25166281377

Committed 30 Apr 2026 12:23PM UTC coverage: 59.991% (+0.7%) from 59.25%

Build Type

github

Committed by wistefan

Commit Message

Merge pull request 'Ticket #34 - Step 5: Comprehensive tests for refresh token flows' (#6) from ticket-34/step-5 into ticket-34/work

Reviewed-on: http://localhost:3001/general-agent-4/VCVerifier/pulls/6
Reviewed-by: wistefan <wistefan@dev-env.local>

Pull Request Pull Request #96: Add refresh token support

Coverage Stats

195 of 248 new or added lines in 5 files covered. (78.63%)

568 existing lines in 10 files now uncovered.

3870 of 6451 relevant lines covered (59.99%)

0.69 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

51.97

/openapi/api_api.go

/*
 * vcverifier
 *
 * Backend component to verify credentials
 *
 * API version: 0.0.1
 * Generated by: OpenAPI Generator (https://openapi-generator.tech)
 */

package openapi

import (
        "encoding/base64"
        "encoding/json"
        "fmt"
        "net/http"
        "slices"
        "strings"

        "github.com/fiware/VCVerifier/common"
        "github.com/fiware/VCVerifier/did"
        "github.com/fiware/VCVerifier/logging"
        "github.com/fiware/VCVerifier/verifier"
        "github.com/google/uuid"
        "github.com/lestrrat-go/jwx/v3/jwa"
        "github.com/lestrrat-go/jwx/v3/jwt"

        "github.com/gin-gonic/gin"
)

const DEEPLINK = "DEEPLINK"
const FRONTEND_V1 = "FRONTEND_V1"
const FRONTEND_V2 = "FRONTEND_V2"

var apiVerifier verifier.Verifier
var presentationParser verifier.PresentationParser
var sdJwtParser verifier.SdJwtParser
var keyResolver verifier.KeyResolver

var ErrorMessagNoGrantType = ErrorMessage{"no_grant_type_provided", "Token requests require a grant_type."}
var ErrorMessageUnsupportedGrantType = ErrorMessage{"unsupported_grant_type", "Provided grant_type is not supported by the implementation."}
var ErrorMessageNoCode = ErrorMessage{"no_code_provided", "Token requests require a code."}
var ErrorMessageNoRedircetUri = ErrorMessage{"no_redirect_uri_provided", "Token requests require a redirect_uri."}
var ErrorMessageNoResource = ErrorMessage{"no_resource_provided", "When using token-exchange, resource is required to provide the client_id."}
var ErrorMessageNoState = ErrorMessage{"no_state_provided", "Authentication requires a state provided as query parameter."}
var ErrorMessageNoScope = ErrorMessage{"no_scope_provided", "Authentication requires a scope provided as a parameter."}
var ErrorMessageInvalidResponseType = ErrorMessage{"invalid_response_type", "Authentication requires the response_type to be `code`."}
var ErrorMessageFailedSameDevice = ErrorMessage{"failed_same_device", "Was not able to start a same-device flow."}
var ErrorMessageNoClientId = ErrorMessage{"no_client_id_provided", "Authentication requires a client-id provided as a parameter."}
var ErrorMessageNoNonce = ErrorMessage{"no_nonce_provided", "Authentication requires a nonce provided as a query parameter."}
var ErrorMessageNoToken = ErrorMessage{"no_token_provided", "Authentication requires a token provided as a form parameter."}
var ErrorMessageNoPresentationSubmission = ErrorMessage{"no_presentation_submission_provided", "Authentication requires a presentation submission provided as a form parameter."}
var ErrorMessageNoCallback = ErrorMessage{"NoCallbackProvided", "A callback address has to be provided as query-parameter."}
var ErrorMessageUnableToDecodeToken = ErrorMessage{"invalid_token", "Token could not be decoded."}
var ErrorMessageUnableToDecodeCredential = ErrorMessage{"invalid_token", "Could not read the credential(s) inside the token."}
var ErrorMessageUnableToDecodeHolder = ErrorMessage{"invalid_token", "Could not read the holder inside the token."}
var ErrorMessageNoSuchSession = ErrorMessage{"no_session", "Session with the requested id is not available."}
var ErrorMessageInvalidSdJwt = ErrorMessage{"invalid_sdjwt", "SdJwt does not contain all required fields."}
var ErrorMessageNoWebsocketConnection = ErrorMessage{"invalid_connection", "No Websocket connection available for the authenticated session."}
var ErrorMessageUnresolvableRequestObject = ErrorMessage{"unresolvable_request_object", "Was not able to get the request object from the client."}
var ErrorMessageInvalidAudience = ErrorMessage{"invalid_audience", "Audience of the request object was invalid."}
var ErrorMessageUnsupportedAssertionType = ErrorMessage{"unsupported_assertion_type", "Assertion type is not supported."}
var ErrorMessageInvalidClientAssertion = ErrorMessage{"invalid_client_assertion", "Provided client assertion is invalid."}
var ErrorMessageInvalidTokenRequest = ErrorMessage{"invalid_token_request", "Token request has no redirect_uri and no valid client assertion."}
var ErrorMessageInvalidSubjectTokenType = ErrorMessage{"invalid_subject_token_type", "Token exchange is only supported for token type urn:eu:oidf:vp_token."}
var ErrorMessageInvalidRequestedTokenType = ErrorMessage{"invalid_requested_token_type", "Token exchange is only supported for requesting tokens of type urn:ietf:params:oauth:token-type:access_token."}
var ErrorMessageNoRefreshToken = ErrorMessage{"no_refresh_token_provided", "Refresh token requests require a refresh_token."}
var ErrorMessageInvalidRefreshToken = ErrorMessage{"invalid_refresh_token", "The provided refresh token is invalid or expired."}

func getApiVerifier() verifier.Verifier {
        if apiVerifier == nil {
                apiVerifier = verifier.GetVerifier()
        }
        return apiVerifier
}

func getPresentationParser() verifier.PresentationParser {
        if presentationParser == nil {
                presentationParser = verifier.GetPresentationParser()
        }
        return presentationParser
}

func getSdJwtParser() verifier.SdJwtParser {
        if sdJwtParser == nil {
                sdJwtParser = verifier.GetSdJwtParser()
        }
        return sdJwtParser
}

func getKeyResolver() verifier.KeyResolver {
        if keyResolver == nil {
                keyResolver = &verifier.VdrKeyResolver{Vdr: []did.VDR{did.NewKeyVDR(), did.NewJWKVDR(), did.NewWebVDR()}}
        }
        return keyResolver
}

// GetToken - Token endpoint to exchange the authorization code with the actual JWT.
func GetToken(c *gin.Context) {

        logging.Log().Debugf("%v", c.Request)
        grantType, grantTypeExists := c.GetPostForm("grant_type")
        if !grantTypeExists {
                logging.Log().Debug("No grant_type present in the request.")
                c.AbortWithStatusJSON(400, ErrorMessagNoGrantType)
                return
        }

        switch grantType {
        case common.TYPE_CODE:
                handleTokenTypeCode(c)
        case common.TYPE_VP_TOKEN:
                handleTokenTypeVPToken(c, c.GetHeader("client_id"))
        case common.TYPE_TOKEN_EXCHANGE:
                resource, resourceExists := c.GetPostForm("resource")
                if !resourceExists {
                        c.AbortWithStatusJSON(http.StatusBadRequest, ErrorMessageNoResource)
                        return
                }
                handleTokenTypeTokenExchange(c, resource)
        case common.TYPE_REFRESH_TOKEN:
                handleTokenTypeRefreshToken(c)
        default:
                c.AbortWithStatusJSON(http.StatusBadRequest, ErrorMessageUnsupportedGrantType)
        }
}

func AuthorizationEndpoint(c *gin.Context) {
        logging.Log().Debug("Receive authorization request.")
        clientId, clientIdExists := c.GetQuery("client_id")
        responseType, responseTypeExists := c.GetQuery("response_type")
        scope, scopeExists := c.GetQuery("scope")
        redirectUri, redirectUriExists := c.GetQuery("redirect_uri")
        nonce, nonceExists := c.GetQuery("nonce")
        state, stateExists := c.GetQuery("state")

        requestUri, requestUriExists := c.GetQuery("request_uri")
        if requestUriExists {
                logging.Log().Debug("Requesting the client for its request object.")
                cro, err := getRequestObjectClient().GetClientRequestObject(requestUri)
                if err != nil {
                        logging.Log().Warnf("Was not able to get request object. Err: %v", err)
                        c.AbortWithStatusJSON(http.StatusInternalServerError, ErrorMessageUnresolvableRequestObject)
                        return
                }
                if !slices.Contains(cro.Aud, getFrontendVerifier().GetHost()) {
                        c.AbortWithStatusJSON(http.StatusInternalServerError, ErrorMessageInvalidAudience)
                        return
                }

                if cro.ClientId != "" {
                        clientId = cro.ClientId
                        clientIdExists = true
                }

                if cro.Scope != "" {
                        scope = cro.Scope
                        scopeExists = true
                }

                if cro.RedirectUri != "" {
                        redirectUri = cro.RedirectUri
                        redirectUriExists = true
                }

                if cro.Nonce != "" {
                        nonce = cro.Nonce
                        nonceExists = true
                }

                if cro.State != "" {
                        state = cro.State
                        stateExists = true
                }

                if cro.ResponseType != "" {
                        responseType = cro.ResponseType
                        responseTypeExists = true
                }
        }

        if !clientIdExists {
                logging.Log().Info("Received an authorization request without a client_id.")
                c.AbortWithStatusJSON(http.StatusBadRequest, ErrorMessageNoClientId)
                return
        }
        if !scopeExists {
                logging.Log().Info("Received an authorization request without a scope.")
                c.AbortWithStatusJSON(http.StatusBadRequest, ErrorMessageNoScope)
                return
        }
        if !redirectUriExists {
                logging.Log().Info("Received an authorization request without a redirect_uri.")
                //c.AbortWithStatusJSON(http.StatusBadRequest, ErrorMessageNoRedircetUri)
                //return
        }
        if !nonceExists {
                logging.Log().Info("Received an authorization request without a nonce.")
                nonce = uuid.NewString()
        }
        if !stateExists {
                logging.Log().Info("Received an authorization request without a state.")
                c.AbortWithStatusJSON(http.StatusBadRequest, ErrorMessageNoState)
                return
        }
        if !responseTypeExists && responseType != "code" {
                logging.Log().Infof("Received an authorization request with an invalid response type. Was %s.", responseType)
                c.AbortWithStatusJSON(http.StatusBadRequest, ErrorMessageInvalidResponseType)
                return
        }

        logging.Log().Debugf("Received request: clientID - %s, scope - %s, redirect_uri - %s, nonce - %s, state - %s.", clientId, scope, redirectUri, nonce, state)

        protocol := "https"
        if c.Request.TLS == nil {
                protocol = "http"
        }

        authorizationType := getApiVerifier().GetAuthorizationType(clientId)
        var redirect string
        var err error
        switch authorizationType {
        case DEEPLINK:
                redirect, err = getApiVerifier().StartSameDeviceFlow(c.Request.Host, protocol, state, "", clientId, nonce, verifier.REQUEST_MODE_BY_REFERENCE, scope, verifier.OPENID4VP_PROTOCOL)
                if err != nil {
                        logging.Log().Warnf("Was not able start a same device flow. Err: %v", err)
                        c.AbortWithStatusJSON(http.StatusInternalServerError, ErrorMessageFailedSameDevice)
                        return
                }
        case FRONTEND_V2:
                redirect = buildFrontendV2Address(protocol, c.Request.Host, state, clientId, redirectUri, scope, nonce)
        }
        c.Redirect(http.StatusFound, redirect)
}

func buildFrontendV2Address(protocol, host, state, clientId, redirectUri, scope, nonce string) string {
        logging.Log().Debugf("%s://%s/api/v2/loginQR?state=%s&client_id=%s&redirect_uri=%s&scope=%s&nonce=%s&request_mode=byReference", protocol, host, state, clientId, redirectUri, scope, nonce)
        return fmt.Sprintf("%s://%s/api/v2/loginQR?state=%s&client_id=%s&redirect_uri=%s&scope=%s&nonce=%s&request_mode=byReference", protocol, host, state, clientId, redirectUri, scope, nonce)
}

// GetToken - Token endpoint to exchange the authorization code with the actual JWT.
func GetTokenForService(c *gin.Context) {

        logging.Log().Debugf("%v", c.Request)
        grantType, grantTypeExists := c.GetPostForm("grant_type")
        if !grantTypeExists {
                logging.Log().Debug("No grant_type present in the request.")
                c.AbortWithStatusJSON(http.StatusBadRequest, ErrorMessagNoGrantType)
                return
        }

        switch grantType {
        case common.TYPE_CODE:
                handleTokenTypeCode(c)
        case common.TYPE_VP_TOKEN:
                handleTokenTypeVPToken(c, c.Param("service_id"))
        case common.TYPE_TOKEN_EXCHANGE:
                handleTokenTypeTokenExchange(c, c.Param("service_id"))
        case common.TYPE_REFRESH_TOKEN:
                handleTokenTypeRefreshToken(c)
        default:
                c.AbortWithStatusJSON(http.StatusBadRequest, ErrorMessageUnsupportedGrantType)
        }
}

func handleTokenTypeTokenExchange(c *gin.Context, clientId string) {
        subjectTokenType, subjectTokenTypeExists := c.GetPostForm("subject_token_type")
        if !subjectTokenTypeExists || subjectTokenType != common.TYPE_VP_TOKEN_SUBJECT {
                c.AbortWithStatusJSON(http.StatusBadRequest, ErrorMessageInvalidSubjectTokenType)
                return
        }
        requestedTokenType, requestedTokenTypeExists := c.GetPostForm("requested_token_type")
        if requestedTokenTypeExists && requestedTokenType != common.TYPE_ACCESS_TOKEN {
                c.AbortWithStatusJSON(http.StatusBadRequest, ErrorMessageInvalidRequestedTokenType)
                return
        }

        scopes := getScopesFromRequest(c, clientId)

        audience, audienceExists := c.GetPostForm("audience")
        if !audienceExists {
                audience = clientId
        }

        subjectToken, subjectTokenExists := c.GetPostForm("subject_token")
        if !subjectTokenExists {
                c.AbortWithStatusJSON(http.StatusBadRequest, ErrorMessageNoToken)
                return
        }

        logging.Log().Debugf("Got token %s", subjectToken)

        verifiyVPToken(c, subjectToken, clientId, scopes, audience)
}

func handleTokenTypeVPToken(c *gin.Context, clientId string) {

        vpToken, vpTokenExists := c.GetPostForm("vp_token")
        if !vpTokenExists {
                logging.Log().Debug("No vp token present in the request.")
                c.AbortWithStatusJSON(http.StatusBadRequest, ErrorMessageNoToken)
                return
        }

        logging.Log().Warnf("Got token %s", vpToken)

        scopes := getScopesFromRequest(c, clientId)
        if len(scopes) == 0 {
                return
        }

        verifiyVPToken(c, vpToken, clientId, scopes, clientId)
}

func verifiyVPToken(c *gin.Context, vpToken string, clientId string, scopes []string, audience string) {

        presentation, err := extractVpFromToken(c, vpToken)
        if err != nil {
                logging.Log().Warnf("Was not able to extract the credentials from the vp_token. E: %v", err)
                return
        }

        logging.Log().Debug("Was able to extract presentation")
        // Subject is empty since multiple VCs with different subjects can be provided
        expiration, signedToken, err := getApiVerifier().GenerateToken(clientId, "", clientId, scopes, presentation)
        if err != nil {
                logging.Log().Error("Failure during generating M2M token: ", err)
                c.AbortWithStatusJSON(http.StatusBadRequest, err)
                return
        }

        var refreshToken string
        if getApiVerifier().IsRefreshTokenEnabled() {
                refreshToken, err = getApiVerifier().CreateRefreshToken(clientId, signedToken)
                if err != nil {
                        logging.Log().Warnf("Failed to create refresh token: %v", err)
                        // Non-fatal: return the access token without a refresh token.
                }
        }

        response := TokenResponse{TokenType: "Bearer", IssuedTokenType: common.TYPE_ACCESS_TOKEN, ExpiresIn: float32(expiration), IdToken: signedToken, AccessToken: signedToken, Scope: strings.Join(scopes, ","), RefreshToken: refreshToken}
        logging.Log().Infof("Generated and signed token: %v", response)
        c.JSON(http.StatusOK, response)
}

// handleTokenTypeRefreshToken handles the grant_type=refresh_token flow.
// It exchanges a valid refresh token for a new access token and a rotated
// refresh token.
func handleTokenTypeRefreshToken(c *gin.Context) {
        refreshToken, refreshTokenExists := c.GetPostForm("refresh_token")
        if !refreshTokenExists {
                logging.Log().Debug("No refresh_token present in the request.")
                c.AbortWithStatusJSON(http.StatusBadRequest, ErrorMessageNoRefreshToken)
                return
        }

        jwtString, expiration, newRefreshToken, err := getApiVerifier().ExchangeRefreshToken(refreshToken)
        if err != nil {
                logging.Log().Warnf("Failed to exchange refresh token: %v", err)
                c.AbortWithStatusJSON(http.StatusForbidden, ErrorMessageInvalidRefreshToken)
                return
        }

        c.JSON(http.StatusOK, TokenResponse{
                TokenType:    "Bearer",
                ExpiresIn:    float32(expiration),
                AccessToken:  jwtString,
                IdToken:      jwtString,
                RefreshToken: newRefreshToken,
        })
}

func handleTokenTypeCode(c *gin.Context) {

        code, codeExists := c.GetPostForm("code")
        if !codeExists {
                logging.Log().Debug("No code present in the request.")
                c.AbortWithStatusJSON(http.StatusBadRequest, ErrorMessageNoCode)
                return
        }

        assertionType, assertionTypeExists := c.GetPostForm("client_assertion_type")
        redirectUri, redirectUriExists := c.GetPostForm("redirect_uri")
        if redirectUriExists {
                jwt, expiration, refreshToken, err := getApiVerifier().GetToken(code, redirectUri, false)
                if err != nil {
                        c.AbortWithStatusJSON(http.StatusForbidden, ErrorMessage{Summary: err.Error()})
                        return
                }
                c.JSON(http.StatusOK, TokenResponse{TokenType: "Bearer", ExpiresIn: float32(expiration), IdToken: jwt, AccessToken: jwt, RefreshToken: refreshToken})
                return
        }
        if assertionTypeExists {
                handleWithClientAssertion(c, assertionType, code)
                return
        }
        c.AbortWithStatusJSON(http.StatusBadRequest, ErrorMessageInvalidTokenRequest)
}

func getScopesFromRequest(c *gin.Context, clientId string) (scopes []string) {

        scope, scopeExists := c.GetPostForm("scope")
        if !scopeExists {
                defaultScope, err := getApiVerifier().GetDefaultScope(clientId)
                if err != nil {
                        c.AbortWithStatusJSON(http.StatusBadRequest, ErrorMessageNoScope)
                        return scopes
                }
                logging.Log().Debugf("No scope present in the request, use the default scope %s", defaultScope)
                return []string{defaultScope}
        }

        return strings.Split(scope, ",")

}

func handleWithClientAssertion(c *gin.Context, assertionType string, code string) {
        if assertionType != "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" {
                logging.Log().Warnf("Assertion type %s is not supported.", assertionType)
                c.AbortWithStatusJSON(http.StatusBadRequest, ErrorMessageUnsupportedAssertionType)
                return
        }

        clientAssertion, clientAssertionExists := c.GetPostForm("client_assertion")
        clientId, clientIdExists := c.GetPostForm("client_id")
        if !clientAssertionExists || !clientIdExists {
                logging.Log().Warnf("Client Id (%s) or assertion (%s) not provided.", clientId, clientAssertion)
                c.AbortWithStatusJSON(http.StatusBadRequest, ErrorMessageUnsupportedAssertionType)
                return
        }

        kid, err := getKeyResolver().ExtractKIDFromJWT(clientAssertion)
        if err != nil {
                logging.Log().Warnf("Was not able to retrive kid from token %s. Err: %v.", clientAssertion, err)
                c.AbortWithStatusJSON(http.StatusBadRequest, ErrorMessageInvalidClientAssertion)
                return
        }
        pubKey, err := getKeyResolver().ResolvePublicKeyFromDID(kid)
        if err != nil {
                logging.Log().Warnf("Was not able to retrive key from kid %s. Err: %v.", kid, err)
                c.AbortWithStatusJSON(http.StatusBadRequest, ErrorMessageInvalidClientAssertion)
                return
        }

        alg, algExists := pubKey.Algorithm()
        if !algExists {
                // fallback to default
                alg = jwa.ES256()
        }

        parsed, err := jwt.Parse([]byte(clientAssertion), jwt.WithKey(alg, pubKey))
        if err != nil {
                logging.Log().Warnf("Was not able to parse and verify the token %s. Err: %v", clientAssertion, err)
                c.AbortWithStatusJSON(http.StatusBadRequest, ErrorMessageInvalidClientAssertion)
                return
        }

        // Serialize token to JSON
        jsonBytes, err := json.Marshal(parsed)
        if err != nil {
                logging.Log().Warnf("Was not able to marshal the token %s. Err: %v", clientAssertion, err)
                c.AbortWithStatusJSON(http.StatusBadRequest, ErrorMessageInvalidClientAssertion)
                return
        }

        // Unmarshal to your struct
        var clientAssertionObject ClientAssertion
        if err := json.Unmarshal(jsonBytes, &clientAssertionObject); err != nil {
                logging.Log().Warnf("Was not able to unmarshal the token: %s, Err: %v", string(jsonBytes), err)
                c.AbortWithStatusJSON(http.StatusBadRequest, ErrorMessageInvalidClientAssertion)
                return
        }

        if clientAssertionObject.Sub != clientId || clientAssertionObject.Iss != clientId || !slices.Contains(clientAssertionObject.Aud, getFrontendVerifier().GetHost()) {
                logging.Log().Warnf("Invalid assertion: %s. Client Id: %s, Host: %s", logging.PrettyPrintObject(clientAssertionObject), clientId, getApiVerifier().GetHost())
                c.AbortWithStatusJSON(http.StatusBadRequest, ErrorMessageInvalidClientAssertion)
                return
        }

        jwt, expiration, refreshToken, err := getApiVerifier().GetToken(code, "", true)
        if err != nil {
                c.AbortWithStatusJSON(http.StatusForbidden, ErrorMessage{Summary: err.Error()})
                return
        }
        c.JSON(http.StatusOK, TokenResponse{TokenType: "Bearer", ExpiresIn: float32(expiration), IdToken: jwt, AccessToken: jwt, RefreshToken: refreshToken})
}

// StartSIOPSameDevice - Starts the siop flow for credentials hold by the same device
func StartSIOPSameDevice(c *gin.Context) {
        state, stateExists := c.GetQuery("state")
        if !stateExists {
                logging.Log().Debugf("No state was provided.")
                c.AbortWithStatusJSON(http.StatusBadRequest, ErrorMessage{"no_state_provided", "Authentication requires a state provided as query parameter."})
                return
        }
        redirectPath, redirectPathExists := c.GetQuery("redirect_path")
        requestProtocol := verifier.REDIRECT_PROTOCOL
        if !redirectPathExists {
                requestProtocol = verifier.OPENID4VP_PROTOCOL
        }

        protocol := "https"
        if c.Request.TLS == nil {
                protocol = "http"
        }

        clientId, clientIdExists := c.GetQuery("client_id")
        logging.Log().Debugf("The client id %s", clientId)
        if !clientIdExists {
                logging.Log().Infof("Start a login flow for a not specified client.")
        }

        requestMode, requestModeExists := c.GetQuery("request_mode")
        if !requestModeExists {
                logging.Log().Infof("Using default request mode %s.", DEFAULT_REQUEST_MODE)
                requestMode = DEFAULT_REQUEST_MODE
        }

        scope, scopeExists := c.GetQuery("scope")
        if !scopeExists {
                logging.Log().Infof("Start a login flow with default scope.")
                scope = ""
        }

        authenticationRequest, err := getApiVerifier().StartSameDeviceFlow(c.Request.Host, protocol, state, redirectPath, clientId, "", requestMode, scope, requestProtocol)
        if err != nil {
                logging.Log().Warnf("Error starting the same-device flow. Err: %v", err)
                c.AbortWithStatusJSON(http.StatusInternalServerError, ErrorMessage{err.Error(), "Was not able to start the same device flow."})
                return
        }

        c.Redirect(http.StatusFound, authenticationRequest)
}

// VerifierAPIAuthenticationResponse - Stores the credential for the given session
func VerifierAPIAuthenticationResponse(c *gin.Context) {

        var state string
        stateForm, stateFormExists := c.GetPostForm("state")
        stateQuery, stateQueryExists := c.GetQuery("state")
        if !stateFormExists && !stateQueryExists {
                c.AbortWithStatusJSON(http.StatusBadRequest, ErrorMessageNoState)
                return
        }
        if stateFormExists {
                state = stateForm
        } else {
                // allow the state submitted through a query parameter for backwards-compatibility
                state = stateQuery
        }

        vptoken, tokenExists := c.GetPostForm("vp_token")
        if !tokenExists {
                logging.Log().Info("No token was provided.")
                c.AbortWithStatusJSON(http.StatusBadRequest, ErrorMessageNoToken)
                return
        }

        presentation, err := extractVpFromToken(c, vptoken)
        if err != nil {
                logging.Log().Warnf("Was not able to extract the presentation from the vp_token.")
                return
        }
        handleAuthenticationResponse(c, state, presentation)
}

// GetVerifierAPIAuthenticationResponse - Stores the credential for the given session
func GetVerifierAPIAuthenticationResponse(c *gin.Context) {
        state, stateExists := c.GetQuery("state")
        if !stateExists {
                c.AbortWithStatusJSON(http.StatusBadRequest, ErrorMessageNoState)
                return
        }

        vpToken, tokenExists := c.GetQuery("vp_token")
        if !tokenExists {
                logging.Log().Info("No token was provided.")
                c.AbortWithStatusJSON(http.StatusBadRequest, ErrorMessageNoToken)
                return
        }
        presentation, err := extractVpFromToken(c, vpToken)
        if err != nil {
                logging.Log().Warnf("Was not able to extract the presentation from the vp_token.")
                return
        }
        handleAuthenticationResponse(c, state, presentation)
}

// GetRequestByReference - Get the request object by reference
func GetRequestByReference(c *gin.Context) {
        sessionId := c.Param("id")

        jwt, err := verifier.GetVerifier().GetRequestObject(sessionId)
        if err != nil {
                logging.Log().Debugf("No request for  %s. Err: %v", sessionId, err)
                c.AbortWithStatusJSON(http.StatusNotFound, ErrorMessageNoSuchSession)
                return
        }
        c.String(http.StatusOK, jwt)
}

func extractVpFromToken(c *gin.Context, vpToken string) (parsedPresentation *common.Presentation, err error) {

        logging.Log().Debugf("The token %s.", vpToken)

        parsedPresentation, err = getPresentationFromQuery(c, vpToken)

        if err != nil {
                logging.Log().Debugf("Received a vpToken with a query, but was not able to extract the presentation. Token: %s", vpToken)
                return parsedPresentation, err
        }
        if parsedPresentation != nil {
                return parsedPresentation, err
        }
        return tokenToPresentation(c, vpToken)

}

func tokenToPresentation(c *gin.Context, vpToken string) (parsedPresentation *common.Presentation, err error) {
        tokenBytes := decodeVpString(vpToken)

        isSdJWT, parsedPresentation, err := isSdJWT(c, vpToken)
        if isSdJWT && err != nil {
                return
        }
        if isSdJWT {
                logging.Log().Debugf("Received an sdJwt: %s", logging.PrettyPrintObject(parsedPresentation))
                return
        }

        parsedPresentation, err = getSdJwtParser().ParseWithSdJwt(tokenBytes)
        if err == nil {
                logging.Log().Debug("Parsed presentation containing sd-jwt's.")
                return parsedPresentation, err
        }
        if err == verifier.ErrorInvalidProof {
                logging.Log().Infof("Was not able to parse the token %s. Err: %v", vpToken, err)
                c.AbortWithStatusJSON(http.StatusBadRequest, ErrorMessageUnableToDecodeToken)
                return
        }
        logging.Log().Debugf("Parse without SD-Jwt %v", err)

        logging.Log().Debug("Parse presentation.")

        parsedPresentation, err = getPresentationParser().ParsePresentation(tokenBytes)

        if err != nil {
                logging.Log().Infof("Was not able to parse the token %s. Err: %v", vpToken, err)
                c.AbortWithStatusJSON(http.StatusBadRequest, ErrorMessageUnableToDecodeToken)
                return
        }

        return
}

func getPresentationFromQuery(c *gin.Context, vpToken string) (parsedPresentation *common.Presentation, err error) {
        tokenBytes := decodeVpString(vpToken)

        var queryMap map[string]string
        //unmarshal
        err = json.Unmarshal(tokenBytes, &queryMap)
        if err != nil {
                logging.Log().Debug("VP Token does not contain query map. Checking the other options.", err)
                return nil, nil
        }

        for _, v := range queryMap {
                p, err := tokenToPresentation(c, v)
                if err != nil {
                        return nil, err
                }
                if parsedPresentation == nil {
                        parsedPresentation = p
                } else {
                        parsedPresentation.AddCredentials(p.Credentials()...)
                }
        }
        return parsedPresentation, err
}

// checks if the presented token contains a single sd-jwt credential. Will be repackage to a presentation for further validation
func isSdJWT(c *gin.Context, vpToken string) (isSdJwt bool, presentation *common.Presentation, err error) {
        claims, err := getSdJwtParser().Parse(vpToken)
        if err != nil {
                logging.Log().Debugf("Was not a sdjwt. Err: %v", err)
                return false, presentation, err
        }
        issuer, i_ok := claims[common.JWTClaimIss]
        vct, vct_ok := claims[common.JWTClaimVct]
        if !i_ok || !vct_ok {
                // Not an SD-JWT VC (missing iss or vct) — let other parsers handle it
                logging.Log().Debugf("Token does not contain issuer(%v) or vct(%v), not an SD-JWT VC.", i_ok, vct_ok)
                return false, presentation, nil
        }
        customFields := common.CustomFields{}
        for k, v := range claims {
                if k != common.JWTClaimIss && k != common.JWTClaimVct {
                        customFields[k] = v
                }
        }
        subject := common.Subject{CustomFields: customFields}
        contents := common.CredentialContents{Issuer: &common.Issuer{ID: issuer.(string)}, Types: []string{vct.(string)}, Subject: []common.Subject{subject}}
        credential, err := common.CreateCredential(contents, common.CustomFields{})
        if err != nil {
                logging.Log().Infof("Was not able to create credential from sdJwt. E: %v", err)
                c.AbortWithStatusJSON(http.StatusBadRequest, ErrorMessageInvalidSdJwt)
                return true, presentation, err
        }
        presentation, err = common.NewPresentation()
        if err != nil {
                logging.Log().Infof("Was not able to create credpresentation from sdJwt. E: %v", err)
                c.AbortWithStatusJSON(http.StatusBadRequest, ErrorMessageInvalidSdJwt)
                return true, presentation, err
        }
        presentation.AddCredentials(credential)
        presentation.Holder = issuer.(string)
        return true, presentation, nil
}

// decodeVpString - In newer versions of OID4VP the token is not encoded as a whole but only its segments separately. This function covers the older and newer versions
func decodeVpString(vpToken string) (tokenBytes []byte) {
        tokenBytes, err := base64.RawURLEncoding.DecodeString(vpToken)
        if err != nil {
                return []byte(vpToken)
        }
        return tokenBytes
}

func handleAuthenticationResponse(c *gin.Context, state string, presentation *common.Presentation) {

        response, err := getApiVerifier().AuthenticationResponse(state, presentation)
        if err != nil {
                logging.Log().Warnf("Was not able to fullfil the authentication response. Err: %v", err)
                c.AbortWithStatusJSON(http.StatusBadRequest, ErrorMessage{Summary: err.Error()})
                return
        }
        if response != (verifier.Response{}) && response.FlowVersion == verifier.SAME_DEVICE {
                if response.Nonce != "" {
                        c.Redirect(302, fmt.Sprintf("%s?state=%s&code=%s&nonce=%s", response.RedirectTarget, response.SessionId, response.Code, response.Nonce))
                } else {
                        c.Redirect(302, fmt.Sprintf("%s?state=%s&code=%s", response.RedirectTarget, response.SessionId, response.Code))
                }
                return
        } else if response != (verifier.Response{}) && response.FlowVersion == verifier.CROSS_DEVICE_V2 {
                sendRedirect(c, response.SessionId, response.Code, response.RedirectTarget)
        }
        logging.Log().Debugf("Successfully authenticated %s.", state)
        c.JSON(http.StatusOK, gin.H{})
}

// VerifierAPIJWKS - Provides the public keys for the given verifier, to be used for verifing the JWTs
func VerifierAPIJWKS(c *gin.Context) {
        c.JSON(http.StatusOK, getApiVerifier().GetJWKS())
}

// VerifierAPIOpenID
func VerifierAPIOpenIDConfiguration(c *gin.Context) {

        metadata, err := getApiVerifier().GetOpenIDConfiguration(c.Param("service_id"))
        if err != nil {
                c.AbortWithStatusJSON(http.StatusInternalServerError, ErrorMessage{err.Error(), "Was not able to generate the OpenID metadata."})
                return
        }
        c.JSON(http.StatusOK, metadata)
}

// VerifierAPIStartSIOP - Initiates the siop flow and returns the 'openid://...' connection string
func VerifierAPIStartSIOP(c *gin.Context) {
        state, stateExists := c.GetQuery("state")
        if !stateExists {
                c.AbortWithStatusJSON(http.StatusBadRequest, ErrorMessageNoState)
                // early exit
                return
        }

        callback, callbackExists := c.GetQuery("client_callback")
        if !callbackExists {
                c.AbortWithStatusJSON(http.StatusBadRequest, ErrorMessageNoCallback)
                // early exit
                return
        }
        protocol := "https"
        if c.Request.TLS == nil {
                protocol = "http"
        }
        clientId, clientIdExists := c.GetQuery("client_id")
        if !clientIdExists {
                logging.Log().Infof("Start a login flow for a not specified client.")
        }

        requestMode, requestModeExists := c.GetQuery("request_mode")
        if !requestModeExists {
                logging.Log().Infof("Using default request mode %s.", DEFAULT_REQUEST_MODE)
                requestMode = DEFAULT_REQUEST_MODE
        }

        connectionString, err := getApiVerifier().StartSiopFlow(c.Request.Host, protocol, callback, state, clientId, "", requestMode)
        if err != nil {
                c.AbortWithStatusJSON(http.StatusInternalServerError, ErrorMessage{err.Error(), "Was not able to generate the connection string."})
                return
        }
        c.String(http.StatusOK, connectionString)
}

type ClientAssertion struct {
        Iss string   `json:"iss"`
        Aud []string `json:"aud"`
        Sub string   `json:"sub"`
        Exp int      `json:"exp"`
        Iat int      `json:"iat"`
}

FIWARE / VCVerifier / 25166281377

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous