From 39bde8f835a96509727f54cbdf2d4db9fa08df8b Mon Sep 17 00:00:00 2001
From: Timo Glastra <timo@animo.id>
Date: Wed, 13 Mar 2024 20:40:24 +0100
Subject: [PATCH] fix: use seconds for all expires in values

Signed-off-by: Timo Glastra <timo@animo.id>
---
 .../callback-example/lib/__tests__/issuerCallback.spec.ts | 2 +-
 packages/client/lib/__tests__/SdJwt.spec.ts               | 2 +-
 packages/issuer-rest/lib/__tests__/ClientIssuerIT.spec.ts | 2 +-
 .../issuer-rest/lib/__tests__/IssuerTokenServer.spec.ts   | 8 ++++----
 packages/issuer-rest/lib/oid4vci-api-functions.ts         | 4 ++--
 packages/issuer/lib/VcIssuer.ts                           | 7 ++-----
 packages/issuer/lib/__tests__/VcIssuer.spec.ts            | 2 +-
 packages/issuer/lib/tokens/index.ts                       | 3 ++-
 8 files changed, 14 insertions(+), 16 deletions(-)

diff --git a/packages/callback-example/lib/__tests__/issuerCallback.spec.ts b/packages/callback-example/lib/__tests__/issuerCallback.spec.ts
index be47ffa6..5a27a7bf 100644
--- a/packages/callback-example/lib/__tests__/issuerCallback.spec.ts
+++ b/packages/callback-example/lib/__tests__/issuerCallback.spec.ts
@@ -267,7 +267,7 @@ describe('issuerCallback', () => {
 
     expect(credentialResponse).toEqual({
       c_nonce: expect.any(String),
-      c_nonce_expires_in: 300000,
+      c_nonce_expires_in: 300,
       credential: {
         '@context': ['https://www.w3.org/2018/credentials/v1', 'https://w3id.org/security/suites/ed25519-2020/v1'],
         credentialSubject: {
diff --git a/packages/client/lib/__tests__/SdJwt.spec.ts b/packages/client/lib/__tests__/SdJwt.spec.ts
index bb02c364..01629035 100644
--- a/packages/client/lib/__tests__/SdJwt.spec.ts
+++ b/packages/client/lib/__tests__/SdJwt.spec.ts
@@ -153,7 +153,7 @@ describe('sd-jwt vc', () => {
 
       expect(credentials).toEqual({
         c_nonce: 'new-c-nonce',
-        c_nonce_expires_in: 300000,
+        c_nonce_expires_in: 300,
         credential: 'sd-jwt',
         format: 'vc+sd-jwt',
       });
diff --git a/packages/issuer-rest/lib/__tests__/ClientIssuerIT.spec.ts b/packages/issuer-rest/lib/__tests__/ClientIssuerIT.spec.ts
index 229b4388..034b7a2b 100644
--- a/packages/issuer-rest/lib/__tests__/ClientIssuerIT.spec.ts
+++ b/packages/issuer-rest/lib/__tests__/ClientIssuerIT.spec.ts
@@ -327,7 +327,7 @@ describe('VcIssuer', () => {
       proofCallbacks: { signCallback: proofOfPossessionCallbackFunction },
     })
     expect(credentialResponse).toMatchObject({
-      c_nonce_expires_in: 300000,
+      c_nonce_expires_in: 300,
       credential: {
         '@context': ['https://www.w3.org/2018/credentials/v1'],
         credentialSubject: {},
diff --git a/packages/issuer-rest/lib/__tests__/IssuerTokenServer.spec.ts b/packages/issuer-rest/lib/__tests__/IssuerTokenServer.spec.ts
index fde3285a..c5c7e759 100644
--- a/packages/issuer-rest/lib/__tests__/IssuerTokenServer.spec.ts
+++ b/packages/issuer-rest/lib/__tests__/IssuerTokenServer.spec.ts
@@ -148,7 +148,7 @@ describe('OID4VCIServer', () => {
           accessTokenSignerCallback: signerCallback,
           accessTokenIssuer: 'https://www.example.com',
           preAuthorizedCodeExpirationDuration: 2000,
-          tokenExpiresIn: 300000,
+          tokenExpiresIn: 300,
         },
       },
     })
@@ -172,11 +172,11 @@ describe('OID4VCIServer', () => {
     expect(actual).toEqual({
       access_token: expect.stringContaining('eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJpYXQi'),
       token_type: 'bearer',
-      expires_in: 300000,
+      expires_in: 300,
       c_nonce: expect.any(String),
-      c_nonce_expires_in: 300000,
+      c_nonce_expires_in: 300,
       authorization_pending: false,
-      interval: 300000,
+      interval: 300,
     })
   })
   it('should return http code 400 with message User pin is required', async () => {
diff --git a/packages/issuer-rest/lib/oid4vci-api-functions.ts b/packages/issuer-rest/lib/oid4vci-api-functions.ts
index cb5d7073..e84c7efd 100644
--- a/packages/issuer-rest/lib/oid4vci-api-functions.ts
+++ b/packages/issuer-rest/lib/oid4vci-api-functions.ts
@@ -79,8 +79,8 @@ export function accessTokenEndpoint<DIDDoc extends object>(
   const accessTokenIssuer = opts?.accessTokenIssuer ?? process.env.ACCESS_TOKEN_ISSUER ?? issuer.issuerMetadata.credential_issuer
 
   const preAuthorizedCodeExpirationDuration =
-    opts?.preAuthorizedCodeExpirationDuration ?? getNumberOrUndefined(process.env.PRE_AUTHORIZED_CODE_EXPIRATION_DURATION) ?? 300000
-  const interval = opts?.interval ?? getNumberOrUndefined(process.env.INTERVAL) ?? 300000
+    opts?.preAuthorizedCodeExpirationDuration ?? getNumberOrUndefined(process.env.PRE_AUTHORIZED_CODE_EXPIRATION_DURATION) ?? 300
+  const interval = opts?.interval ?? getNumberOrUndefined(process.env.INTERVAL) ?? 300
   const tokenExpiresIn = opts?.tokenExpiresIn ?? 300
 
   // todo: this means we cannot sign JWTs or issue access tokens when configured from env vars!
diff --git a/packages/issuer/lib/VcIssuer.ts b/packages/issuer/lib/VcIssuer.ts
index 66ffbf8b..04e439de 100644
--- a/packages/issuer/lib/VcIssuer.ts
+++ b/packages/issuer/lib/VcIssuer.ts
@@ -41,8 +41,6 @@ import { assertValidPinNumber, createCredentialOfferObject, createCredentialOffe
 import { LookupStateManager } from './state-manager'
 import { CredentialDataSupplier, CredentialDataSupplierArgs, CredentialIssuanceInput, CredentialSignerCallback } from './types'
 
-const SECOND = 1000
-
 export class VcIssuer<DIDDoc extends object> {
   private readonly _issuerMetadata: CredentialIssuerMetadataOpts
   private readonly _userPinRequired: boolean
@@ -79,8 +77,7 @@ export class VcIssuer<DIDDoc extends object> {
     this._credentialSignerCallback = args?.credentialSignerCallback
     this._jwtVerifyCallback = args?.jwtVerifyCallback
     this._credentialDataSupplier = args?.credentialDataSupplier
-    this._cNonceExpiresIn =
-      ((args?.cNonceExpiresIn ?? (process.env.C_NONCE_EXPIRES_IN ? parseInt(process.env.C_NONCE_EXPIRES_IN) : 300)) as number) * SECOND
+    this._cNonceExpiresIn = (args?.cNonceExpiresIn ?? (process.env.C_NONCE_EXPIRES_IN ? parseInt(process.env.C_NONCE_EXPIRES_IN) : 300)) as number
   }
 
   public getCredentialOfferSessionById(id: string): Promise<CredentialOfferSession> {
@@ -247,7 +244,7 @@ export class VcIssuer<DIDDoc extends object> {
       }
       const validated = await this.validateCredentialRequestProof({
         ...opts,
-        tokenExpiresIn: opts.tokenExpiresIn ?? 180000,
+        tokenExpiresIn: opts.tokenExpiresIn ?? 180,
       })
       preAuthorizedCode = validated.preAuthorizedCode
       issuerState = validated.issuerState
diff --git a/packages/issuer/lib/__tests__/VcIssuer.spec.ts b/packages/issuer/lib/__tests__/VcIssuer.spec.ts
index 4b4b08d3..62cc8068 100644
--- a/packages/issuer/lib/__tests__/VcIssuer.spec.ts
+++ b/packages/issuer/lib/__tests__/VcIssuer.spec.ts
@@ -362,7 +362,7 @@ describe('VcIssuer', () => {
       }),
     ).resolves.toEqual({
       c_nonce: 'new-test-nonce',
-      c_nonce_expires_in: 300000,
+      c_nonce_expires_in: 300,
       credential: {
         '@context': ['https://www.w3.org/2018/credentials/v1'],
         credentialSubject: {},
diff --git a/packages/issuer/lib/tokens/index.ts b/packages/issuer/lib/tokens/index.ts
index 7fe85786..4a51584e 100644
--- a/packages/issuer/lib/tokens/index.ts
+++ b/packages/issuer/lib/tokens/index.ts
@@ -43,7 +43,8 @@ export const generateAccessToken = async (
   },
 ): Promise<string> => {
   const { accessTokenIssuer, alg, accessTokenSignerCallback, tokenExpiresIn, preAuthorizedCode } = opts
-  const iat = new Date().getTime()
+  // JWT uses seconds for iat and exp
+  const iat = new Date().getTime() / 1000
   const exp = iat + tokenExpiresIn
   const jwt: Jwt = {
     header: { typ: 'JWT', alg: alg ?? Alg.ES256K },