@blamejs/blamejs-shop 0.3.7 → 0.3.9
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +4 -0
- package/lib/asset-manifest.json +1 -1
- package/lib/checkout.js +125 -1
- package/lib/storefront.js +1 -1
- package/lib/vendor/MANIFEST.json +2 -2
- package/lib/vendor/blamejs/.github/workflows/ci.yml +27 -0
- package/lib/vendor/blamejs/.github/workflows/codeql.yml +2 -2
- package/lib/vendor/blamejs/.github/workflows/release-container.yml +4 -4
- package/lib/vendor/blamejs/.github/workflows/scorecard.yml +1 -1
- package/lib/vendor/blamejs/CHANGELOG.md +2 -0
- package/lib/vendor/blamejs/README.md +1 -0
- package/lib/vendor/blamejs/SECURITY.md +2 -0
- package/lib/vendor/blamejs/api-snapshot.json +6 -2
- package/lib/vendor/blamejs/lib/cra-report.js +3 -3
- package/lib/vendor/blamejs/lib/middleware/age-gate.js +20 -7
- package/lib/vendor/blamejs/lib/middleware/bearer-auth.js +36 -35
- package/lib/vendor/blamejs/lib/middleware/bot-guard.js +17 -5
- package/lib/vendor/blamejs/lib/middleware/cors.js +28 -12
- package/lib/vendor/blamejs/lib/middleware/csrf-protect.js +22 -14
- package/lib/vendor/blamejs/lib/middleware/daily-byte-quota.js +27 -13
- package/lib/vendor/blamejs/lib/middleware/deny-response.js +140 -0
- package/lib/vendor/blamejs/lib/middleware/dpop.js +32 -19
- package/lib/vendor/blamejs/lib/middleware/fetch-metadata.js +21 -12
- package/lib/vendor/blamejs/lib/middleware/host-allowlist.js +19 -8
- package/lib/vendor/blamejs/lib/middleware/index.js +3 -0
- package/lib/vendor/blamejs/lib/middleware/network-allowlist.js +24 -10
- package/lib/vendor/blamejs/lib/middleware/rate-limit.js +22 -5
- package/lib/vendor/blamejs/lib/middleware/require-aal.js +25 -10
- package/lib/vendor/blamejs/lib/middleware/require-auth.js +32 -16
- package/lib/vendor/blamejs/lib/middleware/require-bound-key.js +49 -18
- package/lib/vendor/blamejs/lib/middleware/require-content-type.js +19 -8
- package/lib/vendor/blamejs/lib/middleware/require-methods.js +17 -7
- package/lib/vendor/blamejs/lib/middleware/require-mtls.js +27 -14
- package/lib/vendor/blamejs/lib/network.js +4 -4
- package/lib/vendor/blamejs/package.json +1 -1
- package/lib/vendor/blamejs/release-notes/v0.14.6.json +60 -0
- package/lib/vendor/blamejs/scripts/check-actions-currency.js +256 -0
- package/lib/vendor/blamejs/scripts/release.js +11 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/codebase-patterns.test.js +138 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/deny-response.test.js +228 -0
- package/package.json +1 -1
|
@@ -36,20 +36,25 @@
|
|
|
36
36
|
var requestHelpers = require("../request-helpers");
|
|
37
37
|
var validateOpts = require("../validate-opts");
|
|
38
38
|
var lazyRequire = require("../lazy-require");
|
|
39
|
+
var denyResponse = require("./deny-response").denyResponse;
|
|
39
40
|
|
|
40
41
|
var audit = lazyRequire(function () { return require("../audit"); });
|
|
41
42
|
var observability = lazyRequire(function () { return require("../observability"); });
|
|
42
43
|
|
|
43
44
|
var DEFAULT_METHODS = Object.freeze(["POST", "PUT", "DELETE", "PATCH"]);
|
|
44
45
|
|
|
45
|
-
function _writeReject(res, message) {
|
|
46
|
-
|
|
47
|
-
|
|
48
|
-
|
|
49
|
-
|
|
50
|
-
|
|
46
|
+
function _writeReject(req, res, message, reason, onDeny, problemMode) {
|
|
47
|
+
denyResponse(req, res, {
|
|
48
|
+
onDeny: onDeny,
|
|
49
|
+
problem: problemMode,
|
|
50
|
+
status: requestHelpers.HTTP_STATUS.FORBIDDEN,
|
|
51
|
+
info: { status: 403, reason: reason },
|
|
52
|
+
problemCode: "fetch-metadata-refused",
|
|
53
|
+
problemTitle: "Forbidden",
|
|
54
|
+
problemDetail: message,
|
|
55
|
+
contentType: "application/json; charset=utf-8",
|
|
56
|
+
body: JSON.stringify({ error: message }),
|
|
51
57
|
});
|
|
52
|
-
res.end(body);
|
|
53
58
|
}
|
|
54
59
|
|
|
55
60
|
/**
|
|
@@ -79,6 +84,8 @@ function _writeReject(res, message) {
|
|
|
79
84
|
* allowedNavigate: boolean, // default true
|
|
80
85
|
* methods: string[], // default POST/PUT/DELETE/PATCH
|
|
81
86
|
* audit: boolean, // default true
|
|
87
|
+
* onDeny: function(req, res, info): void, // own the 403; info = { status, reason }
|
|
88
|
+
* problemDetails: boolean, // default false — emit RFC 9457 application/problem+json instead of the default JSON envelope
|
|
82
89
|
* }
|
|
83
90
|
*
|
|
84
91
|
* @example
|
|
@@ -95,9 +102,11 @@ function create(opts) {
|
|
|
95
102
|
opts = opts || {};
|
|
96
103
|
validateOpts(opts, [
|
|
97
104
|
"allowSameSite", "allowCrossSite", "allowMissing",
|
|
98
|
-
"allowedDest", "allowedNavigate", "methods", "audit",
|
|
105
|
+
"allowedDest", "allowedNavigate", "methods", "audit", "onDeny", "problemDetails",
|
|
99
106
|
], "middleware.fetchMetadata");
|
|
100
107
|
|
|
108
|
+
var onDeny = typeof opts.onDeny === "function" ? opts.onDeny : null;
|
|
109
|
+
var problemMode = opts.problemDetails === true;
|
|
101
110
|
var allowSameSite = opts.allowSameSite !== false;
|
|
102
111
|
var allowCrossSite = opts.allowCrossSite === true;
|
|
103
112
|
var allowMissing = opts.allowMissing !== false;
|
|
@@ -135,7 +144,7 @@ function create(opts) {
|
|
|
135
144
|
// Defer to other auth/CSRF layers per allowMissing.
|
|
136
145
|
if (!allowMissing) {
|
|
137
146
|
_emitDenied(req, "fetch-metadata-missing");
|
|
138
|
-
return _writeReject(res, "Fetch-metadata required.");
|
|
147
|
+
return _writeReject(req, res, "Fetch-metadata required.", "fetch-metadata-missing", onDeny, problemMode);
|
|
139
148
|
}
|
|
140
149
|
return next();
|
|
141
150
|
}
|
|
@@ -144,7 +153,7 @@ function create(opts) {
|
|
|
144
153
|
if (site === "none") {
|
|
145
154
|
if (allowedNavigate) return next();
|
|
146
155
|
_emitDenied(req, "navigate-disallowed");
|
|
147
|
-
return _writeReject(res, "Direct navigation not allowed for this method.");
|
|
156
|
+
return _writeReject(req, res, "Direct navigation not allowed for this method.", "navigation-not-allowed", onDeny, problemMode);
|
|
148
157
|
}
|
|
149
158
|
|
|
150
159
|
if (site === "same-origin") return next();
|
|
@@ -152,7 +161,7 @@ function create(opts) {
|
|
|
152
161
|
if (site === "same-site") {
|
|
153
162
|
if (allowSameSite) return next();
|
|
154
163
|
_emitDenied(req, "same-site-disallowed");
|
|
155
|
-
return _writeReject(res, "Same-site request not allowed.");
|
|
164
|
+
return _writeReject(req, res, "Same-site request not allowed.", "same-site-not-allowed", onDeny, problemMode);
|
|
156
165
|
}
|
|
157
166
|
|
|
158
167
|
// cross-site
|
|
@@ -164,7 +173,7 @@ function create(opts) {
|
|
|
164
173
|
", dest=" + (dest || "?") + ")");
|
|
165
174
|
try { observability().count("auth.fetch_metadata.cross_site_refused", 1, {}); }
|
|
166
175
|
catch (_e) { /* best-effort */ }
|
|
167
|
-
return _writeReject(res, "Cross-site request refused.");
|
|
176
|
+
return _writeReject(req, res, "Cross-site request refused.", "cross-site-refused", onDeny, problemMode);
|
|
168
177
|
};
|
|
169
178
|
}
|
|
170
179
|
|
|
@@ -41,6 +41,7 @@
|
|
|
41
41
|
var lazyRequire = require("../lazy-require");
|
|
42
42
|
var requestHelpers = require("../request-helpers");
|
|
43
43
|
var validateOpts = require("../validate-opts");
|
|
44
|
+
var denyResponse = require("./deny-response").denyResponse;
|
|
44
45
|
var { defineClass } = require("../framework-error");
|
|
45
46
|
|
|
46
47
|
var HostAllowlistError = defineClass("HostAllowlistError", { alwaysPermanent: true });
|
|
@@ -102,6 +103,8 @@ function _matches(entry, actual) {
|
|
|
102
103
|
* denyStatus: number, // default 421
|
|
103
104
|
* denyBody: string,
|
|
104
105
|
* audit: boolean, // default true
|
|
106
|
+
* onDeny: function(req, res, info): void, // own the refusal; info = { status, reason, host }
|
|
107
|
+
* problemDetails: boolean, // default false — emit RFC 9457 application/problem+json instead of text/plain
|
|
105
108
|
* }
|
|
106
109
|
*
|
|
107
110
|
* @example
|
|
@@ -114,7 +117,7 @@ function _matches(entry, actual) {
|
|
|
114
117
|
function create(opts) {
|
|
115
118
|
validateOpts.requireObject(opts, "middleware.hostAllowlist", HostAllowlistError);
|
|
116
119
|
validateOpts(opts, [
|
|
117
|
-
"hosts", "denyStatus", "denyBody", "audit",
|
|
120
|
+
"hosts", "denyStatus", "denyBody", "audit", "onDeny", "problemDetails",
|
|
118
121
|
], "middleware.hostAllowlist");
|
|
119
122
|
|
|
120
123
|
if (!Array.isArray(opts.hosts) || opts.hosts.length === 0) {
|
|
@@ -134,6 +137,8 @@ function create(opts) {
|
|
|
134
137
|
var denyStatus = (typeof opts.denyStatus === "number") ? opts.denyStatus : 421; // HTTP 421 status
|
|
135
138
|
var denyBody = typeof opts.denyBody === "string" ? opts.denyBody : "Misdirected Request";
|
|
136
139
|
var auditOn = opts.audit !== false;
|
|
140
|
+
var onDeny = typeof opts.onDeny === "function" ? opts.onDeny : null;
|
|
141
|
+
var problemMode = opts.problemDetails === true;
|
|
137
142
|
|
|
138
143
|
return function hostAllowlistMiddleware(req, res, next) {
|
|
139
144
|
var raw = req.headers && req.headers.host;
|
|
@@ -141,7 +146,7 @@ function create(opts) {
|
|
|
141
146
|
// RFC 7230 §5.4 — a request without a Host header is malformed
|
|
142
147
|
// for HTTP/1.1; HTTP/2 maps :authority into req.headers.host
|
|
143
148
|
// automatically. Reject either shape.
|
|
144
|
-
_deny(res,
|
|
149
|
+
_deny(req, res, "missing-host", null);
|
|
145
150
|
_emitDenied(req, "missing-host");
|
|
146
151
|
return;
|
|
147
152
|
}
|
|
@@ -151,20 +156,26 @@ function create(opts) {
|
|
|
151
156
|
if (_matches(hosts[hi], actual)) { matched = true; break; }
|
|
152
157
|
}
|
|
153
158
|
if (!matched) {
|
|
154
|
-
_deny(res,
|
|
159
|
+
_deny(req, res, "host-not-in-allowlist", actual);
|
|
155
160
|
_emitDenied(req, "host-not-in-allowlist", actual);
|
|
156
161
|
return;
|
|
157
162
|
}
|
|
158
163
|
return next();
|
|
159
164
|
};
|
|
160
165
|
|
|
161
|
-
function _deny(res,
|
|
166
|
+
function _deny(req, res, reason, host) {
|
|
162
167
|
if (res.headersSent) return;
|
|
163
|
-
|
|
164
|
-
|
|
165
|
-
|
|
168
|
+
denyResponse(req, res, {
|
|
169
|
+
onDeny: onDeny,
|
|
170
|
+
problem: problemMode,
|
|
171
|
+
status: denyStatus,
|
|
172
|
+
info: { status: denyStatus, reason: reason, host: host },
|
|
173
|
+
problemCode: "misdirected-request",
|
|
174
|
+
problemTitle: "Misdirected Request",
|
|
175
|
+
problemDetail: "The request Host header is not served by this endpoint.",
|
|
176
|
+
contentType: "text/plain; charset=utf-8",
|
|
177
|
+
body: denyBody,
|
|
166
178
|
});
|
|
167
|
-
res.end(body);
|
|
168
179
|
}
|
|
169
180
|
|
|
170
181
|
function _emitDenied(req, reason, actual) {
|
|
@@ -53,6 +53,7 @@ var requireAal = require("./require-aal");
|
|
|
53
53
|
var requireAuth = require("./require-auth");
|
|
54
54
|
var requireContentType = require("./require-content-type");
|
|
55
55
|
var ageGate = require("./age-gate");
|
|
56
|
+
var requireBoundKey = require("./require-bound-key");
|
|
56
57
|
var requireMethods = require("./require-methods");
|
|
57
58
|
var requireMtls = require("./require-mtls");
|
|
58
59
|
var requireStepUp = require("./require-step-up");
|
|
@@ -85,6 +86,7 @@ module.exports = {
|
|
|
85
86
|
requireAuth: requireAuth.create,
|
|
86
87
|
requireContentType: requireContentType.create,
|
|
87
88
|
ageGate: ageGate.create,
|
|
89
|
+
requireBoundKey: requireBoundKey.create,
|
|
88
90
|
requireMethods: requireMethods.create,
|
|
89
91
|
requireMtls: requireMtls.create,
|
|
90
92
|
requireStepUp: requireStepUp.create,
|
|
@@ -145,6 +147,7 @@ module.exports = {
|
|
|
145
147
|
requireAuth: requireAuth,
|
|
146
148
|
requireContentType: requireContentType,
|
|
147
149
|
ageGate: ageGate,
|
|
150
|
+
requireBoundKey: requireBoundKey,
|
|
148
151
|
requireMethods: requireMethods,
|
|
149
152
|
requireMtls: requireMtls,
|
|
150
153
|
requireStepUp: requireStepUp,
|
|
@@ -48,6 +48,7 @@ var lazyRequire = require("../lazy-require");
|
|
|
48
48
|
var requestHelpers = require("../request-helpers");
|
|
49
49
|
var ssrfGuard = require("../ssrf-guard");
|
|
50
50
|
var validateOpts = require("../validate-opts");
|
|
51
|
+
var denyResponse = require("./deny-response").denyResponse;
|
|
51
52
|
var { defineClass } = require("../framework-error");
|
|
52
53
|
|
|
53
54
|
var audit = lazyRequire(function () { return require("../audit"); });
|
|
@@ -98,6 +99,8 @@ function _validateCidr(cidr) {
|
|
|
98
99
|
* denyStatus: number, // default 404
|
|
99
100
|
* denyBody: string, // default "Not Found"
|
|
100
101
|
* audit: object,
|
|
102
|
+
* onDeny: function(req, res, info): void, // own the refusal; info = { status, reason, clientIp, route }
|
|
103
|
+
* problemDetails: boolean, // default false — emit RFC 9457 application/problem+json instead of text/plain
|
|
101
104
|
* }
|
|
102
105
|
*
|
|
103
106
|
* @example
|
|
@@ -113,7 +116,7 @@ function create(opts) {
|
|
|
113
116
|
opts = opts || {};
|
|
114
117
|
validateOpts(opts, [
|
|
115
118
|
"paths", "allowedCidrs", "deniedCidrs", "trustProxy",
|
|
116
|
-
"denyStatus", "denyBody", "audit",
|
|
119
|
+
"denyStatus", "denyBody", "audit", "onDeny", "problemDetails",
|
|
117
120
|
], "middleware.networkAllowlist");
|
|
118
121
|
|
|
119
122
|
if (!Array.isArray(opts.paths) || opts.paths.length === 0) {
|
|
@@ -156,6 +159,23 @@ function create(opts) {
|
|
|
156
159
|
var denyBody = typeof opts.denyBody === "string" ? opts.denyBody : "Not Found";
|
|
157
160
|
var auditOn = opts.audit !== false && opts.audit != null;
|
|
158
161
|
var auditInstance = opts.audit === true ? null : opts.audit; // null → use lazy-required default
|
|
162
|
+
var onDeny = typeof opts.onDeny === "function" ? opts.onDeny : null;
|
|
163
|
+
var problemMode = opts.problemDetails === true;
|
|
164
|
+
|
|
165
|
+
function _deny(req, res, ip, route) {
|
|
166
|
+
_emitDeny(req, ip, route);
|
|
167
|
+
denyResponse(req, res, {
|
|
168
|
+
onDeny: onDeny,
|
|
169
|
+
problem: problemMode,
|
|
170
|
+
status: denyStatus,
|
|
171
|
+
info: { status: denyStatus, reason: "ip-not-in-allowlist", clientIp: ip, route: route },
|
|
172
|
+
problemCode: "network-gate-denied",
|
|
173
|
+
problemTitle: denyBody,
|
|
174
|
+
problemDetail: "Access to this resource is restricted by network policy.",
|
|
175
|
+
contentType: "text/plain",
|
|
176
|
+
body: denyBody,
|
|
177
|
+
});
|
|
178
|
+
}
|
|
159
179
|
|
|
160
180
|
function _emitDeny(req, ip, route) {
|
|
161
181
|
if (!auditOn) return;
|
|
@@ -196,9 +216,7 @@ function create(opts) {
|
|
|
196
216
|
if (!ip) {
|
|
197
217
|
// Fail closed: a request we can't even derive an IP for shouldn't
|
|
198
218
|
// bypass the gate.
|
|
199
|
-
|
|
200
|
-
res.writeHead(denyStatus, { "Content-Type": "text/plain" });
|
|
201
|
-
res.end(denyBody);
|
|
219
|
+
_deny(req, res, "<unknown>", pathname);
|
|
202
220
|
return;
|
|
203
221
|
}
|
|
204
222
|
|
|
@@ -208,9 +226,7 @@ function create(opts) {
|
|
|
208
226
|
for (var dii = 0; dii < deniedCidrs.length; dii++) {
|
|
209
227
|
try {
|
|
210
228
|
if (ssrfGuard.cidrContains(deniedCidrs[dii], ip)) {
|
|
211
|
-
|
|
212
|
-
res.writeHead(denyStatus, { "Content-Type": "text/plain" });
|
|
213
|
-
res.end(denyBody);
|
|
229
|
+
_deny(req, res, ip, pathname);
|
|
214
230
|
return;
|
|
215
231
|
}
|
|
216
232
|
} catch (_e) { /* skip malformed at runtime — caught at config */ }
|
|
@@ -222,9 +238,7 @@ function create(opts) {
|
|
|
222
238
|
} catch (_e) { /* skip malformed at runtime — caught at config */ }
|
|
223
239
|
}
|
|
224
240
|
if (!allowed) {
|
|
225
|
-
|
|
226
|
-
res.writeHead(denyStatus, { "Content-Type": "text/plain" });
|
|
227
|
-
res.end(denyBody);
|
|
241
|
+
_deny(req, res, ip, pathname);
|
|
228
242
|
return;
|
|
229
243
|
}
|
|
230
244
|
return next();
|
|
@@ -62,6 +62,7 @@ var requestHelpers = require("../request-helpers");
|
|
|
62
62
|
var safeAsync = require("../safe-async");
|
|
63
63
|
var validateOpts = require("../validate-opts");
|
|
64
64
|
var clusterStorage = require("../cluster-storage");
|
|
65
|
+
var denyResponse = require("./deny-response").denyResponse;
|
|
65
66
|
|
|
66
67
|
var audit = lazyRequire(function () { return require("../audit"); });
|
|
67
68
|
var logger = lazyRequire(function () { return require("../log").boot("rate-limit"); });
|
|
@@ -363,6 +364,8 @@ function _resolveBackend(opts) {
|
|
|
363
364
|
* keyFn: function(req): string,
|
|
364
365
|
* statusOnLimit: number, // default 429
|
|
365
366
|
* bodyOnLimit: string, // default "Too Many Requests"
|
|
367
|
+
* onDeny: function(req, res, info): void, // own the refusal response; info = { status, reason, limit, remaining, retryAfter, key }
|
|
368
|
+
* problemDetails: boolean, // default false — emit RFC 9457 application/problem+json instead of text/plain
|
|
366
369
|
* header: boolean, // default true
|
|
367
370
|
* headerPrefix: string, // default "X-RateLimit-" — builds <prefix>Limit / <prefix>Remaining (e.g. "RateLimit-" for the IETF draft names)
|
|
368
371
|
* skipPaths: Array<string|RegExp>,
|
|
@@ -391,7 +394,8 @@ function _resolveBackend(opts) {
|
|
|
391
394
|
function create(opts) {
|
|
392
395
|
opts = opts || {};
|
|
393
396
|
validateOpts(opts, [
|
|
394
|
-
"keyFn", "statusOnLimit", "bodyOnLimit", "
|
|
397
|
+
"keyFn", "statusOnLimit", "bodyOnLimit", "onDeny", "problemDetails",
|
|
398
|
+
"header", "headerPrefix", "skipPaths", "scope",
|
|
395
399
|
"backend", "trustProxy", "algorithm",
|
|
396
400
|
// memory backend (token-bucket)
|
|
397
401
|
"burst", "refillPerSecond",
|
|
@@ -404,6 +408,8 @@ function create(opts) {
|
|
|
404
408
|
var keyFn = opts.keyFn || _clientIp;
|
|
405
409
|
var statusOnLimit = opts.statusOnLimit || 429;
|
|
406
410
|
var bodyOnLimit = opts.bodyOnLimit !== undefined ? opts.bodyOnLimit : "Too Many Requests";
|
|
411
|
+
var onDeny = typeof opts.onDeny === "function" ? opts.onDeny : null;
|
|
412
|
+
var problemMode = opts.problemDetails === true;
|
|
407
413
|
var emitHeaders = opts.header !== false;
|
|
408
414
|
// headerPrefix (default "X-RateLimit-") builds the limit/remaining header
|
|
409
415
|
// names as <prefix>Limit / <prefix>Remaining. The X-RateLimit-* family is a
|
|
@@ -455,10 +461,21 @@ function create(opts) {
|
|
|
455
461
|
requestId: req.requestId,
|
|
456
462
|
});
|
|
457
463
|
} catch (_e) { /* audit best-effort */ }
|
|
458
|
-
|
|
459
|
-
|
|
460
|
-
|
|
461
|
-
|
|
464
|
+
var retryAfter = verdict.retryAfter > 0 ? verdict.retryAfter : null;
|
|
465
|
+
denyResponse(req, res, {
|
|
466
|
+
onDeny: onDeny,
|
|
467
|
+
problem: problemMode,
|
|
468
|
+
status: statusOnLimit,
|
|
469
|
+
info: { status: statusOnLimit, reason: "rate-limit-exceeded",
|
|
470
|
+
limit: verdict.limit, remaining: verdict.remaining,
|
|
471
|
+
retryAfter: verdict.retryAfter, key: k },
|
|
472
|
+
problemCode: "rate-limit-exceeded",
|
|
473
|
+
problemTitle: "Too Many Requests",
|
|
474
|
+
problemDetail: "Request rate limit exceeded; retry after the indicated interval.",
|
|
475
|
+
problemExt: retryAfter !== null ? { retryAfter: retryAfter } : null,
|
|
476
|
+
contentType: "text/plain",
|
|
477
|
+
body: bodyOnLimit,
|
|
478
|
+
});
|
|
462
479
|
}
|
|
463
480
|
|
|
464
481
|
var middleware = function rateLimit(req, res, next) {
|
|
@@ -21,12 +21,13 @@
|
|
|
21
21
|
var lazyRequire = require("../lazy-require");
|
|
22
22
|
var requestHelpers = require("../request-helpers");
|
|
23
23
|
var validateOpts = require("../validate-opts");
|
|
24
|
+
var denyResponse = require("./deny-response").denyResponse;
|
|
24
25
|
var { AuthError } = require("../framework-error");
|
|
25
26
|
|
|
26
27
|
var aal = lazyRequire(function () { return require("../auth/aal"); });
|
|
27
28
|
var audit = lazyRequire(function () { return require("../audit"); });
|
|
28
29
|
|
|
29
|
-
function _writeUnauthorized(res, requiredBand, actualBand, realm) {
|
|
30
|
+
function _writeUnauthorized(req, res, requiredBand, actualBand, realm, onDeny, problemMode) {
|
|
30
31
|
if (res.headersSent) return;
|
|
31
32
|
var body = JSON.stringify({
|
|
32
33
|
error: "step_up_required",
|
|
@@ -36,14 +37,24 @@ function _writeUnauthorized(res, requiredBand, actualBand, realm) {
|
|
|
36
37
|
});
|
|
37
38
|
var realmStr = realm ? ' realm="' + realm + '"' : "";
|
|
38
39
|
var challenge = "AAL-StepUp" + realmStr + ', required="' + requiredBand + '"';
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
|
|
40
|
+
denyResponse(req, res, {
|
|
41
|
+
onDeny: onDeny,
|
|
42
|
+
problem: problemMode,
|
|
43
|
+
status: 401, // HTTP 401 status
|
|
44
|
+
info: { status: 401, reason: "step_up_required",
|
|
45
|
+
required_aal: requiredBand, actual_aal: actualBand || null },
|
|
46
|
+
problemCode: "step-up-required",
|
|
47
|
+
problemTitle: "Step-Up Authentication Required",
|
|
48
|
+
problemDetail: "AAL " + requiredBand + " is required for this resource.",
|
|
49
|
+
problemExt: { required_aal: requiredBand, actual_aal: actualBand || null },
|
|
50
|
+
headers: {
|
|
51
|
+
"WWW-Authenticate": challenge,
|
|
52
|
+
// RFC 9111 §5.2.2.5 — auth-gated 401 must not be cached.
|
|
53
|
+
"Cache-Control": "no-store",
|
|
54
|
+
},
|
|
55
|
+
contentType: "application/json; charset=utf-8",
|
|
56
|
+
body: body,
|
|
45
57
|
});
|
|
46
|
-
res.end(body);
|
|
47
58
|
}
|
|
48
59
|
|
|
49
60
|
/**
|
|
@@ -68,6 +79,8 @@ function _writeUnauthorized(res, requiredBand, actualBand, realm) {
|
|
|
68
79
|
* getAal: function(req): string,
|
|
69
80
|
* realm: string,
|
|
70
81
|
* audit: boolean, // default true
|
|
82
|
+
* onDeny: function(req, res, info): void, // own the 401; info = { status, reason, required_aal, actual_aal }
|
|
83
|
+
* problemDetails: boolean, // default false — emit RFC 9457 application/problem+json instead of the default JSON envelope
|
|
71
84
|
* }
|
|
72
85
|
*
|
|
73
86
|
* @example
|
|
@@ -78,7 +91,7 @@ function _writeUnauthorized(res, requiredBand, actualBand, realm) {
|
|
|
78
91
|
function create(opts) {
|
|
79
92
|
opts = opts || {};
|
|
80
93
|
validateOpts(opts, [
|
|
81
|
-
"minimum", "getAal", "audit", "realm",
|
|
94
|
+
"minimum", "getAal", "audit", "realm", "onDeny", "problemDetails",
|
|
82
95
|
], "middleware.requireAal");
|
|
83
96
|
|
|
84
97
|
var minimum = opts.minimum;
|
|
@@ -92,6 +105,8 @@ function create(opts) {
|
|
|
92
105
|
|
|
93
106
|
var auditOn = opts.audit !== false;
|
|
94
107
|
var realm = (typeof opts.realm === "string" && opts.realm.length > 0) ? opts.realm : null;
|
|
108
|
+
var onDeny = typeof opts.onDeny === "function" ? opts.onDeny : null;
|
|
109
|
+
var problemMode = opts.problemDetails === true;
|
|
95
110
|
|
|
96
111
|
return function requireAalMiddleware(req, res, next) {
|
|
97
112
|
var actual = null;
|
|
@@ -116,7 +131,7 @@ function create(opts) {
|
|
|
116
131
|
});
|
|
117
132
|
} catch (_ignored) { /* drop-silent */ }
|
|
118
133
|
}
|
|
119
|
-
return _writeUnauthorized(res, minimum, actual, realm);
|
|
134
|
+
return _writeUnauthorized(req, res, minimum, actual, realm, onDeny, problemMode);
|
|
120
135
|
}
|
|
121
136
|
|
|
122
137
|
if (auditOn) {
|
|
@@ -39,6 +39,7 @@
|
|
|
39
39
|
var lazyRequire = require("../lazy-require");
|
|
40
40
|
var requestHelpers = require("../request-helpers");
|
|
41
41
|
var validateOpts = require("../validate-opts");
|
|
42
|
+
var denyResponse = require("./deny-response").denyResponse;
|
|
42
43
|
var audit = lazyRequire(function () { return require("../audit"); });
|
|
43
44
|
|
|
44
45
|
function _defaultPrefersJson(req) {
|
|
@@ -72,6 +73,8 @@ function _defaultPrefersJson(req) {
|
|
|
72
73
|
* prefersJson: function(req): boolean,
|
|
73
74
|
* errorMessage: string, // default "Authentication required."
|
|
74
75
|
* audit: boolean, // default true
|
|
76
|
+
* onDeny: function(req, res, info): void, // own any refusal shape; info = { status, reason, redirectTo }
|
|
77
|
+
* problemDetails: boolean, // default false — emit RFC 9457 application/problem+json for the 401 (redirect path unaffected)
|
|
75
78
|
* }
|
|
76
79
|
*
|
|
77
80
|
* @example
|
|
@@ -83,7 +86,7 @@ function _defaultPrefersJson(req) {
|
|
|
83
86
|
function create(opts) {
|
|
84
87
|
opts = opts || {};
|
|
85
88
|
validateOpts(opts, [
|
|
86
|
-
"redirectTo", "prefersJson", "errorMessage", "audit",
|
|
89
|
+
"redirectTo", "prefersJson", "errorMessage", "audit", "onDeny", "problemDetails",
|
|
87
90
|
], "middleware.requireAuth");
|
|
88
91
|
var redirectTo = opts.redirectTo || null;
|
|
89
92
|
var prefersJson = typeof opts.prefersJson === "function"
|
|
@@ -91,6 +94,8 @@ function create(opts) {
|
|
|
91
94
|
: _defaultPrefersJson;
|
|
92
95
|
var msg = opts.errorMessage || "Authentication required.";
|
|
93
96
|
var auditOn = opts.audit !== false;
|
|
97
|
+
var onDeny = typeof opts.onDeny === "function" ? opts.onDeny : null;
|
|
98
|
+
var problemMode = opts.problemDetails === true;
|
|
94
99
|
|
|
95
100
|
return function requireAuth(req, res, next) {
|
|
96
101
|
if (req.user) return next();
|
|
@@ -107,6 +112,18 @@ function create(opts) {
|
|
|
107
112
|
} catch (_e) { /* audit best-effort */ }
|
|
108
113
|
}
|
|
109
114
|
|
|
115
|
+
// Operator hook owns ANY refusal shape (json / redirect / text)
|
|
116
|
+
// before the default content-negotiation runs.
|
|
117
|
+
if (onDeny) {
|
|
118
|
+
try {
|
|
119
|
+
var returned = onDeny(req, res, { status: 401, reason: "no-authenticated-user", redirectTo: redirectTo });
|
|
120
|
+
if (res.writableEnded) return returned;
|
|
121
|
+
} catch (_e) {
|
|
122
|
+
if (res.writableEnded) return;
|
|
123
|
+
// fall through to default
|
|
124
|
+
}
|
|
125
|
+
}
|
|
126
|
+
|
|
110
127
|
// RFC 9111 §5.2.2.5 — auth-gated paths SHOULD emit
|
|
111
128
|
// Cache-Control: no-store so a shared cache (or browser
|
|
112
129
|
// back-button cache) can't replay a 401 / redirect / payload
|
|
@@ -115,27 +132,26 @@ function create(opts) {
|
|
|
115
132
|
// cache directive, leaving the operator to set it themselves;
|
|
116
133
|
// forgetting it under a CDN that respects Cache-Control was
|
|
117
134
|
// a routine misconfiguration.
|
|
118
|
-
|
|
119
|
-
|
|
120
|
-
|
|
121
|
-
{ "Content-Type": "application/json", "Cache-Control": "no-store" });
|
|
122
|
-
res.end(JSON.stringify({ error: msg }));
|
|
123
|
-
}
|
|
124
|
-
return;
|
|
125
|
-
}
|
|
126
|
-
if (redirectTo) {
|
|
127
|
-
if (typeof res.writeHead === "function") {
|
|
135
|
+
var wantsJson = prefersJson(req);
|
|
136
|
+
if (!wantsJson && redirectTo) {
|
|
137
|
+
if (!res.writableEnded && typeof res.writeHead === "function") {
|
|
128
138
|
// 302 Found — RFC 7231 §6.4.3. Not in HTTP_STATUS table.
|
|
129
139
|
res.writeHead(302, { "Location": redirectTo, "Cache-Control": "no-store" });
|
|
130
140
|
res.end();
|
|
131
141
|
}
|
|
132
142
|
return;
|
|
133
143
|
}
|
|
134
|
-
|
|
135
|
-
|
|
136
|
-
|
|
137
|
-
|
|
138
|
-
|
|
144
|
+
denyResponse(req, res, {
|
|
145
|
+
problem: problemMode,
|
|
146
|
+
status: requestHelpers.HTTP_STATUS.UNAUTHORIZED,
|
|
147
|
+
info: { status: 401, reason: "no-authenticated-user" },
|
|
148
|
+
problemCode: "authentication-required",
|
|
149
|
+
problemTitle: "Unauthorized",
|
|
150
|
+
problemDetail: msg,
|
|
151
|
+
headers: { "Cache-Control": "no-store" },
|
|
152
|
+
contentType: wantsJson ? "application/json" : "text/plain",
|
|
153
|
+
body: wantsJson ? JSON.stringify({ error: msg }) : msg,
|
|
154
|
+
});
|
|
139
155
|
};
|
|
140
156
|
}
|
|
141
157
|
|