From 6a43dfa5a0253fdec0f0c366479f6fe76b2b8ace Mon Sep 17 00:00:00 2001
From: Rein Krul
Date: Fri, 8 Dec 2023 10:34:24 +0100
Subject: [PATCH] add nonce empty test
---
 auth/api/iam/s2s_vptoken.go | 8 ++++----
 auth/api/iam/s2s_vptoken_test.go | 35 ++++++++++++++++++++++++++++++++
 2 files changed, 39 insertions(+), 4 deletions(-)
diff --git a/auth/api/iam/s2s_vptoken.go b/auth/api/iam/s2s_vptoken.go
index 96b5a09c79..3fe1424424 100644
--- a/auth/api/iam/s2s_vptoken.go
+++ b/auth/api/iam/s2s_vptoken.go
@@ -238,9 +238,9 @@ func (r *Wrapper) validateS2SPresentationNonce(presentation vc.VerifiablePresent
 var nonce string
 switch presentation.Format() {
 case vc.JWTPresentationProofFormat:
- nonceRaw, hasNonce := presentation.JWT().Get("nonce")
- nonce, hasNonce = nonceRaw.(string)
- if !hasNonce {
+ nonceRaw, _ := presentation.JWT().Get("nonce")
+ nonce, _ = nonceRaw.(string)
+ if nonce == "" {
 return oauth.OAuth2Error{
 Code: oauth.InvalidRequest,
 Description: "presentation has invalid/missing nonce",
@@ -248,7 +248,7 @@ func (r *Wrapper) validateS2SPresentationNonce(presentation vc.VerifiablePresent
 }
 case vc.JSONLDPresentationProofFormat:
 proof, err := credential.ParseLDProof(presentation)
- if err != nil || proof.Nonce == nil {
+ if err != nil || proof.Nonce == nil || *proof.Nonce == "" {
 return oauth.OAuth2Error{
 Code: oauth.InvalidRequest,
 InternalError: err,
diff --git a/auth/api/iam/s2s_vptoken_test.go b/auth/api/iam/s2s_vptoken_test.go
index de36e661ac..b2fa4afedc 100644
--- a/auth/api/iam/s2s_vptoken_test.go
+++ b/auth/api/iam/s2s_vptoken_test.go
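Review bot: The JWT branch now discards both the claim-lookup flag and the type-assertion flag, so a missing claim, a non-string claim and an empty string all arrive at `if nonce == "" {` as the same zero value; that is correct but easy to misread as an oversight, so a one-line comment would protect it, e.g. `// missing, non-string and empty nonces all collapse to "" and are rejected together`. The JSON-LD hunk has the same shape: `proof.Nonce == nil || *proof.Nonce == ""` is safe only because of short-circuit evaluation, which deserves the same note. Both checks establish just that some non-empty string nonce is present; validateS2SPresentationNonce starts before the first hunk and continues past the second, so whether the value is then compared against the expected nonce is not visible here, and a whitespace-only nonce passes as written if no later comparison does that.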
@@ -245,6 +245,19 @@ func TestWrapper_handleS2SAccessTokenRequest(t *testing.T) {
 assert.EqualError(t, err, "invalid_request - presentation has invalid proof or nonce")
 assert.Nil(t, resp)
 })
+ t.Run("JSON-LD VP has empty nonce", func(t *testing.T) {
+ ctx := newTestClient(t)
+
+ proofVisitor := test.LDProofVisitor(func(proof *proof.LDProof) {
+ proof.Domain = &issuerDIDStr
+ proof.Nonce = new(string)
+ })
+ presentation := test.CreateJSONLDPresentation(t, *subjectDID, proofVisitor, verifiableCredential)
+
+ resp, err := ctx.client.handleS2SAccessTokenRequest(issuerDID, requestedScope, submissionJSON, presentation.Raw())
+ assert.EqualError(t, err, "invalid_request - presentation has invalid proof or nonce")
+ assert.Nil(t, resp)
+ })
 t.Run("JWT VP is missing nonce", func(t *testing.T) {
 ctx := newTestClient(t)
 presentation := test.CreateJWTPresentation(t, *subjectDID, func(token jwt.Token) {
@@ -254,6 +267,28 @@ func TestWrapper_handleS2SAccessTokenRequest(t *testing.T) {
 _, err := ctx.client.handleS2SAccessTokenRequest(issuerDID, requestedScope, submissionJSON, presentation.Raw())
+ require.EqualError(t, err, "invalid_request - presentation has invalid/missing nonce")
+ })
+ t.Run("JWT VP has empty nonce", func(t *testing.T) {
+ ctx := newTestClient(t)
+ presentation := test.CreateJWTPresentation(t, *subjectDID, func(token jwt.Token) {
+ _ = token.Set(jwt.AudienceKey, issuerDID.String())
+ _ = token.Set("nonce", "")
+ }, verifiableCredential)
+
+ _, err := ctx.client.handleS2SAccessTokenRequest(issuerDID, requestedScope, submissionJSON, presentation.Raw())
+
+ require.EqualError(t, err, "invalid_request - presentation has invalid/missing nonce")
+ })
+ t.Run("JWT VP nonce is not a string", func(t *testing.T) {
+ ctx := newTestClient(t)
+ presentation := test.CreateJWTPresentation(t, *subjectDID, func(token jwt.Token) {
+ _ = token.Set(jwt.AudienceKey, issuerDID.String())
+ _ = token.Set("nonce", true)
+ }, verifiableCredential)
+
+ _, err := ctx.client.handleS2SAccessTokenRequest(issuerDID, requestedScope, submissionJSON, presentation.Raw())
+
 require.EqualError(t, err, "invalid_request - presentation has invalid/missing nonce")
 })
 })
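Review bot: The two new JWT sub-tests discard the error from `token.Set("nonce", "")` and `token.Set("nonce", true)`, and since the missing-nonce case yields the identical "invalid_request - presentation has invalid/missing nonce" error, a failed Set would leave each test passing through the missing-nonce path rather than the one it is named for. Asserting the setup succeeds makes the name true, e.g. `require.NoError(t, token.Set("nonce", ""))` and `require.NoError(t, token.Set("nonce", true))`. The enclosing TestWrapper_handleS2SAccessTokenRequest begins before the hunk.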