Sphereon-Opensource
diff --git a/‎packages/issuer-rest/lib/OID4VCIServer.ts‎
Lines changed: 43 additions & 17 deletions b/‎packages/issuer-rest/lib/OID4VCIServer.ts‎
Lines changed: 43 additions & 17 deletions
diff --git a/‎packages/issuer-rest/lib/__tests__/nonceEndpoint.spec.ts‎
Lines changed: 158 additions & 0 deletions b/‎packages/issuer-rest/lib/__tests__/nonceEndpoint.spec.ts‎
Lines changed: 158 additions & 0 deletions
@@ -27,7 +27,7 @@ import {
   getCredentialOfferEndpoint,
   getCredentialOfferReferenceEndpoint,
   getIssueStatusEndpoint,
-  getMetadataEndpoints,
+  getMetadataEndpoints, nonceEndpoint,
   pushedAuthorizationEndpoint
 } from './oid4vci-api-functions'
 
@@ -38,7 +38,7 @@ function buildVCIFromEnvironment() {
     .withFormat(process.env.credential_supported_format as unknown as OID4VCICredentialFormat)
     .withCredentialName(process.env.credential_supported_name_1 as string)
     .withCredentialDefinition({
-      type: [process.env.credential_supported_1_definition_type_1 as string, process.env.credential_supported_1_definition_type_2 as string],
+      type: [process.env.credential_supported_1_definition_type_1 as string, process.env.credential_supported_1_definition_type_2 as string]
       // TODO: setup credentialSubject here from env
       // credentialSubject
     })
@@ -47,20 +47,24 @@ function buildVCIFromEnvironment() {
       locale: process.env.credential_display_locale as string,
       logo: {
         url: process.env.credential_display_logo_url as string,
-        alt_text: process.env.credential_display_logo_alt_text as string,
+        alt_text: process.env.credential_display_logo_alt_text as string
       },
       background_color: process.env.credential_display_background_color as string,
-      text_color: process.env.credential_display_text_color as string,
+      text_color: process.env.credential_display_text_color as string
     })
     .build()
   const issuerBuilder = new VcIssuerBuilder()
-    .withTXCode({ length: process.env.user_pin_length as unknown as number, input_mode: process.env.user_pin_input_mode as 'numeric' | 'text' })
+    .withTXCode({
+      length: process.env.user_pin_length as unknown as number,
+      input_mode: process.env.user_pin_input_mode as 'numeric' | 'text'
+    })
     .withAuthorizationServers(process.env.authorization_server as string)
     .withCredentialEndpoint(process.env.credential_endpoint as string)
+    .withNonceEndpoint(process.env.nonce_endpoint as string)
     .withCredentialIssuer(process.env.credential_issuer as string)
     .withIssuerDisplay({
       name: process.env.issuer_name as string,
-      locale: process.env.issuer_locale as string,
+      locale: process.env.issuer_locale as string
     })
     .withCredentialConfigurationsSupported(credentialsSupported)
     .withInMemoryCredentialOfferState()
@@ -73,7 +77,7 @@ function buildVCIFromEnvironment() {
     issuerBuilder.withASClientMetadataParams({
       client_id: process.env.authorization_server_client_id,
       client_secret: process.env.authorization_server_client_secret,
-      redirect_uris: [process.env.authorization_server_redirect_uri],
+      redirect_uris: [process.env.authorization_server_redirect_uri]
     })
   }
 
@@ -133,6 +137,11 @@ export interface IOID4VCIEndpointOpts {
   getIssuePayloadOpts?: IGetIssuePayloadEndpointOpts
   parOpts?: ISingleEndpointOpts
   authorizationChallengeOpts?: IAuthorizationChallengeEndpointOpts
+  nonceOpts?: INonceEndpointOpts
+}
+
+export interface INonceEndpointOpts extends ISingleEndpointOpts {
+  baseUrl: string | URL
 }
 
 export interface IOID4VCIServerOpts extends HasEndpointOpts {
@@ -153,7 +162,9 @@ export class OID4VCIServer {
 
   constructor(
     expressSupport: ExpressSupport,
-    opts: IOID4VCIServerOpts & { issuer?: VcIssuer } /*If not supplied as argument, it will be fully configured from environment variables*/,
+    opts: IOID4VCIServerOpts & {
+      issuer?: VcIssuer
+    } /*If not supplied as argument, it will be fully configured from environment variables*/
   ) {
     this._baseUrl = new URL(opts?.baseUrl ?? process.env.BASE_URL ?? opts?.issuer?.issuerMetadata?.credential_issuer ?? 'http://localhost')
     this._expressSupport = expressSupport
@@ -169,7 +180,7 @@ export class OID4VCIServer {
     if (this.isGetIssuePayloadEndpointEnabled(opts?.endpointOpts?.getIssuePayloadOpts)) {
       issuerPayloadPath = getCredentialOfferReferenceEndpoint(this.router, this.issuer, {
         ...opts?.endpointOpts?.getIssuePayloadOpts,
-        baseUrl: this.baseUrl,
+        baseUrl: this.baseUrl
       })
     }
 
@@ -185,11 +196,11 @@ export class OID4VCIServer {
         opts.endpointOpts?.tokenEndpointOpts?.accessTokenVerificationCallback ??
         (this._asClientOpts
           ? oidcAccessTokenVerifyCallback({
-              clientMetadata: this._asClientOpts,
-              credentialIssuer: this._issuer.issuerMetadata.credential_issuer,
-              authorizationServer: this._issuer.issuerMetadata.authorization_servers![0],
-            })
-          : undefined),
+            clientMetadata: this._asClientOpts,
+            credentialIssuer: this._issuer.issuerMetadata.credential_issuer,
+            authorizationServer: this._issuer.issuerMetadata.authorization_servers![0]
+          })
+          : undefined)
     })
     this.assertAccessTokenHandling()
     if (!this.isTokenEndpointDisabled(opts?.endpointOpts?.tokenEndpointOpts, opts?.asClientOpts)) {
@@ -204,7 +215,17 @@ export class OID4VCIServer {
       } else if (!opts?.endpointOpts?.authorizationChallengeOpts?.verifyAuthResponseCallback) {
         throw Error(`Unable to enable authorization challenge endpoint. No verifyAuthResponseCallback present in authorization challenge options`)
       }
-      authorizationChallengeEndpoint(this.router, this.issuer, { ...opts?.endpointOpts?.authorizationChallengeOpts, baseUrl: this.baseUrl })
+      authorizationChallengeEndpoint(this.router, this.issuer, {
+        ...opts?.endpointOpts?.authorizationChallengeOpts,
+        baseUrl: this.baseUrl
+      })
+    }
+
+    if (this.isNonceEndpointEnabled(opts?.endpointOpts?.nonceOpts)) {
+      nonceEndpoint(this.router, this.issuer, {
+        ...opts?.endpointOpts?.nonceOpts,
+        baseUrl: this.baseUrl,
+      })
     }
     this._app.use(getBasePath(this.baseUrl), this._router)
   }
@@ -253,7 +274,7 @@ export class OID4VCIServer {
     if (this.isTokenEndpointDisabled(tokenEndpointOpts, this.issuer.asClientOpts)) {
       if (!authServer || authServer.length === 0) {
         throw Error(
-          `No Authorization Server (AS) is defined in the issuer metadata and the token endpoint is disabled. An AS or token endpoints needs to be present`,
+          `No Authorization Server (AS) is defined in the issuer metadata and the token endpoint is disabled. An AS or token endpoints needs to be present`
         )
       }
       if (this.issuer.asClientOpts) {
@@ -264,13 +285,18 @@ export class OID4VCIServer {
     } else {
       if (authServer && authServer.some((as) => as !== this.issuer.issuerMetadata.credential_issuer)) {
         throw Error(
-          `An external Authorization Server (AS) was already enabled in the issuer metadata (${authServer}). Cannot both have an AS and enable the token endpoint at the same time `,
+          `An external Authorization Server (AS) was already enabled in the issuer metadata (${authServer}). Cannot both have an AS and enable the token endpoint at the same time `
         )
       } else if (this._asClientOpts) {
         throw Error(`OIDC Client metadata is set, but the token endpoint is not disabled. This is not supported.`)
       }
     }
   }
+
+  private isNonceEndpointEnabled(nonceEndpointOpts?: INonceEndpointOpts) {
+    return nonceEndpointOpts?.enabled !== false || process.env.NONCE_ENDPOINT_ENABLED !== 'false'
+  }
+
   get baseUrl(): URL {
     return this._baseUrl
   }
 
@@ -0,0 +1,158 @@
+import { CNonceState, CredentialIssuerMetadataOptsV1_0_15 } from '@sphereon/oid4vci-common'
+import { AuthorizationServerMetadataBuilder, MemoryStates, VcIssuer } from '@sphereon/oid4vci-issuer'
+import { ExpressBuilder, ExpressSupport } from '@sphereon/ssi-express-support'
+import { Express } from 'express'
+import requests from 'supertest'
+import { afterAll, beforeAll, describe, expect, it } from 'vitest'
+
+import { OID4VCIServer } from '../OID4VCIServer'
+
+const authorizationServerMetadata = new AuthorizationServerMetadataBuilder()
+  .withIssuer('test-issuer')
+  .withNonceEndpoint('http://localhost:9002/nonce')
+  .withCredentialEndpoint('http://localhost:9002/credential-endpoint')
+  .withTokenEndpoint('http://localhost:9002/token')
+  .withResponseTypesSupported(['code'])
+  .build()
+
+describe('Nonce Endpoint', () => {
+  let app: Express
+  let expressSupport: ExpressSupport
+  let vcIssuer: VcIssuer
+
+  beforeAll(async () => {
+    vcIssuer = new VcIssuer(
+      {
+        credential_endpoint: 'http://localhost:9002/credential-endpoint',
+        nonce_endpoint: 'http://localhost:9002/nonce',
+        credential_issuer: 'test_issuer',
+        credential_configurations_supported: {
+          TestCredential: {
+            format: 'jwt_vc_json',
+            credential_definition: {
+              type: ['VerifiableCredential']
+            },
+            cryptographic_binding_methods_supported: ['did'],
+            credential_signing_alg_values_supported: ['ES256K']
+          }
+        }
+      } as CredentialIssuerMetadataOptsV1_0_15,
+      authorizationServerMetadata,
+      {
+        cNonceExpiresIn: 300,
+        credentialOfferSessions: new MemoryStates(),
+        cNonces: new MemoryStates<CNonceState>()
+      }
+    )
+
+    expressSupport = ExpressBuilder.fromServerOpts({
+      startListening: false,
+      port: 9002,
+      hostname: '0.0.0.0'
+    }).build({ startListening: false })
+
+    const vcIssuerServer = new OID4VCIServer(expressSupport, {
+      issuer: vcIssuer,
+      baseUrl: 'http://localhost:9002',
+      endpointOpts: {
+        tokenEndpointOpts: {
+          tokenEndpointDisabled: true
+        },
+        nonceOpts: {
+          enabled: true,
+          baseUrl: 'http://localhost:9002'
+        }
+      }
+    })
+
+    expressSupport.start()
+    app = vcIssuerServer.app
+  })
+
+  afterAll(async () => {
+    if (expressSupport) {
+      await expressSupport.stop()
+    }
+    await new Promise((resolve) => setTimeout((v: void) => resolve(v), 500))
+  })
+
+  it('should return fresh c_nonce without authorization', async () => {
+    const res = await requests(app).post('/nonce').send()
+
+    expect(res.statusCode).toEqual(200)
+    const actual = JSON.parse(res.text)
+    expect(actual).toEqual({
+      c_nonce: expect.any(String),
+      c_nonce_expires_in: 300
+    })
+    expect(actual.c_nonce).toMatch(/^[a-f0-9-]{36}$/) // UUID format
+  })
+
+  it('should store nonce in issuer state', async () => {
+    const res = await requests(app).post('/nonce').send()
+
+    expect(res.statusCode).toEqual(200)
+    const { c_nonce } = JSON.parse(res.text)
+
+    const storedNonce = await vcIssuer.cNonces.get(c_nonce)
+    expect(storedNonce).toBeDefined()
+    expect(storedNonce?.cNonce).toEqual(c_nonce)
+    expect(storedNonce?.createdAt).toBeTypeOf('number')
+    expect(storedNonce?.expiresAt).toBeGreaterThan(Math.floor(Date.now() / 1000))
+  })
+
+  it('should return error with invalid access token', async () => {
+    const res = await requests(app)
+      .post('/nonce')
+      .set('Authorization', 'Bearer invalid-token')
+      .send()
+
+    expect(res.statusCode).toEqual(400)
+    const actual = JSON.parse(res.text)
+    expect(actual).toEqual({
+      error: 'invalid_token'
+    })
+  })
+
+  it('should work when nonce endpoint is disabled', async () => {
+    const disabledVcIssuer = new VcIssuer(
+      {
+        credential_endpoint: 'http://localhost:9003/credential-endpoint',
+        credential_issuer: 'test_issuer',
+        credential_configurations_supported: {}
+      } as CredentialIssuerMetadataOptsV1_0_15,
+      new AuthorizationServerMetadataBuilder()
+        .withIssuer('test')
+        .withResponseTypesSupported(['code'])
+        .build(),
+      {
+        credentialOfferSessions: new MemoryStates(),
+        cNonces: new MemoryStates<CNonceState>()
+      }
+    )
+
+    const disabledExpressSupport = ExpressBuilder.fromServerOpts({
+      startListening: false,
+      port: 9003
+    }).build({ startListening: false })
+
+    new OID4VCIServer(disabledExpressSupport, {
+      issuer: disabledVcIssuer,
+      baseUrl: 'http://localhost:9003',
+      endpointOpts: {
+        tokenEndpointOpts: {
+          tokenEndpointDisabled: true
+        },
+        nonceOpts: {
+          enabled: false,
+          baseUrl: 'http://localhost:9003'
+        }
+      }
+    })
+
+    const res = await requests(disabledExpressSupport.express).post('/nonce').send()
+    expect(res.statusCode).toEqual(404)
+
+    await disabledExpressSupport.stop()
+  })
+})