pagopa · paolomanca-pagopa · Feb 8, 2026 · Jan 19, 2026 · Jan 19, 2026 · Jan 19, 2026
@@ -51,6 +51,6 @@ FEATURE_FLAG_IMPROVED_PRODUCER_VERIFICATION_CLAIMS=false
 FEATURE_FLAG_CLIENT_ASSERTION_STRICT_CLAIMS_VALIDATION=false
 
 DPOP_CACHE_TABLE=dpop-cache
-DPOP_HTU=test/authorization-server/token.oauth2
+DPOP_HTU_BASE=test/authorization-server/token.oauth2
 DPOP_IAT_TOLERANCE_SECONDS=10
 DPOP_DURATION_SECONDS=60
@@ -74,6 +74,8 @@ import {
 } from "../model/domain/errors.js";
 import { HttpDPoPHeader } from "../model/domain/models.js";
 
+const EXPECTED_HTM = "POST";
+
 export type GeneratedTokenData =
   | {
       limitReached: true;
@@ -545,7 +547,8 @@ const validateDPoPProof = async (
   const { data, errors: dpopProofErrors } = dpopProofHeader
     ? verifyDPoPProof({
         dpopProofJWS: dpopProofHeader,
-        expectedDPoPProofHtu: config.dpopHtu,
+        expectedDPoPProofHtu: config.dpopHtuBase,
+        expectedDPoPProofHtm: EXPECTED_HTM,
         dpopProofIatToleranceSeconds: config.dpopIatToleranceSeconds,
         dpopProofDurationSeconds: config.dpopDurationSeconds,
       })

@@ -1,5 +1,11 @@
 import { JsonWebKey } from "crypto";
-import { calculateKid, createJWK, sortJWK } from "pagopa-interop-commons";
+import {
+  calculateKid,
+  calculateJWKThumbprint,
+  createJWK,
+  sortJWK,
+} from "pagopa-interop-commons";
+import { keyTypeNotAllowed, invalidJWKClaim } from "pagopa-interop-models";
 import { describe, expect, it } from "vitest";
 
 describe("jwk test", () => {
@@ -22,4 +28,99 @@ describe("jwk test", () => {
     );
     expect(kid).toEqual(expetedKid);
   });
+
+  describe("calculateJWKThumbprint", () => {
+    // https://datatracker.ietf.org/doc/html/rfc7638#section-3.1 (example from RFC 7638)
+    const validRsaKey: JsonWebKey = {
+      kty: "RSA",
+      n: "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
+      e: "AQAB",
+    };
+    const validEcKey: JsonWebKey = {
+      kty: "EC",
+      crv: "P-256",
+      x: "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
+      y: "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
+    };
+
+    it("should return the correct SHA-256 thumbprint (RFC 7638 match)", () => {
+      expect(calculateJWKThumbprint(validRsaKey)).toEqual(
+        "NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs"
+      );
+    });
+
+    it("should return the correct SHA-256 thumbprint for EC", () => {
+      expect(calculateJWKThumbprint(validEcKey)).toEqual(
+        "cn-I_WNMClehiVp51i_0VpOENW1upEerA8sEam5hn-s"
+      );
+    });
+
+    it("should throw if there are extra properties (RSA)", () => {
+      const keyWithExtras: JsonWebKey = {
+        ...validRsaKey,
+        alg: "RS256",
+        kid: "ignore-me",
+        use: "sig",
+      };
+      expect(() => calculateJWKThumbprint(keyWithExtras)).toThrow(
+        invalidJWKClaim()
+      );
+    });
+    it("should throw if there are extra properties (EC)", () => {
+      const keyWithExtras: JsonWebKey = {
+        ...validEcKey,
+        alg: "ES256",
+        kid: "ignore-me-ec",
+        use: "sig",
+      };
+      expect(() => calculateJWKThumbprint(keyWithExtras)).toThrow(
+        invalidJWKClaim()
+      );
+    });
+
+    it.skip("should produce the same thumbprint ignoring extra properties (RSA)", () => {
+      const keyWithExtras: JsonWebKey = {
+        ...validRsaKey,
+        alg: "RS256",
+        kid: "ignore-me",
+        use: "sig",
+      };
+
+      const hashClean = calculateJWKThumbprint(validRsaKey);
+      const hashExtras = calculateJWKThumbprint(keyWithExtras);
+
+      expect(hashExtras).toEqual(hashClean);
+    });
+
+    it.skip("should produce the same thumbprint ignoring extra properties (EC)", () => {
+      const keyWithExtras: JsonWebKey = {
+        ...validEcKey,
+        alg: "ES256",
+        kid: "ignore-me-ec",
+        use: "sig",
+      };
+
+      const hashClean = calculateJWKThumbprint(validEcKey);
+      const hashExtras = calculateJWKThumbprint(keyWithExtras);
+
+      expect(hashExtras).toEqual(hashClean);
+    });
+
+    it("should throw if kty is unsupported (e.g. oct)", () => {
+      const octKey: JsonWebKey = { kty: "oct", k: "secret-key" };
+      expect(() => calculateJWKThumbprint(octKey)).toThrow(
+        keyTypeNotAllowed("oct")
+      );
+    });
+
+    it("should throw if required RSA properties (n, e) are missing", () => {
+      const missingE = { kty: "RSA", n: "foo" } as JsonWebKey;
+      expect(() => calculateJWKThumbprint(missingE)).toThrow(invalidJWKClaim());
+    });
+
+    it("should throw if required EC properties (crv, x, y) are missing", () => {
+      const missingX = { kty: "EC", crv: "P-256", y: "bar" } as JsonWebKey;
+      expect(() => calculateJWKThumbprint(missingX)).toThrow(invalidJWKClaim());
+    });
+  });
 });
@@ -0,0 +1,90 @@
+import { describe, it, expect, vi, afterEach } from "vitest";
+import { missingHeader, badDPoPToken } from "pagopa-interop-models";
+import {
+  genericLogger,
+  jwtsFromAuthAndDPoPHeaders,
+} from "pagopa-interop-commons";
+
+describe("headers", () => {
+  // eslint-disable-next-line @typescript-eslint/explicit-function-return-type
+  const mockRequest = (headers: Record<string, string | undefined>) =>
+    ({
+      headers,
+      method: "GET",
+      url: "/test/example/endpoint",
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    } as any);
+
+  afterEach(() => {
+    vi.restoreAllMocks();
+  });
+
+  describe("jwtsFromAuthAndDPoPHeaders", () => {
+    it("Should correctly extract Access Token and DPoP Proof when headers are valid", () => {
+      const req = mockRequest({
+        authorization: "DPoP some-access-token",
+        dpop: "some-dpop-proof",
+      });
+
+      const result = jwtsFromAuthAndDPoPHeaders(req, genericLogger);
+
+      expect(result).toEqual({
+        accessToken: "some-access-token",
+        dpopProofJWS: "some-dpop-proof",
+      });
+    });
+
+    it("Should throw missingHeader('Authorization') if Authorization header is missing", () => {
+      const req = mockRequest({
+        dpop: "some-dpop-proof",
+      });
+
+      expect(() => jwtsFromAuthAndDPoPHeaders(req, genericLogger)).toThrowError(
+        missingHeader("Authorization")
+      );
+    });
+
+    it("Should throw badDPoPToken if Authorization token scheme is not 'DPoP'", () => {
+      const req = mockRequest({
+        authorization: "Bearer some-token",
+        dpop: "some-dpop-proof",
+      });
+
+      expect(() => jwtsFromAuthAndDPoPHeaders(req, genericLogger)).toThrowError(
+        badDPoPToken
+      );
+    });
+
+    it("Should throw badDPoPToken if Authorization token value is missing", () => {
+      const req = mockRequest({
+        authorization: "DPoP",
+        dpop: "some-dpop-proof",
+      });
+
+      expect(() => jwtsFromAuthAndDPoPHeaders(req, genericLogger)).toThrowError(
+        badDPoPToken
+      );
+    });
+
+    it("Should throw missingHeader('DPoP') if DPoP header is missing", () => {
+      const req = mockRequest({
+        authorization: "DPoP valid-token",
+      });
+
+      expect(() => jwtsFromAuthAndDPoPHeaders(req, genericLogger)).toThrowError(
+        missingHeader("DPoP")
+      );
+    });
+
+    it("Should throw missingHeader('DPoP') if DPoP header is empty string", () => {
+      const req = mockRequest({
+        authorization: "DPoP valid-token",
+        dpop: "",
+      });
+
+      expect(() => jwtsFromAuthAndDPoPHeaders(req, genericLogger)).toThrowError(
+        missingHeader("DPoP")
+      );
+    });
+  });
+});
@@ -1,5 +1,9 @@
 import { Request, Response } from "express";
-import { badBearerToken, missingHeader } from "pagopa-interop-models";
+import {
+  badBearerToken,
+  badDPoPToken,
+  missingHeader,
+} from "pagopa-interop-models";
 import { z } from "zod";
 import { Logger } from "../logging/index.js";
 
@@ -22,14 +26,30 @@ export function parseAuthHeader(req: Request): string | undefined {
   return undefined;
 }
 
+export function parseDPoPHeader(req: Request, logger: Logger): string {
+  const parsed = z.object({ dpop: z.string().min(1) }).safeParse(req.headers);
+
+  if (!parsed.success) {
+    logger.warn(
+      `Invalid authentication provided for this call ${req.method} ${req.url} - missing or malformed DPoP header`
+    );
+    throw missingHeader("DPoP");
+  }
+
+  return parsed.data.dpop;
+}
+
 export function jwtFromAuthHeader(req: Request, logger: Logger): string {
   const authHeader = parseAuthHeader(req);
   if (!authHeader) {
     throw missingHeader("Authorization");
   }
 
   const authHeaderParts = authHeader.split(" ");
-  if (authHeaderParts.length !== 2 || authHeaderParts[0] !== "Bearer") {
+  if (
+    authHeaderParts.length !== 2 ||
+    authHeaderParts[0].toLowerCase() !== "bearer"
+  ) {
     logger.warn(
       `Invalid authentication provided for this call ${req.method} ${req.url}`
     );
@@ -39,6 +59,48 @@ export function jwtFromAuthHeader(req: Request, logger: Logger): string {
   return authHeaderParts[1];
 }
 
+/**
+ * Extracts and validates the presence of the:
+ * (1) Access Token DPoP and
+ * (2) the DPoP Proof
+ * from the HTTP request headers.
+ *
+ * This function performs a syntax and presence check on the `Authorization` and `DPoP` headers.
+ * It does not verify the cryptographic signatures or the claims of the tokens.
+ *
+ * @param req - The Express `Request` object containing the HTTP headers.
+ * @param logger - The `Logger` instance used to log warnings in case of missing or malformed headers.
+ *
+ * @returns An object containing the raw strings of the Access Token and the DPoP Proof JWS.
+ *
+ * @throws {missingHeader} If the `Authorization` header is missing entirely.
+ * @throws {badDPoPToken} If the `Authorization` scheme is not "DPoP" or the token value is missing.
+ * @throws {missingHeader} If the `DPoP` header is missing or malformed (e.g., empty or invalid format according to `parseDPoPHeader`)
+ *
+ */
+export function jwtsFromAuthAndDPoPHeaders(
+  req: Request,
+  logger: Logger
+): { accessToken: string; dpopProofJWS: string } {
+  const authHeader = parseAuthHeader(req);
+  if (!authHeader) {
+    throw missingHeader("Authorization");
+  }
+
+  const [scheme, accessToken] = authHeader.split(" ");
+  if (scheme.toLowerCase() !== "dpop" || !accessToken) {
+    logger.warn(
+      `Invalid authentication provided for this call ${req.method} ${req.url}`
+    );
+    throw badDPoPToken;
+  }
+  const dpopProofJWS = parseDPoPHeader(req, logger);
+  return {
+    accessToken,
+    dpopProofJWS,
+  };
+}
+
 export const METADATA_VERSION_HEADER = "x-metadata-version";
 export function setMetadataVersionHeader(
   res: Response,

@@ -1,14 +1,19 @@
-import crypto, { JsonWebKey, KeyObject } from "crypto";
+import crypto, { createHash, JsonWebKey, KeyObject } from "crypto";
 import jwksClient, { JwksClient } from "jwks-rsa";
 import {
   notAnRSAKey,
   invalidKeyLength,
   invalidPublicKey,
   jwkDecodingError,
+  invalidJWKClaim,
   notAllowedCertificateException,
   notAllowedMultipleKeysException,
   notAllowedPrivateKeyException,
+  keyTypeNotAllowed,
+  JWKKeyRS256,
+  JWKKeyES256,
 } from "pagopa-interop-models";
+import { match } from "ts-pattern";
 import { JWTConfig } from "../config/index.js";
 
 export const decodeBase64ToPem = (base64String: string): string => {
@@ -35,12 +40,40 @@ export const calculateKid = (jwk: JsonWebKey): string => {
   const jwkString = JSON.stringify(sortedJwk);
   return crypto.createHash("sha256").update(jwkString).digest("base64url");
 };
-
 /* This is to avoid repeating the logic of the "calculateKid", 
 and to have a more meaningful name 
 for the generation of the CNF field inside the DPoP tokens */
 export const calculateDPoPThumbprint = calculateKid;
 
+export const calculateJWKThumbprint = (jwk: JsonWebKey): string => {
+  const parsedJwk = match(jwk.kty)
+    .with("RSA", () => {
+      const result = JWKKeyRS256.safeParse(jwk);
+
+      if (!result.success) {
+        throw invalidJWKClaim();
+      }
+      return result.data;
+    })
+    .with("EC", () => {
+      const result = JWKKeyES256.safeParse(jwk);
+
+      if (!result.success) {
+        throw invalidJWKClaim();
+      }
+      return result.data;
+    })
+    .otherwise(() => {
+      throw keyTypeNotAllowed(jwk.kty);
+    });
+
+  const canonicalJwk = sortJWK(parsedJwk);
+
+  return createHash("sha256")
+    .update(JSON.stringify(canonicalJwk))
+    .digest("base64url");
+};
+
 function assertNotCertificate(key: string): void {
   try {
     new crypto.X509Certificate(key);