@blamejs/blamejs-shop 0.3.4 → 0.3.6
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +4 -0
- package/lib/admin.js +428 -6
- package/lib/asset-manifest.json +1 -1
- package/lib/vendor/MANIFEST.json +3 -3
- package/lib/vendor/blamejs/CHANGELOG.md +14 -0
- package/lib/vendor/blamejs/api-snapshot.json +2 -2
- package/lib/vendor/blamejs/lib/_test/crypto-fixtures.js +3 -3
- package/lib/vendor/blamejs/lib/a2a-tasks.js +24 -24
- package/lib/vendor/blamejs/lib/a2a.js +4 -4
- package/lib/vendor/blamejs/lib/acme.js +3 -3
- package/lib/vendor/blamejs/lib/agent-idempotency.js +1 -1
- package/lib/vendor/blamejs/lib/agent-orchestrator.js +8 -8
- package/lib/vendor/blamejs/lib/agent-posture-chain.js +2 -2
- package/lib/vendor/blamejs/lib/agent-saga.js +1 -1
- package/lib/vendor/blamejs/lib/agent-snapshot.js +1 -1
- package/lib/vendor/blamejs/lib/agent-stream.js +1 -1
- package/lib/vendor/blamejs/lib/agent-tenant.js +1 -1
- package/lib/vendor/blamejs/lib/agent-trace.js +3 -3
- package/lib/vendor/blamejs/lib/ai-capability.js +1 -1
- package/lib/vendor/blamejs/lib/ai-dp.js +4 -4
- package/lib/vendor/blamejs/lib/ai-input.js +4 -4
- package/lib/vendor/blamejs/lib/ai-model-manifest.js +7 -7
- package/lib/vendor/blamejs/lib/ai-pref.js +3 -3
- package/lib/vendor/blamejs/lib/archive-gz.js +2 -2
- package/lib/vendor/blamejs/lib/archive-read.js +25 -25
- package/lib/vendor/blamejs/lib/archive-tar-read.js +2 -2
- package/lib/vendor/blamejs/lib/archive-tar.js +20 -20
- package/lib/vendor/blamejs/lib/archive-wrap.js +10 -10
- package/lib/vendor/blamejs/lib/argon2-builtin.js +1 -1
- package/lib/vendor/blamejs/lib/asn1-der.js +45 -34
- package/lib/vendor/blamejs/lib/atomic-file.js +2 -2
- package/lib/vendor/blamejs/lib/audit-daily-review.js +3 -3
- package/lib/vendor/blamejs/lib/audit-sign.js +5 -5
- package/lib/vendor/blamejs/lib/audit-tools.js +1 -1
- package/lib/vendor/blamejs/lib/audit.js +2 -2
- package/lib/vendor/blamejs/lib/auth/acr-vocabulary.js +2 -2
- package/lib/vendor/blamejs/lib/auth/bot-challenge.js +3 -3
- package/lib/vendor/blamejs/lib/auth/ciba.js +7 -7
- package/lib/vendor/blamejs/lib/auth/dpop.js +3 -3
- package/lib/vendor/blamejs/lib/auth/fido-mds3.js +8 -8
- package/lib/vendor/blamejs/lib/auth/jar.js +11 -0
- package/lib/vendor/blamejs/lib/auth/jwt-external.js +5 -5
- package/lib/vendor/blamejs/lib/auth/oauth.js +7 -9
- package/lib/vendor/blamejs/lib/auth/oid4vci.js +10 -10
- package/lib/vendor/blamejs/lib/auth/oid4vp.js +2 -2
- package/lib/vendor/blamejs/lib/auth/openid-federation.js +2 -2
- package/lib/vendor/blamejs/lib/auth/passkey.js +3 -3
- package/lib/vendor/blamejs/lib/auth/saml.js +31 -43
- package/lib/vendor/blamejs/lib/auth/sd-jwt-vc-disclosure.js +1 -1
- package/lib/vendor/blamejs/lib/auth/sd-jwt-vc.js +5 -5
- package/lib/vendor/blamejs/lib/auth/status-list.js +10 -10
- package/lib/vendor/blamejs/lib/auth/step-up.js +1 -1
- package/lib/vendor/blamejs/lib/auth-bot-challenge.js +1 -1
- package/lib/vendor/blamejs/lib/backup/index.js +7 -7
- package/lib/vendor/blamejs/lib/base32.js +8 -8
- package/lib/vendor/blamejs/lib/budr.js +2 -2
- package/lib/vendor/blamejs/lib/cache-status.js +2 -2
- package/lib/vendor/blamejs/lib/calendar.js +29 -29
- package/lib/vendor/blamejs/lib/cbor.js +12 -12
- package/lib/vendor/blamejs/lib/cdn-cache-control.js +1 -1
- package/lib/vendor/blamejs/lib/cert.js +5 -5
- package/lib/vendor/blamejs/lib/cloud-events.js +5 -5
- package/lib/vendor/blamejs/lib/cms-codec.js +21 -21
- package/lib/vendor/blamejs/lib/codepoint-class.js +12 -12
- package/lib/vendor/blamejs/lib/compliance-sanctions-fuzzy.js +4 -4
- package/lib/vendor/blamejs/lib/compliance-sanctions.js +4 -4
- package/lib/vendor/blamejs/lib/compliance.js +29 -29
- package/lib/vendor/blamejs/lib/content-credentials.js +38 -38
- package/lib/vendor/blamejs/lib/cookies.js +1 -1
- package/lib/vendor/blamejs/lib/cose.js +13 -13
- package/lib/vendor/blamejs/lib/cra-report.js +1 -1
- package/lib/vendor/blamejs/lib/crdt.js +1 -1
- package/lib/vendor/blamejs/lib/crypto-field.js +2 -2
- package/lib/vendor/blamejs/lib/crypto-xwing.js +7 -7
- package/lib/vendor/blamejs/lib/crypto.js +6 -6
- package/lib/vendor/blamejs/lib/csp.js +2 -2
- package/lib/vendor/blamejs/lib/cwt.js +4 -4
- package/lib/vendor/blamejs/lib/dark-patterns.js +2 -2
- package/lib/vendor/blamejs/lib/data-act.js +2 -2
- package/lib/vendor/blamejs/lib/db-file-lifecycle.js +4 -4
- package/lib/vendor/blamejs/lib/db-query.js +1 -1
- package/lib/vendor/blamejs/lib/db.js +6 -6
- package/lib/vendor/blamejs/lib/dbsc.js +13 -13
- package/lib/vendor/blamejs/lib/did.js +17 -17
- package/lib/vendor/blamejs/lib/dora.js +4 -4
- package/lib/vendor/blamejs/lib/dsr.js +1 -1
- package/lib/vendor/blamejs/lib/early-hints.js +2 -2
- package/lib/vendor/blamejs/lib/eat.js +4 -4
- package/lib/vendor/blamejs/lib/external-db-migrate.js +1 -1
- package/lib/vendor/blamejs/lib/external-db.js +1 -1
- package/lib/vendor/blamejs/lib/flag-cache.js +1 -1
- package/lib/vendor/blamejs/lib/flag-evaluation-context.js +2 -2
- package/lib/vendor/blamejs/lib/graphql-federation.js +13 -6
- package/lib/vendor/blamejs/lib/guard-agent-registry.js +5 -5
- package/lib/vendor/blamejs/lib/guard-archive.js +24 -24
- package/lib/vendor/blamejs/lib/guard-cidr.js +34 -34
- package/lib/vendor/blamejs/lib/guard-csv.js +1 -1
- package/lib/vendor/blamejs/lib/guard-domain.js +10 -10
- package/lib/vendor/blamejs/lib/guard-dsn.js +4 -4
- package/lib/vendor/blamejs/lib/guard-email.js +19 -19
- package/lib/vendor/blamejs/lib/guard-event-bus-payload.js +4 -4
- package/lib/vendor/blamejs/lib/guard-event-bus-topic.js +6 -6
- package/lib/vendor/blamejs/lib/guard-filename.js +7 -7
- package/lib/vendor/blamejs/lib/guard-graphql.js +9 -9
- package/lib/vendor/blamejs/lib/guard-html-wcag-tagwalk.js +1 -1
- package/lib/vendor/blamejs/lib/guard-html-wcag.js +4 -4
- package/lib/vendor/blamejs/lib/guard-html.js +7 -7
- package/lib/vendor/blamejs/lib/guard-idempotency-key.js +6 -6
- package/lib/vendor/blamejs/lib/guard-image.js +4 -4
- package/lib/vendor/blamejs/lib/guard-imap-command.js +17 -17
- package/lib/vendor/blamejs/lib/guard-jmap.js +20 -20
- package/lib/vendor/blamejs/lib/guard-json.js +12 -12
- package/lib/vendor/blamejs/lib/guard-jsonpath.js +3 -3
- package/lib/vendor/blamejs/lib/guard-jwt.js +4 -4
- package/lib/vendor/blamejs/lib/guard-list-id.js +7 -7
- package/lib/vendor/blamejs/lib/guard-list-unsubscribe.js +8 -8
- package/lib/vendor/blamejs/lib/guard-mail-compose.js +4 -4
- package/lib/vendor/blamejs/lib/guard-mail-move.js +5 -5
- package/lib/vendor/blamejs/lib/guard-mail-query.js +3 -3
- package/lib/vendor/blamejs/lib/guard-mail-reply.js +3 -3
- package/lib/vendor/blamejs/lib/guard-mail-sieve.js +6 -6
- package/lib/vendor/blamejs/lib/guard-managesieve-command.js +25 -25
- package/lib/vendor/blamejs/lib/guard-markdown.js +31 -31
- package/lib/vendor/blamejs/lib/guard-message-id.js +5 -5
- package/lib/vendor/blamejs/lib/guard-mime.js +1 -1
- package/lib/vendor/blamejs/lib/guard-oauth.js +3 -3
- package/lib/vendor/blamejs/lib/guard-pdf.js +6 -6
- package/lib/vendor/blamejs/lib/guard-pop3-command.js +11 -11
- package/lib/vendor/blamejs/lib/guard-posture-chain.js +5 -5
- package/lib/vendor/blamejs/lib/guard-regex.js +10 -10
- package/lib/vendor/blamejs/lib/guard-saga-config.js +5 -5
- package/lib/vendor/blamejs/lib/guard-smtp-command.js +6 -6
- package/lib/vendor/blamejs/lib/guard-snapshot-envelope.js +3 -3
- package/lib/vendor/blamejs/lib/guard-stream-args.js +4 -4
- package/lib/vendor/blamejs/lib/guard-svg.js +11 -11
- package/lib/vendor/blamejs/lib/guard-tenant-id.js +5 -5
- package/lib/vendor/blamejs/lib/guard-time.js +15 -15
- package/lib/vendor/blamejs/lib/guard-trace-context.js +4 -4
- package/lib/vendor/blamejs/lib/guard-uuid.js +11 -11
- package/lib/vendor/blamejs/lib/guard-xml.js +12 -12
- package/lib/vendor/blamejs/lib/guard-yaml.js +16 -16
- package/lib/vendor/blamejs/lib/honeytoken.js +5 -5
- package/lib/vendor/blamejs/lib/http-client-cache.js +18 -1
- package/lib/vendor/blamejs/lib/http-client.js +13 -10
- package/lib/vendor/blamejs/lib/http-message-signature.js +2 -2
- package/lib/vendor/blamejs/lib/iab-mspa.js +3 -3
- package/lib/vendor/blamejs/lib/iab-tcf.js +70 -70
- package/lib/vendor/blamejs/lib/inbox.js +4 -4
- package/lib/vendor/blamejs/lib/ip-utils.js +15 -15
- package/lib/vendor/blamejs/lib/jose-jwe-experimental.js +2 -2
- package/lib/vendor/blamejs/lib/json-path.js +3 -3
- package/lib/vendor/blamejs/lib/json-schema.js +1 -1
- package/lib/vendor/blamejs/lib/jsonapi.js +3 -3
- package/lib/vendor/blamejs/lib/jtd.js +2 -2
- package/lib/vendor/blamejs/lib/link-header.js +1 -1
- package/lib/vendor/blamejs/lib/local-db-thin.js +1 -1
- package/lib/vendor/blamejs/lib/log.js +8 -3
- package/lib/vendor/blamejs/lib/lro.js +4 -4
- package/lib/vendor/blamejs/lib/mail-agent.js +1 -1
- package/lib/vendor/blamejs/lib/mail-arc-sign.js +6 -6
- package/lib/vendor/blamejs/lib/mail-auth.js +44 -44
- package/lib/vendor/blamejs/lib/mail-bimi.js +3 -3
- package/lib/vendor/blamejs/lib/mail-crypto-pgp.js +53 -45
- package/lib/vendor/blamejs/lib/mail-crypto-smime.js +6 -6
- package/lib/vendor/blamejs/lib/mail-dav.js +1 -1
- package/lib/vendor/blamejs/lib/mail-deploy.js +40 -40
- package/lib/vendor/blamejs/lib/mail-dkim.js +12 -12
- package/lib/vendor/blamejs/lib/mail-greylist.js +12 -12
- package/lib/vendor/blamejs/lib/mail-helo.js +1 -1
- package/lib/vendor/blamejs/lib/mail-journal.js +8 -8
- package/lib/vendor/blamejs/lib/mail-rbl.js +7 -7
- package/lib/vendor/blamejs/lib/mail-scan.js +7 -7
- package/lib/vendor/blamejs/lib/mail-send-deliver.js +2 -2
- package/lib/vendor/blamejs/lib/mail-server-imap.js +12 -12
- package/lib/vendor/blamejs/lib/mail-server-jmap.js +18 -20
- package/lib/vendor/blamejs/lib/mail-server-managesieve.js +4 -4
- package/lib/vendor/blamejs/lib/mail-server-mx.js +17 -17
- package/lib/vendor/blamejs/lib/mail-server-pop3.js +4 -4
- package/lib/vendor/blamejs/lib/mail-server-rate-limit.js +2 -2
- package/lib/vendor/blamejs/lib/mail-server-submission.js +21 -21
- package/lib/vendor/blamejs/lib/mail-sieve.js +2 -2
- package/lib/vendor/blamejs/lib/mail-spam-score.js +5 -5
- package/lib/vendor/blamejs/lib/mail-srs.js +12 -12
- package/lib/vendor/blamejs/lib/mail-store-fts.js +2 -2
- package/lib/vendor/blamejs/lib/mail-store.js +8 -8
- package/lib/vendor/blamejs/lib/mail-unsubscribe.js +4 -4
- package/lib/vendor/blamejs/lib/mail.js +4 -4
- package/lib/vendor/blamejs/lib/mcp-tool-registry.js +4 -4
- package/lib/vendor/blamejs/lib/mcp.js +15 -15
- package/lib/vendor/blamejs/lib/mdoc.js +2 -2
- package/lib/vendor/blamejs/lib/metrics.js +8 -8
- package/lib/vendor/blamejs/lib/middleware/age-gate.js +15 -3
- package/lib/vendor/blamejs/lib/middleware/ai-act-disclosure.js +11 -4
- package/lib/vendor/blamejs/lib/middleware/api-encrypt.js +7 -7
- package/lib/vendor/blamejs/lib/middleware/assetlinks.js +2 -2
- package/lib/vendor/blamejs/lib/middleware/asyncapi-serve.js +2 -2
- package/lib/vendor/blamejs/lib/middleware/bearer-auth.js +5 -5
- package/lib/vendor/blamejs/lib/middleware/body-parser.js +5 -5
- package/lib/vendor/blamejs/lib/middleware/compose-pipeline.js +16 -16
- package/lib/vendor/blamejs/lib/middleware/csp-report.js +4 -4
- package/lib/vendor/blamejs/lib/middleware/daily-byte-quota.js +1 -1
- package/lib/vendor/blamejs/lib/middleware/dpop.js +1 -1
- package/lib/vendor/blamejs/lib/middleware/headers.js +2 -2
- package/lib/vendor/blamejs/lib/middleware/host-allowlist.js +1 -1
- package/lib/vendor/blamejs/lib/middleware/idempotency-key.js +12 -12
- package/lib/vendor/blamejs/lib/middleware/nel.js +1 -1
- package/lib/vendor/blamejs/lib/middleware/openapi-serve.js +2 -2
- package/lib/vendor/blamejs/lib/middleware/protected-resource-metadata.js +2 -2
- package/lib/vendor/blamejs/lib/middleware/rate-limit.js +14 -5
- package/lib/vendor/blamejs/lib/middleware/require-aal.js +1 -1
- package/lib/vendor/blamejs/lib/middleware/require-bound-key.js +2 -2
- package/lib/vendor/blamejs/lib/middleware/require-content-type.js +1 -1
- package/lib/vendor/blamejs/lib/middleware/require-methods.js +1 -1
- package/lib/vendor/blamejs/lib/middleware/require-step-up.js +2 -2
- package/lib/vendor/blamejs/lib/middleware/scim-server.js +1 -1
- package/lib/vendor/blamejs/lib/middleware/security-txt.js +3 -3
- package/lib/vendor/blamejs/lib/middleware/sse.js +14 -8
- package/lib/vendor/blamejs/lib/middleware/tus-upload.js +12 -12
- package/lib/vendor/blamejs/lib/middleware/web-app-manifest.js +2 -2
- package/lib/vendor/blamejs/lib/network-byte-quota.js +1 -1
- package/lib/vendor/blamejs/lib/network-dns-resolver.js +23 -23
- package/lib/vendor/blamejs/lib/network-dns.js +29 -29
- package/lib/vendor/blamejs/lib/network-dnssec.js +33 -33
- package/lib/vendor/blamejs/lib/network-smtp-policy.js +10 -10
- package/lib/vendor/blamejs/lib/network-tls.js +100 -98
- package/lib/vendor/blamejs/lib/network-tsig.js +33 -33
- package/lib/vendor/blamejs/lib/nis2-report.js +1 -1
- package/lib/vendor/blamejs/lib/ntp-check.js +3 -3
- package/lib/vendor/blamejs/lib/observability-otlp-exporter.js +17 -17
- package/lib/vendor/blamejs/lib/observability-tracer.js +6 -6
- package/lib/vendor/blamejs/lib/observability.js +8 -8
- package/lib/vendor/blamejs/lib/openapi-yaml.js +1 -1
- package/lib/vendor/blamejs/lib/openapi.js +1 -1
- package/lib/vendor/blamejs/lib/outbox.js +6 -6
- package/lib/vendor/blamejs/lib/pqc-agent.js +4 -4
- package/lib/vendor/blamejs/lib/pqc-software.js +1 -1
- package/lib/vendor/blamejs/lib/privacy-pass.js +5 -5
- package/lib/vendor/blamejs/lib/problem-details.js +5 -5
- package/lib/vendor/blamejs/lib/promise-pool.js +1 -1
- package/lib/vendor/blamejs/lib/protobuf-encoder.js +9 -1
- package/lib/vendor/blamejs/lib/queue.js +4 -2
- package/lib/vendor/blamejs/lib/redact.js +2 -2
- package/lib/vendor/blamejs/lib/request-helpers.js +1 -1
- package/lib/vendor/blamejs/lib/router.js +10 -10
- package/lib/vendor/blamejs/lib/safe-async.js +2 -2
- package/lib/vendor/blamejs/lib/safe-decompress.js +1 -1
- package/lib/vendor/blamejs/lib/safe-dns.js +71 -71
- package/lib/vendor/blamejs/lib/safe-ical.js +19 -19
- package/lib/vendor/blamejs/lib/safe-icap.js +24 -24
- package/lib/vendor/blamejs/lib/safe-jsonpath.js +2 -2
- package/lib/vendor/blamejs/lib/safe-mime.js +10 -10
- package/lib/vendor/blamejs/lib/safe-mount-info.js +3 -3
- package/lib/vendor/blamejs/lib/safe-redirect.js +1 -1
- package/lib/vendor/blamejs/lib/safe-sieve.js +23 -23
- package/lib/vendor/blamejs/lib/safe-smtp.js +1 -1
- package/lib/vendor/blamejs/lib/safe-url.js +1 -1
- package/lib/vendor/blamejs/lib/safe-vcard.js +14 -14
- package/lib/vendor/blamejs/lib/sandbox.js +5 -5
- package/lib/vendor/blamejs/lib/sec-cyber.js +1 -1
- package/lib/vendor/blamejs/lib/self-update-standalone-verifier.js +3 -3
- package/lib/vendor/blamejs/lib/self-update.js +3 -3
- package/lib/vendor/blamejs/lib/server-timing.js +3 -3
- package/lib/vendor/blamejs/lib/session-device-binding.js +7 -7
- package/lib/vendor/blamejs/lib/session.js +8 -8
- package/lib/vendor/blamejs/lib/sse.js +12 -5
- package/lib/vendor/blamejs/lib/standard-webhooks.js +4 -4
- package/lib/vendor/blamejs/lib/storage.js +2 -2
- package/lib/vendor/blamejs/lib/stream-throttle.js +3 -3
- package/lib/vendor/blamejs/lib/structured-fields.js +15 -15
- package/lib/vendor/blamejs/lib/subject.js +1 -1
- package/lib/vendor/blamejs/lib/tcpa-10dlc.js +1 -1
- package/lib/vendor/blamejs/lib/tenant-quota.js +3 -3
- package/lib/vendor/blamejs/lib/test-harness.js +1 -1
- package/lib/vendor/blamejs/lib/tracing.js +1 -1
- package/lib/vendor/blamejs/lib/tsa.js +5 -5
- package/lib/vendor/blamejs/lib/uri-template.js +5 -5
- package/lib/vendor/blamejs/lib/vault/index.js +2 -2
- package/lib/vendor/blamejs/lib/vault/seal-pem-file.js +4 -4
- package/lib/vendor/blamejs/lib/vc.js +2 -2
- package/lib/vendor/blamejs/lib/vendor-data.js +1 -1
- package/lib/vendor/blamejs/lib/watcher.js +4 -4
- package/lib/vendor/blamejs/lib/web-push-vapid.js +21 -21
- package/lib/vendor/blamejs/lib/webhook.js +2 -2
- package/lib/vendor/blamejs/lib/websocket.js +5 -5
- package/lib/vendor/blamejs/lib/worker-pool.js +3 -3
- package/lib/vendor/blamejs/lib/ws-client.js +24 -24
- package/lib/vendor/blamejs/lib/xml-c14n.js +2 -2
- package/lib/vendor/blamejs/package.json +1 -1
- package/lib/vendor/blamejs/release-notes/v0.13.x.json +1248 -0
- package/lib/vendor/blamejs/release-notes/v0.14.0.json +43 -0
- package/lib/vendor/blamejs/release-notes/v0.14.1.json +60 -0
- package/lib/vendor/blamejs/release-notes/v0.14.2.json +18 -0
- package/lib/vendor/blamejs/release-notes/v0.14.3.json +18 -0
- package/lib/vendor/blamejs/release-notes/v0.14.4.json +18 -0
- package/lib/vendor/blamejs/release-notes/v0.14.5.json +18 -0
- package/lib/vendor/blamejs/test/00-primitives.js +15 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/age-gate.test.js +22 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/auth-jar.test.js +29 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/codebase-patterns.test.js +105 -9
- package/lib/vendor/blamejs/test/layer-0-primitives/compliance-ai-act.test.js +15 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/graphql-federation.test.js +10 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/http-client-cache.test.js +12 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-crypto-pgp.test.js +7 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/network-tls.test.js +11 -5
- package/lib/vendor/blamejs/test/layer-0-primitives/rate-limit-registry.test.js +34 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/sse.test.js +12 -0
- package/package.json +1 -1
- package/lib/vendor/blamejs/release-notes/v0.13.0.json +0 -22
- package/lib/vendor/blamejs/release-notes/v0.13.1.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.13.10.json +0 -44
- package/lib/vendor/blamejs/release-notes/v0.13.11.json +0 -27
- package/lib/vendor/blamejs/release-notes/v0.13.12.json +0 -36
- package/lib/vendor/blamejs/release-notes/v0.13.13.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.13.14.json +0 -22
- package/lib/vendor/blamejs/release-notes/v0.13.15.json +0 -27
- package/lib/vendor/blamejs/release-notes/v0.13.16.json +0 -27
- package/lib/vendor/blamejs/release-notes/v0.13.17.json +0 -27
- package/lib/vendor/blamejs/release-notes/v0.13.18.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.13.19.json +0 -27
- package/lib/vendor/blamejs/release-notes/v0.13.2.json +0 -27
- package/lib/vendor/blamejs/release-notes/v0.13.20.json +0 -22
- package/lib/vendor/blamejs/release-notes/v0.13.21.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.13.22.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.13.23.json +0 -42
- package/lib/vendor/blamejs/release-notes/v0.13.24.json +0 -26
- package/lib/vendor/blamejs/release-notes/v0.13.25.json +0 -39
- package/lib/vendor/blamejs/release-notes/v0.13.26.json +0 -31
- package/lib/vendor/blamejs/release-notes/v0.13.27.json +0 -34
- package/lib/vendor/blamejs/release-notes/v0.13.28.json +0 -30
- package/lib/vendor/blamejs/release-notes/v0.13.29.json +0 -30
- package/lib/vendor/blamejs/release-notes/v0.13.3.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.13.30.json +0 -30
- package/lib/vendor/blamejs/release-notes/v0.13.31.json +0 -26
- package/lib/vendor/blamejs/release-notes/v0.13.32.json +0 -34
- package/lib/vendor/blamejs/release-notes/v0.13.33.json +0 -26
- package/lib/vendor/blamejs/release-notes/v0.13.34.json +0 -48
- package/lib/vendor/blamejs/release-notes/v0.13.35.json +0 -35
- package/lib/vendor/blamejs/release-notes/v0.13.36.json +0 -27
- package/lib/vendor/blamejs/release-notes/v0.13.37.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.13.38.json +0 -27
- package/lib/vendor/blamejs/release-notes/v0.13.39.json +0 -27
- package/lib/vendor/blamejs/release-notes/v0.13.4.json +0 -23
- package/lib/vendor/blamejs/release-notes/v0.13.40.json +0 -22
- package/lib/vendor/blamejs/release-notes/v0.13.41.json +0 -27
- package/lib/vendor/blamejs/release-notes/v0.13.42.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.13.43.json +0 -39
- package/lib/vendor/blamejs/release-notes/v0.13.44.json +0 -31
- package/lib/vendor/blamejs/release-notes/v0.13.45.json +0 -31
- package/lib/vendor/blamejs/release-notes/v0.13.46.json +0 -35
- package/lib/vendor/blamejs/release-notes/v0.13.5.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.13.6.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.13.7.json +0 -27
- package/lib/vendor/blamejs/release-notes/v0.13.8.json +0 -27
- package/lib/vendor/blamejs/release-notes/v0.13.9.json +0 -27
|
@@ -131,9 +131,9 @@ function _signParamsForAlg(alg) {
|
|
|
131
131
|
if (alg === "RS256") return { hash: "sha256", padding: nodeCrypto.constants.RSA_PKCS1_PADDING };
|
|
132
132
|
if (alg === "RS384") return { hash: "sha384", padding: nodeCrypto.constants.RSA_PKCS1_PADDING };
|
|
133
133
|
if (alg === "RS512") return { hash: "sha512", padding: nodeCrypto.constants.RSA_PKCS1_PADDING };
|
|
134
|
-
if (alg === "PS256") return { hash: "sha256", padding: nodeCrypto.constants.RSA_PKCS1_PSS_PADDING, saltLength: 32 }; //
|
|
135
|
-
if (alg === "PS384") return { hash: "sha384", padding: nodeCrypto.constants.RSA_PKCS1_PSS_PADDING, saltLength: 48 }; //
|
|
136
|
-
if (alg === "PS512") return { hash: "sha512", padding: nodeCrypto.constants.RSA_PKCS1_PSS_PADDING, saltLength: 64 }; //
|
|
134
|
+
if (alg === "PS256") return { hash: "sha256", padding: nodeCrypto.constants.RSA_PKCS1_PSS_PADDING, saltLength: 32 }; // RFC 7518 PS256 salt length
|
|
135
|
+
if (alg === "PS384") return { hash: "sha384", padding: nodeCrypto.constants.RSA_PKCS1_PSS_PADDING, saltLength: 48 }; // RFC 7518 PS384 salt length
|
|
136
|
+
if (alg === "PS512") return { hash: "sha512", padding: nodeCrypto.constants.RSA_PKCS1_PSS_PADDING, saltLength: 64 }; // RFC 7518 PS512 salt length
|
|
137
137
|
if (alg === "ES256") return { hash: "sha256", dsaEncoding: "ieee-p1363" };
|
|
138
138
|
if (alg === "ES384") return { hash: "sha384", dsaEncoding: "ieee-p1363" };
|
|
139
139
|
if (alg === "ES512") return { hash: "sha512", dsaEncoding: "ieee-p1363" };
|
|
@@ -97,7 +97,7 @@ function _b64urlDecode(s) {
|
|
|
97
97
|
// node:crypto.X509Certificate accepts it.
|
|
98
98
|
function _derToPem(b64) {
|
|
99
99
|
var lines = [];
|
|
100
|
-
for (var i = 0; i < b64.length; i += 64) lines.push(b64.slice(i, i + 64)); //
|
|
100
|
+
for (var i = 0; i < b64.length; i += 64) lines.push(b64.slice(i, i + 64)); // RFC 7468 PEM line width
|
|
101
101
|
return "-----BEGIN CERTIFICATE-----\n" + lines.join("\n") +
|
|
102
102
|
"\n-----END CERTIFICATE-----\n";
|
|
103
103
|
}
|
|
@@ -145,9 +145,9 @@ function _verifyParamsForAlg(alg) {
|
|
|
145
145
|
case "RS256": return { hash: "sha256", padding: nodeCrypto.constants.RSA_PKCS1_PADDING };
|
|
146
146
|
case "RS384": return { hash: "sha384", padding: nodeCrypto.constants.RSA_PKCS1_PADDING };
|
|
147
147
|
case "RS512": return { hash: "sha512", padding: nodeCrypto.constants.RSA_PKCS1_PADDING };
|
|
148
|
-
case "PS256": return { hash: "sha256", padding: nodeCrypto.constants.RSA_PKCS1_PSS_PADDING, saltLength: 32 }; //
|
|
149
|
-
case "PS384": return { hash: "sha384", padding: nodeCrypto.constants.RSA_PKCS1_PSS_PADDING, saltLength: 48 }; //
|
|
150
|
-
case "PS512": return { hash: "sha512", padding: nodeCrypto.constants.RSA_PKCS1_PSS_PADDING, saltLength: 64 }; //
|
|
148
|
+
case "PS256": return { hash: "sha256", padding: nodeCrypto.constants.RSA_PKCS1_PSS_PADDING, saltLength: 32 }; // SHA-256 hash length
|
|
149
|
+
case "PS384": return { hash: "sha384", padding: nodeCrypto.constants.RSA_PKCS1_PSS_PADDING, saltLength: 48 }; // SHA-384 hash length
|
|
150
|
+
case "PS512": return { hash: "sha512", padding: nodeCrypto.constants.RSA_PKCS1_PSS_PADDING, saltLength: 64 }; // SHA-512 hash length
|
|
151
151
|
case "ES256": return { hash: "sha256", dsaEncoding: "ieee-p1363" };
|
|
152
152
|
case "ES384": return { hash: "sha384", dsaEncoding: "ieee-p1363" };
|
|
153
153
|
case "ES512": return { hash: "sha512", dsaEncoding: "ieee-p1363" };
|
|
@@ -292,7 +292,7 @@ function _getCache() {
|
|
|
292
292
|
_sharedCache = cache().create({
|
|
293
293
|
namespace: "auth-fido-mds3.blob",
|
|
294
294
|
ttlMs: MAX_CACHE_TTL_MS,
|
|
295
|
-
maxEntries: 8, //
|
|
295
|
+
maxEntries: 8, // operator-pinned URL set
|
|
296
296
|
});
|
|
297
297
|
return _sharedCache;
|
|
298
298
|
}
|
|
@@ -315,7 +315,7 @@ function _ttlFromNextUpdate(nextUpdateDate) {
|
|
|
315
315
|
// valid future timestamp and influence the cache-TTL clamp downstream.
|
|
316
316
|
function _parseNextUpdate(s) {
|
|
317
317
|
if (typeof s !== "string") return null;
|
|
318
|
-
var m = s.match(/^(\d{4})-(\d{2})-(\d{2})$/); //
|
|
318
|
+
var m = s.match(/^(\d{4})-(\d{2})-(\d{2})$/); // ISO-8601 date components
|
|
319
319
|
if (!m) return null;
|
|
320
320
|
var year = parseInt(m[1], 10);
|
|
321
321
|
var month = parseInt(m[2], 10) - 1;
|
|
@@ -464,7 +464,7 @@ async function fetch(opts) { // allow:raw-outbound-http — function name is f
|
|
|
464
464
|
throw new FidoMds3Error("fido-mds3/network",
|
|
465
465
|
"BLOB GET " + url + " failed: " + ((e && e.message) || String(e)));
|
|
466
466
|
}
|
|
467
|
-
if (rsp.statusCode < 200 || rsp.statusCode >= 300) { //
|
|
467
|
+
if (rsp.statusCode < 200 || rsp.statusCode >= 300) { // HTTP 2xx range
|
|
468
468
|
throw new FidoMds3Error("fido-mds3/bad-status",
|
|
469
469
|
"BLOB GET " + url + " returned " + rsp.statusCode);
|
|
470
470
|
}
|
|
@@ -539,7 +539,7 @@ function lookupAaguid(blob, aaguid) {
|
|
|
539
539
|
throw new FidoMds3Error("fido-mds3/bad-aaguid", "aaguid must be a non-empty string");
|
|
540
540
|
}
|
|
541
541
|
var canon = aaguid.replace(/-/g, "").toLowerCase();
|
|
542
|
-
if (!safeBuffer.isHex(canon, 32)) { //
|
|
542
|
+
if (!safeBuffer.isHex(canon, 32)) { // 32 = AAGUID hex-char count, not bytes
|
|
543
543
|
throw new FidoMds3Error("fido-mds3/bad-aaguid",
|
|
544
544
|
"aaguid must be a UUID (with or without dashes)");
|
|
545
545
|
}
|
|
@@ -130,6 +130,17 @@ async function parse(jar, opts) {
|
|
|
130
130
|
audience: opts.audience,
|
|
131
131
|
clockSkewMs: opts.clockSkewMs,
|
|
132
132
|
});
|
|
133
|
+
// RFC 9101 §10.8 — the request object MUST be explicitly typed so a JWT
|
|
134
|
+
// minted for another purpose (id_token / access-token / logout-token)
|
|
135
|
+
// and signed by the same client key cannot be replayed here as a request
|
|
136
|
+
// object (cross-JWT confusion). Require the registered media type, with or
|
|
137
|
+
// without the "application/" prefix; an absent or mismatched typ is refused.
|
|
138
|
+
var jarTyp = verified.header && verified.header.typ;
|
|
139
|
+
if (jarTyp !== JAR_TYP && jarTyp !== "application/" + JAR_TYP) {
|
|
140
|
+
throw new AuthJarError("auth-jar/bad-typ",
|
|
141
|
+
"jar.parse: request object header.typ must be \"" + JAR_TYP +
|
|
142
|
+
"\" (RFC 9101 §10.8 — cross-JWT-confusion defense)");
|
|
143
|
+
}
|
|
133
144
|
var payload = verified.claims;
|
|
134
145
|
|
|
135
146
|
// RFC 9101 §5.2 — the request object MUST carry a client_id claim,
|
|
@@ -75,9 +75,9 @@ var MAX_TOKEN_BYTES = C.BYTES.kib(16);
|
|
|
75
75
|
var REFUSED_ALGS = ["HS256", "HS384", "HS512", "none"];
|
|
76
76
|
|
|
77
77
|
// PSS salt lengths per RFC 7518 §3.5.
|
|
78
|
-
var PSS_SALT_SHA256 = 32; //
|
|
79
|
-
var PSS_SALT_SHA384 = 48; //
|
|
80
|
-
var PSS_SALT_SHA512 = 64; //
|
|
78
|
+
var PSS_SALT_SHA256 = 32; // RFC 7518 SHA-256 salt length
|
|
79
|
+
var PSS_SALT_SHA384 = 48; // RFC 7518 SHA-384 salt length
|
|
80
|
+
var PSS_SALT_SHA512 = 64; // RFC 7518 SHA-512 salt length
|
|
81
81
|
|
|
82
82
|
var SUPPORTED_CLASSICAL_ALGS = [
|
|
83
83
|
"RS256", "RS384", "RS512",
|
|
@@ -105,7 +105,7 @@ function _b64urlDecode(s) {
|
|
|
105
105
|
throw new AuthError("auth-jwt-external/bad-base64", "expected base64url string");
|
|
106
106
|
}
|
|
107
107
|
var padded = s.replace(/-/g, "+").replace(/_/g, "/");
|
|
108
|
-
while (padded.length % 4) padded += "="; //
|
|
108
|
+
while (padded.length % 4) padded += "="; // base64 quartet padding
|
|
109
109
|
return Buffer.from(padded, "base64");
|
|
110
110
|
}
|
|
111
111
|
|
|
@@ -241,7 +241,7 @@ async function _fetchJwks(uri, cacheMs) {
|
|
|
241
241
|
maxBytes: MAX_JWKS_BYTES,
|
|
242
242
|
timeoutMs: C.TIME.seconds(10),
|
|
243
243
|
});
|
|
244
|
-
if (res.statusCode < 200 || res.statusCode >= 300) { //
|
|
244
|
+
if (res.statusCode < 200 || res.statusCode >= 300) { // HTTP 2xx range
|
|
245
245
|
throw new AuthError("auth-jwt-external/jwks-fetch-failed",
|
|
246
246
|
"JWKS endpoint " + uri + " returned " + res.statusCode);
|
|
247
247
|
}
|
|
@@ -836,10 +836,10 @@ function create(opts) {
|
|
|
836
836
|
// only in claim validation (no nonce, audience = clientId, no
|
|
837
837
|
// ID-token-specific claims). We wrap verifyIdToken with the
|
|
838
838
|
// skip-nonce flag and apply JARM-specific claim checks below.
|
|
839
|
+
// verifyIdToken applies the create()-level accepted algorithms / JWKS /
|
|
840
|
+
// clock-skew; only the JARM-specific skip-nonce flag is passed here.
|
|
839
841
|
var verified = await verifyIdToken(responseJwt, {
|
|
840
842
|
skipNonceCheck: true,
|
|
841
|
-
acceptedAlgs: jopts.acceptedAlgs,
|
|
842
|
-
maxClockSkewMs: jopts.maxClockSkewMs,
|
|
843
843
|
});
|
|
844
844
|
var c = verified.claims;
|
|
845
845
|
// Per JARM §4: `iss` MUST match the OP issuer; `aud` MUST contain
|
|
@@ -1297,7 +1297,7 @@ function create(opts) {
|
|
|
1297
1297
|
if (!rv || typeof rv.request_uri !== "string" || rv.request_uri.length === 0) {
|
|
1298
1298
|
throw new OAuthError("auth-oauth/par-bad-response",
|
|
1299
1299
|
"pushAuthorizationRequest: IdP did not return a request_uri (got " +
|
|
1300
|
-
JSON.stringify(rv).slice(0, 200) + ")"); //
|
|
1300
|
+
JSON.stringify(rv).slice(0, 200) + ")"); // error-message snippet length
|
|
1301
1301
|
}
|
|
1302
1302
|
// Build the browser-side redirect URL: /authorize?client_id=...&request_uri=...
|
|
1303
1303
|
var authzEndpoint = await _resolveEndpoint("authorizationEndpoint");
|
|
@@ -1419,12 +1419,10 @@ function create(opts) {
|
|
|
1419
1419
|
}
|
|
1420
1420
|
// Reuse verifyIdToken's signature-verification path. It looks up
|
|
1421
1421
|
// the IdP JWKS and checks the JWS — same trust anchor.
|
|
1422
|
+
// verifyIdToken applies the create()-level issuer / clientId / accepted
|
|
1423
|
+
// algorithms / JWKS / clock-skew — the same trust anchor as id_tokens.
|
|
1424
|
+
// Only the per-call logout-token semantics are passed here.
|
|
1422
1425
|
var verified = await verifyIdToken(logoutToken, {
|
|
1423
|
-
issuer: issuer,
|
|
1424
|
-
clientId: clientId,
|
|
1425
|
-
acceptedAlgs: vopts.acceptedAlgs,
|
|
1426
|
-
jwksUri: vopts.jwksUri,
|
|
1427
|
-
maxClockSkewMs: vopts.maxClockSkewMs,
|
|
1428
1426
|
// Logout tokens have no nonce — disable the nonce check that
|
|
1429
1427
|
// verifyIdToken would otherwise enforce on id_tokens.
|
|
1430
1428
|
skipNonceCheck: true,
|
|
@@ -1953,7 +1951,7 @@ function create(opts) {
|
|
|
1953
1951
|
}
|
|
1954
1952
|
// Terminal errors.
|
|
1955
1953
|
throw new OAuthError("auth-oauth/device-" + (err || "unknown"),
|
|
1956
|
-
"pollDeviceCode: " + (parsed && parsed.error_description ? parsed.error_description : text.slice(0, 200))); //
|
|
1954
|
+
"pollDeviceCode: " + (parsed && parsed.error_description ? parsed.error_description : text.slice(0, 200))); // 200-char error-snippet cap, not bytes
|
|
1957
1955
|
}
|
|
1958
1956
|
throw new OAuthError("auth-oauth/device-poll-timeout",
|
|
1959
1957
|
"pollDeviceCode: exceeded maxWaitMs " + (popts.maxWaitMs || C.TIME.minutes(10)));
|
|
@@ -98,7 +98,7 @@ function _verifyProofJwt(proofJwt, expectedAud, expectedCNonce, expectedClientId
|
|
|
98
98
|
}
|
|
99
99
|
var header, payload;
|
|
100
100
|
try {
|
|
101
|
-
header = safeJson.parse(_b64uDecodeStr(parts[0]), { maxBytes: 4096 }); //
|
|
101
|
+
header = safeJson.parse(_b64uDecodeStr(parts[0]), { maxBytes: 4096 }); // proof header cap
|
|
102
102
|
payload = safeJson.parse(_b64uDecodeStr(parts[1]), { maxBytes: MAX_PROOF_BYTES });
|
|
103
103
|
} catch (e) {
|
|
104
104
|
throw new AuthError("auth-oid4vci/bad-proof-decode",
|
|
@@ -240,7 +240,7 @@ function _verifyProofJwt(proofJwt, expectedAud, expectedCNonce, expectedClientId
|
|
|
240
240
|
* tokenEndpoint: string, // public URL for /token (re-used by the pre-auth flow)
|
|
241
241
|
* sdJwtIssuer: <b.auth.sdJwtVc.issuer instance>, // mints the SD-JWT VC
|
|
242
242
|
* supportedCredentials: { [id]: { format, vct, claims, ... } },
|
|
243
|
-
* proofAlgorithms: string[], // default ["ES256", "ES384"]
|
|
243
|
+
* proofAlgorithms: string[], // default ["ES256", "ES384", "EdDSA"]
|
|
244
244
|
* preAuthCodeTtlMs?: number, // default 5m
|
|
245
245
|
* accessTokenTtlMs?: number, // default 15m
|
|
246
246
|
* cNonceTtlMs?: number, // default 5m
|
|
@@ -367,7 +367,7 @@ function create(opts) {
|
|
|
367
367
|
"createCredentialOffer: credentialId \"" + id + "\" not in supportedCredentials");
|
|
368
368
|
}
|
|
369
369
|
});
|
|
370
|
-
var preAuthCode = generateToken(32); //
|
|
370
|
+
var preAuthCode = generateToken(32); // 256-bit single-use pre-auth code
|
|
371
371
|
var txCode = coOpts.txCode || null;
|
|
372
372
|
if (txCode !== null) {
|
|
373
373
|
if (typeof txCode !== "object" || typeof txCode.value !== "string") {
|
|
@@ -388,7 +388,7 @@ function create(opts) {
|
|
|
388
388
|
"urn:ietf:params:oauth:grant-type:pre-authorized_code": {
|
|
389
389
|
"pre-authorized_code": preAuthCode,
|
|
390
390
|
tx_code: txCode ? {
|
|
391
|
-
length: typeof txCode.length === "number" ? txCode.length : 4, //
|
|
391
|
+
length: typeof txCode.length === "number" ? txCode.length : 4, // default tx-code 4 digits
|
|
392
392
|
input_mode: txCode.input_mode || "numeric",
|
|
393
393
|
description: txCode.description || undefined,
|
|
394
394
|
} : undefined,
|
|
@@ -467,8 +467,8 @@ function create(opts) {
|
|
|
467
467
|
}
|
|
468
468
|
}
|
|
469
469
|
await codeStore.delete(eopts.preAuthCode);
|
|
470
|
-
var accessToken = generateToken(32); //
|
|
471
|
-
var cNonce = generateToken(16); //
|
|
470
|
+
var accessToken = generateToken(32); // 256-bit access token
|
|
471
|
+
var cNonce = generateToken(16); // 128-bit c_nonce
|
|
472
472
|
var record = {
|
|
473
473
|
subject: entry.subject,
|
|
474
474
|
credentialIds: entry.credentialIds,
|
|
@@ -485,9 +485,9 @@ function create(opts) {
|
|
|
485
485
|
return {
|
|
486
486
|
access_token: accessToken,
|
|
487
487
|
token_type: "Bearer",
|
|
488
|
-
expires_in: Math.floor(accessTokenTtl / 1000), //
|
|
488
|
+
expires_in: Math.floor(accessTokenTtl / 1000), // ms→s
|
|
489
489
|
c_nonce: cNonce,
|
|
490
|
-
c_nonce_expires_in: Math.floor(cNonceTtl / 1000), //
|
|
490
|
+
c_nonce_expires_in: Math.floor(cNonceTtl / 1000), // ms→s
|
|
491
491
|
authorization_details: entry.credentialIds.map(function (id) {
|
|
492
492
|
return {
|
|
493
493
|
type: "openid_credential",
|
|
@@ -572,7 +572,7 @@ function create(opts) {
|
|
|
572
572
|
|
|
573
573
|
// Rotate c_nonce so a replayed proof-JWT for a follow-up
|
|
574
574
|
// batch_credential request is rejected.
|
|
575
|
-
var newCNonce = generateToken(16); //
|
|
575
|
+
var newCNonce = generateToken(16); // 128-bit c_nonce
|
|
576
576
|
await cNonceStore.set(iopts.accessToken, newCNonce);
|
|
577
577
|
|
|
578
578
|
// AUTH-6 — when single-use is on (default), DELETE the access token
|
|
@@ -600,7 +600,7 @@ function create(opts) {
|
|
|
600
600
|
format: spec.format,
|
|
601
601
|
credential: sdJwtToken.token,
|
|
602
602
|
c_nonce: newCNonce,
|
|
603
|
-
c_nonce_expires_in: Math.floor(cNonceTtl / 1000), //
|
|
603
|
+
c_nonce_expires_in: Math.floor(cNonceTtl / 1000), // ms→s
|
|
604
604
|
};
|
|
605
605
|
}
|
|
606
606
|
|
|
@@ -348,8 +348,8 @@ function create(opts) {
|
|
|
348
348
|
"createRequest: dcql is required");
|
|
349
349
|
}
|
|
350
350
|
_validateDcql(ropts.dcql);
|
|
351
|
-
var nonce = ropts.nonce || generateToken(16); //
|
|
352
|
-
var state = ropts.state || generateToken(16); //
|
|
351
|
+
var nonce = ropts.nonce || generateToken(16); // 128-bit nonce
|
|
352
|
+
var state = ropts.state || generateToken(16); // 128-bit state
|
|
353
353
|
var request = {
|
|
354
354
|
response_type: "vp_token",
|
|
355
355
|
response_mode: ropts.responseMode || "direct_post",
|
|
@@ -82,7 +82,7 @@ var _emitMetric = emit.metric;
|
|
|
82
82
|
|
|
83
83
|
var SUPPORTED_ALGS = ["ES256", "ES384", "ES512", "PS256", "PS384", "PS512", "RS256", "EdDSA"];
|
|
84
84
|
var MAX_STATEMENT_BYTES = 64 * 1024; // allow:raw-byte-literal — entity-statement size cap
|
|
85
|
-
var MAX_CHAIN_DEPTH = 10; //
|
|
85
|
+
var MAX_CHAIN_DEPTH = 10; // federation chain depth ceiling
|
|
86
86
|
|
|
87
87
|
function _b64uDecodeStr(s) { return Buffer.from(s, "base64url").toString("utf8"); }
|
|
88
88
|
|
|
@@ -117,7 +117,7 @@ function parseEntityStatement(jwt) {
|
|
|
117
117
|
}
|
|
118
118
|
var header, payload;
|
|
119
119
|
try {
|
|
120
|
-
header = safeJson.parse(_b64uDecodeStr(parts[0]), { maxBytes: 4096 }); //
|
|
120
|
+
header = safeJson.parse(_b64uDecodeStr(parts[0]), { maxBytes: 4096 }); // header cap
|
|
121
121
|
payload = safeJson.parse(_b64uDecodeStr(parts[1]), { maxBytes: MAX_STATEMENT_BYTES });
|
|
122
122
|
} catch (e) {
|
|
123
123
|
throw new AuthError("auth-openid-federation/bad-decode",
|
|
@@ -64,7 +64,7 @@ var { AuthError } = require("../framework-error");
|
|
|
64
64
|
// W3C WebAuthn name field cap — same as the rpName/userName ceiling in
|
|
65
65
|
// the spec's CredentialUserEntity / PublicKeyCredentialEntity dictionaries
|
|
66
66
|
// (no normative limit but RPs broadly cap at 256 to defeat DOM cost).
|
|
67
|
-
var MAX_NAME_LEN = 256; //
|
|
67
|
+
var MAX_NAME_LEN = 256; // UTF-16 codepoint count, not bytes
|
|
68
68
|
|
|
69
69
|
function _vendor() {
|
|
70
70
|
return _wa;
|
|
@@ -306,7 +306,7 @@ async function conditionalAuthOptions(opts) {
|
|
|
306
306
|
|
|
307
307
|
// CTAP2.1 §6.5 — PRF eval inputs are 32-byte salts. Caps every
|
|
308
308
|
// extension input that ships through the binary normalizer.
|
|
309
|
-
var MAX_EXT_INPUT_BYTES = 32; //
|
|
309
|
+
var MAX_EXT_INPUT_BYTES = 32; // CTAP2.1 §6.5 PRF salt length
|
|
310
310
|
|
|
311
311
|
function _b64urlExtInput(value, name, maxBytes) {
|
|
312
312
|
// Accept a base64url string OR a Buffer / Uint8Array. Normalize the
|
|
@@ -436,7 +436,7 @@ function _credBlobExt(args) {
|
|
|
436
436
|
throw new AuthError("auth-passkey/bad-credblob",
|
|
437
437
|
"extensions.credBlob blob must be a Uint8Array / Buffer");
|
|
438
438
|
}
|
|
439
|
-
if (buf.length === 0 || buf.length > 32) { //
|
|
439
|
+
if (buf.length === 0 || buf.length > 32) { // CTAP2.1 §11.1 credBlob max
|
|
440
440
|
throw new AuthError("auth-passkey/credblob-bad-length",
|
|
441
441
|
"extensions.credBlob blob must be 1-32 bytes (CTAP2.1 §11.1)");
|
|
442
442
|
}
|
|
@@ -592,10 +592,14 @@ function create(opts) {
|
|
|
592
592
|
var nameId = _textContent(nameIdEl);
|
|
593
593
|
var nameIdFormat = _attr(nameIdEl, "Format");
|
|
594
594
|
|
|
595
|
-
var nowSec = Math.floor((vopts.now || Date.now()) / 1000); //
|
|
595
|
+
var nowSec = Math.floor((vopts.now || Date.now()) / 1000); // ms→s
|
|
596
596
|
var confirmations = _findAllChildren(subject, "SubjectConfirmation", SAML_NS.assertion);
|
|
597
597
|
var bearerOk = false;
|
|
598
598
|
var hokOk = false;
|
|
599
|
+
// InResponseTo of the SubjectConfirmation that actually passed bearer
|
|
600
|
+
// validation — captured so the returned value can't be sourced from a
|
|
601
|
+
// different (non-validated) confirmation when several are present.
|
|
602
|
+
var matchedInResponseTo = null;
|
|
599
603
|
var hokFingerprint = null;
|
|
600
604
|
// Holder-of-Key SubjectConfirmation per SAML 2.0 Profile §3.1
|
|
601
605
|
// (urn:oasis:names:tc:SAML:2.0:cm:holder-of-key). The IdP binds
|
|
@@ -680,10 +684,10 @@ function create(opts) {
|
|
|
680
684
|
// as Bearer (Profile §3.1 incorporates §3 by reference).
|
|
681
685
|
var nbHok = _attr(scdHok, "NotBefore");
|
|
682
686
|
var noaHok = _attr(scdHok, "NotOnOrAfter");
|
|
683
|
-
if (nbHok && isFinite(Date.parse(nbHok) / 1000) && //
|
|
684
|
-
Date.parse(nbHok) / 1000 > nowSec + clockSkewSec) continue; //
|
|
685
|
-
if (noaHok && isFinite(Date.parse(noaHok) / 1000) && //
|
|
686
|
-
Date.parse(noaHok) / 1000 < nowSec - clockSkewSec) continue; //
|
|
687
|
+
if (nbHok && isFinite(Date.parse(nbHok) / 1000) && // ms→s
|
|
688
|
+
Date.parse(nbHok) / 1000 > nowSec + clockSkewSec) continue; // ms→s
|
|
689
|
+
if (noaHok && isFinite(Date.parse(noaHok) / 1000) && // ms→s
|
|
690
|
+
Date.parse(noaHok) / 1000 < nowSec - clockSkewSec) continue; // ms→s
|
|
687
691
|
var recipHok = _attr(scdHok, "Recipient");
|
|
688
692
|
if (recipHok && recipHok !== opts.assertionConsumerServiceUrl) continue;
|
|
689
693
|
hokOk = true;
|
|
@@ -694,14 +698,14 @@ function create(opts) {
|
|
|
694
698
|
if (!scd) continue;
|
|
695
699
|
var notOnOrAfter = _attr(scd, "NotOnOrAfter");
|
|
696
700
|
if (notOnOrAfter) {
|
|
697
|
-
var t = Date.parse(notOnOrAfter) / 1000; //
|
|
701
|
+
var t = Date.parse(notOnOrAfter) / 1000; // ms→s
|
|
698
702
|
if (!isFinite(t) || t < nowSec - clockSkewSec) {
|
|
699
703
|
continue; // expired confirmation — try next
|
|
700
704
|
}
|
|
701
705
|
}
|
|
702
706
|
var notBefore = _attr(scd, "NotBefore");
|
|
703
707
|
if (notBefore) {
|
|
704
|
-
var nb = Date.parse(notBefore) / 1000; //
|
|
708
|
+
var nb = Date.parse(notBefore) / 1000; // ms→s
|
|
705
709
|
if (isFinite(nb) && nb > nowSec + clockSkewSec) continue;
|
|
706
710
|
}
|
|
707
711
|
var recipient = _attr(scd, "Recipient");
|
|
@@ -721,6 +725,7 @@ function create(opts) {
|
|
|
721
725
|
"AuthnRequest ID (replay defense)");
|
|
722
726
|
}
|
|
723
727
|
}
|
|
728
|
+
matchedInResponseTo = inResponseTo;
|
|
724
729
|
bearerOk = true;
|
|
725
730
|
break;
|
|
726
731
|
}
|
|
@@ -736,14 +741,14 @@ function create(opts) {
|
|
|
736
741
|
var cNotBefore = _attr(conditions, "NotBefore");
|
|
737
742
|
var cNotOnOrAfter = _attr(conditions, "NotOnOrAfter");
|
|
738
743
|
if (cNotBefore) {
|
|
739
|
-
var cnb = Date.parse(cNotBefore) / 1000; //
|
|
744
|
+
var cnb = Date.parse(cNotBefore) / 1000; // ms→s
|
|
740
745
|
if (isFinite(cnb) && cnb > nowSec + clockSkewSec) {
|
|
741
746
|
throw new AuthError("auth-saml/conditions-not-yet-valid",
|
|
742
747
|
"Conditions NotBefore is in the future");
|
|
743
748
|
}
|
|
744
749
|
}
|
|
745
750
|
if (cNotOnOrAfter) {
|
|
746
|
-
var cnoa = Date.parse(cNotOnOrAfter) / 1000; //
|
|
751
|
+
var cnoa = Date.parse(cNotOnOrAfter) / 1000; // ms→s
|
|
747
752
|
if (isFinite(cnoa) && cnoa < nowSec - clockSkewSec) {
|
|
748
753
|
throw new AuthError("auth-saml/conditions-expired",
|
|
749
754
|
"Conditions NotOnOrAfter has passed");
|
|
@@ -787,8 +792,7 @@ function create(opts) {
|
|
|
787
792
|
sessionIndex: sessionIndex,
|
|
788
793
|
attributes: attributes,
|
|
789
794
|
audience: audience,
|
|
790
|
-
inResponseTo: bearerOk ?
|
|
791
|
-
"SubjectConfirmationData", SAML_NS.assertion), "InResponseTo") : null,
|
|
795
|
+
inResponseTo: bearerOk ? matchedInResponseTo : null,
|
|
792
796
|
issuer: issuer,
|
|
793
797
|
};
|
|
794
798
|
}
|
|
@@ -884,7 +888,7 @@ function create(opts) {
|
|
|
884
888
|
throw new AuthError("auth-saml/no-idp-slo",
|
|
885
889
|
"buildLogoutRequest: opts.idpSloUrl (or sp.create's opts.idpSloUrl) required");
|
|
886
890
|
}
|
|
887
|
-
var id = "_" + generateToken(20); //
|
|
891
|
+
var id = "_" + generateToken(20); // 20-byte SAML ID token
|
|
888
892
|
var issueInstant = new Date().toISOString();
|
|
889
893
|
var c14n = xmlC14n();
|
|
890
894
|
var nameIdFormatAttr = bopts.nameIdFormat
|
|
@@ -1085,7 +1089,7 @@ function create(opts) {
|
|
|
1085
1089
|
validateOpts.requireNonEmptyString(bopts.inResponseTo, "inResponseTo", AuthError, "auth-saml/no-in-response-to");
|
|
1086
1090
|
validateOpts.requireNonEmptyString(bopts.destination, "destination", AuthError, "auth-saml/no-destination");
|
|
1087
1091
|
var statusCode = bopts.statusCode || "urn:oasis:names:tc:SAML:2.0:status:Success";
|
|
1088
|
-
var id = "_" + generateToken(20); //
|
|
1092
|
+
var id = "_" + generateToken(20); // 20-byte SAML ID token
|
|
1089
1093
|
var issueInstant = new Date().toISOString();
|
|
1090
1094
|
var c14n = xmlC14n();
|
|
1091
1095
|
var xml =
|
|
@@ -1288,7 +1292,7 @@ function create(opts) {
|
|
|
1288
1292
|
throw new AuthError("auth-saml/no-idp-slo",
|
|
1289
1293
|
"buildLogoutRequestPost: opts.idpSloUrl required");
|
|
1290
1294
|
}
|
|
1291
|
-
var id = "_" + generateToken(20); //
|
|
1295
|
+
var id = "_" + generateToken(20); // 20-byte SAML ID token
|
|
1292
1296
|
var issueInstant = new Date().toISOString();
|
|
1293
1297
|
var c14n = xmlC14n();
|
|
1294
1298
|
var nameIdFormatAttr = bopts.nameIdFormat
|
|
@@ -1663,18 +1667,18 @@ function _decryptEncryptedAssertion(encAssertion, spPrivateKeyPem) {
|
|
|
1663
1667
|
var clearBytes;
|
|
1664
1668
|
if (contentAlg === "http://www.w3.org/2009/xmlenc11#aes128-gcm" ||
|
|
1665
1669
|
contentAlg === "http://www.w3.org/2009/xmlenc11#aes256-gcm") {
|
|
1666
|
-
var aesBits = contentAlg.indexOf("aes128") !== -1 ? 128 : 256; //
|
|
1667
|
-
var expectedKeyBytes = aesBits / 8; //
|
|
1670
|
+
var aesBits = contentAlg.indexOf("aes128") !== -1 ? 128 : 256; // AES key size
|
|
1671
|
+
var expectedKeyBytes = aesBits / 8; // bits→bytes
|
|
1668
1672
|
if (cek.length !== expectedKeyBytes) {
|
|
1669
1673
|
throw new AuthError("auth-saml/encrypted-wrong-cek-len",
|
|
1670
1674
|
"AES-" + aesBits + "-GCM CEK length is " + cek.length + ", expected " + expectedKeyBytes);
|
|
1671
1675
|
}
|
|
1672
|
-
if (contentBlob.length < 28) { //
|
|
1676
|
+
if (contentBlob.length < 28) { // 12 IV + 16 tag
|
|
1673
1677
|
throw new AuthError("auth-saml/encrypted-content-too-short",
|
|
1674
1678
|
"AES-GCM CipherValue too short to contain IV (12) + tag (16)");
|
|
1675
1679
|
}
|
|
1676
|
-
var iv = contentBlob.subarray(0, 12); //
|
|
1677
|
-
var tag = contentBlob.subarray(contentBlob.length - 16); //
|
|
1680
|
+
var iv = contentBlob.subarray(0, 12); // GCM IV size
|
|
1681
|
+
var tag = contentBlob.subarray(contentBlob.length - 16); // GCM tag size
|
|
1678
1682
|
var ct = contentBlob.subarray(12, contentBlob.length - 16);
|
|
1679
1683
|
var decipher = nodeCrypto.createDecipheriv("aes-" + aesBits + "-gcm", cek, iv);
|
|
1680
1684
|
decipher.setAuthTag(tag);
|
|
@@ -1684,16 +1688,16 @@ function _decryptEncryptedAssertion(encAssertion, spPrivateKeyPem) {
|
|
|
1684
1688
|
"AES-GCM authentication tag mismatch: " + ((eD && eD.message) || String(eD)));
|
|
1685
1689
|
}
|
|
1686
1690
|
} else if (contentAlg === "urn:blamejs:experimental:xmlenc:xchacha20-poly1305") {
|
|
1687
|
-
if (cek.length !== 32) { //
|
|
1691
|
+
if (cek.length !== 32) { // XChaCha20 key size
|
|
1688
1692
|
throw new AuthError("auth-saml/encrypted-wrong-cek-len",
|
|
1689
1693
|
"XChaCha20-Poly1305 CEK length is " + cek.length + ", expected 32");
|
|
1690
1694
|
}
|
|
1691
|
-
if (contentBlob.length < 40) { //
|
|
1695
|
+
if (contentBlob.length < 40) { // 24 nonce + 16 tag
|
|
1692
1696
|
throw new AuthError("auth-saml/encrypted-content-too-short",
|
|
1693
1697
|
"XChaCha20-Poly1305 CipherValue too short");
|
|
1694
1698
|
}
|
|
1695
|
-
var xnonce = contentBlob.subarray(0, 24); //
|
|
1696
|
-
var xtag = contentBlob.subarray(contentBlob.length - 16); //
|
|
1699
|
+
var xnonce = contentBlob.subarray(0, 24); // XChaCha20 nonce size
|
|
1700
|
+
var xtag = contentBlob.subarray(contentBlob.length - 16); // Poly1305 tag size
|
|
1697
1701
|
var xct = contentBlob.subarray(24, contentBlob.length - 16);
|
|
1698
1702
|
try {
|
|
1699
1703
|
clearBytes = bCrypto.aeadDecrypt({
|
|
@@ -1722,8 +1726,8 @@ function _decryptEncryptedAssertion(encAssertion, spPrivateKeyPem) {
|
|
|
1722
1726
|
|
|
1723
1727
|
// PQC SignatureMethod URIs used by the embedded XMLDSig signatures.
|
|
1724
1728
|
// Standard XMLDSig vocabulary classical signing URIs (W3C XMLDSig
|
|
1725
|
-
// Core 1.1 + RFC 9231 for Ed25519) are dispatched via _sigAlgUrn
|
|
1726
|
-
//
|
|
1729
|
+
// Core 1.1 + RFC 9231 for Ed25519) are dispatched via _sigAlgUrn (sign
|
|
1730
|
+
// side) and the SUPPORTED_SIG table (verify side). The framework adds two non-standard URNs for
|
|
1727
1731
|
// ML-DSA because no W3C/IETF XMLDSig URI registration exists for
|
|
1728
1732
|
// post-quantum signers yet (LAMPS WG has open drafts but none final).
|
|
1729
1733
|
// Operators integrating with PQC-aware IdPs that exchange those URNs
|
|
@@ -1971,7 +1975,7 @@ function _sigAlgUrn(alg) {
|
|
|
1971
1975
|
var keyObj = (sk && typeof sk === "object" && sk.type === "private") ? sk
|
|
1972
1976
|
: (typeof sk === "string" || (sk && sk.kty)) ? nodeCrypto.createPrivateKey(sk)
|
|
1973
1977
|
: nodeCrypto.createPrivateKey({ key: Buffer.concat([
|
|
1974
|
-
Buffer.from("302e020100300506032b657004220420", "hex"), //
|
|
1978
|
+
Buffer.from("302e020100300506032b657004220420", "hex"), // Ed25519 PKCS#8 prefix
|
|
1975
1979
|
Buffer.from(sk),
|
|
1976
1980
|
]), format: "der", type: "pkcs8" });
|
|
1977
1981
|
return nodeCrypto.sign(null, Buffer.from(bytes), keyObj);
|
|
@@ -1980,7 +1984,7 @@ function _sigAlgUrn(alg) {
|
|
|
1980
1984
|
var keyObj = (pk && typeof pk === "object" && pk.type === "public") ? pk
|
|
1981
1985
|
: (typeof pk === "string" || (pk && pk.kty)) ? nodeCrypto.createPublicKey(pk)
|
|
1982
1986
|
: nodeCrypto.createPublicKey({ key: Buffer.concat([
|
|
1983
|
-
Buffer.from("302a300506032b6570032100", "hex"), //
|
|
1987
|
+
Buffer.from("302a300506032b6570032100", "hex"), // Ed25519 SPKI prefix
|
|
1984
1988
|
Buffer.from(pk),
|
|
1985
1989
|
]), format: "der", type: "spki" });
|
|
1986
1990
|
return nodeCrypto.verify(null, Buffer.from(msg), keyObj, Buffer.from(sig));
|
|
@@ -2023,22 +2027,6 @@ function _sigAlgUrn(alg) {
|
|
|
2023
2027
|
return null;
|
|
2024
2028
|
}
|
|
2025
2029
|
|
|
2026
|
-
// Reverse lookup — SignatureMethod URI on the inbound wire → alg
|
|
2027
|
-
// shorthand for _sigAlgUrn dispatch. Used by _verifyEmbeddedXmlDsig
|
|
2028
|
-
// to pick the right verifier when an IdP signs with a classical alg.
|
|
2029
|
-
function _sigAlgFromUri(uri) {
|
|
2030
|
-
if (uri === "urn:blamejs:experimental:saml-sig-alg:ml-dsa-65") return "ml-dsa-65";
|
|
2031
|
-
if (uri === "urn:blamejs:experimental:saml-sig-alg:ml-dsa-87") return "ml-dsa-87";
|
|
2032
|
-
if (uri === "http://www.w3.org/2021/04/xmldsig-more#ed25519") return "ed25519";
|
|
2033
|
-
if (uri === "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256") return "rsa-sha256";
|
|
2034
|
-
if (uri === "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384") return "rsa-sha384";
|
|
2035
|
-
if (uri === "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512") return "rsa-sha512";
|
|
2036
|
-
if (uri === "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256") return "ecdsa-sha256";
|
|
2037
|
-
if (uri === "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384") return "ecdsa-sha384";
|
|
2038
|
-
if (uri === "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512") return "ecdsa-sha512";
|
|
2039
|
-
return null;
|
|
2040
|
-
}
|
|
2041
|
-
|
|
2042
2030
|
/**
|
|
2043
2031
|
* @primitive b.auth.saml.fetchMdq
|
|
2044
2032
|
* @signature b.auth.saml.fetchMdq(opts)
|
|
@@ -17,7 +17,7 @@ var nodeCrypto = require("node:crypto");
|
|
|
17
17
|
var safeJson = require("../safe-json");
|
|
18
18
|
var { AuthError } = require("../framework-error");
|
|
19
19
|
|
|
20
|
-
var DEFAULT_SALT_BYTES = 16; //
|
|
20
|
+
var DEFAULT_SALT_BYTES = 16; // 128-bit salt per spec recommendation
|
|
21
21
|
|
|
22
22
|
function _newSalt(opts) {
|
|
23
23
|
if (opts && opts.saltSource && typeof opts.saltSource === "function") {
|
|
@@ -239,8 +239,8 @@ function issue(opts) {
|
|
|
239
239
|
sdDigests.sort();
|
|
240
240
|
|
|
241
241
|
var now = (typeof opts.issuedAt === "number" && isFinite(opts.issuedAt))
|
|
242
|
-
? Math.floor(opts.issuedAt / 1000) : Math.floor(Date.now() / 1000); //
|
|
243
|
-
var ttlSec = opts.ttlMs ? Math.floor(opts.ttlMs / 1000) : 30 * 24 * 60 * 60; //
|
|
242
|
+
? Math.floor(opts.issuedAt / 1000) : Math.floor(Date.now() / 1000); // ms→s conversion factor
|
|
243
|
+
var ttlSec = opts.ttlMs ? Math.floor(opts.ttlMs / 1000) : 30 * 24 * 60 * 60; // ms→s conversion + 30-day default in seconds
|
|
244
244
|
|
|
245
245
|
var payload = Object.assign({}, plainClaims, {
|
|
246
246
|
iss: opts.issuer,
|
|
@@ -355,7 +355,7 @@ function present(opts) {
|
|
|
355
355
|
"present: algorithm must be one of " + SUPPORTED_ALGS.join(", "));
|
|
356
356
|
}
|
|
357
357
|
var now = (typeof opts.issuedAt === "number" && isFinite(opts.issuedAt))
|
|
358
|
-
? Math.floor(opts.issuedAt / 1000) : Math.floor(Date.now() / 1000); //
|
|
358
|
+
? Math.floor(opts.issuedAt / 1000) : Math.floor(Date.now() / 1000); // ms→s conversion factor
|
|
359
359
|
// The KB-JWT's hash binds it to the specific SD-JWT + presentation
|
|
360
360
|
var kbHashInput = presentation; // jwt~d1~d2~ (without KB)
|
|
361
361
|
// sd_hash uses the SAME hash algorithm the credential's _sd
|
|
@@ -505,7 +505,7 @@ async function verify(presentation, opts) {
|
|
|
505
505
|
|
|
506
506
|
// 2. Validate iss / iat / exp / vct
|
|
507
507
|
var nowSec = (typeof opts.now === "number" && isFinite(opts.now))
|
|
508
|
-
? Math.floor(opts.now / 1000) : Math.floor(Date.now() / 1000); //
|
|
508
|
+
? Math.floor(opts.now / 1000) : Math.floor(Date.now() / 1000); // ms→s conversion factor
|
|
509
509
|
var skew = (typeof opts.maxClockSkewSec === "number") ? opts.maxClockSkewSec : 60; // allow:raw-time-literal — default 60s clock-skew tolerance
|
|
510
510
|
if (typeof jwtParsed.payload.iat === "number" && jwtParsed.payload.iat > nowSec + skew) {
|
|
511
511
|
throw new AuthError("auth-sd-jwt-vc/iat-future",
|
|
@@ -597,7 +597,7 @@ async function verify(presentation, opts) {
|
|
|
597
597
|
}
|
|
598
598
|
// Verify KB-JWT signature
|
|
599
599
|
var kbHeaderObj;
|
|
600
|
-
try { kbHeaderObj = safeJson.parse(_b64uDecodeStr(maybeKbJwt.split(".")[0]), { maxBytes: 4096 }); } // allow:bare-json-parse — kb header from validated KB-JWT; signature verifies
|
|
600
|
+
try { kbHeaderObj = safeJson.parse(_b64uDecodeStr(maybeKbJwt.split(".")[0]), { maxBytes: 4096 }); } // allow:bare-json-parse — kb header from validated KB-JWT; signature verifies
|
|
601
601
|
catch (e) {
|
|
602
602
|
throw new AuthError("auth-sd-jwt-vc/bad-kb-header",
|
|
603
603
|
"verify: malformed KB-JWT header: " + e.message);
|
|
@@ -55,7 +55,7 @@ var { defineClass } = require("../framework-error");
|
|
|
55
55
|
|
|
56
56
|
var StatusListError = defineClass("StatusListError", { alwaysPermanent: true });
|
|
57
57
|
|
|
58
|
-
var SUPPORTED_BIT_SIZES = { 1: 1, 2: 1, 4: 1, 8: 1 }; //
|
|
58
|
+
var SUPPORTED_BIT_SIZES = { 1: 1, 2: 1, 4: 1, 8: 1 }; // bit-size enum (1/2/4/8 bits per status), not bytes
|
|
59
59
|
var STATUS_VALID = 0;
|
|
60
60
|
var STATUS_INVALID = 1;
|
|
61
61
|
var STATUS_SUSPENDED = 2;
|
|
@@ -107,7 +107,7 @@ function create(opts) {
|
|
|
107
107
|
var bits = opts.bits === undefined ? 1 : opts.bits;
|
|
108
108
|
_validateBits(bits);
|
|
109
109
|
// Allocate the bit-packed buffer up front. byteCount = ceil(size*bits/8).
|
|
110
|
-
var bitBytes = Math.ceil((size * bits) / 8); //
|
|
110
|
+
var bitBytes = Math.ceil((size * bits) / 8); // bits-per-byte conversion
|
|
111
111
|
var bytes = Buffer.alloc(bitBytes);
|
|
112
112
|
if (opts.fill !== undefined && opts.fill !== 0) {
|
|
113
113
|
_validateStatus(opts.fill, bits);
|
|
@@ -184,19 +184,19 @@ function create(opts) {
|
|
|
184
184
|
// ---- bit-packed helpers ----
|
|
185
185
|
|
|
186
186
|
function _setAt(bytes, bits, idx, status) {
|
|
187
|
-
if (bits === 8) { bytes[idx] = status & 0xff; return; } //
|
|
187
|
+
if (bits === 8) { bytes[idx] = status & 0xff; return; } // byte mask
|
|
188
188
|
var bitOffset = idx * bits;
|
|
189
|
-
var byteIdx = Math.floor(bitOffset / 8); //
|
|
190
|
-
var bitInByte = bitOffset % 8; //
|
|
189
|
+
var byteIdx = Math.floor(bitOffset / 8); // bits-per-byte
|
|
190
|
+
var bitInByte = bitOffset % 8; // bits-per-byte
|
|
191
191
|
var mask = ((1 << bits) - 1) << bitInByte;
|
|
192
192
|
bytes[byteIdx] = (bytes[byteIdx] & ~mask) | ((status << bitInByte) & mask);
|
|
193
193
|
}
|
|
194
194
|
|
|
195
195
|
function _getAt(bytes, bits, idx) {
|
|
196
|
-
if (bits === 8) return bytes[idx]; //
|
|
196
|
+
if (bits === 8) return bytes[idx]; // 8-bit fast path
|
|
197
197
|
var bitOffset = idx * bits;
|
|
198
|
-
var byteIdx = Math.floor(bitOffset / 8); //
|
|
199
|
-
var bitInByte = bitOffset % 8; //
|
|
198
|
+
var byteIdx = Math.floor(bitOffset / 8); // bits-per-byte
|
|
199
|
+
var bitInByte = bitOffset % 8; // bits-per-byte
|
|
200
200
|
var mask = (1 << bits) - 1;
|
|
201
201
|
return (bytes[byteIdx] >> bitInByte) & mask;
|
|
202
202
|
}
|
|
@@ -238,13 +238,13 @@ async function fromJwt(token, opts) {
|
|
|
238
238
|
"statusList.fromJwt: compressed list exceeds " + MAX_LIST_BYTES + " bytes");
|
|
239
239
|
}
|
|
240
240
|
var inflated;
|
|
241
|
-
try { inflated = zlib.inflateRawSync(deflated, { maxOutputLength: MAX_LIST_BYTES * 8 }); } //
|
|
241
|
+
try { inflated = zlib.inflateRawSync(deflated, { maxOutputLength: MAX_LIST_BYTES * 8 }); } // 8x compression-ratio cap
|
|
242
242
|
catch (e) {
|
|
243
243
|
throw new StatusListError("status-list/inflate-failed",
|
|
244
244
|
"statusList.fromJwt: zlib inflate failed: " + ((e && e.message) || String(e)));
|
|
245
245
|
}
|
|
246
246
|
// Reconstruct the list object pointing at the inflated bytes.
|
|
247
|
-
var size = (inflated.length * 8) / bits; //
|
|
247
|
+
var size = (inflated.length * 8) / bits; // bits-per-byte
|
|
248
248
|
return {
|
|
249
249
|
list: {
|
|
250
250
|
size: size,
|