{"version":3,"sources":["../lib/index.ts","../lib/builder/CredentialSupportedBuilderV1_15.ts","../lib/builder/VcIssuerBuilder.ts","../lib/VcIssuer.ts","../lib/functions/CredentialOfferUtils.ts","../lib/functions/ASOidcClient.ts","../lib/state-manager/MemoryStates.ts","../lib/state-manager/LookupStateManager.ts","../lib/state-manager/CredentialOfferStateBuilder.ts","../lib/builder/DisplayBuilder.ts","../lib/builder/IssuerMetadataBuilderV1_15.ts","../lib/builder/AuthorizationServerMetadataBuilder.ts","../lib/tokens/index.ts"],"sourcesContent":["import { VCI_LOGGERS } from '@sphereon/oid4vci-common'\nimport { ISimpleLogger } from '@sphereon/ssi-types'\n\nexport const LOG: ISimpleLogger = VCI_LOGGERS.get('sphereon:oid4vci:issuer')\n\nexport * from './builder'\nexport * from './functions'\nexport * from './VcIssuer'\nexport * from './state-manager'\nexport * from './tokens'\nexport * from './types'\n","import {\n ClaimsDescriptionV1_0_15,\n CredentialConfigurationSupportedV1_0_15,\n CredentialDefinitionJwtVcJsonLdAndLdpVcV1_0_15,\n CredentialDefinitionJwtVcJsonV1_0_15,\n CredentialsSupportedDisplay,\n KeyProofType,\n OID4VCICredentialFormat,\n ProofType,\n ProofTypesSupported,\n TokenErrorResponse,\n} from '@sphereon/oid4vci-common'\n\nexport class CredentialSupportedBuilderV1_15 {\n format?: OID4VCICredentialFormat\n scope?: string\n credentialName?: string\n credentialDefinition?: CredentialDefinitionJwtVcJsonLdAndLdpVcV1_0_15 | CredentialDefinitionJwtVcJsonV1_0_15\n cryptographicBindingMethodsSupported?: ('jwk' | 'cose_key' | 'did' | string)[]\n credentialSigningAlgValuesSupported?: string[]\n proofTypesSupported?: ProofTypesSupported\n display?: CredentialsSupportedDisplay[]\n claims?: ClaimsDescriptionV1_0_15[] // Changed to use claims path pointers in v15\n vct?: string // For dc+sd-jwt format\n doctype?: string // For mso_mdoc format\n\n withFormat(credentialFormat: OID4VCICredentialFormat): CredentialSupportedBuilderV1_15 {\n this.format = credentialFormat\n return this\n }\n\n withCredentialName(credentialName: string): CredentialSupportedBuilderV1_15 {\n this.credentialName = credentialName\n return this\n }\n\n withCredentialDefinition(\n credentialDefinition: CredentialDefinitionJwtVcJsonLdAndLdpVcV1_0_15 | CredentialDefinitionJwtVcJsonV1_0_15,\n ): CredentialSupportedBuilderV1_15 {\n if (!credentialDefinition.type) {\n throw new Error('credentialDefinition should contain a type array')\n }\n this.credentialDefinition = credentialDefinition\n return this\n }\n\n withScope(scope: string): CredentialSupportedBuilderV1_15 {\n this.scope = scope\n return this\n }\n\n // New in v15: VCT support for dc+sd-jwt format\n withVct(vct: string): CredentialSupportedBuilderV1_15 {\n this.vct = vct\n return this\n }\n\n // New in v15: Doctype support for mso_mdoc format\n withDoctype(doctype: string): CredentialSupportedBuilderV1_15 {\n this.doctype = doctype\n return this\n }\n\n addCryptographicBindingMethod(method: string | string[]): CredentialSupportedBuilderV1_15 {\n if (!Array.isArray(method)) {\n this.cryptographicBindingMethodsSupported = this.cryptographicBindingMethodsSupported\n ? [...this.cryptographicBindingMethodsSupported, method]\n : [method]\n } else {\n this.cryptographicBindingMethodsSupported = this.cryptographicBindingMethodsSupported\n ? [...this.cryptographicBindingMethodsSupported, ...method]\n : method\n }\n return this\n }\n\n withCryptographicBindingMethod(method: string | string[]): CredentialSupportedBuilderV1_15 {\n this.cryptographicBindingMethodsSupported = Array.isArray(method) ? method : [method]\n return this\n }\n\n addCredentialSigningAlgValuesSupported(algValues: string | string[]): CredentialSupportedBuilderV1_15 {\n if (!Array.isArray(algValues)) {\n this.credentialSigningAlgValuesSupported = this.credentialSigningAlgValuesSupported\n ? [...this.credentialSigningAlgValuesSupported, algValues]\n : [algValues]\n } else {\n this.credentialSigningAlgValuesSupported = this.credentialSigningAlgValuesSupported\n ? [...this.credentialSigningAlgValuesSupported, ...algValues]\n : algValues\n }\n return this\n }\n\n withCredentialSigningAlgValuesSupported(algValues: string | string[]): CredentialSupportedBuilderV1_15 {\n this.credentialSigningAlgValuesSupported = Array.isArray(algValues) ? algValues : [algValues]\n return this\n }\n\n addProofTypesSupported(keyProofType: KeyProofType, proofType: ProofType): CredentialSupportedBuilderV1_15 {\n if (!this.proofTypesSupported) {\n this.proofTypesSupported = {}\n }\n this.proofTypesSupported[keyProofType] = proofType\n return this\n }\n\n withProofTypesSupported(proofTypesSupported: ProofTypesSupported): CredentialSupportedBuilderV1_15 {\n this.proofTypesSupported = proofTypesSupported\n return this\n }\n\n addCredentialSupportedDisplay(credentialDisplay: CredentialsSupportedDisplay | CredentialsSupportedDisplay[]): CredentialSupportedBuilderV1_15 {\n if (!Array.isArray(credentialDisplay)) {\n this.display = this.display ? [...this.display, credentialDisplay] : [credentialDisplay]\n } else {\n this.display = this.display ? [...this.display, ...credentialDisplay] : credentialDisplay\n }\n return this\n }\n\n withCredentialSupportedDisplay(credentialDisplay: CredentialsSupportedDisplay | CredentialsSupportedDisplay[]): CredentialSupportedBuilderV1_15 {\n this.display = Array.isArray(credentialDisplay) ? credentialDisplay : [credentialDisplay]\n return this\n }\n\n // New in v15: Claims description using path pointers\n withClaims(claims: ClaimsDescriptionV1_0_15[]): CredentialSupportedBuilderV1_15 {\n this.claims = claims\n return this\n }\n\n addClaim(claim: ClaimsDescriptionV1_0_15): CredentialSupportedBuilderV1_15 {\n if (!this.claims) {\n this.claims = []\n }\n this.claims.push(claim)\n return this\n }\n\n public build(): Record {\n if (!this.format) {\n throw new Error(TokenErrorResponse.invalid_request)\n }\n\n const credentialSupported: CredentialConfigurationSupportedV1_0_15 = {\n format: this.format,\n } as CredentialConfigurationSupportedV1_0_15\n\n if (!this.credentialName) {\n throw new Error('A unique credential name is required')\n }\n\n // Format-specific handling for v15\n if (this.format === 'dc+sd-jwt') {\n if (!this.vct) {\n throw new Error('vct is required for dc+sd-jwt format')\n }\n ;(credentialSupported as any).vct = this.vct\n } else if (this.format === 'mso_mdoc') {\n if (!this.doctype) {\n throw new Error('doctype is required for mso_mdoc format')\n }\n ;(credentialSupported as any).doctype = this.doctype\n } else {\n if (!this.credentialDefinition) {\n throw new Error('credentialDefinition is required')\n }\n credentialSupported.credential_definition = this.credentialDefinition\n }\n\n if (this.scope) {\n credentialSupported.scope = this.scope\n }\n if (this.credentialSigningAlgValuesSupported) {\n credentialSupported.credential_signing_alg_values_supported = this.credentialSigningAlgValuesSupported\n }\n if (this.cryptographicBindingMethodsSupported) {\n credentialSupported.cryptographic_binding_methods_supported = this.cryptographicBindingMethodsSupported\n }\n if (this.display) {\n credentialSupported.display = this.display\n }\n if (this.claims) {\n ;(credentialSupported as any).claims = this.claims\n }\n\n const supportedConfiguration: Record = {}\n supportedConfiguration[this.credentialName] = credentialSupported as CredentialConfigurationSupportedV1_0_15\n\n return supportedConfiguration\n }\n}\n","import {\n AuthorizationServerMetadata,\n ClientMetadata,\n ClientResponseType,\n CNonceState,\n CredentialConfigurationSupportedV1_0_15,\n CredentialIssuerMetadataOptsV1_0_15,\n CredentialOfferSession,\n IssuerMetadata,\n IssuerMetadataV1_0_15,\n IStateManager,\n JWTVerifyCallback,\n MetadataDisplay,\n TokenErrorResponse,\n TxCode,\n URIState,\n} from '@sphereon/oid4vci-common'\n\nimport { VcIssuer } from '../VcIssuer'\nimport { oidcAccessTokenVerifyCallback } from '../functions'\nimport { MemoryStates } from '../state-manager'\nimport { CredentialDataSupplier, CredentialSignerCallback } from '../types'\n\nimport { IssuerMetadataBuilderV1_15 } from './IssuerMetadataBuilderV1_15'\n\nexport class VcIssuerBuilder {\n issuerMetadataBuilder?: IssuerMetadataBuilderV1_15\n issuerMetadata: Partial = {}\n authorizationServerMetadata: Partial = {}\n asClientOpts?: ClientMetadata\n txCode?: TxCode\n defaultCredentialOfferBaseUri?: string\n userPinRequired?: boolean\n cNonceExpiresIn?: number\n credentialOfferStateManager?: IStateManager\n credentialOfferURIManager?: IStateManager\n cNonceStateManager?: IStateManager\n credentialSignerCallback?: CredentialSignerCallback\n jwtVerifyCallback?: JWTVerifyCallback\n credentialDataSupplier?: CredentialDataSupplier\n\n public withIssuerMetadata(issuerMetadata: IssuerMetadata) {\n if (!issuerMetadata.credential_configurations_supported) {\n throw new Error('IssuerMetadata should be from type v1_0_15 or higher.')\n }\n this.issuerMetadata = issuerMetadata as IssuerMetadataV1_0_15\n return this\n }\n\n public withASClientMetadata(clientMetadata: ClientMetadata): this {\n this.asClientOpts = clientMetadata\n return this\n }\n\n public withASClientMetadataParams({\n client_id,\n client_secret,\n redirect_uris,\n response_types,\n ...other\n }: { client_id: string; client_secret?: string; redirect_uris?: string[]; response_types?: ClientResponseType[] } & ClientMetadata): this {\n this.asClientOpts = { ...other, client_id, client_secret, redirect_uris, response_types }\n return this\n }\n\n public withAuthorizationMetadata(authorizationServerMetadata: AuthorizationServerMetadata) {\n this.authorizationServerMetadata = authorizationServerMetadata\n return this\n }\n\n public withIssuerMetadataBuilder(builder: IssuerMetadataBuilderV1_15) {\n this.issuerMetadataBuilder = builder\n return this\n }\n\n public withDefaultCredentialOfferBaseUri(baseUri: string) {\n this.defaultCredentialOfferBaseUri = baseUri\n return this\n }\n\n public withCredentialIssuer(issuer: string): this {\n this.issuerMetadata.credential_issuer = issuer\n return this\n }\n\n public withAuthorizationServers(authorizationServers: string | string[]): this {\n this.issuerMetadata.authorization_servers = typeof authorizationServers === 'string' ? [authorizationServers] : authorizationServers\n return this\n }\n\n public withCredentialEndpoint(credentialEndpoint: string): this {\n this.issuerMetadata.credential_endpoint = credentialEndpoint\n return this\n }\n\n public withTokenEndpoint(tokenEndpoint: string): this {\n this.issuerMetadata.token_endpoint = tokenEndpoint\n return this\n }\n\n public withNonceEndpoint(nonceEndpoint: string): this {\n this.issuerMetadata.nonce_endpoint = nonceEndpoint\n return this\n }\n\n public withIssuerDisplay(issuerDisplay: MetadataDisplay[] | MetadataDisplay): this {\n this.issuerMetadata.display = Array.isArray(issuerDisplay) ? issuerDisplay : [issuerDisplay]\n return this\n }\n\n public addIssuerDisplay(issuerDisplay: MetadataDisplay): this {\n this.issuerMetadata.display = [...(this.issuerMetadata.display ?? []), issuerDisplay]\n return this\n }\n\n public withCredentialConfigurationsSupported(credentialConfigurationsSupported: Record) {\n this.issuerMetadata.credential_configurations_supported = credentialConfigurationsSupported\n return this\n }\n\n public addCredentialConfigurationsSupported(id: string, supportedCredential: CredentialConfigurationSupportedV1_0_15) {\n if (!this.issuerMetadata.credential_configurations_supported) {\n this.issuerMetadata.credential_configurations_supported = {}\n }\n this.issuerMetadata.credential_configurations_supported[id] = supportedCredential\n return this\n }\n\n public withTXCode(txCode: TxCode): this {\n this.txCode = txCode\n return this\n }\n\n public withCredentialOfferURIStateManager(credentialOfferURIManager: IStateManager): this {\n this.credentialOfferURIManager = credentialOfferURIManager\n return this\n }\n\n public withInMemoryCredentialOfferURIState(): this {\n this.withCredentialOfferURIStateManager(new MemoryStates())\n return this\n }\n\n public withCredentialOfferStateManager(credentialOfferManager: IStateManager): this {\n this.credentialOfferStateManager = credentialOfferManager\n return this\n }\n\n public withInMemoryCredentialOfferState(): this {\n this.withCredentialOfferStateManager(new MemoryStates())\n return this\n }\n\n public withCNonceStateManager(cNonceManager: IStateManager): this {\n this.cNonceStateManager = cNonceManager\n return this\n }\n\n public withInMemoryCNonceState(): this {\n this.withCNonceStateManager(new MemoryStates())\n return this\n }\n\n public withCNonceExpiresIn(cNonceExpiresIn: number): this {\n this.cNonceExpiresIn = cNonceExpiresIn\n return this\n }\n\n public withCredentialSignerCallback(cb: CredentialSignerCallback): this {\n this.credentialSignerCallback = cb\n return this\n }\n\n public withJWTVerifyCallback(verifyCallback: JWTVerifyCallback): this {\n this.jwtVerifyCallback = verifyCallback\n return this\n }\n\n public withCredentialDataSupplier(credentialDataSupplier: CredentialDataSupplier): this {\n this.credentialDataSupplier = credentialDataSupplier\n return this\n }\n\n public build(): VcIssuer {\n if (!this.credentialOfferStateManager) {\n throw new Error(TokenErrorResponse.invalid_request)\n }\n if (!this.cNonceStateManager) {\n throw new Error(TokenErrorResponse.invalid_request)\n }\n if (Object.keys(this.issuerMetadata).length === 0) {\n throw new Error('issuerMetadata not set')\n }\n if (Object.keys(this.authorizationServerMetadata).length === 0) {\n throw new Error('authorizationServerMetadata not set')\n }\n\n const builder = this.issuerMetadataBuilder?.build()\n const metadata: Partial = { ...this.issuerMetadata, ...builder }\n // Let's make sure these get merged correctly:\n metadata.credential_configurations_supported = this.issuerMetadata.credential_configurations_supported\n metadata.display = [...(this.issuerMetadata.display ?? []), ...(builder?.display ?? [])]\n if (!metadata.credential_endpoint || !metadata.credential_issuer || !this.issuerMetadata.credential_configurations_supported) {\n throw new Error(TokenErrorResponse.invalid_request)\n }\n if (this.asClientOpts && typeof this.jwtVerifyCallback !== 'function') {\n if (!this.issuerMetadata.credential_issuer) {\n throw Error('issuerMetadata.credential_issuer is required when using asClientOpts')\n } else if (!this.issuerMetadata.authorization_servers) {\n throw Error('issuerMetadata.authorization_servers is required when using asClientOpts')\n }\n this.jwtVerifyCallback = oidcAccessTokenVerifyCallback({\n clientMetadata: this.asClientOpts,\n credentialIssuer: this.issuerMetadata.credential_issuer,\n authorizationServer: this.issuerMetadata.authorization_servers[0],\n })\n }\n return new VcIssuer(metadata as IssuerMetadataV1_0_15, this.authorizationServerMetadata as AuthorizationServerMetadata, {\n //TODO: discuss this with Niels. I did not find this in the spec. but I think we should somehow communicate this\n ...(this.txCode && { txCode: this.txCode }),\n defaultCredentialOfferBaseUri: this.defaultCredentialOfferBaseUri,\n credentialSignerCallback: this.credentialSignerCallback,\n jwtVerifyCallback: this.jwtVerifyCallback,\n credentialDataSupplier: this.credentialDataSupplier,\n credentialOfferSessions: this.credentialOfferStateManager,\n cNonces: this.cNonceStateManager,\n cNonceExpiresIn: this.cNonceExpiresIn,\n uris: this.credentialOfferURIManager,\n asClientOpts: this.asClientOpts,\n })\n }\n}\n","import { uuidv4 } from '@sphereon/oid4vc-common'\nimport {\n ALG_ERROR,\n AUD_ERROR,\n AuthorizationServerMetadata,\n ClientMetadata,\n CNonceState,\n CreateCredentialOfferURIResult,\n CREDENTIAL_MISSING_ERROR,\n CredentialDataSupplierInput,\n CredentialEventNames,\n CredentialIssuerMetadataOptsV1_0_15,\n CredentialOfferEventNames,\n CredentialOfferMode,\n CredentialOfferSession,\n CredentialOfferV1_0_15,\n CredentialRequest,\n CredentialRequestV1_0_15,\n CredentialResponse,\n DID_NO_DIDDOC_ERROR,\n EVENTS,\n IAT_ERROR,\n ISSUER_CONFIG_ERROR,\n IssueStatus,\n IStateManager,\n JsonLdIssuerCredentialDefinition,\n JWT_VERIFY_CONFIG_ERROR,\n JWTVerifyCallback,\n JwtVerifyResult,\n KID_DID_NO_DID_ERROR,\n KID_JWK_X5C_ERROR,\n NO_ISS_IN_AUTHORIZATION_CODE_CONTEXT,\n NotificationRequest,\n OID4VCICredentialFormat,\n OpenId4VCIVersion,\n PRE_AUTH_GRANT_LITERAL,\n ProofOfPossession,\n QRCodeOpts,\n StatusListOpts,\n TokenErrorResponse,\n toUniformCredentialOfferRequest,\n TxCode,\n TYP_ERROR,\n URIState,\n} from '@sphereon/oid4vci-common'\nimport { CompactSdJwtVc, CredentialMapper, InitiatorType, SubSystem, System, W3CVerifiableCredential } from '@sphereon/ssi-types'\nimport ShortUUID from 'short-uuid'\n\nimport { assertValidPinNumber, createCredentialOfferObject, createCredentialOfferURIFromObject, CredentialOfferGrantInput } from './functions'\nimport { LookupStateManager, lookupStateManagerMultiGetAsserted, MemoryStates } from './state-manager'\nimport { CredentialDataSupplier, CredentialDataSupplierArgs, CredentialIssuanceInput, CredentialSignerCallback, IssuerCorrelation } from './types'\n\nimport { LOG } from './index'\n\nconst shortUUID = ShortUUID()\n\nexport class VcIssuer {\n private _issuerMetadata: CredentialIssuerMetadataOptsV1_0_15 // TODO SSISDK-87 create proper solution to update issuer metadata\n private readonly _authorizationServerMetadata: AuthorizationServerMetadata\n private readonly _defaultCredentialOfferBaseUri?: string\n private readonly _credentialSignerCallback?: CredentialSignerCallback\n private readonly _jwtVerifyCallback?: JWTVerifyCallback\n private readonly _credentialDataSupplier?: CredentialDataSupplier\n private readonly _credentialOfferSessions: IStateManager\n private readonly _cNonces: IStateManager\n private readonly _uris: IStateManager\n private readonly _cNonceExpiresIn: number\n private readonly _asClientOpts?: ClientMetadata\n\n constructor(\n issuerMetadata: CredentialIssuerMetadataOptsV1_0_15,\n authorizationServerMetadata: AuthorizationServerMetadata,\n args: {\n txCode?: TxCode\n baseUri?: string\n credentialOfferSessions: IStateManager\n defaultCredentialOfferBaseUri?: string\n cNonces: IStateManager\n uris?: IStateManager\n credentialSignerCallback?: CredentialSignerCallback\n jwtVerifyCallback?: JWTVerifyCallback\n credentialDataSupplier?: CredentialDataSupplier\n cNonceExpiresIn?: number | undefined // expiration duration in seconds\n asClientOpts?: ClientMetadata\n },\n ) {\n this._issuerMetadata = issuerMetadata\n this._authorizationServerMetadata = authorizationServerMetadata\n this._defaultCredentialOfferBaseUri = args.defaultCredentialOfferBaseUri\n this._credentialOfferSessions = args.credentialOfferSessions ?? new MemoryStates()\n this._uris = args.uris ?? new MemoryStates()\n this._cNonces = args.cNonces\n this._credentialSignerCallback = args?.credentialSignerCallback\n this._jwtVerifyCallback = args?.jwtVerifyCallback\n this._credentialDataSupplier = args?.credentialDataSupplier\n this._cNonceExpiresIn = (args?.cNonceExpiresIn ?? (process.env.C_NONCE_EXPIRES_IN ? parseInt(process.env.C_NONCE_EXPIRES_IN) : 300)) as number\n this._asClientOpts = args?.asClientOpts\n }\n\n public async getCredentialOfferSessionById(\n id: string,\n lookups: Array<'uri' | 'preAuthorizedCode' | 'issuerState' | 'correlationId'> = ['preAuthorizedCode', 'issuerState', 'correlationId'],\n ): Promise {\n // preAuth and issuerState can be looked up directly\n if (Array.isArray(lookups) && lookups.length > 0) {\n if (!this.uris) {\n return Promise.reject(Error('Cannot lookup credential offer by id if URI state manager is not set'))\n }\n return lookupStateManagerMultiGetAsserted({\n id,\n keyValueMapper: this._uris,\n valueStateManager: this._credentialOfferSessions,\n lookups: ['preAuthorizedCode', 'issuerState', 'correlationId'],\n })\n // return new LookupStateManager(this.uris, this._credentialOfferSessions, lookup).getFromMultiple(id)\n }\n const session = await this._credentialOfferSessions.get(id)\n if (!session) {\n return Promise.reject(Error(`No session found for id ${id}`))\n }\n return session\n }\n\n public async deleteCredentialOfferSessionById(\n id: string,\n lookups: Array<'uri' | 'preAuthorizedCode' | 'issuerState' | 'correlationId'> = ['preAuthorizedCode', 'issuerState'],\n ): Promise {\n const session = await this.getCredentialOfferSessionById(id, lookups)\n if (session) {\n if (session.preAuthorizedCode && (await this._credentialOfferSessions.has(session.preAuthorizedCode))) {\n await this._credentialOfferSessions.delete(session.preAuthorizedCode)\n }\n if (session.issuerState && (await this._credentialOfferSessions.has(session.issuerState))) {\n await this._credentialOfferSessions.delete(session.issuerState)\n }\n }\n return session\n }\n\n public async processNotification({\n preAuthorizedCode,\n issuerState,\n notification,\n }: {\n preAuthorizedCode?: string\n issuerState?: string\n notification: NotificationRequest\n }): Promise {\n const sessionId = preAuthorizedCode ?? issuerState\n const session = sessionId ? await this.getCredentialOfferSessionById(sessionId) : undefined\n if (!session || !sessionId) {\n LOG.error(`No session or session id found ${sessionId}`)\n return Error('invalid_notification_request')\n }\n if (notification.notification_id !== session.notification_id) {\n LOG.error(`Notification id ${notification.notification_id} not found in session. session notification id ${session.notification_id}`)\n return Error('invalid_notification_id')\n } else if (session.notification) {\n LOG.info(`Overwriting existing notification, as a new notification came in ${session.notification_id}`)\n }\n await this.updateSession({ preAuthorizedCode: preAuthorizedCode, issuerState: issuerState, notification })\n LOG.info(`Processed notification ${notification} for ${session.notification_id}`)\n return session\n }\n\n public async createCredentialOfferURI(opts: {\n offerMode?: CredentialOfferMode\n grants?: CredentialOfferGrantInput\n client_id?: string\n redirectUri?: string\n credential_configuration_ids?: Array\n credentialDefinition?: JsonLdIssuerCredentialDefinition\n credentialOfferUri?: string\n credentialDataSupplierInput?: CredentialDataSupplierInput // Optional storage that can help the credential Data Supplier. For instance to store credential input data during offer creation, if no additional data can be supplied later on\n baseUri?: string\n scheme?: string\n pinLength?: number\n qrCodeOpts?: QRCodeOpts\n correlationId?: string\n statusListOpts?: Array\n sessionLifeTimeInSec?: number\n }): Promise {\n const {\n offerMode = 'VALUE',\n correlationId = shortUUID.generate(),\n credential_configuration_ids,\n statusListOpts,\n credentialOfferUri,\n redirectUri,\n } = opts\n if (offerMode === 'REFERENCE' && !credentialOfferUri) {\n return Promise.reject(Error('credentialOfferUri must be supplied for offerMode REFERENCE!'))\n }\n\n const grants = opts.grants ? { ...opts.grants } : {}\n // for backwards compat, would be better if user sets the prop on the grants directly\n if (opts.pinLength !== undefined) {\n if (grants[PRE_AUTH_GRANT_LITERAL]) {\n grants[PRE_AUTH_GRANT_LITERAL].tx_code = {\n ...grants[PRE_AUTH_GRANT_LITERAL].tx_code,\n length: grants[PRE_AUTH_GRANT_LITERAL].tx_code?.length ?? opts.pinLength,\n }\n }\n }\n if (grants[PRE_AUTH_GRANT_LITERAL]?.tx_code && !grants[PRE_AUTH_GRANT_LITERAL]?.tx_code?.length) {\n grants[PRE_AUTH_GRANT_LITERAL].tx_code.length = 4\n }\n\n const baseUri = opts?.baseUri ?? this.defaultCredentialOfferBaseUri\n const credentialOfferObject = createCredentialOfferObject(this._issuerMetadata, {\n ...opts,\n grants,\n credentialOffer: credential_configuration_ids\n ? {\n credential_issuer: this._issuerMetadata.credential_issuer,\n credential_configuration_ids,\n }\n : undefined,\n })\n\n const preAuthGrant = credentialOfferObject.credential_offer.grants?.[PRE_AUTH_GRANT_LITERAL]\n const authGrant = credentialOfferObject.credential_offer.grants?.authorization_code\n\n const preAuthorizedCode = preAuthGrant?.['pre-authorized_code']\n const issuerState = authGrant?.issuer_state\n const txCode = preAuthGrant?.tx_code\n\n let userPin: string | undefined\n if (preAuthGrant?.tx_code) {\n const pinLength = preAuthGrant.tx_code.length ?? 4\n\n userPin = ('' + Math.round((Math.pow(10, pinLength) - 1) * Math.random())).padStart(pinLength, '0')\n assertValidPinNumber(userPin, pinLength)\n }\n const createdAt = +new Date()\n const lastUpdatedAt = createdAt\n const expirationInMs = (opts.sessionLifeTimeInSec ?? 10 * 60) * 1000\n const expiresAt = createdAt + Math.abs(expirationInMs)\n if (offerMode === 'REFERENCE') {\n if (!this.uris) {\n throw Error('No URI state manager set, whilst apparently credential offer by reference is being used')\n }\n\n const offerUri = opts.credentialOfferUri?.replace(':id', correlationId) // TODO how is this going to work with auth code flow?\n if (!offerUri) {\n return Promise.reject(Error('credentialOfferUri must be supplied for offerMode REFERENCE!'))\n }\n\n credentialOfferObject.credential_offer_uri = offerUri\n await this.uris.set(correlationId, {\n uri: offerUri,\n createdAt: createdAt,\n expiresAt,\n preAuthorizedCode,\n issuerState,\n correlationId: correlationId,\n })\n }\n\n const credentialOffer = await toUniformCredentialOfferRequest(\n {\n credential_offer: credentialOfferObject.credential_offer,\n credential_offer_uri: credentialOfferObject.credential_offer_uri,\n } as CredentialOfferV1_0_15,\n {\n version: OpenId4VCIVersion.VER_1_0_15,\n resolve: false, // We are creating the object, so do not resolve\n },\n )\n\n const status = IssueStatus.OFFER_CREATED\n const session: CredentialOfferSession = {\n redirectUri,\n preAuthorizedCode,\n issuerState,\n createdAt,\n lastUpdatedAt,\n expiresAt,\n status,\n notification_id: uuidv4(),\n ...(opts.client_id && { clientId: opts.client_id }),\n ...(userPin && { txCode: userPin }), // We used to use userPin according to older specs. We map these onto txCode now. If both are used, txCode in the end wins, even if they are different\n ...(opts.credentialDataSupplierInput && { credentialDataSupplierInput: opts.credentialDataSupplierInput }),\n credentialOffer,\n statusLists: statusListOpts,\n }\n\n const uri = createCredentialOfferURIFromObject(credentialOffer, offerMode, { ...opts, baseUri })\n if (preAuthorizedCode) {\n const lookupManager = new LookupStateManager(this.uris, this._credentialOfferSessions, 'correlationId')\n await lookupManager.setMapped(\n preAuthorizedCode,\n {\n preAuthorizedCode,\n uri,\n createdAt,\n expiresAt,\n correlationId,\n issuerState,\n },\n session,\n )\n // await this.credentialOfferSessions.set(preAuthorizedCode, session)\n }\n // todo: check whether we could have the same value for issuer state and pre auth code if both are supported.\n if (issuerState) {\n const lookupManager = new LookupStateManager(this.uris, this._credentialOfferSessions, 'correlationId')\n await lookupManager.setMapped(\n issuerState,\n {\n preAuthorizedCode,\n uri,\n createdAt,\n expiresAt,\n correlationId,\n issuerState,\n },\n session,\n )\n // await this.credentialOfferSessions.set(issuerState, session)\n }\n let qrCodeDataUri: string | undefined\n if (opts.qrCodeOpts) {\n const { AwesomeQR } = await import('awesome-qr')\n const qrCode = new AwesomeQR({ ...opts.qrCodeOpts, text: uri })\n qrCodeDataUri = `data:image/png;base64,${(await qrCode.draw())!.toString('base64')}`\n }\n const credentialOfferResult = {\n session,\n uri,\n qrCodeDataUri,\n correlationId,\n txCode,\n ...(userPin !== undefined && { userPin, pinLength: userPin?.length ?? 0 }),\n }\n EVENTS.emit(CredentialOfferEventNames.OID4VCI_OFFER_CREATED, {\n eventName: CredentialOfferEventNames.OID4VCI_OFFER_CREATED,\n id: correlationId,\n data: credentialOfferResult,\n initiator: '',\n initiatorType: InitiatorType.EXTERNAL,\n system: System.OID4VCI,\n issuer: this.issuerMetadata.credential_issuer,\n subsystem: SubSystem.API,\n createdAt,\n expiresAt,\n })\n return credentialOfferResult\n }\n\n /**\n * issueCredentialFromIssueRequest\n * @param opts issuerRequestParams\n * - issueCredentialsRequest the credential request\n * - issuerState the state of the issuer\n * - jwtVerifyCallback callback that verifies the Proof of Possession JWT\n * - issuerCallback callback to issue a Verifiable Credential\n * - cNonce an existing c_nonce\n */\n public async issueCredential(opts: {\n credentialRequest: CredentialRequest\n issuerCorrelation: IssuerCorrelation\n credential?: CredentialIssuanceInput\n credentialDataSupplier?: CredentialDataSupplier\n credentialDataSupplierInput?: CredentialDataSupplierInput\n newCNonce?: string\n cNonceExpiresIn?: number // expiration duration in seconds\n tokenExpiresIn?: number // expiration duration in seconds\n jwtVerifyCallback?: JWTVerifyCallback\n credentialSignerCallback?: CredentialSignerCallback\n responseCNonce?: string\n }): Promise {\n /*if (!('credential_identifier' in opts.credentialRequest)) {\n throw new Error('credential request should be of spec version 1.0.13 or above')\n }*/\n const credentialRequest = opts.credentialRequest as CredentialRequestV1_0_15\n const issuerCorrelation = opts.issuerCorrelation\n try {\n if (!('credential_identifier' in credentialRequest) && !('credential_configuration_id' in credentialRequest)) {\n throw Error('credential request should have either credential_identifier or credential_configuration_id')\n }\n\n // Validate the credential_configuration_id exists in metadata if used\n if ('credential_configuration_id' in credentialRequest && credentialRequest.credential_configuration_id) {\n if (!this._issuerMetadata.credential_configurations_supported?.[credentialRequest.credential_configuration_id]) {\n throw Error(TokenErrorResponse.invalid_request)\n }\n }\n\n // Validate credential_identifier against authorization_details if present\n if ('credential_identifier' in credentialRequest && credentialRequest.credential_identifier && issuerCorrelation.authorizationDetails) {\n const validIdentifiers = issuerCorrelation.authorizationDetails.flatMap((detail: any) => detail.credential_identifiers || [])\n\n if (!validIdentifiers.includes(credentialRequest.credential_identifier)) {\n throw Error('credential_identifier not found in authorization_details')\n }\n }\n\n let format = this.lookupCredentialFormat(credentialRequest)\n const validated = await this.validateCredentialRequestProof({\n ...opts,\n format,\n tokenExpiresIn: opts.tokenExpiresIn ?? 180,\n })\n if (validated.preAuthorizedCode && !issuerCorrelation.preAuthorizedCode) {\n issuerCorrelation.preAuthorizedCode = validated.preAuthorizedCode\n }\n if (validated.issuerState && !issuerCorrelation.issuerState) {\n issuerCorrelation.issuerState = validated.issuerState\n }\n\n const { preAuthSession, authSession, cNonceState, jwtVerifyResult } = validated\n const did = jwtVerifyResult.did\n const jwk = jwtVerifyResult.jwk\n const kid = jwtVerifyResult.kid\n const newcNonce = opts.newCNonce ? opts.newCNonce : uuidv4()\n const newcNonceState = {\n cNonce: newcNonce,\n createdAt: +new Date(),\n ...(authSession?.issuerState && { issuerState: authSession.issuerState }),\n ...(preAuthSession && { preAuthorizedCode: preAuthSession.preAuthorizedCode }),\n }\n await this.cNonces.set(newcNonce, newcNonceState)\n\n if (!opts.credential && this._credentialDataSupplier === undefined && opts.credentialDataSupplier === undefined) {\n throw Error(`Either a credential needs to be supplied or a credentialDataSupplier`)\n }\n let credential: CredentialIssuanceInput | undefined\n\n let signerCallback: CredentialSignerCallback | undefined = opts.credentialSignerCallback\n const session: CredentialOfferSession | undefined = issuerCorrelation.preAuthorizedCode && preAuthSession ? preAuthSession : authSession\n if (opts.credential) {\n credential = opts.credential\n } else {\n const credentialDataSupplier: CredentialDataSupplier | undefined =\n typeof opts.credentialDataSupplier === 'function' ? opts.credentialDataSupplier : this._credentialDataSupplier\n if (typeof credentialDataSupplier !== 'function') {\n throw Error('Data supplier is mandatory if no credential is supplied')\n }\n if (!session) {\n throw Error('Either a preAuth or Auth session is required, none found')\n }\n const credentialOffer = session.credentialOffer\n if (!credentialOffer) {\n throw Error('Credential Offer missing')\n }\n const credentialDataSupplierInput = opts.credentialDataSupplierInput ?? session.credentialDataSupplierInput\n\n const result = await credentialDataSupplier({\n ...(cNonceState ? { ...cNonceState } : { ...authSession }),\n credentialRequest: opts.credentialRequest,\n credentialSupplierConfig: this._issuerMetadata.credential_supplier_config,\n format,\n credentialOffer /*todo: clientId: */,\n ...(credentialDataSupplierInput && { credentialDataSupplierInput }),\n } as CredentialDataSupplierArgs)\n credential = result.credential\n if (result.format) {\n format = result.format\n }\n if (typeof result.signCallback === 'function') {\n signerCallback = result.signCallback\n }\n }\n if (!credential) {\n throw Error('A credential needs to be supplied at this point')\n }\n // Bind credential to the provided proof of possession\n if (CredentialMapper.isSdJwtDecodedCredentialPayload(credential) && (kid || jwk) && !credential.cnf) {\n if (kid) {\n credential.cnf = {\n kid,\n }\n }\n // else TODO temp workaround IATAB2B-57\n if (jwk) {\n credential.cnf = {\n jwk,\n }\n }\n } else if (did && !CredentialMapper.isSdJwtDecodedCredentialPayload(credential) && credential.credentialSubject !== undefined) {\n const credentialSubjects = Array.isArray(credential.credentialSubject) ? credential.credentialSubject : [credential.credentialSubject]\n credentialSubjects.map((subject) => {\n if (!subject.id) {\n subject.id = did\n }\n return subject\n })\n credential.credentialSubject = Array.isArray(credential.credentialSubject) ? credentialSubjects : credentialSubjects[0]\n } else {\n // Mdoc Format\n // Nothing to do here\n }\n\n let issuer: string | undefined = undefined\n if (credential.iss) {\n issuer = credential.iss\n } else if (credential.issuer) {\n if (typeof credential.issuer === 'string') {\n issuer = credential.issuer\n } else if (typeof credential.issuer === 'object' && 'id' in credential.issuer && typeof credential.issuer.id === 'string') {\n issuer = credential.issuer.id\n }\n }\n\n const verifiableCredential = await this.issueCredentialImpl(\n {\n credentialRequest: opts.credentialRequest,\n format,\n credential,\n jwtVerifyResult,\n issuer,\n ...(session && { statusLists: session.statusLists }),\n },\n signerCallback,\n )\n // TODO implement acceptance_token (deferred response)\n // TODO update verification accordingly\n if (!verifiableCredential) {\n // credential: OPTIONAL. Contains issued Credential. MUST be present when acceptance_token is not returned. MAY be a JSON string or a JSON object, depending on the Credential format. See Appendix E for the Credential format specific encoding requirements\n throw new Error(CREDENTIAL_MISSING_ERROR)\n }\n if (cNonceState) {\n // remove the previous nonce\n await this.cNonces.delete(cNonceState.cNonce)\n }\n\n let notification_id: string | undefined\n\n if (issuerCorrelation.preAuthorizedCode && preAuthSession) {\n preAuthSession.lastUpdatedAt = +new Date()\n preAuthSession.status = IssueStatus.CREDENTIAL_ISSUED\n notification_id = preAuthSession.notification_id\n await this._credentialOfferSessions.set(issuerCorrelation.preAuthorizedCode, preAuthSession)\n } else if (issuerCorrelation.issuerState && authSession) {\n // If both were set we used the pre auth flow above as well, hence the else if\n authSession.lastUpdatedAt = +new Date()\n authSession.status = IssueStatus.CREDENTIAL_ISSUED\n notification_id = authSession.notification_id\n await this._credentialOfferSessions.set(issuerCorrelation.issuerState, authSession)\n }\n\n const response: CredentialResponse = {\n credentials: [{ credential: verifiableCredential }],\n // format: credentialRequest.format,\n c_nonce: newcNonce,\n c_nonce_expires_in: this._cNonceExpiresIn,\n ...(notification_id && { notification_id }),\n }\n // eslint-disable-next-line @typescript-eslint/ban-ts-comment\n // @ts-ignore\n const experimentalSubjectIssuance = opts.credentialRequest.credential_subject_issuance\n if (experimentalSubjectIssuance?.subject_proof_mode) {\n if (experimentalSubjectIssuance.subject_proof_mode !== 'proof_replace') {\n throw Error('Only proof replace is supported currently')\n }\n response.transaction_id = authSession?.issuerState\n response.credential_subject_issuance = experimentalSubjectIssuance\n }\n return response\n } catch (error: unknown) {\n await this.updateSession({ preAuthorizedCode: issuerCorrelation.preAuthorizedCode, issuerState: issuerCorrelation.issuerState, error })\n throw error\n }\n }\n\n private lookupCredentialFormat(credentialRequest: CredentialRequestV1_0_15): OID4VCICredentialFormat | undefined {\n let format: OID4VCICredentialFormat | undefined\n\n if ('credential_configuration_id' in credentialRequest && credentialRequest.credential_configuration_id) {\n const credentialConfig = this._issuerMetadata.credential_configurations_supported?.[credentialRequest.credential_configuration_id]\n format = credentialConfig?.format as OID4VCICredentialFormat\n } else if ('credential_identifier' in credentialRequest && credentialRequest.credential_identifier) {\n const credentialIdentifier: any = credentialRequest.credential_identifier\n const matchedConfig = Object.values(this._issuerMetadata.credential_configurations_supported || {}).find(\n (config) => credentialIdentifier === config.id || credentialIdentifier === config.vct,\n )\n\n return matchedConfig?.format as OID4VCICredentialFormat\n }\n return format\n }\n\n private async updateSession({\n preAuthorizedCode,\n error,\n issuerState,\n notification,\n }: {\n preAuthorizedCode?: string\n issuerState?: string\n error?: unknown\n notification?: NotificationRequest\n }) {\n let issueState: IssueStatus | undefined = undefined\n if (error) {\n issueState = IssueStatus.ERROR\n } else if (notification) {\n if (notification.event == 'credential_accepted') {\n issueState = IssueStatus.NOTIFICATION_CREDENTIAL_ACCEPTED\n } else if (notification.event == 'credential_deleted') {\n issueState = IssueStatus.NOTIFICATION_CREDENTIAL_DELETED\n } else if (notification.event == 'credential_failure') {\n issueState = IssueStatus.NOTIFICATION_CREDENTIAL_FAILURE\n }\n }\n\n if (preAuthorizedCode) {\n const preAuthSession = await this._credentialOfferSessions.get(preAuthorizedCode)\n if (preAuthSession) {\n preAuthSession.lastUpdatedAt = +new Date()\n if (issueState) {\n preAuthSession.status = issueState\n }\n if (error) {\n preAuthSession.error = error instanceof Error ? error.message : error?.toString()\n }\n preAuthSession.notification_id\n if (notification) {\n preAuthSession.notification = notification\n }\n await this._credentialOfferSessions.set(preAuthorizedCode, preAuthSession)\n }\n }\n if (issuerState) {\n const authSession = await this._credentialOfferSessions.get(issuerState)\n if (authSession) {\n authSession.lastUpdatedAt = +new Date()\n if (issueState) {\n authSession.status = issueState\n }\n if (error) {\n authSession.error = error instanceof Error ? error.message : error?.toString()\n }\n if (notification) {\n authSession.notification = notification\n }\n await this._credentialOfferSessions.set(issuerState, authSession)\n }\n }\n }\n\n /*\n private async retrieveGrantsAndCredentialOfferSession(id: string): Promise<{\n clientId?: string;\n grants?: Grant,\n session: CredentialOfferSession\n }> {\n const session: CredentialOfferSession | undefined = await this._credentialOfferSessions.getAsserted(id)\n const clientId = session?.clientId\n const grants = session?.credentialOffer?.credential_offer?.grants\n if (!grants?.authorization_code?.issuer_state && !grants?.[PRE_AUTH_GRANT_LITERAL]?.[PRE_AUTH_CODE_LITERAL]) {\n throw new Error(GRANTS_MUST_NOT_BE_UNDEFINED)\n }\n return { session, clientId, grants }\n }*/\n\n private async validateCredentialRequestProof({\n credentialRequest,\n issuerCorrelation,\n format,\n jwtVerifyCallback,\n tokenExpiresIn,\n }: {\n credentialRequest: CredentialRequest\n issuerCorrelation: IssuerCorrelation\n format?: OID4VCICredentialFormat\n tokenExpiresIn: number // expiration duration in seconds\n // grants?: Grant,\n clientId?: string\n jwtVerifyCallback?: JWTVerifyCallback\n }) {\n let issuerState: string | undefined\n\n const supportedIssuanceFormats = ['jwt_vc_json', 'jwt_vc_json-ld', 'dc+sd-jwt', 'ldp_vc', 'mso_mdoc']\n try {\n if (format && !supportedIssuanceFormats.includes(format)) {\n throw Error(`Format ${format} not supported yet`)\n }\n\n const verifyFn: JWTVerifyCallback | undefined = jwtVerifyCallback ?? this._jwtVerifyCallback\n if (typeof verifyFn !== 'function') {\n throw Error(JWT_VERIFY_CONFIG_ERROR)\n }\n\n const credReq = credentialRequest as CredentialRequestV1_0_15\n\n // Validate request structure (mutually exclusive)\n if (credReq.proof && credReq.proofs) {\n throw Error('Credential request may not contain both proof and proofs parameters')\n }\n\n // Normalize candidates into a single array of ProofOfPossession objects\n const proofCandidates: Array = []\n\n if (credReq.proof) {\n proofCandidates.push(credReq.proof)\n } else if (credReq.proofs) {\n // Handle \"proofs\": prioritize 'jwt' as it's the only fully supported type\n if (Array.isArray(credReq.proofs.jwt)) {\n // Map to ProofOfPossession objects, handling both string and object formats\n for (const jwtProof of credReq.proofs.jwt) {\n if (typeof jwtProof === 'string') {\n // Handle case where jwt array contains strings instead of ProofOfPossession objects\n proofCandidates.push({\n proof_type: 'jwt',\n jwt: jwtProof,\n })\n } else if (jwtProof && typeof jwtProof === 'object' && 'jwt' in jwtProof) {\n // Handle proper ProofOfPossession object\n proofCandidates.push(jwtProof)\n }\n }\n }\n\n // Check if there are no supported proofs found\n if (proofCandidates.length === 0) {\n const availableTypes = Object.keys(credReq.proofs).join(', ')\n throw Error(`No supported proof types found in request. Available: [${availableTypes}]`)\n }\n } else {\n throw Error('Proof of possession is required. No proof or proofs value present in credential request')\n }\n\n // Execute verification\n let jwtVerifyResult: JwtVerifyResult | undefined\n const validationErrors: string[] = []\n\n for (const proof of proofCandidates) {\n try {\n jwtVerifyResult = await verifyFn({ jwt: proof.jwt })\n break\n } catch (error) {\n const msg = error instanceof Error ? error.message : String(error)\n validationErrors.push(msg)\n }\n }\n\n // Check success\n if (!jwtVerifyResult) {\n throw Error(`Unable to verify any provided proofs. Errors: ${validationErrors.join('; ')}`)\n }\n\n const { didDocument, did, jwt } = jwtVerifyResult\n const { header, payload } = jwt\n const { iss, aud, iat, nonce } = payload\n const issuer_state =\n 'issuer_state' in credentialRequest && credentialRequest.issuer_state ? credentialRequest.issuer_state : issuerCorrelation.issuerState\n if (!nonce && !issuer_state) {\n throw Error('No nonce or issuer_state was found in the Proof of Possession')\n }\n\n let createdAt: number = +new Date()\n let cNonceState: CNonceState | undefined\n if (nonce) {\n cNonceState = await this.cNonces.getAsserted(nonce)\n createdAt = cNonceState.createdAt\n }\n if (issuer_state) {\n const session = await this._credentialOfferSessions.getAsserted(issuer_state as string)\n issuerState = issuer_state as string | undefined\n createdAt = session.createdAt\n }\n\n // The verify callback should set the correct values, but let's look at the JWT ourselves to to be sure\n const alg = jwtVerifyResult.alg ?? header.alg\n const kid = jwtVerifyResult.kid ?? header.kid\n const jwk = jwtVerifyResult.jwk ?? header.jwk\n const x5c = jwtVerifyResult.x5c ?? header.x5c\n const typ = header.typ\n\n if (typ !== 'openid4vci-proof+jwt') {\n throw Error(TYP_ERROR)\n } else if (!alg) {\n throw Error(ALG_ERROR)\n } else if (x5c && (kid || jwk)) {\n // x5c cannot be used together with kid or jwk\n throw Error(KID_JWK_X5C_ERROR)\n } else if (kid && !did) {\n if (!jwk && !x5c) {\n // Make sure the callback function extracts the DID from the kid\n throw Error(KID_DID_NO_DID_ERROR)\n } else {\n // If JWK or x5c is present, log the information and proceed\n console.log(`KID present but no DID, using JWK or x5c`)\n }\n } else if (did && !didDocument) {\n // Make sure the callback function does DID resolution when a did is present\n throw Error(DID_NO_DIDDOC_ERROR)\n }\n\n const preAuthSession = issuerCorrelation.preAuthorizedCode\n ? await this.credentialOfferSessions.get(issuerCorrelation.preAuthorizedCode)\n : undefined\n const authSession = issuerState ? await this.credentialOfferSessions.get(issuerState) : undefined\n if (!preAuthSession && !authSession) {\n throw Error('Either a pre-authorized code or issuer state needs to be present')\n }\n if (preAuthSession) {\n if (!preAuthSession.preAuthorizedCode || preAuthSession.preAuthorizedCode !== issuerCorrelation.preAuthorizedCode) {\n throw Error('Invalid pre-authorized code')\n }\n preAuthSession.lastUpdatedAt = +new Date()\n preAuthSession.status = IssueStatus.CREDENTIAL_REQUEST_RECEIVED\n await this._credentialOfferSessions.set(issuerCorrelation.preAuthorizedCode, preAuthSession)\n }\n if (authSession) {\n if (!authSession.issuerState || authSession.issuerState !== issuerState) {\n throw Error('Invalid issuer state')\n }\n authSession.lastUpdatedAt = +new Date()\n authSession.status = IssueStatus.CREDENTIAL_REQUEST_RECEIVED\n }\n\n // https://www.rfc-editor.org/rfc/rfc6749.html#section-3.2.1\n // A client MAY use the \"client_id\" request parameter to identify itself\n // when sending requests to the token endpoint. In the\n // \"authorization_code\" \"grant_type\" request to the token endpoint, an\n // unauthenticated client MUST send its \"client_id\" to prevent itself\n // from inadvertently accepting a code intended for a client with a\n // different \"client_id\". This protects the client from substitution of\n // the authentication code. (It provides no additional security for the\n // protected resource.)\n if (!iss && authSession?.credentialOffer.credential_offer?.grants?.authorization_code) {\n throw new Error(NO_ISS_IN_AUTHORIZATION_CODE_CONTEXT)\n }\n // iss: OPTIONAL (string). The value of this claim MUST be the client_id of the client making the credential request.\n // This claim MUST be omitted if the Access Token authorizing the issuance call was obtained from a Pre-Authorized Code Flow through anonymous access to the Token Endpoint.\n // TODO We need to investigate further what the comment above means, because it's not clear if the client or the user may be authorized anonymously\n // if (iss && grants && grants[PRE_AUTH_GRANT_LITERAL]) {\n // throw new Error(ISS_PRESENT_IN_PRE_AUTHORIZED_CODE_CONTEXT)\n // }\n /*if (iss && iss !== clientId) {\n throw new Error(ISS_MUST_BE_CLIENT_ID + `iss: ${iss}, client_id: ${clientId}`)\n }*/\n if (!aud || aud !== this._issuerMetadata.credential_issuer) {\n throw new Error(AUD_ERROR)\n }\n if (!iat) {\n throw new Error(IAT_ERROR)\n } else if (iat > Math.round(createdAt / 1000) + tokenExpiresIn) {\n // createdAt is in milliseconds whilst iat and tokenExpiresIn are in seconds\n throw new Error(IAT_ERROR)\n }\n // todo: Add a check of iat against current TS on server with a skew\n\n return { jwtVerifyResult, preAuthorizedCode: issuerCorrelation.preAuthorizedCode, preAuthSession, issuerState, authSession, cNonceState }\n } catch (error: unknown) {\n await this.updateSession({ preAuthorizedCode: issuerCorrelation.preAuthorizedCode, issuerState, error })\n throw error\n }\n }\n\n private async issueCredentialImpl(\n opts: {\n credentialRequest: CredentialRequest\n credential: CredentialIssuanceInput\n jwtVerifyResult: JwtVerifyResult\n format?: OID4VCICredentialFormat\n issuer?: string\n statusLists?: Array\n },\n issuerCallback?: CredentialSignerCallback,\n ): Promise {\n if ((!opts.credential && !opts.credentialRequest) || !this._credentialSignerCallback) {\n throw new Error(ISSUER_CONFIG_ERROR)\n }\n const credential = issuerCallback ? await issuerCallback(opts) : await this._credentialSignerCallback(opts)\n\n // TODO: Create builder\n EVENTS.emit(CredentialEventNames.OID4VCI_CREDENTIAL_ISSUED, {\n eventName: CredentialEventNames.OID4VCI_CREDENTIAL_ISSUED,\n id: uuidv4(),\n data: credential,\n // TODO: Format, request etc\n initiator: opts.issuer ?? '',\n initiatorType: InitiatorType.EXTERNAL,\n system: System.OID4VCI,\n subsystem: SubSystem.VC_ISSUER,\n })\n\n return credential\n }\n\n get credentialSignerCallback(): CredentialSignerCallback | undefined {\n return this._credentialSignerCallback\n }\n\n get jwtVerifyCallback(): JWTVerifyCallback | undefined {\n return this._jwtVerifyCallback\n }\n\n get credentialDataSupplier(): CredentialDataSupplier | undefined {\n return this._credentialDataSupplier\n }\n\n get uris(): IStateManager {\n return this._uris\n }\n\n get cNonceExpiresIn(): number {\n return this._cNonceExpiresIn\n }\n\n public get credentialOfferSessions(): IStateManager {\n return this._credentialOfferSessions\n }\n\n public get cNonces(): IStateManager {\n return this._cNonces\n }\n\n get defaultCredentialOfferBaseUri(): string | undefined {\n return this._defaultCredentialOfferBaseUri\n }\n\n public get issuerMetadata() {\n return this._issuerMetadata\n }\n\n // TODO SSISDK-87 create proper solution to update issuer metadata\n public set issuerMetadata(value: CredentialIssuerMetadataOptsV1_0_15) {\n this._issuerMetadata = value;\n }\n\n public get authorizationServerMetadata() {\n return this._authorizationServerMetadata\n }\n\n get asClientOpts() {\n return this._asClientOpts\n }\n}\n","import { uuidv4 } from '@sphereon/oid4vc-common'\nimport {\n AssertedUniformCredentialOffer,\n AuthorizationDetailsV1_0_15,\n CredentialIssuerMetadataOptsV1_0_15,\n CredentialOfferMode,\n CredentialOfferPayloadV1_0_15,\n CredentialOfferSession,\n CredentialOfferV1_0_15,\n Grant,\n GrantAuthorizationCode,\n GrantUrnIetf,\n IssuerMetadataV1_0_15,\n PIN_NOT_MATCH_ERROR,\n PRE_AUTH_GRANT_LITERAL,\n UniformCredentialOffer,\n} from '@sphereon/oid4vci-common'\n\nexport interface CredentialOfferGrantInput {\n authorization_code?: Partial\n [PRE_AUTH_GRANT_LITERAL]?: Partial\n 'urn:ietf:params:oauth:grant-type:pre-authorized_code'?: Partial // FIXME? Getting typscript errors when only PRE_AUTH_GRANT_LITERAL is there\n}\n\nfunction createCredentialOfferGrants(inputGrants?: CredentialOfferGrantInput) {\n // Grants is optional\n if (!inputGrants || Object.keys(inputGrants).length === 0) {\n return undefined\n }\n\n const grants: Grant = {}\n if (inputGrants?.[PRE_AUTH_GRANT_LITERAL]) {\n const grant = {\n ...inputGrants[PRE_AUTH_GRANT_LITERAL],\n 'pre-authorized_code': inputGrants[PRE_AUTH_GRANT_LITERAL]['pre-authorized_code'] ?? uuidv4(),\n }\n\n if (grant.tx_code && !grant.tx_code.length) {\n grant.tx_code.length = 4\n }\n\n grants[PRE_AUTH_GRANT_LITERAL] = grant\n }\n\n if (inputGrants?.authorization_code) {\n grants.authorization_code = {\n ...inputGrants.authorization_code,\n\n // TODO: it should be possible to create offer without issuer_state\n // this is added to avoid breaking changes.\n issuer_state: inputGrants.authorization_code.issuer_state ?? uuidv4(),\n }\n }\n\n return grants\n}\n\nfunction parseCredentialOfferSchemeAndBaseUri(scheme?: string, baseUri?: string, credentialIssuer?: string): { scheme: string; baseUri: string } {\n const newScheme = scheme?.replace('://', '') ?? (baseUri?.includes('://') ? baseUri.split('://')[0] : 'openid-credential-offer')\n let newBaseUri: string\n\n if (baseUri) {\n newBaseUri = baseUri\n } else if (newScheme.startsWith('http')) {\n if (credentialIssuer) {\n newBaseUri = credentialIssuer\n if (!newBaseUri.startsWith(`${newScheme}://`)) {\n throw Error(`scheme ${newScheme} is different from base uri ${newBaseUri}`)\n }\n } else {\n throw Error(`A '${newScheme}' scheme requires a URI to be present as baseUri`)\n }\n } else {\n newBaseUri = ''\n }\n newBaseUri = newBaseUri?.replace(`${newScheme}://`, '')\n\n return { scheme: newScheme, baseUri: newBaseUri }\n}\n\nexport function createCredentialOfferObject(\n issuerMetadata?: CredentialIssuerMetadataOptsV1_0_15,\n // todo: probably it's wise to create another builder for CredentialOfferPayload that will generate different kinds of CredentialOfferPayload\n opts?: {\n credentialOffer?: CredentialOfferPayloadV1_0_15\n credentialOfferUri?: string\n grants?: CredentialOfferGrantInput\n client_id?: string\n },\n): AssertedUniformCredentialOffer {\n if (!issuerMetadata && !opts?.credentialOffer && !opts?.credentialOfferUri) {\n throw new Error('You have to provide issuerMetadata or credentialOffer object for creating a deeplink')\n }\n\n const grants = createCredentialOfferGrants(opts?.grants)\n\n let credential_offer: CredentialOfferPayloadV1_0_15\n if (opts?.credentialOffer) {\n credential_offer = {\n ...opts.credentialOffer,\n }\n } else {\n if (!issuerMetadata?.credential_configurations_supported) {\n throw new Error('credential_configurations_supported is mandatory in the metadata')\n }\n credential_offer = {\n credential_issuer: issuerMetadata.credential_issuer,\n credential_configuration_ids: Object.keys(issuerMetadata.credential_configurations_supported),\n }\n }\n\n if (grants) {\n credential_offer.grants = grants\n }\n if (opts?.client_id) {\n credential_offer.client_id = opts.client_id\n }\n\n // todo: check payload against issuer metadata. Especially strings in the credentials array: When processing, the Wallet MUST resolve this string value to the respective object.\n return { credential_offer, credential_offer_uri: opts?.credentialOfferUri }\n}\n\nexport function createCredentialOfferURIFromObject(\n credentialOffer: CredentialOfferV1_0_15 | UniformCredentialOffer,\n offerMode: CredentialOfferMode,\n opts?: { scheme?: string; baseUri?: string },\n) {\n const { scheme, baseUri } = parseCredentialOfferSchemeAndBaseUri(opts?.scheme, opts?.baseUri, credentialOffer.credential_offer?.credential_issuer)\n\n if (offerMode === 'REFERENCE') {\n if (!credentialOffer.credential_offer_uri) {\n throw Error(`credential_offer_uri must be set for offerMode ${offerMode}`)\n }\n if (credentialOffer.credential_offer_uri.includes('credential_offer_uri=')) {\n // discard the scheme. Apparently a URI is set and it already contains the actual uri, so assume that takes priority\n return credentialOffer.credential_offer_uri\n }\n return `${scheme}://${baseUri}?credential_offer_uri=${encodeURIComponent(credentialOffer.credential_offer_uri)}`\n } else if (offerMode === 'VALUE') {\n return `${scheme}://${baseUri}?credential_offer=${encodeURIComponent(JSON.stringify(credentialOffer.credential_offer))}`\n }\n throw Error(`unsupported offerMode ${offerMode}`)\n}\n\nexport function createCredentialOfferURI(\n offerMode: CredentialOfferMode,\n issuerMetadata?: IssuerMetadataV1_0_15,\n // todo: probably it's wise to create another builder for CredentialOfferPayload that will generate different kinds of CredentialOfferPayload\n opts?: {\n credentialOffer?: CredentialOfferPayloadV1_0_15\n credentialOfferUri?: string\n scheme?: string\n baseUri?: string\n grants?: CredentialOfferGrantInput\n },\n): string {\n const credentialOffer = createCredentialOfferObject(issuerMetadata, opts)\n return createCredentialOfferURIFromObject(credentialOffer, offerMode, opts)\n}\n\nexport const isPreAuthorizedCodeExpired = (state: CredentialOfferSession, expirationDurationInSeconds: number) => {\n const now = +new Date()\n const expirationTime = state.createdAt + expirationDurationInSeconds * 1000\n return now >= expirationTime\n}\n\nexport const assertValidPinNumber = (pin?: string, pinLength?: number) => {\n if (pin && !RegExp(`[\\\\d\\\\D]{${pinLength ?? 6}}`).test(pin)) {\n throw Error(`${PIN_NOT_MATCH_ERROR}`)\n }\n}\n\n/**\n * Generates unique credential identifiers for authorization details\n * Each identifier represents a specific credential instance that can be issued\n */\nexport const generateCredentialIdentifiers = (authDetail: AuthorizationDetailsV1_0_15, session: CredentialOfferSession): string[] => {\n if (typeof authDetail === 'string') {\n return [uuidv4()]\n }\n\n const identifiers: string[] = []\n\n if (authDetail.credential_configuration_id) {\n const configId = authDetail.credential_configuration_id\n const hasConfig = session.credentialOffer.credential_offer.credential_configuration_ids?.includes(configId)\n\n if (hasConfig) {\n identifiers.push(`${configId}_${Date.now()}_${uuidv4()}`)\n }\n }\n\n if (identifiers.length === 0 && authDetail.format) {\n identifiers.push(`${authDetail.format}_${Date.now()}_${uuidv4()}`)\n }\n\n // Ultimate fallback\n if (identifiers.length === 0) {\n identifiers.push(uuidv4())\n }\n\n return identifiers\n}\n","import { decodeJwt, decodeProtectedHeader } from '@sphereon/oid4vc-common'\nimport { ClientMetadata, JWTHeader, JWTVerifyCallback, JwtVerifyResult } from '@sphereon/oid4vci-common'\nimport { oidcDiscoverIssuer, oidcGetClient } from '@sphereon/ssi-express-support'\n\nexport function oidcAccessTokenVerifyCallback(opts: {\n credentialIssuer: string\n authorizationServer: string\n clientMetadata?: ClientMetadata\n}): JWTVerifyCallback {\n const clientMetadata = opts.clientMetadata ?? { client_id: opts.credentialIssuer }\n\n return async (args: { jwt: string; kid?: string }): Promise => {\n const oidcIssuer = await oidcDiscoverIssuer({ issuerUrl: opts.authorizationServer })\n const oidcClient = await oidcGetClient(oidcIssuer.issuer, clientMetadata)\n const introspection = await oidcClient.introspect(args.jwt)\n if (!introspection.active) {\n return Promise.reject(Error('Access token is not active or invalid'))\n }\n const jwt = { header: decodeProtectedHeader(args.jwt) as JWTHeader, payload: decodeJwt(args.jwt) }\n\n return {\n jwt,\n alg: jwt.header.alg,\n ...(jwt.header.jwk && { jwk: jwt.header.jwk }),\n ...(jwt.header.x5c && { x5c: jwt.header.x5c }),\n ...(jwt.header.kid && { kid: jwt.header.kid }),\n // We could resolve the did document here if the kid is a VM\n }\n }\n}\n","import { IStateManager, STATE_MISSING_ERROR, StateType } from '@sphereon/oid4vci-common'\n\nexport class MemoryStates implements IStateManager {\n private readonly expiresInMS: number\n private readonly states: Map\n private cleanupIntervalId?: number | NodeJS.Timeout\n\n constructor(opts?: { expiresInSec?: number }) {\n this.expiresInMS = opts?.expiresInSec !== undefined ? opts?.expiresInSec * 1000 : 180000\n this.states = new Map()\n }\n\n async clearAll(): Promise {\n this.states.clear()\n }\n\n async clearExpired(timestamp?: number): Promise {\n const states = Array.from(this.states.entries())\n const ts = timestamp ?? +new Date()\n for (const [id, state] of states) {\n if (state.expiresAt && state.expiresAt < ts) {\n this.states.delete(id)\n } else if (!state.expiresAt) {\n // If there is no expiration set on the state itself, we will use the state manager expiresInMS value\n if (state.createdAt + this.expiresInMS < ts) {\n this.states.delete(id)\n }\n }\n }\n }\n\n async delete(id: string): Promise {\n if (!id) {\n throw Error('No id supplied')\n }\n return this.states.delete(id)\n }\n\n async getAsserted(id: string): Promise {\n if (!id) {\n throw Error('No id supplied')\n }\n let result: T | undefined\n if (await this.has(id)) {\n result = (await this.get(id)) as T\n }\n if (!result) {\n throw new Error(STATE_MISSING_ERROR + ` (${id})`)\n }\n return result\n }\n\n async get(id: string): Promise {\n return this.states.get(id)\n }\n\n async has(id: string): Promise {\n if (!id) {\n throw Error('No id supplied')\n }\n return this.states.has(id)\n }\n\n async set(id: string, stateValue: T): Promise {\n if (!id) {\n throw Error('No id supplied')\n }\n this.states.set(id, stateValue)\n }\n\n async startCleanupRoutine(timeout?: number): Promise {\n if (!this.cleanupIntervalId) {\n this.cleanupIntervalId = setInterval(() => this.clearExpired(), timeout ?? 30000)\n }\n }\n\n async stopCleanupRoutine(): Promise {\n if (this.cleanupIntervalId) {\n clearInterval(this.cleanupIntervalId)\n }\n }\n}\n","// noinspection ES6MissingAwait\n\nimport { IStateManager, StateType } from '@sphereon/oid4vci-common'\n\nexport async function lookupStateManagerMultiGetAsserted(args: {\n id: string\n lookups: string[]\n keyValueMapper: IStateManager\n valueStateManager: IStateManager\n}) {\n const value = await lookupStateManagerMultiGet(args)\n if (value) {\n return value\n }\n return Promise.reject(Error(`no value found for id ${args.id}`))\n}\nexport async function lookupStateManagerMultiGet({\n id,\n lookups,\n keyValueMapper,\n valueStateManager,\n}: {\n id: string\n lookups: string[]\n keyValueMapper: IStateManager\n valueStateManager: IStateManager\n}) {\n for (const lookup of lookups) {\n try {\n const value = await new LookupStateManager(keyValueMapper, valueStateManager, lookup).get(id)\n if (value) {\n return value\n }\n } catch (e) {\n // intentionally ignore the error\n }\n }\n return valueStateManager.get(id)\n}\n\nexport class LookupStateManager implements IStateManager {\n constructor(\n private keyValueMapper: IStateManager,\n private valueStateManager: IStateManager,\n private lookup: string,\n ) {}\n\n startCleanupRoutine(timeout?: number | undefined): Promise {\n this.keyValueMapper.startCleanupRoutine(timeout)\n return this.valueStateManager.startCleanupRoutine(timeout)\n }\n\n stopCleanupRoutine(): Promise {\n this.keyValueMapper.stopCleanupRoutine()\n return this.valueStateManager.stopCleanupRoutine()\n }\n\n async clearAll(): Promise {\n this.keyValueMapper.clearAll()\n this.valueStateManager.clearAll()\n }\n\n async clearExpired(timestamp?: number): Promise {\n this.keyValueMapper.clearExpired(timestamp)\n this.valueStateManager.clearExpired(timestamp)\n }\n\n private async assertedValueId(key: string): Promise {\n const prop = this.lookup\n const valueId = await this.keyValueMapper\n .getAsserted(key)\n // eslint-disable-next-line @typescript-eslint/ban-ts-comment\n // @ts-ignore\n .then((keyState) => (keyState && prop in keyState ? keyState[prop] : undefined))\n if (typeof valueId !== 'string') {\n throw Error('no value id could be derived for key' + key)\n }\n return valueId\n }\n\n private async valueId(key: string): Promise {\n const prop = this.lookup\n return (await this.keyValueMapper\n .get(key)\n // eslint-disable-next-line @typescript-eslint/ban-ts-comment\n // @ts-ignore\n .then((keyState) => (keyState && prop in keyState ? keyState[prop] : undefined))) as string\n }\n\n async delete(id: string): Promise {\n return await this.assertedValueId(id).then(async (value) => {\n await this.keyValueMapper.delete(id)\n return await this.valueStateManager.delete(value)\n })\n }\n\n async get(id: string): Promise {\n return this.valueId(id).then((value) => (value ? this.valueStateManager.get(value) : undefined))\n }\n\n async has(id: string): Promise {\n return this.valueId(id).then((value) => (value ? this.valueStateManager.has(value) : false))\n }\n\n // eslint-disable-next-line @typescript-eslint/no-unused-vars\n async set(_id: string, _stateValue: V): Promise {\n throw Error(`Please use the setMappedMethod that accepts both and id, value and object`)\n }\n\n async setMapped(valueKey: string, keyObject: K, stateValue: V): Promise {\n const keys = keyObject as any\n if (!(this.lookup in keys) || !keys[this.lookup]) {\n return Promise.reject(new Error(`keyValue ${keyObject} does not contain the lookup property ${this.lookup}`))\n }\n const key = keys[this.lookup]\n await this.keyValueMapper.set(key, keyObject)\n await this.valueStateManager.set(valueKey, stateValue)\n }\n\n async getAsserted(id: string): Promise {\n return this.assertedValueId(id).then((value) => this.valueStateManager.getAsserted(value))\n }\n}\n","import { AssertedUniformCredentialOffer, CredentialOfferSession } from '@sphereon/oid4vci-common'\n\nexport class CredentialOfferStateBuilder {\n private readonly credentialOfferState: Partial\n constructor() {\n this.credentialOfferState = {}\n }\n\n credentialOffer(credentialOffer: AssertedUniformCredentialOffer): CredentialOfferStateBuilder {\n this.credentialOfferState.credentialOffer = credentialOffer\n return this\n }\n\n createdAt(timestamp: number): CredentialOfferStateBuilder {\n this.credentialOfferState.createdAt = timestamp\n return this\n }\n\n build(): CredentialOfferSession {\n if (!this.credentialOfferState.createdAt) {\n this.credentialOfferState.createdAt = +new Date()\n }\n if (!this.credentialOfferState.credentialOffer) {\n throw new Error('Not all properties are present to build an IssuerState object')\n }\n return this.credentialOfferState as CredentialOfferSession\n }\n}\n","import { ImageInfo, MetadataDisplay } from '@sphereon/oid4vci-common'\n\nexport class DisplayBuilder {\n name?: string\n locale?: string\n additionalProperties: Record = {}\n\n logo?: ImageInfo\n backgroundColor?: string\n textColor?: string\n\n withName(name: string) {\n this.name = name\n return this\n }\n\n withLocale(locale: string) {\n this.locale = locale\n return this\n }\n\n withLogo(logo: ImageInfo) {\n if (logo) {\n if (!logo.uri) {\n throw Error(`logo without url will not work`)\n }\n }\n this.logo = logo\n return this\n }\n\n withBackgroundColor(backgroundColor: string) {\n this.backgroundColor = backgroundColor\n return this\n }\n\n withTextColor(textColor: string) {\n this.textColor = textColor\n return this\n }\n\n withAdditionalProperties(properties: Record) {\n this.additionalProperties = properties ?? {}\n return this\n }\n\n addAdditionalProperty(key: string, value: unknown) {\n this.additionalProperties[key] = value\n return this\n }\n\n build(): MetadataDisplay {\n return {\n ...this.additionalProperties,\n ...(this.name && { name: this.name }),\n ...(this.locale && { locale: this.locale }),\n ...(this.logo && { logo: this.logo }),\n ...(this.backgroundColor && { background_color: this.backgroundColor }),\n ...(this.textColor && { text_color: this.textColor }),\n }\n }\n}\n","import {\n BatchCredentialIssuance,\n CredentialConfigurationSupportedV1_0_15,\n IssuerMetadataV1_0_15,\n MetadataDisplay,\n ResponseEncryption,\n} from '@sphereon/oid4vci-common'\n\nimport { CredentialSupportedBuilderV1_15 } from './CredentialSupportedBuilderV1_15'\nimport { DisplayBuilder } from './DisplayBuilder'\n\nexport class IssuerMetadataBuilderV1_15 {\n credentialEndpoint?: string\n nonceEndpoint?: string // New in v15\n credentialIssuer?: string\n supportedBuilders: CredentialSupportedBuilderV1_15[] = []\n credentialConfigurationsSupported: Record = {}\n displayBuilders: DisplayBuilder[] = []\n display: MetadataDisplay[] = []\n batchCredentialIssuance?: BatchCredentialIssuance // Changed from batchCredentialEndpoint in v15\n authorizationServers?: string[]\n tokenEndpoint?: string\n authorizationChallengeEndpoint?: string\n credentialResponseEncryption?: ResponseEncryption\n signedMetadata?: string\n credentialIdentifiersSupported?: boolean\n\n // Removed withBatchCredentialEndpoint - replaced with batch issuance metadata\n public withBatchCredentialIssuance(batchCredentialIssuance: BatchCredentialIssuance) {\n this.batchCredentialIssuance = batchCredentialIssuance\n return this\n }\n\n public withAuthorizationServers(authorizationServers: string[]) {\n this.authorizationServers = authorizationServers\n return this\n }\n\n public withAuthorizationServer(authorizationServer: string) {\n if (this.authorizationServers === undefined) {\n this.authorizationServers = []\n }\n this.authorizationServers.push(authorizationServer)\n return this\n }\n\n public withAuthorizationChallengeEndpoint(authorizationChallengeEndpoint: string) {\n this.authorizationChallengeEndpoint = authorizationChallengeEndpoint\n return this\n }\n\n public withTokenEndpoint(tokenEndpoint: string) {\n this.tokenEndpoint = tokenEndpoint\n return this\n }\n\n public withCredentialEndpoint(credentialEndpoint: string): IssuerMetadataBuilderV1_15 {\n this.credentialEndpoint = credentialEndpoint\n return this\n }\n\n // New in v15: Nonce endpoint support\n public withNonceEndpoint(nonceEndpoint: string): IssuerMetadataBuilderV1_15 {\n this.nonceEndpoint = nonceEndpoint\n return this\n }\n\n public withCredentialIssuer(credentialIssuer: string): IssuerMetadataBuilderV1_15 {\n this.credentialIssuer = credentialIssuer\n return this\n }\n\n // New in v15: Credential response encryption support\n public withCredentialResponseEncryption(credentialResponseEncryption: ResponseEncryption): IssuerMetadataBuilderV1_15 {\n this.credentialResponseEncryption = credentialResponseEncryption\n return this\n }\n\n // New in v15: Signed metadata support\n public withSignedMetadata(signedMetadata: string): IssuerMetadataBuilderV1_15 {\n this.signedMetadata = signedMetadata\n return this\n }\n\n // New in v15: Credential identifiers support\n public withCredentialIdentifiersSupported(credentialIdentifiersSupported: boolean): IssuerMetadataBuilderV1_15 {\n this.credentialIdentifiersSupported = credentialIdentifiersSupported\n return this\n }\n\n public newSupportedCredentialBuilder(): CredentialSupportedBuilderV1_15 {\n const builder = new CredentialSupportedBuilderV1_15()\n this.addSupportedCredentialBuilder(builder)\n return builder\n }\n\n public addSupportedCredentialBuilder(supportedCredentialBuilder: CredentialSupportedBuilderV1_15) {\n this.supportedBuilders.push(supportedCredentialBuilder)\n return this\n }\n\n public addCredentialConfigurationsSupported(id: string, supportedCredential: CredentialConfigurationSupportedV1_0_15) {\n this.credentialConfigurationsSupported[id] = supportedCredential\n return this\n }\n\n public withIssuerDisplay(issuerDisplay: MetadataDisplay[] | MetadataDisplay): IssuerMetadataBuilderV1_15 {\n this.display = Array.isArray(issuerDisplay) ? issuerDisplay : [issuerDisplay]\n return this\n }\n\n public addDisplay(display: MetadataDisplay) {\n this.display.push(display)\n }\n\n public addDisplayBuilder(displayBuilder: DisplayBuilder) {\n this.displayBuilders.push(displayBuilder)\n }\n\n public newDisplayBuilder(): DisplayBuilder {\n const builder = new DisplayBuilder()\n this.addDisplayBuilder(builder)\n return builder\n }\n\n public build(): IssuerMetadataV1_0_15 {\n if (!this.credentialIssuer) {\n throw Error('No credential issuer supplied')\n } else if (!this.credentialEndpoint) {\n throw Error('No credential endpoint supplied')\n }\n const credential_configurations_supported: Record = this.credentialConfigurationsSupported\n const configurationsEntryList: Record[] = this.supportedBuilders.map((builder) =>\n builder.build(),\n )\n configurationsEntryList.forEach((configRecord) => {\n Object.keys(configRecord).forEach((key) => {\n credential_configurations_supported[key] = configRecord[key]\n })\n })\n if (Object.keys(credential_configurations_supported).length === 0) {\n throw Error('No supported credentials supplied')\n }\n\n const display: MetadataDisplay[] = []\n display.push(...this.display)\n display.push(...this.displayBuilders.map((builder) => builder.build()))\n\n const issuerMetadata: IssuerMetadataV1_0_15 = {\n credential_issuer: this.credentialIssuer,\n credential_endpoint: this.credentialEndpoint,\n credential_configurations_supported,\n ...(this.nonceEndpoint && { nonce_endpoint: this.nonceEndpoint }),\n ...(this.batchCredentialIssuance && { batch_credential_issuance: this.batchCredentialIssuance }),\n ...(this.authorizationServers && { authorization_servers: this.authorizationServers }),\n ...(this.tokenEndpoint && { token_endpoint: this.tokenEndpoint }),\n ...(this.authorizationChallengeEndpoint && { authorization_challenge_endpoint: this.authorizationChallengeEndpoint }),\n ...(this.credentialResponseEncryption && { credential_response_encryption: this.credentialResponseEncryption }),\n ...(this.signedMetadata && { signed_metadata: this.signedMetadata }),\n ...(this.credentialIdentifiersSupported !== undefined && { credential_identifiers_supported: this.credentialIdentifiersSupported }),\n ...(display.length > 0 && { display }),\n }\n\n return issuerMetadata\n }\n}\n","import { SigningAlgo } from '@sphereon/oid4vc-common'\nimport {\n AuthorizationServerMetadata,\n OAuthGrantType,\n OAuthResponseMode,\n OAuthResponseType,\n OAuthScope,\n PKCECodeChallengeMethod,\n RevocationEndpointAuthMethod,\n RevocationEndpointAuthSigningAlg,\n TokenEndpointAuthMethod,\n TokenEndpointAuthSigningAlg,\n} from '@sphereon/oid4vci-common'\n\nexport class AuthorizationServerMetadataBuilder {\n private metadata: Partial = {}\n\n public withIssuer(issuer: string): AuthorizationServerMetadataBuilder {\n this.metadata.issuer = issuer\n return this\n }\n\n public withAuthorizationEndpoint(endpoint: string): AuthorizationServerMetadataBuilder {\n this.metadata.authorization_endpoint = endpoint\n return this\n }\n\n public withAuthorizationChallengeEndpoint(endpoint: string): AuthorizationServerMetadataBuilder {\n this.metadata.authorization_challenge_endpoint = endpoint\n return this\n }\n\n public withTokenEndpoint(endpoint: string): AuthorizationServerMetadataBuilder {\n this.metadata.token_endpoint = endpoint\n return this\n }\n\n public withNonceEndpoint(endpoint: string): AuthorizationServerMetadataBuilder {\n this.metadata.nonce_endpoint = endpoint\n return this\n }\n\n public withTokenEndpointAuthMethodsSupported(methods: Array): AuthorizationServerMetadataBuilder {\n this.metadata.token_endpoint_auth_methods_supported = methods\n return this\n }\n\n public withTokenEndpointAuthSigningAlgValuesSupported(algs: Array): AuthorizationServerMetadataBuilder {\n this.metadata.token_endpoint_auth_signing_alg_values_supported = algs\n return this\n }\n\n public withRegistrationEndpoint(endpoint: string): AuthorizationServerMetadataBuilder {\n this.metadata.registration_endpoint = endpoint\n return this\n }\n\n public withScopesSupported(scopes: Array): AuthorizationServerMetadataBuilder {\n this.metadata.scopes_supported = scopes\n return this\n }\n\n public withResponseTypesSupported(types: Array): AuthorizationServerMetadataBuilder {\n this.metadata.response_types_supported = types\n return this\n }\n\n public withResponseModesSupported(modes: Array): AuthorizationServerMetadataBuilder {\n this.metadata.response_modes_supported = modes\n return this\n }\n\n public withGrantTypesSupported(types: Array): AuthorizationServerMetadataBuilder {\n this.metadata.grant_types_supported = types\n return this\n }\n\n public withServiceDocumentation(url: string): AuthorizationServerMetadataBuilder {\n this.metadata.service_documentation = url\n return this\n }\n\n public withUILocalesSupported(locales: string[]): AuthorizationServerMetadataBuilder {\n this.metadata.ui_locales_supported = locales\n return this\n }\n\n public withOpPolicyUri(uri: string): AuthorizationServerMetadataBuilder {\n this.metadata.op_policy_uri = uri\n return this\n }\n\n public withOpTosUri(uri: string): AuthorizationServerMetadataBuilder {\n this.metadata.op_tos_uri = uri\n return this\n }\n\n public withRevocationEndpoint(endpoint: string): AuthorizationServerMetadataBuilder {\n this.metadata.revocation_endpoint = endpoint\n return this\n }\n\n public withRevocationEndpointAuthMethodsSupported(methods: Array): AuthorizationServerMetadataBuilder {\n this.metadata.revocation_endpoint_auth_methods_supported = methods\n return this\n }\n\n public withRevocationEndpointAuthSigningAlgValuesSupported(algs: Array): AuthorizationServerMetadataBuilder {\n this.metadata.revocation_endpoint_auth_signing_alg_values_supported = algs\n return this\n }\n\n public withIntrospectionEndpoint(endpoint: string): AuthorizationServerMetadataBuilder {\n this.metadata.introspection_endpoint = endpoint\n return this\n }\n\n public withCodeChallengeMethodsSupported(methods: Array): AuthorizationServerMetadataBuilder {\n this.metadata.code_challenge_methods_supported = methods\n return this\n }\n\n public withPushedAuthorizationRequestEndpoint(endpoint: string): AuthorizationServerMetadataBuilder {\n this.metadata.pushed_authorization_request_endpoint = endpoint\n return this\n }\n\n public withRequirePushedAuthorizationRequests(required: boolean): AuthorizationServerMetadataBuilder {\n this.metadata.require_pushed_authorization_requests = required\n return this\n }\n\n public withPreAuthorizedGrantAnonymousAccessSupported(supported: boolean): AuthorizationServerMetadataBuilder {\n this.metadata['pre-authorized_grant_anonymous_access_supported'] = supported\n return this\n }\n\n public withDPoPSigningAlgValuesSupported(algs: (string | SigningAlgo)[]): AuthorizationServerMetadataBuilder {\n this.metadata.dpop_signing_alg_values_supported = algs\n return this\n }\n\n // OIDC specific methods\n public withFrontchannelLogoutSupported(supported: boolean): AuthorizationServerMetadataBuilder {\n this.metadata.frontchannel_logout_supported = supported\n return this\n }\n\n public withFrontchannelLogoutSessionSupported(supported: boolean): AuthorizationServerMetadataBuilder {\n this.metadata.frontchannel_logout_session_supported = supported\n return this\n }\n\n public withBackchannelLogoutSupported(supported: boolean): AuthorizationServerMetadataBuilder {\n this.metadata.backchannel_logout_supported = supported\n return this\n }\n\n public withBackchannelLogoutSessionSupported(supported: boolean): AuthorizationServerMetadataBuilder {\n this.metadata.backchannel_logout_session_supported = supported\n return this\n }\n\n public withUserinfoEndpoint(endpoint: string): AuthorizationServerMetadataBuilder {\n this.metadata.userinfo_endpoint = endpoint\n return this\n }\n\n public withCheckSessionIframe(url: string): AuthorizationServerMetadataBuilder {\n this.metadata.check_session_iframe = url\n return this\n }\n\n public withEndSessionEndpoint(endpoint: string): AuthorizationServerMetadataBuilder {\n this.metadata.end_session_endpoint = endpoint\n return this\n }\n\n public withAcrValuesSupported(values: string[]): AuthorizationServerMetadataBuilder {\n this.metadata.acr_values_supported = values\n return this\n }\n\n public withSubjectTypesSupported(types: string[]): AuthorizationServerMetadataBuilder {\n this.metadata.subject_types_supported = types\n return this\n }\n\n public withRequestObjectSigningAlgValuesSupported(algs: string[]): AuthorizationServerMetadataBuilder {\n this.metadata.request_object_signing_alg_values_supported = algs\n return this\n }\n\n public withDisplayValuesSupported(values: string[]): AuthorizationServerMetadataBuilder {\n this.metadata.display_values_supported = values\n return this\n }\n\n public withClaimTypesSupported(types: string[]): AuthorizationServerMetadataBuilder {\n this.metadata.claim_types_supported = types\n return this\n }\n\n public withClaimsSupported(claims: string[]): AuthorizationServerMetadataBuilder {\n this.metadata.claims_supported = claims\n return this\n }\n\n public withClaimsParameterSupported(supported: boolean): AuthorizationServerMetadataBuilder {\n this.metadata.claims_parameter_supported = supported\n return this\n }\n\n // VCI specific methods\n public withCredentialEndpoint(endpoint: string): AuthorizationServerMetadataBuilder {\n this.metadata.credential_endpoint = endpoint\n return this\n }\n\n public withDeferredCredentialEndpoint(endpoint: string): AuthorizationServerMetadataBuilder {\n this.metadata.deferred_credential_endpoint = endpoint\n return this\n }\n\n public build(): AuthorizationServerMetadata {\n if (!this.metadata.issuer) {\n throw new Error('Issuer is required')\n }\n\n if (!this.metadata.response_types_supported) {\n throw new Error('Response types supported is required')\n }\n\n return this.metadata as AuthorizationServerMetadata\n }\n}\n","import { calculateJwkThumbprint, JWK, uuidv4 } from '@sphereon/oid4vc-common'\nimport {\n AccessTokenRequest,\n AccessTokenResponse,\n Alg,\n AuthorizationRequest,\n CNonceState,\n CredentialOfferSession,\n EXPIRED_PRE_AUTHORIZED_CODE,\n GrantTypes,\n INVALID_PRE_AUTHORIZED_CODE,\n IssueStatus,\n IStateManager,\n Jwt,\n JWTSignerCallback,\n JWTVerifyCallback,\n PIN_NOT_MATCH_ERROR,\n PIN_VALIDATION_ERROR,\n PRE_AUTH_CODE_LITERAL,\n PRE_AUTHORIZED_CODE_REQUIRED_ERROR,\n TokenError,\n TokenErrorResponse,\n UNSUPPORTED_GRANT_TYPE_ERROR,\n USER_PIN_NOT_REQUIRED_ERROR,\n USER_PIN_REQUIRED_ERROR,\n USER_PIN_TX_CODE_SPEC_ERROR,\n} from '@sphereon/oid4vci-common'\n\nimport { generateCredentialIdentifiers, isPreAuthorizedCodeExpired } from '../functions'\n\nexport interface ITokenEndpointOpts {\n tokenEndpointDisabled?: boolean // Disable if used in an existing OAuth2/OIDC environment and have the AS handle tokens\n tokenPath?: string // token path can either be defined here, or will be deduced from issuer metadata\n interval?: number\n cNonceExpiresIn?: number\n tokenExpiresIn?: number\n preAuthorizedCodeExpirationDuration?: number\n accessTokenSignerCallback?: JWTSignerCallback\n accessTokenVerificationCallback?: JWTVerifyCallback\n accessTokenIssuer?: string\n accessTokenProvider?: AccessTokenProvider\n}\n\nexport type AccessTokenProvider = 'internal' | 'oidc' | 'oauth2'\n\nexport const generateAccessToken = async (\n opts: Required> & {\n additionalClaims?: Record\n preAuthorizedCode?: string\n alg?: Alg\n dPoPJwk?: JWK\n },\n): Promise => {\n const {\n dPoPJwk,\n accessTokenIssuer,\n alg,\n accessTokenSignerCallback,\n tokenExpiresIn,\n preAuthorizedCode,\n additionalClaims,\n accessTokenProvider = 'internal',\n } = opts\n // JWT uses seconds for iat and exp\n if (accessTokenProvider !== 'internal') {\n throw new TokenError(\n 400,\n TokenErrorResponse.invalid_request,\n `Access token provider ${accessTokenProvider} is an external access token provider. We cannot generate tokens ourselves in this case`,\n )\n }\n const iat = new Date().getTime() / 1000\n const exp = iat + tokenExpiresIn\n const cnf = dPoPJwk ? { cnf: { jkt: await calculateJwkThumbprint(dPoPJwk, 'sha256') } } : undefined\n const jwt: Jwt = {\n header: { typ: 'JWT', alg: alg ?? Alg.ES256 },\n payload: {\n iat,\n exp,\n iss: accessTokenIssuer,\n ...cnf,\n ...(preAuthorizedCode && { preAuthorizedCode }),\n // Protected resources simultaneously supporting both the DPoP and Bearer schemes need to update how the\n // evaluation process is performed for bearer tokens to prevent downgraded usage of a DPoP-bound access token.\n // Specifically, such a protected resource MUST reject a DPoP-bound access token received as a bearer token per [RFC6750].\n token_type: dPoPJwk ? 'DPoP' : 'Bearer',\n ...additionalClaims,\n },\n }\n return await accessTokenSignerCallback(jwt)\n}\n\nexport const isValidGrant = (assertedState: CredentialOfferSession, grantType: string): boolean => {\n if (assertedState.credentialOffer?.credential_offer?.grants) {\n // TODO implement authorization_code\n return (\n Object.keys(assertedState.credentialOffer?.credential_offer?.grants).includes(GrantTypes.PRE_AUTHORIZED_CODE) &&\n grantType === GrantTypes.PRE_AUTHORIZED_CODE\n )\n }\n return false\n}\n\nexport const assertValidAccessTokenRequest = async (\n request: AccessTokenRequest,\n opts: {\n credentialOfferSessions: IStateManager\n expirationDuration: number\n authRequestsData?: Map\n },\n) => {\n const { credentialOfferSessions, expirationDuration, authRequestsData } = opts\n\n // Handle authorization code flow\n if (request.grant_type === GrantTypes.AUTHORIZATION_CODE) {\n if (!request.code || !authRequestsData) {\n throw new TokenError(400, TokenErrorResponse.invalid_request, 'Authorization code required')\n }\n\n // Find the authorization request data by code\n // This is simplified - you'll need to implement proper code->request mapping\n const authRequestData: AuthorizationRequest | undefined = Array.from(authRequestsData.values()).find(\n (data) => data.authorization_code === request.code,\n )\n\n if (!authRequestData) {\n throw new TokenError(400, TokenErrorResponse.invalid_grant, 'Invalid authorization code')\n }\n\n // Create or update credential offer session with authorization_details\n const sessionId = request.code // or generate a proper session ID\n let credentialOfferSession = await credentialOfferSessions.get(sessionId)\n\n if (!credentialOfferSession) {\n // Create new session for authorization code flow\n credentialOfferSession = {\n createdAt: Date.now(),\n lastUpdatedAt: Date.now(),\n status: IssueStatus.ACCESS_TOKEN_REQUESTED,\n notification_id: uuidv4(),\n credentialOffer: {\n credential_offer: {\n credential_issuer: '', // Set appropriately\n credential_configuration_ids: [], // Set from authorization_details\n grants: {},\n },\n },\n authorizationDetails: authRequestData?.authorization_details,\n authorizationCode: request.code,\n }\n await credentialOfferSessions.set(sessionId, credentialOfferSession)\n } else {\n credentialOfferSession.authorizationDetails = authRequestData?.authorization_details\n credentialOfferSession.authorizationCode = request.code\n credentialOfferSession.status = IssueStatus.ACCESS_TOKEN_REQUESTED\n credentialOfferSession.lastUpdatedAt = Date.now()\n await credentialOfferSessions.set(sessionId, credentialOfferSession)\n }\n\n return { preAuthSession: credentialOfferSession }\n }\n\n // Handle pre-authorized code flow (existing logic)\n if (request.grant_type !== GrantTypes.PRE_AUTHORIZED_CODE) {\n throw new TokenError(400, TokenErrorResponse.invalid_grant, UNSUPPORTED_GRANT_TYPE_ERROR)\n }\n\n // Pre-auth flow\n if (!request[PRE_AUTH_CODE_LITERAL]) {\n throw new TokenError(400, TokenErrorResponse.invalid_request, PRE_AUTHORIZED_CODE_REQUIRED_ERROR)\n }\n\n const credentialOfferSession = await credentialOfferSessions.getAsserted(request[PRE_AUTH_CODE_LITERAL])\n credentialOfferSession.status = IssueStatus.ACCESS_TOKEN_REQUESTED\n credentialOfferSession.lastUpdatedAt = +new Date()\n await credentialOfferSessions.set(request[PRE_AUTH_CODE_LITERAL], credentialOfferSession)\n if (!isValidGrant(credentialOfferSession, request.grant_type)) {\n throw new TokenError(400, TokenErrorResponse.invalid_grant, UNSUPPORTED_GRANT_TYPE_ERROR)\n }\n\n /*\n invalid_request:\n the Authorization Server does not expect a PIN in the pre-authorized flow but the client provides a PIN\n */\n if (\n !credentialOfferSession.credentialOffer.credential_offer?.grants?.[GrantTypes.PRE_AUTHORIZED_CODE]?.tx_code &&\n request.tx_code &&\n !request.user_pin\n ) {\n // >= v13\n throw new TokenError(400, TokenErrorResponse.invalid_request, USER_PIN_NOT_REQUIRED_ERROR)\n } else if (\n !credentialOfferSession.credentialOffer.credential_offer?.grants?.[GrantTypes.PRE_AUTHORIZED_CODE]?.user_pin_required &&\n request.user_pin &&\n !request.tx_code\n ) {\n // <= v12\n throw new TokenError(400, TokenErrorResponse.invalid_request, USER_PIN_NOT_REQUIRED_ERROR)\n }\n /*\n invalid_request:\n the Authorization Server expects a PIN in the pre-authorized flow but the client does not provide a PIN\n */\n if (\n // >= v13\n !!credentialOfferSession.credentialOffer.credential_offer?.grants?.[GrantTypes.PRE_AUTHORIZED_CODE]?.tx_code &&\n !request.tx_code\n ) {\n if (request.user_pin) {\n throw new TokenError(400, TokenErrorResponse.invalid_request, USER_PIN_TX_CODE_SPEC_ERROR)\n }\n throw new TokenError(400, TokenErrorResponse.invalid_request, USER_PIN_REQUIRED_ERROR)\n } else if (\n // <= v12\n credentialOfferSession.credentialOffer.credential_offer?.grants?.[GrantTypes.PRE_AUTHORIZED_CODE]?.user_pin_required &&\n !credentialOfferSession.credentialOffer.credential_offer?.grants?.[GrantTypes.PRE_AUTHORIZED_CODE]?.tx_code &&\n !request.user_pin\n ) {\n if (request.tx_code) {\n throw new TokenError(400, TokenErrorResponse.invalid_request, USER_PIN_TX_CODE_SPEC_ERROR)\n }\n throw new TokenError(400, TokenErrorResponse.invalid_request, USER_PIN_REQUIRED_ERROR)\n }\n\n if (isPreAuthorizedCodeExpired(credentialOfferSession, expirationDuration)) {\n throw new TokenError(400, TokenErrorResponse.invalid_grant, EXPIRED_PRE_AUTHORIZED_CODE)\n } else if (\n request[PRE_AUTH_CODE_LITERAL] !==\n credentialOfferSession.credentialOffer?.credential_offer?.grants?.[GrantTypes.PRE_AUTHORIZED_CODE]?.[PRE_AUTH_CODE_LITERAL]\n ) {\n throw new TokenError(400, TokenErrorResponse.invalid_grant, INVALID_PRE_AUTHORIZED_CODE)\n }\n /*\n invalid_grant:\n the Authorization Server expects a PIN in the pre-authorized flow but the client provides the wrong PIN\n the End-User provides the wrong Pre-Authorized Code or the Pre-Authorized Code has expired\n */\n if (request.tx_code) {\n const txCodeOffer = credentialOfferSession.credentialOffer.credential_offer?.grants?.[GrantTypes.PRE_AUTHORIZED_CODE]?.tx_code\n if (!txCodeOffer) {\n throw new TokenError(400, TokenErrorResponse.invalid_request, USER_PIN_NOT_REQUIRED_ERROR)\n } else if (txCodeOffer.input_mode === 'text') {\n if (!RegExp(`[\\\\D]{${txCodeOffer.length}`).test(request.tx_code)) {\n throw new TokenError(400, TokenErrorResponse.invalid_grant, `${PIN_VALIDATION_ERROR} ${txCodeOffer.length}`)\n }\n } else {\n if (!RegExp(`[\\\\d]{${txCodeOffer.length}}`).test(request.tx_code)) {\n throw new TokenError(400, TokenErrorResponse.invalid_grant, `${PIN_VALIDATION_ERROR} ${txCodeOffer.length}`)\n }\n }\n if (request.tx_code !== credentialOfferSession.txCode) {\n throw new TokenError(400, TokenErrorResponse.invalid_grant, PIN_NOT_MATCH_ERROR)\n }\n } else if (request.user_pin) {\n if (!/[\\\\d]{1,8}/.test(request.user_pin)) {\n throw new TokenError(400, TokenErrorResponse.invalid_grant, `${PIN_VALIDATION_ERROR} 1-8`)\n } else if (request.user_pin !== credentialOfferSession.txCode) {\n throw new TokenError(400, TokenErrorResponse.invalid_grant, PIN_NOT_MATCH_ERROR)\n }\n }\n\n return { preAuthSession: credentialOfferSession }\n}\n\nexport const createAccessTokenResponse = async (\n request: AccessTokenRequest,\n opts: {\n credentialOfferSessions: IStateManager\n cNonces: IStateManager\n cNonce?: string\n cNonceExpiresIn?: number // expiration in seconds\n tokenExpiresIn: number // expiration in seconds\n // preAuthorizedCodeExpirationDuration?: number\n accessTokenSignerCallback: JWTSignerCallback\n accessTokenIssuer: string\n accessTokenProvider?: AccessTokenProvider\n interval?: number\n dPoPJwk?: JWK\n },\n) => {\n const {\n dPoPJwk,\n credentialOfferSessions,\n cNonces,\n cNonceExpiresIn,\n tokenExpiresIn,\n accessTokenIssuer,\n accessTokenSignerCallback,\n interval,\n accessTokenProvider = 'internal',\n } = opts\n\n let sessionKey: string\n let credentialOfferSession: CredentialOfferSession\n\n if (request.grant_type === GrantTypes.AUTHORIZATION_CODE) {\n sessionKey = request.code!\n credentialOfferSession = await credentialOfferSessions.getAsserted(sessionKey)\n } else {\n sessionKey = request[PRE_AUTH_CODE_LITERAL] as string\n credentialOfferSession = await credentialOfferSessions.getAsserted(sessionKey)\n }\n\n const cNonce = opts.cNonce ?? uuidv4()\n await cNonces.set(cNonce, { cNonce, createdAt: +new Date() })\n\n const access_token = await generateAccessToken({\n tokenExpiresIn,\n accessTokenSignerCallback,\n preAuthorizedCode: sessionKey,\n accessTokenIssuer,\n dPoPJwk,\n accessTokenProvider,\n })\n\n credentialOfferSession.status = IssueStatus.ACCESS_TOKEN_CREATED\n credentialOfferSession.lastUpdatedAt = +new Date()\n\n const response: AccessTokenResponse = {\n access_token,\n token_type: dPoPJwk ? 'DPoP' : 'bearer',\n expires_in: tokenExpiresIn,\n c_nonce: cNonce,\n c_nonce_expires_in: cNonceExpiresIn,\n interval,\n ...(credentialOfferSession.authorizationDetails && {\n authorization_details: credentialOfferSession.authorizationDetails.map((detail) => {\n if (typeof detail === 'string') {\n return detail\n }\n return {\n ...detail,\n credential_identifiers: generateCredentialIdentifiers(detail, credentialOfferSession),\n }\n }),\n }),\n }\n await credentialOfferSessions.set(sessionKey, credentialOfferSession)\n return response\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,IAAAA,yBAA4B;;;ACA5B,4BAWO;AAEA,IAAMC,kCAAN,MAAMA;EAbb,OAaaA;;;EACXC;EACAC;EACAC;EACAC;EACAC;EACAC;EACAC;EACAC;EACAC;EACAC;EACAC;EAEAC,WAAWC,kBAA4E;AACrF,SAAKZ,SAASY;AACd,WAAO;EACT;EAEAC,mBAAmBX,gBAAyD;AAC1E,SAAKA,iBAAiBA;AACtB,WAAO;EACT;EAEAY,yBACEX,sBACiC;AACjC,QAAI,CAACA,qBAAqBY,MAAM;AAC9B,YAAM,IAAIC,MAAM,kDAAA;IAClB;AACA,SAAKb,uBAAuBA;AAC5B,WAAO;EACT;EAEAc,UAAUhB,OAAgD;AACxD,SAAKA,QAAQA;AACb,WAAO;EACT;;EAGAiB,QAAQT,KAA8C;AACpD,SAAKA,MAAMA;AACX,WAAO;EACT;;EAGAU,YAAYT,SAAkD;AAC5D,SAAKA,UAAUA;AACf,WAAO;EACT;EAEAU,8BAA8BC,QAA4D;AACxF,QAAI,CAACC,MAAMC,QAAQF,MAAAA,GAAS;AAC1B,WAAKjB,uCAAuC,KAAKA,uCAC7C;WAAI,KAAKA;QAAsCiB;UAC/C;QAACA;;IACP,OAAO;AACL,WAAKjB,uCAAuC,KAAKA,uCAC7C;WAAI,KAAKA;WAAyCiB;UAClDA;IACN;AACA,WAAO;EACT;EAEAG,+BAA+BH,QAA4D;AACzF,SAAKjB,uCAAuCkB,MAAMC,QAAQF,MAAAA,IAAUA,SAAS;MAACA;;AAC9E,WAAO;EACT;EAEAI,uCAAuCC,WAA+D;AACpG,QAAI,CAACJ,MAAMC,QAAQG,SAAAA,GAAY;AAC7B,WAAKrB,sCAAsC,KAAKA,sCAC5C;WAAI,KAAKA;QAAqCqB;UAC9C;QAACA;;IACP,OAAO;AACL,WAAKrB,sCAAsC,KAAKA,sCAC5C;WAAI,KAAKA;WAAwCqB;UACjDA;IACN;AACA,WAAO;EACT;EAEAC,wCAAwCD,WAA+D;AACrG,SAAKrB,sCAAsCiB,MAAMC,QAAQG,SAAAA,IAAaA,YAAY;MAACA;;AACnF,WAAO;EACT;EAEAE,uBAAuBC,cAA4BC,WAAuD;AACxG,QAAI,CAAC,KAAKxB,qBAAqB;AAC7B,WAAKA,sBAAsB,CAAC;IAC9B;AACA,SAAKA,oBAAoBuB,YAAAA,IAAgBC;AACzC,WAAO;EACT;EAEAC,wBAAwBzB,qBAA2E;AACjG,SAAKA,sBAAsBA;AAC3B,WAAO;EACT;EAEA0B,8BAA8BC,mBAAiH;AAC7I,QAAI,CAACX,MAAMC,QAAQU,iBAAAA,GAAoB;AACrC,WAAK1B,UAAU,KAAKA,UAAU;WAAI,KAAKA;QAAS0B;UAAqB;QAACA;;IACxE,OAAO;AACL,WAAK1B,UAAU,KAAKA,UAAU;WAAI,KAAKA;WAAY0B;UAAqBA;IAC1E;AACA,WAAO;EACT;EAEAC,+BAA+BD,mBAAiH;AAC9I,SAAK1B,UAAUe,MAAMC,QAAQU,iBAAAA,IAAqBA,oBAAoB;MAACA;;AACvE,WAAO;EACT;;EAGAE,WAAW3B,QAAqE;AAC9E,SAAKA,SAASA;AACd,WAAO;EACT;EAEA4B,SAASC,OAAkE;AACzE,QAAI,CAAC,KAAK7B,QAAQ;AAChB,WAAKA,SAAS,CAAA;IAChB;AACA,SAAKA,OAAO8B,KAAKD,KAAAA;AACjB,WAAO;EACT;EAEOE,QAAiE;AACtE,QAAI,CAAC,KAAKvC,QAAQ;AAChB,YAAM,IAAIgB,MAAMwB,yCAAmBC,eAAe;IACpD;AAEA,UAAMC,sBAA+D;MACnE1C,QAAQ,KAAKA;IACf;AAEA,QAAI,CAAC,KAAKE,gBAAgB;AACxB,YAAM,IAAIc,MAAM,sCAAA;IAClB;AAGA,QAAI,KAAKhB,WAAW,aAAa;AAC/B,UAAI,CAAC,KAAKS,KAAK;AACb,cAAM,IAAIO,MAAM,sCAAA;MAClB;;AACE0B,0BAA4BjC,MAAM,KAAKA;IAC3C,WAAW,KAAKT,WAAW,YAAY;AACrC,UAAI,CAAC,KAAKU,SAAS;AACjB,cAAM,IAAIM,MAAM,yCAAA;MAClB;;AACE0B,0BAA4BhC,UAAU,KAAKA;IAC/C,OAAO;AACL,UAAI,CAAC,KAAKP,sBAAsB;AAC9B,cAAM,IAAIa,MAAM,kCAAA;MAClB;AACA0B,0BAAoBC,wBAAwB,KAAKxC;IACnD;AAEA,QAAI,KAAKF,OAAO;AACdyC,0BAAoBzC,QAAQ,KAAKA;IACnC;AACA,QAAI,KAAKI,qCAAqC;AAC5CqC,0BAAoBE,0CAA0C,KAAKvC;IACrE;AACA,QAAI,KAAKD,sCAAsC;AAC7CsC,0BAAoBG,0CAA0C,KAAKzC;IACrE;AACA,QAAI,KAAKG,SAAS;AAChBmC,0BAAoBnC,UAAU,KAAKA;IACrC;AACA,QAAI,KAAKC,QAAQ;;AACbkC,0BAA4BlC,SAAS,KAAKA;IAC9C;AAEA,UAAMsC,yBAAkF,CAAC;AACzFA,2BAAuB,KAAK5C,cAAc,IAAIwC;AAE9C,WAAOI;EACT;AACF;;;AChMA,IAAAC,yBAgBO;;;AChBP,IAAAC,wBAAuB;AACvB,IAAAC,yBA2CO;AACP,uBAA4G;AAC5G,wBAAsB;;;AC9CtB,2BAAuB;AACvB,IAAAC,yBAeO;AAQP,SAASC,4BAA4BC,aAAuC;AAE1E,MAAI,CAACA,eAAeC,OAAOC,KAAKF,WAAAA,EAAaG,WAAW,GAAG;AACzD,WAAOC;EACT;AAEA,QAAMC,SAAgB,CAAC;AACvB,MAAIL,cAAcM,6CAAAA,GAAyB;AACzC,UAAMC,QAAQ;MACZ,GAAGP,YAAYM,6CAAAA;MACf,uBAAuBN,YAAYM,6CAAAA,EAAwB,qBAAA,SAA0BE,6BAAAA;IACvF;AAEA,QAAID,MAAME,WAAW,CAACF,MAAME,QAAQN,QAAQ;AAC1CI,YAAME,QAAQN,SAAS;IACzB;AAEAE,WAAOC,6CAAAA,IAA0BC;EACnC;AAEA,MAAIP,aAAaU,oBAAoB;AACnCL,WAAOK,qBAAqB;MAC1B,GAAGV,YAAYU;;;MAIfC,cAAcX,YAAYU,mBAAmBC,oBAAgBH,6BAAAA;IAC/D;EACF;AAEA,SAAOH;AACT;AA/BSN;AAiCT,SAASa,qCAAqCC,QAAiBC,SAAkBC,kBAAyB;AACxG,QAAMC,YAAYH,QAAQI,QAAQ,OAAO,EAAA,MAAQH,SAASI,SAAS,KAAA,IAASJ,QAAQK,MAAM,KAAA,EAAO,CAAA,IAAK;AACtG,MAAIC;AAEJ,MAAIN,SAAS;AACXM,iBAAaN;EACf,WAAWE,UAAUK,WAAW,MAAA,GAAS;AACvC,QAAIN,kBAAkB;AACpBK,mBAAaL;AACb,UAAI,CAACK,WAAWC,WAAW,GAAGL,SAAAA,KAAc,GAAG;AAC7C,cAAMM,MAAM,UAAUN,SAAAA,+BAAwCI,UAAAA,EAAY;MAC5E;IACF,OAAO;AACL,YAAME,MAAM,MAAMN,SAAAA,kDAA2D;IAC/E;EACF,OAAO;AACLI,iBAAa;EACf;AACAA,eAAaA,YAAYH,QAAQ,GAAGD,SAAAA,OAAgB,EAAA;AAEpD,SAAO;IAAEH,QAAQG;IAAWF,SAASM;EAAW;AAClD;AArBSR;AAuBF,SAASW,4BACdC,gBAEAC,MAKC;AAED,MAAI,CAACD,kBAAkB,CAACC,MAAMC,mBAAmB,CAACD,MAAME,oBAAoB;AAC1E,UAAM,IAAIL,MAAM,sFAAA;EAClB;AAEA,QAAMjB,SAASN,4BAA4B0B,MAAMpB,MAAAA;AAEjD,MAAIuB;AACJ,MAAIH,MAAMC,iBAAiB;AACzBE,uBAAmB;MACjB,GAAGH,KAAKC;IACV;EACF,OAAO;AACL,QAAI,CAACF,gBAAgBK,qCAAqC;AACxD,YAAM,IAAIP,MAAM,kEAAA;IAClB;AACAM,uBAAmB;MACjBE,mBAAmBN,eAAeM;MAClCC,8BAA8B9B,OAAOC,KAAKsB,eAAeK,mCAAmC;IAC9F;EACF;AAEA,MAAIxB,QAAQ;AACVuB,qBAAiBvB,SAASA;EAC5B;AACA,MAAIoB,MAAMO,WAAW;AACnBJ,qBAAiBI,YAAYP,KAAKO;EACpC;AAGA,SAAO;IAAEJ;IAAkBK,sBAAsBR,MAAME;EAAmB;AAC5E;AAxCgBJ;AA0CT,SAASW,mCACdR,iBACAS,WACAV,MAA4C;AAE5C,QAAM,EAAEZ,QAAQC,QAAO,IAAKF,qCAAqCa,MAAMZ,QAAQY,MAAMX,SAASY,gBAAgBE,kBAAkBE,iBAAAA;AAEhI,MAAIK,cAAc,aAAa;AAC7B,QAAI,CAACT,gBAAgBO,sBAAsB;AACzC,YAAMX,MAAM,kDAAkDa,SAAAA,EAAW;IAC3E;AACA,QAAIT,gBAAgBO,qBAAqBf,SAAS,uBAAA,GAA0B;AAE1E,aAAOQ,gBAAgBO;IACzB;AACA,WAAO,GAAGpB,MAAAA,MAAYC,OAAAA,yBAAgCsB,mBAAmBV,gBAAgBO,oBAAoB,CAAA;EAC/G,WAAWE,cAAc,SAAS;AAChC,WAAO,GAAGtB,MAAAA,MAAYC,OAAAA,qBAA4BsB,mBAAmBC,KAAKC,UAAUZ,gBAAgBE,gBAAgB,CAAA,CAAA;EACtH;AACA,QAAMN,MAAM,yBAAyBa,SAAAA,EAAW;AAClD;AApBgBD;AAsBT,SAASK,yBACdJ,WACAX,gBAEAC,MAMC;AAED,QAAMC,kBAAkBH,4BAA4BC,gBAAgBC,IAAAA;AACpE,SAAOS,mCAAmCR,iBAAiBS,WAAWV,IAAAA;AACxE;AAdgBc;AAgBT,IAAMC,6BAA6B,wBAACC,OAA+BC,gCAAAA;AACxE,QAAMC,MAAM,CAAC,oBAAIC,KAAAA;AACjB,QAAMC,iBAAiBJ,MAAMK,YAAYJ,8BAA8B;AACvE,SAAOC,OAAOE;AAChB,GAJ0C;AAMnC,IAAME,uBAAuB,wBAACC,KAAcC,cAAAA;AACjD,MAAID,OAAO,CAACE,OAAO,YAAYD,aAAa,CAAA,GAAI,EAAEE,KAAKH,GAAAA,GAAM;AAC3D,UAAM1B,MAAM,GAAG8B,0CAAAA,EAAqB;EACtC;AACF,GAJoC;AAU7B,IAAMC,gCAAgC,wBAACC,YAAyCC,YAAAA;AACrF,MAAI,OAAOD,eAAe,UAAU;AAClC,WAAO;UAAC9C,6BAAAA;;EACV;AAEA,QAAMgD,cAAwB,CAAA;AAE9B,MAAIF,WAAWG,6BAA6B;AAC1C,UAAMC,WAAWJ,WAAWG;AAC5B,UAAME,YAAYJ,QAAQ7B,gBAAgBE,iBAAiBG,8BAA8Bb,SAASwC,QAAAA;AAElG,QAAIC,WAAW;AACbH,kBAAYI,KAAK,GAAGF,QAAAA,IAAYd,KAAKD,IAAG,CAAA,QAAMnC,6BAAAA,CAAAA,EAAU;IAC1D;EACF;AAEA,MAAIgD,YAAYrD,WAAW,KAAKmD,WAAWO,QAAQ;AACjDL,gBAAYI,KAAK,GAAGN,WAAWO,MAAM,IAAIjB,KAAKD,IAAG,CAAA,QAAMnC,6BAAAA,CAAAA,EAAU;EACnE;AAGA,MAAIgD,YAAYrD,WAAW,GAAG;AAC5BqD,gBAAYI,SAAKpD,6BAAAA,CAAAA;EACnB;AAEA,SAAOgD;AACT,GA1B6C;;;AChL7C,IAAAM,wBAAiD;AAEjD,iCAAkD;AAE3C,SAASC,8BAA8BC,MAI7C;AACC,QAAMC,iBAAiBD,KAAKC,kBAAkB;IAAEC,WAAWF,KAAKG;EAAiB;AAEjF,SAAO,OAAOC,SAAAA;AACZ,UAAMC,aAAa,UAAMC,+CAAmB;MAAEC,WAAWP,KAAKQ;IAAoB,CAAA;AAClF,UAAMC,aAAa,UAAMC,0CAAcL,WAAWM,QAAQV,cAAAA;AAC1D,UAAMW,gBAAgB,MAAMH,WAAWI,WAAWT,KAAKU,GAAG;AAC1D,QAAI,CAACF,cAAcG,QAAQ;AACzB,aAAOC,QAAQC,OAAOC,MAAM,uCAAA,CAAA;IAC9B;AACA,UAAMJ,MAAM;MAAEK,YAAQC,6CAAsBhB,KAAKU,GAAG;MAAgBO,aAASC,iCAAUlB,KAAKU,GAAG;IAAE;AAEjG,WAAO;MACLA;MACAS,KAAKT,IAAIK,OAAOI;MAChB,GAAIT,IAAIK,OAAOK,OAAO;QAAEA,KAAKV,IAAIK,OAAOK;MAAI;MAC5C,GAAIV,IAAIK,OAAOM,OAAO;QAAEA,KAAKX,IAAIK,OAAOM;MAAI;MAC5C,GAAIX,IAAIK,OAAOO,OAAO;QAAEA,KAAKZ,IAAIK,OAAOO;MAAI;IAE9C;EACF;AACF;AAzBgB3B;;;ACJhB,IAAA4B,yBAA8D;AAEvD,IAAMC,eAAN,MAAMA;EAFb,OAEaA;;;EACMC;EACAC;EACTC;EAER,YAAYC,MAAkC;AAC5C,SAAKH,cAAcG,MAAMC,iBAAiBC,SAAYF,MAAMC,eAAe,MAAO;AAClF,SAAKH,SAAS,oBAAIK,IAAAA;EACpB;EAEA,MAAMC,WAA0B;AAC9B,SAAKN,OAAOO,MAAK;EACnB;EAEA,MAAMC,aAAaC,WAAmC;AACpD,UAAMT,SAASU,MAAMC,KAAK,KAAKX,OAAOY,QAAO,CAAA;AAC7C,UAAMC,KAAKJ,aAAa,CAAC,oBAAIK,KAAAA;AAC7B,eAAW,CAACC,IAAIC,KAAAA,KAAUhB,QAAQ;AAChC,UAAIgB,MAAMC,aAAaD,MAAMC,YAAYJ,IAAI;AAC3C,aAAKb,OAAOkB,OAAOH,EAAAA;MACrB,WAAW,CAACC,MAAMC,WAAW;AAE3B,YAAID,MAAMG,YAAY,KAAKpB,cAAcc,IAAI;AAC3C,eAAKb,OAAOkB,OAAOH,EAAAA;QACrB;MACF;IACF;EACF;EAEA,MAAMG,OAAOH,IAA8B;AACzC,QAAI,CAACA,IAAI;AACP,YAAMK,MAAM,gBAAA;IACd;AACA,WAAO,KAAKpB,OAAOkB,OAAOH,EAAAA;EAC5B;EAEA,MAAMM,YAAYN,IAAwB;AACxC,QAAI,CAACA,IAAI;AACP,YAAMK,MAAM,gBAAA;IACd;AACA,QAAIE;AACJ,QAAI,MAAM,KAAKC,IAAIR,EAAAA,GAAK;AACtBO,eAAU,MAAM,KAAKE,IAAIT,EAAAA;IAC3B;AACA,QAAI,CAACO,QAAQ;AACX,YAAM,IAAIF,MAAMK,6CAAsB,KAAKV,EAAAA,GAAK;IAClD;AACA,WAAOO;EACT;EAEA,MAAME,IAAIT,IAAoC;AAC5C,WAAO,KAAKf,OAAOwB,IAAIT,EAAAA;EACzB;EAEA,MAAMQ,IAAIR,IAA8B;AACtC,QAAI,CAACA,IAAI;AACP,YAAMK,MAAM,gBAAA;IACd;AACA,WAAO,KAAKpB,OAAOuB,IAAIR,EAAAA;EACzB;EAEA,MAAMW,IAAIX,IAAYY,YAA8B;AAClD,QAAI,CAACZ,IAAI;AACP,YAAMK,MAAM,gBAAA;IACd;AACA,SAAKpB,OAAO0B,IAAIX,IAAIY,UAAAA;EACtB;EAEA,MAAMC,oBAAoBC,SAAiC;AACzD,QAAI,CAAC,KAAK5B,mBAAmB;AAC3B,WAAKA,oBAAoB6B,YAAY,MAAM,KAAKtB,aAAY,GAAIqB,WAAW,GAAA;IAC7E;EACF;EAEA,MAAME,qBAAoC;AACxC,QAAI,KAAK9B,mBAAmB;AAC1B+B,oBAAc,KAAK/B,iBAAiB;IACtC;EACF;AACF;;;AC7EA,eAAsBgC,mCAA6EC,MAKlG;AACC,QAAMC,QAAQ,MAAMC,2BAA2BF,IAAAA;AAC/C,MAAIC,OAAO;AACT,WAAOA;EACT;AACA,SAAOE,QAAQC,OAAOC,MAAM,yBAAyBL,KAAKM,EAAE,EAAE,CAAA;AAChE;AAXsBP;AAYtB,eAAsBG,2BAAqE,EACzFI,IACAC,SACAC,gBACAC,kBAAiB,GAMlB;AACC,aAAWC,UAAUH,SAAS;AAC5B,QAAI;AACF,YAAMN,QAAQ,MAAM,IAAIU,mBAAmBH,gBAAgBC,mBAAmBC,MAAAA,EAAQE,IAAIN,EAAAA;AAC1F,UAAIL,OAAO;AACT,eAAOA;MACT;IACF,SAASY,GAAG;IAEZ;EACF;AACA,SAAOJ,kBAAkBG,IAAIN,EAAAA;AAC/B;AAtBsBJ;AAwBf,IAAMS,qBAAN,MAAMA;EAxCb,OAwCaA;;;;;;EACX,YACUH,gBACAC,mBACAC,QACR;SAHQF,iBAAAA;SACAC,oBAAAA;SACAC,SAAAA;EACP;EAEHI,oBAAoBC,SAA6C;AAC/D,SAAKP,eAAeM,oBAAoBC,OAAAA;AACxC,WAAO,KAAKN,kBAAkBK,oBAAoBC,OAAAA;EACpD;EAEAC,qBAAoC;AAClC,SAAKR,eAAeQ,mBAAkB;AACtC,WAAO,KAAKP,kBAAkBO,mBAAkB;EAClD;EAEA,MAAMC,WAA0B;AAC9B,SAAKT,eAAeS,SAAQ;AAC5B,SAAKR,kBAAkBQ,SAAQ;EACjC;EAEA,MAAMC,aAAaC,WAAmC;AACpD,SAAKX,eAAeU,aAAaC,SAAAA;AACjC,SAAKV,kBAAkBS,aAAaC,SAAAA;EACtC;EAEA,MAAcC,gBAAgBC,KAA8B;AAC1D,UAAMC,OAAO,KAAKZ;AAClB,UAAMa,UAAU,MAAM,KAAKf,eACxBgB,YAAYH,GAAAA,EAGZI,KAAK,CAACC,aAAcA,YAAYJ,QAAQI,WAAWA,SAASJ,IAAAA,IAAQK,MAAAA;AACvE,QAAI,OAAOJ,YAAY,UAAU;AAC/B,YAAMlB,MAAM,yCAAyCgB,GAAAA;IACvD;AACA,WAAOE;EACT;EAEA,MAAcA,QAAQF,KAA0C;AAC9D,UAAMC,OAAO,KAAKZ;AAClB,WAAQ,MAAM,KAAKF,eAChBI,IAAIS,GAAAA,EAGJI,KAAK,CAACC,aAAcA,YAAYJ,QAAQI,WAAWA,SAASJ,IAAAA,IAAQK,MAAAA;EACzE;EAEA,MAAMC,OAAOtB,IAA8B;AACzC,WAAO,MAAM,KAAKc,gBAAgBd,EAAAA,EAAImB,KAAK,OAAOxB,UAAAA;AAChD,YAAM,KAAKO,eAAeoB,OAAOtB,EAAAA;AACjC,aAAO,MAAM,KAAKG,kBAAkBmB,OAAO3B,KAAAA;IAC7C,CAAA;EACF;EAEA,MAAMW,IAAIN,IAAoC;AAC5C,WAAO,KAAKiB,QAAQjB,EAAAA,EAAImB,KAAK,CAACxB,UAAWA,QAAQ,KAAKQ,kBAAkBG,IAAIX,KAAAA,IAAS0B,MAAAA;EACvF;EAEA,MAAME,IAAIvB,IAA8B;AACtC,WAAO,KAAKiB,QAAQjB,EAAAA,EAAImB,KAAK,CAACxB,UAAWA,QAAQ,KAAKQ,kBAAkBoB,IAAI5B,KAAAA,IAAS,KAAA;EACvF;;EAGA,MAAM6B,IAAIC,KAAaC,aAA+B;AACpD,UAAM3B,MAAM,2EAA2E;EACzF;EAEA,MAAM4B,UAAUC,UAAkBC,WAAcC,YAA8B;AAC5E,UAAMC,OAAOF;AACb,QAAI,EAAE,KAAKzB,UAAU2B,SAAS,CAACA,KAAK,KAAK3B,MAAM,GAAG;AAChD,aAAOP,QAAQC,OAAO,IAAIC,MAAM,YAAY8B,SAAAA,yCAAkD,KAAKzB,MAAM,EAAE,CAAA;IAC7G;AACA,UAAMW,MAAMgB,KAAK,KAAK3B,MAAM;AAC5B,UAAM,KAAKF,eAAesB,IAAIT,KAAKc,SAAAA;AACnC,UAAM,KAAK1B,kBAAkBqB,IAAII,UAAUE,UAAAA;EAC7C;EAEA,MAAMZ,YAAYlB,IAAwB;AACxC,WAAO,KAAKc,gBAAgBd,EAAAA,EAAImB,KAAK,CAACxB,UAAU,KAAKQ,kBAAkBe,YAAYvB,KAAAA,CAAAA;EACrF;AACF;;;ACxHO,IAAMqC,8BAAN,MAAMA;EAAb,OAAaA;;;EACMC;EACjB,cAAc;AACZ,SAAKA,uBAAuB,CAAC;EAC/B;EAEAC,gBAAgBA,iBAA8E;AAC5F,SAAKD,qBAAqBC,kBAAkBA;AAC5C,WAAO;EACT;EAEAC,UAAUC,WAAgD;AACxD,SAAKH,qBAAqBE,YAAYC;AACtC,WAAO;EACT;EAEAC,QAAgC;AAC9B,QAAI,CAAC,KAAKJ,qBAAqBE,WAAW;AACxC,WAAKF,qBAAqBE,YAAY,CAAC,oBAAIG,KAAAA;IAC7C;AACA,QAAI,CAAC,KAAKL,qBAAqBC,iBAAiB;AAC9C,YAAM,IAAIK,MAAM,+DAAA;IAClB;AACA,WAAO,KAAKN;EACd;AACF;;;AL2BA,IAAMO,gBAAYC,kBAAAA,SAAAA;AAEX,IAAMC,WAAN,MAAMA;EAxDb,OAwDaA;;;EACHC;EACSC;EACAC;EACAC;EACAC;EACAC;EACAC;EACAC;EACAC;EACAC;EACAC;EAEjB,YACEC,gBACAC,6BACAC,MAaA;AACA,SAAKb,kBAAkBW;AACvB,SAAKV,+BAA+BW;AACpC,SAAKV,iCAAiCW,KAAKC;AAC3C,SAAKR,2BAA2BO,KAAKE,2BAA2B,IAAIC,aAAAA;AACpE,SAAKR,QAAQK,KAAKI,QAAQ,IAAID,aAAAA;AAC9B,SAAKT,WAAWM,KAAKK;AACrB,SAAKf,4BAA4BU,MAAMM;AACvC,SAAKf,qBAAqBS,MAAMO;AAChC,SAAKf,0BAA0BQ,MAAMQ;AACrC,SAAKZ,mBAAoBI,MAAMS,oBAAoBC,QAAQC,IAAIC,qBAAqBC,SAASH,QAAQC,IAAIC,kBAAkB,IAAI;AAC/H,SAAKf,gBAAgBG,MAAMc;EAC7B;EAEA,MAAaC,8BACXC,IACAC,UAAgF;IAAC;IAAqB;IAAe;KACpF;AAEjC,QAAIC,MAAMC,QAAQF,OAAAA,KAAYA,QAAQG,SAAS,GAAG;AAChD,UAAI,CAAC,KAAKhB,MAAM;AACd,eAAOiB,QAAQC,OAAOC,MAAM,sEAAA,CAAA;MAC9B;AACA,aAAOC,mCAAmC;QACxCR;QACAS,gBAAgB,KAAK9B;QACrB+B,mBAAmB,KAAKjC;QACxBwB,SAAS;UAAC;UAAqB;UAAe;;MAChD,CAAA;IAEF;AACA,UAAMU,UAAU,MAAM,KAAKlC,yBAAyBmC,IAAIZ,EAAAA;AACxD,QAAI,CAACW,SAAS;AACZ,aAAON,QAAQC,OAAOC,MAAM,2BAA2BP,EAAAA,EAAI,CAAA;IAC7D;AACA,WAAOW;EACT;EAEA,MAAaE,iCACXb,IACAC,UAAgF;IAAC;IAAqB;KACrE;AACjC,UAAMU,UAAU,MAAM,KAAKZ,8BAA8BC,IAAIC,OAAAA;AAC7D,QAAIU,SAAS;AACX,UAAIA,QAAQG,qBAAsB,MAAM,KAAKrC,yBAAyBsC,IAAIJ,QAAQG,iBAAiB,GAAI;AACrG,cAAM,KAAKrC,yBAAyBuC,OAAOL,QAAQG,iBAAiB;MACtE;AACA,UAAIH,QAAQM,eAAgB,MAAM,KAAKxC,yBAAyBsC,IAAIJ,QAAQM,WAAW,GAAI;AACzF,cAAM,KAAKxC,yBAAyBuC,OAAOL,QAAQM,WAAW;MAChE;IACF;AACA,WAAON;EACT;EAEA,MAAaO,oBAAoB,EAC/BJ,mBACAG,aACAE,aAAY,GAK8B;AAC1C,UAAMC,YAAYN,qBAAqBG;AACvC,UAAMN,UAAUS,YAAY,MAAM,KAAKrB,8BAA8BqB,SAAAA,IAAaC;AAClF,QAAI,CAACV,WAAW,CAACS,WAAW;AAC1BE,UAAIC,MAAM,kCAAkCH,SAAAA,EAAW;AACvD,aAAOb,MAAM,8BAAA;IACf;AACA,QAAIY,aAAaK,oBAAoBb,QAAQa,iBAAiB;AAC5DF,UAAIC,MAAM,mBAAmBJ,aAAaK,eAAe,kDAAkDb,QAAQa,eAAe,EAAE;AACpI,aAAOjB,MAAM,yBAAA;IACf,WAAWI,QAAQQ,cAAc;AAC/BG,UAAIG,KAAK,oEAAoEd,QAAQa,eAAe,EAAE;IACxG;AACA,UAAM,KAAKE,cAAc;MAAEZ;MAAsCG;MAA0BE;IAAa,CAAA;AACxGG,QAAIG,KAAK,0BAA0BN,YAAAA,QAAoBR,QAAQa,eAAe,EAAE;AAChF,WAAOb;EACT;EAEA,MAAagB,yBAAyBC,MAgBM;AAC1C,UAAM,EACJC,YAAY,SACZC,gBAAgB9D,UAAU+D,SAAQ,GAClCC,8BACAC,gBACAC,oBACAC,YAAW,IACTP;AACJ,QAAIC,cAAc,eAAe,CAACK,oBAAoB;AACpD,aAAO7B,QAAQC,OAAOC,MAAM,8DAAA,CAAA;IAC9B;AAEA,UAAM6B,SAASR,KAAKQ,SAAS;MAAE,GAAGR,KAAKQ;IAAO,IAAI,CAAC;AAEnD,QAAIR,KAAKS,cAAchB,QAAW;AAChC,UAAIe,OAAOE,6CAAAA,GAAyB;AAClCF,eAAOE,6CAAAA,EAAwBC,UAAU;UACvC,GAAGH,OAAOE,6CAAAA,EAAwBC;UAClCnC,QAAQgC,OAAOE,6CAAAA,EAAwBC,SAASnC,UAAUwB,KAAKS;QACjE;MACF;IACF;AACA,QAAID,OAAOE,6CAAAA,GAAyBC,WAAW,CAACH,OAAOE,6CAAAA,GAAyBC,SAASnC,QAAQ;AAC/FgC,aAAOE,6CAAAA,EAAwBC,QAAQnC,SAAS;IAClD;AAEA,UAAMoC,UAAUZ,MAAMY,WAAW,KAAKvD;AACtC,UAAMwD,wBAAwBC,4BAA4B,KAAKvE,iBAAiB;MAC9E,GAAGyD;MACHQ;MACAO,iBAAiBX,+BACb;QACEY,mBAAmB,KAAKzE,gBAAgByE;QACxCZ;MACF,IACAX;IACN,CAAA;AAEA,UAAMwB,eAAeJ,sBAAsBK,iBAAiBV,SAASE,6CAAAA;AACrE,UAAMS,YAAYN,sBAAsBK,iBAAiBV,QAAQY;AAEjE,UAAMlC,oBAAoB+B,eAAe,qBAAA;AACzC,UAAM5B,cAAc8B,WAAWE;AAC/B,UAAMC,SAASL,cAAcN;AAE7B,QAAIY;AACJ,QAAIN,cAAcN,SAAS;AACzB,YAAMF,YAAYQ,aAAaN,QAAQnC,UAAU;AAEjD+C,iBAAW,KAAKC,KAAKC,OAAOD,KAAKE,IAAI,IAAIjB,SAAAA,IAAa,KAAKe,KAAKG,OAAM,CAAA,GAAKC,SAASnB,WAAW,GAAA;AAC/FoB,2BAAqBN,SAASd,SAAAA;IAChC;AACA,UAAMqB,YAAY,CAAC,oBAAIC,KAAAA;AACvB,UAAMC,gBAAgBF;AACtB,UAAMG,kBAAkBjC,KAAKkC,wBAAwB,KAAK,MAAM;AAChE,UAAMC,YAAYL,YAAYN,KAAKY,IAAIH,cAAAA;AACvC,QAAIhC,cAAc,aAAa;AAC7B,UAAI,CAAC,KAAKzC,MAAM;AACd,cAAMmB,MAAM,yFAAA;MACd;AAEA,YAAM0D,WAAWrC,KAAKM,oBAAoBgC,QAAQ,OAAOpC,aAAAA;AACzD,UAAI,CAACmC,UAAU;AACb,eAAO5D,QAAQC,OAAOC,MAAM,8DAAA,CAAA;MAC9B;AAEAkC,4BAAsB0B,uBAAuBF;AAC7C,YAAM,KAAK7E,KAAKgF,IAAItC,eAAe;QACjCuC,KAAKJ;QACLP;QACAK;QACAjD;QACAG;QACAa;MACF,CAAA;IACF;AAEA,UAAMa,kBAAkB,UAAM2B,wDAC5B;MACExB,kBAAkBL,sBAAsBK;MACxCqB,sBAAsB1B,sBAAsB0B;IAC9C,GACA;MACEI,SAASC,yCAAkBC;MAC3BC,SAAS;IACX,CAAA;AAGF,UAAMC,SAASC,mCAAYC;AAC3B,UAAMlE,UAAkC;MACtCwB;MACArB;MACAG;MACAyC;MACAE;MACAG;MACAY;MACAnD,qBAAiBsD,8BAAAA;MACjB,GAAIlD,KAAKmD,aAAa;QAAEC,UAAUpD,KAAKmD;MAAU;MACjD,GAAI5B,WAAW;QAAED,QAAQC;MAAQ;MACjC,GAAIvB,KAAKqD,+BAA+B;QAAEA,6BAA6BrD,KAAKqD;MAA4B;MACxGtC;MACAuC,aAAajD;IACf;AAEA,UAAMoC,MAAMc,mCAAmCxC,iBAAiBd,WAAW;MAAE,GAAGD;MAAMY;IAAQ,CAAA;AAC9F,QAAI1B,mBAAmB;AACrB,YAAMsE,gBAAgB,IAAIC,mBAAqD,KAAKjG,MAAM,KAAKX,0BAA0B,eAAA;AACzH,YAAM2G,cAAcE,UAClBxE,mBACA;QACEA;QACAuD;QACAX;QACAK;QACAjC;QACAb;MACF,GACAN,OAAAA;IAGJ;AAEA,QAAIM,aAAa;AACf,YAAMmE,gBAAgB,IAAIC,mBAAqD,KAAKjG,MAAM,KAAKX,0BAA0B,eAAA;AACzH,YAAM2G,cAAcE,UAClBrE,aACA;QACEH;QACAuD;QACAX;QACAK;QACAjC;QACAb;MACF,GACAN,OAAAA;IAGJ;AACA,QAAI4E;AACJ,QAAI3D,KAAK4D,YAAY;AACnB,YAAM,EAAEC,UAAS,IAAK,MAAM,OAAO,YAAA;AACnC,YAAMC,SAAS,IAAID,UAAU;QAAE,GAAG7D,KAAK4D;QAAYG,MAAMtB;MAAI,CAAA;AAC7DkB,sBAAgB,0BAA0B,MAAMG,OAAOE,KAAI,GAAKC,SAAS,QAAA,CAAA;IAC3E;AACA,UAAMC,wBAAwB;MAC5BnF;MACA0D;MACAkB;MACAzD;MACAoB;MACA,GAAIC,YAAY9B,UAAa;QAAE8B;QAASd,WAAWc,SAAS/C,UAAU;MAAE;IAC1E;AACA2F,kCAAOC,KAAKC,iDAA0BC,uBAAuB;MAC3DC,WAAWF,iDAA0BC;MACrClG,IAAI8B;MACJsE,MAAMN;MACNO,WAAW;MACXC,eAAeC,+BAAcC;MAC7BC,QAAQC,wBAAOC;MACfC,QAAQ,KAAK9H,eAAe8D;MAC5BiE,WAAWC,2BAAUC;MACrBrD;MACAK;IACF,CAAA;AACA,WAAO+B;EACT;;;;;;;;;;EAWA,MAAakB,gBAAgBpF,MAYG;AAI9B,UAAMqF,oBAAoBrF,KAAKqF;AAC/B,UAAMC,oBAAoBtF,KAAKsF;AAC/B,QAAI;AACF,UAAI,EAAE,2BAA2BD,sBAAsB,EAAE,iCAAiCA,oBAAoB;AAC5G,cAAM1G,MAAM,4FAAA;MACd;AAGA,UAAI,iCAAiC0G,qBAAqBA,kBAAkBE,6BAA6B;AACvG,YAAI,CAAC,KAAKhJ,gBAAgBiJ,sCAAsCH,kBAAkBE,2BAA2B,GAAG;AAC9G,gBAAM5G,MAAM8G,0CAAmBC,eAAe;QAChD;MACF;AAGA,UAAI,2BAA2BL,qBAAqBA,kBAAkBM,yBAAyBL,kBAAkBM,sBAAsB;AACrI,cAAMC,mBAAmBP,kBAAkBM,qBAAqBE,QAAQ,CAACC,WAAgBA,OAAOC,0BAA0B,CAAA,CAAE;AAE5H,YAAI,CAACH,iBAAiBI,SAASZ,kBAAkBM,qBAAqB,GAAG;AACvE,gBAAMhH,MAAM,0DAAA;QACd;MACF;AAEA,UAAIuH,SAAS,KAAKC,uBAAuBd,iBAAAA;AACzC,YAAMe,YAAY,MAAM,KAAKC,+BAA+B;QAC1D,GAAGrG;QACHkG;QACAI,gBAAgBtG,KAAKsG,kBAAkB;MACzC,CAAA;AACA,UAAIF,UAAUlH,qBAAqB,CAACoG,kBAAkBpG,mBAAmB;AACvEoG,0BAAkBpG,oBAAoBkH,UAAUlH;MAClD;AACA,UAAIkH,UAAU/G,eAAe,CAACiG,kBAAkBjG,aAAa;AAC3DiG,0BAAkBjG,cAAc+G,UAAU/G;MAC5C;AAEA,YAAM,EAAEkH,gBAAgBC,aAAaC,aAAaC,gBAAe,IAAKN;AACtE,YAAMO,MAAMD,gBAAgBC;AAC5B,YAAMC,MAAMF,gBAAgBE;AAC5B,YAAMC,MAAMH,gBAAgBG;AAC5B,YAAMC,YAAY9G,KAAK+G,YAAY/G,KAAK+G,gBAAY7D,8BAAAA;AACpD,YAAM8D,iBAAiB;QACrBC,QAAQH;QACRhF,WAAW,CAAC,oBAAIC,KAAAA;QAChB,GAAIyE,aAAanH,eAAe;UAAEA,aAAamH,YAAYnH;QAAY;QACvE,GAAIkH,kBAAkB;UAAErH,mBAAmBqH,eAAerH;QAAkB;MAC9E;AACA,YAAM,KAAKzB,QAAQ+E,IAAIsE,WAAWE,cAAAA;AAElC,UAAI,CAAChH,KAAKkH,cAAc,KAAKtK,4BAA4B6C,UAAaO,KAAKpC,2BAA2B6B,QAAW;AAC/G,cAAMd,MAAM,sEAAsE;MACpF;AACA,UAAIuI;AAEJ,UAAIC,iBAAuDnH,KAAKtC;AAChE,YAAMqB,UAA8CuG,kBAAkBpG,qBAAqBqH,iBAAiBA,iBAAiBC;AAC7H,UAAIxG,KAAKkH,YAAY;AACnBA,qBAAalH,KAAKkH;MACpB,OAAO;AACL,cAAMtJ,yBACJ,OAAOoC,KAAKpC,2BAA2B,aAAaoC,KAAKpC,yBAAyB,KAAKhB;AACzF,YAAI,OAAOgB,2BAA2B,YAAY;AAChD,gBAAMe,MAAM,yDAAA;QACd;AACA,YAAI,CAACI,SAAS;AACZ,gBAAMJ,MAAM,0DAAA;QACd;AACA,cAAMoC,kBAAkBhC,QAAQgC;AAChC,YAAI,CAACA,iBAAiB;AACpB,gBAAMpC,MAAM,0BAAA;QACd;AACA,cAAM0E,8BAA8BrD,KAAKqD,+BAA+BtE,QAAQsE;AAEhF,cAAM+D,SAAS,MAAMxJ,uBAAuB;UAC1C,GAAI6I,cAAc;YAAE,GAAGA;UAAY,IAAI;YAAE,GAAGD;UAAY;UACxDnB,mBAAmBrF,KAAKqF;UACxBgC,0BAA0B,KAAK9K,gBAAgB+K;UAC/CpB;UACAnF;UACA,GAAIsC,+BAA+B;YAAEA;UAA4B;QACnE,CAAA;AACA6D,qBAAaE,OAAOF;AACpB,YAAIE,OAAOlB,QAAQ;AACjBA,mBAASkB,OAAOlB;QAClB;AACA,YAAI,OAAOkB,OAAOG,iBAAiB,YAAY;AAC7CJ,2BAAiBC,OAAOG;QAC1B;MACF;AACA,UAAI,CAACL,YAAY;AACf,cAAMvI,MAAM,iDAAA;MACd;AAEA,UAAI6I,kCAAiBC,gCAAgCP,UAAAA,MAAgBL,OAAOD,QAAQ,CAACM,WAAWQ,KAAK;AACnG,YAAIb,KAAK;AACPK,qBAAWQ,MAAM;YACfb;UACF;QACF;AAEA,YAAID,KAAK;AACPM,qBAAWQ,MAAM;YACfd;UACF;QACF;MACF,WAAWD,OAAO,CAACa,kCAAiBC,gCAAgCP,UAAAA,KAAeA,WAAWS,sBAAsBlI,QAAW;AAC7H,cAAMmI,qBAAqBtJ,MAAMC,QAAQ2I,WAAWS,iBAAiB,IAAIT,WAAWS,oBAAoB;UAACT,WAAWS;;AACpHC,2BAAmBC,IAAI,CAACC,YAAAA;AACtB,cAAI,CAACA,QAAQ1J,IAAI;AACf0J,oBAAQ1J,KAAKuI;UACf;AACA,iBAAOmB;QACT,CAAA;AACAZ,mBAAWS,oBAAoBrJ,MAAMC,QAAQ2I,WAAWS,iBAAiB,IAAIC,qBAAqBA,mBAAmB,CAAA;MACvH,OAAO;MAGP;AAEA,UAAI5C,SAA6BvF;AACjC,UAAIyH,WAAWa,KAAK;AAClB/C,iBAASkC,WAAWa;MACtB,WAAWb,WAAWlC,QAAQ;AAC5B,YAAI,OAAOkC,WAAWlC,WAAW,UAAU;AACzCA,mBAASkC,WAAWlC;QACtB,WAAW,OAAOkC,WAAWlC,WAAW,YAAY,QAAQkC,WAAWlC,UAAU,OAAOkC,WAAWlC,OAAO5G,OAAO,UAAU;AACzH4G,mBAASkC,WAAWlC,OAAO5G;QAC7B;MACF;AAEA,YAAM4J,uBAAuB,MAAM,KAAKC,oBACtC;QACE5C,mBAAmBrF,KAAKqF;QACxBa;QACAgB;QACAR;QACA1B;QACA,GAAIjG,WAAW;UAAEuE,aAAavE,QAAQuE;QAAY;MACpD,GACA6D,cAAAA;AAIF,UAAI,CAACa,sBAAsB;AAEzB,cAAM,IAAIrJ,MAAMuJ,+CAAAA;MAClB;AACA,UAAIzB,aAAa;AAEf,cAAM,KAAKhJ,QAAQ2B,OAAOqH,YAAYQ,MAAM;MAC9C;AAEA,UAAIrH;AAEJ,UAAI0F,kBAAkBpG,qBAAqBqH,gBAAgB;AACzDA,uBAAevE,gBAAgB,CAAC,oBAAID,KAAAA;AACpCwE,uBAAexD,SAASC,mCAAYmF;AACpCvI,0BAAkB2G,eAAe3G;AACjC,cAAM,KAAK/C,yBAAyB2F,IAAI8C,kBAAkBpG,mBAAmBqH,cAAAA;MAC/E,WAAWjB,kBAAkBjG,eAAemH,aAAa;AAEvDA,oBAAYxE,gBAAgB,CAAC,oBAAID,KAAAA;AACjCyE,oBAAYzD,SAASC,mCAAYmF;AACjCvI,0BAAkB4G,YAAY5G;AAC9B,cAAM,KAAK/C,yBAAyB2F,IAAI8C,kBAAkBjG,aAAamH,WAAAA;MACzE;AAEA,YAAM4B,WAA+B;QACnCC,aAAa;UAAC;YAAEnB,YAAYc;UAAqB;;;QAEjDM,SAASxB;QACTyB,oBAAoB,KAAKvL;QACzB,GAAI4C,mBAAmB;UAAEA;QAAgB;MAC3C;AAGA,YAAM4I,8BAA8BxI,KAAKqF,kBAAkBoD;AAC3D,UAAID,6BAA6BE,oBAAoB;AACnD,YAAIF,4BAA4BE,uBAAuB,iBAAiB;AACtE,gBAAM/J,MAAM,2CAAA;QACd;AACAyJ,iBAASO,iBAAiBnC,aAAanH;AACvC+I,iBAASK,8BAA8BD;MACzC;AACA,aAAOJ;IACT,SAASzI,OAAgB;AACvB,YAAM,KAAKG,cAAc;QAAEZ,mBAAmBoG,kBAAkBpG;QAAmBG,aAAaiG,kBAAkBjG;QAAaM;MAAM,CAAA;AACrI,YAAMA;IACR;EACF;EAEQwG,uBAAuBd,mBAAkF;AAC/G,QAAIa;AAEJ,QAAI,iCAAiCb,qBAAqBA,kBAAkBE,6BAA6B;AACvG,YAAMqD,mBAAmB,KAAKrM,gBAAgBiJ,sCAAsCH,kBAAkBE,2BAA2B;AACjIW,eAAS0C,kBAAkB1C;IAC7B,WAAW,2BAA2Bb,qBAAqBA,kBAAkBM,uBAAuB;AAClG,YAAMkD,uBAA4BxD,kBAAkBM;AACpD,YAAMmD,gBAAgBC,OAAOC,OAAO,KAAKzM,gBAAgBiJ,uCAAuC,CAAC,CAAA,EAAGyD,KAClG,CAACC,WAAWL,yBAAyBK,OAAO9K,MAAMyK,yBAAyBK,OAAOC,GAAG;AAGvF,aAAOL,eAAe5C;IACxB;AACA,WAAOA;EACT;EAEA,MAAcpG,cAAc,EAC1BZ,mBACAS,OACAN,aACAE,aAAY,GAMX;AACD,QAAI6J,aAAsC3J;AAC1C,QAAIE,OAAO;AACTyJ,mBAAapG,mCAAYqG;IAC3B,WAAW9J,cAAc;AACvB,UAAIA,aAAa+J,SAAS,uBAAuB;AAC/CF,qBAAapG,mCAAYuG;MAC3B,WAAWhK,aAAa+J,SAAS,sBAAsB;AACrDF,qBAAapG,mCAAYwG;MAC3B,WAAWjK,aAAa+J,SAAS,sBAAsB;AACrDF,qBAAapG,mCAAYyG;MAC3B;IACF;AAEA,QAAIvK,mBAAmB;AACrB,YAAMqH,iBAAiB,MAAM,KAAK1J,yBAAyBmC,IAAIE,iBAAAA;AAC/D,UAAIqH,gBAAgB;AAClBA,uBAAevE,gBAAgB,CAAC,oBAAID,KAAAA;AACpC,YAAIqH,YAAY;AACd7C,yBAAexD,SAASqG;QAC1B;AACA,YAAIzJ,OAAO;AACT4G,yBAAe5G,QAAQA,iBAAiBhB,QAAQgB,MAAM+J,UAAU/J,OAAOsE,SAAAA;QACzE;AACAsC,uBAAe3G;AACf,YAAIL,cAAc;AAChBgH,yBAAehH,eAAeA;QAChC;AACA,cAAM,KAAK1C,yBAAyB2F,IAAItD,mBAAmBqH,cAAAA;MAC7D;IACF;AACA,QAAIlH,aAAa;AACf,YAAMmH,cAAc,MAAM,KAAK3J,yBAAyBmC,IAAIK,WAAAA;AAC5D,UAAImH,aAAa;AACfA,oBAAYxE,gBAAgB,CAAC,oBAAID,KAAAA;AACjC,YAAIqH,YAAY;AACd5C,sBAAYzD,SAASqG;QACvB;AACA,YAAIzJ,OAAO;AACT6G,sBAAY7G,QAAQA,iBAAiBhB,QAAQgB,MAAM+J,UAAU/J,OAAOsE,SAAAA;QACtE;AACA,YAAI1E,cAAc;AAChBiH,sBAAYjH,eAAeA;QAC7B;AACA,cAAM,KAAK1C,yBAAyB2F,IAAInD,aAAamH,WAAAA;MACvD;IACF;EACF;;;;;;;;;;;;;;;EAiBA,MAAcH,+BAA+B,EAC3ChB,mBACAC,mBACAY,QACAvI,mBACA2I,eAAc,GASb;AACD,QAAIjH;AAEJ,UAAMsK,2BAA2B;MAAC;MAAe;MAAkB;MAAa;MAAU;;AAC1F,QAAI;AACF,UAAIzD,UAAU,CAACyD,yBAAyB1D,SAASC,MAAAA,GAAS;AACxD,cAAMvH,MAAM,UAAUuH,MAAAA,oBAA0B;MAClD;AAEA,YAAM0D,WAA0CjM,qBAAqB,KAAKhB;AAC1E,UAAI,OAAOiN,aAAa,YAAY;AAClC,cAAMjL,MAAMkL,8CAAAA;MACd;AAEA,YAAMC,UAAUzE;AAGhB,UAAIyE,QAAQC,SAASD,QAAQE,QAAQ;AACnC,cAAMrL,MAAM,qEAAA;MACd;AAGA,YAAMsL,kBAA4C,CAAA;AAElD,UAAIH,QAAQC,OAAO;AACjBE,wBAAgBC,KAAKJ,QAAQC,KAAK;MACpC,WAAWD,QAAQE,QAAQ;AAEzB,YAAI1L,MAAMC,QAAQuL,QAAQE,OAAOG,GAAG,GAAG;AAErC,qBAAWC,YAAYN,QAAQE,OAAOG,KAAK;AACzC,gBAAI,OAAOC,aAAa,UAAU;AAEhCH,8BAAgBC,KAAK;gBACnBG,YAAY;gBACZF,KAAKC;cACP,CAAA;YACF,WAAWA,YAAY,OAAOA,aAAa,YAAY,SAASA,UAAU;AAExEH,8BAAgBC,KAAKE,QAAAA;YACvB;UACF;QACF;AAGA,YAAIH,gBAAgBzL,WAAW,GAAG;AAChC,gBAAM8L,iBAAiBvB,OAAOwB,KAAKT,QAAQE,MAAM,EAAEQ,KAAK,IAAA;AACxD,gBAAM7L,MAAM,0DAA0D2L,cAAAA,GAAiB;QACzF;MACF,OAAO;AACL,cAAM3L,MAAM,yFAAA;MACd;AAGA,UAAI+H;AACJ,YAAM+D,mBAA6B,CAAA;AAEnC,iBAAWV,SAASE,iBAAiB;AACnC,YAAI;AACFvD,4BAAkB,MAAMkD,SAAS;YAAEO,KAAKJ,MAAMI;UAAI,CAAA;AAClD;QACF,SAASxK,OAAO;AACd,gBAAM+K,MAAM/K,iBAAiBhB,QAAQgB,MAAM+J,UAAUiB,OAAOhL,KAAAA;AAC5D8K,2BAAiBP,KAAKQ,GAAAA;QACxB;MACF;AAGA,UAAI,CAAChE,iBAAiB;AACpB,cAAM/H,MAAM,iDAAiD8L,iBAAiBD,KAAK,IAAA,CAAA,EAAO;MAC5F;AAEA,YAAM,EAAEI,aAAajE,KAAKwD,IAAG,IAAKzD;AAClC,YAAM,EAAEmE,QAAQC,QAAO,IAAKX;AAC5B,YAAM,EAAEpC,KAAKgD,KAAKC,KAAKC,MAAK,IAAKH;AACjC,YAAMzJ,eACJ,kBAAkBgE,qBAAqBA,kBAAkBhE,eAAegE,kBAAkBhE,eAAeiE,kBAAkBjG;AAC7H,UAAI,CAAC4L,SAAS,CAAC5J,cAAc;AAC3B,cAAM1C,MAAM,+DAAA;MACd;AAEA,UAAImD,YAAoB,CAAC,oBAAIC,KAAAA;AAC7B,UAAI0E;AACJ,UAAIwE,OAAO;AACTxE,sBAAc,MAAM,KAAKhJ,QAAQyN,YAAYD,KAAAA;AAC7CnJ,oBAAY2E,YAAY3E;MAC1B;AACA,UAAIT,cAAc;AAChB,cAAMtC,UAAU,MAAM,KAAKlC,yBAAyBqO,YAAY7J,YAAAA;AAChEhC,sBAAcgC;AACdS,oBAAY/C,QAAQ+C;MACtB;AAGA,YAAMqJ,MAAMzE,gBAAgByE,OAAON,OAAOM;AAC1C,YAAMtE,MAAMH,gBAAgBG,OAAOgE,OAAOhE;AAC1C,YAAMD,MAAMF,gBAAgBE,OAAOiE,OAAOjE;AAC1C,YAAMwE,MAAM1E,gBAAgB0E,OAAOP,OAAOO;AAC1C,YAAMC,MAAMR,OAAOQ;AAEnB,UAAIA,QAAQ,wBAAwB;AAClC,cAAM1M,MAAM2M,gCAAAA;MACd,WAAW,CAACH,KAAK;AACf,cAAMxM,MAAM4M,gCAAAA;MACd,WAAWH,QAAQvE,OAAOD,MAAM;AAE9B,cAAMjI,MAAM6M,wCAAAA;MACd,WAAW3E,OAAO,CAACF,KAAK;AACtB,YAAI,CAACC,OAAO,CAACwE,KAAK;AAEhB,gBAAMzM,MAAM8M,2CAAAA;QACd,OAAO;AAELC,kBAAQC,IAAI,0CAA0C;QACxD;MACF,WAAWhF,OAAO,CAACiE,aAAa;AAE9B,cAAMjM,MAAMiN,0CAAAA;MACd;AAEA,YAAMrF,iBAAiBjB,kBAAkBpG,oBACrC,MAAM,KAAK5B,wBAAwB0B,IAAIsG,kBAAkBpG,iBAAiB,IAC1EO;AACJ,YAAM+G,cAAcnH,cAAc,MAAM,KAAK/B,wBAAwB0B,IAAIK,WAAAA,IAAeI;AACxF,UAAI,CAAC8G,kBAAkB,CAACC,aAAa;AACnC,cAAM7H,MAAM,kEAAA;MACd;AACA,UAAI4H,gBAAgB;AAClB,YAAI,CAACA,eAAerH,qBAAqBqH,eAAerH,sBAAsBoG,kBAAkBpG,mBAAmB;AACjH,gBAAMP,MAAM,6BAAA;QACd;AACA4H,uBAAevE,gBAAgB,CAAC,oBAAID,KAAAA;AACpCwE,uBAAexD,SAASC,mCAAY6I;AACpC,cAAM,KAAKhP,yBAAyB2F,IAAI8C,kBAAkBpG,mBAAmBqH,cAAAA;MAC/E;AACA,UAAIC,aAAa;AACf,YAAI,CAACA,YAAYnH,eAAemH,YAAYnH,gBAAgBA,aAAa;AACvE,gBAAMV,MAAM,sBAAA;QACd;AACA6H,oBAAYxE,gBAAgB,CAAC,oBAAID,KAAAA;AACjCyE,oBAAYzD,SAASC,mCAAY6I;MACnC;AAWA,UAAI,CAAC9D,OAAOvB,aAAazF,gBAAgBG,kBAAkBV,QAAQY,oBAAoB;AACrF,cAAM,IAAIzC,MAAMmN,2DAAAA;MAClB;AAUA,UAAI,CAACf,OAAOA,QAAQ,KAAKxO,gBAAgByE,mBAAmB;AAC1D,cAAM,IAAIrC,MAAMoN,gCAAAA;MAClB;AACA,UAAI,CAACf,KAAK;AACR,cAAM,IAAIrM,MAAMqN,gCAAAA;MAClB,WAAWhB,MAAMxJ,KAAKC,MAAMK,YAAY,GAAA,IAAQwE,gBAAgB;AAE9D,cAAM,IAAI3H,MAAMqN,gCAAAA;MAClB;AAGA,aAAO;QAAEtF;QAAiBxH,mBAAmBoG,kBAAkBpG;QAAmBqH;QAAgBlH;QAAamH;QAAaC;MAAY;IAC1I,SAAS9G,OAAgB;AACvB,YAAM,KAAKG,cAAc;QAAEZ,mBAAmBoG,kBAAkBpG;QAAmBG;QAAaM;MAAM,CAAA;AACtG,YAAMA;IACR;EACF;EAEA,MAAcsI,oBACZjI,MAQAiM,gBACmD;AACnD,QAAK,CAACjM,KAAKkH,cAAc,CAAClH,KAAKqF,qBAAsB,CAAC,KAAK3I,2BAA2B;AACpF,YAAM,IAAIiC,MAAMuN,0CAAAA;IAClB;AACA,UAAMhF,aAAa+E,iBAAiB,MAAMA,eAAejM,IAAAA,IAAQ,MAAM,KAAKtD,0BAA0BsD,IAAAA;AAGtGmE,kCAAOC,KAAK+H,4CAAqBC,2BAA2B;MAC1D7H,WAAW4H,4CAAqBC;MAChChO,QAAI8E,8BAAAA;MACJsB,MAAM0C;;MAENzC,WAAWzE,KAAKgF,UAAU;MAC1BN,eAAeC,+BAAcC;MAC7BC,QAAQC,wBAAOC;MACfE,WAAWC,2BAAUmH;IACvB,CAAA;AAEA,WAAOnF;EACT;EAEA,IAAIxJ,2BAAiE;AACnE,WAAO,KAAKhB;EACd;EAEA,IAAIiB,oBAAmD;AACrD,WAAO,KAAKhB;EACd;EAEA,IAAIiB,yBAA6D;AAC/D,WAAO,KAAKhB;EACd;EAEA,IAAIY,OAAgC;AAClC,WAAO,KAAKT;EACd;EAEA,IAAIc,kBAA0B;AAC5B,WAAO,KAAKb;EACd;EAEA,IAAWM,0BAAiE;AAC1E,WAAO,KAAKT;EACd;EAEA,IAAWY,UAAsC;AAC/C,WAAO,KAAKX;EACd;EAEA,IAAIO,gCAAoD;AACtD,WAAO,KAAKZ;EACd;EAEA,IAAWS,iBAAiB;AAC1B,WAAO,KAAKX;EACd;;EAGA,IAAWW,eAAeoP,OAA4C;AACpE,SAAK/P,kBAAkB+P;EACzB;EAEA,IAAWnP,8BAA8B;AACvC,WAAO,KAAKX;EACd;EAEA,IAAI0B,eAAe;AACjB,WAAO,KAAKjB;EACd;AACF;;;AD34BO,IAAMsP,kBAAN,MAAMA;EAzBb,OAyBaA;;;EACXC;EACAC,iBAA+D,CAAC;EAChEC,8BAAoE,CAAC;EACrEC;EACAC;EACAC;EACAC;EACAC;EACAC;EACAC;EACAC;EACAC;EACAC;EACAC;EAEOC,mBAAmBb,gBAAgC;AACxD,QAAI,CAACA,eAAec,qCAAqC;AACvD,YAAM,IAAIC,MAAM,uDAAA;IAClB;AACA,SAAKf,iBAAiBA;AACtB,WAAO;EACT;EAEOgB,qBAAqBC,gBAAsC;AAChE,SAAKf,eAAee;AACpB,WAAO;EACT;EAEOC,2BAA2B,EAChCC,WACAC,eACAC,eACAC,gBACA,GAAGC,MAAAA,GACqI;AACxI,SAAKrB,eAAe;MAAE,GAAGqB;MAAOJ;MAAWC;MAAeC;MAAeC;IAAe;AACxF,WAAO;EACT;EAEOE,0BAA0BvB,6BAA0D;AACzF,SAAKA,8BAA8BA;AACnC,WAAO;EACT;EAEOwB,0BAA0BC,SAAqC;AACpE,SAAK3B,wBAAwB2B;AAC7B,WAAO;EACT;EAEOC,kCAAkCC,SAAiB;AACxD,SAAKxB,gCAAgCwB;AACrC,WAAO;EACT;EAEOC,qBAAqBC,QAAsB;AAChD,SAAK9B,eAAe+B,oBAAoBD;AACxC,WAAO;EACT;EAEOE,yBAAyBC,sBAA+C;AAC7E,SAAKjC,eAAekC,wBAAwB,OAAOD,yBAAyB,WAAW;MAACA;QAAwBA;AAChH,WAAO;EACT;EAEOE,uBAAuBC,oBAAkC;AAC9D,SAAKpC,eAAeqC,sBAAsBD;AAC1C,WAAO;EACT;EAEOE,kBAAkBC,eAA6B;AACpD,SAAKvC,eAAewC,iBAAiBD;AACrC,WAAO;EACT;EAEOE,kBAAkBC,eAA6B;AACpD,SAAK1C,eAAe2C,iBAAiBD;AACrC,WAAO;EACT;EAEOE,kBAAkBC,eAA0D;AACjF,SAAK7C,eAAe8C,UAAUC,MAAMC,QAAQH,aAAAA,IAAiBA,gBAAgB;MAACA;;AAC9E,WAAO;EACT;EAEOI,iBAAiBJ,eAAsC;AAC5D,SAAK7C,eAAe8C,UAAU;SAAK,KAAK9C,eAAe8C,WAAW,CAAA;MAAKD;;AACvE,WAAO;EACT;EAEOK,sCAAsCC,mCAA4F;AACvI,SAAKnD,eAAec,sCAAsCqC;AAC1D,WAAO;EACT;EAEOC,qCAAqCC,IAAYC,qBAA8D;AACpH,QAAI,CAAC,KAAKtD,eAAec,qCAAqC;AAC5D,WAAKd,eAAec,sCAAsC,CAAC;IAC7D;AACA,SAAKd,eAAec,oCAAoCuC,EAAAA,IAAMC;AAC9D,WAAO;EACT;EAEOC,WAAWpD,QAAsB;AACtC,SAAKA,SAASA;AACd,WAAO;EACT;EAEOqD,mCAAmChD,2BAA0D;AAClG,SAAKA,4BAA4BA;AACjC,WAAO;EACT;EAEOiD,sCAA4C;AACjD,SAAKD,mCAAmC,IAAIE,aAAAA,CAAAA;AAC5C,WAAO;EACT;EAEOC,gCAAgCC,wBAAqE;AAC1G,SAAKrD,8BAA8BqD;AACnC,WAAO;EACT;EAEOC,mCAAyC;AAC9C,SAAKF,gCAAgC,IAAID,aAAAA,CAAAA;AACzC,WAAO;EACT;EAEOI,uBAAuBC,eAAiD;AAC7E,SAAKtD,qBAAqBsD;AAC1B,WAAO;EACT;EAEOC,0BAAgC;AACrC,SAAKF,uBAAuB,IAAIJ,aAAAA,CAAAA;AAChC,WAAO;EACT;EAEOO,oBAAoB3D,iBAA+B;AACxD,SAAKA,kBAAkBA;AACvB,WAAO;EACT;EAEO4D,6BAA6BC,IAAoC;AACtE,SAAKzD,2BAA2ByD;AAChC,WAAO;EACT;EAEOC,sBAAsBC,gBAAyC;AACpE,SAAK1D,oBAAoB0D;AACzB,WAAO;EACT;EAEOC,2BAA2B1D,wBAAsD;AACtF,SAAKA,yBAAyBA;AAC9B,WAAO;EACT;EAEO2D,QAAkB;AACvB,QAAI,CAAC,KAAKhE,6BAA6B;AACrC,YAAM,IAAIQ,MAAMyD,0CAAmBC,eAAe;IACpD;AACA,QAAI,CAAC,KAAKhE,oBAAoB;AAC5B,YAAM,IAAIM,MAAMyD,0CAAmBC,eAAe;IACpD;AACA,QAAIC,OAAOC,KAAK,KAAK3E,cAAc,EAAE4E,WAAW,GAAG;AACjD,YAAM,IAAI7D,MAAM,wBAAA;IAClB;AACA,QAAI2D,OAAOC,KAAK,KAAK1E,2BAA2B,EAAE2E,WAAW,GAAG;AAC9D,YAAM,IAAI7D,MAAM,qCAAA;IAClB;AAEA,UAAMW,UAAU,KAAK3B,uBAAuBwE,MAAAA;AAC5C,UAAMM,WAA2C;MAAE,GAAG,KAAK7E;MAAgB,GAAG0B;IAAQ;AAEtFmD,aAAS/D,sCAAsC,KAAKd,eAAec;AACnE+D,aAAS/B,UAAU;SAAK,KAAK9C,eAAe8C,WAAW,CAAA;SAASpB,SAASoB,WAAW,CAAA;;AACpF,QAAI,CAAC+B,SAASxC,uBAAuB,CAACwC,SAAS9C,qBAAqB,CAAC,KAAK/B,eAAec,qCAAqC;AAC5H,YAAM,IAAIC,MAAMyD,0CAAmBC,eAAe;IACpD;AACA,QAAI,KAAKvE,gBAAgB,OAAO,KAAKS,sBAAsB,YAAY;AACrE,UAAI,CAAC,KAAKX,eAAe+B,mBAAmB;AAC1C,cAAMhB,MAAM,sEAAA;MACd,WAAW,CAAC,KAAKf,eAAekC,uBAAuB;AACrD,cAAMnB,MAAM,0EAAA;MACd;AACA,WAAKJ,oBAAoBmE,8BAA8B;QACrD7D,gBAAgB,KAAKf;QACrB6E,kBAAkB,KAAK/E,eAAe+B;QACtCiD,qBAAqB,KAAKhF,eAAekC,sBAAsB,CAAA;MACjE,CAAA;IACF;AACA,WAAO,IAAI+C,SAASJ,UAAmC,KAAK5E,6BAA4D;;MAEtH,GAAI,KAAKE,UAAU;QAAEA,QAAQ,KAAKA;MAAO;MACzCC,+BAA+B,KAAKA;MACpCM,0BAA0B,KAAKA;MAC/BC,mBAAmB,KAAKA;MACxBC,wBAAwB,KAAKA;MAC7BsE,yBAAyB,KAAK3E;MAC9B4E,SAAS,KAAK1E;MACdH,iBAAiB,KAAKA;MACtB8E,MAAM,KAAK5E;MACXN,cAAc,KAAKA;IACrB,CAAA;EACF;AACF;;;AOrOO,IAAMmF,iBAAN,MAAMA;EAAb,OAAaA;;;EACXC;EACAC;EACAC,uBAAgD,CAAC;EAEjDC;EACAC;EACAC;EAEAC,SAASN,MAAc;AACrB,SAAKA,OAAOA;AACZ,WAAO;EACT;EAEAO,WAAWN,QAAgB;AACzB,SAAKA,SAASA;AACd,WAAO;EACT;EAEAO,SAASL,MAAiB;AACxB,QAAIA,MAAM;AACR,UAAI,CAACA,KAAKM,KAAK;AACb,cAAMC,MAAM,gCAAgC;MAC9C;IACF;AACA,SAAKP,OAAOA;AACZ,WAAO;EACT;EAEAQ,oBAAoBP,iBAAyB;AAC3C,SAAKA,kBAAkBA;AACvB,WAAO;EACT;EAEAQ,cAAcP,WAAmB;AAC/B,SAAKA,YAAYA;AACjB,WAAO;EACT;EAEAQ,yBAAyBC,YAAqC;AAC5D,SAAKZ,uBAAuBY,cAAc,CAAC;AAC3C,WAAO;EACT;EAEAC,sBAAsBC,KAAaC,OAAgB;AACjD,SAAKf,qBAAqBc,GAAAA,IAAOC;AACjC,WAAO;EACT;EAEAC,QAAyB;AACvB,WAAO;MACL,GAAG,KAAKhB;MACR,GAAI,KAAKF,QAAQ;QAAEA,MAAM,KAAKA;MAAK;MACnC,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;MACzC,GAAI,KAAKE,QAAQ;QAAEA,MAAM,KAAKA;MAAK;MACnC,GAAI,KAAKC,mBAAmB;QAAEe,kBAAkB,KAAKf;MAAgB;MACrE,GAAI,KAAKC,aAAa;QAAEe,YAAY,KAAKf;MAAU;IACrD;EACF;AACF;;;AClDO,IAAMgB,6BAAN,MAAMA;EAHb,OAGaA;;;EACXC;EACAC;EACAC;EACAC,oBAAuD,CAAA;EACvDC,oCAA6F,CAAC;EAC9FC,kBAAoC,CAAA;EACpCC,UAA6B,CAAA;EAC7BC;EACAC;EACAC;EACAC;EACAC;EACAC;EACAC;;EAGOC,4BAA4BP,yBAAkD;AACnF,SAAKA,0BAA0BA;AAC/B,WAAO;EACT;EAEOQ,yBAAyBP,sBAAgC;AAC9D,SAAKA,uBAAuBA;AAC5B,WAAO;EACT;EAEOQ,wBAAwBC,qBAA6B;AAC1D,QAAI,KAAKT,yBAAyBU,QAAW;AAC3C,WAAKV,uBAAuB,CAAA;IAC9B;AACA,SAAKA,qBAAqBW,KAAKF,mBAAAA;AAC/B,WAAO;EACT;EAEOG,mCAAmCV,gCAAwC;AAChF,SAAKA,iCAAiCA;AACtC,WAAO;EACT;EAEOW,kBAAkBZ,eAAuB;AAC9C,SAAKA,gBAAgBA;AACrB,WAAO;EACT;EAEOa,uBAAuBtB,oBAAwD;AACpF,SAAKA,qBAAqBA;AAC1B,WAAO;EACT;;EAGOuB,kBAAkBtB,eAAmD;AAC1E,SAAKA,gBAAgBA;AACrB,WAAO;EACT;EAEOuB,qBAAqBtB,kBAAsD;AAChF,SAAKA,mBAAmBA;AACxB,WAAO;EACT;;EAGOuB,iCAAiCd,8BAA8E;AACpH,SAAKA,+BAA+BA;AACpC,WAAO;EACT;;EAGOe,mBAAmBd,gBAAoD;AAC5E,SAAKA,iBAAiBA;AACtB,WAAO;EACT;;EAGOe,mCAAmCd,gCAAqE;AAC7G,SAAKA,iCAAiCA;AACtC,WAAO;EACT;EAEOe,gCAAiE;AACtE,UAAMC,UAAU,IAAIC,gCAAAA;AACpB,SAAKC,8BAA8BF,OAAAA;AACnC,WAAOA;EACT;EAEOE,8BAA8BC,4BAA6D;AAChG,SAAK7B,kBAAkBgB,KAAKa,0BAAAA;AAC5B,WAAO;EACT;EAEOC,qCAAqCC,IAAYC,qBAA8D;AACpH,SAAK/B,kCAAkC8B,EAAAA,IAAMC;AAC7C,WAAO;EACT;EAEOC,kBAAkBC,eAAgF;AACvG,SAAK/B,UAAUgC,MAAMC,QAAQF,aAAAA,IAAiBA,gBAAgB;MAACA;;AAC/D,WAAO;EACT;EAEOG,WAAWlC,SAA0B;AAC1C,SAAKA,QAAQa,KAAKb,OAAAA;EACpB;EAEOmC,kBAAkBC,gBAAgC;AACvD,SAAKrC,gBAAgBc,KAAKuB,cAAAA;EAC5B;EAEOC,oBAAoC;AACzC,UAAMd,UAAU,IAAIe,eAAAA;AACpB,SAAKH,kBAAkBZ,OAAAA;AACvB,WAAOA;EACT;EAEOgB,QAA+B;AACpC,QAAI,CAAC,KAAK3C,kBAAkB;AAC1B,YAAM4C,MAAM,+BAAA;IACd,WAAW,CAAC,KAAK9C,oBAAoB;AACnC,YAAM8C,MAAM,iCAAA;IACd;AACA,UAAMC,sCAA+F,KAAK3C;AAC1G,UAAM4C,0BAAqF,KAAK7C,kBAAkB8C,IAAI,CAACpB,YACrHA,QAAQgB,MAAK,CAAA;AAEfG,4BAAwBE,QAAQ,CAACC,iBAAAA;AAC/BC,aAAOC,KAAKF,YAAAA,EAAcD,QAAQ,CAACI,QAAAA;AACjCP,4CAAoCO,GAAAA,IAAOH,aAAaG,GAAAA;MAC1D,CAAA;IACF,CAAA;AACA,QAAIF,OAAOC,KAAKN,mCAAAA,EAAqCQ,WAAW,GAAG;AACjE,YAAMT,MAAM,mCAAA;IACd;AAEA,UAAMxC,UAA6B,CAAA;AACnCA,YAAQa,KAAI,GAAI,KAAKb,OAAO;AAC5BA,YAAQa,KAAI,GAAI,KAAKd,gBAAgB4C,IAAI,CAACpB,YAAYA,QAAQgB,MAAK,CAAA,CAAA;AAEnE,UAAMW,iBAAwC;MAC5CC,mBAAmB,KAAKvD;MACxBwD,qBAAqB,KAAK1D;MAC1B+C;MACA,GAAI,KAAK9C,iBAAiB;QAAE0D,gBAAgB,KAAK1D;MAAc;MAC/D,GAAI,KAAKM,2BAA2B;QAAEqD,2BAA2B,KAAKrD;MAAwB;MAC9F,GAAI,KAAKC,wBAAwB;QAAEqD,uBAAuB,KAAKrD;MAAqB;MACpF,GAAI,KAAKC,iBAAiB;QAAEqD,gBAAgB,KAAKrD;MAAc;MAC/D,GAAI,KAAKC,kCAAkC;QAAEqD,kCAAkC,KAAKrD;MAA+B;MACnH,GAAI,KAAKC,gCAAgC;QAAEqD,gCAAgC,KAAKrD;MAA6B;MAC7G,GAAI,KAAKC,kBAAkB;QAAEqD,iBAAiB,KAAKrD;MAAe;MAClE,GAAI,KAAKC,mCAAmCK,UAAa;QAAEgD,kCAAkC,KAAKrD;MAA+B;MACjI,GAAIP,QAAQiD,SAAS,KAAK;QAAEjD;MAAQ;IACtC;AAEA,WAAOkD;EACT;AACF;;;ACvJO,IAAMW,qCAAN,MAAMA;EAAb,OAAaA;;;EACHC,WAAiD,CAAC;EAEnDC,WAAWC,QAAoD;AACpE,SAAKF,SAASE,SAASA;AACvB,WAAO;EACT;EAEOC,0BAA0BC,UAAsD;AACrF,SAAKJ,SAASK,yBAAyBD;AACvC,WAAO;EACT;EAEOE,mCAAmCF,UAAsD;AAC9F,SAAKJ,SAASO,mCAAmCH;AACjD,WAAO;EACT;EAEOI,kBAAkBJ,UAAsD;AAC7E,SAAKJ,SAASS,iBAAiBL;AAC/B,WAAO;EACT;EAEOM,kBAAkBN,UAAsD;AAC7E,SAAKJ,SAASW,iBAAiBP;AAC/B,WAAO;EACT;EAEOQ,sCAAsCC,SAA6E;AACxH,SAAKb,SAASc,wCAAwCD;AACtD,WAAO;EACT;EAEOE,+CAA+CC,MAA8E;AAClI,SAAKhB,SAASiB,mDAAmDD;AACjE,WAAO;EACT;EAEOE,yBAAyBd,UAAsD;AACpF,SAAKJ,SAASmB,wBAAwBf;AACtC,WAAO;EACT;EAEOgB,oBAAoBC,QAAwE;AACjG,SAAKrB,SAASsB,mBAAmBD;AACjC,WAAO;EACT;EAEOE,2BAA2BC,OAAqE;AACrG,SAAKxB,SAASyB,2BAA2BD;AACzC,WAAO;EACT;EAEOE,2BAA2BC,OAAqE;AACrG,SAAK3B,SAAS4B,2BAA2BD;AACzC,WAAO;EACT;EAEOE,wBAAwBL,OAAkE;AAC/F,SAAKxB,SAAS8B,wBAAwBN;AACtC,WAAO;EACT;EAEOO,yBAAyBC,KAAiD;AAC/E,SAAKhC,SAASiC,wBAAwBD;AACtC,WAAO;EACT;EAEOE,uBAAuBC,SAAuD;AACnF,SAAKnC,SAASoC,uBAAuBD;AACrC,WAAO;EACT;EAEOE,gBAAgBC,KAAiD;AACtE,SAAKtC,SAASuC,gBAAgBD;AAC9B,WAAO;EACT;EAEOE,aAAaF,KAAiD;AACnE,SAAKtC,SAASyC,aAAaH;AAC3B,WAAO;EACT;EAEOI,uBAAuBtC,UAAsD;AAClF,SAAKJ,SAAS2C,sBAAsBvC;AACpC,WAAO;EACT;EAEOwC,2CAA2C/B,SAAkF;AAClI,SAAKb,SAAS6C,6CAA6ChC;AAC3D,WAAO;EACT;EAEOiC,oDAAoD9B,MAAmF;AAC5I,SAAKhB,SAAS+C,wDAAwD/B;AACtE,WAAO;EACT;EAEOgC,0BAA0B5C,UAAsD;AACrF,SAAKJ,SAASiD,yBAAyB7C;AACvC,WAAO;EACT;EAEO8C,kCAAkCrC,SAA6E;AACpH,SAAKb,SAASmD,mCAAmCtC;AACjD,WAAO;EACT;EAEOuC,uCAAuChD,UAAsD;AAClG,SAAKJ,SAASqD,wCAAwCjD;AACtD,WAAO;EACT;EAEOkD,uCAAuCC,UAAuD;AACnG,SAAKvD,SAASwD,wCAAwCD;AACtD,WAAO;EACT;EAEOE,+CAA+CC,WAAwD;AAC5G,SAAK1D,SAAS,iDAAA,IAAqD0D;AACnE,WAAO;EACT;EAEOC,kCAAkC3C,MAAoE;AAC3G,SAAKhB,SAAS4D,oCAAoC5C;AAClD,WAAO;EACT;;EAGO6C,gCAAgCH,WAAwD;AAC7F,SAAK1D,SAAS8D,gCAAgCJ;AAC9C,WAAO;EACT;EAEOK,uCAAuCL,WAAwD;AACpG,SAAK1D,SAASgE,wCAAwCN;AACtD,WAAO;EACT;EAEOO,+BAA+BP,WAAwD;AAC5F,SAAK1D,SAASkE,+BAA+BR;AAC7C,WAAO;EACT;EAEOS,sCAAsCT,WAAwD;AACnG,SAAK1D,SAASoE,uCAAuCV;AACrD,WAAO;EACT;EAEOW,qBAAqBjE,UAAsD;AAChF,SAAKJ,SAASsE,oBAAoBlE;AAClC,WAAO;EACT;EAEOmE,uBAAuBvC,KAAiD;AAC7E,SAAKhC,SAASwE,uBAAuBxC;AACrC,WAAO;EACT;EAEOyC,uBAAuBrE,UAAsD;AAClF,SAAKJ,SAAS0E,uBAAuBtE;AACrC,WAAO;EACT;EAEOuE,uBAAuBC,QAAsD;AAClF,SAAK5E,SAAS6E,uBAAuBD;AACrC,WAAO;EACT;EAEOE,0BAA0BtD,OAAqD;AACpF,SAAKxB,SAAS+E,0BAA0BvD;AACxC,WAAO;EACT;EAEOwD,2CAA2ChE,MAAoD;AACpG,SAAKhB,SAASiF,8CAA8CjE;AAC5D,WAAO;EACT;EAEOkE,2BAA2BN,QAAsD;AACtF,SAAK5E,SAASmF,2BAA2BP;AACzC,WAAO;EACT;EAEOQ,wBAAwB5D,OAAqD;AAClF,SAAKxB,SAASqF,wBAAwB7D;AACtC,WAAO;EACT;EAEO8D,oBAAoBC,QAAsD;AAC/E,SAAKvF,SAASwF,mBAAmBD;AACjC,WAAO;EACT;EAEOE,6BAA6B/B,WAAwD;AAC1F,SAAK1D,SAAS0F,6BAA6BhC;AAC3C,WAAO;EACT;;EAGOiC,uBAAuBvF,UAAsD;AAClF,SAAKJ,SAAS4F,sBAAsBxF;AACpC,WAAO;EACT;EAEOyF,+BAA+BzF,UAAsD;AAC1F,SAAKJ,SAAS8F,+BAA+B1F;AAC7C,WAAO;EACT;EAEO2F,QAAqC;AAC1C,QAAI,CAAC,KAAK/F,SAASE,QAAQ;AACzB,YAAM,IAAI8F,MAAM,oBAAA;IAClB;AAEA,QAAI,CAAC,KAAKhG,SAASyB,0BAA0B;AAC3C,YAAM,IAAIuE,MAAM,sCAAA;IAClB;AAEA,WAAO,KAAKhG;EACd;AACF;;;AC3OA,IAAAiG,wBAAoD;AACpD,IAAAC,yBAyBO;AAmBA,IAAMC,sBAAsB,8BACjCC,SAAAA;AAOA,QAAM,EACJC,SACAC,mBACAC,KACAC,2BACAC,gBACAC,mBACAC,kBACAC,sBAAsB,WAAU,IAC9BR;AAEJ,MAAIQ,wBAAwB,YAAY;AACtC,UAAM,IAAIC,kCACR,KACAC,0CAAmBC,iBACnB,yBAAyBH,mBAAAA,yFAA4G;EAEzI;AACA,QAAMI,OAAM,oBAAIC,KAAAA,GAAOC,QAAO,IAAK;AACnC,QAAMC,MAAMH,MAAMP;AAClB,QAAMW,MAAMf,UAAU;IAAEe,KAAK;MAAEC,KAAK,UAAMC,8CAAuBjB,SAAS,QAAA;IAAU;EAAE,IAAIkB;AAC1F,QAAMC,MAAW;IACfC,QAAQ;MAAEC,KAAK;MAAOnB,KAAKA,OAAOoB,2BAAIC;IAAM;IAC5CC,SAAS;MACPb;MACAG;MACAW,KAAKxB;MACL,GAAGc;MACH,GAAIV,qBAAqB;QAAEA;MAAkB;;;;MAI7CqB,YAAY1B,UAAU,SAAS;MAC/B,GAAGM;IACL;EACF;AACA,SAAO,MAAMH,0BAA0BgB,GAAAA;AACzC,GA7CmC;AA+C5B,IAAMQ,eAAe,wBAACC,eAAuCC,cAAAA;AAClE,MAAID,cAAcE,iBAAiBC,kBAAkBC,QAAQ;AAE3D,WACEC,OAAOC,KAAKN,cAAcE,iBAAiBC,kBAAkBC,MAAAA,EAAQG,SAASC,kCAAWC,mBAAmB,KAC5GR,cAAcO,kCAAWC;EAE7B;AACA,SAAO;AACT,GAT4B;AAWrB,IAAMC,gCAAgC,8BAC3CC,SACAxC,SAAAA;AAMA,QAAM,EAAEyC,yBAAyBC,oBAAoBC,iBAAgB,IAAK3C;AAG1E,MAAIwC,QAAQI,eAAeP,kCAAWQ,oBAAoB;AACxD,QAAI,CAACL,QAAQM,QAAQ,CAACH,kBAAkB;AACtC,YAAM,IAAIlC,kCAAW,KAAKC,0CAAmBC,iBAAiB,6BAAA;IAChE;AAIA,UAAMoC,kBAAoDC,MAAMC,KAAKN,iBAAiBO,OAAM,CAAA,EAAIC,KAC9F,CAACC,SAASA,KAAKC,uBAAuBb,QAAQM,IAAI;AAGpD,QAAI,CAACC,iBAAiB;AACpB,YAAM,IAAItC,kCAAW,KAAKC,0CAAmB4C,eAAe,4BAAA;IAC9D;AAGA,UAAMC,YAAYf,QAAQM;AAC1B,QAAIU,0BAAyB,MAAMf,wBAAwBgB,IAAIF,SAAAA;AAE/D,QAAI,CAACC,yBAAwB;AAE3BA,MAAAA,0BAAyB;QACvBE,WAAW7C,KAAK8C,IAAG;QACnBC,eAAe/C,KAAK8C,IAAG;QACvBE,QAAQC,mCAAYC;QACpBC,qBAAiBC,8BAAAA;QACjBlC,iBAAiB;UACfC,kBAAkB;YAChBkC,mBAAmB;YACnBC,8BAA8B,CAAA;YAC9BlC,QAAQ,CAAC;UACX;QACF;QACAmC,sBAAsBrB,iBAAiBsB;QACvCC,mBAAmB9B,QAAQM;MAC7B;AACA,YAAML,wBAAwB8B,IAAIhB,WAAWC,uBAAAA;IAC/C,OAAO;AACLA,MAAAA,wBAAuBY,uBAAuBrB,iBAAiBsB;AAC/Db,MAAAA,wBAAuBc,oBAAoB9B,QAAQM;AACnDU,MAAAA,wBAAuBK,SAASC,mCAAYC;AAC5CP,MAAAA,wBAAuBI,gBAAgB/C,KAAK8C,IAAG;AAC/C,YAAMlB,wBAAwB8B,IAAIhB,WAAWC,uBAAAA;IAC/C;AAEA,WAAO;MAAEgB,gBAAgBhB;IAAuB;EAClD;AAGA,MAAIhB,QAAQI,eAAeP,kCAAWC,qBAAqB;AACzD,UAAM,IAAI7B,kCAAW,KAAKC,0CAAmB4C,eAAemB,mDAAAA;EAC9D;AAGA,MAAI,CAACjC,QAAQkC,4CAAAA,GAAwB;AACnC,UAAM,IAAIjE,kCAAW,KAAKC,0CAAmBC,iBAAiBgE,yDAAAA;EAChE;AAEA,QAAMnB,yBAAyB,MAAMf,wBAAwBmC,YAAYpC,QAAQkC,4CAAAA,CAAsB;AACvGlB,yBAAuBK,SAASC,mCAAYC;AAC5CP,yBAAuBI,gBAAgB,CAAC,oBAAI/C,KAAAA;AAC5C,QAAM4B,wBAAwB8B,IAAI/B,QAAQkC,4CAAAA,GAAwBlB,sBAAAA;AAClE,MAAI,CAAC5B,aAAa4B,wBAAwBhB,QAAQI,UAAU,GAAG;AAC7D,UAAM,IAAInC,kCAAW,KAAKC,0CAAmB4C,eAAemB,mDAAAA;EAC9D;AAMA,MACE,CAACjB,uBAAuBzB,gBAAgBC,kBAAkBC,SAASI,kCAAWC,mBAAmB,GAAGuC,WACpGrC,QAAQqC,WACR,CAACrC,QAAQsC,UACT;AAEA,UAAM,IAAIrE,kCAAW,KAAKC,0CAAmBC,iBAAiBoE,kDAAAA;EAChE,WACE,CAACvB,uBAAuBzB,gBAAgBC,kBAAkBC,SAASI,kCAAWC,mBAAmB,GAAG0C,qBACpGxC,QAAQsC,YACR,CAACtC,QAAQqC,SACT;AAEA,UAAM,IAAIpE,kCAAW,KAAKC,0CAAmBC,iBAAiBoE,kDAAAA;EAChE;AAKA;;IAEE,CAAC,CAACvB,uBAAuBzB,gBAAgBC,kBAAkBC,SAASI,kCAAWC,mBAAmB,GAAGuC,WACrG,CAACrC,QAAQqC;IACT;AACA,QAAIrC,QAAQsC,UAAU;AACpB,YAAM,IAAIrE,kCAAW,KAAKC,0CAAmBC,iBAAiBsE,kDAAAA;IAChE;AACA,UAAM,IAAIxE,kCAAW,KAAKC,0CAAmBC,iBAAiBuE,8CAAAA;EAChE;;IAEE1B,uBAAuBzB,gBAAgBC,kBAAkBC,SAASI,kCAAWC,mBAAmB,GAAG0C,qBACnG,CAACxB,uBAAuBzB,gBAAgBC,kBAAkBC,SAASI,kCAAWC,mBAAmB,GAAGuC,WACpG,CAACrC,QAAQsC;IACT;AACA,QAAItC,QAAQqC,SAAS;AACnB,YAAM,IAAIpE,kCAAW,KAAKC,0CAAmBC,iBAAiBsE,kDAAAA;IAChE;AACA,UAAM,IAAIxE,kCAAW,KAAKC,0CAAmBC,iBAAiBuE,8CAAAA;EAChE;AAEA,MAAIC,2BAA2B3B,wBAAwBd,kBAAAA,GAAqB;AAC1E,UAAM,IAAIjC,kCAAW,KAAKC,0CAAmB4C,eAAe8B,kDAAAA;EAC9D,WACE5C,QAAQkC,4CAAAA,MACRlB,uBAAuBzB,iBAAiBC,kBAAkBC,SAASI,kCAAWC,mBAAmB,IAAIoC,4CAAAA,GACrG;AACA,UAAM,IAAIjE,kCAAW,KAAKC,0CAAmB4C,eAAe+B,kDAAAA;EAC9D;AAMA,MAAI7C,QAAQqC,SAAS;AACnB,UAAMS,cAAc9B,uBAAuBzB,gBAAgBC,kBAAkBC,SAASI,kCAAWC,mBAAmB,GAAGuC;AACvH,QAAI,CAACS,aAAa;AAChB,YAAM,IAAI7E,kCAAW,KAAKC,0CAAmBC,iBAAiBoE,kDAAAA;IAChE,WAAWO,YAAYC,eAAe,QAAQ;AAC5C,UAAI,CAACC,OAAO,SAASF,YAAYG,MAAM,EAAE,EAAEC,KAAKlD,QAAQqC,OAAO,GAAG;AAChE,cAAM,IAAIpE,kCAAW,KAAKC,0CAAmB4C,eAAe,GAAGqC,2CAAAA,IAAwBL,YAAYG,MAAM,EAAE;MAC7G;IACF,OAAO;AACL,UAAI,CAACD,OAAO,SAASF,YAAYG,MAAM,GAAG,EAAEC,KAAKlD,QAAQqC,OAAO,GAAG;AACjE,cAAM,IAAIpE,kCAAW,KAAKC,0CAAmB4C,eAAe,GAAGqC,2CAAAA,IAAwBL,YAAYG,MAAM,EAAE;MAC7G;IACF;AACA,QAAIjD,QAAQqC,YAAYrB,uBAAuBoC,QAAQ;AACrD,YAAM,IAAInF,kCAAW,KAAKC,0CAAmB4C,eAAeuC,0CAAAA;IAC9D;EACF,WAAWrD,QAAQsC,UAAU;AAC3B,QAAI,CAAC,aAAaY,KAAKlD,QAAQsC,QAAQ,GAAG;AACxC,YAAM,IAAIrE,kCAAW,KAAKC,0CAAmB4C,eAAe,GAAGqC,2CAAAA,MAA0B;IAC3F,WAAWnD,QAAQsC,aAAatB,uBAAuBoC,QAAQ;AAC7D,YAAM,IAAInF,kCAAW,KAAKC,0CAAmB4C,eAAeuC,0CAAAA;IAC9D;EACF;AAEA,SAAO;IAAErB,gBAAgBhB;EAAuB;AAClD,GA/J6C;AAiKtC,IAAMsC,4BAA4B,8BACvCtD,SACAxC,SAAAA;AAcA,QAAM,EACJC,SACAwC,yBACAsD,SACAC,iBACA3F,gBACAH,mBACAE,2BACA6F,UACAzF,sBAAsB,WAAU,IAC9BR;AAEJ,MAAIkG;AACJ,MAAI1C;AAEJ,MAAIhB,QAAQI,eAAeP,kCAAWQ,oBAAoB;AACxDqD,iBAAa1D,QAAQM;AACrBU,6BAAyB,MAAMf,wBAAwBmC,YAAYsB,UAAAA;EACrE,OAAO;AACLA,iBAAa1D,QAAQkC,4CAAAA;AACrBlB,6BAAyB,MAAMf,wBAAwBmC,YAAYsB,UAAAA;EACrE;AAEA,QAAMC,SAASnG,KAAKmG,cAAUlC,8BAAAA;AAC9B,QAAM8B,QAAQxB,IAAI4B,QAAQ;IAAEA;IAAQzC,WAAW,CAAC,oBAAI7C,KAAAA;EAAO,CAAA;AAE3D,QAAMuF,eAAe,MAAMrG,oBAAoB;IAC7CM;IACAD;IACAE,mBAAmB4F;IACnBhG;IACAD;IACAO;EACF,CAAA;AAEAgD,yBAAuBK,SAASC,mCAAYuC;AAC5C7C,yBAAuBI,gBAAgB,CAAC,oBAAI/C,KAAAA;AAE5C,QAAMyF,WAAgC;IACpCF;IACAzE,YAAY1B,UAAU,SAAS;IAC/BsG,YAAYlG;IACZmG,SAASL;IACTM,oBAAoBT;IACpBC;IACA,GAAIzC,uBAAuBY,wBAAwB;MACjDC,uBAAuBb,uBAAuBY,qBAAqBsC,IAAI,CAACC,WAAAA;AACtE,YAAI,OAAOA,WAAW,UAAU;AAC9B,iBAAOA;QACT;AACA,eAAO;UACL,GAAGA;UACHC,wBAAwBC,8BAA8BF,QAAQnD,sBAAAA;QAChE;MACF,CAAA;IACF;EACF;AACA,QAAMf,wBAAwB8B,IAAI2B,YAAY1C,sBAAAA;AAC9C,SAAO8C;AACT,GA3EyC;;;AZrQlC,IAAMQ,MAAuCC,mCAAYC,IAAI,yBAAA;","names":["import_oid4vci_common","CredentialSupportedBuilderV1_15","format","scope","credentialName","credentialDefinition","cryptographicBindingMethodsSupported","credentialSigningAlgValuesSupported","proofTypesSupported","display","claims","vct","doctype","withFormat","credentialFormat","withCredentialName","withCredentialDefinition","type","Error","withScope","withVct","withDoctype","addCryptographicBindingMethod","method","Array","isArray","withCryptographicBindingMethod","addCredentialSigningAlgValuesSupported","algValues","withCredentialSigningAlgValuesSupported","addProofTypesSupported","keyProofType","proofType","withProofTypesSupported","addCredentialSupportedDisplay","credentialDisplay","withCredentialSupportedDisplay","withClaims","addClaim","claim","push","build","TokenErrorResponse","invalid_request","credentialSupported","credential_definition","credential_signing_alg_values_supported","cryptographic_binding_methods_supported","supportedConfiguration","import_oid4vci_common","import_oid4vc_common","import_oid4vci_common","import_oid4vci_common","createCredentialOfferGrants","inputGrants","Object","keys","length","undefined","grants","PRE_AUTH_GRANT_LITERAL","grant","uuidv4","tx_code","authorization_code","issuer_state","parseCredentialOfferSchemeAndBaseUri","scheme","baseUri","credentialIssuer","newScheme","replace","includes","split","newBaseUri","startsWith","Error","createCredentialOfferObject","issuerMetadata","opts","credentialOffer","credentialOfferUri","credential_offer","credential_configurations_supported","credential_issuer","credential_configuration_ids","client_id","credential_offer_uri","createCredentialOfferURIFromObject","offerMode","encodeURIComponent","JSON","stringify","createCredentialOfferURI","isPreAuthorizedCodeExpired","state","expirationDurationInSeconds","now","Date","expirationTime","createdAt","assertValidPinNumber","pin","pinLength","RegExp","test","PIN_NOT_MATCH_ERROR","generateCredentialIdentifiers","authDetail","session","identifiers","credential_configuration_id","configId","hasConfig","push","format","import_oid4vc_common","oidcAccessTokenVerifyCallback","opts","clientMetadata","client_id","credentialIssuer","args","oidcIssuer","oidcDiscoverIssuer","issuerUrl","authorizationServer","oidcClient","oidcGetClient","issuer","introspection","introspect","jwt","active","Promise","reject","Error","header","decodeProtectedHeader","payload","decodeJwt","alg","jwk","x5c","kid","import_oid4vci_common","MemoryStates","expiresInMS","states","cleanupIntervalId","opts","expiresInSec","undefined","Map","clearAll","clear","clearExpired","timestamp","Array","from","entries","ts","Date","id","state","expiresAt","delete","createdAt","Error","getAsserted","result","has","get","STATE_MISSING_ERROR","set","stateValue","startCleanupRoutine","timeout","setInterval","stopCleanupRoutine","clearInterval","lookupStateManagerMultiGetAsserted","args","value","lookupStateManagerMultiGet","Promise","reject","Error","id","lookups","keyValueMapper","valueStateManager","lookup","LookupStateManager","get","e","startCleanupRoutine","timeout","stopCleanupRoutine","clearAll","clearExpired","timestamp","assertedValueId","key","prop","valueId","getAsserted","then","keyState","undefined","delete","has","set","_id","_stateValue","setMapped","valueKey","keyObject","stateValue","keys","CredentialOfferStateBuilder","credentialOfferState","credentialOffer","createdAt","timestamp","build","Date","Error","shortUUID","ShortUUID","VcIssuer","_issuerMetadata","_authorizationServerMetadata","_defaultCredentialOfferBaseUri","_credentialSignerCallback","_jwtVerifyCallback","_credentialDataSupplier","_credentialOfferSessions","_cNonces","_uris","_cNonceExpiresIn","_asClientOpts","issuerMetadata","authorizationServerMetadata","args","defaultCredentialOfferBaseUri","credentialOfferSessions","MemoryStates","uris","cNonces","credentialSignerCallback","jwtVerifyCallback","credentialDataSupplier","cNonceExpiresIn","process","env","C_NONCE_EXPIRES_IN","parseInt","asClientOpts","getCredentialOfferSessionById","id","lookups","Array","isArray","length","Promise","reject","Error","lookupStateManagerMultiGetAsserted","keyValueMapper","valueStateManager","session","get","deleteCredentialOfferSessionById","preAuthorizedCode","has","delete","issuerState","processNotification","notification","sessionId","undefined","LOG","error","notification_id","info","updateSession","createCredentialOfferURI","opts","offerMode","correlationId","generate","credential_configuration_ids","statusListOpts","credentialOfferUri","redirectUri","grants","pinLength","PRE_AUTH_GRANT_LITERAL","tx_code","baseUri","credentialOfferObject","createCredentialOfferObject","credentialOffer","credential_issuer","preAuthGrant","credential_offer","authGrant","authorization_code","issuer_state","txCode","userPin","Math","round","pow","random","padStart","assertValidPinNumber","createdAt","Date","lastUpdatedAt","expirationInMs","sessionLifeTimeInSec","expiresAt","abs","offerUri","replace","credential_offer_uri","set","uri","toUniformCredentialOfferRequest","version","OpenId4VCIVersion","VER_1_0_15","resolve","status","IssueStatus","OFFER_CREATED","uuidv4","client_id","clientId","credentialDataSupplierInput","statusLists","createCredentialOfferURIFromObject","lookupManager","LookupStateManager","setMapped","qrCodeDataUri","qrCodeOpts","AwesomeQR","qrCode","text","draw","toString","credentialOfferResult","EVENTS","emit","CredentialOfferEventNames","OID4VCI_OFFER_CREATED","eventName","data","initiator","initiatorType","InitiatorType","EXTERNAL","system","System","OID4VCI","issuer","subsystem","SubSystem","API","issueCredential","credentialRequest","issuerCorrelation","credential_configuration_id","credential_configurations_supported","TokenErrorResponse","invalid_request","credential_identifier","authorizationDetails","validIdentifiers","flatMap","detail","credential_identifiers","includes","format","lookupCredentialFormat","validated","validateCredentialRequestProof","tokenExpiresIn","preAuthSession","authSession","cNonceState","jwtVerifyResult","did","jwk","kid","newcNonce","newCNonce","newcNonceState","cNonce","credential","signerCallback","result","credentialSupplierConfig","credential_supplier_config","signCallback","CredentialMapper","isSdJwtDecodedCredentialPayload","cnf","credentialSubject","credentialSubjects","map","subject","iss","verifiableCredential","issueCredentialImpl","CREDENTIAL_MISSING_ERROR","CREDENTIAL_ISSUED","response","credentials","c_nonce","c_nonce_expires_in","experimentalSubjectIssuance","credential_subject_issuance","subject_proof_mode","transaction_id","credentialConfig","credentialIdentifier","matchedConfig","Object","values","find","config","vct","issueState","ERROR","event","NOTIFICATION_CREDENTIAL_ACCEPTED","NOTIFICATION_CREDENTIAL_DELETED","NOTIFICATION_CREDENTIAL_FAILURE","message","supportedIssuanceFormats","verifyFn","JWT_VERIFY_CONFIG_ERROR","credReq","proof","proofs","proofCandidates","push","jwt","jwtProof","proof_type","availableTypes","keys","join","validationErrors","msg","String","didDocument","header","payload","aud","iat","nonce","getAsserted","alg","x5c","typ","TYP_ERROR","ALG_ERROR","KID_JWK_X5C_ERROR","KID_DID_NO_DID_ERROR","console","log","DID_NO_DIDDOC_ERROR","CREDENTIAL_REQUEST_RECEIVED","NO_ISS_IN_AUTHORIZATION_CODE_CONTEXT","AUD_ERROR","IAT_ERROR","issuerCallback","ISSUER_CONFIG_ERROR","CredentialEventNames","OID4VCI_CREDENTIAL_ISSUED","VC_ISSUER","value","VcIssuerBuilder","issuerMetadataBuilder","issuerMetadata","authorizationServerMetadata","asClientOpts","txCode","defaultCredentialOfferBaseUri","userPinRequired","cNonceExpiresIn","credentialOfferStateManager","credentialOfferURIManager","cNonceStateManager","credentialSignerCallback","jwtVerifyCallback","credentialDataSupplier","withIssuerMetadata","credential_configurations_supported","Error","withASClientMetadata","clientMetadata","withASClientMetadataParams","client_id","client_secret","redirect_uris","response_types","other","withAuthorizationMetadata","withIssuerMetadataBuilder","builder","withDefaultCredentialOfferBaseUri","baseUri","withCredentialIssuer","issuer","credential_issuer","withAuthorizationServers","authorizationServers","authorization_servers","withCredentialEndpoint","credentialEndpoint","credential_endpoint","withTokenEndpoint","tokenEndpoint","token_endpoint","withNonceEndpoint","nonceEndpoint","nonce_endpoint","withIssuerDisplay","issuerDisplay","display","Array","isArray","addIssuerDisplay","withCredentialConfigurationsSupported","credentialConfigurationsSupported","addCredentialConfigurationsSupported","id","supportedCredential","withTXCode","withCredentialOfferURIStateManager","withInMemoryCredentialOfferURIState","MemoryStates","withCredentialOfferStateManager","credentialOfferManager","withInMemoryCredentialOfferState","withCNonceStateManager","cNonceManager","withInMemoryCNonceState","withCNonceExpiresIn","withCredentialSignerCallback","cb","withJWTVerifyCallback","verifyCallback","withCredentialDataSupplier","build","TokenErrorResponse","invalid_request","Object","keys","length","metadata","oidcAccessTokenVerifyCallback","credentialIssuer","authorizationServer","VcIssuer","credentialOfferSessions","cNonces","uris","DisplayBuilder","name","locale","additionalProperties","logo","backgroundColor","textColor","withName","withLocale","withLogo","uri","Error","withBackgroundColor","withTextColor","withAdditionalProperties","properties","addAdditionalProperty","key","value","build","background_color","text_color","IssuerMetadataBuilderV1_15","credentialEndpoint","nonceEndpoint","credentialIssuer","supportedBuilders","credentialConfigurationsSupported","displayBuilders","display","batchCredentialIssuance","authorizationServers","tokenEndpoint","authorizationChallengeEndpoint","credentialResponseEncryption","signedMetadata","credentialIdentifiersSupported","withBatchCredentialIssuance","withAuthorizationServers","withAuthorizationServer","authorizationServer","undefined","push","withAuthorizationChallengeEndpoint","withTokenEndpoint","withCredentialEndpoint","withNonceEndpoint","withCredentialIssuer","withCredentialResponseEncryption","withSignedMetadata","withCredentialIdentifiersSupported","newSupportedCredentialBuilder","builder","CredentialSupportedBuilderV1_15","addSupportedCredentialBuilder","supportedCredentialBuilder","addCredentialConfigurationsSupported","id","supportedCredential","withIssuerDisplay","issuerDisplay","Array","isArray","addDisplay","addDisplayBuilder","displayBuilder","newDisplayBuilder","DisplayBuilder","build","Error","credential_configurations_supported","configurationsEntryList","map","forEach","configRecord","Object","keys","key","length","issuerMetadata","credential_issuer","credential_endpoint","nonce_endpoint","batch_credential_issuance","authorization_servers","token_endpoint","authorization_challenge_endpoint","credential_response_encryption","signed_metadata","credential_identifiers_supported","AuthorizationServerMetadataBuilder","metadata","withIssuer","issuer","withAuthorizationEndpoint","endpoint","authorization_endpoint","withAuthorizationChallengeEndpoint","authorization_challenge_endpoint","withTokenEndpoint","token_endpoint","withNonceEndpoint","nonce_endpoint","withTokenEndpointAuthMethodsSupported","methods","token_endpoint_auth_methods_supported","withTokenEndpointAuthSigningAlgValuesSupported","algs","token_endpoint_auth_signing_alg_values_supported","withRegistrationEndpoint","registration_endpoint","withScopesSupported","scopes","scopes_supported","withResponseTypesSupported","types","response_types_supported","withResponseModesSupported","modes","response_modes_supported","withGrantTypesSupported","grant_types_supported","withServiceDocumentation","url","service_documentation","withUILocalesSupported","locales","ui_locales_supported","withOpPolicyUri","uri","op_policy_uri","withOpTosUri","op_tos_uri","withRevocationEndpoint","revocation_endpoint","withRevocationEndpointAuthMethodsSupported","revocation_endpoint_auth_methods_supported","withRevocationEndpointAuthSigningAlgValuesSupported","revocation_endpoint_auth_signing_alg_values_supported","withIntrospectionEndpoint","introspection_endpoint","withCodeChallengeMethodsSupported","code_challenge_methods_supported","withPushedAuthorizationRequestEndpoint","pushed_authorization_request_endpoint","withRequirePushedAuthorizationRequests","required","require_pushed_authorization_requests","withPreAuthorizedGrantAnonymousAccessSupported","supported","withDPoPSigningAlgValuesSupported","dpop_signing_alg_values_supported","withFrontchannelLogoutSupported","frontchannel_logout_supported","withFrontchannelLogoutSessionSupported","frontchannel_logout_session_supported","withBackchannelLogoutSupported","backchannel_logout_supported","withBackchannelLogoutSessionSupported","backchannel_logout_session_supported","withUserinfoEndpoint","userinfo_endpoint","withCheckSessionIframe","check_session_iframe","withEndSessionEndpoint","end_session_endpoint","withAcrValuesSupported","values","acr_values_supported","withSubjectTypesSupported","subject_types_supported","withRequestObjectSigningAlgValuesSupported","request_object_signing_alg_values_supported","withDisplayValuesSupported","display_values_supported","withClaimTypesSupported","claim_types_supported","withClaimsSupported","claims","claims_supported","withClaimsParameterSupported","claims_parameter_supported","withCredentialEndpoint","credential_endpoint","withDeferredCredentialEndpoint","deferred_credential_endpoint","build","Error","import_oid4vc_common","import_oid4vci_common","generateAccessToken","opts","dPoPJwk","accessTokenIssuer","alg","accessTokenSignerCallback","tokenExpiresIn","preAuthorizedCode","additionalClaims","accessTokenProvider","TokenError","TokenErrorResponse","invalid_request","iat","Date","getTime","exp","cnf","jkt","calculateJwkThumbprint","undefined","jwt","header","typ","Alg","ES256","payload","iss","token_type","isValidGrant","assertedState","grantType","credentialOffer","credential_offer","grants","Object","keys","includes","GrantTypes","PRE_AUTHORIZED_CODE","assertValidAccessTokenRequest","request","credentialOfferSessions","expirationDuration","authRequestsData","grant_type","AUTHORIZATION_CODE","code","authRequestData","Array","from","values","find","data","authorization_code","invalid_grant","sessionId","credentialOfferSession","get","createdAt","now","lastUpdatedAt","status","IssueStatus","ACCESS_TOKEN_REQUESTED","notification_id","uuidv4","credential_issuer","credential_configuration_ids","authorizationDetails","authorization_details","authorizationCode","set","preAuthSession","UNSUPPORTED_GRANT_TYPE_ERROR","PRE_AUTH_CODE_LITERAL","PRE_AUTHORIZED_CODE_REQUIRED_ERROR","getAsserted","tx_code","user_pin","USER_PIN_NOT_REQUIRED_ERROR","user_pin_required","USER_PIN_TX_CODE_SPEC_ERROR","USER_PIN_REQUIRED_ERROR","isPreAuthorizedCodeExpired","EXPIRED_PRE_AUTHORIZED_CODE","INVALID_PRE_AUTHORIZED_CODE","txCodeOffer","input_mode","RegExp","length","test","PIN_VALIDATION_ERROR","txCode","PIN_NOT_MATCH_ERROR","createAccessTokenResponse","cNonces","cNonceExpiresIn","interval","sessionKey","cNonce","access_token","ACCESS_TOKEN_CREATED","response","expires_in","c_nonce","c_nonce_expires_in","map","detail","credential_identifiers","generateCredentialIdentifiers","LOG","VCI_LOGGERS","get"]}