Merge remote-tracking branch 'origin/feature/SSISDK-73_cnonce_fix' into feature/DIIPv4

Author: sanderPostma

packages/issuer-rest/lib/__tests__/nonceEndpoint.spec.ts

@@ -76,7 +76,7 @@ describe('Nonce Endpoint', () => {
     await new Promise((resolve) => setTimeout((v: void) => resolve(v), 500))
   })
 
-  it('should return fresh c_nonce without authorization', async () => {
+  it('should return fresh c_nonce', async () => {
     const res = await requests(app).post('/nonce').send()
 
     expect(res.statusCode).toEqual(200)
@@ -101,19 +101,6 @@ describe('Nonce Endpoint', () => {
     expect(storedNonce?.expiresAt).toBeGreaterThan(Math.floor(Date.now() / 1000))
   })
 
-  it('should return error with invalid access token', async () => {
-    const res = await requests(app)
-      .post('/nonce')
-      .set('Authorization', 'Bearer invalid-token')
-      .send()
-
-    expect(res.statusCode).toEqual(400)
-    const actual = JSON.parse(res.text)
-    expect(actual).toEqual({
-      error: 'invalid_token'
-    })
-  })
-
   it('should work when nonce endpoint is disabled', async () => {
     const disabledVcIssuer = new VcIssuer(
       {

packages/issuer-rest/lib/oid4vci-api-functions.ts

@@ -1,4 +1,4 @@
-import { epochTime, uuidv4 } from '@sphereon/oid4vc-common'
+import { uuidv4 } from '@sphereon/oid4vc-common'
 import {
   ACCESS_TOKEN_ISSUER_REQUIRED_ERROR,
   AccessTokenRequest,
@@ -434,46 +434,18 @@ export function nonceEndpoint(router: Router, issuer: VcIssuer, opts: INonceEndp
 
   router.post(path, async (request: Request, response: Response) => {
     try {
-      let preAuthorizedCode: string | undefined
-      let issuerState: string | undefined
-
-      // Verify access token if present (optional per spec)
-      // If not present, the nonce will be unbound to any session
-      if (request.header('Authorization')) {
-        try {
-          const jwt = extractBearerToken(request.header('Authorization'))
-          const jwtResult = await validateJWT(jwt, {
-            accessTokenVerificationCallback: issuer.jwtVerifyCallback
-          })
-
-          // Extract session info from access token
-          const accessToken = jwtResult.jwt.payload as AccessTokenRequest
-          preAuthorizedCode = accessToken['pre-authorized_code']
-        } catch (e) {
-          LOG.warning(e)
-          return sendErrorResponse(response, 400, {
-            error: 'invalid_token'
-          })
-        }
-      }
-
       const cNonce = uuidv4()
       const cNonceExpiresIn = issuer.cNonceExpiresIn || 300
 
-      const createdAt = epochTime()
+      const createdAt = +Date.now()
+      const expiresAt = createdAt + Math.abs(cNonceExpiresIn) * 1000
+
 
       // Create nonce state - only include session identifiers if available
       const cNonceState: any = {
         cNonce,
-        createdAt: createdAt,
-        expiresAt: createdAt + cNonceExpiresIn
-      }
-
-      if (preAuthorizedCode) {
-        cNonceState.preAuthorizedCode = preAuthorizedCode
-      }
-      if (issuerState) {
-        cNonceState.issuerState = issuerState
+        createdAt,
+        expiresAt
       }
 
       await issuer.cNonces.set(cNonce, cNonceState)

packages/siop-oid4vp/lib/authorization-response/OpenID4VP.ts

@@ -104,10 +104,26 @@ export const extractDcqlPresentationFromDcqlVpToken = (
   opts?: { hasher?: HasherSync },
 ): PresentationSubmission => {
   return Object.fromEntries(
-      Object.entries(DcqlPresentation.parse(vpToken)).map(([credentialQueryId, vp]) => [
+    Object.entries(DcqlPresentation.parse(vpToken)).map(([credentialQueryId, vp]) => {
+      let singleVp: W3CVerifiablePresentation | CompactSdJwtVc | string
+
+      if (Array.isArray(vp)) {
+        if (vp.length === 0) {
+          throw new Error(`DCQL query '${credentialQueryId}' has empty array of presentations`)
+        }
+        if (vp.length > 1) {
+          throw new Error(`DCQL query '${credentialQueryId}' has multiple presentations (${vp.length}), but only one is supported atm`)
+        }
+        singleVp = vp[0]
+      } else {
+        singleVp = vp
+      }
+
+      return [
         credentialQueryId,
-        CredentialMapper.toWrappedVerifiablePresentation(vp as W3CVerifiablePresentation | CompactSdJwtVc | string, {hasher: opts?.hasher}),
-      ]),
+        CredentialMapper.toWrappedVerifiablePresentation(singleVp as W3CVerifiablePresentation | CompactSdJwtVc | string, {hasher: opts?.hasher}),
+      ]
+    }),
   )
 }
 

packages/siop-oid4vp/lib/authorization-response/Payload.ts

@@ -3,13 +3,85 @@ import { AuthorizationRequest } from '../authorization-request'
 import { IDToken } from '../id-token'
 import { RequestObject } from '../request-object'
 import { assertValidResponseOpts } from './Opts'
-import { AuthorizationRequestPayload, AuthorizationResponsePayload, IDTokenPayload, SIOPErrors } from '../types'
+import {
+  AuthorizationRequestPayload,
+  AuthorizationResponsePayload,
+  DcqlPresentationEntry,
+  DcqlVpToken,
+  DcqlVpTokenInput,
+  IDTokenPayload,
+  NonEmptyArray,
+  SIOPErrors
+} from '../types'
 import { AuthorizationResponseOpts } from './types'
 
+
+/**
+ * Checks if an object is array-like (has only numeric string keys: "0", "1", "2", etc.)
+ * This handles objects that were serialized arrays: { "0": val1, "1": val2 }
+ */
+const isArrayLikeObject = (value: unknown): value is Record<string, DcqlPresentationEntry> => {
+  if (!value || typeof value !== 'object' || Array.isArray(value)) {
+    return false
+  }
+  const keys = Object.keys(value)
+  return keys.length > 0 && keys.every(key => /^\d+$/.test(key))
+}
+
+/**
+ * Normalizes a credential query value to an array.
+ * Handles three input formats:
+ * 1. Single value: "credential" -> ["credential"]
+ * 2. Array: ["cred1", "cred2"] -> ["cred1", "cred2"]
+ * 3. Array-like object: {"0": "cred1", "1": "cred2"} -> ["cred1", "cred2"]
+ */
+const normalizeToArray = (
+  credentialQueryId: string,
+  value: DcqlPresentationEntry | DcqlPresentationEntry[] | Record<string, DcqlPresentationEntry>
+): NonEmptyArray<DcqlPresentationEntry> => {
+  let presentationsArray: DcqlPresentationEntry[]
+
+  if (Array.isArray(value)) {
+    presentationsArray = value
+  } else if (isArrayLikeObject(value)) {
+    const sortedKeys = Object.keys(value).sort((a, b) => Number(a) - Number(b))
+    presentationsArray = sortedKeys.map(key => value[key])
+  } else {
+    presentationsArray = [value]
+  }
+
+  if (presentationsArray.length === 0) {
+    throw new Error(
+      `DCQL presentations for credential query '${credentialQueryId}' cannot be empty`
+    )
+  }
+
+  return presentationsArray as NonEmptyArray<DcqlPresentationEntry>
+}
+
+/**
+ * Converts a DCQL presentation input (which may have mixed formats) to the canonical
+ * format where all credential queries map to non-empty arrays of presentations.
+ *
+ * This ensures consistent handling of:
+ * - Single presentations: { "PID": "eyJ..." } -> { "PID": ["eyJ..."] }
+ * - Array presentations: { "PID": ["eyJ..."] } -> { "PID": ["eyJ..."] }
+ * - Array-like objects: { "PID": {"0": "eyJ..."} } -> { "PID": ["eyJ..."] }
+ */
+const toCanonicalDcqlPresentation = (input: DcqlVpTokenInput): DcqlVpToken => {
+  return Object.fromEntries(
+    Object.entries(input).map(([credentialQueryId, value]) => {
+      const presentationsArray = normalizeToArray(credentialQueryId, value)
+      return [credentialQueryId, presentationsArray]
+    })
+  ) as DcqlVpToken
+}
+
+
 export const createResponsePayload = async (
   authorizationRequest: AuthorizationRequest,
   responseOpts: AuthorizationResponseOpts,
-  idTokenPayload?: IDTokenPayload,
+  idTokenPayload?: IDTokenPayload
 ): Promise<AuthorizationResponsePayload | undefined> => {
   assertValidResponseOpts(responseOpts)
   if (!authorizationRequest) {
@@ -20,15 +92,21 @@ export const createResponsePayload = async (
   const state: string | undefined = authorizationRequest.getMergedProperty('state')
 
   const responsePayload: AuthorizationResponsePayload = {
-    ...(responseOpts.accessToken && { access_token: responseOpts.accessToken, expires_in: responseOpts.expiresIn || 3600 }),
+    ...(responseOpts.accessToken && {
+      access_token: responseOpts.accessToken,
+      expires_in: responseOpts.expiresIn || 3600
+    }),
     ...(responseOpts.tokenType && { token_type: responseOpts.tokenType }),
     ...(responseOpts.refreshToken && { refresh_token: responseOpts.refreshToken }),
     ...(responseOpts.isFirstParty && { is_first_party: responseOpts.isFirstParty }),
-    state,
+    state
   }
 
   if (responseOpts.dcqlResponse?.dcqlPresentation) {
-    responsePayload.vp_token = DcqlPresentation.encode(responseOpts.dcqlResponse.dcqlPresentation as DcqlPresentation)
+    const canonicalPresentation = toCanonicalDcqlPresentation(
+      responseOpts.dcqlResponse.dcqlPresentation
+    )
+    responsePayload.vp_token = DcqlPresentation.encode(canonicalPresentation)
   }
 
   if (idTokenPayload) {
@@ -46,7 +124,7 @@ export const createResponsePayload = async (
  */
 export const mergeOAuth2AndOpenIdInRequestPayload = async (
   payload: AuthorizationRequestPayload,
-  requestObject?: RequestObject,
+  requestObject?: RequestObject
 ): Promise<AuthorizationRequestPayload> => {
   const payloadCopy = JSON.parse(JSON.stringify(payload))
 

packages/siop-oid4vp/lib/authorization-response/types.ts

@@ -6,21 +6,22 @@ import {
   HasherSync,
   MdocOid4vpIssuerSigned,
   PresentationSubmission,
-  W3CVerifiablePresentation,
+  W3CVerifiablePresentation
 } from '@sphereon/ssi-types'
 import { DcqlQuery } from 'dcql'
 import { AuthorizationResponse } from './AuthorizationResponse'
 import {
   CreateJwtCallback,
+  DcqlVpTokenInput,
+  ResponseIss,
   ResponseMode,
   ResponseRegistrationOpts,
   ResponseType,
   ResponseURIType,
   SupportedVersion,
   VerifiablePresentationWithFormat,
   Verification,
-  VerifyJwtCallback,
-  ResponseIss
+  VerifyJwtCallback
 } from '../types'
 
 export interface AuthorizationResponseOpts {
@@ -42,7 +43,7 @@ export interface AuthorizationResponseOpts {
 }
 
 export interface DcqlResponseOpts {
-  dcqlPresentation: Record<string, string | Record<string, unknown> | Array<string | Record<string, unknown>>>
+  dcqlPresentation: DcqlVpTokenInput
 }
 
 export interface DcqlQueryPayloadOpts {

packages/siop-oid4vp/lib/schemas/AuthorizationResponseOpts.schema.ts

@@ -874,38 +874,76 @@ export const AuthorizationResponseOptsSchemaObj = {
       "type": "object",
       "properties": {
         "dcqlPresentation": {
-          "type": "object",
-          "additionalProperties": {
-            "anyOf": [
-              {
-                "type": "string"
-              },
-              {
-                "type": "object",
-                "additionalProperties": {}
-              },
-              {
-                "type": "array",
-                "items": {
-                  "anyOf": [
-                    {
-                      "type": "string"
-                    },
-                    {
-                      "type": "object",
-                      "additionalProperties": {}
-                    }
-                  ]
-                }
-              }
-            ]
-          }
+          "$ref": "#/definitions/DcqlVpTokenInput"
         }
       },
       "required": [
         "dcqlPresentation"
       ],
       "additionalProperties": false
+    },
+    "DcqlVpTokenInput": {
+      "type": "object",
+      "additionalProperties": {
+        "anyOf": [
+          {
+            "$ref": "#/definitions/DcqlPresentationEntry"
+          },
+          {
+            "type": "array",
+            "items": {
+              "$ref": "#/definitions/DcqlPresentationEntry"
+            }
+          },
+          {
+            "type": "object",
+            "additionalProperties": {
+              "$ref": "#/definitions/DcqlPresentationEntry"
+            }
+          }
+        ]
+      }
+    },
+    "DcqlPresentationEntry": {
+      "anyOf": [
+        {
+          "type": "string"
+        },
+        {
+          "type": "object",
+          "additionalProperties": {
+            "$ref": "#/definitions/Json"
+          }
+        }
+      ]
+    },
+    "Json": {
+      "anyOf": [
+        {
+          "type": "string"
+        },
+        {
+          "type": "number"
+        },
+        {
+          "type": "boolean"
+        },
+        {
+          "type": "null"
+        },
+        {
+          "type": "object",
+          "additionalProperties": {
+            "$ref": "#/definitions/Json"
+          }
+        },
+        {
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/Json"
+          }
+        }
+      ]
     }
   }
 };