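import { ValidationResult } from './shared/dto/validationResult.dto.js';
import joseWrapper from './shared/middleware/joseWrapper.js';
import { DidDocumentResolver } from './resolvers/didDocumentResolver.js';
import { DidPublicKeyResolver } from './resolvers/didPublicKeyResolver.js';
import { SignatureValidator } from './validators/credential/signatureValidator.js';

/** `iss` values accepted for a self-issued DID Auth id_token. */
export enum DidAuthResponseIss {
  SELF_ISSUE = 'https://self-issued.me',
  SELF_ISSUE_V2 = 'https://self-issued.me/v2',
}

/** JWS algorithms accepted in the id_token protected header. */
export enum DidAuthKeyAlgorithm {
  ES256KR = 'ES256K-R',
  ES256K = 'ES256K',
  EDDSA = 'EdDSA',
  ES256 = 'ES256',
}

// Allow-lists derived from the enums so the runtime checks cannot drift from them.
const SELF_ISSUED_ISSUERS: readonly string[] = Object.values(DidAuthResponseIss);
const SUPPORTED_ALGS: readonly string[] = Object.values(DidAuthKeyAlgorithm);

/** Optional verification parameters for {@link validateDidAuthIdToken}. */
export interface ValidateDidAuthIdTokenOptions {
  /**
   * When set, the token's `aud` claim must contain this value — the
   * redirect_uri the client sent in the Authentication Request. When omitted
   * the audience is not checked (previous behaviour).
   */
  redirectUri?: string;
}

/**
 * Returns true when a JWT `aud` claim (a string or an array of strings)
 * contains `expected`; any other shape is treated as a mismatch.
 */
function audienceContains(aud: unknown, expected: string): boolean {
  if (typeof aud === 'string') return aud === expected;
  if (Array.isArray(aud)) return aud.includes(expected);
  return false;
}

/**
 * Validates a self-issued DID Auth id_token: checks the issuer, the signing
 * algorithm and (optionally) the audience, then resolves the signer's public
 * key from its DID (via the header `kid`) and verifies the JWS signature.
 *
 * The returned `payload` is the *unverified* decoded claim set and is returned
 * whether or not the signature verified — callers must check `valid` before
 * trusting any claim. This function does not evaluate `exp`/`nbf`/`iat`; time
 * validity must be checked by the caller.
 *
 * @param id_token - Compact-serialised JWT presented by the holder.
 * @param opts - Optional checks; see {@link ValidateDidAuthIdTokenOptions}.
 * @returns `valid` (signature verified against the resolved key) and `payload`.
 * @throws Error('VERIFY_BAD_PARAMETERS') when the token or its `kid` is missing.
 * @throws Error('NO_SELFISSUED_ISS') when `iss` is not a self-issued issuer.
 * @throws Error('NO_ALG_SUPPORTED') when `alg` is not in {@link DidAuthKeyAlgorithm}.
 * @throws Error('REPONSE_AUD_MISMATCH_REDIRECT_URI') when `opts.redirectUri` is
 *   given and `aud` does not contain it.
 */
async function validateDidAuthIdToken(
  id_token: string,
  opts: ValidateDidAuthIdTokenOptions = {},
): Promise<ValidationResult> {
  if (!id_token) throw new Error('VERIFY_BAD_PARAMETERS');

  // Both decodes are unverified: nothing read from `payload` or `header` is
  // trustworthy until the signature check below has passed.
  const payload = joseWrapper.decodeJWT(id_token);
  const header = joseWrapper.decodeJwtProtectedHeader(id_token);

  if (typeof payload.iss !== 'string' || !SELF_ISSUED_ISSUERS.includes(payload.iss))
    throw new Error('NO_SELFISSUED_ISS');

  // Reject unsupported algorithms before any DID resolution: `alg` comes from
  // the attacker-controlled header and is forwarded to the signature validator,
  // so only the explicit allow-list may reach it (no "none"/MAC confusion).
  if (typeof header.alg !== 'string' || !SUPPORTED_ALGS.includes(header.alg))
    throw new Error('NO_ALG_SUPPORTED');

  // The verification key is looked up by `kid`; without it there is nothing to resolve.
  if (!header.kid) throw new Error('VERIFY_BAD_PARAMETERS');

  // The client MUST validate that `aud` contains the redirect_uri it sent in
  // the Authentication Request; only enforced when the caller supplies it.
  if (opts.redirectUri !== undefined && !audienceContains(payload.aud, opts.redirectUri))
    throw new Error('REPONSE_AUD_MISMATCH_REDIRECT_URI');

  const didDocumentResolver = new DidDocumentResolver();
  const didPublicKeyResolver = new DidPublicKeyResolver(didDocumentResolver);
  const publicKey = await didPublicKeyResolver.getPublicKeyJwk(header.kid);

  const signatureValidator = new SignatureValidator();
  const signatureValidation = await signatureValidator.validate(
    id_token,
    publicKey,
    header.alg,
    'id_token',
  );

  return {
    valid: signatureValidation.valid,
    payload: payload,
  };
}

export { validateDidAuthIdToken };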