResponseStateStatus.VERIFIED ? {
-          payload: await responseState.response.mergedPayloads({
-            hasher: defaultHasher
-          }),
-          verifiedData: responseState.verifiedData
-        } : {}
+        correlation_id: overallState.correlationId,
+        query_id: overallState.queryId,
+        last_updated: overallState.lastUpdated,
+        ..."verifiedData" in overallState && {
+          verified_data: overallState.verifiedData
+        },
+        ...overallState.error && {
+          message: overallState.error.message
+        }
       };
       console.debug(`Will send auth status: ${JSON.stringify(statusBody)}`);
       if (overallState.status === "error") {
-        response.statusCode = 500;
-        return response.json(statusBody);
+        return response.status(500).json(statusBody);
       }
-      response.statusCode = 200;
-      return response.json(statusBody);
-    } catch (error) {
-      return sendErrorResponse2(response, 500, error.message, error);
-    }
-  });
-}
-__name(authStatusWebappEndpoint, "authStatusWebappEndpoint");
-function removeAuthRequestStateWebappEndpoint(router, context, opts) {
-  if (opts?.enabled === false) {
-    console.log(`removeAuthStatus Webapp endpoint is disabled`);
-    return;
-  }
-  const path = opts?.path ?? "/webapp/definitions/:definitionId/auth-requests/:correlationId";
-  router.delete(path, checkAuth2(opts?.endpoint), async (request, response) => {
-    try {
-      const correlationId = request.params.correlationId;
-      const definitionId = request.params.definitionId;
-      if (!correlationId || !definitionId) {
-        console.log(`No authorization request could be found for the given url. correlationId: ${correlationId}, definitionId: ${definitionId}`);
-        return sendErrorResponse2(response, 404, "No authorization request could be found");
-      }
-      response.statusCode = 200;
-      return response.json(await context.agent.siopDeleteAuthState({
-        definitionId,
-        correlationId
-      }));
+      return response.status(200).json(statusBody);
     } catch (error) {
-      return sendErrorResponse2(response, 500, error.message, error);
+      return sendErrorResponse2(response, 500, {
+        status: 500,
+        message: error.message
+      }, error);
     }
   });
 }
-__name(removeAuthRequestStateWebappEndpoint, "removeAuthRequestStateWebappEndpoint");
+__name(authStatusUniversalOID4VPEndpoint, "authStatusUniversalOID4VPEndpoint");
 function getDefinitionsEndpoint(router, context, opts) {
   if (opts?.enabled === false) {
-    console.log(`getDefinitions Webapp endpoint is disabled`);
+    console.log(`getDefinitions universal OID4VP endpoint is disabled`);
     return;
   }
-  const path = opts?.path ?? "/webapp/definitions";
+  const path = opts?.path ?? "/backend/definitions";
   router.get(path, checkAuth2(opts?.endpoint), async (request, response) => {
     try {
       const definitions = await context.agent.pdmGetDefinitions();
       response.statusCode = 200;
       return response.json(definitions);
     } catch (error) {
-      return sendErrorResponse2(response, 500, error.message, error);
+      return sendErrorResponse2(response, 500, {
+        status: 500,
+        message: error.message
+      }, error);
     }
   });
 }
@@ -350,9 +441,9 @@ var SIOPv2RPApiServer = class {
     ];
     console.log(`SIOPv2 API enabled, with features: ${JSON.stringify(features)}}`);
     if (features.includes("rp-status")) {
-      createAuthRequestWebappEndpoint(this._router, context, opts?.endpointOpts?.webappCreateAuthRequest);
-      authStatusWebappEndpoint(this._router, context, opts?.endpointOpts?.webappAuthStatus);
-      removeAuthRequestStateWebappEndpoint(this._router, context, opts?.endpointOpts?.webappDeleteAuthRequest);
+      createAuthRequestUniversalOID4VPEndpoint(this._router, context, opts?.endpointOpts?.webappCreateAuthRequest);
+      authStatusUniversalOID4VPEndpoint(this._router, context, opts?.endpointOpts?.webappAuthStatus);
+      removeAuthRequestStateUniversalOID4VPEndpoint(this._router, context, opts?.endpointOpts?.webappDeleteAuthRequest);
       getDefinitionsEndpoint(this._router, context, opts?.endpointOpts?.webappGetDefinitions);
     }
     if (features.includes("siop")) {
@@ -399,11 +490,12 @@ var SIOPv2RPApiServer = class {
 };
 export {
   SIOPv2RPApiServer,
-  authStatusWebappEndpoint,
-  createAuthRequestWebappEndpoint,
+  authStatusUniversalOID4VPEndpoint,
+  buildQueryIdFilter,
+  createAuthRequestUniversalOID4VPEndpoint,
   getAuthRequestSIOPv2Endpoint,
   getDefinitionsEndpoint,
-  removeAuthRequestStateWebappEndpoint,
+  removeAuthRequestStateUniversalOID4VPEndpoint,
   verifyAuthResponseSIOPv2Endpoint
 };
 //# sourceMappingURL=index.js.map