baseid_oid4vci/

wallet.rs

//! OID4VCI wallet/holder flow for the pre-authorized code grant.
//!
//! Orchestrates the end-to-end credential issuance flow:
//! offer → metadata discovery → token exchange → credential request.

use baseid_crypto::Signer;

use crate::client::HttpClient;
use crate::credential::{
    CredentialRequest, CredentialResponse, ProofOfPossession, PRE_AUTHORIZED_CODE_GRANT_TYPE,
};
use crate::credential_offer::CredentialOffer;
use crate::error::Oid4vciError;
use crate::token::{NonceResponse, TokenResponse};
use crate::{metadata, IssuerMetadata};

/// Wallet-side OID4VCI client for credential issuance.
pub struct Oid4vciWallet<'a, C: HttpClient> {
    client: &'a C,
    signer: &'a dyn Signer,
    holder_did: String,
}

impl<'a, C: HttpClient> Oid4vciWallet<'a, C> {
    /// Create a new wallet client.
    pub fn new(client: &'a C, signer: &'a dyn Signer, holder_did: String) -> Self {
        Self {
            client,
            signer,
            holder_did,
        }
    }

    /// Execute the pre-authorized code flow end-to-end.
    ///
    /// 1. Discovers issuer metadata
    /// 2. Exchanges the pre-authorized code for an access token (with tx_code if required)
    /// 3. Builds a proof-of-possession JWT (if nonce provided)
    /// 4. Requests the credential from the issuer
    ///
    /// If the credential offer requires a transaction code (PIN), pass it via `tx_code`.
    pub async fn accept_offer(
        &self,
        offer: &CredentialOffer,
        tx_code: Option<&str>,
    ) -> baseid_core::Result<CredentialResponse> {
        // 1. Discover issuer metadata
        let metadata = metadata::discover(self.client, &offer.credential_issuer).await?;

        // 2. Extract pre-authorized code
        let pre_auth_grant = offer
            .grants
            .as_ref()
            .and_then(|g| g.pre_authorized_code.as_ref())
            .ok_or(Oid4vciError::UnsupportedGrantType)?;

        // 3. Exchange code for token
        let token_response = self
            .exchange_token(&metadata, &pre_auth_grant.pre_authorized_code, tx_code)
            .await?;

        // 4. Obtain nonce: prefer token response c_nonce, fall back to nonce endpoint
        let c_nonce = if let Some(nonce) = token_response.c_nonce.clone() {
            Some(nonce)
        } else if let Some(ref nonce_url) = metadata.nonce_endpoint {
            self.fetch_nonce(nonce_url).await.ok().map(|r| r.c_nonce)
        } else {
            None
        };

        // 5. Build proof-of-possession if nonce is present
        let proof = if let Some(ref nonce) = c_nonce {
            let jwt = crate::proof::create_proof_jwt(
                self.signer,
                &offer.credential_issuer,
                nonce,
                &self.holder_did,
            )?;
            Some(ProofOfPossession {
                proof_type: "jwt".to_string(),
                jwt,
            })
        } else {
            None
        };

        // 6. Request credential using the first offered credential configuration
        let config_id = offer
            .credential_configuration_ids
            .first()
            .cloned()
            .unwrap_or_else(|| "jwt_vc_json".to_string());

        self.request_credential(&metadata, &token_response.access_token, &config_id, proof)
            .await
    }

    /// Fetch a challenge nonce from the nonce endpoint (OID4VCI 1.0).
    async fn fetch_nonce(&self, nonce_url: &str) -> baseid_core::Result<NonceResponse> {
        let json =
            self.client
                .post_form(nonce_url, &[])
                .await
                .map_err(|e| -> baseid_core::Error {
                    Oid4vciError::TokenRequestFailed(format!("nonce endpoint failed: {e}")).into()
                })?;

        serde_json::from_value(json).map_err(|e| -> baseid_core::Error {
            Oid4vciError::TokenRequestFailed(format!("invalid nonce response: {e}")).into()
        })
    }

    /// Exchange a pre-authorized code for an access token.
    async fn exchange_token(
        &self,
        metadata: &IssuerMetadata,
        pre_authorized_code: &str,
        tx_code: Option<&str>,
    ) -> baseid_core::Result<TokenResponse> {
        let token_endpoint = metadata
            .token_endpoint
            .clone()
            .or_else(|| {
                metadata
                    .authorization_server
                    .as_deref()
                    .map(|s| format!("{}/token", s.trim_end_matches('/')))
            })
            .unwrap_or_else(|| {
                format!("{}/token", metadata.credential_issuer.trim_end_matches('/'))
            });

        let mut params = vec![
            ("grant_type", PRE_AUTHORIZED_CODE_GRANT_TYPE),
            ("pre-authorized_code", pre_authorized_code),
        ];
        if let Some(code) = tx_code {
            params.push(("tx_code", code));
        }

        let json = self
            .client
            .post_form(&token_endpoint, &params)
            .await
            .map_err(|e| -> baseid_core::Error {
                Oid4vciError::TokenRequestFailed(e.to_string()).into()
            })?;

        serde_json::from_value(json).map_err(|e| -> baseid_core::Error {
            Oid4vciError::TokenRequestFailed(e.to_string()).into()
        })
    }

    /// Request a credential from the issuer's credential endpoint.
    async fn request_credential(
        &self,
        metadata: &IssuerMetadata,
        access_token: &str,
        credential_configuration_id: &str,
        proof: Option<ProofOfPossession>,
    ) -> baseid_core::Result<CredentialResponse> {
        let cred_request = CredentialRequest {
            credential_configuration_id: Some(credential_configuration_id.to_string()),
            credential_identifier: None,
            format: None,
            credential_definition: None,
            proof,
        };

        let body = serde_json::to_value(&cred_request).map_err(|e| -> baseid_core::Error {
            Oid4vciError::CredentialRequestFailed(e.to_string()).into()
        })?;

        let json = self
            .client
            .post_json_bearer(&metadata.credential_endpoint, &body, access_token)
            .await
            .map_err(|e| -> baseid_core::Error {
                Oid4vciError::CredentialRequestFailed(e.to_string()).into()
            })?;

        // Check for server error response
        if let Some(error) = json.get("error").and_then(|v| v.as_str()) {
            let error_description = json
                .get("error_description")
                .and_then(|v| v.as_str())
                .unwrap_or("no description");
            return Err(Oid4vciError::ServerError {
                error: error.to_string(),
                error_description: error_description.to_string(),
            }
            .into());
        }

        serde_json::from_value(json).map_err(|e| -> baseid_core::Error {
            Oid4vciError::CredentialRequestFailed(e.to_string()).into()
        })
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::client::HttpClient;
    use crate::credential_offer::{Grants, PreAuthorizedCodeGrant};
    use baseid_core::types::KeyType;
    use baseid_crypto::KeyPair;
    use std::sync::Mutex;

    /// A mock HTTP client that returns pre-configured responses in sequence.
    struct MockSequenceClient {
        responses: Mutex<Vec<serde_json::Value>>,
    }

    impl MockSequenceClient {
        fn new(responses: Vec<serde_json::Value>) -> Self {
            let mut responses = responses;
            responses.reverse();
            Self {
                responses: Mutex::new(responses),
            }
        }

        fn next_response(&self) -> baseid_core::Result<serde_json::Value> {
            self.responses
                .lock()
                .unwrap()
                .pop()
                .ok_or_else(|| baseid_core::error::ProtocolError::InvalidResponse.into())
        }
    }

    impl HttpClient for MockSequenceClient {
        async fn get_json(&self, _url: &str) -> baseid_core::Result<serde_json::Value> {
            self.next_response()
        }
        async fn post_form(
            &self,
            _url: &str,
            _params: &[(&str, &str)],
        ) -> baseid_core::Result<serde_json::Value> {
            self.next_response()
        }
        async fn post_json_bearer(
            &self,
            _url: &str,
            _body: &serde_json::Value,
            _token: &str,
        ) -> baseid_core::Result<serde_json::Value> {
            self.next_response()
        }
        async fn post_json(
            &self,
            _url: &str,
            _body: &serde_json::Value,
        ) -> baseid_core::Result<serde_json::Value> {
            self.next_response()
        }
        async fn get(
            &self,
            _url: &str,
        ) -> baseid_core::Result<baseid_transport::http::HttpResponse> {
            unimplemented!()
        }
        async fn post_raw(
            &self,
            _url: &str,
            _body: &[u8],
            _content_type: &str,
        ) -> baseid_core::Result<baseid_transport::http::HttpResponse> {
            unimplemented!()
        }
    }

    fn test_offer() -> CredentialOffer {
        CredentialOffer {
            credential_issuer: "https://issuer.example.com".to_string(),
            credential_configuration_ids: vec!["UniversityDegree".to_string()],
            grants: Some(Grants {
                authorization_code: None,
                pre_authorized_code: Some(PreAuthorizedCodeGrant {
                    pre_authorized_code: "pre-auth-code-123".to_string(),
                    tx_code: None,
                }),
            }),
        }
    }

    fn metadata_json() -> serde_json::Value {
        serde_json::json!({
            "credential_issuer": "https://issuer.example.com",
            "credential_endpoint": "https://issuer.example.com/credential",
            "credential_configurations_supported": {
                "UniversityDegree": {
                    "format": "jwt_vc_json"
                }
            }
        })
    }

    fn token_json() -> serde_json::Value {
        serde_json::json!({
            "access_token": "access-token-xyz",
            "token_type": "Bearer",
            "c_nonce": "server-nonce-456",
            "c_nonce_expires_in": 300
        })
    }

    fn credential_json() -> serde_json::Value {
        serde_json::json!({
            "credentials": [
                { "credential": "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9..." }
            ]
        })
    }

    #[tokio::test]
    async fn token_exchange_pre_auth() {
        let client = MockSequenceClient::new(vec![token_json()]);
        let kp = KeyPair::generate(KeyType::P256).unwrap();
        let wallet = Oid4vciWallet::new(&client, &kp, "did:key:z6Mk...".to_string());
        let metadata = IssuerMetadata {
            credential_issuer: "https://issuer.example.com".to_string(),
            authorization_server: None,
            credential_endpoint: "https://issuer.example.com/credential".to_string(),
            token_endpoint: None,
            nonce_endpoint: None,
            deferred_credential_endpoint: None,
            notification_endpoint: None,
            credential_configurations_supported: Default::default(),
        };
        let token = wallet
            .exchange_token(&metadata, "pre-auth-code-123", None)
            .await
            .unwrap();
        assert_eq!(token.access_token, "access-token-xyz");
        assert_eq!(token.c_nonce.as_deref(), Some("server-nonce-456"));
    }

    #[tokio::test]
    async fn credential_request_with_proof() {
        let client = MockSequenceClient::new(vec![credential_json()]);
        let kp = KeyPair::generate(KeyType::P256).unwrap();
        let wallet = Oid4vciWallet::new(&client, &kp, "did:key:z6Mk...".to_string());

        let metadata = IssuerMetadata {
            credential_issuer: "https://issuer.example.com".to_string(),
            authorization_server: None,
            credential_endpoint: "https://issuer.example.com/credential".to_string(),
            token_endpoint: None,
            nonce_endpoint: None,
            deferred_credential_endpoint: None,
            notification_endpoint: None,
            credential_configurations_supported: Default::default(),
        };

        let proof_jwt = crate::proof::create_proof_jwt(
            &kp,
            "https://issuer.example.com",
            "nonce-abc",
            "did:key:z6Mk...",
        )
        .unwrap();

        let proof = Some(ProofOfPossession {
            proof_type: "jwt".to_string(),
            jwt: proof_jwt,
        });

        let resp = wallet
            .request_credential(&metadata, "access-token-xyz", "UniversityDegree", proof)
            .await
            .unwrap();

        assert_eq!(
            resp.first_credential().unwrap(),
            &serde_json::json!("eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9...")
        );
    }

    #[tokio::test]
    async fn full_pre_auth_flow() {
        let client =
            MockSequenceClient::new(vec![metadata_json(), token_json(), credential_json()]);

        let kp = KeyPair::generate(KeyType::P256).unwrap();
        let wallet = Oid4vciWallet::new(&client, &kp, "did:key:z6Mk...".to_string());
        let offer = test_offer();

        let resp = wallet.accept_offer(&offer, None).await.unwrap();
        assert_eq!(
            resp.first_credential().unwrap(),
            &serde_json::json!("eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9...")
        );
    }

    #[tokio::test]
    async fn server_error_propagation() {
        let error_response = serde_json::json!({
            "error": "invalid_grant",
            "error_description": "The pre-authorized code has expired"
        });
        let client = MockSequenceClient::new(vec![metadata_json(), token_json(), error_response]);

        let kp = KeyPair::generate(KeyType::P256).unwrap();
        let wallet = Oid4vciWallet::new(&client, &kp, "did:key:z6Mk...".to_string());
        let offer = test_offer();

        let result = wallet.accept_offer(&offer, None).await;
        assert!(result.is_err());
    }

    /// A mock HTTP client that captures POST form params.
    struct ParamCapturingClient {
        response: serde_json::Value,
        captured_params: Mutex<Vec<(String, String)>>,
    }

    impl ParamCapturingClient {
        fn new(response: serde_json::Value) -> Self {
            Self {
                response,
                captured_params: Mutex::new(Vec::new()),
            }
        }
    }

    impl HttpClient for ParamCapturingClient {
        async fn get_json(&self, _url: &str) -> baseid_core::Result<serde_json::Value> {
            unimplemented!()
        }
        async fn post_form(
            &self,
            _url: &str,
            params: &[(&str, &str)],
        ) -> baseid_core::Result<serde_json::Value> {
            let mut captured = self.captured_params.lock().unwrap();
            for (k, v) in params {
                captured.push((k.to_string(), v.to_string()));
            }
            Ok(self.response.clone())
        }
        async fn post_json_bearer(
            &self,
            _url: &str,
            _body: &serde_json::Value,
            _token: &str,
        ) -> baseid_core::Result<serde_json::Value> {
            unimplemented!()
        }
        async fn post_json(
            &self,
            _url: &str,
            _body: &serde_json::Value,
        ) -> baseid_core::Result<serde_json::Value> {
            unimplemented!()
        }
        async fn get(
            &self,
            _url: &str,
        ) -> baseid_core::Result<baseid_transport::http::HttpResponse> {
            unimplemented!()
        }
        async fn post_raw(
            &self,
            _url: &str,
            _body: &[u8],
            _content_type: &str,
        ) -> baseid_core::Result<baseid_transport::http::HttpResponse> {
            unimplemented!()
        }
    }

    #[tokio::test]
    async fn tx_code_forwarded_to_token_exchange() {
        let client = ParamCapturingClient::new(token_json());
        let kp = KeyPair::generate(KeyType::P256).unwrap();
        let wallet = Oid4vciWallet::new(&client, &kp, "did:key:z6Mk...".to_string());
        let metadata = IssuerMetadata {
            credential_issuer: "https://issuer.example.com".to_string(),
            authorization_server: None,
            credential_endpoint: "https://issuer.example.com/credential".to_string(),
            token_endpoint: None,
            nonce_endpoint: None,
            deferred_credential_endpoint: None,
            notification_endpoint: None,
            credential_configurations_supported: Default::default(),
        };
        wallet
            .exchange_token(&metadata, "pre-auth-code-123", Some("493536"))
            .await
            .unwrap();

        let captured = client.captured_params.lock().unwrap();
        assert!(captured
            .iter()
            .any(|(k, v)| k == "tx_code" && v == "493536"));
    }

    #[tokio::test]
    async fn tx_code_omitted_when_none() {
        let client = ParamCapturingClient::new(token_json());
        let kp = KeyPair::generate(KeyType::P256).unwrap();
        let wallet = Oid4vciWallet::new(&client, &kp, "did:key:z6Mk...".to_string());
        let metadata = IssuerMetadata {
            credential_issuer: "https://issuer.example.com".to_string(),
            authorization_server: None,
            credential_endpoint: "https://issuer.example.com/credential".to_string(),
            token_endpoint: None,
            nonce_endpoint: None,
            deferred_credential_endpoint: None,
            notification_endpoint: None,
            credential_configurations_supported: Default::default(),
        };
        wallet
            .exchange_token(&metadata, "pre-auth-code-123", None)
            .await
            .unwrap();

        let captured = client.captured_params.lock().unwrap();
        assert!(!captured.iter().any(|(k, _)| k == "tx_code"));
    }

    #[tokio::test]
    async fn nonce_from_dedicated_endpoint() {
        // Token response without c_nonce, metadata has nonce_endpoint.
        // Sequence: metadata → token (no nonce) → nonce endpoint → credential
        let token_no_nonce = serde_json::json!({
            "access_token": "access-token-xyz",
            "token_type": "Bearer"
        });
        let nonce_resp = serde_json::json!({ "c_nonce": "endpoint-nonce-789" });
        let client = MockSequenceClient::new(vec![
            // metadata includes nonce_endpoint
            serde_json::json!({
                "credential_issuer": "https://issuer.example.com",
                "credential_endpoint": "https://issuer.example.com/credential",
                "nonce_endpoint": "https://issuer.example.com/nonce",
                "credential_configurations_supported": {
                    "UniversityDegree": { "format": "jwt_vc_json" }
                }
            }),
            token_no_nonce,
            nonce_resp,
            credential_json(),
        ]);
        let kp = KeyPair::generate(KeyType::P256).unwrap();
        let wallet = Oid4vciWallet::new(&client, &kp, "did:key:z6Mk...".to_string());
        let offer = test_offer();

        let resp = wallet.accept_offer(&offer, None).await.unwrap();
        // Should succeed — nonce was fetched from dedicated endpoint
        assert!(resp.first_credential().is_some());
    }

    #[tokio::test]
    async fn nonce_from_token_response_preferred() {
        // Token response WITH c_nonce — nonce endpoint should NOT be called.
        // Sequence: metadata (has nonce_endpoint) → token (with c_nonce) → credential
        // Only 3 responses queued — if nonce endpoint were called, it would exhaust the queue.
        let client = MockSequenceClient::new(vec![
            serde_json::json!({
                "credential_issuer": "https://issuer.example.com",
                "credential_endpoint": "https://issuer.example.com/credential",
                "nonce_endpoint": "https://issuer.example.com/nonce",
                "credential_configurations_supported": {
                    "UniversityDegree": { "format": "jwt_vc_json" }
                }
            }),
            token_json(), // has c_nonce
            credential_json(),
        ]);
        let kp = KeyPair::generate(KeyType::P256).unwrap();
        let wallet = Oid4vciWallet::new(&client, &kp, "did:key:z6Mk...".to_string());
        let offer = test_offer();

        let resp = wallet.accept_offer(&offer, None).await.unwrap();
        assert!(resp.first_credential().is_some());
    }

    #[tokio::test]
    async fn missing_pre_auth_grant_rejected() {
        let client = MockSequenceClient::new(vec![metadata_json()]);
        let kp = KeyPair::generate(KeyType::P256).unwrap();
        let wallet = Oid4vciWallet::new(&client, &kp, "did:key:z6Mk...".to_string());

        let offer = CredentialOffer {
            credential_issuer: "https://issuer.example.com".to_string(),
            credential_configuration_ids: vec!["Degree".to_string()],
            grants: None,
        };

        let result = wallet.accept_offer(&offer, None).await;
        assert!(result.is_err());
    }

    /// A mock HTTP client that captures the URL of POST form requests.
    struct UrlCapturingClient {
        response: serde_json::Value,
        captured_urls: Mutex<Vec<String>>,
    }

    impl UrlCapturingClient {
        fn new(response: serde_json::Value) -> Self {
            Self {
                response,
                captured_urls: Mutex::new(Vec::new()),
            }
        }
    }

    impl HttpClient for UrlCapturingClient {
        async fn get_json(&self, _url: &str) -> baseid_core::Result<serde_json::Value> {
            unimplemented!()
        }
        async fn post_form(
            &self,
            url: &str,
            _params: &[(&str, &str)],
        ) -> baseid_core::Result<serde_json::Value> {
            self.captured_urls.lock().unwrap().push(url.to_string());
            Ok(self.response.clone())
        }
        async fn post_json_bearer(
            &self,
            _url: &str,
            _body: &serde_json::Value,
            _token: &str,
        ) -> baseid_core::Result<serde_json::Value> {
            unimplemented!()
        }
        async fn post_json(
            &self,
            _url: &str,
            _body: &serde_json::Value,
        ) -> baseid_core::Result<serde_json::Value> {
            unimplemented!()
        }
        async fn get(
            &self,
            _url: &str,
        ) -> baseid_core::Result<baseid_transport::http::HttpResponse> {
            unimplemented!()
        }
        async fn post_raw(
            &self,
            _url: &str,
            _body: &[u8],
            _content_type: &str,
        ) -> baseid_core::Result<baseid_transport::http::HttpResponse> {
            unimplemented!()
        }
    }

    #[tokio::test]
    async fn token_endpoint_resolution_priority() {
        let kp = KeyPair::generate(KeyType::P256).unwrap();

        // Priority 1: explicit token_endpoint
        {
            let client = UrlCapturingClient::new(token_json());
            let wallet = Oid4vciWallet::new(&client, &kp, "did:key:z6Mk...".to_string());
            let metadata = IssuerMetadata {
                credential_issuer: "https://issuer.example.com".to_string(),
                authorization_server: Some("https://auth.example.com".to_string()),
                credential_endpoint: "https://issuer.example.com/credential".to_string(),
                token_endpoint: Some("https://issuer.example.com/explicit-token".to_string()),
                nonce_endpoint: None,
                deferred_credential_endpoint: None,
                notification_endpoint: None,
                credential_configurations_supported: Default::default(),
            };
            wallet
                .exchange_token(&metadata, "code", None)
                .await
                .unwrap();
            let urls = client.captured_urls.lock().unwrap();
            assert_eq!(
                urls[0], "https://issuer.example.com/explicit-token",
                "token_endpoint should be used when set"
            );
        }

        // Priority 2: authorization_server fallback
        {
            let client = UrlCapturingClient::new(token_json());
            let wallet = Oid4vciWallet::new(&client, &kp, "did:key:z6Mk...".to_string());
            let metadata = IssuerMetadata {
                credential_issuer: "https://issuer.example.com".to_string(),
                authorization_server: Some("https://auth.example.com".to_string()),
                credential_endpoint: "https://issuer.example.com/credential".to_string(),
                token_endpoint: None,
                nonce_endpoint: None,
                deferred_credential_endpoint: None,
                notification_endpoint: None,
                credential_configurations_supported: Default::default(),
            };
            wallet
                .exchange_token(&metadata, "code", None)
                .await
                .unwrap();
            let urls = client.captured_urls.lock().unwrap();
            assert_eq!(
                urls[0], "https://auth.example.com/token",
                "authorization_server + /token should be used when token_endpoint is None"
            );
        }

        // Priority 3: credential_issuer fallback
        {
            let client = UrlCapturingClient::new(token_json());
            let wallet = Oid4vciWallet::new(&client, &kp, "did:key:z6Mk...".to_string());
            let metadata = IssuerMetadata {
                credential_issuer: "https://issuer.example.com".to_string(),
                authorization_server: None,
                credential_endpoint: "https://issuer.example.com/credential".to_string(),
                token_endpoint: None,
                nonce_endpoint: None,
                deferred_credential_endpoint: None,
                notification_endpoint: None,
                credential_configurations_supported: Default::default(),
            };
            wallet
                .exchange_token(&metadata, "code", None)
                .await
                .unwrap();
            let urls = client.captured_urls.lock().unwrap();
            assert_eq!(
                urls[0], "https://issuer.example.com/token",
                "credential_issuer + /token should be used as last resort"
            );
        }
    }

    #[tokio::test]
    async fn credential_request_no_nonce_no_proof() {
        // Token response without c_nonce, metadata without nonce_endpoint.
        // Sequence: metadata → token (no nonce) → credential
        // No nonce endpoint call, no proof generated.
        let token_no_nonce = serde_json::json!({
            "access_token": "access-token-xyz",
            "token_type": "Bearer"
        });
        let client = MockSequenceClient::new(vec![
            serde_json::json!({
                "credential_issuer": "https://issuer.example.com",
                "credential_endpoint": "https://issuer.example.com/credential",
                "credential_configurations_supported": {
                    "UniversityDegree": { "format": "jwt_vc_json" }
                }
            }),
            token_no_nonce,
            credential_json(),
        ]);
        let kp = KeyPair::generate(KeyType::P256).unwrap();
        let wallet = Oid4vciWallet::new(&client, &kp, "did:key:z6Mk...".to_string());
        let offer = test_offer();

        // Should succeed without proof — only 3 responses queued (metadata, token, credential)
        let resp = wallet.accept_offer(&offer, None).await.unwrap();
        assert!(resp.first_credential().is_some());
    }
}