feat: dart auth provider

packages/dart/affinidi_auth_provider/.env.example

@@ -0,0 +1,10 @@
+# Personal access token
+PROJECT_ID=""
+TOKEN_ID=""
+PRIVATE_KEY="-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----"
+PASSPHRASE="" # Optional. Required if private key is encrypted
+KEY_ID="" # Optional. Required if token's key id is different from token id
+
+# Iota (Websocket)
+IOTA_CONFIG_ID=""
+DID="" # Usually obtained at runtime from the registered user

packages/dart/affinidi_auth_provider/.gitignore

@@ -0,0 +1,11 @@
+# https://dart.dev/guides/libraries/private-files
+# Created by `dart pub`
+.dart_tool/
+
+# Avoid committing pubspec.lock for library packages; see
+# https://dart.dev/guides/libraries/private-files#pubspeclock.
+pubspec.lock
+
+# env files
+.env*
+!.env.example

packages/dart/affinidi_auth_provider/CHANGELOG.md

@@ -0,0 +1,3 @@
+## 1.0.0
+
+- Initial version.

packages/dart/affinidi_auth_provider/README.md

@@ -0,0 +1,39 @@
+<!-- 
+This README describes the package. If you publish this package to pub.dev,
+this README's contents appear on the landing page for your package.
+
+For information about how to write a good package README, see the guide for
+[writing package pages](https://dart.dev/guides/libraries/writing-package-pages). 
+
+For general information about developing packages, see the Dart guide for
+[creating packages](https://dart.dev/guides/libraries/create-library-packages)
+and the Flutter guide for
+[developing packages and plugins](https://flutter.dev/developing-packages). 
+-->
+
+TODO: Put a short description of the package here that helps potential users
+know whether this package might be useful for them.
+
+## Features
+
+TODO: List what your package can do. Maybe include images, gifs, or videos.
+
+## Getting started
+
+TODO: List prerequisites and provide or point to information on how to
+start using the package.
+
+## Usage
+
+TODO: Include short and useful examples for package users. Add longer examples
+to `/example` folder. 
+
+```dart
+const like = 'sample';
+```
+
+## Additional information
+
+TODO: Tell users more about the package: where to find more information, how to 
+contribute to the package, how to file issues, what response they can expect 
+from the package authors, and more.

packages/dart/affinidi_auth_provider/analysis_options.yaml

@@ -0,0 +1,30 @@
+# This file configures the static analysis results for your project (errors,
+# warnings, and lints).
+#
+# This enables the 'recommended' set of lints from `package:lints`.
+# This set helps identify many issues that may lead to problems when running
+# or consuming Dart code, and enforces writing Dart using a single, idiomatic
+# style and format.
+#
+# If you want a smaller set of lints you can change this to specify
+# 'package:lints/core.yaml'. These are just the most critical lints
+# (the recommended set includes the core lints).
+# The core lints are also what is used by pub.dev for scoring packages.
+
+include: package:lints/recommended.yaml
+
+# Uncomment the following section to specify additional rules.
+
+# linter:
+#   rules:
+#     - camel_case_types
+
+# analyzer:
+#   exclude:
+#     - path/to/excluded/files/**
+
+# For more information about the core and recommended set of lints, see
+# https://dart.dev/go/core-lints
+
+# For additional information about configuring this file, see
+# https://dart.dev/guides/language/analysis-options

packages/dart/affinidi_auth_provider/example/iota_token.dart

@@ -0,0 +1,33 @@
+import 'package:affinidi_auth_provider/affinidi_auth_provider.dart';
+import 'package:dotenv/dotenv.dart';
+
+void main() async {
+  var env = DotEnv()..load();
+  if (!env.isEveryDefined(
+      ['PROJECT_ID', 'TOKEN_ID', 'PRIVATE_KEY', 'IOTA_CONFIG_ID', 'DID'])) {
+    print(
+        'Missing environment variables. Please provide PROJECT_ID, TOKEN_ID, PRIVATE_KEY, DID');
+    return;
+  }
+  // Workaround for dotenv multiline limitations
+  final privateKey = env['PRIVATE_KEY']!.replaceAll('\\n', '\n');
+
+  final provider = AuthProvider(
+    projectId: env['PROJECT_ID']!,
+    tokenId: env['TOKEN_ID']!,
+    privateKey: privateKey,
+    // Optional parameters
+    keyId: env['KEY_ID'],
+    passphrase: env['PASSPHRASE'],
+  );
+
+  try {
+    // Fetch iota token (websocket). Did is usually obtained at runtime from the registered user
+    final iotaToken = provider.createIotaToken(
+        iotaConfigId: env['IOTA_CONFIG_ID']!, did: env['DID']!);
+    print('Successfully obtained iota token:');
+    print(iotaToken);
+  } catch (e) {
+    print('Error obtaining token: $e');
+  }
+}

packages/dart/affinidi_auth_provider/example/project_scoped_token.dart

@@ -0,0 +1,31 @@
+import 'package:affinidi_auth_provider/affinidi_auth_provider.dart';
+import 'package:dotenv/dotenv.dart';
+
+void main() async {
+  final env = DotEnv(includePlatformEnvironment: true)..load();
+  if (!env.isEveryDefined(['PROJECT_ID', 'TOKEN_ID', 'PRIVATE_KEY'])) {
+    print(
+        'Missing environment variables. Please provide PROJECT_ID, TOKEN_ID, PRIVATE_KEY');
+    return;
+  }
+  // Workaround for dotenv multiline limitations
+  final privateKey = env['PRIVATE_KEY']!.replaceAll('\\n', '\n');
+
+  final provider = AuthProvider(
+    projectId: env['PROJECT_ID']!,
+    tokenId: env['TOKEN_ID']!,
+    privateKey: privateKey,
+    // Optional parameters
+    keyId: env['KEY_ID'],
+    passphrase: env['PASSPHRASE'],
+  );
+
+  try {
+    // Fetch project scoped token
+    final projectScopedToken = await provider.fetchProjectScopedToken();
+    print('Successfully obtained project scoped token:');
+    print(projectScopedToken);
+  } catch (e) {
+    print('Error obtaining token: $e');
+  }
+}

packages/dart/affinidi_auth_provider/lib/affinidi_auth_provider.dart

@@ -0,0 +1,8 @@
+/// Support for doing something awesome.
+///
+/// More dartdocs go here.
+library;
+
+export 'src/auth_provider.dart';
+
+// TODO: Export any libraries intended for clients of this package.

packages/dart/affinidi_auth_provider/lib/src/auth_provider.dart

@@ -0,0 +1,136 @@
+import 'dart:convert';
+
+import 'package:dart_jsonwebtoken/dart_jsonwebtoken.dart';
+import 'package:affinidi_auth_provider/src/jwt_helper.dart';
+import 'package:affinidi_common/affinidi_common.dart';
+import 'package:http/http.dart' as http;
+import 'package:uuid/uuid.dart';
+
+class AuthProvider {
+  final String projectId;
+  final String tokenId;
+  final String privateKey;
+  final String? keyId;
+  final String? passphrase;
+  final String apiGatewayUrl;
+  final String tokenEndpoint;
+
+  AuthProvider(
+      {required this.projectId,
+      required this.tokenId,
+      required this.privateKey,
+      this.keyId,
+      this.passphrase})
+      : apiGatewayUrl = Environment.fetchApiGwUrl(),
+        tokenEndpoint = Environment.fetchElementsAuthTokenUrl();
+
+  AuthProvider.withEnv(
+      {required this.projectId,
+      required this.tokenId,
+      required this.privateKey,
+      this.keyId,
+      this.passphrase,
+      required this.apiGatewayUrl,
+      required this.tokenEndpoint});
+
+  ECPublicKey? publicKey;
+  String? projectScopedToken;
+
+  Future<bool> _shouldFetchToken() async {
+    if (projectScopedToken == null) {
+      return true;
+    }
+    publicKey ??= await JWTHelper.fetchPublicKey(apiGatewayUrl);
+    try {
+      JWT.verify(projectScopedToken!, publicKey!);
+      return false;
+    } on JWTExpiredException {
+      return true;
+    }
+  }
+
+  Future<String> fetchProjectScopedToken() async {
+    if (await _shouldFetchToken()) {
+      projectScopedToken =
+          await _getProjectScopedToken(audience: tokenEndpoint);
+    }
+    return projectScopedToken!;
+  }
+
+  Future<String> _getUserAccessToken({required String audience}) async {
+    final token = JWTHelper.signPayload(
+      audience: audience,
+      tokenId: tokenId,
+      privateKey: privateKey,
+      keyId: keyId,
+      passphrase: passphrase,
+    );
+
+    final response = await http.post(
+      Uri.parse(audience),
+      headers: {'Content-Type': 'application/x-www-form-urlencoded'},
+      body: {
+        'grant_type': 'client_credentials',
+        'scope': 'openid',
+        'client_assertion_type':
+            'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
+        'client_assertion': token,
+        'client_id': tokenId,
+      },
+    );
+
+    if (response.statusCode != 200) {
+      throw Exception('Failed to get user access token');
+    }
+
+    final data = jsonDecode(response.body);
+    return data['access_token'];
+  }
+
+  Future<String> _getProjectScopedToken({
+    required String audience,
+  }) async {
+    final userAccessToken = await _getUserAccessToken(audience: audience);
+
+    final response = await http.post(
+      Uri.parse('$apiGatewayUrl/iam/v1/sts/create-project-scoped-token'),
+      headers: {
+        'Authorization': 'Bearer $userAccessToken',
+        'Content-Type': 'application/json',
+      },
+      body: jsonEncode({'projectId': projectId}),
+    );
+
+    if (response.statusCode != 200) {
+      throw Exception('Failed to get project scoped token');
+    }
+
+    final data = jsonDecode(response.body);
+    return data['accessToken'];
+  }
+
+  ({String iotaJwt, String iotaSessionId}) createIotaToken({
+    required String iotaConfigId,
+    required String did,
+    String? iotaSessionId,
+  }) {
+    final sessionId = iotaSessionId ?? Uuid().v4();
+
+    return (
+      iotaJwt: JWTHelper.signPayload(
+        audience: did,
+        tokenId: 'token/$tokenId',
+        privateKey: privateKey,
+        keyId: keyId,
+        passphrase: passphrase,
+        additionalPayload: {
+          'project_id': projectId,
+          'iota_configuration_id': iotaConfigId,
+          'iota_session_id': iotaSessionId,
+          'scope': 'iota_channel',
+        },
+      ),
+      iotaSessionId: sessionId,
+    );
+  }
+}