From 57ca0203bb9f90bb9e9b21e22aa5bc492bfcff4c Mon Sep 17 00:00:00 2001
From: Mirko Mollik
Date: Thu, 25 Jul 2024 18:38:53 +0200
Subject: [PATCH 1/3] fix: remove bug for txCode
Signed-off-by: Mirko Mollik
---
 packages/issuer/lib/VcIssuer.ts | 1 -
 1 file changed, 1 deletion(-)
diff --git a/packages/issuer/lib/VcIssuer.ts b/packages/issuer/lib/VcIssuer.ts
index 3cd70b08..a5cfa435 100644
--- a/packages/issuer/lib/VcIssuer.ts
+++ b/packages/issuer/lib/VcIssuer.ts
@@ -192,7 +192,6 @@ export class VcIssuer {
 status,
 notification_id: v4(),
 ...(userPin && { txCode: userPin }), // We used to use userPin according to older specs. We map these onto txCode now. If both are used, txCode in the end wins, even if they are different
- ...(txCode && { txCode }),
 ...(opts.credentialDataSupplierInput && { credentialDataSupplierInput: opts.credentialDataSupplierInput }),
 credentialOffer,
 }
From 7e06eb3a7527df839b3e42e0c8218f96592f2da8 Mon Sep 17 00:00:00 2001
From: Mirko Mollik
Date: Fri, 26 Jul 2024 13:47:08 +0200
Subject: [PATCH 2/3] set tx_code in request
Signed-off-by: Mirko Mollik
---
 packages/client/lib/AccessTokenClient.ts | 2 +-
 packages/common/lib/types/Authorization.types.ts | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/packages/client/lib/AccessTokenClient.ts b/packages/client/lib/AccessTokenClient.ts
index adc0afcc..064da005 100644
--- a/packages/client/lib/AccessTokenClient.ts
+++ b/packages/client/lib/AccessTokenClient.ts
@@ -104,7 +104,7 @@ export class AccessTokenClient {
 if (credentialOfferRequest?.supportedFlows.includes(AuthzFlowType.PRE_AUTHORIZED_CODE_FLOW)) {
 this.assertAlphanumericPin(opts.pinMetadata, pin);
- request.user_pin = pin;
+ request.tx_code = pin;
 request.grant_type = GrantTypes.PRE_AUTHORIZED_CODE;
 // we actually know it is there because of the isPreAuthCode call
diff --git a/packages/common/lib/types/Authorization.types.ts b/packages/common/lib/types/Authorization.types.ts
index d52e9753..f2bf12f5 100644
--- a/packages/common/lib/types/Authorization.types.ts
+++ b/packages/common/lib/types/Authorization.types.ts
@@ -312,7 +312,7 @@ export interface AccessTokenRequest {
 'pre-authorized_code': string;
 redirect_uri?: string;
 scope?: string;
- user_pin?: string; //pre draft 13
+ user_pin?: string; //this is for v11, not required in v13 anymore
 tx_code?: string; //draft 13
 [s: string]: unknown;
 }
From 5ca1eda0f55e5b777c01ab99edbd53108b2f3767 Mon Sep 17 00:00:00 2001
From: Mirko Mollik
Date: Mon, 29 Jul 2024 15:57:27 +0200
Subject: [PATCH 3/3] set both variables to be compliant
Signed-off-by: Mirko Mollik
---
 packages/client/lib/AccessTokenClient.ts | 1 +
 packages/issuer/lib/tokens/index.ts | 9 +++++++--
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/packages/client/lib/AccessTokenClient.ts b/packages/client/lib/AccessTokenClient.ts
index 064da005..f7c0d44d 100644
--- a/packages/client/lib/AccessTokenClient.ts
+++ b/packages/client/lib/AccessTokenClient.ts
@@ -104,6 +104,7 @@ export class AccessTokenClient {
 if (credentialOfferRequest?.supportedFlows.includes(AuthzFlowType.PRE_AUTHORIZED_CODE_FLOW)) {
 this.assertAlphanumericPin(opts.pinMetadata, pin);
+ request.user_pin = pin;
 request.tx_code = pin;
 request.grant_type = GrantTypes.PRE_AUTHORIZED_CODE;
 // we actually know it is there because of the isPreAuthCode call
diff --git a/packages/issuer/lib/tokens/index.ts b/packages/issuer/lib/tokens/index.ts
index be5ef9f1..dfe5d568 100644
--- a/packages/issuer/lib/tokens/index.ts
+++ b/packages/issuer/lib/tokens/index.ts
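Review bot: The added `request.user_pin = pin;` in packages/client/lib/AccessTokenClient.ts (PATCH 3/3) sends the PIN under both parameter names with no comment saying why, so one of the two assignments is likely to be read as a leftover and removed again. I would put `// send the PIN as user_pin (<= v12 issuers) and as tx_code (>= v13 issuers); the issuer check accepts the pair` above the two assignments. Both fields are set regardless of which draft the credential offer was issued under; whether an issuer that validates token-request parameters strictly accepts the extra field cannot be told from this hunk. The enclosing method starts and ends outside the hunk.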
@@ -102,12 +102,17 @@ export const assertValidAccessTokenRequest = async (
 invalid_request:
 the Authorization Server does not expect a PIN in the pre-authorized flow but the client provides a PIN
 */
- if (!credentialOfferSession.credentialOffer.credential_offer?.grants?.[GrantTypes.PRE_AUTHORIZED_CODE]?.tx_code && request.tx_code) {
+ if (
+ !credentialOfferSession.credentialOffer.credential_offer?.grants?.[GrantTypes.PRE_AUTHORIZED_CODE]?.tx_code &&
+ request.tx_code &&
+ !request.user_pin
+ ) {
 // >= v13
 throw new TokenError(400, TokenErrorResponse.invalid_request, USER_PIN_NOT_REQUIRED_ERROR)
 } else if (
 !credentialOfferSession.credentialOffer.credential_offer?.grants?.[GrantTypes.PRE_AUTHORIZED_CODE]?.user_pin_required &&
- request.user_pin
+ request.user_pin &&
+ !request.tx_code
 ) {
 // <= v12
 throw new TokenError(400, TokenErrorResponse.invalid_request, USER_PIN_NOT_REQUIRED_ERROR)
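Review bot: The added guards `!request.user_pin` and `!request.tx_code` switch off the "PIN not expected" rejection whenever a request carries both fields: for an offer whose pre-authorized grant defines neither `tx_code` nor `user_pin_required`, a request with both `user_pin` and `tx_code` set matches neither branch and passes this check. Deciding once whether the offer expects a PIN under either name, and rejecting any supplied PIN when it does not, keeps the dual-field client working without dropping the invalid_request case. Nothing in the hunk compares `request.user_pin` with `request.tx_code` either; if the PIN verification further down (outside the hunk) reads only one of them, a mismatch between the two goes unnoticed, so rejecting unequal values at this point is worth adding. assertValidAccessTokenRequest starts and ends outside the hunk, and the brace that closes the branch is not shown.

```typescript
// … unchanged: comment block describing the invalid_request case …
const preAuthGrant = credentialOfferSession.credentialOffer.credential_offer?.grants?.[GrantTypes.PRE_AUTHORIZED_CODE]
// a PIN is expected if the offer asks for one under either draft's name
const pinExpected = Boolean(preAuthGrant?.tx_code) || Boolean(preAuthGrant?.user_pin_required)
const pinSupplied = Boolean(request.tx_code) || Boolean(request.user_pin)
if (!pinExpected && pinSupplied) {
  throw new TokenError(400, TokenErrorResponse.invalid_request, USER_PIN_NOT_REQUIRED_ERROR)
```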