feature: Add Berlin Group PSD2 signature support

constantine2nd · constantine2nd · commit 95c7a3761633 · 2026-02-11T14:00:58.000+01:00
Files Created 1. server/types/berlin-group.ts - TypeScript interfaces: BerlinGroupConfig, BerlinGroupHeaders, BerlinGroupSessionData 2. server/services/BerlinGroupSignatureService.ts - New @service() class that: - Loads private key and certificate PEM files from VITE_BG_PRIVATE_KEY_PATH and VITE_BG_CERTIFICATE_PATH at construction - isEnabled() checks if certificates are loaded - static isBerlinGroupPath(path) detects "/berlin-group/" in request paths - generateHeaders(method, body, consentId?) generates required PSD2 headers: Date X-Request-ID Digest (SHA-256) Signature (RSA-SHA256) TPP-Signature-Certificate PSU headers Redirect URIs (POST only) Optional Consent-ID Files Modified 3. server/services/OBPClientService.ts - get(), create(), update(), discard() now check isBerlinGroupPath() && isEnabled() - Routes Berlin Group requests to new private method requestWithBerlinGroupHeaders() - Merges signature headers with op
diff --git a/.env.example b/.env.example
@@ -48,6 +48,17 @@ VITE_OBP_CONSUMER_KEY=your-obp-oidc-client-id
 # VITE_CUSTOM_OIDC_CLIENT_ID=your-custom-client-id
 # VITE_CUSTOM_OIDC_CLIENT_SECRET=your-custom-client-secret
 
+### Berlin Group TPP Signature Certificate Configuration (Optional) ###
+# VITE_BG_PRIVATE_KEY_PATH=./certs/private_key.pem
+# VITE_BG_CERTIFICATE_PATH=./certs/certificate.pem
+# VITE_BG_KEY_ID=SN=1082, CA=CN=Your Name, O=YourOrg
+# VITE_BG_API_VERSION=v1.3
+# VITE_BG_PSU_DEVICE_ID=device-1234567890
+# VITE_BG_PSU_DEVICE_NAME=API-Explorer-II
+# VITE_BG_PSU_IP_ADDRESS=127.0.0.1
+# VITE_BG_TPP_REDIRECT_URI=https://your-app.com/berlin-group/redirect
+# VITE_BG_TPP_NOK_REDIRECT_URI=https://your-app.com/berlin-group/error
+
 ### Chatbot Configuration (Optional) ###
 VITE_CHATBOT_ENABLED=false
 # VITE_CHATBOT_URL=http://localhost:5000
diff --git a/server/app.ts b/server/app.ts
@@ -36,6 +36,7 @@ import { Container } from 'typedi'
 import path from 'path'
 import { execSync } from 'child_process'
 import { OAuth2ProviderManager } from './services/OAuth2ProviderManager.js'
+import { BerlinGroupSignatureService } from './services/BerlinGroupSignatureService.js'
 import { fileURLToPath } from 'url'
 import { dirname } from 'path'
 
@@ -169,6 +170,18 @@ let instance: any
   }
   console.log(`-----------------------------------------------------------------`)
 
+  // Berlin Group TPP Signature Certificate Setup
+  console.log('--- Berlin Group TPP Signature Certificate -----------------------')
+  const bgService = Container.get(BerlinGroupSignatureService)
+  if (bgService.isEnabled()) {
+    console.log('OK Berlin Group TPP Signature Certificate is configured and loaded')
+    console.log(`  API Version: ${bgService.getApiVersion()}`)
+  } else {
+    console.log('Berlin Group TPP Signature Certificate is NOT configured')
+    console.log('  Set VITE_BG_PRIVATE_KEY_PATH and VITE_BG_CERTIFICATE_PATH to enable')
+  }
+  console.log(`-----------------------------------------------------------------`)
+
   const routePrefix = '/api'
 
   // Register all routes (plain Express)
diff --git a/server/routes/obp.ts b/server/routes/obp.ts
@@ -54,7 +54,11 @@ router.get('/get', async (req: Request, res: Response) => {
     const path = req.query.path as string
     const session = req.session as any
 
-    const oauthConfig = session.clientConfig
+    const oauthConfig = session.clientConfig || {}
+    const bgConsentId = req.headers['x-bg-consent-id'] as string | undefined
+    if (bgConsentId) {
+      oauthConfig.berlinGroup = { consentId: bgConsentId }
+    }
 
     const result = await obpClientService.get(path, oauthConfig)
     res.json(result)
@@ -85,7 +89,11 @@ router.post('/create', async (req: Request, res: Response) => {
     const data = req.body
     const session = req.session as any
 
-    const oauthConfig = session.clientConfig
+    const oauthConfig = session.clientConfig || {}
+    const bgConsentId = req.headers['x-bg-consent-id'] as string | undefined
+    if (bgConsentId) {
+      oauthConfig.berlinGroup = { consentId: bgConsentId }
+    }
 
     // Debug logging to diagnose authentication issues
     console.log('OBP.create - Debug Info:')
@@ -95,6 +103,7 @@ router.post('/create', async (req: Request, res: Response) => {
     console.log('  oauth2 exists:', oauthConfig?.oauth2 ? 'YES' : 'NO')
     console.log('  accessToken exists:', oauthConfig?.oauth2?.accessToken ? 'YES' : 'NO')
     console.log('  oauth2_user exists:', session?.oauth2_user ? 'YES' : 'NO')
+    console.log('  berlinGroup consentId:', bgConsentId || 'N/A')
 
     const result = await obpClientService.create(path, data, oauthConfig)
     res.json(result)
@@ -120,7 +129,11 @@ router.put('/update', async (req: Request, res: Response) => {
     const data = req.body
     const session = req.session as any
 
-    const oauthConfig = session.clientConfig
+    const oauthConfig = session.clientConfig || {}
+    const bgConsentId = req.headers['x-bg-consent-id'] as string | undefined
+    if (bgConsentId) {
+      oauthConfig.berlinGroup = { consentId: bgConsentId }
+    }
 
     const result = await obpClientService.update(path, data, oauthConfig)
     res.json(result)
@@ -144,7 +157,11 @@ router.delete('/delete', async (req: Request, res: Response) => {
     const path = req.query.path as string
     const session = req.session as any
 
-    const oauthConfig = session.clientConfig
+    const oauthConfig = session.clientConfig || {}
+    const bgConsentId = req.headers['x-bg-consent-id'] as string | undefined
+    if (bgConsentId) {
+      oauthConfig.berlinGroup = { consentId: bgConsentId }
+    }
 
     const result = await obpClientService.discard(path, oauthConfig)
     res.json(result)
diff --git a/server/services/BerlinGroupSignatureService.ts b/server/services/BerlinGroupSignatureService.ts
@@ -0,0 +1,184 @@
+/*
+ * Open Bank Project - API Explorer II
+ * Copyright (C) 2023-2025, TESOBE GmbH
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ * Email: contact@tesobe.com
+ * TESOBE GmbH
+ * Osloerstrasse 16/17
+ * Berlin 13359, Germany
+ *
+ *   This product includes software developed at
+ *   TESOBE (http://www.tesobe.com/)
+ *
+ */
+
+import { Service } from 'typedi'
+import crypto from 'crypto'
+import fs from 'fs'
+import type { BerlinGroupConfig, BerlinGroupHeaders } from '../types/berlin-group.js'
+
+/**
+ * BerlinGroupSignatureService generates RSA-SHA256 digital signatures,
+ * SHA-256 body digests, and TPP certificate headers required by
+ * Berlin Group PSD2 APIs.
+ *
+ * Configuration is loaded from environment variables at construction.
+ * If certificate files are not configured, the service gracefully degrades
+ * and isEnabled() returns false.
+ */
+@Service()
+export class BerlinGroupSignatureService {
+  private privateKey: string | null = null
+  private certificate: string | null = null
+  private config: BerlinGroupConfig | null = null
+
+  constructor() {
+    this.loadConfig()
+  }
+
+  private loadConfig(): void {
+    const privateKeyPath = process.env.VITE_BG_PRIVATE_KEY_PATH
+    const certificatePath = process.env.VITE_BG_CERTIFICATE_PATH
+
+    if (!privateKeyPath || !certificatePath) {
+      console.log('BerlinGroupSignatureService: Certificate paths not configured, signing disabled')
+      return
+    }
+
+    try {
+      this.privateKey = fs.readFileSync(privateKeyPath, 'utf8')
+      this.certificate = fs.readFileSync(certificatePath, 'utf8')
+
+      this.config = {
+        privateKeyPath,
+        certificatePath,
+        keyId: process.env.VITE_BG_KEY_ID || 'SN=unknown, CA=CN=unknown',
+        apiVersion: process.env.VITE_BG_API_VERSION || 'v1.3',
+        psuDeviceId: process.env.VITE_BG_PSU_DEVICE_ID || 'device-api-explorer-ii',
+        psuDeviceName: process.env.VITE_BG_PSU_DEVICE_NAME || 'API-Explorer-II',
+        psuIpAddress: process.env.VITE_BG_PSU_IP_ADDRESS || '127.0.0.1',
+        tppRedirectUri: process.env.VITE_BG_TPP_REDIRECT_URI || '',
+        tppNokRedirectUri: process.env.VITE_BG_TPP_NOK_REDIRECT_URI || ''
+      }
+
+      console.log('BerlinGroupSignatureService: Private key and certificate loaded successfully')
+    } catch (error: any) {
+      console.error('BerlinGroupSignatureService: Failed to load certificate files:', error.message)
+      this.privateKey = null
+      this.certificate = null
+      this.config = null
+    }
+  }
+
+  /**
+   * Check if Berlin Group signing is enabled (certificates are loaded)
+   */
+  isEnabled(): boolean {
+    return this.privateKey !== null && this.certificate !== null && this.config !== null
+  }
+
+  /**
+   * Get the configured Berlin Group API version
+   */
+  getApiVersion(): string {
+    return this.config?.apiVersion || 'v1.3'
+  }
+
+  /**
+   * Detect whether a request path is a Berlin Group API path
+   */
+  static isBerlinGroupPath(path: string): boolean {
+    return path.includes('/berlin-group/')
+  }
+
+  /**
+   * Generate all required Berlin Group PSD2 headers for a request
+   *
+   * @param method - HTTP method (GET, POST, PUT, DELETE)
+   * @param body - Request body (empty string for GET/DELETE)
+   * @param consentId - Optional Consent-ID for account data endpoints
+   * @returns Object containing all required Berlin Group headers
+   */
+  generateHeaders(
+    method: string,
+    body: string,
+    consentId?: string
+  ): BerlinGroupHeaders {
+    if (!this.privateKey || !this.certificate || !this.config) {
+      throw new Error('BerlinGroupSignatureService: Cannot generate headers - not configured')
+    }
+
+    // Use empty string body for GET and DELETE requests
+    const effectiveBody = method === 'GET' || method === 'DELETE' ? '' : body
+
+    // Generate Date in RFC 7231 format
+    const dateHeader = new Date().toUTCString()
+
+    // Generate UUID v4 for X-Request-ID
+    const xRequestId = crypto.randomUUID()
+
+    // Compute SHA-256 digest of the body
+    const digestValue = crypto.createHash('sha256').update(effectiveBody).digest('base64')
+    const digestHeader = `SHA-256=${digestValue}`
+
+    // Create the string to sign per PSD2 spec
+    const dataToSign = `digest: ${digestHeader}\ndate: ${dateHeader}\nx-request-id: ${xRequestId}`
+
+    // Sign with RSA-SHA256
+    const sign = crypto.createSign('RSA-SHA256')
+    sign.update(dataToSign)
+    sign.end()
+    const signature = sign.sign(this.privateKey, 'base64')
+
+    // Build Signature header
+    const signatureHeader = `keyId="${this.config.keyId}", algorithm="rsa-sha256", headers="digest date x-request-id", signature="${signature}"`
+
+    // Base64-encode the certificate
+    const certificateBase64 = Buffer.from(this.certificate).toString('base64')
+
+    // Build headers object
+    const headers: BerlinGroupHeaders = {
+      'Content-Type': 'application/json',
+      Date: dateHeader,
+      'X-Request-ID': xRequestId,
+      Digest: digestHeader,
+      Signature: signatureHeader,
+      'TPP-Signature-Certificate': certificateBase64,
+      'PSU-Device-ID': this.config.psuDeviceId,
+      'PSU-Device-Name': this.config.psuDeviceName,
+      'PSU-IP-Address': this.config.psuIpAddress
+    }
+
+    // Add redirect URIs for POST requests
+    if (method === 'POST' && this.config.tppRedirectUri) {
+      headers['TPP-Redirect-URI'] = this.config.tppRedirectUri
+    }
+    if (method === 'POST' && this.config.tppNokRedirectUri) {
+      headers['TPP-Nok-Redirect-URI'] = this.config.tppNokRedirectUri
+    }
+
+    // Add Consent-ID when provided
+    if (consentId) {
+      headers['Consent-ID'] = consentId
+    }
+
+    console.log(`BerlinGroupSignatureService: Generated headers for ${method} request`)
+    console.log(`  X-Request-ID: ${xRequestId}`)
+    console.log(`  Digest: ${digestHeader}`)
+
+    return headers
+  }
+}
diff --git a/server/services/OAuth2ProviderFactory.ts b/server/services/OAuth2ProviderFactory.ts
@@ -72,10 +72,10 @@ export class OAuth2ProviderFactory {
       process.env.VITE_OAUTH2_REDIRECT_URL || 'http://localhost:5173/api/oauth2/callback'
 
     // OBP-OIDC Strategy
-    if (process.env.VITE_OBP_OIDC_CLIENT_ID) {
+    if (process.env.VITE_OBP_OAUTH2_CLIENT_ID) {
       this.strategies.set('obp-oidc', {
-        clientId: process.env.VITE_OBP_OIDC_CLIENT_ID,
-        clientSecret: process.env.VITE_OBP_OIDC_CLIENT_SECRET || '',
+        clientId: process.env.VITE_OBP_OAUTH2_CLIENT_ID,
+        clientSecret: process.env.VITE_OBP_OAUTH2_CLIENT_SECRET || '',
         redirectUri: sharedRedirectUri,
         scopes: ['openid', 'profile', 'email']
       })
@@ -133,7 +133,7 @@ export class OAuth2ProviderFactory {
       console.warn('OAuth2ProviderFactory: WARNING - No provider strategies configured!')
       console.warn('OAuth2ProviderFactory: Set environment variables for at least one provider')
       console.warn(
-        'OAuth2ProviderFactory: Example: VITE_OBP_OIDC_CLIENT_ID, VITE_OBP_OIDC_CLIENT_SECRET'
+        'OAuth2ProviderFactory: Example: VITE_OBP_OAUTH2_CLIENT_ID, VITE_OBP_OAUTH2_CLIENT_SECRET'
       )
     }
   }
diff --git a/server/services/OBPClientService.ts b/server/services/OBPClientService.ts
diff --git a/server/types/berlin-group.ts b/server/types/berlin-group.ts
