merge

Dockerfile

@@ -1,5 +1,5 @@
 # golang alpine
-FROM golang:1.21.1-alpine as builder
+FROM golang:1.21.3-alpine as builder
 
 ARG TARGETARCH
 ARG TARGETOS

auth/api/auth/v1/api_test.go

@@ -40,6 +40,7 @@ import (
 	"github.com/stretchr/testify/require"
 	"go.uber.org/mock/gomock"
 	"net/http"
+	"net/http/httptest"
 	"net/url"
 	"reflect"
 	"testing"
@@ -165,8 +166,12 @@ func TestWrapper_GetSignSessionStatus(t *testing.T) {
 
 		response, err := ctx.wrapper.GetSignSessionStatus(ctx.audit, sessionObj)
 
-		assert.Equal(t, expectedResponse, response)
-		assert.NoError(t, err)
+		require.NoError(t, err)
+		actualResponseJSON := httptest.NewRecorder()
+		require.NoError(t, response.VisitGetSignSessionStatusResponse(actualResponseJSON))
+		expectedResponseJSON := httptest.NewRecorder()
+		require.NoError(t, expectedResponse.VisitGetSignSessionStatusResponse(expectedResponseJSON))
+		assert.JSONEq(t, string(expectedResponseJSON.Body.Bytes()), string(actualResponseJSON.Body.Bytes()))
 	})
 
 	t.Run("nok - SigningSessionStatus returns error", func(t *testing.T) {

auth/api/iam/api.go

@@ -36,7 +36,6 @@ import (
 	"html/template"
 	"net/http"
 	"strings"
-	"sync"
 )
 
 var _ core.Routable = &Wrapper{}
@@ -51,27 +50,25 @@ var assets embed.FS
 
 // Wrapper handles OAuth2 flows.
 type Wrapper struct {
-	vcr             vcr.VCR
-	vdr             vdr.VDR
-	auth            auth.AuthenticationServices
-	sessions        *SessionManager
-	storageInstance storage.Engine
-	templates       *template.Template
+	vcr           vcr.VCR
+	vdr           vdr.VDR
+	auth          auth.AuthenticationServices
+	templates     *template.Template
+	storageEngine storage.Engine
 }
 
-func New(authInstance auth.AuthenticationServices, vcrInstance vcr.VCR, vdrInstance vdr.VDR, storageInstance storage.Engine) *Wrapper {
+func New(authInstance auth.AuthenticationServices, vcrInstance vcr.VCR, vdrInstance vdr.VDR, storageEngine storage.Engine) *Wrapper {
 	templates := template.New("oauth2 templates")
 	_, err := templates.ParseFS(assets, "assets/*.html")
 	if err != nil {
 		panic(err)
 	}
 	return &Wrapper{
-		sessions:        &SessionManager{sessions: new(sync.Map)},
-		storageInstance: storageInstance,
-		auth:            authInstance,
-		vcr:             vcrInstance,
-		vdr:             vdrInstance,
-		templates:       templates,
+		storageEngine: storageEngine,
+		auth:          authInstance,
+		vcr:           vcrInstance,
+		vdr:           vdrInstance,
+		templates:     templates,
 	}
 }
 

auth/api/iam/api_test.go

@@ -254,7 +254,6 @@ func newTestClient(t testing.TB) *testCtx {
 	mockVerifier := verifier.NewMockVerifier(ctrl)
 	mockVCR := vcr.NewMockVCR(ctrl)
 	mockVCR.EXPECT().Verifier().Return(mockVerifier).AnyTimes()
-
 	authnServices := auth.NewMockAuthenticationServices(ctrl)
 	authnServices.EXPECT().PublicURL().Return(publicURL).AnyTimes()
 	presentationDefinitionResolver := pe.DefinitionResolver{}
@@ -265,17 +264,18 @@ func newTestClient(t testing.TB) *testCtx {
 	resolver := resolver.NewMockDIDResolver(ctrl)
 	vdr := vdr.NewMockVDR(ctrl)
 	vdr.EXPECT().Resolver().Return(resolver).AnyTimes()
+
 	return &testCtx{
 		authnServices: authnServices,
 		resolver:      resolver,
 		vdr:           vdr,
 		verifier:      mockVerifier,
 		vcr:           mockVCR,
 		client: &Wrapper{
-			auth:            authnServices,
-			vdr:             vdr,
-			vcr:             mockVCR,
-			storageInstance: storageEngine,
+			auth:          authnServices,
+			vdr:           vdr,
+			vcr:           mockVCR,
+			storageEngine: storageEngine,
 		},
 	}
 }

auth/api/iam/metadata.go

@@ -36,13 +36,7 @@ const (
 // IssuerIdToWellKnown converts the OAuth2 Issuer identity to the specified well-known endpoint by inserting the well-known at the root of the path.
 // It returns no url and an error when issuer is not a valid URL.
 func IssuerIdToWellKnown(issuer string, wellKnown string, strictmode bool) (*url.URL, error) {
-	var issuerURL *url.URL
-	var err error
-	if strictmode {
-		issuerURL, err = core.ParsePublicURL(issuer, false, "https")
-	} else {
-		issuerURL, err = core.ParsePublicURL(issuer, true, "https", "http")
-	}
+	issuerURL, err := core.ParsePublicURL(issuer, strictmode)
 	if err != nil {
 		return nil, err
 	}

auth/api/iam/openid4vp.go

@@ -24,6 +24,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"github.com/google/uuid"
 	"github.com/labstack/echo/v4"
 	ssi "github.com/nuts-foundation/go-did"
 	"github.com/nuts-foundation/go-did/did"
@@ -33,8 +34,11 @@ import (
 	"net/http"
 	"net/url"
 	"strings"
+	"time"
 )
 
+const sessionExpiry = 5 * time.Minute
+
 // createPresentationRequest creates a new Authorization Request as specified by OpenID4VP: https://openid.net/specs/openid-4-verifiable-presentations-1_0.html.
 // It is sent by a verifier to a wallet, to request one or more verifiable credentials as verifiable presentation from the wallet.
 func (r *Wrapper) sendPresentationRequest(ctx context.Context, response http.ResponseWriter, scope string,
@@ -145,7 +149,12 @@ func (r *Wrapper) handlePresentationRequest(params map[string]string, session *S
 	}
 	session.ServerState["openid4vp_credentials"] = credentialIDs
 
-	templateParams.SessionID = r.sessions.Create(*session)
+	sessionID := uuid.NewString()
+	err = r.storageEngine.GetSessionDatabase().GetStore(sessionExpiry, session.OwnDID.String(), "session").Put(sessionID, *session)
+	if err != nil {
+		return nil, err
+	}
+	templateParams.SessionID = sessionID
 
 	// TODO: Support multiple languages
 	buf := new(bytes.Buffer)
@@ -162,12 +171,16 @@ func (r *Wrapper) handlePresentationRequest(params map[string]string, session *S
 // handleAuthConsent handles the authorization consent form submission.
 func (r *Wrapper) handlePresentationRequestAccept(c echo.Context) error {
 	// TODO: Needs authentication?
-	var session *Session
-	if sessionID := c.FormValue("sessionID"); sessionID != "" {
-		session = r.sessions.Get(sessionID)
+	sessionID := c.FormValue("sessionID")
+	if sessionID == "" {
+		return errors.New("missing sessionID parameter")
 	}
-	if session == nil {
-		return errors.New("invalid session")
+
+	var session Session
+	sessionStore := r.storageEngine.GetSessionDatabase().GetStore(sessionExpiry, "openid", session.OwnDID.String(), "session")
+	err := sessionStore.Get(sessionID, &session)
+	if err != nil {
+		return fmt.Errorf("invalid session: %w", err)
 	}
 
 	// TODO: Change to loading from wallet

auth/api/iam/openid4vp_test.go

@@ -25,6 +25,7 @@ import (
 	"github.com/nuts-foundation/go-did/did"
 	"github.com/nuts-foundation/go-did/vc"
 	"github.com/nuts-foundation/nuts-node/auth"
+	"github.com/nuts-foundation/nuts-node/storage"
 	"github.com/nuts-foundation/nuts-node/vcr"
 	"github.com/nuts-foundation/nuts-node/vcr/credential"
 	"github.com/nuts-foundation/nuts-node/vcr/holder"
@@ -92,7 +93,7 @@ func TestWrapper_handlePresentationRequest(t *testing.T) {
 	t.Run("with scope", func(t *testing.T) {
 		ctrl := gomock.NewController(t)
 		peStore := &pe.DefinitionResolver{}
-		_ = peStore.LoadFromFile("test/presentation_definition_mapping.json")
+		require.NoError(t, peStore.LoadFromFile("test/presentation_definition_mapping.json"))
 		mockVDR := vdr.NewMockVDR(ctrl)
 		mockVCR := vcr.NewMockVCR(ctrl)
 		mockWallet := holder.NewMockWallet(ctrl)
@@ -101,7 +102,7 @@ func TestWrapper_handlePresentationRequest(t *testing.T) {
 		mockAuth.EXPECT().PresentationDefinitions().Return(peStore)
 		mockWallet.EXPECT().List(gomock.Any(), holderDID).Return(walletCredentials, nil)
 		mockVDR.EXPECT().IsOwner(gomock.Any(), holderDID).Return(true, nil)
-		instance := New(mockAuth, mockVCR, mockVDR, nil)
+		instance := New(mockAuth, mockVCR, mockVDR, storage.NewTestStorageEngine(t))
 
 		params := map[string]string{
 			"scope":               "eOverdracht-overdrachtsbericht",