fix: add tx code support (#312)

Signed-off-by: Mirko Mollik <mirko.mollik@eudi.sprind.org>

Author: cre8

apps/backend/src/issuer/authorize/authorize.controller.ts

@@ -83,12 +83,7 @@ export class AuthorizeController {
         @Req() req: Request,
         @Param("tenantId") tenantId: string,
     ): Promise<any> {
-        return this.authorizeService
-            .validateTokenRequest(body, req, tenantId)
-            .catch((error) => {
-                console.error("Error in token endpoint:", error);
-                throw error;
-            });
+        return this.authorizeService.validateTokenRequest(body, req, tenantId);
     }
 
     /**

apps/backend/src/issuer/authorize/authorize.service.ts

@@ -1,5 +1,9 @@
 import { randomUUID } from "node:crypto";
-import { ConflictException, Injectable } from "@nestjs/common";
+import {
+    BadRequestException,
+    ConflictException,
+    Injectable,
+} from "@nestjs/common";
 import { ConfigService } from "@nestjs/config";
 import {
     type AuthorizationCodeGrantIdentifier,
@@ -107,11 +111,19 @@ export class AuthorizeService {
         }
     }
 
+    /**
+     * Validate the token request.
+     * This endpoint is used to exchange the authorization code for an access token.
+     * @param body
+     * @param req
+     * @returns
+     */
     async validateTokenRequest(
         body: any,
         req: Request,
         tenantId: string,
     ): Promise<any> {
+        //TODO: check if all the error cases are covered: https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#name-token-error-response
         const url = `${this.configService.getOrThrow<string>("PUBLIC_URL")}${req.url}`;
         const parsedAccessTokenRequest = this.getAuthorizationServer(
             tenantId,
@@ -143,29 +155,34 @@ export class AuthorizeService {
             parsedAccessTokenRequest.grant.grantType ===
             preAuthorizedCodeGrantIdentifier
         ) {
-            const { dpop } = await this.getAuthorizationServer(
-                tenantId,
-            ).verifyPreAuthorizedCodeAccessTokenRequest({
-                grant: parsedAccessTokenRequest.grant as ParsedAccessTokenPreAuthorizedCodeRequestGrant,
-                accessTokenRequest: parsedAccessTokenRequest.accessTokenRequest,
-                request: {
-                    method: req.method as HttpMethod,
-                    url,
-                    headers: getHeadersFromRequest(req),
-                },
-                dpop: {
-                    required: issuanceConfig.dPopRequired,
-                    allowedSigningAlgs:
-                        authorizationServerMetadata.dpop_signing_alg_values_supported,
-                    jwt: parsedAccessTokenRequest.dpop?.jwt,
-                },
+            const { dpop } = await this.getAuthorizationServer(tenantId)
+                .verifyPreAuthorizedCodeAccessTokenRequest({
+                    grant: parsedAccessTokenRequest.grant as ParsedAccessTokenPreAuthorizedCodeRequestGrant,
+                    accessTokenRequest:
+                        parsedAccessTokenRequest.accessTokenRequest,
+                    request: {
+                        method: req.method as HttpMethod,
+                        url,
+                        headers: getHeadersFromRequest(req),
+                    },
+                    dpop: {
+                        required: issuanceConfig.dPopRequired,
+                        allowedSigningAlgs:
+                            authorizationServerMetadata.dpop_signing_alg_values_supported,
+                        jwt: parsedAccessTokenRequest.dpop?.jwt,
+                    },
 
-                authorizationServerMetadata,
+                    authorizationServerMetadata,
 
-                expectedPreAuthorizedCode:
-                    parsedAccessTokenRequest.grant.preAuthorizedCode,
-                expectedTxCode: parsedAccessTokenRequest.grant.txCode,
-            });
+                    expectedPreAuthorizedCode: session.authorization_code!,
+                    expectedTxCode: session.credentialPayload?.tx_code,
+                })
+                .catch((err) => {
+                    throw new BadRequestException(err.error, {
+                        cause: err,
+                        description: err.error_description,
+                    });
+                });
             dpopValue = dpop;
         }
 

apps/backend/src/issuer/oid4vci/dto/offer-request.dto.ts

@@ -125,9 +125,44 @@ export class OfferRequestDto {
      * Each credential can have claims provided inline or fetched via webhook.
      * Keys must be a subset of credentialConfigurationIds.
      */
+    @ApiProperty({
+        description:
+            "Credential claims configuration per credential. Keys must match credentialConfigurationIds.",
+        type: "object",
+        properties: {
+            additionalProperties: {
+                oneOf: [
+                    {
+                        type: "object",
+                        properties: {
+                            type: { type: "string", enum: ["inline"] },
+                            claims: {
+                                type: "object",
+                                additionalProperties: true,
+                            },
+                        },
+                        required: ["type", "claims"],
+                    },
+                    {
+                        type: "object",
+                        properties: {
+                            type: { type: "string", enum: ["webhook"] },
+                            webhook: { type: "object" },
+                        },
+                        required: ["type", "webhook"],
+                    },
+                ],
+            },
+        },
+        example: {
+            citizen: {
+                type: "inline",
+                claims: { given_name: "John", family_name: "Doe" },
+            },
+        },
+    })
     @IsObject()
     @IsOptional()
-    @ValidateNested({ each: true })
     @Validate(CredentialClaimsMatchIdsConstraint)
     @Transform(({ value }) => {
         if (!value) return value;
@@ -136,9 +171,13 @@ export class OfferRequestDto {
         for (const [key, val] of Object.entries(value)) {
             const source = val as any;
             if (source.type === "inline") {
-                result[key] = plainToClass(InlineClaimsSource, val);
+                result[key] = plainToClass(InlineClaimsSource, val, {
+                    enableImplicitConversion: true,
+                });
             } else if (source.type === "webhook") {
-                result[key] = plainToClass(WebhookClaimsSource, val);
+                result[key] = plainToClass(WebhookClaimsSource, val, {
+                    enableImplicitConversion: true,
+                });
             }
         }
         return result;

apps/backend/src/issuer/oid4vci/oid4vci.service.ts

@@ -192,10 +192,20 @@ export class Oid4vciService {
         let grants: any;
         const issuer_state = v4();
         if (body.flow === FlowType.PRE_AUTH_CODE) {
+            //check if tx_code is a number
             authorization_code = v4();
             grants = {
                 [preAuthorizedCodeGrantIdentifier]: {
                     "pre-authorized_code": authorization_code,
+                    tx_code: body.tx_code
+                        ? {
+                              input_mode: Number(body.tx_code)
+                                  ? "numeric"
+                                  : "text",
+                              length: body.tx_code.length,
+                              //TODO: should give the possiblity to pass a description
+                          }
+                        : undefined,
                 },
             };
         } else {
@@ -311,8 +321,7 @@ export class Oid4vciService {
                 issuerMetadata,
                 credentialRequest: req.body as Record<string, unknown>,
             });
-        } catch (error) {
-            console.log(error);
+        } catch {
             throw new ConflictException("Invalid credential request");
         }
 

apps/client/src/app/issuance/credential-config/credential-config-create/credential-config-create.component.ts

@@ -29,7 +29,7 @@ import {
 import { EditorComponent, extractSchema } from '../../../utils/editor/editor.component';
 import { ImageFieldComponent } from '../../../utils/image-field/image-field.component';
 import {
-  fbWebhook,
+  createWebhookFormGroup,
   WebhookConfigEditComponent,
 } from '../../../utils/webhook-config-edit/webhook-config-edit.component';
 
@@ -93,8 +93,8 @@ export class CredentialConfigCreateComponent implements OnInit {
       schema: new FormControl(''),
       displayConfigs: new FormArray([this.createDisplayConfigGroup()]),
       embeddedDisclosurePolicy: new FormControl(''),
-      claimsWebhook: fbWebhook,
-      notificationWebhook: fbWebhook,
+      claimsWebhook: createWebhookFormGroup(),
+      notificationWebhook: createWebhookFormGroup(),
     } as { [k in keyof Omit<CredentialConfigCreate, 'config'>]: any });
 
     if (this.route.snapshot.params['id']) {
@@ -195,12 +195,14 @@ export class CredentialConfigCreateComponent implements OnInit {
       keyBinding: config.keyBinding ?? true,
       statusManagement: config.statusManagement ?? true,
       claims: this.stringifyField(config.claims),
+      claimsWebhook: config.claimsWebhook,
+      notificationWebhook: config.notificationWebhook,
       disclosureFrame: this.stringifyField(config.disclosureFrame),
       vct: this.stringifyField(config.vct),
       schema: this.stringifyField(config.schema),
       displayConfigs: config.config?.display || [],
       embeddedDisclosurePolicy: this.stringifyField(config.embeddedDisclosurePolicy),
-    });
+    } as { [k in keyof Omit<CredentialConfigCreate, 'config'>]: any });
   }
 
   private markFormGroupTouched(): void {

apps/client/src/app/issuance/issuance-config/issuance-config-create/issuance-config-create.component.ts

@@ -20,7 +20,7 @@ import { issuanceConfigSchema } from '../../../utils/schemas';
 import { JsonViewDialogComponent } from '../../credential-config/credential-config-create/json-view-dialog/json-view-dialog.component';
 import { MatDialog } from '@angular/material/dialog';
 import {
-  fbWebhook,
+  createWebhookFormGroup,
   WebhookConfigEditComponent,
 } from '../../../utils/webhook-config-edit/webhook-config-edit.component';
 import { MatSlideToggle, MatSlideToggleModule } from '@angular/material/slide-toggle';
@@ -69,7 +69,7 @@ export class IssuanceConfigCreateComponent implements OnInit {
       display: this.fb.array([]),
       batchSize: new FormControl(1, [Validators.min(1)]),
       dPopRequired: new FormControl(true),
-      notifyWebhook: fbWebhook,
+      notifyWebhook: createWebhookFormGroup(),
     } as { [k in keyof IssuanceDto]: any });
   }
 

apps/client/src/app/utils/webhook-config-edit/webhook-config-edit.component.html

@@ -29,7 +29,7 @@
     }
   </div>
   <div align="end">
-    <button mat-button type="button" (click)="clearConfig()" [disabled]="group.pristine">
+    <button mat-button type="button" (click)="clearConfig()">
       <mat-icon>clear</mat-icon>
       Clear Webhook Configuration
     </button>

apps/client/src/app/utils/webhook-config-edit/webhook-config-edit.component.ts

@@ -6,16 +6,18 @@ import { MatSelectModule } from '@angular/material/select';
 import { FlexLayoutModule } from 'ngx-flexible-layout';
 import { MatAnchor } from '@angular/material/button';
 
-export const fbWebhook = new FormGroup({
-  url: new FormControl(''),
-  auth: new FormGroup({
-    type: new FormControl(''),
-    config: new FormGroup({
-      headerName: new FormControl(''),
-      value: new FormControl(''),
+export function createWebhookFormGroup(): FormGroup {
+  return new FormGroup({
+    url: new FormControl(''),
+    auth: new FormGroup({
+      type: new FormControl(''),
+      config: new FormGroup({
+        headerName: new FormControl(''),
+        value: new FormControl(''),
+      }),
     }),
-  }),
-});
+  });
+}
 
 @Component({
   selector: 'app-webhook-config-edit',

packages/eudiplo-sdk/src/api/schemas.gen.ts

@@ -994,6 +994,53 @@ export const OfferRequestDtoSchema = {
       ],
       description: "The type of response expected for the offer request.",
     },
+    credentialClaims: {
+      type: "object",
+      description:
+        "Credential claims configuration per credential. Keys must match credentialConfigurationIds.",
+      properties: {
+        additionalProperties: {
+          oneOf: [
+            {
+              type: "object",
+              properties: {
+                type: {
+                  type: "string",
+                  enum: ["inline"],
+                },
+                claims: {
+                  type: "object",
+                  additionalProperties: true,
+                },
+              },
+              required: ["type", "claims"],
+            },
+            {
+              type: "object",
+              properties: {
+                type: {
+                  type: "string",
+                  enum: ["webhook"],
+                },
+                webhook: {
+                  type: "object",
+                },
+              },
+              required: ["type", "webhook"],
+            },
+          ],
+        },
+      },
+      example: {
+        citizen: {
+          type: "inline",
+          claims: {
+            given_name: "John",
+            family_name: "Doe",
+          },
+        },
+      },
+    },
     flow: {
       description: "The flow type for the offer request.",
       enum: ["authorization_code", "pre_authorized_code"],
@@ -1011,11 +1058,6 @@ export const OfferRequestDtoSchema = {
         type: "string",
       },
     },
-    credentialClaims: {
-      type: "object",
-      description:
-        "Credential claims configuration per credential.\nEach credential can have claims provided inline or fetched via webhook.\nKeys must be a subset of credentialConfigurationIds.",
-    },
     notifyWebhook: {
       description:
         "Webhook to notify about the status of the issuance process.",

packages/eudiplo-sdk/src/api/types.gen.ts

@@ -585,6 +585,24 @@ export type OfferRequestDto = {
    * The type of response expected for the offer request.
    */
   response_type: "qrcode" | "uri" | "dc-api";
+  /**
+   * Credential claims configuration per credential. Keys must match credentialConfigurationIds.
+   */
+  credentialClaims?: {
+    additionalProperties?:
+      | {
+          type: "inline";
+          claims: {
+            [key: string]: unknown;
+          };
+        }
+      | {
+          type: "webhook";
+          webhook: {
+            [key: string]: unknown;
+          };
+        };
+  };
   /**
    * The flow type for the offer request.
    */
@@ -597,14 +615,6 @@ export type OfferRequestDto = {
    * List of credential configuration ids to be included in the offer.
    */
   credentialConfigurationIds: Array<string>;
-  /**
-   * Credential claims configuration per credential.
-   * Each credential can have claims provided inline or fetched via webhook.
-   * Keys must be a subset of credentialConfigurationIds.
-   */
-  credentialClaims?: {
-    [key: string]: unknown;
-  };
   /**
    * Webhook to notify about the status of the issuance process.
    */