{"version":3,"sources":["../lib/index.ts","../lib/OID4VCIServer.ts","../lib/oid4vci-api-functions.ts","../lib/IssuerTokenEndpoint.ts","../lib/expressUtils.ts"],"sourcesContent":["export * from './OID4VCIServer'\nexport * from './oid4vci-api-functions'\nexport * from './expressUtils'\n\n// We re-export oidc-client types, as they were previously exported here\nexport { ClientResponseType, ClientAuthMethod, ClientMetadata } from '@sphereon/oid4vci-common'\n","import {\n  AuthorizationRequest,\n  ClientMetadata,\n  CreateCredentialOfferURIResult,\n  CredentialConfigurationSupportedV1_0_13,\n  CredentialOfferMode,\n  IssuerCredentialSubjectDisplay,\n  OID4VCICredentialFormat,\n  QRCodeOpts,\n} from '@sphereon/oid4vci-common'\nimport {\n  CredentialSupportedBuilderV1_13,\n  ITokenEndpointOpts,\n  oidcAccessTokenVerifyCallback,\n  VcIssuer,\n  VcIssuerBuilder,\n} from '@sphereon/oid4vci-issuer'\nimport { ExpressSupport, HasEndpointOpts, ISingleEndpointOpts } from '@sphereon/ssi-express-support'\nimport express, { Express } from 'express'\n\nimport {\n  accessTokenEndpoint,\n  authorizationChallengeEndpoint,\n  createCredentialOfferEndpoint,\n  deleteCredentialOfferEndpoint,\n  getBasePath,\n  getCredentialEndpoint,\n  getCredentialOfferEndpoint,\n  getCredentialOfferReferenceEndpoint,\n  getIssueStatusEndpoint,\n  getMetadataEndpoints,\n  pushedAuthorizationEndpoint,\n} from './oid4vci-api-functions'\n\nfunction buildVCIFromEnvironment() {\n  const credentialsSupported: Record<string, CredentialConfigurationSupportedV1_0_13> = new CredentialSupportedBuilderV1_13()\n    .withCredentialSigningAlgValuesSupported(process.env.credential_signing_alg_values_supported as string)\n    .withCryptographicBindingMethod(process.env.cryptographic_binding_methods_supported as string)\n    .withFormat(process.env.credential_supported_format as unknown as OID4VCICredentialFormat)\n    .withCredentialName(process.env.credential_supported_name_1 as string)\n    .withCredentialDefinition({\n      type: [process.env.credential_supported_1_definition_type_1 as string, process.env.credential_supported_1_definition_type_2 as string],\n      // TODO: setup credentialSubject here from env\n      // credentialSubject\n    })\n    .withCredentialSupportedDisplay({\n      name: process.env.credential_display_name as string,\n      locale: process.env.credential_display_locale as string,\n      logo: {\n        url: process.env.credential_display_logo_url as string,\n        alt_text: process.env.credential_display_logo_alt_text as string,\n      },\n      background_color: process.env.credential_display_background_color as string,\n      text_color: process.env.credential_display_text_color as string,\n    })\n    .addCredentialSubjectPropertyDisplay(\n      process.env.credential_subject_display_key1 as string,\n      {\n        name: process.env.credential_subject_display_key1_name as string,\n        locale: process.env.credential_subject_display_key1_locale as string,\n      } as IssuerCredentialSubjectDisplay, // fixme: This is wrong (remove the cast and see it has no matches)\n    )\n    .build()\n  const issuerBuilder = new VcIssuerBuilder()\n    .withTXCode({ length: process.env.user_pin_length as unknown as number, input_mode: process.env.user_pin_input_mode as 'numeric' | 'text' })\n    .withAuthorizationServers(process.env.authorization_server as string)\n    .withCredentialEndpoint(process.env.credential_endpoint as string)\n    .withCredentialIssuer(process.env.credential_issuer as string)\n    .withIssuerDisplay({\n      name: process.env.issuer_name as string,\n      locale: process.env.issuer_locale as string,\n    })\n    .withCredentialConfigurationsSupported(credentialsSupported)\n    .withInMemoryCredentialOfferState()\n    .withInMemoryCNonceState()\n\n  if (process.env.authorization_server_client_id) {\n    if (!process.env.authorization_server_redirect_uri) {\n      throw Error('Authorization server redirect uri is required when client id is set')\n    }\n    issuerBuilder.withASClientMetadataParams({\n      client_id: process.env.authorization_server_client_id,\n      client_secret: process.env.authorization_server_client_secret,\n      redirect_uris: [process.env.authorization_server_redirect_uri],\n    })\n  }\n\n  return issuerBuilder.build()\n}\n\nexport type ICreateCredentialOfferURIResponse = Omit<CreateCredentialOfferURIResult, 'session'>\n\nexport interface IGetCredentialOfferEndpointOpts extends ISingleEndpointOpts {\n  baseUrl: string\n}\n\nexport interface IDeleteCredentialOfferEndpointOpts extends ISingleEndpointOpts {\n  baseUrl: string\n}\n\nexport interface ICreateCredentialOfferEndpointOpts extends ISingleEndpointOpts {\n  getOfferPath?: string\n  qrCodeOpts?: QRCodeOpts\n  baseUrl?: string\n  credentialOfferReferenceBasePath?: string\n  defaultCredentialOfferMode?: CredentialOfferMode\n}\n\nexport interface IGetIssueStatusEndpointOpts extends ISingleEndpointOpts {\n  baseUrl: string | URL\n}\n\nexport interface IGetIssuePayloadEndpointOpts extends ISingleEndpointOpts {\n  baseUrl: string | URL\n}\n\nexport interface IAuthorizationChallengeEndpointOpts extends ISingleEndpointOpts {\n  createAuthRequestUriEndpointPath?: string\n  verifyAuthResponseEndpointPath?: string\n  /**\n   * Callback used for creating the authorization request uri used for the RP.\n   * Added an optional state parameter so that when direct calls are used,\n   * one could set the state value of the RP session to match the state value of the VCI session.\n   */\n  createAuthRequestUriCallback: (state?: string) => Promise<string>\n  /**\n   * Callback used for verifying the status of the authorization response.\n   * This is checked by the issuer before issuing an authorization code.\n   */\n  verifyAuthResponseCallback: (correlationId: string) => Promise<boolean>\n}\n\nexport interface IOID4VCIEndpointOpts {\n  trustProxy?: boolean | Array<string>\n  tokenEndpointOpts?: ITokenEndpointOpts\n  notificationOpts?: ISingleEndpointOpts\n  createCredentialOfferOpts?: ICreateCredentialOfferEndpointOpts\n  deleteCredentialOfferOpts?: IDeleteCredentialOfferEndpointOpts\n  getCredentialOfferOpts?: IGetCredentialOfferEndpointOpts\n  getStatusOpts?: IGetIssueStatusEndpointOpts\n  getIssuePayloadOpts?: IGetIssuePayloadEndpointOpts\n  parOpts?: ISingleEndpointOpts\n  authorizationChallengeOpts?: IAuthorizationChallengeEndpointOpts\n}\n\nexport interface IOID4VCIServerOpts extends HasEndpointOpts {\n  asClientOpts?: ClientMetadata\n  endpointOpts?: IOID4VCIEndpointOpts\n  baseUrl?: string\n}\n\nexport class OID4VCIServer {\n  private readonly _issuer: VcIssuer\n  private authRequestsData: Map<string, AuthorizationRequest> = new Map()\n  private readonly _app: Express\n  private readonly _baseUrl: URL\n  private readonly _expressSupport: ExpressSupport\n  // private readonly _server?: http.Server\n  private readonly _router: express.Router\n  private readonly _asClientOpts?: ClientMetadata\n\n  constructor(\n    expressSupport: ExpressSupport,\n    opts: IOID4VCIServerOpts & { issuer?: VcIssuer } /*If not supplied as argument, it will be fully configured from environment variables*/,\n  ) {\n    this._baseUrl = new URL(opts?.baseUrl ?? process.env.BASE_URL ?? opts?.issuer?.issuerMetadata?.credential_issuer ?? 'http://localhost')\n    this._expressSupport = expressSupport\n    this._app = expressSupport.express\n    this._router = express.Router()\n    this._issuer = opts?.issuer ? opts.issuer : buildVCIFromEnvironment()\n    this._asClientOpts =\n      opts.asClientOpts || this._issuer.asClientOpts ? ({ ...opts.asClientOpts, ...this._issuer.asClientOpts } as ClientMetadata) : undefined\n\n    pushedAuthorizationEndpoint(this.router, this.issuer, this.authRequestsData)\n    getMetadataEndpoints(this.router, this.issuer)\n    let issuerPayloadPath: string | undefined\n    if (this.isGetIssuePayloadEndpointEnabled(opts?.endpointOpts?.getIssuePayloadOpts)) {\n      issuerPayloadPath = getCredentialOfferReferenceEndpoint(this.router, this.issuer, {\n        ...opts?.endpointOpts?.getIssuePayloadOpts,\n        baseUrl: this.baseUrl,\n      })\n    }\n\n    if (opts?.endpointOpts?.createCredentialOfferOpts?.enabled !== false || process.env.CREDENTIAL_OFFER_ENDPOINT_ENABLED === 'true') {\n      createCredentialOfferEndpoint(this.router, this.issuer, opts?.endpointOpts?.createCredentialOfferOpts, issuerPayloadPath)\n      deleteCredentialOfferEndpoint(this.router, this.issuer, opts?.endpointOpts?.deleteCredentialOfferOpts)\n    }\n    getCredentialOfferEndpoint(this.router, this.issuer, opts?.endpointOpts?.getCredentialOfferOpts)\n    getCredentialEndpoint(this.router, this.issuer, {\n      ...opts?.endpointOpts?.tokenEndpointOpts,\n      baseUrl: this.baseUrl,\n      accessTokenVerificationCallback:\n        opts.endpointOpts?.tokenEndpointOpts?.accessTokenVerificationCallback ??\n        (this._asClientOpts\n          ? oidcAccessTokenVerifyCallback({\n              clientMetadata: this._asClientOpts,\n              credentialIssuer: this._issuer.issuerMetadata.credential_issuer,\n              authorizationServer: this._issuer.issuerMetadata.authorization_servers![0],\n            })\n          : undefined),\n    })\n    this.assertAccessTokenHandling()\n    if (!this.isTokenEndpointDisabled(opts?.endpointOpts?.tokenEndpointOpts, opts?.asClientOpts)) {\n      accessTokenEndpoint(this.router, this.issuer, { ...opts?.endpointOpts?.tokenEndpointOpts, baseUrl: this.baseUrl })\n    }\n    if (this.isStatusEndpointEnabled(opts?.endpointOpts?.getStatusOpts)) {\n      getIssueStatusEndpoint(this.router, this.issuer, { ...opts?.endpointOpts?.getStatusOpts, baseUrl: this.baseUrl })\n    }\n    if (this.isAuthorizationChallengeEndpointEnabled(opts?.endpointOpts?.authorizationChallengeOpts)) {\n      if (!opts?.endpointOpts?.authorizationChallengeOpts?.createAuthRequestUriCallback) {\n        throw Error(`Unable to enable authorization challenge endpoint. No createAuthRequestUriCallback present in authorization challenge options`)\n      } else if (!opts?.endpointOpts?.authorizationChallengeOpts?.verifyAuthResponseCallback) {\n        throw Error(`Unable to enable authorization challenge endpoint. No verifyAuthResponseCallback present in authorization challenge options`)\n      }\n      authorizationChallengeEndpoint(this.router, this.issuer, { ...opts?.endpointOpts?.authorizationChallengeOpts, baseUrl: this.baseUrl })\n    }\n    this._app.use(getBasePath(this.baseUrl), this._router)\n  }\n\n  public get app(): Express {\n    return this._app\n  }\n\n  /*public get server(): http.Server | undefined {\n    return this._server\n  }*/\n\n  public get router(): express.Router {\n    return this._router\n  }\n\n  get issuer(): VcIssuer {\n    return this._issuer\n  }\n\n  public async stop() {\n    if (!this._expressSupport) {\n      throw Error('Cannot stop server is the REST API is only a router of an existing express app')\n    }\n    await this._expressSupport.stop()\n  }\n\n  private isTokenEndpointDisabled(tokenEndpointOpts?: ITokenEndpointOpts, asClientMetadata?: ClientMetadata) {\n    return tokenEndpointOpts?.tokenEndpointDisabled === true || process.env.TOKEN_ENDPOINT_DISABLED === 'true' || asClientMetadata\n  }\n\n  private isStatusEndpointEnabled(statusEndpointOpts?: IGetIssueStatusEndpointOpts) {\n    return statusEndpointOpts?.enabled !== false || process.env.STATUS_ENDPOINT_ENABLED !== 'false'\n  }\n\n  private isGetIssuePayloadEndpointEnabled(payloadEndpointOpts?: IGetIssuePayloadEndpointOpts) {\n    return payloadEndpointOpts?.enabled !== false || process.env.STATUS_ENDPOINT_ENABLED !== 'false'\n  }\n\n  private isAuthorizationChallengeEndpointEnabled(authorizationChallengeEndpointOpts?: IAuthorizationChallengeEndpointOpts) {\n    return authorizationChallengeEndpointOpts?.enabled === true || process.env.AUTHORIZATION_CHALLENGE_ENDPOINT_ENABLED === 'true'\n  }\n\n  private assertAccessTokenHandling(tokenEndpointOpts?: ITokenEndpointOpts) {\n    const authServer = this.issuer.issuerMetadata.authorization_servers\n    if (this.isTokenEndpointDisabled(tokenEndpointOpts, this.issuer.asClientOpts)) {\n      if (!authServer || authServer.length === 0) {\n        throw Error(\n          `No Authorization Server (AS) is defined in the issuer metadata and the token endpoint is disabled. An AS or token endpoints needs to be present`,\n        )\n      }\n      if (this.issuer.asClientOpts) {\n        console.log(`Token endpoint disabled because AS client metadata is set for ${authServer[0]}`)\n      } else {\n        console.log(`Token endpoint disabled by configuration`)\n      }\n    } else {\n      if (authServer && authServer.some((as) => as !== this.issuer.issuerMetadata.credential_issuer)) {\n        throw Error(\n          `An external Authorization Server (AS) was already enabled in the issuer metadata (${authServer}). Cannot both have an AS and enable the token endpoint at the same time `,\n        )\n      } else if (this._asClientOpts) {\n        throw Error(`OIDC Client metadata is set, but the token endpoint is not disabled. This is not supported.`)\n      }\n    }\n  }\n  get baseUrl(): URL {\n    return this._baseUrl\n  }\n}\n","import { uuidv4 } from '@sphereon/oid4vc-common'\nimport {\n  ACCESS_TOKEN_ISSUER_REQUIRED_ERROR,\n  AccessTokenRequest,\n  adjustUrl,\n  AuthorizationChallengeCodeResponse,\n  AuthorizationChallengeError,\n  AuthorizationChallengeErrorResponse,\n  AuthorizationRequest,\n  CommonAuthorizationChallengeRequest,\n  CredentialIssuerMetadataOptsV1_0_13,\n  CredentialOfferMode,\n  CredentialOfferRESTRequest,\n  CredentialRequestV1_0_13,\n  determineGrantTypes,\n  determineSpecVersionFromOffer,\n  EVENTS,\n  extractBearerToken,\n  generateRandomString,\n  getNumberOrUndefined,\n  Grant,\n  IssueStatusResponse,\n  JWT_SIGNER_CALLBACK_REQUIRED_ERROR,\n  NotificationRequest,\n  NotificationStatusEventNames,\n  OpenId4VCIVersion,\n  TokenErrorResponse,\n  trimBoth,\n  trimEnd,\n  trimStart,\n  validateJWT,\n  WellKnownEndpoints,\n} from '@sphereon/oid4vci-common'\nimport { ITokenEndpointOpts, LOG, VcIssuer } from '@sphereon/oid4vci-issuer'\nimport { env, ISingleEndpointOpts, sendErrorResponse } from '@sphereon/ssi-express-support'\nimport { InitiatorType, SubSystem, System } from '@sphereon/ssi-types'\nimport { NextFunction, Request, Response, Router } from 'express'\n\nimport { handleTokenRequest, verifyTokenRequest } from './IssuerTokenEndpoint'\nimport {\n  IAuthorizationChallengeEndpointOpts,\n  ICreateCredentialOfferEndpointOpts,\n  ICreateCredentialOfferURIResponse,\n  IGetCredentialOfferEndpointOpts,\n  IGetIssueStatusEndpointOpts,\n} from './OID4VCIServer'\nimport { validateRequestBody } from './expressUtils'\n\nconst expiresIn = process.env.EXPIRES_IN ? parseInt(process.env.EXPIRES_IN) : 90\n\nexport function getIssueStatusEndpoint(router: Router, issuer: VcIssuer, opts: IGetIssueStatusEndpointOpts) {\n  const path = determinePath(opts.baseUrl, opts?.path ?? '/webapp/credential-offer-status', { stripBasePath: true })\n  LOG.log(`[OID4VCI] getIssueStatus endpoint enabled at ${path}`)\n  router.post(path, async (request: Request, response: Response) => {\n    try {\n      const { id } = request.body\n      const session = await issuer.getCredentialOfferSessionById(id)\n      if (!session || !session.credentialOffer) {\n        return sendErrorResponse(response, 404, {\n          error: 'invalid_request',\n          error_description: `Credential offer ${id} not found`,\n        })\n      }\n\n      const authStatusBody: IssueStatusResponse = {\n        createdAt: session.createdAt,\n        lastUpdatedAt: session.lastUpdatedAt,\n        expiresAt: session.expiresAt,\n        status: session.status,\n        statusLists: session.statusLists,\n        ...(session.error && { error: session.error }),\n        ...(session.clientId && { clientId: session.clientId }),\n      }\n      return response.json(authStatusBody)\n    } catch (e) {\n      return sendErrorResponse(\n        response,\n        500,\n        {\n          error: 'invalid_request',\n          error_description: (e as Error).message,\n        },\n        e,\n      )\n    }\n  })\n}\n\nexport function getCredentialOfferReferenceEndpoint(router: Router, issuer: VcIssuer, opts: IGetIssueStatusEndpointOpts): string {\n  const path = determinePath(opts.baseUrl, opts?.path ?? '/credential-offers/:id', { stripBasePath: true })\n  LOG.log(`[OID4VCI] getCredentialOfferReferenceEndpoint endpoint enabled at ${path}`)\n  router.get(path, async (request: Request, response: Response) => {\n    try {\n      const { id } = request.params\n      if (!id) {\n        return sendErrorResponse(response, 404, {\n          error: 'invalid_request',\n          error_description: `query parameter 'id' is missing`,\n        })\n      }\n\n      let session\n      try {\n        session = await issuer.getCredentialOfferSessionById(id as string)\n      } catch (e) {\n        /* will crash with 500 instead of 404 if we do not catch */\n      }\n\n      if (!session || !session.credentialOffer || session.status !== 'OFFER_CREATED') {\n        if (session?.status) {\n          LOG.warning(\n            `[OID4VCI] credential offer reference URI request with ${id}, but request was already received earlier. Session status: ${session.status}`,\n          )\n        }\n        return sendErrorResponse(response, 404, {\n          error: 'invalid_request',\n          error_description: `Credential offer ${id} not found`,\n        })\n      }\n\n      return response.json(session.credentialOffer.credential_offer)\n    } catch (e) {\n      return sendErrorResponse(\n        response,\n        500,\n        {\n          error: 'invalid_request',\n          error_description: (e as Error).message,\n        },\n        e,\n      )\n    }\n  })\n  return path\n}\n\nfunction isExternalAS(issuerMetadata: CredentialIssuerMetadataOptsV1_0_13) {\n  return issuerMetadata.authorization_servers?.some((as) => !as.includes(issuerMetadata.credential_issuer))\n}\n\nexport function authorizationChallengeEndpoint(\n  router: Router,\n  issuer: VcIssuer,\n  opts: IAuthorizationChallengeEndpointOpts & { baseUrl: string | URL },\n) {\n  const endpoint = issuer.authorizationServerMetadata.authorization_challenge_endpoint ?? issuer.issuerMetadata.authorization_challenge_endpoint\n  const baseUrl = getBaseUrl(opts.baseUrl)\n  if (!endpoint) {\n    LOG.info('authorization challenge endpoint disabled as no \"authorization_challenge_endpoint\" has been configured in issuer metadata')\n    return\n  }\n  const path = determinePath(baseUrl, endpoint, { stripBasePath: true })\n  LOG.log(`[OID4VCI] authorization challenge endpoint at ${path}`)\n  router.post(path, async (request: Request, response: Response) => {\n    const authorizationChallengeRequest = request.body as CommonAuthorizationChallengeRequest\n    const { client_id, issuer_state, auth_session, presentation_during_issuance_session } = authorizationChallengeRequest\n\n    try {\n      if (!client_id && !auth_session) {\n        const authorizationChallengeErrorResponse: AuthorizationChallengeErrorResponse = {\n          error: AuthorizationChallengeError.invalid_request,\n          error_description: 'No client id or auth session present',\n        } as AuthorizationChallengeErrorResponse\n        throw authorizationChallengeErrorResponse\n      }\n\n      if (!auth_session && issuer_state) {\n        const session = await issuer.credentialOfferSessions.get(issuer_state)\n        if (!session) {\n          const authorizationChallengeErrorResponse: AuthorizationChallengeErrorResponse = {\n            error: AuthorizationChallengeError.invalid_session,\n            error_description: 'Session is invalid',\n          }\n          throw authorizationChallengeErrorResponse\n        }\n\n        const authRequestURI = await opts.createAuthRequestUriCallback(issuer_state) // TODO generate some error\n        const authorizationChallengeErrorResponse: AuthorizationChallengeErrorResponse = {\n          error: AuthorizationChallengeError.insufficient_authorization,\n          auth_session: issuer_state,\n          presentation: authRequestURI,\n        }\n        throw authorizationChallengeErrorResponse\n      }\n\n      if (auth_session && presentation_during_issuance_session) {\n        const session = await issuer.credentialOfferSessions.get(auth_session)\n        if (!session) {\n          const authorizationChallengeErrorResponse: AuthorizationChallengeErrorResponse = {\n            error: AuthorizationChallengeError.invalid_session,\n            error_description: 'Session is invalid',\n          }\n          throw authorizationChallengeErrorResponse\n        }\n\n        const verifiedResponse = await opts.verifyAuthResponseCallback(presentation_during_issuance_session) // TODO generate some error\n        if (verifiedResponse) {\n          const authorizationCode = generateRandomString(16, 'base64url')\n          session.authorizationCode = authorizationCode\n          await issuer.credentialOfferSessions.set(auth_session, session)\n          const authorizationChallengeCodeResponse: AuthorizationChallengeCodeResponse = {\n            authorization_code: authorizationCode,\n          }\n          return response.json(authorizationChallengeCodeResponse)\n        }\n      }\n\n      const authorizationChallengeErrorResponse: AuthorizationChallengeErrorResponse = {\n        error: AuthorizationChallengeError.invalid_request,\n      }\n      throw authorizationChallengeErrorResponse\n    } catch (e) {\n      return sendErrorResponse(response, 400, e as Error, e)\n    }\n  })\n}\n\nexport function accessTokenEndpoint(router: Router, issuer: VcIssuer, opts: ITokenEndpointOpts & ISingleEndpointOpts & { baseUrl: string | URL }) {\n  const externalAS = isExternalAS(issuer.issuerMetadata) || issuer.asClientOpts\n  if (externalAS || (opts.accessTokenProvider && opts.accessTokenProvider !== 'internal')) {\n    LOG.log(\n      `[OID4VCI] External Authorization Server ${issuer.issuerMetadata.authorization_servers} is being used. Not enabling internal issuer token endpoint`,\n    )\n    return\n  } else if (opts?.enabled === false) {\n    LOG.log(`[OID4VCI] Internal issuer token endpoint is not enabled`)\n    return\n  }\n  const accessTokenIssuer =\n    opts?.accessTokenIssuer ??\n    process.env.ACCESS_TOKEN_ISSUER ??\n    issuer.issuerMetadata.authorization_servers?.[0] ??\n    issuer.issuerMetadata.credential_issuer\n\n  const preAuthorizedCodeExpirationDuration =\n    opts?.preAuthorizedCodeExpirationDuration ?? getNumberOrUndefined(process.env.PRE_AUTHORIZED_CODE_EXPIRATION_DURATION) ?? 300\n  const interval = opts?.interval ?? getNumberOrUndefined(process.env.INTERVAL) ?? 300\n  const tokenExpiresIn = opts?.tokenExpiresIn ?? 300\n\n  // todo: this means we cannot sign JWTs or issue access tokens when configured from env vars!\n  if (opts?.accessTokenSignerCallback === undefined) {\n    throw new Error(JWT_SIGNER_CALLBACK_REQUIRED_ERROR)\n  } else if (!accessTokenIssuer) {\n    throw new Error(ACCESS_TOKEN_ISSUER_REQUIRED_ERROR)\n  }\n\n  const baseUrl = getBaseUrl(opts.baseUrl)\n\n  // issuer is also AS\n  const path = determinePath(baseUrl, opts?.tokenPath ?? process.env.TOKEN_PATH ?? '/token', {\n    skipBaseUrlCheck: false,\n    stripBasePath: true,\n  })\n  // let's fix any baseUrl ending with a slash as path will always start with a slash, and we already removed it at the end of the base url\n\n  const url = new URL(`${baseUrl}${path}`)\n\n  LOG.log(`[OID4VCI] Token endpoint enabled at ${url.toString()}`)\n\n  // this.issuer.issuerMetadata.token_endpoint = url.toString()\n  router.post(\n    determinePath(baseUrl, url.pathname, { stripBasePath: true }),\n    verifyTokenRequest({\n      issuer,\n      preAuthorizedCodeExpirationDuration,\n    }),\n    handleTokenRequest({\n      issuer,\n      accessTokenSignerCallback: opts.accessTokenSignerCallback,\n      cNonceExpiresIn: issuer.cNonceExpiresIn,\n      interval,\n      tokenExpiresIn,\n      accessTokenIssuer,\n    }),\n  )\n}\n\nexport function getCredentialEndpoint(\n  router: Router,\n  issuer: VcIssuer,\n  opts: Pick<ITokenEndpointOpts, 'accessTokenVerificationCallback' | 'accessTokenSignerCallback' | 'tokenExpiresIn' | 'cNonceExpiresIn'> &\n    ISingleEndpointOpts & { baseUrl: string | URL },\n) {\n  const endpoint = issuer.issuerMetadata.credential_endpoint\n  const baseUrl = getBaseUrl(opts.baseUrl)\n  let path: string\n  if (!endpoint) {\n    path = `/credentials`\n    issuer.issuerMetadata.credential_endpoint = `${baseUrl}${path}`\n  } else {\n    path = determinePath(baseUrl, endpoint, { stripBasePath: true, skipBaseUrlCheck: false })\n  }\n  path = determinePath(baseUrl, path, { stripBasePath: true })\n  LOG.log(`[OID4VCI] getCredential endpoint enabled at ${path}`)\n  router.post(path, async (request: Request, response: Response) => {\n    try {\n      const credentialRequest = request.body as CredentialRequestV1_0_13\n      LOG.log(`credential request received`, credentialRequest)\n      try {\n        const jwt = extractBearerToken(request.header('Authorization'))\n        await validateJWT(jwt, { accessTokenVerificationCallback: opts.accessTokenVerificationCallback ?? issuer.jwtVerifyCallback })\n      } catch (e) {\n        LOG.warning(e)\n        return sendErrorResponse(response, 400, {\n          error: 'invalid_token',\n        })\n      }\n\n      const credential = await issuer.issueCredential({\n        credentialRequest: credentialRequest,\n        tokenExpiresIn: opts.tokenExpiresIn,\n        cNonceExpiresIn: opts.cNonceExpiresIn,\n      })\n      return response.json(credential)\n    } catch (e) {\n      return sendErrorResponse(\n        response,\n        500,\n        {\n          error: 'invalid_request',\n          error_description: (e as Error).message,\n        },\n        e,\n      )\n    }\n  })\n}\n\nexport function notificationEndpoint(\n  router: Router,\n  issuer: VcIssuer,\n  opts: ISingleEndpointOpts & Pick<ITokenEndpointOpts, 'accessTokenVerificationCallback'> & { baseUrl: string | URL },\n) {\n  const endpoint = issuer.issuerMetadata.notification_endpoint\n  const baseUrl = getBaseUrl(opts.baseUrl)\n  if (!endpoint) {\n    LOG.warning('Notification endpoint disabled as no \"notification_endpoint\" has been configured in issuer metadata')\n    return\n  }\n  const path = determinePath(baseUrl, endpoint, { stripBasePath: true })\n  LOG.log(`[OID4VCI] notification endpoint enabled at ${path}`)\n  router.post(path, async (request: Request, response: Response) => {\n    try {\n      const notificationRequest = request.body as NotificationRequest\n      LOG.log(\n        `notification ${notificationRequest.event}/${notificationRequest.event_description} received for ${notificationRequest.notification_id}`,\n      )\n      const jwt = extractBearerToken(request.header('Authorization'))\n      EVENTS.emit(NotificationStatusEventNames.OID4VCI_NOTIFICATION_RECEIVED, {\n        eventName: NotificationStatusEventNames.OID4VCI_NOTIFICATION_RECEIVED,\n        id: uuidv4(),\n        data: notificationRequest,\n        initiator: jwt,\n        initiatorType: InitiatorType.EXTERNAL,\n        system: System.OID4VCI,\n        subsystem: SubSystem.API,\n      })\n      try {\n        const jwtResult = await validateJWT(jwt, { accessTokenVerificationCallback: opts.accessTokenVerificationCallback })\n        const accessToken = jwtResult.jwt.payload as AccessTokenRequest\n        const errorOrSession = await issuer.processNotification({\n          preAuthorizedCode: accessToken['pre-authorized_code'],\n          /*TODO: authorizationCode*/ notification: notificationRequest,\n        })\n        if (errorOrSession instanceof Error) {\n          EVENTS.emit(NotificationStatusEventNames.OID4VCI_NOTIFICATION_ERROR, {\n            eventName: NotificationStatusEventNames.OID4VCI_NOTIFICATION_ERROR,\n            id: uuidv4(),\n            data: notificationRequest,\n            initiator: jwtResult.jwt,\n            initiatorType: InitiatorType.EXTERNAL,\n            system: System.OID4VCI,\n            subsystem: SubSystem.API,\n          })\n          return sendErrorResponse(response, 400, errorOrSession.message)\n        } else {\n          EVENTS.emit(NotificationStatusEventNames.OID4VCI_NOTIFICATION_PROCESSED, {\n            eventName: NotificationStatusEventNames.OID4VCI_NOTIFICATION_PROCESSED,\n            id: uuidv4(),\n            data: notificationRequest,\n            initiator: jwtResult.jwt,\n            initiatorType: InitiatorType.EXTERNAL,\n            system: System.OID4VCI,\n            subsystem: SubSystem.API,\n          })\n        }\n      } catch (e) {\n        LOG.warning(e)\n        return sendErrorResponse(response, 400, {\n          error: 'invalid_token',\n        })\n      }\n      return response.status(204).send()\n    } catch (e) {\n      return sendErrorResponse(\n        response,\n        400,\n        {\n          error: 'invalid_notification_request',\n          error_description: (e as Error).message,\n        },\n        e,\n      )\n    }\n  })\n}\n\nexport function getCredentialOfferEndpoint(router: Router, issuer: VcIssuer, opts?: IGetCredentialOfferEndpointOpts) {\n  const path = determinePath(opts?.baseUrl, opts?.path ?? '/webapp/credential-offers/:id', { stripBasePath: true })\n  LOG.log(`[OID4VCI] getCredentialOffer endpoint enabled at ${path}`)\n  router.get(path, async (request: Request, response: Response) => {\n    try {\n      const { id } = request.params\n      const session = await issuer.getCredentialOfferSessionById(id)\n      if (!session || !session.credentialOffer) {\n        return sendErrorResponse(response, 404, {\n          error: 'invalid_request',\n          error_description: `Credential offer ${id} not found`,\n        })\n      }\n      return response.json(session.credentialOffer.credential_offer)\n    } catch (e) {\n      return sendErrorResponse(\n        response,\n        500,\n        {\n          error: 'invalid_request',\n          error_description: (e as Error).message,\n        },\n        e,\n      )\n    }\n  })\n}\n\nexport function deleteCredentialOfferEndpoint(router: Router, issuer: VcIssuer, opts?: IGetCredentialOfferEndpointOpts) {\n  const path = determinePath(opts?.baseUrl, opts?.path ?? '/webapp/credential-offers/:id', { stripBasePath: true })\n  LOG.log(`[OID4VCI] deleteCredentialOffer endpoint enabled at ${path}`)\n  router.delete(path, async (request: Request, response: Response) => {\n    try {\n      const { id } = request.params\n      if (!id) {\n        return sendErrorResponse(response, 400, {\n          error: 'invalid_request',\n          error_description: 'id must be present',\n        })\n      }\n      await issuer.deleteCredentialOfferSessionById(id)\n      return response.sendStatus(204)\n    } catch (e) {\n      return sendErrorResponse(\n        response,\n        500,\n        {\n          error: 'invalid_request',\n          error_description: (e as Error).message,\n        },\n        e,\n      )\n    }\n  })\n}\n\nfunction buildCredentialOfferReferenceUri(request: Request<CredentialOfferRESTRequest>, offerReferencePath?: string) {\n  if (!offerReferencePath) {\n    return Promise.reject(Error('issuePayloadPath must bet set for offerMode REFERENCE!'))\n  }\n\n  const protocol = request.headers['x-forwarded-proto']?.toString() ?? request.protocol\n  let host = request.headers['x-forwarded-host']?.toString() ?? request.get('host')\n  const forwardedPort = request.headers['x-forwarded-port']?.toString()\n\n  if (forwardedPort && !(protocol === 'https' && forwardedPort === '443') && !(protocol === 'http' && forwardedPort === '80')) {\n    host += `:${forwardedPort}`\n  }\n\n  const forwardedPrefix = request.headers['x-forwarded-prefix']?.toString() ?? ''\n\n  return `${protocol}://${host}${forwardedPrefix}${request.baseUrl}${offerReferencePath}`\n}\n\nexport function createCredentialOfferEndpoint(\n  router: Router,\n  issuer: VcIssuer,\n  opts?: ICreateCredentialOfferEndpointOpts & { baseUrl?: string },\n  issuerPayloadPath?: string, // backwards compat, sigh\n) {\n  const path = determinePath(opts?.baseUrl, opts?.path ?? '/webapp/credential-offers', { stripBasePath: true })\n  const offerReferencePath =\n    opts?.credentialOfferReferenceBasePath ?? issuerPayloadPath ?? determinePath(opts?.baseUrl, '/credential-offers', { stripBasePath: true })\n\n  LOG.log(`[OID4VCI] createCredentialOffer endpoint enabled at ${path}`)\n  router.post(path, async (request: Request<CredentialOfferRESTRequest>, response: Response<ICreateCredentialOfferURIResponse>) => {\n    try {\n      const specVersion = determineSpecVersionFromOffer(request.body.original_credential_offer)\n      if (specVersion < OpenId4VCIVersion.VER_1_0_13) {\n        return sendErrorResponse(response, 400, {\n          error: TokenErrorResponse.invalid_client,\n          error_description: 'credential offer request should be of spec version 1.0.13 or above',\n        })\n      }\n\n      const grantTypes = determineGrantTypes(request.body)\n      if (grantTypes.length === 0) {\n        return sendErrorResponse(response, 400, { error: TokenErrorResponse.invalid_grant, error_description: 'No grant type supplied' })\n      }\n      const grants = request.body.grants as Grant\n      const credentialConfigIds = request.body.credential_configuration_ids as string[]\n      if (!credentialConfigIds || credentialConfigIds.length === 0) {\n        return sendErrorResponse(response, 400, {\n          error: TokenErrorResponse.invalid_request,\n          error_description: 'credential_configuration_ids missing credential_configuration_ids in credential offer payload',\n        })\n      }\n      const qrCodeOpts = request.body.qrCodeOpts ?? opts?.qrCodeOpts\n      const offerMode: CredentialOfferMode = request.body.offerMode ?? opts?.defaultCredentialOfferMode ?? 'VALUE' // default to existing mode when nothing specified\n\n      const client_id: string | undefined = request.body.client_id ?? request.body.original_credential_offer?.client_id\n      const result = await issuer.createCredentialOfferURI({\n        ...request.body,\n        offerMode,\n        client_id,\n        ...(request.body.correlationId && { correlationId: request.body.correlationId }),\n        ...(offerMode === 'REFERENCE' && { credentialOfferUri: buildCredentialOfferReferenceUri(request, offerReferencePath) }),\n        qrCodeOpts,\n        grants,\n      })\n      const resultResponse: ICreateCredentialOfferURIResponse = result\n      if ('session' in resultResponse) {\n        // eslint-disable-next-line @typescript-eslint/ban-ts-comment\n        // @ts-ignore\n        delete resultResponse.session\n      }\n      return response.json(resultResponse)\n    } catch (e) {\n      return sendErrorResponse(\n        response,\n        500,\n        {\n          error: TokenErrorResponse.invalid_request,\n          error_description: (e as Error).message,\n        },\n        e,\n      )\n    }\n  })\n}\n\nexport function pushedAuthorizationEndpoint(\n  router: Router,\n  issuer: VcIssuer,\n  authRequestsData: Map<string, AuthorizationRequest>,\n  opts?: ISingleEndpointOpts,\n) {\n  const externalAS = isExternalAS(issuer.issuerMetadata) || issuer.asClientOpts\n  if (externalAS) {\n    LOG.log(\n      `[OID4VCI] External Authorization Server ${issuer.issuerMetadata.authorization_servers} is being used. Not enabling internal PAR endpoint`,\n    )\n    return\n  } else if (opts?.enabled === false) {\n    LOG.log(`[OID4VCI] Internal PAR endpoint is not enabled`)\n    return\n  }\n\n  const handleHttpStatus400 = async (req: Request, res: Response, next: NextFunction) => {\n    if (!req.body) {\n      return res.status(400).json({ error: 'invalid_request', error_description: 'Request body must be present' })\n    }\n    const required = ['client_id', 'code_challenge_method', 'code_challenge', 'redirect_uri']\n    const conditional = ['authorization_details', 'scope']\n    try {\n      validateRequestBody({ required, conditional, body: req.body })\n    } catch (e: unknown) {\n      return sendErrorResponse(res, 400, {\n        error: 'invalid_request',\n        error_description: (e as Error).message,\n      })\n    }\n    return next()\n  }\n\n  router.post('/par', handleHttpStatus400, (req: Request, res: Response) => {\n    // FIXME Fake client for testing, it needs to come from a registered client\n    const client = {\n      scope: ['openid', 'test'],\n      redirectUris: ['http://localhost:8080/*', 'https://www.test.com/*', 'https://test.nl', 'http://*/chart', 'http:*'],\n    }\n\n    // For security reasons the redirect_uri from the request needs to be matched against the ones present in the registered client\n    const matched = client.redirectUris.filter((s: string) => new RegExp(s.replace('*', '.*')).test(req.body.redirect_uri))\n    if (!matched.length) {\n      return sendErrorResponse(res, 400, {\n        error: 'invalid_request',\n        error_description: 'redirect_uri is not valid for the given client',\n      })\n    }\n\n    // The scopes from the request need to be matched against the ones present in the registered client\n    if (!req.body.scope.split(',').every((scope: string) => client.scope.includes(scope))) {\n      return sendErrorResponse(res, 400, {\n        error: 'invalid_scope',\n        error_description: 'scope is not valid for the given client',\n      })\n    }\n\n    //TODO Implement authorization_details verification\n\n    // TODO: Both UUID and requestURI need to be configurable for the server\n    const uuid = uuidv4()\n    const requestUri = `urn:ietf:params:oauth:request_uri:${uuid}`\n    // The redirect_uri is created and set in a map, to keep track of the actual request\n    authRequestsData.set(requestUri, req.body)\n    // Invalidates the request_uri removing it from the mapping after it is expired, needs to be refactored because\n    // some of the properties will be needed in subsequent steps if the authorization succeeds\n    // TODO in the /token endpoint the code_challenge must be matched against the hashed code_verifier\n    setTimeout(() => {\n      authRequestsData.delete(requestUri)\n    }, expiresIn * 1000)\n\n    return res.status(201).json({ request_uri: requestUri, expires_in: expiresIn })\n  })\n}\n\nexport function getMetadataEndpoints(router: Router, issuer: VcIssuer) {\n  const credentialIssuerHandler = (request: Request, response: Response) => {\n    return response.json(issuer.issuerMetadata)\n  }\n  router.get(WellKnownEndpoints.OPENID4VCI_ISSUER, credentialIssuerHandler)\n\n  const authorizationServerHandler = (request: Request, response: Response) => {\n    return response.json(issuer.authorizationServerMetadata)\n  }\n  router.get(WellKnownEndpoints.OAUTH_AS, authorizationServerHandler)\n}\n\nexport function determinePath(\n  baseUrl: URL | string | undefined,\n  endpoint: string,\n  opts?: { skipBaseUrlCheck?: boolean; prependUrl?: string; stripBasePath?: boolean },\n) {\n  const basePath = baseUrl ? getBasePath(baseUrl) : ''\n  let path = endpoint\n  if (opts?.prependUrl) {\n    path = adjustUrl(path, { prepend: opts.prependUrl })\n  }\n  if (opts?.skipBaseUrlCheck !== true) {\n    assertEndpointHasIssuerBaseUrl(baseUrl, endpoint)\n  }\n  if (endpoint.includes('://')) {\n    path = new URL(endpoint).pathname\n  }\n  path = `/${trimBoth(path, '/')}`\n  if (opts?.stripBasePath && path.startsWith(basePath)) {\n    path = trimStart(path, basePath)\n    path = `/${trimBoth(path, '/')}`\n  }\n  return path\n}\n\nfunction assertEndpointHasIssuerBaseUrl(baseUrl: URL | string | undefined, endpoint: string) {\n  if (!validateEndpointHasIssuerBaseUrl(baseUrl, endpoint)) {\n    throw Error(`endpoint '${endpoint}' does not have base url '${baseUrl ? getBaseUrl(baseUrl) : '<no baseurl supplied>'}'`)\n  }\n}\n\nfunction validateEndpointHasIssuerBaseUrl(baseUrl: URL | string | undefined, endpoint: string): boolean {\n  if (!endpoint) {\n    return false\n  } else if (!endpoint.includes('://')) {\n    return true //absolute or relative path, not containing a hostname\n  } else if (!baseUrl) {\n    return true\n  }\n  return endpoint.startsWith(getBaseUrl(baseUrl))\n}\n\nexport function getBaseUrl(url?: URL | string | undefined) {\n  let baseUrl = url\n  if (!baseUrl) {\n    const envUrl = env('BASE_URL', process?.env?.ENV_PREFIX)\n    if (envUrl && envUrl.length > 0) {\n      baseUrl = new URL(envUrl)\n    }\n  }\n  if (!baseUrl) {\n    throw Error(`No base URL provided`)\n  }\n  return trimEnd(baseUrl.toString(), '/')\n}\n\nexport function getBasePath(url?: URL | string) {\n  const basePath = new URL(getBaseUrl(url)).pathname\n  if (basePath === '' || basePath === '/') {\n    return ''\n  }\n  return `/${trimBoth(basePath, '/')}`\n}\n","import { DPoPVerifyJwtCallback, JWK, uuidv4, verifyDPoP } from '@sphereon/oid4vc-common'\nimport { GrantTypes, PRE_AUTHORIZED_CODE_REQUIRED_ERROR, TokenError, TokenErrorResponse } from '@sphereon/oid4vci-common'\nimport { assertValidAccessTokenRequest, createAccessTokenResponse, ITokenEndpointOpts, VcIssuer } from '@sphereon/oid4vci-issuer'\nimport { sendErrorResponse } from '@sphereon/ssi-express-support'\nimport { NextFunction, Request, Response } from 'express'\n\n/**\n *\n * @param tokenExpiresIn\n * @param accessTokenSignerCallback\n * @param accessTokenIssuer\n * @param cNonceExpiresIn\n * @param issuer\n * @param interval\n */\nexport const handleTokenRequest = ({\n  tokenExpiresIn, // expiration in seconds\n  accessTokenEndpoint,\n  accessTokenSignerCallback,\n  accessTokenIssuer,\n  cNonceExpiresIn, // expiration in seconds\n  issuer,\n  interval,\n  dpop,\n}: Required<Pick<ITokenEndpointOpts, 'accessTokenIssuer' | 'cNonceExpiresIn' | 'interval' | 'accessTokenSignerCallback' | 'tokenExpiresIn'>> & {\n  issuer: VcIssuer\n  dpop?: {\n    requireDPoP?: boolean\n    dPoPVerifyJwtCallback: DPoPVerifyJwtCallback\n  }\n  // The full URL of the access token endpoint\n  accessTokenEndpoint?: string\n}) => {\n  return async (request: Request, response: Response) => {\n    response.set({\n      'Cache-Control': 'no-store',\n      Pragma: 'no-cache',\n    })\n\n    if (request.body.grant_type !== GrantTypes.PRE_AUTHORIZED_CODE) {\n      // Yes this is redundant, only here to remind us that we need to implement the auth flow as well\n      return sendErrorResponse(response, 400, {\n        error: TokenErrorResponse.invalid_request,\n        error_description: PRE_AUTHORIZED_CODE_REQUIRED_ERROR,\n      })\n    }\n\n    if (request.headers.authorization && request.headers.authorization.startsWith('DPoP ') && !request.headers.DPoP) {\n      return sendErrorResponse(response, 400, {\n        error: TokenErrorResponse.invalid_request,\n        error_description: 'DPoP header is required',\n      })\n    }\n\n    let dPoPJwk: JWK | undefined\n    if (dpop?.requireDPoP && !request.headers.dpop) {\n      return sendErrorResponse(response, 400, {\n        error: TokenErrorResponse.invalid_request,\n        error_description: 'DPoP is required for requesting access tokens.',\n      })\n    }\n\n    if (request.headers.dpop) {\n      if (!dpop) {\n        console.error('Received unsupported DPoP header. The issuer is not configured to work with DPoP. Provide DPoP options for it to work.')\n\n        return sendErrorResponse(response, 400, {\n          error: TokenErrorResponse.invalid_request,\n          error_description: 'Received unsupported DPoP header.',\n        })\n      }\n\n      try {\n        const fullUrl = accessTokenEndpoint ?? request.protocol + '://' + request.get('host') + request.originalUrl\n        dPoPJwk = await verifyDPoP(\n          { method: request.method, headers: request.headers, fullUrl },\n          {\n            jwtVerifyCallback: dpop.dPoPVerifyJwtCallback,\n            expectAccessToken: false,\n            maxIatAgeInSeconds: undefined,\n          },\n        )\n      } catch (error) {\n        return sendErrorResponse(response, 400, {\n          error: TokenErrorResponse.invalid_dpop_proof,\n          error_description: error instanceof Error ? error.message : 'Unknown error',\n        })\n      }\n    }\n\n    try {\n      const responseBody = await createAccessTokenResponse(request.body, {\n        credentialOfferSessions: issuer.credentialOfferSessions,\n        accessTokenIssuer,\n        cNonces: issuer.cNonces,\n        cNonce: uuidv4(),\n        accessTokenSignerCallback,\n        cNonceExpiresIn,\n        interval,\n        tokenExpiresIn,\n        dPoPJwk,\n      })\n      return response.status(200).json(responseBody)\n    } catch (error) {\n      return sendErrorResponse(\n        response,\n        400,\n        {\n          error: TokenErrorResponse.invalid_request,\n        },\n        error,\n      )\n    }\n  }\n}\n\nexport const verifyTokenRequest = ({\n  preAuthorizedCodeExpirationDuration,\n  issuer,\n}: Required<Pick<ITokenEndpointOpts, 'preAuthorizedCodeExpirationDuration'> & { issuer: VcIssuer }>) => {\n  return async (request: Request, response: Response, next: NextFunction) => {\n    try {\n      await assertValidAccessTokenRequest(request.body, {\n        expirationDuration: preAuthorizedCodeExpirationDuration,\n        credentialOfferSessions: issuer.credentialOfferSessions,\n      })\n    } catch (error) {\n      if (error instanceof TokenError) {\n        return sendErrorResponse(response, error.statusCode, {\n          error: error.responseError,\n          error_description: error.getDescription(),\n        })\n      } else {\n        return sendErrorResponse(response, 400, { error: TokenErrorResponse.invalid_request, error_description: (error as Error).message }, error)\n      }\n    }\n\n    return next()\n  }\n}\n","import { Request } from 'express'\n\nexport const validateRequestBody = ({\n  required,\n  conditional,\n  body,\n}: {\n  required?: string[]\n  conditional?: string[]\n  body: Pick<Request, 'body'>\n}): void => {\n  const keys = Object.keys(body)\n  let message\n  if (required && !required.every((k) => keys.includes(k))) {\n    message = `Request must contain ${required.toString()}`\n  }\n  if (conditional && !conditional.some((k) => keys.includes(k))) {\n    message = message ? `and request must contain ether ${conditional.toString()}` : `Request must contain ether ${conditional.toString()}`\n  }\n  if (message) {\n    throw new Error(message)\n  }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;;;;;;;;;;;;;;;;;;;ACUA,IAAAA,yBAMO;AAEP,qBAAiC;;;AClBjC,IAAAC,wBAAuB;AACvB,IAAAC,yBA+BO;AACP,IAAAC,yBAAkD;AAClD,IAAAC,8BAA4D;AAC5D,uBAAiD;;;ACnCjD,2BAA+D;AAC/D,4BAA+F;AAC/F,4BAAuG;AACvG,iCAAkC;AAY3B,IAAMC,qBAAqB,wBAAC,EACjCC,gBACAC,qBAAAA,sBACAC,2BACAC,mBACAC,iBACAC,QACAC,UACAC,KAAI,MASL;AACC,SAAO,OAAOC,SAAkBC,aAAAA;AAC9BA,aAASC,IAAI;MACX,iBAAiB;MACjBC,QAAQ;IACV,CAAA;AAEA,QAAIH,QAAQI,KAAKC,eAAeC,iCAAWC,qBAAqB;AAE9D,iBAAOC,8CAAkBP,UAAU,KAAK;QACtCQ,OAAOC,yCAAmBC;QAC1BC,mBAAmBC;MACrB,CAAA;IACF;AAEA,QAAIb,QAAQc,QAAQC,iBAAiBf,QAAQc,QAAQC,cAAcC,WAAW,OAAA,KAAY,CAAChB,QAAQc,QAAQG,MAAM;AAC/G,iBAAOT,8CAAkBP,UAAU,KAAK;QACtCQ,OAAOC,yCAAmBC;QAC1BC,mBAAmB;MACrB,CAAA;IACF;AAEA,QAAIM;AACJ,QAAInB,MAAMoB,eAAe,CAACnB,QAAQc,QAAQf,MAAM;AAC9C,iBAAOS,8CAAkBP,UAAU,KAAK;QACtCQ,OAAOC,yCAAmBC;QAC1BC,mBAAmB;MACrB,CAAA;IACF;AAEA,QAAIZ,QAAQc,QAAQf,MAAM;AACxB,UAAI,CAACA,MAAM;AACTqB,gBAAQX,MAAM,wHAAA;AAEd,mBAAOD,8CAAkBP,UAAU,KAAK;UACtCQ,OAAOC,yCAAmBC;UAC1BC,mBAAmB;QACrB,CAAA;MACF;AAEA,UAAI;AACF,cAAMS,UAAU5B,wBAAuBO,QAAQsB,WAAW,QAAQtB,QAAQuB,IAAI,MAAA,IAAUvB,QAAQwB;AAChGN,kBAAU,UAAMO,iCACd;UAAEC,QAAQ1B,QAAQ0B;UAAQZ,SAASd,QAAQc;UAASO;QAAQ,GAC5D;UACEM,mBAAmB5B,KAAK6B;UACxBC,mBAAmB;UACnBC,oBAAoBC;QACtB,CAAA;MAEJ,SAAStB,OAAO;AACd,mBAAOD,8CAAkBP,UAAU,KAAK;UACtCQ,OAAOC,yCAAmBsB;UAC1BpB,mBAAmBH,iBAAiBwB,QAAQxB,MAAMyB,UAAU;QAC9D,CAAA;MACF;IACF;AAEA,QAAI;AACF,YAAMC,eAAe,UAAMC,iDAA0BpC,QAAQI,MAAM;QACjEiC,yBAAyBxC,OAAOwC;QAChC1C;QACA2C,SAASzC,OAAOyC;QAChBC,YAAQC,6BAAAA;QACR9C;QACAE;QACAE;QACAN;QACA0B;MACF,CAAA;AACA,aAAOjB,SAASwC,OAAO,GAAA,EAAKC,KAAKP,YAAAA;IACnC,SAAS1B,OAAO;AACd,iBAAOD,8CACLP,UACA,KACA;QACEQ,OAAOC,yCAAmBC;MAC5B,GACAF,KAAAA;IAEJ;EACF;AACF,GAnGkC;AAqG3B,IAAMkC,qBAAqB,wBAAC,EACjCC,qCACA/C,OAAM,MAC2F;AACjG,SAAO,OAAOG,SAAkBC,UAAoB4C,SAAAA;AAClD,QAAI;AACF,gBAAMC,qDAA8B9C,QAAQI,MAAM;QAChD2C,oBAAoBH;QACpBP,yBAAyBxC,OAAOwC;MAClC,CAAA;IACF,SAAS5B,OAAO;AACd,UAAIA,iBAAiBuC,kCAAY;AAC/B,mBAAOxC,8CAAkBP,UAAUQ,MAAMwC,YAAY;UACnDxC,OAAOA,MAAMyC;UACbtC,mBAAmBH,MAAM0C,eAAc;QACzC,CAAA;MACF,OAAO;AACL,mBAAO3C,8CAAkBP,UAAU,KAAK;UAAEQ,OAAOC,yCAAmBC;UAAiBC,mBAAoBH,MAAgByB;QAAQ,GAAGzB,KAAAA;MACtI;IACF;AAEA,WAAOoC,KAAAA;EACT;AACF,GAvBkC;;;AClH3B,IAAMO,sBAAsB,wBAAC,EAClCC,UACAC,aACAC,KAAI,MAKL;AACC,QAAMC,OAAOC,OAAOD,KAAKD,IAAAA;AACzB,MAAIG;AACJ,MAAIL,YAAY,CAACA,SAASM,MAAM,CAACC,MAAMJ,KAAKK,SAASD,CAAAA,CAAAA,GAAK;AACxDF,cAAU,wBAAwBL,SAASS,SAAQ,CAAA;EACrD;AACA,MAAIR,eAAe,CAACA,YAAYS,KAAK,CAACH,MAAMJ,KAAKK,SAASD,CAAAA,CAAAA,GAAK;AAC7DF,cAAUA,UAAU,kCAAkCJ,YAAYQ,SAAQ,CAAA,KAAO,8BAA8BR,YAAYQ,SAAQ,CAAA;EACrI;AACA,MAAIJ,SAAS;AACX,UAAM,IAAIM,MAAMN,OAAAA;EAClB;AACF,GApBmC;;;AF8CnC,IAAMO,YAAYC,QAAQC,IAAIC,aAAaC,SAASH,QAAQC,IAAIC,UAAU,IAAI;AAEvE,SAASE,uBAAuBC,QAAgBC,QAAkBC,MAAiC;AACxG,QAAMC,OAAOC,cAAcF,KAAKG,SAASH,MAAMC,QAAQ,mCAAmC;IAAEG,eAAe;EAAK,CAAA;AAChHC,6BAAIC,IAAI,gDAAgDL,IAAAA,EAAM;AAC9DH,SAAOS,KAAKN,MAAM,OAAOO,SAAkBC,aAAAA;AACzC,QAAI;AACF,YAAM,EAAEC,GAAE,IAAKF,QAAQG;AACvB,YAAMC,UAAU,MAAMb,OAAOc,8BAA8BH,EAAAA;AAC3D,UAAI,CAACE,WAAW,CAACA,QAAQE,iBAAiB;AACxC,mBAAOC,+CAAkBN,UAAU,KAAK;UACtCO,OAAO;UACPC,mBAAmB,oBAAoBP,EAAAA;QACzC,CAAA;MACF;AAEA,YAAMQ,iBAAsC;QAC1CC,WAAWP,QAAQO;QACnBC,eAAeR,QAAQQ;QACvBC,WAAWT,QAAQS;QACnBC,QAAQV,QAAQU;QAChBC,aAAaX,QAAQW;QACrB,GAAIX,QAAQI,SAAS;UAAEA,OAAOJ,QAAQI;QAAM;QAC5C,GAAIJ,QAAQY,YAAY;UAAEA,UAAUZ,QAAQY;QAAS;MACvD;AACA,aAAOf,SAASgB,KAAKP,cAAAA;IACvB,SAASQ,GAAG;AACV,iBAAOX,+CACLN,UACA,KACA;QACEO,OAAO;QACPC,mBAAoBS,EAAYC;MAClC,GACAD,CAAAA;IAEJ;EACF,CAAA;AACF;AApCgB7B;AAsCT,SAAS+B,oCAAoC9B,QAAgBC,QAAkBC,MAAiC;AACrH,QAAMC,OAAOC,cAAcF,KAAKG,SAASH,MAAMC,QAAQ,0BAA0B;IAAEG,eAAe;EAAK,CAAA;AACvGC,6BAAIC,IAAI,qEAAqEL,IAAAA,EAAM;AACnFH,SAAO+B,IAAI5B,MAAM,OAAOO,SAAkBC,aAAAA;AACxC,QAAI;AACF,YAAM,EAAEC,GAAE,IAAKF,QAAQsB;AACvB,UAAI,CAACpB,IAAI;AACP,mBAAOK,+CAAkBN,UAAU,KAAK;UACtCO,OAAO;UACPC,mBAAmB;QACrB,CAAA;MACF;AAEA,UAAIL;AACJ,UAAI;AACFA,kBAAU,MAAMb,OAAOc,8BAA8BH,EAAAA;MACvD,SAASgB,GAAG;MAEZ;AAEA,UAAI,CAACd,WAAW,CAACA,QAAQE,mBAAmBF,QAAQU,WAAW,iBAAiB;AAC9E,YAAIV,SAASU,QAAQ;AACnBjB,qCAAI0B,QACF,yDAAyDrB,EAAAA,+DAAiEE,QAAQU,MAAM,EAAE;QAE9I;AACA,mBAAOP,+CAAkBN,UAAU,KAAK;UACtCO,OAAO;UACPC,mBAAmB,oBAAoBP,EAAAA;QACzC,CAAA;MACF;AAEA,aAAOD,SAASgB,KAAKb,QAAQE,gBAAgBkB,gBAAgB;IAC/D,SAASN,GAAG;AACV,iBAAOX,+CACLN,UACA,KACA;QACEO,OAAO;QACPC,mBAAoBS,EAAYC;MAClC,GACAD,CAAAA;IAEJ;EACF,CAAA;AACA,SAAOzB;AACT;AA9CgB2B;AAgDhB,SAASK,aAAaC,gBAAmD;AACvE,SAAOA,eAAeC,uBAAuBC,KAAK,CAACC,OAAO,CAACA,GAAGC,SAASJ,eAAeK,iBAAiB,CAAA;AACzG;AAFSN;AAIF,SAASO,+BACd1C,QACAC,QACAC,MAAqE;AAErE,QAAMyC,WAAW1C,OAAO2C,4BAA4BC,oCAAoC5C,OAAOmC,eAAeS;AAC9G,QAAMxC,UAAUyC,WAAW5C,KAAKG,OAAO;AACvC,MAAI,CAACsC,UAAU;AACbpC,+BAAIwC,KAAK,2HAAA;AACT;EACF;AACA,QAAM5C,OAAOC,cAAcC,SAASsC,UAAU;IAAErC,eAAe;EAAK,CAAA;AACpEC,6BAAIC,IAAI,iDAAiDL,IAAAA,EAAM;AAC/DH,SAAOS,KAAKN,MAAM,OAAOO,SAAkBC,aAAAA;AACzC,UAAMqC,gCAAgCtC,QAAQG;AAC9C,UAAM,EAAEoC,WAAWC,cAAcC,cAAcC,qCAAoC,IAAKJ;AAExF,QAAI;AACF,UAAI,CAACC,aAAa,CAACE,cAAc;AAC/B,cAAME,uCAA2E;UAC/EnC,OAAOoC,mDAA4BC;UACnCpC,mBAAmB;QACrB;AACA,cAAMkC;MACR;AAEA,UAAI,CAACF,gBAAgBD,cAAc;AACjC,cAAMpC,UAAU,MAAMb,OAAOuD,wBAAwBzB,IAAImB,YAAAA;AACzD,YAAI,CAACpC,SAAS;AACZ,gBAAMuC,uCAA2E;YAC/EnC,OAAOoC,mDAA4BG;YACnCtC,mBAAmB;UACrB;AACA,gBAAMkC;QACR;AAEA,cAAMK,iBAAiB,MAAMxD,KAAKyD,6BAA6BT,YAAAA;AAC/D,cAAMG,uCAA2E;UAC/EnC,OAAOoC,mDAA4BM;UACnCT,cAAcD;UACdW,cAAcH;QAChB;AACA,cAAML;MACR;AAEA,UAAIF,gBAAgBC,sCAAsC;AACxD,cAAMtC,UAAU,MAAMb,OAAOuD,wBAAwBzB,IAAIoB,YAAAA;AACzD,YAAI,CAACrC,SAAS;AACZ,gBAAMuC,uCAA2E;YAC/EnC,OAAOoC,mDAA4BG;YACnCtC,mBAAmB;UACrB;AACA,gBAAMkC;QACR;AAEA,cAAMS,mBAAmB,MAAM5D,KAAK6D,2BAA2BX,oCAAAA;AAC/D,YAAIU,kBAAkB;AACpB,gBAAME,wBAAoBC,6CAAqB,IAAI,WAAA;AACnDnD,kBAAQkD,oBAAoBA;AAC5B,gBAAM/D,OAAOuD,wBAAwBU,IAAIf,cAAcrC,OAAAA;AACvD,gBAAMqD,qCAAyE;YAC7EC,oBAAoBJ;UACtB;AACA,iBAAOrD,SAASgB,KAAKwC,kCAAAA;QACvB;MACF;AAEA,YAAMd,sCAA2E;QAC/EnC,OAAOoC,mDAA4BC;MACrC;AACA,YAAMF;IACR,SAASzB,GAAG;AACV,iBAAOX,+CAAkBN,UAAU,KAAKiB,GAAYA,CAAAA;IACtD;EACF,CAAA;AACF;AA3EgBc;AA6ET,SAAS2B,oBAAoBrE,QAAgBC,QAAkBC,MAA0E;AAC9I,QAAMoE,aAAanC,aAAalC,OAAOmC,cAAc,KAAKnC,OAAOsE;AACjE,MAAID,cAAepE,KAAKsE,uBAAuBtE,KAAKsE,wBAAwB,YAAa;AACvFjE,+BAAIC,IACF,2CAA2CP,OAAOmC,eAAeC,qBAAqB,6DAA6D;AAErJ;EACF,WAAWnC,MAAMuE,YAAY,OAAO;AAClClE,+BAAIC,IAAI,yDAAyD;AACjE;EACF;AACA,QAAMkE,oBACJxE,MAAMwE,qBACN/E,QAAQC,IAAI+E,uBACZ1E,OAAOmC,eAAeC,wBAAwB,CAAA,KAC9CpC,OAAOmC,eAAeK;AAExB,QAAMmC,sCACJ1E,MAAM0E,2CAAuCC,6CAAqBlF,QAAQC,IAAIkF,uCAAuC,KAAK;AAC5H,QAAMC,WAAW7E,MAAM6E,gBAAYF,6CAAqBlF,QAAQC,IAAIoF,QAAQ,KAAK;AACjF,QAAMC,iBAAiB/E,MAAM+E,kBAAkB;AAG/C,MAAI/E,MAAMgF,8BAA8BC,QAAW;AACjD,UAAM,IAAIC,MAAMC,yDAAAA;EAClB,WAAW,CAACX,mBAAmB;AAC7B,UAAM,IAAIU,MAAME,yDAAAA;EAClB;AAEA,QAAMjF,UAAUyC,WAAW5C,KAAKG,OAAO;AAGvC,QAAMF,OAAOC,cAAcC,SAASH,MAAMqF,aAAa5F,QAAQC,IAAI4F,cAAc,UAAU;IACzFC,kBAAkB;IAClBnF,eAAe;EACjB,CAAA;AAGA,QAAMoF,MAAM,IAAIC,IAAI,GAAGtF,OAAAA,GAAUF,IAAAA,EAAM;AAEvCI,6BAAIC,IAAI,uCAAuCkF,IAAIE,SAAQ,CAAA,EAAI;AAG/D5F,SAAOS,KACLL,cAAcC,SAASqF,IAAIG,UAAU;IAAEvF,eAAe;EAAK,CAAA,GAC3DwF,mBAAmB;IACjB7F;IACA2E;EACF,CAAA,GACAmB,mBAAmB;IACjB9F;IACAiF,2BAA2BhF,KAAKgF;IAChCc,iBAAiB/F,OAAO+F;IACxBjB;IACAE;IACAP;EACF,CAAA,CAAA;AAEJ;AA1DgBL;AA4DT,SAAS4B,sBACdjG,QACAC,QACAC,MACiD;AAEjD,QAAMyC,WAAW1C,OAAOmC,eAAe8D;AACvC,QAAM7F,UAAUyC,WAAW5C,KAAKG,OAAO;AACvC,MAAIF;AACJ,MAAI,CAACwC,UAAU;AACbxC,WAAO;AACPF,WAAOmC,eAAe8D,sBAAsB,GAAG7F,OAAAA,GAAUF,IAAAA;EAC3D,OAAO;AACLA,WAAOC,cAAcC,SAASsC,UAAU;MAAErC,eAAe;MAAMmF,kBAAkB;IAAM,CAAA;EACzF;AACAtF,SAAOC,cAAcC,SAASF,MAAM;IAAEG,eAAe;EAAK,CAAA;AAC1DC,6BAAIC,IAAI,+CAA+CL,IAAAA,EAAM;AAC7DH,SAAOS,KAAKN,MAAM,OAAOO,SAAkBC,aAAAA;AACzC,QAAI;AACF,YAAMwF,oBAAoBzF,QAAQG;AAClCN,iCAAIC,IAAI,+BAA+B2F,iBAAAA;AACvC,UAAI;AACF,cAAMC,UAAMC,2CAAmB3F,QAAQ4F,OAAO,eAAA,CAAA;AAC9C,kBAAMC,oCAAYH,KAAK;UAAEI,iCAAiCtG,KAAKsG,mCAAmCvG,OAAOwG;QAAkB,CAAA;MAC7H,SAAS7E,GAAG;AACVrB,mCAAI0B,QAAQL,CAAAA;AACZ,mBAAOX,+CAAkBN,UAAU,KAAK;UACtCO,OAAO;QACT,CAAA;MACF;AAEA,YAAMwF,aAAa,MAAMzG,OAAO0G,gBAAgB;QAC9CR;QACAlB,gBAAgB/E,KAAK+E;QACrBe,iBAAiB9F,KAAK8F;MACxB,CAAA;AACA,aAAOrF,SAASgB,KAAK+E,UAAAA;IACvB,SAAS9E,GAAG;AACV,iBAAOX,+CACLN,UACA,KACA;QACEO,OAAO;QACPC,mBAAoBS,EAAYC;MAClC,GACAD,CAAAA;IAEJ;EACF,CAAA;AACF;AAjDgBqE;AAmDT,SAASW,qBACd5G,QACAC,QACAC,MAAmH;AAEnH,QAAMyC,WAAW1C,OAAOmC,eAAeyE;AACvC,QAAMxG,UAAUyC,WAAW5C,KAAKG,OAAO;AACvC,MAAI,CAACsC,UAAU;AACbpC,+BAAI0B,QAAQ,qGAAA;AACZ;EACF;AACA,QAAM9B,OAAOC,cAAcC,SAASsC,UAAU;IAAErC,eAAe;EAAK,CAAA;AACpEC,6BAAIC,IAAI,8CAA8CL,IAAAA,EAAM;AAC5DH,SAAOS,KAAKN,MAAM,OAAOO,SAAkBC,aAAAA;AACzC,QAAI;AACF,YAAMmG,sBAAsBpG,QAAQG;AACpCN,iCAAIC,IACF,gBAAgBsG,oBAAoBC,KAAK,IAAID,oBAAoBE,iBAAiB,iBAAiBF,oBAAoBG,eAAe,EAAE;AAE1I,YAAMb,UAAMC,2CAAmB3F,QAAQ4F,OAAO,eAAA,CAAA;AAC9CY,oCAAOC,KAAKC,oDAA6BC,+BAA+B;QACtEC,WAAWF,oDAA6BC;QACxCzG,QAAI2G,8BAAAA;QACJC,MAAMV;QACNW,WAAWrB;QACXsB,eAAeC,+BAAcC;QAC7BC,QAAQC,wBAAOC;QACfC,WAAWC,2BAAUC;MACvB,CAAA;AACA,UAAI;AACF,cAAMC,YAAY,UAAM5B,oCAAYH,KAAK;UAAEI,iCAAiCtG,KAAKsG;QAAgC,CAAA;AACjH,cAAM4B,cAAcD,UAAU/B,IAAIiC;AAClC,cAAMC,iBAAiB,MAAMrI,OAAOsI,oBAAoB;UACtDC,mBAAmBJ,YAAY,qBAAA;;UACHK,cAAc3B;QAC5C,CAAA;AACA,YAAIwB,0BAA0BlD,OAAO;AACnC8B,wCAAOC,KAAKC,oDAA6BsB,4BAA4B;YACnEpB,WAAWF,oDAA6BsB;YACxC9H,QAAI2G,8BAAAA;YACJC,MAAMV;YACNW,WAAWU,UAAU/B;YACrBsB,eAAeC,+BAAcC;YAC7BC,QAAQC,wBAAOC;YACfC,WAAWC,2BAAUC;UACvB,CAAA;AACA,qBAAOjH,+CAAkBN,UAAU,KAAK2H,eAAezG,OAAO;QAChE,OAAO;AACLqF,wCAAOC,KAAKC,oDAA6BuB,gCAAgC;YACvErB,WAAWF,oDAA6BuB;YACxC/H,QAAI2G,8BAAAA;YACJC,MAAMV;YACNW,WAAWU,UAAU/B;YACrBsB,eAAeC,+BAAcC;YAC7BC,QAAQC,wBAAOC;YACfC,WAAWC,2BAAUC;UACvB,CAAA;QACF;MACF,SAAStG,GAAG;AACVrB,mCAAI0B,QAAQL,CAAAA;AACZ,mBAAOX,+CAAkBN,UAAU,KAAK;UACtCO,OAAO;QACT,CAAA;MACF;AACA,aAAOP,SAASa,OAAO,GAAA,EAAKoH,KAAI;IAClC,SAAShH,GAAG;AACV,iBAAOX,+CACLN,UACA,KACA;QACEO,OAAO;QACPC,mBAAoBS,EAAYC;MAClC,GACAD,CAAAA;IAEJ;EACF,CAAA;AACF;AA7EgBgF;AA+ET,SAASiC,2BAA2B7I,QAAgBC,QAAkBC,MAAsC;AACjH,QAAMC,OAAOC,cAAcF,MAAMG,SAASH,MAAMC,QAAQ,iCAAiC;IAAEG,eAAe;EAAK,CAAA;AAC/GC,6BAAIC,IAAI,oDAAoDL,IAAAA,EAAM;AAClEH,SAAO+B,IAAI5B,MAAM,OAAOO,SAAkBC,aAAAA;AACxC,QAAI;AACF,YAAM,EAAEC,GAAE,IAAKF,QAAQsB;AACvB,YAAMlB,UAAU,MAAMb,OAAOc,8BAA8BH,EAAAA;AAC3D,UAAI,CAACE,WAAW,CAACA,QAAQE,iBAAiB;AACxC,mBAAOC,+CAAkBN,UAAU,KAAK;UACtCO,OAAO;UACPC,mBAAmB,oBAAoBP,EAAAA;QACzC,CAAA;MACF;AACA,aAAOD,SAASgB,KAAKb,QAAQE,gBAAgBkB,gBAAgB;IAC/D,SAASN,GAAG;AACV,iBAAOX,+CACLN,UACA,KACA;QACEO,OAAO;QACPC,mBAAoBS,EAAYC;MAClC,GACAD,CAAAA;IAEJ;EACF,CAAA;AACF;AA1BgBiH;AA4BT,SAASC,8BAA8B9I,QAAgBC,QAAkBC,MAAsC;AACpH,QAAMC,OAAOC,cAAcF,MAAMG,SAASH,MAAMC,QAAQ,iCAAiC;IAAEG,eAAe;EAAK,CAAA;AAC/GC,6BAAIC,IAAI,uDAAuDL,IAAAA,EAAM;AACrEH,SAAO+I,OAAO5I,MAAM,OAAOO,SAAkBC,aAAAA;AAC3C,QAAI;AACF,YAAM,EAAEC,GAAE,IAAKF,QAAQsB;AACvB,UAAI,CAACpB,IAAI;AACP,mBAAOK,+CAAkBN,UAAU,KAAK;UACtCO,OAAO;UACPC,mBAAmB;QACrB,CAAA;MACF;AACA,YAAMlB,OAAO+I,iCAAiCpI,EAAAA;AAC9C,aAAOD,SAASsI,WAAW,GAAA;IAC7B,SAASrH,GAAG;AACV,iBAAOX,+CACLN,UACA,KACA;QACEO,OAAO;QACPC,mBAAoBS,EAAYC;MAClC,GACAD,CAAAA;IAEJ;EACF,CAAA;AACF;AA1BgBkH;AA4BhB,SAASI,iCAAiCxI,SAA8CyI,oBAA2B;AACjH,MAAI,CAACA,oBAAoB;AACvB,WAAOC,QAAQC,OAAOjE,MAAM,wDAAA,CAAA;EAC9B;AAEA,QAAMkE,WAAW5I,QAAQ6I,QAAQ,mBAAA,GAAsB3D,SAAAA,KAAclF,QAAQ4I;AAC7E,MAAIE,OAAO9I,QAAQ6I,QAAQ,kBAAA,GAAqB3D,SAAAA,KAAclF,QAAQqB,IAAI,MAAA;AAC1E,QAAM0H,gBAAgB/I,QAAQ6I,QAAQ,kBAAA,GAAqB3D,SAAAA;AAE3D,MAAI6D,iBAAiB,EAAEH,aAAa,WAAWG,kBAAkB,UAAU,EAAEH,aAAa,UAAUG,kBAAkB,OAAO;AAC3HD,YAAQ,IAAIC,aAAAA;EACd;AAEA,QAAMC,kBAAkBhJ,QAAQ6I,QAAQ,oBAAA,GAAuB3D,SAAAA,KAAc;AAE7E,SAAO,GAAG0D,QAAAA,MAAcE,IAAAA,GAAOE,eAAAA,GAAkBhJ,QAAQL,OAAO,GAAG8I,kBAAAA;AACrE;AAhBSD;AAkBF,SAASS,8BACd3J,QACAC,QACAC,MACA0J,mBAA0B;AAE1B,QAAMzJ,OAAOC,cAAcF,MAAMG,SAASH,MAAMC,QAAQ,6BAA6B;IAAEG,eAAe;EAAK,CAAA;AAC3G,QAAM6I,qBACJjJ,MAAM2J,oCAAoCD,qBAAqBxJ,cAAcF,MAAMG,SAAS,sBAAsB;IAAEC,eAAe;EAAK,CAAA;AAE1IC,6BAAIC,IAAI,uDAAuDL,IAAAA,EAAM;AACrEH,SAAOS,KAAKN,MAAM,OAAOO,SAA8CC,aAAAA;AACrE,QAAI;AACF,YAAMmJ,kBAAcC,sDAA8BrJ,QAAQG,KAAKmJ,yBAAyB;AACxF,UAAIF,cAAcG,yCAAkBC,YAAY;AAC9C,mBAAOjJ,+CAAkBN,UAAU,KAAK;UACtCO,OAAOiJ,0CAAmBC;UAC1BjJ,mBAAmB;QACrB,CAAA;MACF;AAEA,YAAMkJ,iBAAaC,4CAAoB5J,QAAQG,IAAI;AACnD,UAAIwJ,WAAWE,WAAW,GAAG;AAC3B,mBAAOtJ,+CAAkBN,UAAU,KAAK;UAAEO,OAAOiJ,0CAAmBK;UAAerJ,mBAAmB;QAAyB,CAAA;MACjI;AACA,YAAMsJ,SAAS/J,QAAQG,KAAK4J;AAC5B,YAAMC,sBAAsBhK,QAAQG,KAAK8J;AACzC,UAAI,CAACD,uBAAuBA,oBAAoBH,WAAW,GAAG;AAC5D,mBAAOtJ,+CAAkBN,UAAU,KAAK;UACtCO,OAAOiJ,0CAAmB5G;UAC1BpC,mBAAmB;QACrB,CAAA;MACF;AACA,YAAMyJ,aAAalK,QAAQG,KAAK+J,cAAc1K,MAAM0K;AACpD,YAAMC,YAAiCnK,QAAQG,KAAKgK,aAAa3K,MAAM4K,8BAA8B;AAErG,YAAM7H,YAAgCvC,QAAQG,KAAKoC,aAAavC,QAAQG,KAAKmJ,2BAA2B/G;AACxG,YAAM8H,SAAS,MAAM9K,OAAO+K,yBAAyB;QACnD,GAAGtK,QAAQG;QACXgK;QACA5H;QACA,GAAIvC,QAAQG,KAAKoK,iBAAiB;UAAEA,eAAevK,QAAQG,KAAKoK;QAAc;QAC9E,GAAIJ,cAAc,eAAe;UAAEK,oBAAoBhC,iCAAiCxI,SAASyI,kBAAAA;QAAoB;QACrHyB;QACAH;MACF,CAAA;AACA,YAAMU,iBAAoDJ;AAC1D,UAAI,aAAaI,gBAAgB;AAG/B,eAAOA,eAAerK;MACxB;AACA,aAAOH,SAASgB,KAAKwJ,cAAAA;IACvB,SAASvJ,GAAG;AACV,iBAAOX,+CACLN,UACA,KACA;QACEO,OAAOiJ,0CAAmB5G;QAC1BpC,mBAAoBS,EAAYC;MAClC,GACAD,CAAAA;IAEJ;EACF,CAAA;AACF;AAjEgB+H;AAmET,SAASyB,4BACdpL,QACAC,QACAoL,kBACAnL,MAA0B;AAE1B,QAAMoE,aAAanC,aAAalC,OAAOmC,cAAc,KAAKnC,OAAOsE;AACjE,MAAID,YAAY;AACd/D,+BAAIC,IACF,2CAA2CP,OAAOmC,eAAeC,qBAAqB,oDAAoD;AAE5I;EACF,WAAWnC,MAAMuE,YAAY,OAAO;AAClClE,+BAAIC,IAAI,gDAAgD;AACxD;EACF;AAEA,QAAM8K,sBAAsB,8BAAOC,KAAcC,KAAeC,SAAAA;AAC9D,QAAI,CAACF,IAAI1K,MAAM;AACb,aAAO2K,IAAIhK,OAAO,GAAA,EAAKG,KAAK;QAAET,OAAO;QAAmBC,mBAAmB;MAA+B,CAAA;IAC5G;AACA,UAAMuK,WAAW;MAAC;MAAa;MAAyB;MAAkB;;AAC1E,UAAMC,cAAc;MAAC;MAAyB;;AAC9C,QAAI;AACFC,0BAAoB;QAAEF;QAAUC;QAAa9K,MAAM0K,IAAI1K;MAAK,CAAA;IAC9D,SAASe,GAAY;AACnB,iBAAOX,+CAAkBuK,KAAK,KAAK;QACjCtK,OAAO;QACPC,mBAAoBS,EAAYC;MAClC,CAAA;IACF;AACA,WAAO4J,KAAAA;EACT,GAf4B;AAiB5BzL,SAAOS,KAAK,QAAQ6K,qBAAqB,CAACC,KAAcC,QAAAA;AAEtD,UAAMK,SAAS;MACbC,OAAO;QAAC;QAAU;;MAClBC,cAAc;QAAC;QAA2B;QAA0B;QAAmB;QAAkB;;IAC3G;AAGA,UAAMC,UAAUH,OAAOE,aAAaE,OAAO,CAACC,MAAc,IAAIC,OAAOD,EAAEE,QAAQ,KAAK,IAAA,CAAA,EAAOC,KAAKd,IAAI1K,KAAKyL,YAAY,CAAA;AACrH,QAAI,CAACN,QAAQzB,QAAQ;AACnB,iBAAOtJ,+CAAkBuK,KAAK,KAAK;QACjCtK,OAAO;QACPC,mBAAmB;MACrB,CAAA;IACF;AAGA,QAAI,CAACoK,IAAI1K,KAAKiL,MAAMS,MAAM,GAAA,EAAKC,MAAM,CAACV,UAAkBD,OAAOC,MAAMtJ,SAASsJ,KAAAA,CAAAA,GAAS;AACrF,iBAAO7K,+CAAkBuK,KAAK,KAAK;QACjCtK,OAAO;QACPC,mBAAmB;MACrB,CAAA;IACF;AAKA,UAAMsL,WAAOlF,8BAAAA;AACb,UAAMmF,aAAa,qCAAqCD,IAAAA;AAExDpB,qBAAiBnH,IAAIwI,YAAYnB,IAAI1K,IAAI;AAIzC8L,eAAW,MAAA;AACTtB,uBAAiBtC,OAAO2D,UAAAA;IAC1B,GAAGhN,YAAY,GAAA;AAEf,WAAO8L,IAAIhK,OAAO,GAAA,EAAKG,KAAK;MAAEiL,aAAaF;MAAYG,YAAYnN;IAAU,CAAA;EAC/E,CAAA;AACF;AA1EgB0L;AA4ET,SAAS0B,qBAAqB9M,QAAgBC,QAAgB;AACnE,QAAM8M,0BAA0B,wBAACrM,SAAkBC,aAAAA;AACjD,WAAOA,SAASgB,KAAK1B,OAAOmC,cAAc;EAC5C,GAFgC;AAGhCpC,SAAO+B,IAAIiL,0CAAmBC,mBAAmBF,uBAAAA;AAEjD,QAAMG,6BAA6B,wBAACxM,SAAkBC,aAAAA;AACpD,WAAOA,SAASgB,KAAK1B,OAAO2C,2BAA2B;EACzD,GAFmC;AAGnC5C,SAAO+B,IAAIiL,0CAAmBG,UAAUD,0BAAAA;AAC1C;AAVgBJ;AAYT,SAAS1M,cACdC,SACAsC,UACAzC,MAAmF;AAEnF,QAAMkN,WAAW/M,UAAUgN,YAAYhN,OAAAA,IAAW;AAClD,MAAIF,OAAOwC;AACX,MAAIzC,MAAMoN,YAAY;AACpBnN,eAAOoN,kCAAUpN,MAAM;MAAEqN,SAAStN,KAAKoN;IAAW,CAAA;EACpD;AACA,MAAIpN,MAAMuF,qBAAqB,MAAM;AACnCgI,mCAA+BpN,SAASsC,QAAAA;EAC1C;AACA,MAAIA,SAASH,SAAS,KAAA,GAAQ;AAC5BrC,WAAO,IAAIwF,IAAIhD,QAAAA,EAAUkD;EAC3B;AACA1F,SAAO,QAAIuN,iCAASvN,MAAM,GAAA,CAAA;AAC1B,MAAID,MAAMI,iBAAiBH,KAAKwN,WAAWP,QAAAA,GAAW;AACpDjN,eAAOyN,kCAAUzN,MAAMiN,QAAAA;AACvBjN,WAAO,QAAIuN,iCAASvN,MAAM,GAAA,CAAA;EAC5B;AACA,SAAOA;AACT;AAtBgBC;AAwBhB,SAASqN,+BAA+BpN,SAAmCsC,UAAgB;AACzF,MAAI,CAACkL,iCAAiCxN,SAASsC,QAAAA,GAAW;AACxD,UAAMyC,MAAM,aAAazC,QAAAA,6BAAqCtC,UAAUyC,WAAWzC,OAAAA,IAAW,uBAAA,GAA0B;EAC1H;AACF;AAJSoN;AAMT,SAASI,iCAAiCxN,SAAmCsC,UAAgB;AAC3F,MAAI,CAACA,UAAU;AACb,WAAO;EACT,WAAW,CAACA,SAASH,SAAS,KAAA,GAAQ;AACpC,WAAO;EACT,WAAW,CAACnC,SAAS;AACnB,WAAO;EACT;AACA,SAAOsC,SAASgL,WAAW7K,WAAWzC,OAAAA,CAAAA;AACxC;AATSwN;AAWF,SAAS/K,WAAW4C,KAA8B;AACvD,MAAIrF,UAAUqF;AACd,MAAI,CAACrF,SAAS;AACZ,UAAMyN,aAASlO,iCAAI,YAAYD,SAASC,KAAKmO,UAAAA;AAC7C,QAAID,UAAUA,OAAOvD,SAAS,GAAG;AAC/BlK,gBAAU,IAAIsF,IAAImI,MAAAA;IACpB;EACF;AACA,MAAI,CAACzN,SAAS;AACZ,UAAM+E,MAAM,sBAAsB;EACpC;AACA,aAAO4I,gCAAQ3N,QAAQuF,SAAQ,GAAI,GAAA;AACrC;AAZgB9C;AAcT,SAASuK,YAAY3H,KAAkB;AAC5C,QAAM0H,WAAW,IAAIzH,IAAI7C,WAAW4C,GAAAA,CAAAA,EAAMG;AAC1C,MAAIuH,aAAa,MAAMA,aAAa,KAAK;AACvC,WAAO;EACT;AACA,SAAO,QAAIM,iCAASN,UAAU,GAAA,CAAA;AAChC;AANgBC;;;ADjpBhB,SAASY,0BAAAA;AACP,QAAMC,uBAAgF,IAAIC,uDAAAA,EACvFC,wCAAwCC,QAAQC,IAAIC,uCAAuC,EAC3FC,+BAA+BH,QAAQC,IAAIG,uCAAuC,EAClFC,WAAWL,QAAQC,IAAIK,2BAA2B,EAClDC,mBAAmBP,QAAQC,IAAIO,2BAA2B,EAC1DC,yBAAyB;IACxBC,MAAM;MAACV,QAAQC,IAAIU;MAAoDX,QAAQC,IAAIW;;EAGrF,CAAA,EACCC,+BAA+B;IAC9BC,MAAMd,QAAQC,IAAIc;IAClBC,QAAQhB,QAAQC,IAAIgB;IACpBC,MAAM;MACJC,KAAKnB,QAAQC,IAAImB;MACjBC,UAAUrB,QAAQC,IAAIqB;IACxB;IACAC,kBAAkBvB,QAAQC,IAAIuB;IAC9BC,YAAYzB,QAAQC,IAAIyB;EAC1B,CAAA,EACCC,oCACC3B,QAAQC,IAAI2B,iCACZ;IACEd,MAAMd,QAAQC,IAAI4B;IAClBb,QAAQhB,QAAQC,IAAI6B;EACtB,CAAA,EAEDC,MAAK;AACR,QAAMC,gBAAgB,IAAIC,uCAAAA,EACvBC,WAAW;IAAEC,QAAQnC,QAAQC,IAAImC;IAAsCC,YAAYrC,QAAQC,IAAIqC;EAA0C,CAAA,EACzIC,yBAAyBvC,QAAQC,IAAIuC,oBAAoB,EACzDC,uBAAuBzC,QAAQC,IAAIyC,mBAAmB,EACtDC,qBAAqB3C,QAAQC,IAAI2C,iBAAiB,EAClDC,kBAAkB;IACjB/B,MAAMd,QAAQC,IAAI6C;IAClB9B,QAAQhB,QAAQC,IAAI8C;EACtB,CAAA,EACCC,sCAAsCnD,oBAAAA,EACtCoD,iCAAgC,EAChCC,wBAAuB;AAE1B,MAAIlD,QAAQC,IAAIkD,gCAAgC;AAC9C,QAAI,CAACnD,QAAQC,IAAImD,mCAAmC;AAClD,YAAMC,MAAM,qEAAA;IACd;AACArB,kBAAcsB,2BAA2B;MACvCC,WAAWvD,QAAQC,IAAIkD;MACvBK,eAAexD,QAAQC,IAAIwD;MAC3BC,eAAe;QAAC1D,QAAQC,IAAImD;;IAC9B,CAAA;EACF;AAEA,SAAOpB,cAAcD,MAAK;AAC5B;AAtDSnC;AAqHF,IAAM+D,gBAAN,MAAMA;EA7Ib,OA6IaA;;;EACMC;EACTC,mBAAsD,oBAAIC,IAAAA;EACjDC;EACAC;EACAC;;EAEAC;EACAC;EAEjBC,YACEC,gBACAC,MACA;AACA,SAAKN,WAAW,IAAIO,IAAID,MAAME,WAAWxE,QAAQC,IAAIwE,YAAYH,MAAMI,QAAQC,gBAAgB/B,qBAAqB,kBAAA;AACpH,SAAKqB,kBAAkBI;AACvB,SAAKN,OAAOM,eAAeO;AAC3B,SAAKV,UAAUU,eAAAA,QAAQC,OAAM;AAC7B,SAAKjB,UAAUU,MAAMI,SAASJ,KAAKI,SAAS9E,wBAAAA;AAC5C,SAAKuE,gBACHG,KAAKQ,gBAAgB,KAAKlB,QAAQkB,eAAgB;MAAE,GAAGR,KAAKQ;MAAc,GAAG,KAAKlB,QAAQkB;IAAa,IAAuBC;AAEhIC,gCAA4B,KAAKC,QAAQ,KAAKP,QAAQ,KAAKb,gBAAgB;AAC3EqB,yBAAqB,KAAKD,QAAQ,KAAKP,MAAM;AAC7C,QAAIS;AACJ,QAAI,KAAKC,iCAAiCd,MAAMe,cAAcC,mBAAAA,GAAsB;AAClFH,0BAAoBI,oCAAoC,KAAKN,QAAQ,KAAKP,QAAQ;QAChF,GAAGJ,MAAMe,cAAcC;QACvBd,SAAS,KAAKA;MAChB,CAAA;IACF;AAEA,QAAIF,MAAMe,cAAcG,2BAA2BC,YAAY,SAASzF,QAAQC,IAAIyF,sCAAsC,QAAQ;AAChIC,oCAA8B,KAAKV,QAAQ,KAAKP,QAAQJ,MAAMe,cAAcG,2BAA2BL,iBAAAA;AACvGS,oCAA8B,KAAKX,QAAQ,KAAKP,QAAQJ,MAAMe,cAAcQ,yBAAAA;IAC9E;AACAC,+BAA2B,KAAKb,QAAQ,KAAKP,QAAQJ,MAAMe,cAAcU,sBAAAA;AACzEC,0BAAsB,KAAKf,QAAQ,KAAKP,QAAQ;MAC9C,GAAGJ,MAAMe,cAAcY;MACvBzB,SAAS,KAAKA;MACd0B,iCACE5B,KAAKe,cAAcY,mBAAmBC,oCACrC,KAAK/B,oBACFgC,sDAA8B;QAC5BC,gBAAgB,KAAKjC;QACrBkC,kBAAkB,KAAKzC,QAAQe,eAAe/B;QAC9C0D,qBAAqB,KAAK1C,QAAQe,eAAe4B,sBAAuB,CAAA;MAC1E,CAAA,IACAxB;IACR,CAAA;AACA,SAAKyB,0BAAyB;AAC9B,QAAI,CAAC,KAAKC,wBAAwBnC,MAAMe,cAAcY,mBAAmB3B,MAAMQ,YAAAA,GAAe;AAC5F4B,0BAAoB,KAAKzB,QAAQ,KAAKP,QAAQ;QAAE,GAAGJ,MAAMe,cAAcY;QAAmBzB,SAAS,KAAKA;MAAQ,CAAA;IAClH;AACA,QAAI,KAAKmC,wBAAwBrC,MAAMe,cAAcuB,aAAAA,GAAgB;AACnEC,6BAAuB,KAAK5B,QAAQ,KAAKP,QAAQ;QAAE,GAAGJ,MAAMe,cAAcuB;QAAepC,SAAS,KAAKA;MAAQ,CAAA;IACjH;AACA,QAAI,KAAKsC,wCAAwCxC,MAAMe,cAAc0B,0BAAAA,GAA6B;AAChG,UAAI,CAACzC,MAAMe,cAAc0B,4BAA4BC,8BAA8B;AACjF,cAAM3D,MAAM,+HAA+H;MAC7I,WAAW,CAACiB,MAAMe,cAAc0B,4BAA4BE,4BAA4B;AACtF,cAAM5D,MAAM,6HAA6H;MAC3I;AACA6D,qCAA+B,KAAKjC,QAAQ,KAAKP,QAAQ;QAAE,GAAGJ,MAAMe,cAAc0B;QAA4BvC,SAAS,KAAKA;MAAQ,CAAA;IACtI;AACA,SAAKT,KAAKoD,IAAIC,YAAY,KAAK5C,OAAO,GAAG,KAAKN,OAAO;EACvD;EAEA,IAAWmD,MAAe;AACxB,WAAO,KAAKtD;EACd;;;;EAMA,IAAWkB,SAAyB;AAClC,WAAO,KAAKf;EACd;EAEA,IAAIQ,SAAmB;AACrB,WAAO,KAAKd;EACd;EAEA,MAAa0D,OAAO;AAClB,QAAI,CAAC,KAAKrD,iBAAiB;AACzB,YAAMZ,MAAM,gFAAA;IACd;AACA,UAAM,KAAKY,gBAAgBqD,KAAI;EACjC;EAEQb,wBAAwBR,mBAAwCsB,kBAAmC;AACzG,WAAOtB,mBAAmBuB,0BAA0B,QAAQxH,QAAQC,IAAIwH,4BAA4B,UAAUF;EAChH;EAEQZ,wBAAwBe,oBAAkD;AAChF,WAAOA,oBAAoBjC,YAAY,SAASzF,QAAQC,IAAI0H,4BAA4B;EAC1F;EAEQvC,iCAAiCwC,qBAAoD;AAC3F,WAAOA,qBAAqBnC,YAAY,SAASzF,QAAQC,IAAI0H,4BAA4B;EAC3F;EAEQb,wCAAwCe,oCAA0E;AACxH,WAAOA,oCAAoCpC,YAAY,QAAQzF,QAAQC,IAAI6H,6CAA6C;EAC1H;EAEQtB,0BAA0BP,mBAAwC;AACxE,UAAM8B,aAAa,KAAKrD,OAAOC,eAAe4B;AAC9C,QAAI,KAAKE,wBAAwBR,mBAAmB,KAAKvB,OAAOI,YAAY,GAAG;AAC7E,UAAI,CAACiD,cAAcA,WAAW5F,WAAW,GAAG;AAC1C,cAAMkB,MACJ,iJAAiJ;MAErJ;AACA,UAAI,KAAKqB,OAAOI,cAAc;AAC5BkD,gBAAQC,IAAI,iEAAiEF,WAAW,CAAA,CAAE,EAAE;MAC9F,OAAO;AACLC,gBAAQC,IAAI,0CAA0C;MACxD;IACF,OAAO;AACL,UAAIF,cAAcA,WAAWG,KAAK,CAACC,OAAOA,OAAO,KAAKzD,OAAOC,eAAe/B,iBAAiB,GAAG;AAC9F,cAAMS,MACJ,qFAAqF0E,UAAAA,2EAAqF;MAE9K,WAAW,KAAK5D,eAAe;AAC7B,cAAMd,MAAM,6FAA6F;MAC3G;IACF;EACF;EACA,IAAImB,UAAe;AACjB,WAAO,KAAKR;EACd;AACF;;;ADvRA,IAAAoE,yBAAqE;","names":["import_oid4vci_issuer","import_oid4vc_common","import_oid4vci_common","import_oid4vci_issuer","import_ssi_express_support","handleTokenRequest","tokenExpiresIn","accessTokenEndpoint","accessTokenSignerCallback","accessTokenIssuer","cNonceExpiresIn","issuer","interval","dpop","request","response","set","Pragma","body","grant_type","GrantTypes","PRE_AUTHORIZED_CODE","sendErrorResponse","error","TokenErrorResponse","invalid_request","error_description","PRE_AUTHORIZED_CODE_REQUIRED_ERROR","headers","authorization","startsWith","DPoP","dPoPJwk","requireDPoP","console","fullUrl","protocol","get","originalUrl","verifyDPoP","method","jwtVerifyCallback","dPoPVerifyJwtCallback","expectAccessToken","maxIatAgeInSeconds","undefined","invalid_dpop_proof","Error","message","responseBody","createAccessTokenResponse","credentialOfferSessions","cNonces","cNonce","uuidv4","status","json","verifyTokenRequest","preAuthorizedCodeExpirationDuration","next","assertValidAccessTokenRequest","expirationDuration","TokenError","statusCode","responseError","getDescription","validateRequestBody","required","conditional","body","keys","Object","message","every","k","includes","toString","some","Error","expiresIn","process","env","EXPIRES_IN","parseInt","getIssueStatusEndpoint","router","issuer","opts","path","determinePath","baseUrl","stripBasePath","LOG","log","post","request","response","id","body","session","getCredentialOfferSessionById","credentialOffer","sendErrorResponse","error","error_description","authStatusBody","createdAt","lastUpdatedAt","expiresAt","status","statusLists","clientId","json","e","message","getCredentialOfferReferenceEndpoint","get","params","warning","credential_offer","isExternalAS","issuerMetadata","authorization_servers","some","as","includes","credential_issuer","authorizationChallengeEndpoint","endpoint","authorizationServerMetadata","authorization_challenge_endpoint","getBaseUrl","info","authorizationChallengeRequest","client_id","issuer_state","auth_session","presentation_during_issuance_session","authorizationChallengeErrorResponse","AuthorizationChallengeError","invalid_request","credentialOfferSessions","invalid_session","authRequestURI","createAuthRequestUriCallback","insufficient_authorization","presentation","verifiedResponse","verifyAuthResponseCallback","authorizationCode","generateRandomString","set","authorizationChallengeCodeResponse","authorization_code","accessTokenEndpoint","externalAS","asClientOpts","accessTokenProvider","enabled","accessTokenIssuer","ACCESS_TOKEN_ISSUER","preAuthorizedCodeExpirationDuration","getNumberOrUndefined","PRE_AUTHORIZED_CODE_EXPIRATION_DURATION","interval","INTERVAL","tokenExpiresIn","accessTokenSignerCallback","undefined","Error","JWT_SIGNER_CALLBACK_REQUIRED_ERROR","ACCESS_TOKEN_ISSUER_REQUIRED_ERROR","tokenPath","TOKEN_PATH","skipBaseUrlCheck","url","URL","toString","pathname","verifyTokenRequest","handleTokenRequest","cNonceExpiresIn","getCredentialEndpoint","credential_endpoint","credentialRequest","jwt","extractBearerToken","header","validateJWT","accessTokenVerificationCallback","jwtVerifyCallback","credential","issueCredential","notificationEndpoint","notification_endpoint","notificationRequest","event","event_description","notification_id","EVENTS","emit","NotificationStatusEventNames","OID4VCI_NOTIFICATION_RECEIVED","eventName","uuidv4","data","initiator","initiatorType","InitiatorType","EXTERNAL","system","System","OID4VCI","subsystem","SubSystem","API","jwtResult","accessToken","payload","errorOrSession","processNotification","preAuthorizedCode","notification","OID4VCI_NOTIFICATION_ERROR","OID4VCI_NOTIFICATION_PROCESSED","send","getCredentialOfferEndpoint","deleteCredentialOfferEndpoint","delete","deleteCredentialOfferSessionById","sendStatus","buildCredentialOfferReferenceUri","offerReferencePath","Promise","reject","protocol","headers","host","forwardedPort","forwardedPrefix","createCredentialOfferEndpoint","issuerPayloadPath","credentialOfferReferenceBasePath","specVersion","determineSpecVersionFromOffer","original_credential_offer","OpenId4VCIVersion","VER_1_0_13","TokenErrorResponse","invalid_client","grantTypes","determineGrantTypes","length","invalid_grant","grants","credentialConfigIds","credential_configuration_ids","qrCodeOpts","offerMode","defaultCredentialOfferMode","result","createCredentialOfferURI","correlationId","credentialOfferUri","resultResponse","pushedAuthorizationEndpoint","authRequestsData","handleHttpStatus400","req","res","next","required","conditional","validateRequestBody","client","scope","redirectUris","matched","filter","s","RegExp","replace","test","redirect_uri","split","every","uuid","requestUri","setTimeout","request_uri","expires_in","getMetadataEndpoints","credentialIssuerHandler","WellKnownEndpoints","OPENID4VCI_ISSUER","authorizationServerHandler","OAUTH_AS","basePath","getBasePath","prependUrl","adjustUrl","prepend","assertEndpointHasIssuerBaseUrl","trimBoth","startsWith","trimStart","validateEndpointHasIssuerBaseUrl","envUrl","ENV_PREFIX","trimEnd","buildVCIFromEnvironment","credentialsSupported","CredentialSupportedBuilderV1_13","withCredentialSigningAlgValuesSupported","process","env","credential_signing_alg_values_supported","withCryptographicBindingMethod","cryptographic_binding_methods_supported","withFormat","credential_supported_format","withCredentialName","credential_supported_name_1","withCredentialDefinition","type","credential_supported_1_definition_type_1","credential_supported_1_definition_type_2","withCredentialSupportedDisplay","name","credential_display_name","locale","credential_display_locale","logo","url","credential_display_logo_url","alt_text","credential_display_logo_alt_text","background_color","credential_display_background_color","text_color","credential_display_text_color","addCredentialSubjectPropertyDisplay","credential_subject_display_key1","credential_subject_display_key1_name","credential_subject_display_key1_locale","build","issuerBuilder","VcIssuerBuilder","withTXCode","length","user_pin_length","input_mode","user_pin_input_mode","withAuthorizationServers","authorization_server","withCredentialEndpoint","credential_endpoint","withCredentialIssuer","credential_issuer","withIssuerDisplay","issuer_name","issuer_locale","withCredentialConfigurationsSupported","withInMemoryCredentialOfferState","withInMemoryCNonceState","authorization_server_client_id","authorization_server_redirect_uri","Error","withASClientMetadataParams","client_id","client_secret","authorization_server_client_secret","redirect_uris","OID4VCIServer","_issuer","authRequestsData","Map","_app","_baseUrl","_expressSupport","_router","_asClientOpts","constructor","expressSupport","opts","URL","baseUrl","BASE_URL","issuer","issuerMetadata","express","Router","asClientOpts","undefined","pushedAuthorizationEndpoint","router","getMetadataEndpoints","issuerPayloadPath","isGetIssuePayloadEndpointEnabled","endpointOpts","getIssuePayloadOpts","getCredentialOfferReferenceEndpoint","createCredentialOfferOpts","enabled","CREDENTIAL_OFFER_ENDPOINT_ENABLED","createCredentialOfferEndpoint","deleteCredentialOfferEndpoint","deleteCredentialOfferOpts","getCredentialOfferEndpoint","getCredentialOfferOpts","getCredentialEndpoint","tokenEndpointOpts","accessTokenVerificationCallback","oidcAccessTokenVerifyCallback","clientMetadata","credentialIssuer","authorizationServer","authorization_servers","assertAccessTokenHandling","isTokenEndpointDisabled","accessTokenEndpoint","isStatusEndpointEnabled","getStatusOpts","getIssueStatusEndpoint","isAuthorizationChallengeEndpointEnabled","authorizationChallengeOpts","createAuthRequestUriCallback","verifyAuthResponseCallback","authorizationChallengeEndpoint","use","getBasePath","app","stop","asClientMetadata","tokenEndpointDisabled","TOKEN_ENDPOINT_DISABLED","statusEndpointOpts","STATUS_ENDPOINT_ENABLED","payloadEndpointOpts","authorizationChallengeEndpointOpts","AUTHORIZATION_CHALLENGE_ENDPOINT_ENABLED","authServer","console","log","some","as","import_oid4vci_common"]}