npm - @blamejs/blamejs-shop - Versions diffs - 0.3.69 → 0.3.71 - Mend

@blamejs/blamejs-shop 0.3.69 → 0.3.71

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (92) hide show

package/lib/vendor/blamejs/test/layer-0-primitives/redis-client.test.js CHANGED Viewed

@@ -119,6 +119,66 @@ async function run() {
   check("frameToValue: error becomes _redisError marker",
         efv && efv._redisError === true && efv.message === "ERR boom");
+  // ---- create() config-time opt validation ----
+  // db / connectTimeoutMs / commandTimeoutMs / maxReconnectAttempts were
+  // coerced with bare Number() + falsy fallback: a bad type silently became
+  // the default (or, for a negative timeout, sailed into setTimeout; for a
+  // non-numeric maxReconnectAttempts, NaN made the `>= 0` reconnect cap
+  // false and disabled the bound entirely). They now throw at the entry
+  // point. db and maxReconnectAttempts must still allow 0.
+  function _createThrows(label, badOpts) {
+    var threw = false;
+    var msg = "";
+    try { redis.create(Object.assign({ url: "redis://127.0.0.1:1/0" }, badOpts)); }
+    catch (e) { threw = true; msg = (e && e.message) || ""; }
+    check("create rejects " + label, threw);
+    check("create rejects " + label + " with a clear message",
+          threw && msg.length > 0 && /must be/.test(msg));
+  }
+  _createThrows("connectTimeoutMs:\"abc\"", { connectTimeoutMs: "abc" });
+  _createThrows("connectTimeoutMs:-1", { connectTimeoutMs: -1 });
+  _createThrows("connectTimeoutMs:0", { connectTimeoutMs: 0 });
+  _createThrows("commandTimeoutMs:\"abc\"", { commandTimeoutMs: "abc" });
+  _createThrows("commandTimeoutMs:-5", { commandTimeoutMs: -5 });
+  _createThrows("db:\"3\"", { db: "3" });
+  _createThrows("db:-1", { db: -1 });
+  _createThrows("db:1.5", { db: 1.5 });
+  _createThrows("maxReconnectAttempts:\"abc\"", { maxReconnectAttempts: "abc" });
+  _createThrows("maxReconnectAttempts:-1", { maxReconnectAttempts: -1 });
+  _createThrows("maxReconnectAttempts:2.5", { maxReconnectAttempts: 2.5 });
+  // Absent opts keep the documented defaults.
+  var cDefaults = redis.create({ url: "redis://127.0.0.1:6379/0" });
+  var sDefaults = cDefaults._state();
+  check("create default connectTimeoutMs is 5000", sDefaults.connectTimeoutMs === 5000);
+  check("create default commandTimeoutMs is 10000", sDefaults.commandTimeoutMs === 10000);
+  check("create default maxReconnectAttempts is 10", sDefaults.maxReconnectAttempts === 10);
+  check("create default db comes from url (0)", sDefaults.db === 0);
+  // Valid values flow through unchanged.
+  var cValid = redis.create({
+    url: "redis://127.0.0.1:6379/0",
+    db: 7, connectTimeoutMs: 3000, commandTimeoutMs: 8000, maxReconnectAttempts: 3,
+  });
+  var sValid = cValid._state();
+  check("create accepts valid db", sValid.db === 7);
+  check("create accepts valid connectTimeoutMs", sValid.connectTimeoutMs === 3000);
+  check("create accepts valid commandTimeoutMs", sValid.commandTimeoutMs === 8000);
+  check("create accepts valid maxReconnectAttempts", sValid.maxReconnectAttempts === 3);
+  // 0 is a legitimate value for both db and maxReconnectAttempts and must
+  // NOT throw. db:0 = no SELECT on connect; maxReconnectAttempts:0 = give
+  // up immediately (the `reconnectAttempt >= maxReconnectAttempts` gate is
+  // true on the first reconnect call) — both preserved from prior behavior.
+  var cZero = redis.create({
+    url: "redis://127.0.0.1:6379/0", db: 0, maxReconnectAttempts: 0,
+  });
+  var sZero = cZero._state();
+  check("create accepts db:0", sZero.db === 0);
+  check("create accepts maxReconnectAttempts:0 (give-up-immediately bound)",
+        sZero.maxReconnectAttempts === 0);
   // ---- close()/reconnect leak guard (v0.13.40) ----
   // After close(), a reconnect timer scheduled during backoff must be
   // cancelled and _connect() must refuse to re-open — otherwise a post-

package/lib/vendor/blamejs/test/layer-0-primitives/safe-redirect.test.js ADDED Viewed

@@ -0,0 +1,118 @@
+"use strict";
+/**
+ * b.safeRedirect — open-redirect (CWE-601) defense for operator-supplied
+ * post-login redirect targets.
+ *
+ * Run standalone: `node test/layer-0-primitives/safe-redirect.test.js`
+ * Or via smoke:   `node test/smoke.js`
+ */
+var helpers = require("../helpers");
+var b     = helpers.b;
+var check = helpers.check;
+function testSurface() {
+  check("b.safeRedirect is object",            typeof b.safeRedirect === "object");
+  check("b.safeRedirect.resolve is fn",        typeof b.safeRedirect.resolve === "function");
+  check("b.safeRedirect.DEFAULT_FALLBACK",     b.safeRedirect.DEFAULT_FALLBACK === "/");
+}
+function testRelativeAndFragmentTargets() {
+  check("relative path is same-origin safe",
+        b.safeRedirect.resolve("/dashboard", { fallback: "/x" }) === "/dashboard");
+  check("query-only target is safe",
+        b.safeRedirect.resolve("?q=1", { fallback: "/x" }) === "?q=1");
+  check("fragment target is safe",
+        b.safeRedirect.resolve("#section", { fallback: "/x" }) === "#section");
+}
+function testHostileTargetsFallBack() {
+  check("protocol-relative // → fallback",
+        b.safeRedirect.resolve("//attacker.example.com", { fallback: "/safe" }) === "/safe");
+  check("backslash-relative \\\\ → fallback",
+        b.safeRedirect.resolve("\\\\attacker.example.com", { fallback: "/safe" }) === "/safe");
+  check("control char → fallback",
+        b.safeRedirect.resolve("/a\nb", { fallback: "/safe" }) === "/safe");
+  check("empty target → fallback",
+        b.safeRedirect.resolve("", { fallback: "/safe" }) === "/safe");
+  check("full URL with no allowlist → fallback",
+        b.safeRedirect.resolve("https://attacker.example.com/x", { fallback: "/safe" }) === "/safe");
+}
+function testAllowedOriginsAndHosts() {
+  check("full URL matching allowedOrigins passes",
+        b.safeRedirect.resolve("https://app.example.com/next",
+          { allowedOrigins: ["https://app.example.com"], fallback: "/safe" })
+        === "https://app.example.com/next");
+  check("full URL not in allowedOrigins → fallback",
+        b.safeRedirect.resolve("https://evil.example.com/x",
+          { allowedOrigins: ["https://app.example.com"], fallback: "/safe" })
+        === "/safe");
+  check("full URL matching allowedHosts passes",
+        b.safeRedirect.resolve("https://app.example.com/next",
+          { allowedHosts: ["app.example.com"], fallback: "/safe" })
+        === "https://app.example.com/next");
+}
+// ---- base wiring (opts.base is the app's own origin) ----
+function testBaseOriginImplicitlyAllowed() {
+  // A full URL on the same origin as base is same-origin by definition,
+  // so it passes even without an explicit allowedOrigins / allowedHosts.
+  check("full URL on base origin allowed via base alone",
+        b.safeRedirect.resolve("https://app.example.com/dashboard",
+          { base: "https://app.example.com", fallback: "/safe" })
+        === "https://app.example.com/dashboard");
+  // A cross-origin full URL is still refused when only base is supplied.
+  check("cross-origin full URL refused with base only",
+        b.safeRedirect.resolve("https://attacker.example.com/x",
+          { base: "https://app.example.com", fallback: "/safe" })
+        === "/safe");
+  // base combines with allowedOrigins (both are accepted).
+  check("base origin allowed alongside allowedOrigins",
+        b.safeRedirect.resolve("https://app.example.com/y",
+          { base: "https://app.example.com",
+            allowedOrigins: ["https://other.example.com"], fallback: "/safe" })
+        === "https://app.example.com/y");
+  // A different port is a different origin → refused.
+  check("base origin port mismatch refused",
+        b.safeRedirect.resolve("https://app.example.com:8443/x",
+          { base: "https://app.example.com", fallback: "/safe" })
+        === "/safe");
+}
+function testBaseDefaultBehaviorUnchanged() {
+  // No base + no allowlist → full URLs still refused (default safe).
+  check("no base, no allowlist → full URL fallback",
+        b.safeRedirect.resolve("https://app.example.com/x", { fallback: "/safe" }) === "/safe");
+  // Relative paths are unaffected by base.
+  check("relative path safe regardless of base",
+        b.safeRedirect.resolve("/home", { base: "https://app.example.com", fallback: "/safe" })
+        === "/home");
+  // A malformed / non-http(s) base is ignored (no crash, falls through
+  // to refuse the full URL with no other allowlist).
+  check("malformed base ignored → full URL fallback",
+        b.safeRedirect.resolve("https://app.example.com/x",
+          { base: "not a url", fallback: "/safe" })
+        === "/safe");
+}
+function run() {
+  testSurface();
+  testRelativeAndFragmentTargets();
+  testHostileTargetsFallBack();
+  testAllowedOriginsAndHosts();
+  testBaseOriginImplicitlyAllowed();
+  testBaseDefaultBehaviorUnchanged();
+  console.log("OK — safe-redirect tests");
+}
+module.exports = { run: run };
+if (require.main === module) {
+  try { run(); process.exit(0); } catch (e) { console.error(e); process.exit(1); }
+}

package/lib/vendor/blamejs/test/layer-0-primitives/scim-server.test.js CHANGED Viewed

@@ -92,6 +92,7 @@ async function run() {
   check("BulkResponse URN exported",      scimMod.SCIM_MESSAGE_BULK_RESPONSE === "urn:ietf:params:scim:api:messages:2.0:BulkResponse");
   await _runBulkTests();
+  await _runBulkRefOrderingTests();
 }
 // RFC 7644 §3.7 — /Bulk operations.
@@ -247,6 +248,264 @@ async function _runBulkTests() {
   check("bulk: bad maxOperations refused",   threwCap);
 }
+// Deep-walk a value asserting no string carries an unresolved
+// "bulkId:<id>" cross-reference token (RFC 7644 §3.7.2 — a literal token
+// must never reach the adapter as if it were a real resource id).
+function _containsBulkIdToken(value) {
+  if (typeof value === "string") return /^bulkId:/.test(value);
+  if (Array.isArray(value)) return value.some(_containsBulkIdToken);
+  if (value && typeof value === "object") {
+    return Object.keys(value).some(function (k) { return _containsBulkIdToken(value[k]); });
+  }
+  return false;
+}
+// A user adapter that records every data object it is handed so a test
+// can assert the adapter NEVER received a literal "bulkId:<id>" token.
+function _mkRecordingUsers() {
+  return {
+    _records:  new Map(),
+    _seq:      0,
+    _received: [],
+    async create(rec) {
+      this._received.push(rec);
+      var id = "u-" + (++this._seq);
+      var out = Object.assign({ id: id, meta: { resourceType: "User" } }, rec);
+      this._records.set(id, out);
+      return out;
+    },
+    async read(id)        { return this._records.get(id) || null; },
+    async update(id, rec) { this._received.push(rec); var r = Object.assign({}, rec, { id: id }); this._records.set(id, r); return r; },
+    async patch(id, ops)  { this._received.push(ops); var r = this._records.get(id); return r; },
+    async remove(id)      { this._records.delete(id); },
+    async list()          { return { totalResults: this._records.size, Resources: Array.from(this._records.values()) }; },
+  };
+}
+function _mkRecordingGroups() {
+  return {
+    _records:    new Map(),
+    _seq:        0,
+    _received:   [],
+    _lastCreate: null,
+    async create(rec) {
+      this._received.push(rec);
+      var id = "g-" + (++this._seq);
+      var out = Object.assign({ id: id, meta: { resourceType: "Group" } }, rec);
+      this._records.set(id, out);
+      this._lastCreate = out;
+      return out;
+    },
+    async read(id)        { return this._records.get(id) || null; },
+    async update(id, rec) { this._received.push(rec); var r = Object.assign({}, rec, { id: id }); this._records.set(id, r); return r; },
+    async patch(id, ops)  { this._received.push(ops); var r = this._records.get(id); return r; },
+    async remove(id)      { this._records.delete(id); },
+    async list()          { return { totalResults: this._records.size, Resources: Array.from(this._records.values()) }; },
+  };
+}
+// RFC 7644 §3.7.2 — forward references, circular references, undeclared
+// references, and failed-dependency references.
+async function _runBulkRefOrderingTests() {
+  // --- Forward reference: the GROUP op references the USER op that comes
+  // AFTER it in request order. Both must succeed and the token must be
+  // substituted with the real id (success path, end-to-end).
+  var fwdUsers  = _mkRecordingUsers();
+  var fwdGroups = _mkRecordingGroups();
+  var fwdMw = b.middleware.scimServer({
+    basePath: "/scim/v2", users: fwdUsers, groups: fwdGroups, bulk: { maxOperations: 10 },
+  });
+  var fwd = await _bulkBody(fwdMw, [
+    { method: "POST", path: "/Groups", bulkId: "admins",
+      data: { schemas: ["urn:ietf:params:scim:schemas:core:2.0:Group"], displayName: "Admins",
+              members: [{ value: "bulkId:carol" }] } },
+    { method: "POST", path: "/Users", bulkId: "carol",
+      data: { schemas: ["urn:ietf:params:scim:schemas:core:2.0:User"], userName: "carol" } },
+  ]);
+  var fwdResp = JSON.parse(fwd.res._body());
+  check("bulk fwd-ref: 200 envelope",        fwd.res._sc() === 200);
+  check("bulk fwd-ref: both succeed",        fwdResp.Operations[0].status === "201" && fwdResp.Operations[1].status === "201");
+  // Response array stays in ORIGINAL request order (group first, user second).
+  check("bulk fwd-ref: response in request order",
+        fwdResp.Operations[0].bulkId === "admins" && fwdResp.Operations[1].bulkId === "carol");
+  var fwdUserId  = Array.from(fwdUsers._records.keys())[0];
+  var fwdMembers = fwdGroups._lastCreate && fwdGroups._lastCreate.members;
+  check("bulk fwd-ref: token resolved to real id",
+        Array.isArray(fwdMembers) && fwdMembers[0].value === fwdUserId);
+  check("bulk fwd-ref: adapter never saw a literal token",
+        !fwdGroups._received.some(_containsBulkIdToken) && !fwdUsers._received.some(_containsBulkIdToken));
+  // --- Circular reference: two POSTs each reference the other's bulkId.
+  // Both fail with HTTP 409 (RFC 7644 §3.7.1) and the adapter is NEVER
+  // called with a literal token (in fact never called at all here).
+  var cycUsers  = _mkRecordingUsers();
+  var cycGroups = _mkRecordingGroups();
+  var cycMw = b.middleware.scimServer({
+    basePath: "/scim/v2", users: cycUsers, groups: cycGroups, bulk: { maxOperations: 10 },
+  });
+  var cyc = await _bulkBody(cycMw, [
+    { method: "POST", path: "/Users", bulkId: "ua",
+      data: { schemas: ["urn:ietf:params:scim:schemas:core:2.0:User"], userName: "ua",
+              manager: { value: "bulkId:ub" } } },
+    { method: "POST", path: "/Users", bulkId: "ub",
+      data: { schemas: ["urn:ietf:params:scim:schemas:core:2.0:User"], userName: "ub",
+              manager: { value: "bulkId:ua" } } },
+  ]);
+  var cycResp = JSON.parse(cyc.res._body());
+  check("bulk circular: 200 envelope",       cyc.res._sc() === 200);
+  check("bulk circular: 2 results in order", cycResp.Operations.length === 2 &&
+        cycResp.Operations[0].bulkId === "ua" && cycResp.Operations[1].bulkId === "ub");
+  check("bulk circular: both fail 409",      cycResp.Operations[0].status === "409" && cycResp.Operations[1].status === "409");
+  check("bulk circular: adapter never called with token",
+        !cycUsers._received.some(_containsBulkIdToken));
+  check("bulk circular: nothing persisted",  cycUsers._records.size === 0);
+  // --- Undeclared reference: a member points at a bulkId no operation
+  // declares — that op fails invalidValue; the well-formed op succeeds.
+  var undUsers  = _mkRecordingUsers();
+  var undGroups = _mkRecordingGroups();
+  var undMw = b.middleware.scimServer({
+    basePath: "/scim/v2", users: undUsers, groups: undGroups, bulk: { maxOperations: 10 },
+  });
+  var und = await _bulkBody(undMw, [
+    { method: "POST", path: "/Users", bulkId: "real",
+      data: { schemas: ["urn:ietf:params:scim:schemas:core:2.0:User"], userName: "real" } },
+    { method: "POST", path: "/Groups", bulkId: "grp",
+      data: { schemas: ["urn:ietf:params:scim:schemas:core:2.0:Group"], displayName: "G",
+              members: [{ value: "bulkId:ghost" }] } },
+  ]);
+  var undResp = JSON.parse(und.res._body());
+  check("bulk undeclared: real op succeeds", undResp.Operations[0].status === "201");
+  check("bulk undeclared: ref op fails 400", undResp.Operations[1].status === "400" &&
+        undResp.Operations[1].response.scimType === "invalidValue");
+  check("bulk undeclared: group adapter never saw token",
+        !undGroups._received.some(_containsBulkIdToken));
+  check("bulk undeclared: no group persisted", undGroups._records.size === 0);
+  // --- Failed dependency: the creating op fails, so the op that
+  // references it must fail invalidValue rather than receive the token.
+  var depUsersBase = _mkRecordingUsers();
+  var depUsers = {
+    _records: depUsersBase._records,
+    _received: depUsersBase._received,
+    create: async function (rec) {
+      depUsersBase._received.push(rec);
+      var e = new Error("user create rejected"); e.statusCode = 409; e.scimType = "uniqueness"; throw e;
+    },
+    read: depUsersBase.read.bind(depUsersBase), update: depUsersBase.update.bind(depUsersBase),
+    patch: depUsersBase.patch.bind(depUsersBase), remove: depUsersBase.remove.bind(depUsersBase),
+    list: depUsersBase.list.bind(depUsersBase),
+  };
+  var depGroups = _mkRecordingGroups();
+  var depMw = b.middleware.scimServer({
+    basePath: "/scim/v2", users: depUsers, groups: depGroups, bulk: { maxOperations: 10 },
+  });
+  var dep = await _bulkBody(depMw, [
+    { method: "POST", path: "/Users", bulkId: "willfail",
+      data: { schemas: ["urn:ietf:params:scim:schemas:core:2.0:User"], userName: "willfail" } },
+    { method: "POST", path: "/Groups", bulkId: "grp",
+      data: { schemas: ["urn:ietf:params:scim:schemas:core:2.0:Group"], displayName: "G",
+              members: [{ value: "bulkId:willfail" }] } },
+  ]);
+  var depResp = JSON.parse(dep.res._body());
+  check("bulk failed-dep: creator fails 409", depResp.Operations[0].status === "409");
+  check("bulk failed-dep: dependent fails 400 invalidValue",
+        depResp.Operations[1].status === "400" && depResp.Operations[1].response.scimType === "invalidValue");
+  check("bulk failed-dep: group adapter never saw token",
+        !depGroups._received.some(_containsBulkIdToken));
+  check("bulk failed-dep: no group persisted", depGroups._records.size === 0);
+  // --- Backward reference unchanged: a member references an EARLIER POST.
+  var bwUsers  = _mkRecordingUsers();
+  var bwGroups = _mkRecordingGroups();
+  var bwMw = b.middleware.scimServer({
+    basePath: "/scim/v2", users: bwUsers, groups: bwGroups, bulk: { maxOperations: 10 },
+  });
+  var bw = await _bulkBody(bwMw, [
+    { method: "POST", path: "/Users", bulkId: "dave",
+      data: { schemas: ["urn:ietf:params:scim:schemas:core:2.0:User"], userName: "dave" } },
+    { method: "POST", path: "/Groups", bulkId: "team",
+      data: { schemas: ["urn:ietf:params:scim:schemas:core:2.0:Group"], displayName: "Team",
+              members: [{ value: "bulkId:dave" }] } },
+  ]);
+  var bwResp = JSON.parse(bw.res._body());
+  check("bulk back-ref: both succeed",       bwResp.Operations[0].status === "201" && bwResp.Operations[1].status === "201");
+  var bwUserId  = Array.from(bwUsers._records.keys())[0];
+  var bwMembers = bwGroups._lastCreate && bwGroups._lastCreate.members;
+  check("bulk back-ref: token resolved",     Array.isArray(bwMembers) && bwMembers[0].value === bwUserId);
+  check("bulk back-ref: adapter never saw token",
+        !bwGroups._received.some(_containsBulkIdToken));
+  // --- PATH references (RFC 7644 §3.7.2) — a bulkId can appear as the
+  // resource id in an operation's path ("PATCH /Users/bulkId:u1"), not
+  // just in operation data. Forward path refs order like data refs and
+  // the path token is substituted with the real id before dispatch.
+  var pthUsers = _mkRecordingUsers();
+  var pthPatchedIds = [];
+  var pthPatchInner = pthUsers.patch.bind(pthUsers);
+  pthUsers.patch = async function (id, ops) { pthPatchedIds.push(id); return pthPatchInner(id, ops); };
+  var pthMw = b.middleware.scimServer({
+    basePath: "/scim/v2", users: pthUsers, bulk: { maxOperations: 10 },
+  });
+  var pth = await _bulkBody(pthMw, [
+    { method: "PATCH", path: "/Users/bulkId:newbie",
+      data: { Operations: [{ op: "replace", path: "active", value: true }] } },
+    { method: "POST", path: "/Users", bulkId: "newbie",
+      data: { schemas: ["urn:ietf:params:scim:schemas:core:2.0:User"], userName: "newbie" } },
+  ]);
+  var pthResp = JSON.parse(pth.res._body());
+  check("bulk path-ref: 200 envelope",      pth.res._sc() === 200);
+  check("bulk path-ref: both succeed",
+        pthResp.Operations[0].status === "200" && pthResp.Operations[1].status === "201");
+  check("bulk path-ref: response in request order",
+        pthResp.Operations[1].bulkId === "newbie");
+  var pthUserId = Array.from(pthUsers._records.keys())[0];
+  check("bulk path-ref: patch received the real id, not the token",
+        pthPatchedIds.length === 1 && pthPatchedIds[0] === pthUserId);
+  // Backward path ref on DELETE: the created resource is removable via
+  // its bulkId path token in the same request.
+  var delUsers = _mkRecordingUsers();
+  var delMw = b.middleware.scimServer({
+    basePath: "/scim/v2", users: delUsers, bulk: { maxOperations: 10 },
+  });
+  var del = await _bulkBody(delMw, [
+    { method: "POST", path: "/Users", bulkId: "gone",
+      data: { schemas: ["urn:ietf:params:scim:schemas:core:2.0:User"], userName: "gone" } },
+    { method: "DELETE", path: "/Users/bulkId:gone" },
+  ]);
+  var delResp = JSON.parse(del.res._body());
+  check("bulk path-ref delete: both succeed",
+        delResp.Operations[0].status === "201" && delResp.Operations[1].status === "204");
+  check("bulk path-ref delete: record removed", delUsers._records.size === 0);
+  // Undeclared path ref: fails per-op invalidValue, adapter never called.
+  var updUsers = _mkRecordingUsers();
+  var updMw = b.middleware.scimServer({
+    basePath: "/scim/v2", users: updUsers, bulk: { maxOperations: 10 },
+  });
+  var upd = await _bulkBody(updMw, [
+    { method: "DELETE", path: "/Users/bulkId:phantom" },
+  ]);
+  var updResp = JSON.parse(upd.res._body());
+  check("bulk path-ref undeclared: fails 400 invalidValue",
+        updResp.Operations[0].status === "400" &&
+        updResp.Operations[0].response.scimType === "invalidValue");
+  check("bulk path-ref undeclared: adapter untouched",
+        updUsers._received.length === 0 && updUsers._records.size === 0);
+  // --- maxPageSize garbage throws at create() (entry-point tier).
+  var threwPage = false;
+  try { b.middleware.scimServer({ basePath: "/scim/v2", users: _mkUsers(), maxPageSize: "lots" }); }
+  catch (e) { threwPage = /bad-max-page-size/.test(e.code || ""); }
+  check("maxPageSize garbage refused at create()", threwPage);
+  var threwPage2 = false;
+  try { b.middleware.scimServer({ basePath: "/scim/v2", users: _mkUsers(), maxPageSize: -3 }); }
+  catch (e) { threwPage2 = /bad-max-page-size/.test(e.code || ""); }
+  check("maxPageSize negative refused at create()", threwPage2);
+}
 module.exports = { run: run };
 if (require.main === module) {

package/lib/vendor/blamejs/test/layer-0-primitives/sd-jwt-vc.test.js CHANGED Viewed

@@ -650,6 +650,51 @@ function testHolderValidation() {
   check("holder.create: missing holderKey throws", threwNoKey);
 }
+// The holder must derive the KB-JWT alg from the holder key type when no
+// explicit `algorithm` is given — a fixed "ES256" default signed a non-EC
+// holder key under a header alg that disagreed with the key (un-signable
+// or a self-invalid KB-JWT a verifier rejects).
+async function testHolderAlgFromKeyType() {
+  var issuerKey = _newKeyPair();
+  var edHolder = nodeCrypto.generateKeyPairSync("ed25519");
+  var sd = sdJwtVc.issue({
+    issuer: "https://issuer", vct: "https://example/identity",
+    claims: { given_name: "Alice" },
+    selectivelyDisclosed: ["given_name"],
+    issuerKey: issuerKey.privateKey,
+    holderKey: _jwk(edHolder.publicKey),
+  });
+  var holder = sdJwtVc.holder.create({
+    storage:   sdJwtVc.holder.memoryStorage(),
+    holderKey: edHolder.privateKey,        // Ed25519, no explicit algorithm
+  });
+  await holder.store({ id: "c", sdJwt: sd.token });
+  var pres = await holder.present({
+    credentialId: "c", disclosedClaimNames: ["given_name"],
+    audience: "https://verifier", nonce: "n-1",
+  });
+  var kbJwt = pres.presentation.split("~").pop();
+  var kbAlg = JSON.parse(Buffer.from(kbJwt.split(".")[0], "base64url").toString("utf8")).alg;
+  check("holder: Ed25519 key infers EdDSA KB-JWT alg (not fixed ES256)", kbAlg === "EdDSA");
+  var verified = await sdJwtVc.verify(pres.presentation, {
+    issuerKeyResolver: async function () { return issuerKey.publicKey; },
+    audience: "https://verifier", nonce: "n-1", requireKeyBinding: true,
+  });
+  check("holder: Ed25519-bound presentation round-trips", verified.valid && verified.kbValidated);
+  // An RSA holder key has no KB-JWT alg in SUPPORTED_ALGS — refuse at
+  // create time rather than emit a self-invalid ES256-headed token.
+  var rsaThrew = null;
+  try {
+    sdJwtVc.holder.create({
+      storage:   sdJwtVc.holder.memoryStorage(),
+      holderKey: nodeCrypto.generateKeyPairSync("rsa", { modulusLength: 2048 }).privateKey,
+    });
+  } catch (e) { rsaThrew = e; }
+  check("holder.create: RSA holder key refused with a clear error",
+        rsaThrew && rsaThrew.code === "auth-sd-jwt-vc/holder-key-unsupported");
+}
 // ---- Module exports ----
 function testExports() {
@@ -696,5 +741,6 @@ function testExports() {
   await testHolderDelete();
   await testHolderPresentNonexistent();
   testHolderValidation();
+  await testHolderAlgFromKeyType();
   testExports();
 })().catch(function (e) { console.error(e); process.exit(1); });

package/lib/vendor/blamejs/test/layer-0-primitives/security-headers.test.js CHANGED Viewed

@@ -150,6 +150,110 @@ function testDefaultDocumentPolicyExportedConstant() {
     typeof m.DEFAULT_DOCUMENT_POLICY === "string" && m.DEFAULT_DOCUMENT_POLICY.length > 0);
 }
+function testReportOnlyHeadersEmittedWhenOptedIn() {
+  var mw = b.middleware.securityHeaders({
+    coopReportOnly:           'same-origin; report-to="coop"',
+    coepReportOnly:           'require-corp; report-to="coep"',
+    documentPolicyReportOnly: 'document-write=?0; report-to="docpol"',
+  });
+  var res = _mkRes();
+  mw({ headers: {} }, res, function () {});
+  check("Cross-Origin-Opener-Policy-Report-Only emitted when coopReportOnly set",
+    res._hdrs["Cross-Origin-Opener-Policy-Report-Only"] === 'same-origin; report-to="coop"');
+  check("Cross-Origin-Embedder-Policy-Report-Only emitted when coepReportOnly set",
+    res._hdrs["Cross-Origin-Embedder-Policy-Report-Only"] === 'require-corp; report-to="coep"');
+  check("Document-Policy-Report-Only emitted when documentPolicyReportOnly set",
+    res._hdrs["Document-Policy-Report-Only"] === 'document-write=?0; report-to="docpol"');
+}
+function testReportOnlyDoesNotTouchEnforcingHeaders() {
+  // Monitor-mode opt-ins must not alter the enforcing COOP / COEP /
+  // Document-Policy headers: COOP stays same-origin, COEP stays off by
+  // default, Document-Policy keeps its enforcing default.
+  var mw = b.middleware.securityHeaders({
+    coopReportOnly: "same-origin",
+    coepReportOnly: "require-corp",
+  });
+  var res = _mkRes();
+  mw({ headers: {} }, res, function () {});
+  check("enforcing COOP unchanged by coopReportOnly",
+    res._hdrs["Cross-Origin-Opener-Policy"] === "same-origin");
+  check("COEP stays off by default despite coepReportOnly",
+    res._hdrs["Cross-Origin-Embedder-Policy"] === undefined);
+  check("enforcing Document-Policy unchanged by report-only opts",
+    res._hdrs["Document-Policy"] === b.middleware._modules.securityHeaders.DEFAULT_DOCUMENT_POLICY);
+}
+function testReportOnlyDefaultOff() {
+  var mw = b.middleware.securityHeaders();
+  var res = _mkRes();
+  mw({ headers: {} }, res, function () {});
+  check("Cross-Origin-Opener-Policy-Report-Only default off",
+    res._hdrs["Cross-Origin-Opener-Policy-Report-Only"] === undefined);
+  check("Cross-Origin-Embedder-Policy-Report-Only default off",
+    res._hdrs["Cross-Origin-Embedder-Policy-Report-Only"] === undefined);
+  check("Document-Policy-Report-Only default off",
+    res._hdrs["Document-Policy-Report-Only"] === undefined);
+}
+function testRequireDocumentPolicyEmittedWhenOptedIn() {
+  var mw = b.middleware.securityHeaders({ requireDocumentPolicy: "unsized-media=?0" });
+  var res = _mkRes();
+  mw({ headers: {} }, res, function () {});
+  check("Require-Document-Policy emitted when opted in",
+    res._hdrs["Require-Document-Policy"] === "unsized-media=?0");
+}
+function testRequireDocumentPolicyDefaultOff() {
+  var mw = b.middleware.securityHeaders();
+  var res = _mkRes();
+  mw({ headers: {} }, res, function () {});
+  check("Require-Document-Policy default off",
+    res._hdrs["Require-Document-Policy"] === undefined);
+}
+function testServiceWorkerAllowedEmittedWhenOptedIn() {
+  var mw = b.middleware.securityHeaders({ serviceWorkerAllowed: "/" });
+  var res = _mkRes();
+  mw({ headers: {} }, res, function () {});
+  check("Service-Worker-Allowed emitted when opted in",
+    res._hdrs["Service-Worker-Allowed"] === "/");
+}
+function testServiceWorkerAllowedDefaultOff() {
+  var mw = b.middleware.securityHeaders();
+  var res = _mkRes();
+  mw({ headers: {} }, res, function () {});
+  check("Service-Worker-Allowed default off",
+    res._hdrs["Service-Worker-Allowed"] === undefined);
+}
+function testNewOptsNonStringIgnored() {
+  // Defensive reader: a non-string (truthy-but-wrong) value emits no
+  // header rather than serializing an object into the response.
+  var mw = b.middleware.securityHeaders({
+    coopReportOnly:        { not: "a string" },
+    serviceWorkerAllowed:  123,
+    requireDocumentPolicy: [],
+  });
+  var res = _mkRes();
+  mw({ headers: {} }, res, function () {});
+  check("non-string coopReportOnly emits no header",
+    res._hdrs["Cross-Origin-Opener-Policy-Report-Only"] === undefined);
+  check("non-string serviceWorkerAllowed emits no header",
+    res._hdrs["Service-Worker-Allowed"] === undefined);
+  check("non-string requireDocumentPolicy emits no header",
+    res._hdrs["Require-Document-Policy"] === undefined);
+}
+function testUnknownOptStillRefused() {
+  var threw = false;
+  try {
+    b.middleware.securityHeaders({ coopReportOnlyy: "same-origin" });
+  } catch (_e) { threw = true; }
+  check("typo'd report-only opt refused at config-time", threw);
+}
 async function run() {
   testFencedFrameSrcInDefaultCsp();
   testDocumentPolicyDefault();
@@ -163,6 +267,15 @@ async function run() {
   testPermissionsPolicyMultiEntryAccepted();
   testV0870PermissionsPolicyDefaults();
   testDefaultDocumentPolicyExportedConstant();
+  testReportOnlyHeadersEmittedWhenOptedIn();
+  testReportOnlyDoesNotTouchEnforcingHeaders();
+  testReportOnlyDefaultOff();
+  testRequireDocumentPolicyEmittedWhenOptedIn();
+  testRequireDocumentPolicyDefaultOff();
+  testServiceWorkerAllowedEmittedWhenOptedIn();
+  testServiceWorkerAllowedDefaultOff();
+  testNewOptsNonStringIgnored();
+  testUnknownOptStillRefused();
 }
 module.exports = { run: run };