database

type ClaimsQueryDB struct {
	// REQUIRED if claim_sets is present in the Credential Query; OPTIONAL otherwise. A string identifying the particular claim. The value MUST be a non-empty string consisting of alphanumeric, underscore (_), or hyphen (-) characters. Within the particular claims array, the same id MUST NOT be present more than once.
	Id string `json:"id,omitempty" mapstructure:"id,omitempty"`
	//  The value MUST be a non-empty array representing a claims path pointer that specifies the path to a claim within the Credential. See https://openid.net/specs/openid-4-verifiable-presentations-1_0.html#name-claims-path-pointer
	Path []interface{} `json:"path,omitempty" mapstructure:"path,omitempty"`
	// A non-empty array of strings, integers or boolean values that specifies the expected values of the claim. If the values property is present, the Wallet SHOULD return the claim only if the type and value of the claim both match exactly for at least one of the elements in the array.
	Values []interface{} `json:"values,omitempty" mapstructure:"values,omitempty"`
	// MDoc specific parameter, ignored for all other types. The flag can be set to inform that the reader wishes to keep(store) the data. In case of false, its data is only used to be dispalyed and verified.
	IntentToRetain bool `json:"intent_to_retain,omitempty" mapstructure:"intent_to_retain,omitempty"`
	// MDoc specific parameter, ignored for all other types. Refers to a namespace inside an mdoc.
	Namespace string `json:"namespace,omitempty" mapstructure:"namespace,omitempty"`
	// MDoc specific parameter, ignored for all other types. Identifier for the data-element in the namespace.
	ClaimName string `json:"claimName,omitempty" mapstructure:"claimName,omitempty"`
}

type CredentialDB struct {
	// Type of the credential
	Type string `json:"credentialType" mapstructure:"credentialType"`
	// Set if the holder id should be verified
	VerifyHolder bool `json:"verifyHolder" mapstructure:"verifyHolder"`
	// A list of (EBSI Trusted Issuers Registry compatible) endpoints to  retrieve the trusted issuers from. The attributes need to be formated to comply with the verifiers requirements.
	TrustedIssuersLists []config.EndpointEntry `json:"trustedLists,omitempty" mapstructure:"trustedLists,omitempty"`
	// Configuration of Holder Verfification
	HolderVerification config.HolderVerification `json:"holderVerification" mapstructure:"holderVerification"`
	// Does the given credential require a compliancy credential
	RequireCompliance bool `json:"requireCompliance" mapstructure:"requireCompliance"`
	// Configuration for the credential its inclusion into the JWT.
	JwtInclusion config.JwtInclusion `json:"jwtInclusion" mapstructure:"jwtInclusion"`
	// Per-credential configuration for the W3C Bitstring Status List /
	// StatusList2021 revocation-list check. When omitted or disabled no
	// revocation check is performed for credentials of this type, preserving
	// prior behaviour for configurations that do not opt in.
	CredentialStatus config.CredentialStatus `json:"credentialStatus,omitempty" mapstructure:"credentialStatus,omitempty"`
}

type CredentialQueryDB struct {
	// A string identifying the Credential in the response and, if provided, the constraints in credential_sets. The value MUST be a non-empty string consisting of alphanumeric, underscore (_), or hyphen (-) characters. Within the Authorization Request, the same id MUST NOT be present more than once.
	Id string `json:"id,omitempty" mapstructure:"id,omitempty"`
	// A string that specifies the format of the requested Credential.
	Format string `json:"format,omitempty" mapstructure:"format,omitempty"`
	// A boolean which indicates whether multiple Credentials can be returned for this Credential Query. If omitted, the default value is false.
	Multiple bool `json:"multiple" mapstructure:"multiple" default:"false"`
	// A non-empty array of objects  that specifies claims in the requested Credential. Verifiers MUST NOT point to the same claim more than once in a single query. Wallets SHOULD ignore such duplicate claim queries.
	Claims []ClaimsQueryDB `json:"claims" mapstructure:"claims"`
	// Defines additional properties requested by the Verifier that apply to the metadata and validity data of the Credential. The properties of this object are defined per Credential Format. If empty, no specific constraints are placed on the metadata or validity of the requested Credential.
	Meta *config.MetaDataQuery `json:"meta,omitempty" mapstructure:"meta,omitempty"`
	// A boolean which indicates whether the Verifier requires a Cryptographic Holder Binding proof. The default value is true, i.e., a Verifiable Presentation with Cryptographic Holder Binding is required. If set to false, the Verifier accepts a Credential without Cryptographic Holder Binding proof.
	RequireCryptographicHolderBinding bool `json:"requireCryptographicHolderBinding,omitempty" mapstructure:"requireCryptographicHolderBinding,omitempty" default:"false"`
	// A non-empty array containing arrays of identifiers for elements in claims that specifies which combinations of claims for the Credential are requested.
	ClaimSets [][]string `json:"claimSets,omitempty" mapstructure:"claimSets,omitempty"`
	// A non-empty array of objects  that specifies expected authorities or trust frameworks that certify Issuers, that the Verifier will accept. Every Credential returned by the Wallet SHOULD match at least one of the conditions present in the corresponding trusted_authorities array if present.
	TrustedAuthorities []config.TrustedAuthorityQuery `json:"trustedAuthorities" mapstructure:"trustedAuthorities" default:"[]"`
}

type DCQLDB struct {
	// A non-empty array of Credential Queries that specify the requested Credentials.
	Credentials []CredentialQueryDB `json:"credentials" mapstructure:"credentials"`
	// A non-empty array of Credential Set Queries that specifies additional constraints on which of the requested Credentials to return.
	CredentialSets []config.CredentialSetQuery `json:"credentialSets,omitempty" mapstructure:"credentialSets,omitempty"`
}

type FormatObjectDB struct {
	// format of the key
	FormatKey string `json:"formatKey" mapstructure:"formatKey"`
	// list of algorithms to be requested for credential - f.e. ES256
	Alg       []string `json:"alg" mapstructure:"alg"`
	ProofType []string `json:"proofType,omitempty" mapstructure:"proofType"`
}

type InputDescriptorDB struct {
	// Id of the descriptor
	Id string `json:"id" mapstructure:"id"`
	// defines the information to be requested
	Constraints config.Constraints `json:"constraints" mapstructure:"constraints"`
	// Format of the credential to be requested
	Format []FormatObjectDB `json:"format" mapstructure:"format"`
}

type PresentationDefinitionDB struct {
	// Id of the definition
	Id string `json:"id" mapstructure:"id"`

	// List of requested inputs
	InputDescriptors []InputDescriptorDB `json:"inputDescriptors" mapstructure:"inputDescriptors"`
	// Format of the credential to be requested
	Format []FormatObjectDB `json:"format" mapstructure:"format"`
}

type RefreshTokenRepository interface {
	// StoreRefreshToken persists a new refresh token row.
	StoreRefreshToken(ctx context.Context, row RefreshTokenRow) error

	// GetAndDeleteRefreshToken atomically retrieves and deletes a refresh
	// token (single-use). Returns ErrRefreshTokenNotFound if the token does
	// not exist.
	GetAndDeleteRefreshToken(ctx context.Context, token string) (*RefreshTokenRow, error)

	// DeleteExpiredTokens removes all refresh token rows whose expires_at
	// is in the past. Returns the number of rows deleted.
	DeleteExpiredTokens(ctx context.Context) (int64, error)

	// SetCleanupInterval starts a background goroutine that periodically calls
	// DeleteExpiredTokens at the given interval. If interval is zero or
	// negative, any running cleanup goroutine is cancelled and no new one is
	// started. Calling again with a new interval replaces the previous one.
	// The goroutine stops when ctx is cancelled.
	SetCleanupInterval(ctx context.Context, interval time.Duration)
}

type RefreshTokenRow struct {
	// Token is the primary key: the raw token when hashing is disabled, or the
	// HMAC-SHA256 hex digest when hashing is enabled.
	Token string
	// TokenSuffix holds the last 5 characters of the original plaintext token,
	// always stored regardless of hashing, for operational identification.
	TokenSuffix string
	// ClientID identifies the relying party that requested the token.
	ClientID string
	// Claims is the JSON payload extracted from the original access token JWT
	// (base64url-decoded middle segment). On exchange these claims are used to
	// re-issue a new access token without re-applying credential inclusion
	// configurations.
	Claims string
	// Integrity is the HMAC-SHA256 hex digest over the raw refresh token,
	// client ID, and claims. It is computed and verified by the repository;
	// callers of StoreRefreshToken do not need to set this field.
	Integrity string
	// ExpiresAt is the Unix timestamp (seconds) at which this refresh token
	// expires.
	ExpiresAt int64
}

type ScopeEntryDB struct {
	// credential types with their trust configuration
	Credentials []CredentialDB `json:"credentials" mapstructure:"credentials"`
	// 	Proofs to be requested - see https://identity.foundation/presentation-exchange/#presentation-definition
	PresentationDefinition *PresentationDefinitionDB `json:"presentationDefinition" mapstructure:"presentationDefinition"`
	// JSON encoded query to request the credentials to be included in the presentation
	DCQL *DCQLDB `json:"dcql" mapstructure:"dcql"`
	// When set, the claim are flatten to plain JWT-claims before beeing included, instead of keeping the credential/presentation structure, where the claims are under the key vc or vp
	FlatClaims bool `json:"flatClaims" mapstructure:"flatClaims"`
}

type ScopeEntryRow struct {
	// ID is the auto-generated primary key.
	ID int64
	// ServiceID is the foreign key referencing service.id.
	ServiceID string
	// ScopeKey is the OIDC scope name (map key in ServiceScopes).
	ScopeKey string
	// Credentials is a JSON-encoded array of config.Credential objects.
	Credentials string
	// PresentationDefinition is a JSON-encoded config.PresentationDefinition; may be nil.
	PresentationDefinition *string
	// FlatClaims indicates whether claims should be flattened in the JWT.
	FlatClaims bool
	// DcqlQuery is a JSON-encoded config.DCQL object; may be nil.
	DcqlQuery *string
}

type ServiceRepository interface {
	// CreateService persists a new service together with all its scope entries.
	// Returns ErrServiceAlreadyExists if a service with the same ID exists.
	CreateService(ctx context.Context, service config.ConfiguredService) error

	// GetService retrieves a single service by ID, including all scope entries.
	// Returns ErrServiceNotFound if the ID does not exist.
	GetService(ctx context.Context, id string) (config.ConfiguredService, error)

	// GetAllServices returns a page of services ordered by ID and the total
	// count across all pages. page is zero-based.
	GetAllServices(ctx context.Context, page, pageSize int) ([]config.ConfiguredService, int, error)

	// UpdateService replaces the service row and all its scope entries.
	// Returns ErrServiceNotFound if the ID does not exist. Returns the
	// updated service (re-read from DB) for response purposes.
	UpdateService(ctx context.Context, id string, service config.ConfiguredService) (config.ConfiguredService, error)

	// DeleteService removes a service and its scope entries (via CASCADE).
	// Returns ErrServiceNotFound if the ID does not exist.
	DeleteService(ctx context.Context, id string) error

	// GetServiceScopes returns the credential types required for a scope.
	// When oidcScope is nil, the service's default scope is used.
	// Returns ErrServiceNotFound when the service does not exist, or
	// config.ErrorNoSuchScope when the resolved scope is not configured.
	GetServiceScopes(ctx context.Context, id string, oidcScope *string) ([]string, error)

	// ServiceExists checks whether a service with the given ID exists.
	ServiceExists(ctx context.Context, id string) (bool, error)
}

type ServiceRow struct {
	// ID is the unique service identifier (primary key).
	ID string
	// DefaultOidcScope is the default OIDC scope name; may be nil.
	DefaultOidcScope *string
	// AuthorizationType describes the authorization mode; may be nil.
	AuthorizationType *string
}

type SqlRefreshTokenRepository struct {
	// contains filtered or unexported fields
}

type SqlServiceRepository struct {
	// contains filtered or unexported fields
}