chore: vp_token repairs

Author: sanderPostma

packages/siop-oid4vp/lib/authorization-response/Payload.ts

@@ -3,13 +3,88 @@ import { AuthorizationRequest } from '../authorization-request'
 import { IDToken } from '../id-token'
 import { RequestObject } from '../request-object'
 import { assertValidResponseOpts } from './Opts'
-import { AuthorizationRequestPayload, AuthorizationResponsePayload, IDTokenPayload, SIOPErrors } from '../types'
+import {
+  AuthorizationRequestPayload,
+  AuthorizationResponsePayload,
+  DcqlPresentationEntry,
+  DcqlVpToken,
+  DcqlVpTokenInput,
+  IDTokenPayload,
+  NonEmptyArray,
+  SIOPErrors
+} from '../types'
 import { AuthorizationResponseOpts } from './types'
 
+
+/**
+ * Checks if an object is array-like (has only numeric string keys: "0", "1", "2", etc.)
+ * This handles objects that were serialized arrays: { "0": val1, "1": val2 }
+ */
+const isArrayLikeObject = (value: unknown): value is Record<string, DcqlPresentationEntry> => {
+  if (!value || typeof value !== 'object' || Array.isArray(value)) {
+    return false
+  }
+  const keys = Object.keys(value)
+  return keys.length > 0 && keys.every(key => /^\d+$/.test(key))
+}
+
+/**
+ * Normalizes a credential query value to an array.
+ * Handles three input formats:
+ * 1. Single value: "credential" -> ["credential"]
+ * 2. Array: ["cred1", "cred2"] -> ["cred1", "cred2"]
+ * 3. Array-like object: {"0": "cred1", "1": "cred2"} -> ["cred1", "cred2"]
+ */
+const normalizeToArray = (
+  credentialQueryId: string,
+  value: DcqlPresentationEntry | DcqlPresentationEntry[] | Record<string, DcqlPresentationEntry>
+): NonEmptyArray<DcqlPresentationEntry> => {
+  let presentationsArray: DcqlPresentationEntry[]
+
+  if (Array.isArray(value)) {
+    presentationsArray = value
+  } else if (isArrayLikeObject(value)) {
+    // Convert array-like object to array by sorting keys numerically
+    const sortedKeys = Object.keys(value).sort((a, b) => Number(a) - Number(b))
+    presentationsArray = sortedKeys.map(key => value[key])
+  } else {
+    // Single value, wrap in array
+    presentationsArray = [value]
+  }
+
+  if (presentationsArray.length === 0) {
+    throw new Error(
+      `DCQL presentations for credential query '${credentialQueryId}' cannot be empty`
+    )
+  }
+
+  // Cast to NonEmptyArray since we verified length > 0
+  return presentationsArray as NonEmptyArray<DcqlPresentationEntry>
+}
+
+/**
+ * Converts a DCQL presentation input (which may have mixed formats) to the canonical
+ * format where all credential queries map to non-empty arrays of presentations.
+ *
+ * This ensures consistent handling of:
+ * - Single presentations: { "PID": "eyJ..." } -> { "PID": ["eyJ..."] }
+ * - Array presentations: { "PID": ["eyJ..."] } -> { "PID": ["eyJ..."] }
+ * - Array-like objects: { "PID": {"0": "eyJ..."} } -> { "PID": ["eyJ..."] }
+ */
+const toCanonicalDcqlPresentation = (input: DcqlVpTokenInput): DcqlVpToken => {
+  return Object.fromEntries(
+    Object.entries(input).map(([credentialQueryId, value]) => {
+      const presentationsArray = normalizeToArray(credentialQueryId, value)
+      return [credentialQueryId, presentationsArray]
+    })
+  ) as DcqlVpToken
+}
+
+
 export const createResponsePayload = async (
   authorizationRequest: AuthorizationRequest,
   responseOpts: AuthorizationResponseOpts,
-  idTokenPayload?: IDTokenPayload,
+  idTokenPayload?: IDTokenPayload
 ): Promise<AuthorizationResponsePayload | undefined> => {
   assertValidResponseOpts(responseOpts)
   if (!authorizationRequest) {
@@ -20,15 +95,21 @@ export const createResponsePayload = async (
   const state: string | undefined = authorizationRequest.getMergedProperty('state')
 
   const responsePayload: AuthorizationResponsePayload = {
-    ...(responseOpts.accessToken && { access_token: responseOpts.accessToken, expires_in: responseOpts.expiresIn || 3600 }),
+    ...(responseOpts.accessToken && {
+      access_token: responseOpts.accessToken,
+      expires_in: responseOpts.expiresIn || 3600
+    }),
     ...(responseOpts.tokenType && { token_type: responseOpts.tokenType }),
     ...(responseOpts.refreshToken && { refresh_token: responseOpts.refreshToken }),
     ...(responseOpts.isFirstParty && { is_first_party: responseOpts.isFirstParty }),
-    state,
+    state
   }
 
   if (responseOpts.dcqlResponse?.dcqlPresentation) {
-    responsePayload.vp_token = DcqlPresentation.encode(responseOpts.dcqlResponse.dcqlPresentation as DcqlPresentation)
+    const canonicalPresentation = toCanonicalDcqlPresentation(
+      responseOpts.dcqlResponse.dcqlPresentation
+    )
+    responsePayload.vp_token = DcqlPresentation.encode(canonicalPresentation)
   }
 
   if (idTokenPayload) {
@@ -46,7 +127,7 @@ export const createResponsePayload = async (
  */
 export const mergeOAuth2AndOpenIdInRequestPayload = async (
   payload: AuthorizationRequestPayload,
-  requestObject?: RequestObject,
+  requestObject?: RequestObject
 ): Promise<AuthorizationRequestPayload> => {
   const payloadCopy = JSON.parse(JSON.stringify(payload))
 

packages/siop-oid4vp/lib/authorization-response/types.ts

@@ -6,21 +6,22 @@ import {
   HasherSync,
   MdocOid4vpIssuerSigned,
   PresentationSubmission,
-  W3CVerifiablePresentation,
+  W3CVerifiablePresentation
 } from '@sphereon/ssi-types'
 import { DcqlQuery } from 'dcql'
 import { AuthorizationResponse } from './AuthorizationResponse'
 import {
   CreateJwtCallback,
+  DcqlVpTokenInput,
+  ResponseIss,
   ResponseMode,
   ResponseRegistrationOpts,
   ResponseType,
   ResponseURIType,
   SupportedVersion,
   VerifiablePresentationWithFormat,
   Verification,
-  VerifyJwtCallback,
-  ResponseIss
+  VerifyJwtCallback
 } from '../types'
 
 export interface AuthorizationResponseOpts {
@@ -42,7 +43,7 @@ export interface AuthorizationResponseOpts {
 }
 
 export interface DcqlResponseOpts {
-  dcqlPresentation: Record<string, string | Record<string, unknown> | Array<string | Record<string, unknown>>>
+  dcqlPresentation: DcqlVpTokenInput
 }
 
 export interface DcqlQueryPayloadOpts {

packages/siop-oid4vp/lib/schemas/AuthorizationResponseOpts.schema.ts

@@ -874,38 +874,76 @@ export const AuthorizationResponseOptsSchemaObj = {
       "type": "object",
       "properties": {
         "dcqlPresentation": {
-          "type": "object",
-          "additionalProperties": {
-            "anyOf": [
-              {
-                "type": "string"
-              },
-              {
-                "type": "object",
-                "additionalProperties": {}
-              },
-              {
-                "type": "array",
-                "items": {
-                  "anyOf": [
-                    {
-                      "type": "string"
-                    },
-                    {
-                      "type": "object",
-                      "additionalProperties": {}
-                    }
-                  ]
-                }
-              }
-            ]
-          }
+          "$ref": "#/definitions/DcqlVpTokenInput"
         }
       },
       "required": [
         "dcqlPresentation"
       ],
       "additionalProperties": false
+    },
+    "DcqlVpTokenInput": {
+      "type": "object",
+      "additionalProperties": {
+        "anyOf": [
+          {
+            "$ref": "#/definitions/DcqlPresentationEntry"
+          },
+          {
+            "type": "array",
+            "items": {
+              "$ref": "#/definitions/DcqlPresentationEntry"
+            }
+          },
+          {
+            "type": "object",
+            "additionalProperties": {
+              "$ref": "#/definitions/DcqlPresentationEntry"
+            }
+          }
+        ]
+      }
+    },
+    "DcqlPresentationEntry": {
+      "anyOf": [
+        {
+          "type": "string"
+        },
+        {
+          "type": "object",
+          "additionalProperties": {
+            "$ref": "#/definitions/Json"
+          }
+        }
+      ]
+    },
+    "Json": {
+      "anyOf": [
+        {
+          "type": "string"
+        },
+        {
+          "type": "number"
+        },
+        {
+          "type": "boolean"
+        },
+        {
+          "type": "null"
+        },
+        {
+          "type": "object",
+          "additionalProperties": {
+            "$ref": "#/definitions/Json"
+          }
+        },
+        {
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/Json"
+          }
+        }
+      ]
     }
   }
 };

packages/siop-oid4vp/lib/types/SIOP.types.ts

@@ -2,9 +2,7 @@ import { JarmClientMetadata } from '@sphereon/jarm'
 import { DynamicRegistrationClientMetadata, SigningAlgo } from '@sphereon/oid4vc-common'
 import {
   AdditionalClaims,
-  CompactSdJwtVc,
   Format,
-  MdocOid4vpMdocVpToken,
   W3CVerifiableCredential,
   W3CVerifiablePresentation,
   WrappedVerifiablePresentation
@@ -37,9 +35,12 @@ import {
   CreateAuthorizationResponsePayloadSchema,
   CreateAuthorizationResponseSchema,
   QRCodeOptsPayloadSchema,
-  QRCodeOptsSchema, RequestErrorPayloadSchema, RequestErrorSchema,
+  QRCodeOptsSchema,
+  RequestErrorPayloadSchema,
+  RequestErrorSchema,
   VerifiedDataOptsSchema
 } from '../schemas'
+import { Json } from './Json.types'
 
 export const DEFAULT_EXPIRATION_TIME = 10 * 60
 
@@ -178,6 +179,14 @@ export interface IDTokenPayload extends JWTPayload {
   }
 }
 
+export type NonEmptyArray<T> = [T, ...T[]]
+export type DcqlPresentationEntry = string | Record<string, Json>
+export type DcqlVpToken = Record<string, NonEmptyArray<DcqlPresentationEntry>>
+export type DcqlVpTokenInput = Record<
+  string,
+  DcqlPresentationEntry | DcqlPresentationEntry[] | Record<string, DcqlPresentationEntry>
+>
+
 export type EncodedDcqlPresentationVpToken = string
 
 export interface AuthorizationResponsePayload {
@@ -187,12 +196,7 @@ export interface AuthorizationResponsePayload {
   expires_in?: number
   state?: string
   id_token?: string
-  vp_token?:
-    | Array<W3CVerifiablePresentation | CompactSdJwtVc | MdocOid4vpMdocVpToken>
-    | W3CVerifiablePresentation
-    | CompactSdJwtVc
-    | MdocOid4vpMdocVpToken
-    | EncodedDcqlPresentationVpToken
+  vp_token?: EncodedDcqlPresentationVpToken
   is_first_party?: boolean
   // eslint-disable-next-line @typescript-eslint/no-explicit-any
   [x: string]: any