@blamejs/blamejs-shop 0.3.5 → 0.3.7
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +4 -0
- package/lib/asset-manifest.json +1 -1
- package/lib/vendor/MANIFEST.json +3 -3
- package/lib/vendor/blamejs/CHANGELOG.md +14 -0
- package/lib/vendor/blamejs/api-snapshot.json +2 -2
- package/lib/vendor/blamejs/lib/_test/crypto-fixtures.js +3 -3
- package/lib/vendor/blamejs/lib/a2a-tasks.js +24 -24
- package/lib/vendor/blamejs/lib/a2a.js +4 -4
- package/lib/vendor/blamejs/lib/acme.js +3 -3
- package/lib/vendor/blamejs/lib/agent-idempotency.js +1 -1
- package/lib/vendor/blamejs/lib/agent-orchestrator.js +8 -8
- package/lib/vendor/blamejs/lib/agent-posture-chain.js +2 -2
- package/lib/vendor/blamejs/lib/agent-saga.js +1 -1
- package/lib/vendor/blamejs/lib/agent-snapshot.js +1 -1
- package/lib/vendor/blamejs/lib/agent-stream.js +1 -1
- package/lib/vendor/blamejs/lib/agent-tenant.js +1 -1
- package/lib/vendor/blamejs/lib/agent-trace.js +3 -3
- package/lib/vendor/blamejs/lib/ai-capability.js +1 -1
- package/lib/vendor/blamejs/lib/ai-dp.js +4 -4
- package/lib/vendor/blamejs/lib/ai-input.js +4 -4
- package/lib/vendor/blamejs/lib/ai-model-manifest.js +7 -7
- package/lib/vendor/blamejs/lib/ai-pref.js +3 -3
- package/lib/vendor/blamejs/lib/archive-gz.js +2 -2
- package/lib/vendor/blamejs/lib/archive-read.js +25 -25
- package/lib/vendor/blamejs/lib/archive-tar-read.js +2 -2
- package/lib/vendor/blamejs/lib/archive-tar.js +20 -20
- package/lib/vendor/blamejs/lib/archive-wrap.js +10 -10
- package/lib/vendor/blamejs/lib/argon2-builtin.js +1 -1
- package/lib/vendor/blamejs/lib/asn1-der.js +45 -34
- package/lib/vendor/blamejs/lib/atomic-file.js +2 -2
- package/lib/vendor/blamejs/lib/audit-daily-review.js +3 -3
- package/lib/vendor/blamejs/lib/audit-sign.js +5 -5
- package/lib/vendor/blamejs/lib/audit-tools.js +1 -1
- package/lib/vendor/blamejs/lib/audit.js +2 -2
- package/lib/vendor/blamejs/lib/auth/acr-vocabulary.js +2 -2
- package/lib/vendor/blamejs/lib/auth/bot-challenge.js +3 -3
- package/lib/vendor/blamejs/lib/auth/ciba.js +7 -7
- package/lib/vendor/blamejs/lib/auth/dpop.js +3 -3
- package/lib/vendor/blamejs/lib/auth/fido-mds3.js +8 -8
- package/lib/vendor/blamejs/lib/auth/jar.js +11 -0
- package/lib/vendor/blamejs/lib/auth/jwt-external.js +5 -5
- package/lib/vendor/blamejs/lib/auth/oauth.js +7 -9
- package/lib/vendor/blamejs/lib/auth/oid4vci.js +10 -10
- package/lib/vendor/blamejs/lib/auth/oid4vp.js +2 -2
- package/lib/vendor/blamejs/lib/auth/openid-federation.js +2 -2
- package/lib/vendor/blamejs/lib/auth/passkey.js +3 -3
- package/lib/vendor/blamejs/lib/auth/saml.js +31 -43
- package/lib/vendor/blamejs/lib/auth/sd-jwt-vc-disclosure.js +1 -1
- package/lib/vendor/blamejs/lib/auth/sd-jwt-vc.js +5 -5
- package/lib/vendor/blamejs/lib/auth/status-list.js +10 -10
- package/lib/vendor/blamejs/lib/auth/step-up.js +1 -1
- package/lib/vendor/blamejs/lib/auth-bot-challenge.js +1 -1
- package/lib/vendor/blamejs/lib/backup/index.js +7 -7
- package/lib/vendor/blamejs/lib/base32.js +8 -8
- package/lib/vendor/blamejs/lib/budr.js +2 -2
- package/lib/vendor/blamejs/lib/cache-status.js +2 -2
- package/lib/vendor/blamejs/lib/calendar.js +29 -29
- package/lib/vendor/blamejs/lib/cbor.js +12 -12
- package/lib/vendor/blamejs/lib/cdn-cache-control.js +1 -1
- package/lib/vendor/blamejs/lib/cert.js +5 -5
- package/lib/vendor/blamejs/lib/cloud-events.js +5 -5
- package/lib/vendor/blamejs/lib/cms-codec.js +21 -21
- package/lib/vendor/blamejs/lib/codepoint-class.js +12 -12
- package/lib/vendor/blamejs/lib/compliance-sanctions-fuzzy.js +4 -4
- package/lib/vendor/blamejs/lib/compliance-sanctions.js +4 -4
- package/lib/vendor/blamejs/lib/compliance.js +29 -29
- package/lib/vendor/blamejs/lib/content-credentials.js +38 -38
- package/lib/vendor/blamejs/lib/cookies.js +1 -1
- package/lib/vendor/blamejs/lib/cose.js +13 -13
- package/lib/vendor/blamejs/lib/cra-report.js +1 -1
- package/lib/vendor/blamejs/lib/crdt.js +1 -1
- package/lib/vendor/blamejs/lib/crypto-field.js +2 -2
- package/lib/vendor/blamejs/lib/crypto-xwing.js +7 -7
- package/lib/vendor/blamejs/lib/crypto.js +6 -6
- package/lib/vendor/blamejs/lib/csp.js +2 -2
- package/lib/vendor/blamejs/lib/cwt.js +4 -4
- package/lib/vendor/blamejs/lib/dark-patterns.js +2 -2
- package/lib/vendor/blamejs/lib/data-act.js +2 -2
- package/lib/vendor/blamejs/lib/db-file-lifecycle.js +4 -4
- package/lib/vendor/blamejs/lib/db-query.js +1 -1
- package/lib/vendor/blamejs/lib/db.js +6 -6
- package/lib/vendor/blamejs/lib/dbsc.js +13 -13
- package/lib/vendor/blamejs/lib/did.js +17 -17
- package/lib/vendor/blamejs/lib/dora.js +4 -4
- package/lib/vendor/blamejs/lib/dsr.js +1 -1
- package/lib/vendor/blamejs/lib/early-hints.js +2 -2
- package/lib/vendor/blamejs/lib/eat.js +4 -4
- package/lib/vendor/blamejs/lib/external-db-migrate.js +1 -1
- package/lib/vendor/blamejs/lib/external-db.js +1 -1
- package/lib/vendor/blamejs/lib/flag-cache.js +1 -1
- package/lib/vendor/blamejs/lib/flag-evaluation-context.js +2 -2
- package/lib/vendor/blamejs/lib/graphql-federation.js +13 -6
- package/lib/vendor/blamejs/lib/guard-agent-registry.js +5 -5
- package/lib/vendor/blamejs/lib/guard-archive.js +24 -24
- package/lib/vendor/blamejs/lib/guard-cidr.js +34 -34
- package/lib/vendor/blamejs/lib/guard-csv.js +1 -1
- package/lib/vendor/blamejs/lib/guard-domain.js +10 -10
- package/lib/vendor/blamejs/lib/guard-dsn.js +4 -4
- package/lib/vendor/blamejs/lib/guard-email.js +19 -19
- package/lib/vendor/blamejs/lib/guard-event-bus-payload.js +4 -4
- package/lib/vendor/blamejs/lib/guard-event-bus-topic.js +6 -6
- package/lib/vendor/blamejs/lib/guard-filename.js +7 -7
- package/lib/vendor/blamejs/lib/guard-graphql.js +9 -9
- package/lib/vendor/blamejs/lib/guard-html-wcag-tagwalk.js +1 -1
- package/lib/vendor/blamejs/lib/guard-html-wcag.js +4 -4
- package/lib/vendor/blamejs/lib/guard-html.js +7 -7
- package/lib/vendor/blamejs/lib/guard-idempotency-key.js +6 -6
- package/lib/vendor/blamejs/lib/guard-image.js +4 -4
- package/lib/vendor/blamejs/lib/guard-imap-command.js +17 -17
- package/lib/vendor/blamejs/lib/guard-jmap.js +20 -20
- package/lib/vendor/blamejs/lib/guard-json.js +12 -12
- package/lib/vendor/blamejs/lib/guard-jsonpath.js +3 -3
- package/lib/vendor/blamejs/lib/guard-jwt.js +4 -4
- package/lib/vendor/blamejs/lib/guard-list-id.js +7 -7
- package/lib/vendor/blamejs/lib/guard-list-unsubscribe.js +8 -8
- package/lib/vendor/blamejs/lib/guard-mail-compose.js +4 -4
- package/lib/vendor/blamejs/lib/guard-mail-move.js +5 -5
- package/lib/vendor/blamejs/lib/guard-mail-query.js +3 -3
- package/lib/vendor/blamejs/lib/guard-mail-reply.js +3 -3
- package/lib/vendor/blamejs/lib/guard-mail-sieve.js +6 -6
- package/lib/vendor/blamejs/lib/guard-managesieve-command.js +25 -25
- package/lib/vendor/blamejs/lib/guard-markdown.js +31 -31
- package/lib/vendor/blamejs/lib/guard-message-id.js +5 -5
- package/lib/vendor/blamejs/lib/guard-mime.js +1 -1
- package/lib/vendor/blamejs/lib/guard-oauth.js +3 -3
- package/lib/vendor/blamejs/lib/guard-pdf.js +6 -6
- package/lib/vendor/blamejs/lib/guard-pop3-command.js +11 -11
- package/lib/vendor/blamejs/lib/guard-posture-chain.js +5 -5
- package/lib/vendor/blamejs/lib/guard-regex.js +10 -10
- package/lib/vendor/blamejs/lib/guard-saga-config.js +5 -5
- package/lib/vendor/blamejs/lib/guard-smtp-command.js +6 -6
- package/lib/vendor/blamejs/lib/guard-snapshot-envelope.js +3 -3
- package/lib/vendor/blamejs/lib/guard-stream-args.js +4 -4
- package/lib/vendor/blamejs/lib/guard-svg.js +11 -11
- package/lib/vendor/blamejs/lib/guard-tenant-id.js +5 -5
- package/lib/vendor/blamejs/lib/guard-time.js +15 -15
- package/lib/vendor/blamejs/lib/guard-trace-context.js +4 -4
- package/lib/vendor/blamejs/lib/guard-uuid.js +11 -11
- package/lib/vendor/blamejs/lib/guard-xml.js +12 -12
- package/lib/vendor/blamejs/lib/guard-yaml.js +16 -16
- package/lib/vendor/blamejs/lib/honeytoken.js +5 -5
- package/lib/vendor/blamejs/lib/http-client-cache.js +18 -1
- package/lib/vendor/blamejs/lib/http-client.js +13 -10
- package/lib/vendor/blamejs/lib/http-message-signature.js +2 -2
- package/lib/vendor/blamejs/lib/iab-mspa.js +3 -3
- package/lib/vendor/blamejs/lib/iab-tcf.js +70 -70
- package/lib/vendor/blamejs/lib/inbox.js +4 -4
- package/lib/vendor/blamejs/lib/ip-utils.js +15 -15
- package/lib/vendor/blamejs/lib/jose-jwe-experimental.js +2 -2
- package/lib/vendor/blamejs/lib/json-path.js +3 -3
- package/lib/vendor/blamejs/lib/json-schema.js +1 -1
- package/lib/vendor/blamejs/lib/jsonapi.js +3 -3
- package/lib/vendor/blamejs/lib/jtd.js +2 -2
- package/lib/vendor/blamejs/lib/link-header.js +1 -1
- package/lib/vendor/blamejs/lib/local-db-thin.js +1 -1
- package/lib/vendor/blamejs/lib/log.js +8 -3
- package/lib/vendor/blamejs/lib/lro.js +4 -4
- package/lib/vendor/blamejs/lib/mail-agent.js +1 -1
- package/lib/vendor/blamejs/lib/mail-arc-sign.js +6 -6
- package/lib/vendor/blamejs/lib/mail-auth.js +44 -44
- package/lib/vendor/blamejs/lib/mail-bimi.js +3 -3
- package/lib/vendor/blamejs/lib/mail-crypto-pgp.js +53 -45
- package/lib/vendor/blamejs/lib/mail-crypto-smime.js +6 -6
- package/lib/vendor/blamejs/lib/mail-dav.js +1 -1
- package/lib/vendor/blamejs/lib/mail-deploy.js +40 -40
- package/lib/vendor/blamejs/lib/mail-dkim.js +12 -12
- package/lib/vendor/blamejs/lib/mail-greylist.js +12 -12
- package/lib/vendor/blamejs/lib/mail-helo.js +1 -1
- package/lib/vendor/blamejs/lib/mail-journal.js +8 -8
- package/lib/vendor/blamejs/lib/mail-rbl.js +7 -7
- package/lib/vendor/blamejs/lib/mail-scan.js +7 -7
- package/lib/vendor/blamejs/lib/mail-send-deliver.js +2 -2
- package/lib/vendor/blamejs/lib/mail-server-imap.js +12 -12
- package/lib/vendor/blamejs/lib/mail-server-jmap.js +18 -20
- package/lib/vendor/blamejs/lib/mail-server-managesieve.js +4 -4
- package/lib/vendor/blamejs/lib/mail-server-mx.js +17 -17
- package/lib/vendor/blamejs/lib/mail-server-pop3.js +4 -4
- package/lib/vendor/blamejs/lib/mail-server-rate-limit.js +2 -2
- package/lib/vendor/blamejs/lib/mail-server-submission.js +21 -21
- package/lib/vendor/blamejs/lib/mail-sieve.js +2 -2
- package/lib/vendor/blamejs/lib/mail-spam-score.js +5 -5
- package/lib/vendor/blamejs/lib/mail-srs.js +12 -12
- package/lib/vendor/blamejs/lib/mail-store-fts.js +2 -2
- package/lib/vendor/blamejs/lib/mail-store.js +8 -8
- package/lib/vendor/blamejs/lib/mail-unsubscribe.js +4 -4
- package/lib/vendor/blamejs/lib/mail.js +4 -4
- package/lib/vendor/blamejs/lib/mcp-tool-registry.js +4 -4
- package/lib/vendor/blamejs/lib/mcp.js +15 -15
- package/lib/vendor/blamejs/lib/mdoc.js +2 -2
- package/lib/vendor/blamejs/lib/metrics.js +8 -8
- package/lib/vendor/blamejs/lib/middleware/age-gate.js +15 -3
- package/lib/vendor/blamejs/lib/middleware/ai-act-disclosure.js +11 -4
- package/lib/vendor/blamejs/lib/middleware/api-encrypt.js +7 -7
- package/lib/vendor/blamejs/lib/middleware/assetlinks.js +2 -2
- package/lib/vendor/blamejs/lib/middleware/asyncapi-serve.js +2 -2
- package/lib/vendor/blamejs/lib/middleware/bearer-auth.js +5 -5
- package/lib/vendor/blamejs/lib/middleware/body-parser.js +5 -5
- package/lib/vendor/blamejs/lib/middleware/compose-pipeline.js +16 -16
- package/lib/vendor/blamejs/lib/middleware/csp-report.js +4 -4
- package/lib/vendor/blamejs/lib/middleware/daily-byte-quota.js +1 -1
- package/lib/vendor/blamejs/lib/middleware/dpop.js +1 -1
- package/lib/vendor/blamejs/lib/middleware/headers.js +2 -2
- package/lib/vendor/blamejs/lib/middleware/host-allowlist.js +1 -1
- package/lib/vendor/blamejs/lib/middleware/idempotency-key.js +12 -12
- package/lib/vendor/blamejs/lib/middleware/nel.js +1 -1
- package/lib/vendor/blamejs/lib/middleware/openapi-serve.js +2 -2
- package/lib/vendor/blamejs/lib/middleware/protected-resource-metadata.js +2 -2
- package/lib/vendor/blamejs/lib/middleware/rate-limit.js +14 -5
- package/lib/vendor/blamejs/lib/middleware/require-aal.js +1 -1
- package/lib/vendor/blamejs/lib/middleware/require-bound-key.js +2 -2
- package/lib/vendor/blamejs/lib/middleware/require-content-type.js +1 -1
- package/lib/vendor/blamejs/lib/middleware/require-methods.js +1 -1
- package/lib/vendor/blamejs/lib/middleware/require-step-up.js +2 -2
- package/lib/vendor/blamejs/lib/middleware/scim-server.js +1 -1
- package/lib/vendor/blamejs/lib/middleware/security-txt.js +3 -3
- package/lib/vendor/blamejs/lib/middleware/sse.js +14 -8
- package/lib/vendor/blamejs/lib/middleware/tus-upload.js +12 -12
- package/lib/vendor/blamejs/lib/middleware/web-app-manifest.js +2 -2
- package/lib/vendor/blamejs/lib/network-byte-quota.js +1 -1
- package/lib/vendor/blamejs/lib/network-dns-resolver.js +23 -23
- package/lib/vendor/blamejs/lib/network-dns.js +29 -29
- package/lib/vendor/blamejs/lib/network-dnssec.js +33 -33
- package/lib/vendor/blamejs/lib/network-smtp-policy.js +10 -10
- package/lib/vendor/blamejs/lib/network-tls.js +100 -98
- package/lib/vendor/blamejs/lib/network-tsig.js +33 -33
- package/lib/vendor/blamejs/lib/nis2-report.js +1 -1
- package/lib/vendor/blamejs/lib/ntp-check.js +3 -3
- package/lib/vendor/blamejs/lib/observability-otlp-exporter.js +17 -17
- package/lib/vendor/blamejs/lib/observability-tracer.js +6 -6
- package/lib/vendor/blamejs/lib/observability.js +8 -8
- package/lib/vendor/blamejs/lib/openapi-yaml.js +1 -1
- package/lib/vendor/blamejs/lib/openapi.js +1 -1
- package/lib/vendor/blamejs/lib/outbox.js +6 -6
- package/lib/vendor/blamejs/lib/pqc-agent.js +4 -4
- package/lib/vendor/blamejs/lib/pqc-software.js +1 -1
- package/lib/vendor/blamejs/lib/privacy-pass.js +5 -5
- package/lib/vendor/blamejs/lib/problem-details.js +5 -5
- package/lib/vendor/blamejs/lib/promise-pool.js +1 -1
- package/lib/vendor/blamejs/lib/protobuf-encoder.js +9 -1
- package/lib/vendor/blamejs/lib/queue.js +4 -2
- package/lib/vendor/blamejs/lib/redact.js +2 -2
- package/lib/vendor/blamejs/lib/request-helpers.js +1 -1
- package/lib/vendor/blamejs/lib/router.js +10 -10
- package/lib/vendor/blamejs/lib/safe-async.js +2 -2
- package/lib/vendor/blamejs/lib/safe-decompress.js +1 -1
- package/lib/vendor/blamejs/lib/safe-dns.js +71 -71
- package/lib/vendor/blamejs/lib/safe-ical.js +19 -19
- package/lib/vendor/blamejs/lib/safe-icap.js +24 -24
- package/lib/vendor/blamejs/lib/safe-jsonpath.js +2 -2
- package/lib/vendor/blamejs/lib/safe-mime.js +10 -10
- package/lib/vendor/blamejs/lib/safe-mount-info.js +3 -3
- package/lib/vendor/blamejs/lib/safe-redirect.js +1 -1
- package/lib/vendor/blamejs/lib/safe-sieve.js +23 -23
- package/lib/vendor/blamejs/lib/safe-smtp.js +1 -1
- package/lib/vendor/blamejs/lib/safe-url.js +1 -1
- package/lib/vendor/blamejs/lib/safe-vcard.js +14 -14
- package/lib/vendor/blamejs/lib/sandbox.js +5 -5
- package/lib/vendor/blamejs/lib/sec-cyber.js +1 -1
- package/lib/vendor/blamejs/lib/self-update-standalone-verifier.js +3 -3
- package/lib/vendor/blamejs/lib/self-update.js +3 -3
- package/lib/vendor/blamejs/lib/server-timing.js +3 -3
- package/lib/vendor/blamejs/lib/session-device-binding.js +7 -7
- package/lib/vendor/blamejs/lib/session.js +8 -8
- package/lib/vendor/blamejs/lib/sse.js +12 -5
- package/lib/vendor/blamejs/lib/standard-webhooks.js +4 -4
- package/lib/vendor/blamejs/lib/storage.js +2 -2
- package/lib/vendor/blamejs/lib/stream-throttle.js +3 -3
- package/lib/vendor/blamejs/lib/structured-fields.js +15 -15
- package/lib/vendor/blamejs/lib/subject.js +1 -1
- package/lib/vendor/blamejs/lib/tcpa-10dlc.js +1 -1
- package/lib/vendor/blamejs/lib/tenant-quota.js +3 -3
- package/lib/vendor/blamejs/lib/test-harness.js +1 -1
- package/lib/vendor/blamejs/lib/tracing.js +1 -1
- package/lib/vendor/blamejs/lib/tsa.js +5 -5
- package/lib/vendor/blamejs/lib/uri-template.js +5 -5
- package/lib/vendor/blamejs/lib/vault/index.js +2 -2
- package/lib/vendor/blamejs/lib/vault/seal-pem-file.js +4 -4
- package/lib/vendor/blamejs/lib/vc.js +2 -2
- package/lib/vendor/blamejs/lib/vendor-data.js +1 -1
- package/lib/vendor/blamejs/lib/watcher.js +4 -4
- package/lib/vendor/blamejs/lib/web-push-vapid.js +21 -21
- package/lib/vendor/blamejs/lib/webhook.js +2 -2
- package/lib/vendor/blamejs/lib/websocket.js +5 -5
- package/lib/vendor/blamejs/lib/worker-pool.js +3 -3
- package/lib/vendor/blamejs/lib/ws-client.js +24 -24
- package/lib/vendor/blamejs/lib/xml-c14n.js +2 -2
- package/lib/vendor/blamejs/package.json +1 -1
- package/lib/vendor/blamejs/release-notes/v0.13.x.json +1248 -0
- package/lib/vendor/blamejs/release-notes/v0.14.0.json +43 -0
- package/lib/vendor/blamejs/release-notes/v0.14.1.json +60 -0
- package/lib/vendor/blamejs/release-notes/v0.14.2.json +18 -0
- package/lib/vendor/blamejs/release-notes/v0.14.3.json +18 -0
- package/lib/vendor/blamejs/release-notes/v0.14.4.json +18 -0
- package/lib/vendor/blamejs/release-notes/v0.14.5.json +18 -0
- package/lib/vendor/blamejs/test/00-primitives.js +15 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/age-gate.test.js +22 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/auth-jar.test.js +29 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/codebase-patterns.test.js +105 -9
- package/lib/vendor/blamejs/test/layer-0-primitives/compliance-ai-act.test.js +15 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/graphql-federation.test.js +10 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/http-client-cache.test.js +12 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-crypto-pgp.test.js +7 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/network-tls.test.js +11 -5
- package/lib/vendor/blamejs/test/layer-0-primitives/rate-limit-registry.test.js +34 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/sse.test.js +12 -0
- package/package.json +1 -1
- package/lib/vendor/blamejs/release-notes/v0.13.0.json +0 -22
- package/lib/vendor/blamejs/release-notes/v0.13.1.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.13.10.json +0 -44
- package/lib/vendor/blamejs/release-notes/v0.13.11.json +0 -27
- package/lib/vendor/blamejs/release-notes/v0.13.12.json +0 -36
- package/lib/vendor/blamejs/release-notes/v0.13.13.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.13.14.json +0 -22
- package/lib/vendor/blamejs/release-notes/v0.13.15.json +0 -27
- package/lib/vendor/blamejs/release-notes/v0.13.16.json +0 -27
- package/lib/vendor/blamejs/release-notes/v0.13.17.json +0 -27
- package/lib/vendor/blamejs/release-notes/v0.13.18.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.13.19.json +0 -27
- package/lib/vendor/blamejs/release-notes/v0.13.2.json +0 -27
- package/lib/vendor/blamejs/release-notes/v0.13.20.json +0 -22
- package/lib/vendor/blamejs/release-notes/v0.13.21.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.13.22.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.13.23.json +0 -42
- package/lib/vendor/blamejs/release-notes/v0.13.24.json +0 -26
- package/lib/vendor/blamejs/release-notes/v0.13.25.json +0 -39
- package/lib/vendor/blamejs/release-notes/v0.13.26.json +0 -31
- package/lib/vendor/blamejs/release-notes/v0.13.27.json +0 -34
- package/lib/vendor/blamejs/release-notes/v0.13.28.json +0 -30
- package/lib/vendor/blamejs/release-notes/v0.13.29.json +0 -30
- package/lib/vendor/blamejs/release-notes/v0.13.3.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.13.30.json +0 -30
- package/lib/vendor/blamejs/release-notes/v0.13.31.json +0 -26
- package/lib/vendor/blamejs/release-notes/v0.13.32.json +0 -34
- package/lib/vendor/blamejs/release-notes/v0.13.33.json +0 -26
- package/lib/vendor/blamejs/release-notes/v0.13.34.json +0 -48
- package/lib/vendor/blamejs/release-notes/v0.13.35.json +0 -35
- package/lib/vendor/blamejs/release-notes/v0.13.36.json +0 -27
- package/lib/vendor/blamejs/release-notes/v0.13.37.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.13.38.json +0 -27
- package/lib/vendor/blamejs/release-notes/v0.13.39.json +0 -27
- package/lib/vendor/blamejs/release-notes/v0.13.4.json +0 -23
- package/lib/vendor/blamejs/release-notes/v0.13.40.json +0 -22
- package/lib/vendor/blamejs/release-notes/v0.13.41.json +0 -27
- package/lib/vendor/blamejs/release-notes/v0.13.42.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.13.43.json +0 -39
- package/lib/vendor/blamejs/release-notes/v0.13.44.json +0 -31
- package/lib/vendor/blamejs/release-notes/v0.13.45.json +0 -31
- package/lib/vendor/blamejs/release-notes/v0.13.46.json +0 -35
- package/lib/vendor/blamejs/release-notes/v0.13.5.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.13.6.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.13.7.json +0 -27
- package/lib/vendor/blamejs/release-notes/v0.13.8.json +0 -27
- package/lib/vendor/blamejs/release-notes/v0.13.9.json +0 -27
|
@@ -668,11 +668,11 @@ async function rotateSigningKey(rotOpts) {
|
|
|
668
668
|
// small (a few KB) and signed audit checkpoints can be decades old.
|
|
669
669
|
var iso = new Date().toISOString().replace(/[:.]/g, "-");
|
|
670
670
|
if (currentMode === "wrapped" && paths && paths.sealed) {
|
|
671
|
-
var historyPath = paths.sealed + ".history-" + iso + "-" + prevFingerprint.slice(0, 16) /*
|
|
671
|
+
var historyPath = paths.sealed + ".history-" + iso + "-" + prevFingerprint.slice(0, 16) /* fingerprint hex truncation count */;
|
|
672
672
|
try { await atomicFile.copy(paths.sealed, historyPath); }
|
|
673
673
|
catch (_e) { /* history copy is best-effort; the in-memory rotation still proceeds */ }
|
|
674
674
|
} else if (currentMode === "plaintext" && paths && paths.plaintext) {
|
|
675
|
-
var historyPathP = paths.plaintext + ".history-" + iso + "-" + prevFingerprint.slice(0, 16) /*
|
|
675
|
+
var historyPathP = paths.plaintext + ".history-" + iso + "-" + prevFingerprint.slice(0, 16) /* fingerprint hex truncation count */;
|
|
676
676
|
try { await atomicFile.copy(paths.plaintext, historyPathP); }
|
|
677
677
|
catch (_e) { /* history copy is best-effort */ }
|
|
678
678
|
}
|
|
@@ -707,7 +707,7 @@ async function rotateSigningKey(rotOpts) {
|
|
|
707
707
|
algorithm: newAlg,
|
|
708
708
|
fingerprint: newFingerprint,
|
|
709
709
|
};
|
|
710
|
-
log("audit-signing keypair rotated (alg=" + newAlg + ", fp=" + newFingerprint.slice(0, 16) + "...)"); /*
|
|
710
|
+
log("audit-signing keypair rotated (alg=" + newAlg + ", fp=" + newFingerprint.slice(0, 16) + "...)"); /* fingerprint hex truncation count */
|
|
711
711
|
|
|
712
712
|
return {
|
|
713
713
|
previousFingerprint: prevFingerprint,
|
|
@@ -717,9 +717,9 @@ async function rotateSigningKey(rotOpts) {
|
|
|
717
717
|
algorithm: newAlg,
|
|
718
718
|
rotatedAt: new Date().toISOString(),
|
|
719
719
|
historyPath: (currentMode === "wrapped" && paths && paths.sealed)
|
|
720
|
-
? paths.sealed + ".history-" + iso + "-" + prevFingerprint.slice(0, 16) /*
|
|
720
|
+
? paths.sealed + ".history-" + iso + "-" + prevFingerprint.slice(0, 16) /* fingerprint hex truncation count */
|
|
721
721
|
: (currentMode === "plaintext" && paths && paths.plaintext)
|
|
722
|
-
? paths.plaintext + ".history-" + iso + "-" + prevFingerprint.slice(0, 16) /*
|
|
722
|
+
? paths.plaintext + ".history-" + iso + "-" + prevFingerprint.slice(0, 16) /* fingerprint hex truncation count */
|
|
723
723
|
: null,
|
|
724
724
|
};
|
|
725
725
|
}
|
|
@@ -1083,7 +1083,7 @@ function _toCadfEvent(row) {
|
|
|
1083
1083
|
name: "blamejs.audit",
|
|
1084
1084
|
},
|
|
1085
1085
|
reason: row.reason ? {
|
|
1086
|
-
reasonCode: String(row.reason).slice(0, 256), //
|
|
1086
|
+
reasonCode: String(row.reason).slice(0, 256), // reason cap
|
|
1087
1087
|
policyType: "blamejs.audit-chain",
|
|
1088
1088
|
} : undefined,
|
|
1089
1089
|
attachments: meta ? [{
|
|
@@ -304,11 +304,11 @@ var FRAMEWORK_NAMESPACES = [
|
|
|
304
304
|
"session", // b.sessionDeviceBinding (session.device.bound / drift / refused)
|
|
305
305
|
"sandbox", // b.sandbox (sandbox.run / sandbox.run.refused — operator-supplied transform isolation)
|
|
306
306
|
"safeurl", // b.safeUrl.parse (safeurl.idn_homograph.refused — UTS #39 mixed-script host-label refusal)
|
|
307
|
-
"http", // b.middleware.bodyParser (http.chunked.malformed.refused — RFC 9112 §7.1 chunked-decode failure with Connection: close) //
|
|
307
|
+
"http", // b.middleware.bodyParser (http.chunked.malformed.refused — RFC 9112 §7.1 chunked-decode failure with Connection: close) // RFC number in prose
|
|
308
308
|
"cryptofield", // b.cryptoField.eraseRow (cryptofield.vacuum.skipped — F-RTBF-2 vacuum-after-erase signal when DB not initialized at erase time)
|
|
309
309
|
"acme", // b.acme (acme.account.registered / order.* / cert.issued / cert.renewed / cert.renew.skipped — RFC 8555 + RFC 9773 ARI workflow)
|
|
310
310
|
"cert", // b.cert (cert.account.generated / cert.issued / cert.renewed / cert.renew-failed / cert.challenge-cleanup — turnkey cert-manager lifecycle)
|
|
311
|
-
"tls", // b.router 0-RTT posture (tls.0rtt.refused / tls.0rtt.replayed) — RFC 8446 §8 anti-replay surface //
|
|
311
|
+
"tls", // b.router 0-RTT posture (tls.0rtt.refused / tls.0rtt.replayed) — RFC 8446 §8 anti-replay surface // RFC number in prose
|
|
312
312
|
"workerpool", // b.workerPool (workerpool.created / terminated / task.completed / task.failed / task.timeout / spawn.failed — generic worker_threads pool)
|
|
313
313
|
"jwt", // b.auth.jwt-external (jwt.jwe.refused — RFC 7516 5-segment JWE refusal)
|
|
314
314
|
"dr", // b.drRunbook (dr.runbook.emitted)
|
|
@@ -87,7 +87,7 @@ var BUILTIN_RANKS = {
|
|
|
87
87
|
"ial2": 30,
|
|
88
88
|
"fal2": 30,
|
|
89
89
|
"aal2": 35,
|
|
90
|
-
"urn:mace:incommon:iap:silver": 32, //
|
|
90
|
+
"urn:mace:incommon:iap:silver": 32, // ACR rank, not bytes
|
|
91
91
|
|
|
92
92
|
// Phishing-resistant multi-factor (passkey UV)
|
|
93
93
|
"phrh": 60, // allow:raw-time-literal — ACR rank, not seconds
|
|
@@ -98,7 +98,7 @@ var BUILTIN_RANKS = {
|
|
|
98
98
|
"ial3": 75,
|
|
99
99
|
"fal3": 75,
|
|
100
100
|
"aal3": 75,
|
|
101
|
-
"urn:mace:incommon:iap:gold": 80, //
|
|
101
|
+
"urn:mace:incommon:iap:gold": 80, // ACR rank, not bytes
|
|
102
102
|
|
|
103
103
|
// In-person identity-proofed + hardware-bound
|
|
104
104
|
"loa4": 95,
|
|
@@ -97,7 +97,7 @@ var MAX_TOKEN_BYTES = C.BYTES.kib(4);
|
|
|
97
97
|
// headroom; operators can override per-call but cannot drop below
|
|
98
98
|
// MIN_TIMEOUT_MS without the create() factory refusing the opts.
|
|
99
99
|
var DEFAULT_TIMEOUT_MS = C.TIME.seconds(5);
|
|
100
|
-
var MIN_TIMEOUT_MS = 500; // anti-misconfiguration floor //
|
|
100
|
+
var MIN_TIMEOUT_MS = 500; // anti-misconfiguration floor // 500ms wall-clock floor, not a byte literal
|
|
101
101
|
|
|
102
102
|
// Response-body cap. Provider siteverify responses are small JSON
|
|
103
103
|
// (well under 4 KiB); a multi-MiB response is either a redirect to
|
|
@@ -116,7 +116,7 @@ var EXPECTED_CONTENT_TYPE_PREFIX = "application/json";
|
|
|
116
116
|
// the surfaced bytes are not the secret token (≈ 48 bits visible vs.
|
|
117
117
|
// ~2 KiB total), but large enough to cluster verifications belonging
|
|
118
118
|
// to the same widget render in a debug session.
|
|
119
|
-
var TOKEN_PREFIX_AUDIT_CHARS = 8; //
|
|
119
|
+
var TOKEN_PREFIX_AUDIT_CHARS = 8; // debug-prefix length, not a byte literal
|
|
120
120
|
|
|
121
121
|
// ---- provider catalog ----
|
|
122
122
|
//
|
|
@@ -440,7 +440,7 @@ function create(opts) {
|
|
|
440
440
|
"siteverify transport failure: " + ((e && e.message) || String(e)));
|
|
441
441
|
}
|
|
442
442
|
|
|
443
|
-
if (res.statusCode < 200 || res.statusCode >= 300) { //
|
|
443
|
+
if (res.statusCode < 200 || res.statusCode >= 300) { // HTTP 2xx range bounds
|
|
444
444
|
_safeAudit(safeEmit, "auth.bot_challenge.verify", "failure", {
|
|
445
445
|
provider: providerKey, ok: false, reason: "non-2xx",
|
|
446
446
|
statusCode: res.statusCode, prefix: tokenPrefix,
|
|
@@ -174,7 +174,7 @@ function create(opts) {
|
|
|
174
174
|
// 2026-05-11). CIBA §7.1.2 requires the token be opaque + hard to
|
|
175
175
|
// guess; the framework's other token-shaped primitives enforce 32
|
|
176
176
|
// chars minimum. A 4-char token was previously accepted; refuse.
|
|
177
|
-
if (clientNotificationToken !== null && clientNotificationToken.length < 32) { //
|
|
177
|
+
if (clientNotificationToken !== null && clientNotificationToken.length < 32) { // RFC 9700 §7.1.2 token char-length minimum, not bytes
|
|
178
178
|
throw new AuthError("auth-ciba/notification-token-too-short",
|
|
179
179
|
"auth.ciba.client.create: clientNotificationToken must be >= 32 chars " +
|
|
180
180
|
"(generate via b.crypto.generateToken(32) or stronger; CIBA §7.1.2 " +
|
|
@@ -239,7 +239,7 @@ function create(opts) {
|
|
|
239
239
|
(cc >= 0x200b && cc <= 0x200f) ||
|
|
240
240
|
(cc >= 0x202a && cc <= 0x202e) ||
|
|
241
241
|
(cc >= 0x2066 && cc <= 0x2069) ||
|
|
242
|
-
cc === 0xfeff) { //
|
|
242
|
+
cc === 0xfeff) { // codepoint constants for control / bidi / zero-width / BOM
|
|
243
243
|
throw new AuthError("auth-ciba/binding-message-control-chars",
|
|
244
244
|
"ciba: bindingMessage contains control / bidi / zero-width characters");
|
|
245
245
|
}
|
|
@@ -278,7 +278,7 @@ function create(opts) {
|
|
|
278
278
|
var err;
|
|
279
279
|
try { err = safeJson.parse(bodyText, { maxBytes: MAX_RESPONSE_BYTES }); } catch (_e) { /* silent-catch: non-JSON IdP error body falls through to the bodyText snippet path below */ }
|
|
280
280
|
var code = (err && err.error) || ("http-" + res.statusCode);
|
|
281
|
-
var msg = (err && (err.error_description || err.error)) || bodyText.slice(0, 200); //
|
|
281
|
+
var msg = (err && (err.error_description || err.error)) || bodyText.slice(0, 200); // error-message snippet length
|
|
282
282
|
var aerr = new AuthError("auth-ciba/" + code, "ciba: " + msg);
|
|
283
283
|
aerr.cibaError = err || null;
|
|
284
284
|
aerr.statusCode = res.statusCode;
|
|
@@ -355,8 +355,8 @@ function create(opts) {
|
|
|
355
355
|
if (clientAuth === "jwt") {
|
|
356
356
|
var assertion = await opts.clientAssertionSigner({
|
|
357
357
|
iss: opts.clientId, sub: opts.clientId, aud: endpoint,
|
|
358
|
-
iat: Math.floor(Date.now() / 1000), //
|
|
359
|
-
exp: Math.floor(Date.now() / 1000) + 300, //
|
|
358
|
+
iat: Math.floor(Date.now() / 1000), // ms→s
|
|
359
|
+
exp: Math.floor(Date.now() / 1000) + 300, // assertion 5m TTL
|
|
360
360
|
jti: generateToken(16),
|
|
361
361
|
});
|
|
362
362
|
body.set("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer");
|
|
@@ -465,8 +465,8 @@ function create(opts) {
|
|
|
465
465
|
if (clientAuth === "jwt") {
|
|
466
466
|
var assertion = await opts.clientAssertionSigner({
|
|
467
467
|
iss: opts.clientId, sub: opts.clientId, aud: endpoint,
|
|
468
|
-
iat: Math.floor(Date.now() / 1000), //
|
|
469
|
-
exp: Math.floor(Date.now() / 1000) + 300, //
|
|
468
|
+
iat: Math.floor(Date.now() / 1000), // ms→s
|
|
469
|
+
exp: Math.floor(Date.now() / 1000) + 300, // assertion 5m TTL
|
|
470
470
|
jti: generateToken(16),
|
|
471
471
|
});
|
|
472
472
|
body.set("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer");
|
|
@@ -131,9 +131,9 @@ function _signParamsForAlg(alg) {
|
|
|
131
131
|
if (alg === "RS256") return { hash: "sha256", padding: nodeCrypto.constants.RSA_PKCS1_PADDING };
|
|
132
132
|
if (alg === "RS384") return { hash: "sha384", padding: nodeCrypto.constants.RSA_PKCS1_PADDING };
|
|
133
133
|
if (alg === "RS512") return { hash: "sha512", padding: nodeCrypto.constants.RSA_PKCS1_PADDING };
|
|
134
|
-
if (alg === "PS256") return { hash: "sha256", padding: nodeCrypto.constants.RSA_PKCS1_PSS_PADDING, saltLength: 32 }; //
|
|
135
|
-
if (alg === "PS384") return { hash: "sha384", padding: nodeCrypto.constants.RSA_PKCS1_PSS_PADDING, saltLength: 48 }; //
|
|
136
|
-
if (alg === "PS512") return { hash: "sha512", padding: nodeCrypto.constants.RSA_PKCS1_PSS_PADDING, saltLength: 64 }; //
|
|
134
|
+
if (alg === "PS256") return { hash: "sha256", padding: nodeCrypto.constants.RSA_PKCS1_PSS_PADDING, saltLength: 32 }; // RFC 7518 PS256 salt length
|
|
135
|
+
if (alg === "PS384") return { hash: "sha384", padding: nodeCrypto.constants.RSA_PKCS1_PSS_PADDING, saltLength: 48 }; // RFC 7518 PS384 salt length
|
|
136
|
+
if (alg === "PS512") return { hash: "sha512", padding: nodeCrypto.constants.RSA_PKCS1_PSS_PADDING, saltLength: 64 }; // RFC 7518 PS512 salt length
|
|
137
137
|
if (alg === "ES256") return { hash: "sha256", dsaEncoding: "ieee-p1363" };
|
|
138
138
|
if (alg === "ES384") return { hash: "sha384", dsaEncoding: "ieee-p1363" };
|
|
139
139
|
if (alg === "ES512") return { hash: "sha512", dsaEncoding: "ieee-p1363" };
|
|
@@ -97,7 +97,7 @@ function _b64urlDecode(s) {
|
|
|
97
97
|
// node:crypto.X509Certificate accepts it.
|
|
98
98
|
function _derToPem(b64) {
|
|
99
99
|
var lines = [];
|
|
100
|
-
for (var i = 0; i < b64.length; i += 64) lines.push(b64.slice(i, i + 64)); //
|
|
100
|
+
for (var i = 0; i < b64.length; i += 64) lines.push(b64.slice(i, i + 64)); // RFC 7468 PEM line width
|
|
101
101
|
return "-----BEGIN CERTIFICATE-----\n" + lines.join("\n") +
|
|
102
102
|
"\n-----END CERTIFICATE-----\n";
|
|
103
103
|
}
|
|
@@ -145,9 +145,9 @@ function _verifyParamsForAlg(alg) {
|
|
|
145
145
|
case "RS256": return { hash: "sha256", padding: nodeCrypto.constants.RSA_PKCS1_PADDING };
|
|
146
146
|
case "RS384": return { hash: "sha384", padding: nodeCrypto.constants.RSA_PKCS1_PADDING };
|
|
147
147
|
case "RS512": return { hash: "sha512", padding: nodeCrypto.constants.RSA_PKCS1_PADDING };
|
|
148
|
-
case "PS256": return { hash: "sha256", padding: nodeCrypto.constants.RSA_PKCS1_PSS_PADDING, saltLength: 32 }; //
|
|
149
|
-
case "PS384": return { hash: "sha384", padding: nodeCrypto.constants.RSA_PKCS1_PSS_PADDING, saltLength: 48 }; //
|
|
150
|
-
case "PS512": return { hash: "sha512", padding: nodeCrypto.constants.RSA_PKCS1_PSS_PADDING, saltLength: 64 }; //
|
|
148
|
+
case "PS256": return { hash: "sha256", padding: nodeCrypto.constants.RSA_PKCS1_PSS_PADDING, saltLength: 32 }; // SHA-256 hash length
|
|
149
|
+
case "PS384": return { hash: "sha384", padding: nodeCrypto.constants.RSA_PKCS1_PSS_PADDING, saltLength: 48 }; // SHA-384 hash length
|
|
150
|
+
case "PS512": return { hash: "sha512", padding: nodeCrypto.constants.RSA_PKCS1_PSS_PADDING, saltLength: 64 }; // SHA-512 hash length
|
|
151
151
|
case "ES256": return { hash: "sha256", dsaEncoding: "ieee-p1363" };
|
|
152
152
|
case "ES384": return { hash: "sha384", dsaEncoding: "ieee-p1363" };
|
|
153
153
|
case "ES512": return { hash: "sha512", dsaEncoding: "ieee-p1363" };
|
|
@@ -292,7 +292,7 @@ function _getCache() {
|
|
|
292
292
|
_sharedCache = cache().create({
|
|
293
293
|
namespace: "auth-fido-mds3.blob",
|
|
294
294
|
ttlMs: MAX_CACHE_TTL_MS,
|
|
295
|
-
maxEntries: 8, //
|
|
295
|
+
maxEntries: 8, // operator-pinned URL set
|
|
296
296
|
});
|
|
297
297
|
return _sharedCache;
|
|
298
298
|
}
|
|
@@ -315,7 +315,7 @@ function _ttlFromNextUpdate(nextUpdateDate) {
|
|
|
315
315
|
// valid future timestamp and influence the cache-TTL clamp downstream.
|
|
316
316
|
function _parseNextUpdate(s) {
|
|
317
317
|
if (typeof s !== "string") return null;
|
|
318
|
-
var m = s.match(/^(\d{4})-(\d{2})-(\d{2})$/); //
|
|
318
|
+
var m = s.match(/^(\d{4})-(\d{2})-(\d{2})$/); // ISO-8601 date components
|
|
319
319
|
if (!m) return null;
|
|
320
320
|
var year = parseInt(m[1], 10);
|
|
321
321
|
var month = parseInt(m[2], 10) - 1;
|
|
@@ -464,7 +464,7 @@ async function fetch(opts) { // allow:raw-outbound-http — function name is f
|
|
|
464
464
|
throw new FidoMds3Error("fido-mds3/network",
|
|
465
465
|
"BLOB GET " + url + " failed: " + ((e && e.message) || String(e)));
|
|
466
466
|
}
|
|
467
|
-
if (rsp.statusCode < 200 || rsp.statusCode >= 300) { //
|
|
467
|
+
if (rsp.statusCode < 200 || rsp.statusCode >= 300) { // HTTP 2xx range
|
|
468
468
|
throw new FidoMds3Error("fido-mds3/bad-status",
|
|
469
469
|
"BLOB GET " + url + " returned " + rsp.statusCode);
|
|
470
470
|
}
|
|
@@ -539,7 +539,7 @@ function lookupAaguid(blob, aaguid) {
|
|
|
539
539
|
throw new FidoMds3Error("fido-mds3/bad-aaguid", "aaguid must be a non-empty string");
|
|
540
540
|
}
|
|
541
541
|
var canon = aaguid.replace(/-/g, "").toLowerCase();
|
|
542
|
-
if (!safeBuffer.isHex(canon, 32)) { //
|
|
542
|
+
if (!safeBuffer.isHex(canon, 32)) { // 32 = AAGUID hex-char count, not bytes
|
|
543
543
|
throw new FidoMds3Error("fido-mds3/bad-aaguid",
|
|
544
544
|
"aaguid must be a UUID (with or without dashes)");
|
|
545
545
|
}
|
|
@@ -130,6 +130,17 @@ async function parse(jar, opts) {
|
|
|
130
130
|
audience: opts.audience,
|
|
131
131
|
clockSkewMs: opts.clockSkewMs,
|
|
132
132
|
});
|
|
133
|
+
// RFC 9101 §10.8 — the request object MUST be explicitly typed so a JWT
|
|
134
|
+
// minted for another purpose (id_token / access-token / logout-token)
|
|
135
|
+
// and signed by the same client key cannot be replayed here as a request
|
|
136
|
+
// object (cross-JWT confusion). Require the registered media type, with or
|
|
137
|
+
// without the "application/" prefix; an absent or mismatched typ is refused.
|
|
138
|
+
var jarTyp = verified.header && verified.header.typ;
|
|
139
|
+
if (jarTyp !== JAR_TYP && jarTyp !== "application/" + JAR_TYP) {
|
|
140
|
+
throw new AuthJarError("auth-jar/bad-typ",
|
|
141
|
+
"jar.parse: request object header.typ must be \"" + JAR_TYP +
|
|
142
|
+
"\" (RFC 9101 §10.8 — cross-JWT-confusion defense)");
|
|
143
|
+
}
|
|
133
144
|
var payload = verified.claims;
|
|
134
145
|
|
|
135
146
|
// RFC 9101 §5.2 — the request object MUST carry a client_id claim,
|
|
@@ -75,9 +75,9 @@ var MAX_TOKEN_BYTES = C.BYTES.kib(16);
|
|
|
75
75
|
var REFUSED_ALGS = ["HS256", "HS384", "HS512", "none"];
|
|
76
76
|
|
|
77
77
|
// PSS salt lengths per RFC 7518 §3.5.
|
|
78
|
-
var PSS_SALT_SHA256 = 32; //
|
|
79
|
-
var PSS_SALT_SHA384 = 48; //
|
|
80
|
-
var PSS_SALT_SHA512 = 64; //
|
|
78
|
+
var PSS_SALT_SHA256 = 32; // RFC 7518 SHA-256 salt length
|
|
79
|
+
var PSS_SALT_SHA384 = 48; // RFC 7518 SHA-384 salt length
|
|
80
|
+
var PSS_SALT_SHA512 = 64; // RFC 7518 SHA-512 salt length
|
|
81
81
|
|
|
82
82
|
var SUPPORTED_CLASSICAL_ALGS = [
|
|
83
83
|
"RS256", "RS384", "RS512",
|
|
@@ -105,7 +105,7 @@ function _b64urlDecode(s) {
|
|
|
105
105
|
throw new AuthError("auth-jwt-external/bad-base64", "expected base64url string");
|
|
106
106
|
}
|
|
107
107
|
var padded = s.replace(/-/g, "+").replace(/_/g, "/");
|
|
108
|
-
while (padded.length % 4) padded += "="; //
|
|
108
|
+
while (padded.length % 4) padded += "="; // base64 quartet padding
|
|
109
109
|
return Buffer.from(padded, "base64");
|
|
110
110
|
}
|
|
111
111
|
|
|
@@ -241,7 +241,7 @@ async function _fetchJwks(uri, cacheMs) {
|
|
|
241
241
|
maxBytes: MAX_JWKS_BYTES,
|
|
242
242
|
timeoutMs: C.TIME.seconds(10),
|
|
243
243
|
});
|
|
244
|
-
if (res.statusCode < 200 || res.statusCode >= 300) { //
|
|
244
|
+
if (res.statusCode < 200 || res.statusCode >= 300) { // HTTP 2xx range
|
|
245
245
|
throw new AuthError("auth-jwt-external/jwks-fetch-failed",
|
|
246
246
|
"JWKS endpoint " + uri + " returned " + res.statusCode);
|
|
247
247
|
}
|
|
@@ -836,10 +836,10 @@ function create(opts) {
|
|
|
836
836
|
// only in claim validation (no nonce, audience = clientId, no
|
|
837
837
|
// ID-token-specific claims). We wrap verifyIdToken with the
|
|
838
838
|
// skip-nonce flag and apply JARM-specific claim checks below.
|
|
839
|
+
// verifyIdToken applies the create()-level accepted algorithms / JWKS /
|
|
840
|
+
// clock-skew; only the JARM-specific skip-nonce flag is passed here.
|
|
839
841
|
var verified = await verifyIdToken(responseJwt, {
|
|
840
842
|
skipNonceCheck: true,
|
|
841
|
-
acceptedAlgs: jopts.acceptedAlgs,
|
|
842
|
-
maxClockSkewMs: jopts.maxClockSkewMs,
|
|
843
843
|
});
|
|
844
844
|
var c = verified.claims;
|
|
845
845
|
// Per JARM §4: `iss` MUST match the OP issuer; `aud` MUST contain
|
|
@@ -1297,7 +1297,7 @@ function create(opts) {
|
|
|
1297
1297
|
if (!rv || typeof rv.request_uri !== "string" || rv.request_uri.length === 0) {
|
|
1298
1298
|
throw new OAuthError("auth-oauth/par-bad-response",
|
|
1299
1299
|
"pushAuthorizationRequest: IdP did not return a request_uri (got " +
|
|
1300
|
-
JSON.stringify(rv).slice(0, 200) + ")"); //
|
|
1300
|
+
JSON.stringify(rv).slice(0, 200) + ")"); // error-message snippet length
|
|
1301
1301
|
}
|
|
1302
1302
|
// Build the browser-side redirect URL: /authorize?client_id=...&request_uri=...
|
|
1303
1303
|
var authzEndpoint = await _resolveEndpoint("authorizationEndpoint");
|
|
@@ -1419,12 +1419,10 @@ function create(opts) {
|
|
|
1419
1419
|
}
|
|
1420
1420
|
// Reuse verifyIdToken's signature-verification path. It looks up
|
|
1421
1421
|
// the IdP JWKS and checks the JWS — same trust anchor.
|
|
1422
|
+
// verifyIdToken applies the create()-level issuer / clientId / accepted
|
|
1423
|
+
// algorithms / JWKS / clock-skew — the same trust anchor as id_tokens.
|
|
1424
|
+
// Only the per-call logout-token semantics are passed here.
|
|
1422
1425
|
var verified = await verifyIdToken(logoutToken, {
|
|
1423
|
-
issuer: issuer,
|
|
1424
|
-
clientId: clientId,
|
|
1425
|
-
acceptedAlgs: vopts.acceptedAlgs,
|
|
1426
|
-
jwksUri: vopts.jwksUri,
|
|
1427
|
-
maxClockSkewMs: vopts.maxClockSkewMs,
|
|
1428
1426
|
// Logout tokens have no nonce — disable the nonce check that
|
|
1429
1427
|
// verifyIdToken would otherwise enforce on id_tokens.
|
|
1430
1428
|
skipNonceCheck: true,
|
|
@@ -1953,7 +1951,7 @@ function create(opts) {
|
|
|
1953
1951
|
}
|
|
1954
1952
|
// Terminal errors.
|
|
1955
1953
|
throw new OAuthError("auth-oauth/device-" + (err || "unknown"),
|
|
1956
|
-
"pollDeviceCode: " + (parsed && parsed.error_description ? parsed.error_description : text.slice(0, 200))); //
|
|
1954
|
+
"pollDeviceCode: " + (parsed && parsed.error_description ? parsed.error_description : text.slice(0, 200))); // 200-char error-snippet cap, not bytes
|
|
1957
1955
|
}
|
|
1958
1956
|
throw new OAuthError("auth-oauth/device-poll-timeout",
|
|
1959
1957
|
"pollDeviceCode: exceeded maxWaitMs " + (popts.maxWaitMs || C.TIME.minutes(10)));
|
|
@@ -98,7 +98,7 @@ function _verifyProofJwt(proofJwt, expectedAud, expectedCNonce, expectedClientId
|
|
|
98
98
|
}
|
|
99
99
|
var header, payload;
|
|
100
100
|
try {
|
|
101
|
-
header = safeJson.parse(_b64uDecodeStr(parts[0]), { maxBytes: 4096 }); //
|
|
101
|
+
header = safeJson.parse(_b64uDecodeStr(parts[0]), { maxBytes: 4096 }); // proof header cap
|
|
102
102
|
payload = safeJson.parse(_b64uDecodeStr(parts[1]), { maxBytes: MAX_PROOF_BYTES });
|
|
103
103
|
} catch (e) {
|
|
104
104
|
throw new AuthError("auth-oid4vci/bad-proof-decode",
|
|
@@ -240,7 +240,7 @@ function _verifyProofJwt(proofJwt, expectedAud, expectedCNonce, expectedClientId
|
|
|
240
240
|
* tokenEndpoint: string, // public URL for /token (re-used by the pre-auth flow)
|
|
241
241
|
* sdJwtIssuer: <b.auth.sdJwtVc.issuer instance>, // mints the SD-JWT VC
|
|
242
242
|
* supportedCredentials: { [id]: { format, vct, claims, ... } },
|
|
243
|
-
* proofAlgorithms: string[], // default ["ES256", "ES384"]
|
|
243
|
+
* proofAlgorithms: string[], // default ["ES256", "ES384", "EdDSA"]
|
|
244
244
|
* preAuthCodeTtlMs?: number, // default 5m
|
|
245
245
|
* accessTokenTtlMs?: number, // default 15m
|
|
246
246
|
* cNonceTtlMs?: number, // default 5m
|
|
@@ -367,7 +367,7 @@ function create(opts) {
|
|
|
367
367
|
"createCredentialOffer: credentialId \"" + id + "\" not in supportedCredentials");
|
|
368
368
|
}
|
|
369
369
|
});
|
|
370
|
-
var preAuthCode = generateToken(32); //
|
|
370
|
+
var preAuthCode = generateToken(32); // 256-bit single-use pre-auth code
|
|
371
371
|
var txCode = coOpts.txCode || null;
|
|
372
372
|
if (txCode !== null) {
|
|
373
373
|
if (typeof txCode !== "object" || typeof txCode.value !== "string") {
|
|
@@ -388,7 +388,7 @@ function create(opts) {
|
|
|
388
388
|
"urn:ietf:params:oauth:grant-type:pre-authorized_code": {
|
|
389
389
|
"pre-authorized_code": preAuthCode,
|
|
390
390
|
tx_code: txCode ? {
|
|
391
|
-
length: typeof txCode.length === "number" ? txCode.length : 4, //
|
|
391
|
+
length: typeof txCode.length === "number" ? txCode.length : 4, // default tx-code 4 digits
|
|
392
392
|
input_mode: txCode.input_mode || "numeric",
|
|
393
393
|
description: txCode.description || undefined,
|
|
394
394
|
} : undefined,
|
|
@@ -467,8 +467,8 @@ function create(opts) {
|
|
|
467
467
|
}
|
|
468
468
|
}
|
|
469
469
|
await codeStore.delete(eopts.preAuthCode);
|
|
470
|
-
var accessToken = generateToken(32); //
|
|
471
|
-
var cNonce = generateToken(16); //
|
|
470
|
+
var accessToken = generateToken(32); // 256-bit access token
|
|
471
|
+
var cNonce = generateToken(16); // 128-bit c_nonce
|
|
472
472
|
var record = {
|
|
473
473
|
subject: entry.subject,
|
|
474
474
|
credentialIds: entry.credentialIds,
|
|
@@ -485,9 +485,9 @@ function create(opts) {
|
|
|
485
485
|
return {
|
|
486
486
|
access_token: accessToken,
|
|
487
487
|
token_type: "Bearer",
|
|
488
|
-
expires_in: Math.floor(accessTokenTtl / 1000), //
|
|
488
|
+
expires_in: Math.floor(accessTokenTtl / 1000), // ms→s
|
|
489
489
|
c_nonce: cNonce,
|
|
490
|
-
c_nonce_expires_in: Math.floor(cNonceTtl / 1000), //
|
|
490
|
+
c_nonce_expires_in: Math.floor(cNonceTtl / 1000), // ms→s
|
|
491
491
|
authorization_details: entry.credentialIds.map(function (id) {
|
|
492
492
|
return {
|
|
493
493
|
type: "openid_credential",
|
|
@@ -572,7 +572,7 @@ function create(opts) {
|
|
|
572
572
|
|
|
573
573
|
// Rotate c_nonce so a replayed proof-JWT for a follow-up
|
|
574
574
|
// batch_credential request is rejected.
|
|
575
|
-
var newCNonce = generateToken(16); //
|
|
575
|
+
var newCNonce = generateToken(16); // 128-bit c_nonce
|
|
576
576
|
await cNonceStore.set(iopts.accessToken, newCNonce);
|
|
577
577
|
|
|
578
578
|
// AUTH-6 — when single-use is on (default), DELETE the access token
|
|
@@ -600,7 +600,7 @@ function create(opts) {
|
|
|
600
600
|
format: spec.format,
|
|
601
601
|
credential: sdJwtToken.token,
|
|
602
602
|
c_nonce: newCNonce,
|
|
603
|
-
c_nonce_expires_in: Math.floor(cNonceTtl / 1000), //
|
|
603
|
+
c_nonce_expires_in: Math.floor(cNonceTtl / 1000), // ms→s
|
|
604
604
|
};
|
|
605
605
|
}
|
|
606
606
|
|
|
@@ -348,8 +348,8 @@ function create(opts) {
|
|
|
348
348
|
"createRequest: dcql is required");
|
|
349
349
|
}
|
|
350
350
|
_validateDcql(ropts.dcql);
|
|
351
|
-
var nonce = ropts.nonce || generateToken(16); //
|
|
352
|
-
var state = ropts.state || generateToken(16); //
|
|
351
|
+
var nonce = ropts.nonce || generateToken(16); // 128-bit nonce
|
|
352
|
+
var state = ropts.state || generateToken(16); // 128-bit state
|
|
353
353
|
var request = {
|
|
354
354
|
response_type: "vp_token",
|
|
355
355
|
response_mode: ropts.responseMode || "direct_post",
|
|
@@ -82,7 +82,7 @@ var _emitMetric = emit.metric;
|
|
|
82
82
|
|
|
83
83
|
var SUPPORTED_ALGS = ["ES256", "ES384", "ES512", "PS256", "PS384", "PS512", "RS256", "EdDSA"];
|
|
84
84
|
var MAX_STATEMENT_BYTES = 64 * 1024; // allow:raw-byte-literal — entity-statement size cap
|
|
85
|
-
var MAX_CHAIN_DEPTH = 10; //
|
|
85
|
+
var MAX_CHAIN_DEPTH = 10; // federation chain depth ceiling
|
|
86
86
|
|
|
87
87
|
function _b64uDecodeStr(s) { return Buffer.from(s, "base64url").toString("utf8"); }
|
|
88
88
|
|
|
@@ -117,7 +117,7 @@ function parseEntityStatement(jwt) {
|
|
|
117
117
|
}
|
|
118
118
|
var header, payload;
|
|
119
119
|
try {
|
|
120
|
-
header = safeJson.parse(_b64uDecodeStr(parts[0]), { maxBytes: 4096 }); //
|
|
120
|
+
header = safeJson.parse(_b64uDecodeStr(parts[0]), { maxBytes: 4096 }); // header cap
|
|
121
121
|
payload = safeJson.parse(_b64uDecodeStr(parts[1]), { maxBytes: MAX_STATEMENT_BYTES });
|
|
122
122
|
} catch (e) {
|
|
123
123
|
throw new AuthError("auth-openid-federation/bad-decode",
|
|
@@ -64,7 +64,7 @@ var { AuthError } = require("../framework-error");
|
|
|
64
64
|
// W3C WebAuthn name field cap — same as the rpName/userName ceiling in
|
|
65
65
|
// the spec's CredentialUserEntity / PublicKeyCredentialEntity dictionaries
|
|
66
66
|
// (no normative limit but RPs broadly cap at 256 to defeat DOM cost).
|
|
67
|
-
var MAX_NAME_LEN = 256; //
|
|
67
|
+
var MAX_NAME_LEN = 256; // UTF-16 codepoint count, not bytes
|
|
68
68
|
|
|
69
69
|
function _vendor() {
|
|
70
70
|
return _wa;
|
|
@@ -306,7 +306,7 @@ async function conditionalAuthOptions(opts) {
|
|
|
306
306
|
|
|
307
307
|
// CTAP2.1 §6.5 — PRF eval inputs are 32-byte salts. Caps every
|
|
308
308
|
// extension input that ships through the binary normalizer.
|
|
309
|
-
var MAX_EXT_INPUT_BYTES = 32; //
|
|
309
|
+
var MAX_EXT_INPUT_BYTES = 32; // CTAP2.1 §6.5 PRF salt length
|
|
310
310
|
|
|
311
311
|
function _b64urlExtInput(value, name, maxBytes) {
|
|
312
312
|
// Accept a base64url string OR a Buffer / Uint8Array. Normalize the
|
|
@@ -436,7 +436,7 @@ function _credBlobExt(args) {
|
|
|
436
436
|
throw new AuthError("auth-passkey/bad-credblob",
|
|
437
437
|
"extensions.credBlob blob must be a Uint8Array / Buffer");
|
|
438
438
|
}
|
|
439
|
-
if (buf.length === 0 || buf.length > 32) { //
|
|
439
|
+
if (buf.length === 0 || buf.length > 32) { // CTAP2.1 §11.1 credBlob max
|
|
440
440
|
throw new AuthError("auth-passkey/credblob-bad-length",
|
|
441
441
|
"extensions.credBlob blob must be 1-32 bytes (CTAP2.1 §11.1)");
|
|
442
442
|
}
|