Merge remote-tracking branch 'origin/feature/SSISDK-5_credential_offer_uri' into develop

# Conflicts:
#	packages/client/lib/CredentialOfferClient.ts
#	packages/client/lib/CredentialOfferClientV1_0_13.ts
#	packages/client/lib/functions/UrlUtil.ts
#	packages/issuer-rest/lib/oid4vci-api-functions.ts
#	pnpm-lock.yaml

Author: nklomp

packages/client/lib/CredentialOfferClient.ts

@@ -7,20 +7,17 @@ import {
   CredentialOfferRequestWithBaseUrl,
   CredentialOfferV1_0_11,
   CredentialOfferV1_0_13,
-  decodeJsonProperties,
   determineSpecVersionFromURI,
-  getClientIdFromCredentialOfferPayload,
-  getURIComponentsAsArray,
   OpenId4VCIVersion,
-  PRE_AUTH_CODE_LITERAL,
   PRE_AUTH_GRANT_LITERAL,
   toUniformCredentialOfferRequest,
 } from '@sphereon/oid4vci-common';
 import { fetch } from 'cross-fetch';
 import Debug from 'debug';
 
-import { isUrlEncoded } from './functions';
-import { LOG } from './types';
+import { LOG } from './types'
+import { fetch } from 'cross-fetch'
+import { constructBaseResponse, handleCredentialOfferUri, isUrlEncoded } from './functions'
 
 const debug = Debug('sphereon:oid4vci:offer');
 
@@ -48,22 +45,7 @@ export class CredentialOfferClient {
       };
     } else {
       if (uri.includes('credential_offer_uri')) {
-        const uriObj = getURIComponentsAsArray(uri) as unknown as Record<string, string>; // FIXME
-        const credentialOfferUri = decodeURIComponent(uriObj['credential_offer_uri']);
-        const decodedUri = isUrlEncoded(credentialOfferUri) ? decodeURIComponent(credentialOfferUri) : credentialOfferUri;
-        const response = await fetch(decodedUri);
-        if (!(response && response.status >= 200 && response.status < 400)) {
-          return Promise.reject(
-            `the credential offer URI endpoint call was not successful. http code ${response.status} - reason ${response.statusText}`,
-          );
-        }
-
-        if (response.headers.get('Content-Type')?.startsWith('application/json') === false) {
-          return Promise.reject('the credential offer URI endpoint did not return content type application/json');
-        }
-        credentialOffer = {
-          credential_offer: decodeJsonProperties(await response.json()),
-        } as CredentialOfferV1_0_11 | CredentialOfferV1_0_13;
+        credentialOffer = await handleCredentialOfferUri(uri) as CredentialOfferV1_0_11 | CredentialOfferV1_0_13
       } else {
         credentialOffer = convertURIToJsonObject(uri, {
           // It must have the '=' sign after credential_offer otherwise the uri will get split at openid_credential_offer
@@ -72,34 +54,22 @@ export class CredentialOfferClient {
         }) as CredentialOfferV1_0_11 | CredentialOfferV1_0_13;
       }
       if (credentialOffer?.credential_offer_uri === undefined && !credentialOffer?.credential_offer) {
-        throw Error('Either a credential_offer or credential_offer_uri should be present in ' + uri);
+        throw Error('Either a credential_offer or credential_offer_uri should be present in ' + uri) // cannot be reached since convertURIToJsonObject will check the params
       }
     }
 
     const request = await toUniformCredentialOfferRequest(credentialOffer, {
       ...opts,
-      version,
-    });
-    const clientId = getClientIdFromCredentialOfferPayload(request.credential_offer);
-    const grants = request.credential_offer?.grants;
+      version
+    })
 
     return {
-      scheme,
-      baseUrl,
-      ...(clientId && { clientId }),
-      ...request,
-      ...(grants?.authorization_code?.issuer_state && { issuerState: grants.authorization_code.issuer_state }),
-      ...(grants?.[PRE_AUTH_GRANT_LITERAL]?.[PRE_AUTH_CODE_LITERAL] && {
-        preAuthorizedCode: grants[PRE_AUTH_GRANT_LITERAL][PRE_AUTH_CODE_LITERAL],
-      }),
+      ...constructBaseResponse(request, scheme, baseUrl),
       userPinRequired:
         request.credential_offer?.grants?.[PRE_AUTH_GRANT_LITERAL]?.user_pin_required ??
         !!request.credential_offer?.grants?.[PRE_AUTH_GRANT_LITERAL]?.tx_code ??
-        false,
-      ...(request.credential_offer?.grants?.[PRE_AUTH_GRANT_LITERAL]?.tx_code && {
-        txCode: request.credential_offer.grants[PRE_AUTH_GRANT_LITERAL].tx_code,
-      }),
-    };
+        false
+    }
   }
 
   public static toURI(

packages/client/lib/CredentialOfferClientV1_0_11.ts

@@ -44,7 +44,7 @@ export class CredentialOfferClientV1_0_11 {
         requiredProperties: uri.includes('credential_offer_uri=') ? ['credential_offer_uri='] : ['credential_offer='],
       }) as CredentialOfferV1_0_11;
       if (credentialOffer?.credential_offer_uri === undefined && !credentialOffer?.credential_offer) {
-        throw Error('Either a credential_offer or credential_offer_uri should be present in ' + uri);
+        throw Error('Either a credential_offer or credential_offer_uri should be present in ' + uri); // cannot be reached since convertURIToJsonObject will check the params
       }
     }
 

packages/client/lib/CredentialOfferClientV1_0_13.ts

@@ -3,51 +3,30 @@ import {
   convertURIToJsonObject,
   CredentialOffer,
   CredentialOfferRequestWithBaseUrl,
-  CredentialOfferV1_0_11,
   CredentialOfferV1_0_13,
-  decodeJsonProperties,
   determineSpecVersionFromURI,
-  getClientIdFromCredentialOfferPayload,
-  getURIComponentsAsArray,
   OpenId4VCIVersion,
-  PRE_AUTH_CODE_LITERAL,
   PRE_AUTH_GRANT_LITERAL,
-  toUniformCredentialOfferRequest,
-} from '@sphereon/oid4vci-common';
-import { fetch } from 'cross-fetch';
-import Debug from 'debug';
-
-import { isUrlEncoded } from './functions';
+  toUniformCredentialOfferRequest
+} from '@sphereon/oid4vci-common'
+import Debug from 'debug'
+import { constructBaseResponse, handleCredentialOfferUri } from './functions'
 
 const debug = Debug('sphereon:oid4vci:offer');
 
 export class CredentialOfferClientV1_0_13 {
   public static async fromURI(uri: string, opts?: { resolve?: boolean }): Promise<CredentialOfferRequestWithBaseUrl> {
-    debug(`Credential Offer URI: ${uri}`);
+    debug(`Credential Offer URI: ${uri}`)
     if (!uri.includes('?') || !uri.includes('://')) {
-      debug(`Invalid Credential Offer URI: ${uri}`);
-      throw Error(`Invalid Credential Offer Request`);
+      debug(`Invalid Credential Offer URI: ${uri}`)
+      throw Error(`Invalid Credential Offer Request`)
     }
-    const scheme = uri.split('://')[0];
-    const baseUrl = uri.split('?')[0];
-    const version = determineSpecVersionFromURI(uri);
-    let credentialOffer: CredentialOffer;
-    if (uri.includes('credential_offer_uri')) {
-      // FIXME deduplicate
-      const uriObj = getURIComponentsAsArray(uri) as unknown as Record<string, string>; // FIXME
-      const credentialOfferUri = decodeURIComponent(uriObj['credential_offer_uri']);
-      const decodedUri = isUrlEncoded(credentialOfferUri) ? decodeURIComponent(credentialOfferUri) : credentialOfferUri;
-      const response = await fetch(decodedUri);
-      if (!(response && response.status >= 200 && response.status < 400)) {
-        return Promise.reject(
-          `the credential offer URI endpoint call was not successful. http code ${response.status} - reason ${response.statusText}`,
-        );
-      }
-
-      if (response.headers.get('Content-Type')?.startsWith('application/json') === false) {
-        return Promise.reject('the credential offer URI endpoint did not return content type application/json');
-      }
-      credentialOffer = decodeJsonProperties(await response.json()) as CredentialOfferV1_0_11 | CredentialOfferV1_0_13;
+    const scheme = uri.split('://')[0]
+    const baseUrl = uri.split('?')[0]
+    const version = determineSpecVersionFromURI(uri)
+    let credentialOffer: CredentialOffer
+    if (uri.includes('credential_offer_uri')) { // FIXME deduplicate
+      credentialOffer = await handleCredentialOfferUri(uri) as CredentialOfferV1_0_13
     } else {
       credentialOffer = convertURIToJsonObject(uri, {
         // It must have the '=' sign after credential_offer otherwise the uri will get split at openid_credential_offer
@@ -58,30 +37,18 @@ export class CredentialOfferClientV1_0_13 {
       }) as CredentialOfferV1_0_13;
     }
     if (credentialOffer?.credential_offer_uri === undefined && !credentialOffer?.credential_offer) {
-      throw Error('Either a credential_offer or credential_offer_uri should be present in ' + uri);
+      throw Error('Either a credential_offer or credential_offer_uri should be present in ' + uri) // cannot be reached since convertURIToJsonObject will check the params
     }
 
     const request = await toUniformCredentialOfferRequest(credentialOffer, {
       ...opts,
-      version,
-    });
-    const clientId = getClientIdFromCredentialOfferPayload(request.credential_offer);
-    const grants = request.credential_offer?.grants;
+      version
+    })
 
     return {
-      scheme,
-      baseUrl,
-      ...(clientId && { clientId }),
-      ...request,
-      ...(grants?.authorization_code?.issuer_state && { issuerState: grants.authorization_code.issuer_state }),
-      ...(grants?.[PRE_AUTH_GRANT_LITERAL]?.[PRE_AUTH_CODE_LITERAL] && {
-        preAuthorizedCode: grants[PRE_AUTH_GRANT_LITERAL][PRE_AUTH_CODE_LITERAL],
-      }),
-      userPinRequired: !!request.credential_offer?.grants?.[PRE_AUTH_GRANT_LITERAL]?.tx_code ?? false,
-      ...(request.credential_offer?.grants?.[PRE_AUTH_GRANT_LITERAL]?.tx_code && {
-        txCode: request.credential_offer.grants[PRE_AUTH_GRANT_LITERAL].tx_code,
-      }),
-    };
+      ...constructBaseResponse(request, scheme, baseUrl),
+      userPinRequired: !!request.credential_offer?.grants?.[PRE_AUTH_GRANT_LITERAL]?.tx_code ?? false
+    }
   }
 
   public static toURI(

packages/client/lib/__tests__/CredentialRequestClient.spec.ts

@@ -341,3 +341,62 @@ describe('Credential Request Client with different issuers ', () => {
     });
   });
 });
+
+describe('Credential Offer Client error handling', () => {
+  beforeEach(() => {
+    nock.cleanAll()
+  })
+
+  afterEach(() => {
+    nock.cleanAll()
+  })
+
+  it('should handle non-200 response from credential offer URI endpoint', async () => {
+    const IRR_URI = 'openid-credential-offer://?credential_offer_uri=https%3A%2F%2Ftest.example.com%2Foffer'
+
+    nock('https://test.example.com')
+      .get('/offer')
+      .reply(404, 'Not Found')
+
+    await expect(CredentialOfferClient.fromURI(IRR_URI)).rejects.toMatch(
+      /the credential offer URI endpoint call was not successful. http code 404 - reason Not Found/
+    )
+  })
+
+  it('should handle invalid content type from credential offer URI endpoint', async () => {
+    const IRR_URI = 'openid-credential-offer://?credential_offer_uri=https%3A%2F%2Ftest.example.com%2Foffer'
+
+    nock('https://test.example.com')
+      .get('/offer')
+      .reply(200, 'plain text response', { 'Content-Type': 'text/plain' })
+
+    await expect(CredentialOfferClient.fromURI(IRR_URI)).rejects.toMatch(
+      'the credential offer URI endpoint did not return content type application/json'
+    )
+  })
+
+  it('should handle missing required credential offer properties', async () => {
+    const IRR_URI = 'openid-credential-offer://?invalid_param=test'
+
+  await expect(CredentialOfferClient.fromURI(IRR_URI)).rejects.toThrow('Wrong parameters provided')
+  })
+
+  it('should handle credential offer URI with credential_offer param', async () => {
+    const IRR_URI = 'openid-credential-offer://?credential_offer=%7B%22test%22%3A%22value%22%7D'
+
+    const client = await CredentialOfferClient.fromURI(IRR_URI)
+    expect(client.credential_offer).toBeDefined()
+  })
+
+  it('should handle URL encoded credential offer URI properly', async () => {
+    const encodedUri = 'https%3A%2F%2Ftest.example.com%2Foffer'
+    const IRR_URI = `openid-credential-offer://?credential_offer_uri=${encodedUri}`
+
+    nock('https://test.example.com')
+      .get('/offer')
+      .reply(200, { test: 'value' }, { 'Content-Type': 'application/json' })
+
+    const client = await CredentialOfferClient.fromURI(IRR_URI)
+    expect(client.credential_offer).toBeDefined()
+  })
+})

packages/client/lib/functions/CredentialOfferCommons.ts

@@ -0,0 +1,52 @@
+import {
+  decodeJsonProperties,
+  getClientIdFromCredentialOfferPayload,
+  getURIComponentsAsArray,
+  PRE_AUTH_CODE_LITERAL,
+  PRE_AUTH_GRANT_LITERAL,
+  UniformCredentialOfferRequest
+} from '@sphereon/oid4vci-common'
+import { fetch } from 'cross-fetch'
+
+export function isUriEncoded(str: string): boolean {
+  const pattern = /%[0-9A-F]{2}/i
+  return pattern.test(str)
+}
+
+export async function handleCredentialOfferUri(uri: string) {
+  const uriObj = getURIComponentsAsArray(uri) as unknown as Record<string, string>
+  const credentialOfferUri = decodeURIComponent(uriObj['credential_offer_uri'])
+  const decodedUri = isUriEncoded(credentialOfferUri) ? decodeURIComponent(credentialOfferUri) : credentialOfferUri
+  const response = await fetch(decodedUri)
+
+  if (!(response && response.status >= 200 && response.status < 400)) {
+    return Promise.reject(`the credential offer URI endpoint call was not successful. http code ${response.status} - reason ${response.statusText}`)
+  }
+
+  if (response.headers.get('Content-Type')?.startsWith('application/json') === false) {
+    return Promise.reject('the credential offer URI endpoint did not return content type application/json')
+  }
+
+  return {
+    credential_offer: decodeJsonProperties(await response.json())
+  }
+}
+
+export function constructBaseResponse(request: UniformCredentialOfferRequest, scheme: string, baseUrl: string) {
+  const clientId = getClientIdFromCredentialOfferPayload(request.credential_offer)
+  const grants = request.credential_offer?.grants
+
+  return {
+    scheme,
+    baseUrl,
+    ...(clientId && { clientId }),
+    ...request,
+    ...(grants?.authorization_code?.issuer_state && { issuerState: grants.authorization_code.issuer_state }),
+    ...(grants?.[PRE_AUTH_GRANT_LITERAL]?.[PRE_AUTH_CODE_LITERAL] && {
+      preAuthorizedCode: grants[PRE_AUTH_GRANT_LITERAL][PRE_AUTH_CODE_LITERAL]
+    }),
+    ...(request.credential_offer?.grants?.[PRE_AUTH_GRANT_LITERAL]?.tx_code && {
+      txCode: request.credential_offer.grants[PRE_AUTH_GRANT_LITERAL].tx_code
+    })
+  }
+}

packages/client/lib/functions/UrlUtil.ts

@@ -2,4 +2,4 @@ export * from './AuthorizationUtil';
 export * from './notifications';
 export * from './OpenIDUtils';
 export * from './AccessTokenUtil';
-export * from './UrlUtil';
+export * from './CredentialOfferCommons';