feat: [EUDIW-209] Add Remote presentation for Potential (#174)

Co-authored-by: LazyAfternoons <[email protected]>

Author: manuraf

package.json

@@ -107,8 +107,10 @@
     ]
   },
   "dependencies": {
+    "ajv": "^8.17.1",
     "js-base64": "^3.7.7",
     "js-sha256": "^0.9.0",
+    "jsonpath-plus": "^10.2.0",
     "parse-url": "^9.2.0",
     "react-native-url-polyfill": "^2.0.0",
     "react-native-uuid": "^2.0.1",

src/credential/presentation/01-start-flow.ts

@@ -1,6 +1,5 @@
 import * as z from "zod";
-import { decodeBase64 } from "@pagopa/io-react-native-jwt";
-import { AuthRequestDecodeError } from "./errors";
+import { InvalidQRCodeError } from "./errors";
 
 const QRCodePayload = z.object({
   protocol: z.string(),
@@ -31,10 +30,15 @@ export type StartFlow<T extends Array<unknown> = []> = (...args: T) => {
 export const startFlowFromQR: StartFlow<[string]> = (qrcode) => {
   let decodedUrl: URL;
   try {
-    const decoded = decodeBase64(qrcode);
-    decodedUrl = new URL(decoded);
+    // splitting qrcode to identify which is link format
+    const originalQrCode = qrcode.split("://");
+    const replacedQrcode = originalQrCode[1]?.startsWith("?")
+      ? qrcode.replace(`${originalQrCode[0]}://`, "https://wallet.example/")
+      : qrcode;
+
+    decodedUrl = new URL(replacedQrcode);
   } catch (error) {
-    throw new AuthRequestDecodeError("Failed to decode QR code: ", qrcode);
+    throw new InvalidQRCodeError(`Failed to decode QR code:  ${qrcode}`);
   }
 
   const protocol = decodedUrl.protocol;
@@ -52,6 +56,6 @@ export const startFlowFromQR: StartFlow<[string]> = (qrcode) => {
   if (result.success) {
     return result.data;
   } else {
-    throw new AuthRequestDecodeError(result.error.message, `${decodedUrl}`);
+    throw new InvalidQRCodeError(`${result.error.message}, ${decodedUrl}`);
   }
 };

src/credential/presentation/04-get-request-object.ts renamed to src/credential/presentation/03-get-request-object.ts

@@ -1,27 +1,21 @@
 import uuid from "react-native-uuid";
 import {
-  decode as decodeJwt,
   sha256ToBase64,
-  verify,
   type CryptoContext,
 } from "@pagopa/io-react-native-jwt";
 
 import { createDPopToken } from "../../utils/dpop";
-import { NoSuitableKeysFoundInEntityConfiguration } from "./errors";
-import type { FetchJwks } from "./03-retrieve-jwks";
 import { hasStatusOrThrow, type Out } from "../../utils/misc";
 import type { StartFlow } from "./01-start-flow";
-import { RequestObject } from "./types";
 
 export type GetRequestObject = (
   requestUri: Out<StartFlow>["requestURI"],
   context: {
     wiaCryptoContext: CryptoContext;
     appFetch?: GlobalFetch["fetch"];
     walletInstanceAttestation: string;
-  },
-  jwkKeys?: Out<FetchJwks>["keys"]
-) => Promise<{ requestObject: RequestObject }>;
+  }
+) => Promise<{ requestObjectEncodedJwt: string }>;
 
 /**
  * Obtain the Request Object for RP authentication
@@ -36,8 +30,7 @@ export type GetRequestObject = (
  */
 export const getRequestObject: GetRequestObject = async (
   requestUri,
-  { wiaCryptoContext, appFetch = fetch, walletInstanceAttestation },
-  jwkKeys
+  { wiaCryptoContext, appFetch = fetch, walletInstanceAttestation }
 ) => {
   const signedWalletInstanceDPoP = await createDPopToken(
     {
@@ -49,55 +42,17 @@ export const getRequestObject: GetRequestObject = async (
     wiaCryptoContext
   );
 
-  const responseEncodedJwt = await appFetch(requestUri, {
+  const requestObjectEncodedJwt = await appFetch(requestUri, {
     method: "GET",
     headers: {
       Authorization: `DPoP ${walletInstanceAttestation}`,
       DPoP: signedWalletInstanceDPoP,
     },
   })
     .then(hasStatusOrThrow(200))
-    .then((res) => res.json())
-    .then((responseJson) => responseJson.response);
-
-  const responseJwt = decodeJwt(responseEncodedJwt);
-
-  await verifyTokenSignature(jwkKeys, responseJwt);
-
-  // Ensure that the request object conforms to the expected specification.
-  const requestObject = RequestObject.parse(responseJwt.payload);
+    .then((res) => res.text());
 
   return {
-    requestObject,
+    requestObjectEncodedJwt,
   };
 };
-
-const verifyTokenSignature = async (
-  jwkKeys?: Out<FetchJwks>["keys"],
-  responseJwt?: any
-): Promise<void> => {
-  // verify token signature to ensure the request object is authentic
-  // 1. according to entity configuration if present
-  if (jwkKeys) {
-    const pubKey = jwkKeys.find(
-      ({ kid }) => kid === responseJwt.protectedHeader.kid
-    );
-    if (!pubKey) {
-      throw new NoSuitableKeysFoundInEntityConfiguration(
-        "Request Object signature verification"
-      );
-    }
-    await verify(responseJwt, pubKey);
-    return;
-  }
-
-  // 2. If jwk is not retrieved from entity config, check if the token contains the 'jwk' attribute
-  if (responseJwt.protectedHeader?.jwk) {
-    const pubKey = responseJwt.protectedHeader.jwk;
-    await verify(responseJwt, pubKey);
-    return;
-  }
-
-  // No verification condition matched: skipping signature verification for now.
-  // TODO: [EUDIW-215] Remove skipping signature verification
-};

src/credential/presentation/03-retrieve-jwks.ts renamed to src/credential/presentation/04-retrieve-rp-jwks.ts

@@ -1,6 +1,8 @@
 import { JWKS, JWK } from "../../utils/jwk";
 import { hasStatusOrThrow } from "../../utils/misc";
 import { RelyingPartyEntityConfiguration } from "../../entity/trust/types";
+import { decode as decodeJwt } from "@pagopa/io-react-native-jwt";
+import { NoSuitableKeysFoundInEntityConfiguration } from "./errors";
 
 /**
  * Defines the signature for a function that retrieves JSON Web Key Sets (JWKS) from a client.
@@ -15,35 +17,53 @@ export type FetchJwks<T extends Array<unknown> = []> = (...args: T) => Promise<{
 
 /**
  * Retrieves the JSON Web Key Set (JWKS) from the specified client's well-known endpoint.
+ * It is formed using `{issUrl.base}/.well-known/jar-issuer${issUrl.pah}` as explained in SD-JWT VC issuer metadata section
  *
- * @param clientUrl - The base URL of the client entity from which to retrieve the JWKS.
+ * @param requestObjectEncodedJwt - Request Object in JWT format.
  * @param options - Optional context containing a custom fetch implementation.
  * @param options.context - Optional context object.
  * @param options.context.appFetch - Optional custom fetch function to use instead of the global `fetch`.
  * @returns A promise resolving to an object containing an array of JWKs.
  * @throws Will throw an error if the JWKS retrieval fails.
  */
-export const fetchJwksFromUri: FetchJwks<
+export const fetchJwksFromRequestObject: FetchJwks<
   [string, { context?: { appFetch?: GlobalFetch["fetch"] } }]
-> = async (clientUrl, { context = {} } = {}) => {
+> = async (requestObjectEncodedJwt, { context = {} } = {}) => {
   const { appFetch = fetch } = context;
+  const requestObjectJwt = decodeJwt(requestObjectEncodedJwt);
 
-  const wellKnownUrl = new URL(
-    "/.well-known/jar-issuer/jwk",
-    clientUrl
-  ).toString();
+  // 1. check if request object jwt contains the 'jwk' attribute
+  if (requestObjectJwt.protectedHeader?.jwk) {
+    return {
+      keys: [JWK.parse(requestObjectJwt.protectedHeader.jwk)],
+    };
+  }
 
-  // Fetches the JWKS from a specific endpoint of the entity's well-known configuration
-  const jwks = await appFetch(wellKnownUrl, {
-    method: "GET",
-  })
-    .then(hasStatusOrThrow(200))
-    .then((raw) => raw.json())
-    .then((json) => JWKS.parse(json));
+  // 2. According to Potential profile, retrieve from RP endpoint using iss claim
+  const issClaimValue = requestObjectJwt.payload?.iss as string;
+  if (issClaimValue) {
+    const issUrl = new URL(issClaimValue);
+    const wellKnownUrl = new URL(
+      `/.well-known/jar-issuer${issUrl.pathname}`,
+      `${issUrl.protocol}//${issUrl.host}`
+    ).toString();
 
-  return {
-    keys: jwks.keys,
-  };
+    // Fetches the JWKS from a specific endpoint of the entity's well-known configuration
+    const jwks = await appFetch(wellKnownUrl, {
+      method: "GET",
+    })
+      .then(hasStatusOrThrow(200))
+      .then((raw) => raw.json())
+      .then((json) => JWKS.parse(json.jwks));
+
+    return {
+      keys: jwks.keys,
+    };
+  }
+
+  throw new NoSuitableKeysFoundInEntityConfiguration(
+    "Request Object signature verification"
+  );
 };
 
 /**
@@ -54,14 +74,9 @@ export const fetchJwksFromUri: FetchJwks<
  * @throws Will throw an error if the configuration is invalid or if JWKS is not found.
  */
 export const fetchJwksFromConfig: FetchJwks<
-  [RelyingPartyEntityConfiguration]
+  [RelyingPartyEntityConfiguration["payload"]["metadata"]]
 > = async (rpConfig) => {
-  const parsedConfig = RelyingPartyEntityConfiguration.safeParse(rpConfig);
-  if (!parsedConfig.success) {
-    throw new Error("Invalid Relying Party configuration.");
-  }
-
-  const jwks = parsedConfig.data.payload.metadata.wallet_relying_party.jwks;
+  const jwks = rpConfig.wallet_relying_party.jwks;
 
   if (!jwks || !Array.isArray(jwks.keys)) {
     throw new Error("JWKS not found in Relying Party configuration.");