feat: remove TEMP_DISABLE_ISS_TYP_CHECK (#1374)

Signed-off-by: Mykhailo Sizov <[email protected]>
trustbloc · Jul 24, 2023 · 79c5330 · 79c5330
1 parent 784c1c4
commit 79c5330
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 12 deletions.
diff --git a/component/wallet-cli/pkg/walletrunner/wallet_runner_oidc4ci.go b/component/wallet-cli/pkg/walletrunner/wallet_runner_oidc4ci.go
@@ -23,6 +23,7 @@ import (
  "github.com/cli/browser"
  "github.com/google/uuid"
  "github.com/hyperledger/aries-framework-go-ext/component/vdr/jwk"
+ "github.com/hyperledger/aries-framework-go/pkg/doc/jose"
  "github.com/hyperledger/aries-framework-go/pkg/doc/jwt"
  "github.com/hyperledger/aries-framework-go/pkg/doc/verifiable"
  didkey "github.com/hyperledger/aries-framework-go/pkg/vdr/key"
@@ -574,7 +575,11 @@ func (s *Service) getCredential(
  signerKeyID = res.DIDDocument.VerificationMethod[0].ID
  }
 
- signedJWT, err := jwt.NewSigned(claims, nil,
+ headers := map[string]interface{}{
+ jose.HeaderType: jwtProofTypHeader,
+ }
+
+ signedJWT, err := jwt.NewSigned(claims, headers,
  NewJWSSigner(signerKeyID, string(s.vcProviderConf.WalletParams.SignType), kmsSigner))
  if err != nil {
  return nil, 0, fmt.Errorf("create signed jwt: %w", err)

diff --git a/pkg/restapi/v1/oidc4ci/controller.go b/pkg/restapi/v1/oidc4ci/controller.go
@@ -19,7 +19,6 @@ import (
  "io"
  "net/http"
  "net/url"
- "os"
  "strings"
  "time"
 
@@ -673,12 +672,8 @@ func (c *Controller) validateProofClaims(
  return "", resterr.NewOIDCError(string(resterr.InvalidOrMissingProofOIDCErr), errors.New("nonce expired"))
  }
 
- tmpDisableIssTypCheck := os.Getenv("TEMP_DISABLE_ISS_TYP_CHECK") == "true"
-
- if !tmpDisableIssTypCheck {
- if isPreAuthFlow, ok := session.Extra[preAuthKey].(bool); !ok || (!isPreAuthFlow && claims.Issuer != clientID) {
- return "", resterr.NewOIDCError(string(resterr.InvalidOrMissingProofOIDCErr), errors.New("invalid client_id"))
- }
+ if isPreAuthFlow, ok := session.Extra[preAuthKey].(bool); !ok || (!isPreAuthFlow && claims.Issuer != clientID) {
+ return "", resterr.NewOIDCError(string(resterr.InvalidOrMissingProofOIDCErr), errors.New("invalid client_id"))
  }
 
  if claims.IssuedAt == nil {
@@ -689,10 +684,8 @@ func (c *Controller) validateProofClaims(
  return "", resterr.NewOIDCError(string(resterr.InvalidOrMissingProofOIDCErr), errors.New("invalid nonce"))
  }
 
- if !tmpDisableIssTypCheck {
- if typ, ok := jws.Headers.Type(); ok && typ != jwtProofTypHeader {
- return "", resterr.NewOIDCError(string(resterr.InvalidOrMissingProofOIDCErr), errors.New("invalid typ"))
- }
+ if typ, ok := jws.Headers.Type(); ok && typ != jwtProofTypHeader {
+ return "", resterr.NewOIDCError(string(resterr.InvalidOrMissingProofOIDCErr), errors.New("invalid typ"))
  }
 
  keyID, ok := jws.Headers.KeyID()