Validate jwt: response token builder accept exp as function arg

.github/workflows/codeclimate-workflow-pr.yaml

@@ -43,7 +43,7 @@ jobs:
         run: npm run build
       - name: Lint packages
         run: npm run lint
-      - uses: paambaati/codeclimate-action@v2.7.1
+      - uses: paambaati/codeclimate-action@v2.6.0
         env:
           CC_TEST_REPORTER_ID: ${{secrets.CC_TEST_REPORTER_ID}}
           TEST_SECRETS: ${{secrets.INTEGRATION_TEST_SECRETS}}

.github/workflows/codeclimate-workflow.yaml

@@ -39,7 +39,7 @@ jobs:
         run: npm run build
       - name: Lint packages
         run: npm run lint
-      - uses: paambaati/codeclimate-action@v2.7.1
+      - uses: paambaati/codeclimate-action@v2.6.0
         env:
           CC_TEST_REPORTER_ID: ${{secrets.CC_TEST_REPORTER_ID}}
           TEST_SECRETS: ${{secrets.INTEGRATION_TEST_SECRETS}}

common-libs/did-auth-lib/CHANGELOG.md

@@ -1,3 +1,5 @@
+# release 3.0.0 (2023-08-29)
+* added expiration in Response Token Options
 # release 2.9.0 (2023-03-14)
 * add tenant token
 # release 2.8.0 (2023-03-08)

common-libs/did-auth-lib/README.md

@@ -76,6 +76,7 @@ Use `createDidAuthResponseToken` method to create `Did-Auth` response token(expi
  * authDidRequestToken {String} - signed JWT request token from the service
  * options {Object} (optional) - key value object with additional options
  * options.maxTokenValidInMs {Number} (optional) - maximum token validity period in milliseconds(12 hours by default)
+ * options.exp {Number} (optional) - `responseToken` expiration timestamp
  */
 const responseToken = await affinidiDidAuthService.createDidAuthResponseToken(authDidRequestToken, options)
 ```

common-libs/did-auth-lib/src/DidAuthService/DidAuthClientService.ts

@@ -25,7 +25,9 @@ export default class DidAuthClientService {
       )
     }
 
-    const jwtObject = await buildResponseJwtObject(didAuthRequestTokenStr)
+    const exp = options?.exp ?? undefined
+
+    const jwtObject = await buildResponseJwtObject(didAuthRequestTokenStr, exp)
 
     await this._signer.fillSignature(jwtObject)
 

common-libs/did-auth-lib/src/shared/builder.ts

@@ -1,15 +1,15 @@
 import { JwtService } from '@affinidi/tools-common'
 import { parse } from 'did-resolver'
 
-export const buildResponseJwtObject = async (didAuthRequestToken: string) => {
+export const buildResponseJwtObject = async (didAuthRequestToken: string, exp?: number) => {
   const didAuthRequestTokenDecoded = JwtService.fromJWT(didAuthRequestToken)
   const jwtType = 'DidAuthResponse'
   const NOW = Date.now()
 
   const jwtObject: any = await JwtService.buildJWTInteractionToken(null, jwtType, didAuthRequestTokenDecoded)
   jwtObject.payload.requestToken = didAuthRequestToken
   jwtObject.payload.aud = parse(didAuthRequestTokenDecoded.payload.iss).did
-  jwtObject.payload.exp = undefined
+  jwtObject.payload.exp = exp
   jwtObject.payload.createdAt = NOW
   return jwtObject
 }

common-libs/did-auth-lib/src/shared/types.ts

@@ -7,4 +7,5 @@ export interface VerifierOptions {
 
 export type CreateResponseTokenOptions = {
   maxTokenValidInMs?: number
+  exp?: number
 }

common-libs/did-auth-lib/test/integration/DidAuthService/DidAuthService.test.ts

@@ -5,6 +5,8 @@ import { Env } from '@affinidi/url-resolver'
 import AffinidiDidAuthService from './../../../src/DidAuthService/DidAuthService'
 import { verifierEncryptedSeed, verifierEncryptionKey, verifierFullDid, verifierDid } from '../../factory/verifier'
 import { holderEncryptedSeed, holderEncryptionKey, holderDid } from '../../factory/holder'
+import { DEFAULT_REQUEST_TOKEN_VALID_IN_MS } from './../../../src/shared/constants'
+import { CreateResponseTokenOptions } from './../../../src/shared/types'
 const { TEST_SECRETS } = process.env
 const { DEV_API_KEY_HASH } = JSON.parse(TEST_SECRETS)
 const env = {
@@ -74,7 +76,11 @@ module.exports = function () {
 
       const didAuthRequestToken = await verifierDidAuthService.createDidAuthRequestToken(holderDid)
 
-      const didAuthResponseToken = await holderDidAuthService.createDidAuthResponseToken(didAuthRequestToken)
+      const options: CreateResponseTokenOptions = {
+        exp: Date.now() + DEFAULT_REQUEST_TOKEN_VALID_IN_MS
+      }
+
+      const didAuthResponseToken = await holderDidAuthService.createDidAuthResponseToken(didAuthRequestToken, options)
 
       const result = await verifierDidAuthService.verifyDidAuthResponseToken(didAuthResponseToken, verifierOptions)
 

common-libs/did-auth-lib/test/unit/DidAuthService/DidAuthService.test.ts

@@ -12,6 +12,8 @@ import DidAuthServerService from '../../../src/DidAuthService/DidAuthServerServi
 import Signer from '../../../src/shared/Signer'
 import { Affinidi, KeysService, LocalKeyVault } from '@affinidi/common'
 import DidAuthClientService from '../../../src/DidAuthService/DidAuthClientService'
+import { DEFAULT_REQUEST_TOKEN_VALID_IN_MS } from './../../../src/shared/constants'
+import { CreateResponseTokenOptions } from './../../../src/shared/types'
 
 const env = {
   environment: <Env>'dev',
@@ -150,7 +152,11 @@ describe('AffinidiDidAuthService', () => {
 
     const didAuthRequestToken = await verifierDidAuthService.createDidAuthRequestToken(holderDid)
 
-    const didAuthResponseToken = await holderDidAuthService.createDidAuthResponseToken(didAuthRequestToken)
+    const options: CreateResponseTokenOptions = {
+      exp: Date.now() + DEFAULT_REQUEST_TOKEN_VALID_IN_MS
+    }
+
+    const didAuthResponseToken = await holderDidAuthService.createDidAuthResponseToken(didAuthRequestToken, options)
 
     const result = await verifierDidAuthService.verifyDidAuthResponseToken(didAuthResponseToken, verifierOptions)
 
@@ -174,7 +180,11 @@ describe('AffinidiDidAuthService', () => {
 
     const didAuthRequestToken = await serverService.createDidAuthRequestToken(holderDid)
 
-    const didAuthResponseToken = await clientService.createDidAuthResponseToken(didAuthRequestToken)
+    const options: CreateResponseTokenOptions = {
+      exp: Date.now() + DEFAULT_REQUEST_TOKEN_VALID_IN_MS
+    }
+
+    const didAuthResponseToken = await clientService.createDidAuthResponseToken(didAuthRequestToken, options)
 
     const result = await serverService.verifyDidAuthResponseToken(didAuthResponseToken)
 
@@ -267,4 +277,38 @@ describe('AffinidiDidAuthService', () => {
 
     expect(() => holderDidAuthService.isTokenExpired(token)).to.throw()
   })
+
+  it('#verifyDidAuthResponse -> invalid expiration for didAuthResponseToken ', async () => {
+    const { environment, accessApiKey } = env
+
+    nock(`https://affinity-registry.apse1.${environment}.affinidi.io`)
+      .post('/api/v1/did/resolve-did', /elem/gi)
+      .reply(200, mockVerifierElemDidDocument)
+
+    nock(`https://affinity-registry.apse1.${environment}.affinidi.io`)
+      .post('/api/v1/did/resolve-did', /elem/gi)
+      .reply(200, mockHolderElemDidDocument)
+
+    const clientService = createClientService()
+    const serverService = createServerService(environment, accessApiKey)
+
+    const didAuthRequestToken = await serverService.createDidAuthRequestToken(holderDid)
+
+    const options: CreateResponseTokenOptions = { exp: 42 }
+
+    const didAuthResponseToken = await clientService.createDidAuthResponseToken(didAuthRequestToken, options)
+
+    let invalidExpirationError
+    try {
+      console.log(didAuthResponseToken)
+      await serverService.verifyDidAuthResponseToken(didAuthResponseToken)
+    } catch (error) {
+      console.log(error.message)
+      invalidExpirationError = error
+    }
+
+    expect(invalidExpirationError).to.be.not.undefined
+    expect(invalidExpirationError.message).to.be.equal('Token expired or invalid expiration')
+    nock.cleanAll()
+  })
 })

common-libs/url-resolver/src/templates.ts

@@ -1,6 +1,6 @@
 import { Service } from './services'
 
-export const defaultTemplate = 'https://{{service}}.{{env}}.affinity-project.org'
+export const defaultTemplate = 'https://{{service}}.apse1.affinidi.io'
 
 export const defaultDevTemplate = 'https://{{service}}.apse1.{{env}}.affinidi.io'