Skip to content

fix: [WLEO-990] add missing trust_chain, iat and exp claims in wallet attestation#44

Merged
flaviodelgrosso merged 2 commits intomainfrom
fix/missing-claims-wallet-attestation
Mar 3, 2026
Merged

fix: [WLEO-990] add missing trust_chain, iat and exp claims in wallet attestation#44
flaviodelgrosso merged 2 commits intomainfrom
fix/missing-claims-wallet-attestation

Conversation

@flaviodelgrosso
Copy link
Copy Markdown
Collaborator

@flaviodelgrosso flaviodelgrosso commented Feb 27, 2026

This pull request refactors how federation metadata and entity statements are handled in the wallet attestation flow, improving modularity and ensuring that JWTs are properly linked to the federation entity statement. The changes also update the wallet attestation creation logic to include additional fields and the trust chain in the JWT header.

Federation Metadata & Entity Statement Refactoring:

  • Split the logic for fetching federation metadata into a new function getFederationMetadataPayload, and introduced getFederationEntityStatement to generate a signed JWT entity statement. getFederationMetadata now references getFederationEntityStatement for clarity and modularity. [1] [2]
  • Updated imports in wallet-attestations.ts to use the new getFederationEntityStatement function, ensuring consistent access to federation entity statements.

Wallet Attestation JWT Improvements:

  • Modified the wallet attestation creation logic to fetch the federation entity statement JWT and include it in the trust_chain array of the JWT header, along with new fields exp and iat in the payload. This strengthens attestation validity and traceability.

Test Consistency:

  • Updated the mock setup in the wallet attestation tests to use .mockReturnValue instead of .mockReturnValueOnce, ensuring consistent test behavior.

@changeset-bot
Copy link
Copy Markdown

changeset-bot bot commented Feb 27, 2026

⚠️ No Changeset found

Latest commit: 847c778

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@github-actions github-actions bot added the apps label Feb 27, 2026
@flaviodelgrosso
Copy link
Copy Markdown
Collaborator Author

flaviodelgrosso commented Feb 27, 2026

I've just added the entity configuration jwt in the trust chain but do we need to also have subordinate statements emitted from TA? @manuraf

@manuraf
Copy link
Copy Markdown
Contributor

manuraf commented Feb 27, 2026

I think we can ignore subordinate statement

@flaviodelgrosso flaviodelgrosso marked this pull request as ready for review February 27, 2026 15:07
@flaviodelgrosso flaviodelgrosso requested a review from a team as a code owner February 27, 2026 15:07
@flaviodelgrosso flaviodelgrosso merged commit adc63eb into main Mar 3, 2026
11 checks passed
@flaviodelgrosso flaviodelgrosso deleted the fix/missing-claims-wallet-attestation branch March 3, 2026 10:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@manuraf manuraf manuraf approved these changes

@mastro993 mastro993 Awaiting requested review from mastro993 mastro993 is a code owner automatically assigned from pagopa/io-wallet

Assignees

@flaviodelgrosso flaviodelgrosso

Labels

apps

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@flaviodelgrosso @manuraf