@blamejs/blamejs-shop 0.4.56 → 0.4.57
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +2 -0
- package/lib/asset-manifest.json +1 -1
- package/lib/vendor/MANIFEST.json +426 -366
- package/lib/vendor/blamejs/.github/codeql/codeql-config.yml +25 -0
- package/lib/vendor/blamejs/.github/workflows/actions-lint.yml +3 -3
- package/lib/vendor/blamejs/.github/workflows/cflite_batch.yml +1 -1
- package/lib/vendor/blamejs/.github/workflows/cflite_pr.yml +1 -1
- package/lib/vendor/blamejs/.github/workflows/ci.yml +13 -13
- package/lib/vendor/blamejs/.github/workflows/codeql.yml +8 -7
- package/lib/vendor/blamejs/.github/workflows/npm-publish.yml +2 -2
- package/lib/vendor/blamejs/.github/workflows/release-container.yml +4 -4
- package/lib/vendor/blamejs/.github/workflows/scorecard.yml +1 -1
- package/lib/vendor/blamejs/.github/workflows/sha-to-tag-verify.yml +1 -1
- package/lib/vendor/blamejs/CHANGELOG.md +2 -0
- package/lib/vendor/blamejs/api-snapshot.json +1381 -4
- package/lib/vendor/blamejs/eslint.config.mjs +1 -0
- package/lib/vendor/blamejs/examples/wiki/lib/source-comment-block-validator.js +4 -1
- package/lib/vendor/blamejs/examples/wiki/lib/symbol-index.js +5 -2
- package/lib/vendor/blamejs/examples/wiki/routes/pages.js +4 -1
- package/lib/vendor/blamejs/fuzz/guard-text.fuzz.js +20 -0
- package/lib/vendor/blamejs/index.js +2 -0
- package/lib/vendor/blamejs/lib/a2a-tasks.js +7 -23
- package/lib/vendor/blamejs/lib/acme.js +6 -5
- package/lib/vendor/blamejs/lib/agent-event-bus.js +5 -4
- package/lib/vendor/blamejs/lib/agent-idempotency.js +2 -5
- package/lib/vendor/blamejs/lib/agent-orchestrator.js +2 -5
- package/lib/vendor/blamejs/lib/agent-saga.js +3 -5
- package/lib/vendor/blamejs/lib/agent-tenant.js +2 -5
- package/lib/vendor/blamejs/lib/ai-adverse-decision.js +2 -15
- package/lib/vendor/blamejs/lib/ai-capability.js +1 -6
- package/lib/vendor/blamejs/lib/ai-dp.js +1 -5
- package/lib/vendor/blamejs/lib/ai-input.js +2 -2
- package/lib/vendor/blamejs/lib/ai-pref.js +3 -8
- package/lib/vendor/blamejs/lib/ai-quota.js +3 -14
- package/lib/vendor/blamejs/lib/api-key.js +37 -28
- package/lib/vendor/blamejs/lib/archive-adapters.js +2 -4
- package/lib/vendor/blamejs/lib/archive-entry-policy.js +32 -0
- package/lib/vendor/blamejs/lib/archive-read.js +5 -17
- package/lib/vendor/blamejs/lib/archive-tar-read.js +5 -16
- package/lib/vendor/blamejs/lib/archive.js +2 -10
- package/lib/vendor/blamejs/lib/arg-parser.js +7 -6
- package/lib/vendor/blamejs/lib/asyncapi-traits.js +2 -6
- package/lib/vendor/blamejs/lib/atomic-file.js +108 -31
- package/lib/vendor/blamejs/lib/audit-chain.js +133 -53
- package/lib/vendor/blamejs/lib/audit-daily-review.js +24 -14
- package/lib/vendor/blamejs/lib/audit-emit.js +82 -0
- package/lib/vendor/blamejs/lib/audit-sign.js +257 -0
- package/lib/vendor/blamejs/lib/audit.js +84 -0
- package/lib/vendor/blamejs/lib/auth/access-lock.js +5 -27
- package/lib/vendor/blamejs/lib/auth/dpop.js +23 -35
- package/lib/vendor/blamejs/lib/auth/fido-mds3.js +9 -15
- package/lib/vendor/blamejs/lib/auth/jwt-external.js +26 -8
- package/lib/vendor/blamejs/lib/auth/jwt.js +13 -15
- package/lib/vendor/blamejs/lib/auth/lockout.js +6 -25
- package/lib/vendor/blamejs/lib/auth/oauth.js +67 -45
- package/lib/vendor/blamejs/lib/auth/oid4vci.js +55 -32
- package/lib/vendor/blamejs/lib/auth/oid4vp.js +3 -2
- package/lib/vendor/blamejs/lib/auth/openid-federation.js +6 -6
- package/lib/vendor/blamejs/lib/auth/passkey.js +3 -3
- package/lib/vendor/blamejs/lib/auth/password.js +7 -1
- package/lib/vendor/blamejs/lib/auth/saml.js +37 -27
- package/lib/vendor/blamejs/lib/auth/sd-jwt-vc-holder.js +2 -14
- package/lib/vendor/blamejs/lib/auth/sd-jwt-vc-issuer.js +2 -14
- package/lib/vendor/blamejs/lib/auth/sd-jwt-vc.js +1 -1
- package/lib/vendor/blamejs/lib/auth/status-list.js +7 -7
- package/lib/vendor/blamejs/lib/auth/step-up.js +6 -12
- package/lib/vendor/blamejs/lib/auth-bot-challenge.js +6 -37
- package/lib/vendor/blamejs/lib/backup/bundle.js +11 -18
- package/lib/vendor/blamejs/lib/backup/index.js +14 -47
- package/lib/vendor/blamejs/lib/bounded-map.js +112 -1
- package/lib/vendor/blamejs/lib/breach-deadline.js +1 -11
- package/lib/vendor/blamejs/lib/cache.js +7 -18
- package/lib/vendor/blamejs/lib/cbor.js +2 -1
- package/lib/vendor/blamejs/lib/cdn-cache-control.js +8 -9
- package/lib/vendor/blamejs/lib/cert.js +3 -10
- package/lib/vendor/blamejs/lib/chain-writer.js +162 -47
- package/lib/vendor/blamejs/lib/cli.js +5 -1
- package/lib/vendor/blamejs/lib/client-hints.js +7 -9
- package/lib/vendor/blamejs/lib/cloud-events.js +40 -31
- package/lib/vendor/blamejs/lib/cluster-storage.js +2 -38
- package/lib/vendor/blamejs/lib/cms-codec.js +2 -1
- package/lib/vendor/blamejs/lib/codepoint-class.js +67 -1
- package/lib/vendor/blamejs/lib/compliance-ai-act-logging.js +1 -6
- package/lib/vendor/blamejs/lib/compliance-ai-act-transparency.js +2 -4
- package/lib/vendor/blamejs/lib/compliance-eaa.js +1 -11
- package/lib/vendor/blamejs/lib/compliance-sanctions-fetcher.js +21 -28
- package/lib/vendor/blamejs/lib/compliance-sanctions.js +2 -14
- package/lib/vendor/blamejs/lib/compliance.js +2 -9
- package/lib/vendor/blamejs/lib/config-drift.js +2 -12
- package/lib/vendor/blamejs/lib/content-digest.js +10 -8
- package/lib/vendor/blamejs/lib/cookies.js +5 -11
- package/lib/vendor/blamejs/lib/cose.js +19 -11
- package/lib/vendor/blamejs/lib/cra-report.js +1 -11
- package/lib/vendor/blamejs/lib/crypto-field.js +5 -10
- package/lib/vendor/blamejs/lib/crypto.js +120 -3
- package/lib/vendor/blamejs/lib/csp.js +235 -3
- package/lib/vendor/blamejs/lib/daemon.js +42 -41
- package/lib/vendor/blamejs/lib/data-act.js +19 -9
- package/lib/vendor/blamejs/lib/db-query.js +6 -40
- package/lib/vendor/blamejs/lib/db.js +34 -12
- package/lib/vendor/blamejs/lib/dbsc.js +5 -6
- package/lib/vendor/blamejs/lib/ddl-change-control.js +18 -14
- package/lib/vendor/blamejs/lib/deprecate.js +4 -5
- package/lib/vendor/blamejs/lib/did.js +6 -2
- package/lib/vendor/blamejs/lib/dsr.js +8 -12
- package/lib/vendor/blamejs/lib/external-db-migrate.js +21 -22
- package/lib/vendor/blamejs/lib/external-db.js +14 -26
- package/lib/vendor/blamejs/lib/fda-21cfr11.js +12 -8
- package/lib/vendor/blamejs/lib/fdx.js +22 -18
- package/lib/vendor/blamejs/lib/file-upload.js +80 -66
- package/lib/vendor/blamejs/lib/flag-evaluation-context.js +5 -8
- package/lib/vendor/blamejs/lib/framework-error.js +12 -0
- package/lib/vendor/blamejs/lib/framework-schema.js +19 -0
- package/lib/vendor/blamejs/lib/fsm.js +7 -12
- package/lib/vendor/blamejs/lib/gate-contract.js +869 -38
- package/lib/vendor/blamejs/lib/gdpr-ropa.js +4 -13
- package/lib/vendor/blamejs/lib/graphql-federation.js +1 -1
- package/lib/vendor/blamejs/lib/guard-agent-registry.js +2 -1
- package/lib/vendor/blamejs/lib/guard-all.js +1 -0
- package/lib/vendor/blamejs/lib/guard-archive.js +9 -30
- package/lib/vendor/blamejs/lib/guard-auth.js +23 -80
- package/lib/vendor/blamejs/lib/guard-cidr.js +20 -96
- package/lib/vendor/blamejs/lib/guard-csv.js +135 -196
- package/lib/vendor/blamejs/lib/guard-domain.js +23 -106
- package/lib/vendor/blamejs/lib/guard-dsn.js +16 -13
- package/lib/vendor/blamejs/lib/guard-email.js +46 -53
- package/lib/vendor/blamejs/lib/guard-envelope.js +1 -1
- package/lib/vendor/blamejs/lib/guard-event-bus-topic.js +2 -1
- package/lib/vendor/blamejs/lib/guard-filename.js +12 -60
- package/lib/vendor/blamejs/lib/guard-graphql.js +28 -75
- package/lib/vendor/blamejs/lib/guard-html-wcag.js +15 -2
- package/lib/vendor/blamejs/lib/guard-html.js +65 -117
- package/lib/vendor/blamejs/lib/guard-idempotency-key.js +2 -1
- package/lib/vendor/blamejs/lib/guard-image.js +280 -77
- package/lib/vendor/blamejs/lib/guard-imap-command.js +8 -9
- package/lib/vendor/blamejs/lib/guard-json.js +87 -103
- package/lib/vendor/blamejs/lib/guard-jsonpath.js +20 -88
- package/lib/vendor/blamejs/lib/guard-jwt.js +32 -114
- package/lib/vendor/blamejs/lib/guard-list-id.js +2 -7
- package/lib/vendor/blamejs/lib/guard-list-unsubscribe.js +2 -7
- package/lib/vendor/blamejs/lib/guard-mail-compose.js +5 -6
- package/lib/vendor/blamejs/lib/guard-mail-move.js +2 -1
- package/lib/vendor/blamejs/lib/guard-mail-query.js +5 -3
- package/lib/vendor/blamejs/lib/guard-mail-sieve.js +6 -7
- package/lib/vendor/blamejs/lib/guard-managesieve-command.js +5 -4
- package/lib/vendor/blamejs/lib/guard-markdown.js +76 -110
- package/lib/vendor/blamejs/lib/guard-message-id.js +5 -6
- package/lib/vendor/blamejs/lib/guard-mime.js +20 -99
- package/lib/vendor/blamejs/lib/guard-oauth.js +19 -73
- package/lib/vendor/blamejs/lib/guard-pdf.js +65 -72
- package/lib/vendor/blamejs/lib/guard-pop3-command.js +12 -13
- package/lib/vendor/blamejs/lib/guard-posture-chain.js +2 -1
- package/lib/vendor/blamejs/lib/guard-regex.js +24 -99
- package/lib/vendor/blamejs/lib/guard-saga-config.js +2 -1
- package/lib/vendor/blamejs/lib/guard-shell.js +22 -87
- package/lib/vendor/blamejs/lib/guard-smtp-command.js +8 -11
- package/lib/vendor/blamejs/lib/guard-sql.js +15 -13
- package/lib/vendor/blamejs/lib/guard-stream-args.js +2 -1
- package/lib/vendor/blamejs/lib/guard-svg.js +95 -140
- package/lib/vendor/blamejs/lib/guard-template.js +23 -80
- package/lib/vendor/blamejs/lib/guard-tenant-id.js +2 -1
- package/lib/vendor/blamejs/lib/guard-text.js +592 -0
- package/lib/vendor/blamejs/lib/guard-time.js +27 -95
- package/lib/vendor/blamejs/lib/guard-uuid.js +21 -93
- package/lib/vendor/blamejs/lib/guard-xml.js +76 -106
- package/lib/vendor/blamejs/lib/guard-yaml.js +24 -60
- package/lib/vendor/blamejs/lib/http-client-cache.js +5 -12
- package/lib/vendor/blamejs/lib/http-client-cookie-jar.js +2 -4
- package/lib/vendor/blamejs/lib/http-client.js +8 -21
- package/lib/vendor/blamejs/lib/http-message-signature.js +3 -2
- package/lib/vendor/blamejs/lib/i18n-messageformat.js +5 -7
- package/lib/vendor/blamejs/lib/i18n.js +83 -26
- package/lib/vendor/blamejs/lib/inbox.js +8 -8
- package/lib/vendor/blamejs/lib/incident-report.js +3 -21
- package/lib/vendor/blamejs/lib/ip-utils.js +49 -6
- package/lib/vendor/blamejs/lib/jobs.js +3 -2
- package/lib/vendor/blamejs/lib/keychain.js +6 -18
- package/lib/vendor/blamejs/lib/legal-hold.js +6 -15
- package/lib/vendor/blamejs/lib/log-stream-cloudwatch.js +44 -112
- package/lib/vendor/blamejs/lib/log-stream-otlp-grpc.js +17 -14
- package/lib/vendor/blamejs/lib/log-stream-otlp.js +16 -80
- package/lib/vendor/blamejs/lib/log-stream-webhook.js +20 -92
- package/lib/vendor/blamejs/lib/mail-arc-sign.js +8 -3
- package/lib/vendor/blamejs/lib/mail-arf.js +3 -2
- package/lib/vendor/blamejs/lib/mail-auth.js +40 -66
- package/lib/vendor/blamejs/lib/mail-bimi.js +19 -39
- package/lib/vendor/blamejs/lib/mail-crypto-pgp.js +3 -2
- package/lib/vendor/blamejs/lib/mail-dav.js +8 -35
- package/lib/vendor/blamejs/lib/mail-deploy.js +6 -9
- package/lib/vendor/blamejs/lib/mail-dkim.js +19 -38
- package/lib/vendor/blamejs/lib/mail-greylist.js +15 -26
- package/lib/vendor/blamejs/lib/mail-helo.js +2 -3
- package/lib/vendor/blamejs/lib/mail-journal.js +2 -1
- package/lib/vendor/blamejs/lib/mail-mdn.js +4 -3
- package/lib/vendor/blamejs/lib/mail-rbl.js +5 -8
- package/lib/vendor/blamejs/lib/mail-scan.js +2 -2
- package/lib/vendor/blamejs/lib/mail-send-deliver.js +33 -20
- package/lib/vendor/blamejs/lib/mail-server-imap.js +32 -87
- package/lib/vendor/blamejs/lib/mail-server-jmap.js +35 -51
- package/lib/vendor/blamejs/lib/mail-server-managesieve.js +29 -83
- package/lib/vendor/blamejs/lib/mail-server-mx.js +33 -74
- package/lib/vendor/blamejs/lib/mail-server-net.js +177 -0
- package/lib/vendor/blamejs/lib/mail-server-pop3.js +30 -83
- package/lib/vendor/blamejs/lib/mail-server-rate-limit.js +30 -6
- package/lib/vendor/blamejs/lib/mail-server-submission.js +34 -73
- package/lib/vendor/blamejs/lib/mail-server-tls.js +89 -0
- package/lib/vendor/blamejs/lib/mail-spam-score.js +7 -8
- package/lib/vendor/blamejs/lib/mail-store.js +3 -2
- package/lib/vendor/blamejs/lib/mail.js +6 -11
- package/lib/vendor/blamejs/lib/markup-escape.js +31 -0
- package/lib/vendor/blamejs/lib/markup-tokenizer.js +54 -0
- package/lib/vendor/blamejs/lib/mcp-tool-registry.js +26 -23
- package/lib/vendor/blamejs/lib/mcp.js +1 -1
- package/lib/vendor/blamejs/lib/mdoc.js +11 -12
- package/lib/vendor/blamejs/lib/metrics.js +32 -30
- package/lib/vendor/blamejs/lib/middleware/age-gate.js +3 -23
- package/lib/vendor/blamejs/lib/middleware/api-encrypt.js +11 -22
- package/lib/vendor/blamejs/lib/middleware/assetlinks.js +2 -7
- package/lib/vendor/blamejs/lib/middleware/bearer-auth.js +2 -1
- package/lib/vendor/blamejs/lib/middleware/body-parser.js +31 -48
- package/lib/vendor/blamejs/lib/middleware/bot-disclose.js +7 -10
- package/lib/vendor/blamejs/lib/middleware/bot-guard.js +2 -10
- package/lib/vendor/blamejs/lib/middleware/csrf-protect.js +13 -2
- package/lib/vendor/blamejs/lib/middleware/daily-byte-quota.js +6 -26
- package/lib/vendor/blamejs/lib/middleware/deny-response.js +19 -1
- package/lib/vendor/blamejs/lib/middleware/fetch-metadata.js +7 -0
- package/lib/vendor/blamejs/lib/middleware/idempotency-key.js +4 -20
- package/lib/vendor/blamejs/lib/middleware/rate-limit.js +20 -28
- package/lib/vendor/blamejs/lib/middleware/scim-server.js +3 -2
- package/lib/vendor/blamejs/lib/middleware/security-headers.js +9 -1
- package/lib/vendor/blamejs/lib/middleware/security-txt.js +2 -6
- package/lib/vendor/blamejs/lib/middleware/tus-upload.js +12 -27
- package/lib/vendor/blamejs/lib/middleware/web-app-manifest.js +2 -7
- package/lib/vendor/blamejs/lib/migrations.js +4 -13
- package/lib/vendor/blamejs/lib/mime-parse.js +34 -17
- package/lib/vendor/blamejs/lib/module-loader.js +44 -0
- package/lib/vendor/blamejs/lib/money.js +105 -0
- package/lib/vendor/blamejs/lib/mtls-ca.js +116 -36
- package/lib/vendor/blamejs/lib/network-byte-quota.js +4 -18
- package/lib/vendor/blamejs/lib/network-dane.js +8 -6
- package/lib/vendor/blamejs/lib/network-dns-resolver.js +97 -6
- package/lib/vendor/blamejs/lib/network-dnssec.js +16 -16
- package/lib/vendor/blamejs/lib/network-heartbeat.js +3 -2
- package/lib/vendor/blamejs/lib/network-smtp-policy.js +29 -41
- package/lib/vendor/blamejs/lib/network-tls.js +40 -42
- package/lib/vendor/blamejs/lib/nis2-report.js +1 -11
- package/lib/vendor/blamejs/lib/nonce-store.js +81 -3
- package/lib/vendor/blamejs/lib/numeric-bounds.js +22 -8
- package/lib/vendor/blamejs/lib/object-store/azure-blob-bucket-ops.js +2 -6
- package/lib/vendor/blamejs/lib/object-store/azure-blob.js +5 -45
- package/lib/vendor/blamejs/lib/object-store/gcs.js +8 -71
- package/lib/vendor/blamejs/lib/object-store/http-put.js +1 -5
- package/lib/vendor/blamejs/lib/object-store/http-request.js +128 -0
- package/lib/vendor/blamejs/lib/object-store/sigv4-bucket-ops.js +2 -1
- package/lib/vendor/blamejs/lib/object-store/sigv4.js +9 -77
- package/lib/vendor/blamejs/lib/observability-otlp-exporter.js +9 -25
- package/lib/vendor/blamejs/lib/observability.js +95 -0
- package/lib/vendor/blamejs/lib/openapi-paths-builder.js +7 -3
- package/lib/vendor/blamejs/lib/otel-export.js +7 -10
- package/lib/vendor/blamejs/lib/outbox.js +43 -37
- package/lib/vendor/blamejs/lib/pagination.js +11 -15
- package/lib/vendor/blamejs/lib/parsers/safe-env.js +5 -4
- package/lib/vendor/blamejs/lib/parsers/safe-ini.js +10 -4
- package/lib/vendor/blamejs/lib/parsers/safe-toml.js +11 -9
- package/lib/vendor/blamejs/lib/parsers/safe-xml.js +2 -2
- package/lib/vendor/blamejs/lib/parsers/safe-yaml.js +7 -6
- package/lib/vendor/blamejs/lib/pick.js +63 -5
- package/lib/vendor/blamejs/lib/pipl-cn.js +69 -59
- package/lib/vendor/blamejs/lib/privacy-pass.js +8 -6
- package/lib/vendor/blamejs/lib/problem-details.js +2 -5
- package/lib/vendor/blamejs/lib/pubsub.js +4 -8
- package/lib/vendor/blamejs/lib/redact.js +2 -1
- package/lib/vendor/blamejs/lib/render.js +4 -2
- package/lib/vendor/blamejs/lib/request-helpers.js +133 -6
- package/lib/vendor/blamejs/lib/restore.js +5 -22
- package/lib/vendor/blamejs/lib/retention.js +3 -5
- package/lib/vendor/blamejs/lib/safe-async.js +457 -0
- package/lib/vendor/blamejs/lib/safe-buffer.js +137 -6
- package/lib/vendor/blamejs/lib/safe-decompress.js +2 -1
- package/lib/vendor/blamejs/lib/safe-dns.js +2 -1
- package/lib/vendor/blamejs/lib/safe-ical.js +12 -26
- package/lib/vendor/blamejs/lib/safe-json.js +7 -8
- package/lib/vendor/blamejs/lib/safe-jsonpath.js +6 -5
- package/lib/vendor/blamejs/lib/safe-mime.js +25 -29
- package/lib/vendor/blamejs/lib/safe-redirect.js +2 -5
- package/lib/vendor/blamejs/lib/safe-schema.js +7 -6
- package/lib/vendor/blamejs/lib/safe-sql.js +126 -0
- package/lib/vendor/blamejs/lib/safe-vcard.js +12 -26
- package/lib/vendor/blamejs/lib/sandbox-worker.js +9 -2
- package/lib/vendor/blamejs/lib/sandbox.js +3 -2
- package/lib/vendor/blamejs/lib/scheduler.js +5 -12
- package/lib/vendor/blamejs/lib/sec-cyber.js +82 -37
- package/lib/vendor/blamejs/lib/seeders.js +4 -11
- package/lib/vendor/blamejs/lib/self-update.js +92 -69
- package/lib/vendor/blamejs/lib/session-device-binding.js +112 -66
- package/lib/vendor/blamejs/lib/session.js +194 -6
- package/lib/vendor/blamejs/lib/sql.js +225 -78
- package/lib/vendor/blamejs/lib/sse.js +6 -10
- package/lib/vendor/blamejs/lib/static.js +136 -98
- package/lib/vendor/blamejs/lib/storage.js +4 -2
- package/lib/vendor/blamejs/lib/structured-fields.js +275 -16
- package/lib/vendor/blamejs/lib/tenant-quota.js +2 -20
- package/lib/vendor/blamejs/lib/tsa.js +11 -15
- package/lib/vendor/blamejs/lib/validate-opts.js +154 -8
- package/lib/vendor/blamejs/lib/vault/seal-pem-file.js +30 -48
- package/lib/vendor/blamejs/lib/vault-aad.js +3 -2
- package/lib/vendor/blamejs/lib/vc.js +2 -7
- package/lib/vendor/blamejs/lib/vex.js +35 -13
- package/lib/vendor/blamejs/lib/web-push-vapid.js +23 -20
- package/lib/vendor/blamejs/lib/webhook-dispatcher.js +706 -0
- package/lib/vendor/blamejs/lib/webhook.js +43 -18
- package/lib/vendor/blamejs/lib/websocket-channels.js +9 -7
- package/lib/vendor/blamejs/lib/websocket.js +7 -3
- package/lib/vendor/blamejs/lib/worm.js +2 -3
- package/lib/vendor/blamejs/lib/ws-client.js +8 -10
- package/lib/vendor/blamejs/package.json +1 -1
- package/lib/vendor/blamejs/release-notes/v0.15.13.json +81 -0
- package/lib/vendor/blamejs/scripts/check-changelog-extract.js +1 -1
- package/lib/vendor/blamejs/test/00-primitives.js +136 -7
- package/lib/vendor/blamejs/test/10-state.js +9 -3
- package/lib/vendor/blamejs/test/30-chain.js +40 -0
- package/lib/vendor/blamejs/test/helpers/check.js +18 -0
- package/lib/vendor/blamejs/test/helpers/db.js +4 -0
- package/lib/vendor/blamejs/test/helpers/index.js +1 -0
- package/lib/vendor/blamejs/test/integration/audit-chain-external-db.test.js +2 -1
- package/lib/vendor/blamejs/test/integration/audit-stack-postgres.test.js +2 -1
- package/lib/vendor/blamejs/test/integration/data-layer-mysql.test.js +8 -1
- package/lib/vendor/blamejs/test/integration/data-layer-pg.test.js +1 -1
- package/lib/vendor/blamejs/test/integration/framework-schema-mysql.test.js +2 -1
- package/lib/vendor/blamejs/test/integration/webhook-dispatcher-pg.test.js +269 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-fd-read.test.js +149 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/audit-framework-namespaces.test.js +51 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/audit-sign-anchor.test.js +88 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/audit-use-store.test.js +55 -1
- package/lib/vendor/blamejs/test/layer-0-primitives/backup-object-store-adapter.test.js +2 -2
- package/lib/vendor/blamejs/test/layer-0-primitives/bot-guard.test.js +1 -1
- package/lib/vendor/blamejs/test/layer-0-primitives/bounded-map.test.js +129 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/chain-writer-multichain.test.js +107 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/cli-api-key.test.js +12 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/codebase-patterns.test.js +2788 -3214
- package/lib/vendor/blamejs/test/layer-0-primitives/codepoint-class.test.js +78 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/crypto-base64url.test.js +63 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/crypto-hash-stream.test.js +2 -1
- package/lib/vendor/blamejs/test/layer-0-primitives/csp-builder.test.js +50 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/csp-nonce.test.js +1 -1
- package/lib/vendor/blamejs/test/layer-0-primitives/daemon.test.js +2 -1
- package/lib/vendor/blamejs/test/layer-0-primitives/defineguard-resolve-opts.test.js +76 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/flag.test.js +9 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/gate-contract-content-gate.test.js +290 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-csv.test.js +84 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-email.test.js +78 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-filename.test.js +23 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-gate-disposition-coverage.test.js +93 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-html.test.js +60 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-image.test.js +184 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-imap-command.test.js +0 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-json.test.js +54 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-managesieve-command.test.js +10 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-markdown.test.js +45 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-pdf.test.js +101 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-pop3-command.test.js +18 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-svg.test.js +76 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-text.test.js +365 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-xml.test.js +35 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-yaml.test.js +36 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/i18n.test.js +20 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/inbox.test.js +15 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/ip-utils.test.js +83 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-arf.test.js +10 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-auth.test.js +39 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-dkim.test.js +36 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-greylist.test.js +17 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-server-tls.test.js +39 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-store.test.js +17 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mime-parse.test.js +106 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/money.test.js +17 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mtls-ca-revocation.test.js +98 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/nonce-store-release.test.js +77 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/observability.test.js +48 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/rate-limit-memory-getorinsert.test.js +100 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/request-helpers.test.js +88 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/safe-async-loops.test.js +278 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/safe-buffer-linear-scans.test.js +37 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/safe-jsonpath.test.js +14 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/sandbox.test.js +19 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/security-headers.test.js +1 -1
- package/lib/vendor/blamejs/test/layer-0-primitives/self-update.test.js +2 -1
- package/lib/vendor/blamejs/test/layer-0-primitives/session-device-binding.test.js +18 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/session-extensions.test.js +1 -1
- package/lib/vendor/blamejs/test/layer-0-primitives/session-valid-from.test.js +73 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/sql.test.js +100 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/structured-fields.test.js +80 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/validate-opts-shape.test.js +235 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/webhook-dispatcher.test.js +374 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/webhook.test.js +75 -8
- package/lib/vendor/blamejs/test/layer-5-integration/guard-host-integration.test.js +3 -3
- package/package.json +1 -1
|
@@ -117,7 +117,16 @@ function _b64urlDecode(s) {
|
|
|
117
117
|
// supplied alg the key can't actually produce.
|
|
118
118
|
var _EC_CURVE_ALG = { prime256v1: "ES256", secp384r1: "ES384", secp521r1: "ES512" };
|
|
119
119
|
|
|
120
|
-
|
|
120
|
+
// algParams — JOSE alg → node:crypto sign/verify parameters (hash + RSA
|
|
121
|
+
// PKCS1 padding / RSASSA-PSS saltLength / ECDSA dsaEncoding). The classical-
|
|
122
|
+
// JOSE table (RS/PS/ES per RFC 7518 §3, EdDSA per RFC 8037) lives HERE once,
|
|
123
|
+
// in the classical-JOSE domain owner: dpop proofs, fido-mds3 MDS3 BLOBs,
|
|
124
|
+
// oauth ID-token verify, and this module's own sign/verify all read the
|
|
125
|
+
// identical mapping. Returns null for an unrecognised alg so every caller
|
|
126
|
+
// throws its OWN typed error and keeps its OWN supported set — oauth omits
|
|
127
|
+
// EdDSA, dpop layers the PQC ML-DSA-87 on top. The values are sign/verify-
|
|
128
|
+
// symmetric (node:crypto uses the same params for both).
|
|
129
|
+
function algParams(alg) {
|
|
121
130
|
if (alg === "RS256") return { hash: "sha256", padding: nodeCrypto.constants.RSA_PKCS1_PADDING };
|
|
122
131
|
if (alg === "RS384") return { hash: "sha384", padding: nodeCrypto.constants.RSA_PKCS1_PADDING };
|
|
123
132
|
if (alg === "RS512") return { hash: "sha512", padding: nodeCrypto.constants.RSA_PKCS1_PADDING };
|
|
@@ -128,8 +137,16 @@ function _verifyParamsForAlg(alg) {
|
|
|
128
137
|
if (alg === "ES384") return { hash: "sha384", dsaEncoding: "ieee-p1363" };
|
|
129
138
|
if (alg === "ES512") return { hash: "sha512", dsaEncoding: "ieee-p1363" };
|
|
130
139
|
if (alg === "EdDSA") return { hash: null };
|
|
131
|
-
|
|
132
|
-
|
|
140
|
+
return null;
|
|
141
|
+
}
|
|
142
|
+
|
|
143
|
+
function _verifyParamsForAlg(alg) {
|
|
144
|
+
var params = algParams(alg);
|
|
145
|
+
if (!params) {
|
|
146
|
+
throw new AuthError("auth-jwt-external/unsupported-alg",
|
|
147
|
+
"alg '" + alg + "' is not supported by verifyExternal");
|
|
148
|
+
}
|
|
149
|
+
return params;
|
|
133
150
|
}
|
|
134
151
|
|
|
135
152
|
// _toPrivateKey — import the operator's classical signing key from any of
|
|
@@ -231,11 +248,11 @@ function _signCompactJws(header, payload, privateKey, alg) {
|
|
|
231
248
|
}
|
|
232
249
|
|
|
233
250
|
function _jwkToKey(jwk) {
|
|
234
|
-
|
|
235
|
-
|
|
236
|
-
|
|
237
|
-
|
|
238
|
-
}
|
|
251
|
+
return bCrypto.importPublicJwk(jwk, {
|
|
252
|
+
errorClass: AuthError,
|
|
253
|
+
code: "auth-jwt-external/bad-jwk",
|
|
254
|
+
messagePrefix: "could not import JWK (kid=" + (jwk && jwk.kid) + "): ",
|
|
255
|
+
});
|
|
239
256
|
}
|
|
240
257
|
|
|
241
258
|
// CVE-2026-22817 — RS256→HS256 alg-confusion + the broader alg/kty
|
|
@@ -725,6 +742,7 @@ module.exports = {
|
|
|
725
742
|
REFUSED_ALGS: REFUSED_ALGS,
|
|
726
743
|
// Shared JOSE defenses — routed from oauth.verifyIdToken /
|
|
727
744
|
// oid4vci proof verify / sd-jwt-vc.verify / openid-federation.
|
|
745
|
+
algParams: algParams,
|
|
728
746
|
_assertAlgKtyMatch: _assertAlgKtyMatch,
|
|
729
747
|
_issuerMatches: _issuerMatches,
|
|
730
748
|
// Classical-JWS signer internals — composed by oauth.js's attestation
|
|
@@ -78,6 +78,7 @@ var C = require("../constants");
|
|
|
78
78
|
var bCrypto = require("../crypto");
|
|
79
79
|
var safeJson = require("../safe-json");
|
|
80
80
|
var validateOpts = require("../validate-opts");
|
|
81
|
+
var nonceStore = require("../nonce-store");
|
|
81
82
|
var { AuthError } = require("../framework-error");
|
|
82
83
|
|
|
83
84
|
// Algorithm registry. The string keys are the JWT header `alg` values
|
|
@@ -92,11 +93,12 @@ var SUPPORTED_ALGORITHMS = Object.freeze(Object.keys(ALGORITHM_TO_NODE));
|
|
|
92
93
|
|
|
93
94
|
function _b64urlEncode(buf) { return bCrypto.toBase64Url(buf); }
|
|
94
95
|
|
|
95
|
-
|
|
96
|
-
|
|
97
|
-
|
|
98
|
-
|
|
99
|
-
|
|
96
|
+
var _b64urlDecode = bCrypto.makeBase64UrlDecoder({
|
|
97
|
+
errorClass: AuthError,
|
|
98
|
+
code: "auth-jwt/malformed",
|
|
99
|
+
typeMessage: "expected base64url string",
|
|
100
|
+
badMessage: "JWT segment is not valid base64url",
|
|
101
|
+
});
|
|
100
102
|
|
|
101
103
|
function _toKeyObject(pemOrKey, kind) {
|
|
102
104
|
// kind is 'private' or 'public' — passes through if already a KeyObject;
|
|
@@ -409,16 +411,12 @@ async function verify(token, opts) {
|
|
|
409
411
|
if (typeof p.exp === "number") {
|
|
410
412
|
expireAtMs = p.exp * C.TIME.seconds(1);
|
|
411
413
|
}
|
|
412
|
-
|
|
413
|
-
|
|
414
|
-
|
|
415
|
-
|
|
416
|
-
|
|
417
|
-
}
|
|
418
|
-
if (inserted === false) {
|
|
419
|
-
throw new AuthError("auth-jwt/replay",
|
|
420
|
-
"token jti='" + p.jti + "' has been seen before — replay refused");
|
|
421
|
-
}
|
|
414
|
+
await nonceStore.enforceReplay(opts.replayStore, p.jti, expireAtMs, {
|
|
415
|
+
errorClass: AuthError,
|
|
416
|
+
storeFailedCode: "auth-jwt/replay-store-failed",
|
|
417
|
+
replayCode: "auth-jwt/replay",
|
|
418
|
+
tokenLabel: "token",
|
|
419
|
+
});
|
|
422
420
|
}
|
|
423
421
|
|
|
424
422
|
return p;
|
|
@@ -200,32 +200,13 @@ function create(opts) {
|
|
|
200
200
|
|
|
201
201
|
function _scopedKey(key) { return namespace + ":" + key; }
|
|
202
202
|
|
|
203
|
-
|
|
204
|
-
|
|
205
|
-
|
|
206
|
-
try { sink.event(name, 1, labels); } catch (_e) { /* observability is best-effort */ }
|
|
207
|
-
}
|
|
208
|
-
|
|
209
|
-
// Fall back to the framework's global observability registry when the
|
|
210
|
-
// operator didn't pass their own. event() is a no-op when no registry
|
|
211
|
-
// is wired, so this is zero-cost in apps without observability.
|
|
212
|
-
function _safeGlobalObs() {
|
|
213
|
-
try { return observability(); } catch (_e) { return null; }
|
|
214
|
-
}
|
|
203
|
+
// Emit to the operator's configured observability instance, else the
|
|
204
|
+
// framework's global registry (a no-op when none is wired), drop-silent.
|
|
205
|
+
var _emitObs = observability().makeCounterEmitter(obsInst);
|
|
215
206
|
|
|
216
|
-
|
|
217
|
-
|
|
218
|
-
|
|
219
|
-
var event = {
|
|
220
|
-
action: action,
|
|
221
|
-
outcome: outcome,
|
|
222
|
-
resource: { kind: "auth.lockout", id: namespace + ":" + key },
|
|
223
|
-
metadata: metadata || {},
|
|
224
|
-
};
|
|
225
|
-
if (req) event.actor = requestHelpers.extractActorContext(req);
|
|
226
|
-
auditInst.safeEmit(event);
|
|
227
|
-
} catch (_e) { /* audit best-effort */ }
|
|
228
|
-
}
|
|
207
|
+
var _emitAudit = requestHelpers.makeResourceAuditEmitter(auditInst, "auth.lockout", function (key) {
|
|
208
|
+
return namespace + ":" + key;
|
|
209
|
+
});
|
|
229
210
|
|
|
230
211
|
// Cache failures fail-OPEN by design (per the framework's
|
|
231
212
|
// documented brute-force-lockout posture — rather than crash the
|
|
@@ -215,11 +215,8 @@ var DEFAULT_CLOCK_SKEW_MS = C.TIME.minutes(1);
|
|
|
215
215
|
// OAuth 2.0 Threat Model §4.4.1.8 / §4.4.1.13.
|
|
216
216
|
var PKCE_VERIFIER_BYTES = C.BYTES.bytes(32);
|
|
217
217
|
var STATE_NONCE_BYTES = C.BYTES.bytes(16);
|
|
218
|
-
// JOSE PSS salt lengths (RFC 7518 §3.5)
|
|
219
|
-
//
|
|
220
|
-
var PSS_SALT_BYTES_SHA256 = C.BYTES.bytes(32);
|
|
221
|
-
var PSS_SALT_BYTES_SHA384 = C.BYTES.bytes(48);
|
|
222
|
-
var PSS_SALT_BYTES_SHA512 = C.BYTES.bytes(64);
|
|
218
|
+
// JOSE PSS salt lengths (RFC 7518 §3.5) now live with the shared alg table
|
|
219
|
+
// in jwtExternal.algParams; _verifyParamsForAlg here is a thin wrapper.
|
|
223
220
|
|
|
224
221
|
// RFC 8628 §3.4 — device_code length cap. The spec doesn't fix a max
|
|
225
222
|
// length but 8 KiB comfortably accommodates any legitimate base64url
|
|
@@ -253,11 +250,12 @@ var RFC_8693_TOKEN_TYPES = Object.freeze([
|
|
|
253
250
|
|
|
254
251
|
function _b64urlEncode(buf) { return bCrypto.toBase64Url(buf); }
|
|
255
252
|
|
|
256
|
-
|
|
257
|
-
|
|
258
|
-
|
|
259
|
-
|
|
260
|
-
|
|
253
|
+
var _b64urlDecode = bCrypto.makeBase64UrlDecoder({
|
|
254
|
+
errorClass: OAuthError,
|
|
255
|
+
code: "auth-oauth/bad-base64",
|
|
256
|
+
typeMessage: "expected base64url string",
|
|
257
|
+
badMessage: "segment is not valid base64url",
|
|
258
|
+
});
|
|
261
259
|
|
|
262
260
|
function _generateRandomToken(bytes) {
|
|
263
261
|
return _b64urlEncode(generateBytes(bytes));
|
|
@@ -329,29 +327,27 @@ function _validateUrl(url, allowHttp, label) {
|
|
|
329
327
|
// ---- JOSE alg → node:crypto verify parameters ----
|
|
330
328
|
|
|
331
329
|
function _verifyParamsForAlg(alg) {
|
|
332
|
-
// Returns { hash, padding, dsaEncoding } for node:crypto.verify
|
|
333
|
-
|
|
334
|
-
|
|
335
|
-
|
|
336
|
-
|
|
337
|
-
if (alg === "
|
|
338
|
-
|
|
339
|
-
|
|
340
|
-
|
|
341
|
-
|
|
342
|
-
throw new OAuthError("auth-oauth/unsupported-alg",
|
|
343
|
-
"alg '" + alg + "' is not supported for ID-token verification");
|
|
330
|
+
// Returns { hash, padding, dsaEncoding } for node:crypto.verify, from the
|
|
331
|
+
// shared classical-JOSE table (jwtExternal.algParams). ID-token verification
|
|
332
|
+
// deliberately does NOT accept EdDSA — most OIDC OPs sign with RS256/ES256
|
|
333
|
+
// and the framework keeps the ID-token verify surface to the RSA/ECDSA set.
|
|
334
|
+
var params = jwtExternal.algParams(alg);
|
|
335
|
+
if (!params || alg === "EdDSA") {
|
|
336
|
+
throw new OAuthError("auth-oauth/unsupported-alg",
|
|
337
|
+
"alg '" + alg + "' is not supported for ID-token verification");
|
|
338
|
+
}
|
|
339
|
+
return params;
|
|
344
340
|
}
|
|
345
341
|
|
|
346
342
|
// ---- JWKS → KeyObject ----
|
|
347
343
|
|
|
348
344
|
function _jwkToKey(jwk) {
|
|
349
345
|
// node's createPublicKey accepts JWK directly since Node 16.
|
|
350
|
-
|
|
351
|
-
|
|
352
|
-
|
|
353
|
-
|
|
354
|
-
}
|
|
346
|
+
return bCrypto.importPublicJwk(jwk, {
|
|
347
|
+
errorClass: OAuthError,
|
|
348
|
+
code: "auth-oauth/bad-jwk",
|
|
349
|
+
messagePrefix: "could not import JWK (kid=" + (jwk && jwk.kid) + "): ",
|
|
350
|
+
});
|
|
355
351
|
}
|
|
356
352
|
|
|
357
353
|
// ---- RFC 9396 Rich Authorization Requests (RAR) ----
|
|
@@ -657,6 +653,16 @@ function _publicCnfJwk(jwk, label) {
|
|
|
657
653
|
label + ": instanceKeyJwk.kty='" + jwk.kty + "' is not an asymmetric public JWK");
|
|
658
654
|
}
|
|
659
655
|
|
|
656
|
+
// Config-time check for an OPTIONAL epoch-seconds override (iat / nbf): if
|
|
657
|
+
// present it must be a finite number, so a typo is caught at build time
|
|
658
|
+
// rather than silently ignored by the `typeof === "number"` body guard.
|
|
659
|
+
function _optionalFiniteNumber(value, label, code) {
|
|
660
|
+
if (value === undefined || value === null) return;
|
|
661
|
+
if (typeof value !== "number" || !isFinite(value)) {
|
|
662
|
+
throw new OAuthError(code, label + " must be a finite number (epoch seconds)");
|
|
663
|
+
}
|
|
664
|
+
}
|
|
665
|
+
|
|
660
666
|
/**
|
|
661
667
|
* @primitive b.auth.oauth.buildClientAttestation
|
|
662
668
|
* @signature b.auth.oauth.buildClientAttestation(opts)
|
|
@@ -700,14 +706,23 @@ function _publicCnfJwk(jwk, label) {
|
|
|
700
706
|
*/
|
|
701
707
|
function buildClientAttestation(aopts) {
|
|
702
708
|
aopts = aopts || {};
|
|
703
|
-
validateOpts(aopts,
|
|
704
|
-
|
|
705
|
-
|
|
706
|
-
|
|
707
|
-
|
|
708
|
-
|
|
709
|
-
|
|
710
|
-
|
|
709
|
+
validateOpts.shape(aopts, {
|
|
710
|
+
clientId: { rule: "required-string", code: "auth-oauth/attestation-no-client-id" },
|
|
711
|
+
// KeyObject | PEM string | JWK object — typed downstream by
|
|
712
|
+
// _toAttestationPrivateKey; the shape only enforces presence.
|
|
713
|
+
attesterPrivateKey: function (v, l) {
|
|
714
|
+
if (v === undefined || v === null) {
|
|
715
|
+
throw new OAuthError("auth-oauth/attestation-no-attester-key",
|
|
716
|
+
l + " (Attester signing key) is required");
|
|
717
|
+
}
|
|
718
|
+
},
|
|
719
|
+
instanceKeyJwk: { rule: "required-object", code: "auth-oauth/attestation-bad-cnf" },
|
|
720
|
+
algorithm: { rule: "optional-string", code: "auth-oauth/attestation-bad-alg" },
|
|
721
|
+
nbf: function (v, l) { _optionalFiniteNumber(v, l, "auth-oauth/attestation-bad-nbf"); },
|
|
722
|
+
iat: function (v, l) { _optionalFiniteNumber(v, l, "auth-oauth/attestation-bad-iat"); },
|
|
723
|
+
extraClaims: { rule: "optional-plain-object", code: "auth-oauth/attestation-bad-extra-claims" },
|
|
724
|
+
expiresInSec: { rule: "optional-positive-int", code: "auth-oauth/attestation-bad-expiry" },
|
|
725
|
+
}, "buildClientAttestation", OAuthError, "auth-oauth/attestation-no-client-id");
|
|
711
726
|
var key = _toAttestationPrivateKey(aopts.attesterPrivateKey, "buildClientAttestation");
|
|
712
727
|
var alg = _resolveAttestationAlg(aopts.algorithm, key, "buildClientAttestation");
|
|
713
728
|
var cnfJwk = _publicCnfJwk(aopts.instanceKeyJwk, "buildClientAttestation");
|
|
@@ -769,16 +784,23 @@ function buildClientAttestation(aopts) {
|
|
|
769
784
|
*/
|
|
770
785
|
function buildClientAttestationPop(popts) {
|
|
771
786
|
popts = popts || {};
|
|
772
|
-
validateOpts(popts,
|
|
773
|
-
|
|
774
|
-
|
|
775
|
-
|
|
776
|
-
|
|
777
|
-
|
|
778
|
-
|
|
779
|
-
|
|
780
|
-
|
|
781
|
-
|
|
787
|
+
validateOpts.shape(popts, {
|
|
788
|
+
audience: { rule: "required-string", code: "auth-oauth/attestation-pop-no-aud",
|
|
789
|
+
label: "buildClientAttestationPop: audience (AS issuer)" },
|
|
790
|
+
// KeyObject | PEM string | JWK object — typed downstream by
|
|
791
|
+
// _toAttestationPrivateKey; the shape only enforces presence.
|
|
792
|
+
instancePrivateKey: function (v, l) {
|
|
793
|
+
if (v === undefined || v === null) {
|
|
794
|
+
throw new OAuthError("auth-oauth/attestation-pop-no-instance-key",
|
|
795
|
+
l + " (instance signing key matching cnf.jwk) is required");
|
|
796
|
+
}
|
|
797
|
+
},
|
|
798
|
+
algorithm: { rule: "optional-string", code: "auth-oauth/attestation-pop-bad-alg" },
|
|
799
|
+
jti: { rule: "optional-string", code: "auth-oauth/attestation-pop-bad-jti" },
|
|
800
|
+
iat: function (v, l) { _optionalFiniteNumber(v, l, "auth-oauth/attestation-pop-bad-iat"); },
|
|
801
|
+
challenge: { rule: "optional-string", code: "auth-oauth/attestation-pop-bad-challenge" },
|
|
802
|
+
expiresInSec: { rule: "optional-positive-int", code: "auth-oauth/attestation-pop-bad-expiry" },
|
|
803
|
+
}, "buildClientAttestationPop", OAuthError, "auth-oauth/attestation-pop-no-aud");
|
|
782
804
|
var key = _toAttestationPrivateKey(popts.instancePrivateKey, "buildClientAttestationPop");
|
|
783
805
|
var alg = _resolveAttestationAlg(popts.algorithm, key, "buildClientAttestationPop");
|
|
784
806
|
var iatSec = typeof popts.iat === "number" ? popts.iat : Math.floor(Date.now() / C.TIME.seconds(1));
|
|
@@ -54,7 +54,7 @@ var lazyRequire = require("../lazy-require");
|
|
|
54
54
|
var validateOpts = require("../validate-opts");
|
|
55
55
|
var safeJson = require("../safe-json");
|
|
56
56
|
var nodeCrypto = require("node:crypto");
|
|
57
|
-
var { generateToken, sha3Hash, timingSafeEqual } = require("../crypto");
|
|
57
|
+
var { generateToken, sha3Hash, timingSafeEqual, importPublicJwk } = require("../crypto");
|
|
58
58
|
// Shared JOSE defenses (CVE-2026-22817 alg/kty cross-check). Top-of-
|
|
59
59
|
// file per project convention §3; no circular load — jwt-external
|
|
60
60
|
// requires nothing from oid4vci.
|
|
@@ -297,11 +297,11 @@ async function _verifyProofJwt(proofJwt, expectedAud, expectedCNonce, expectedCl
|
|
|
297
297
|
// A resolver that returns an RSA key for a proof declaring an HMAC
|
|
298
298
|
// alg would otherwise be verified as an HMAC secret.
|
|
299
299
|
jwtExternal._assertAlgKtyMatch(header.alg, holderKeyJwk);
|
|
300
|
-
|
|
301
|
-
|
|
302
|
-
|
|
303
|
-
|
|
304
|
-
}
|
|
300
|
+
keyObj = importPublicJwk(holderKeyJwk, {
|
|
301
|
+
errorClass: AuthError,
|
|
302
|
+
code: "auth-oid4vci/bad-resolved-key",
|
|
303
|
+
messagePrefix: "credential issuance: resolveKid-returned key is not importable as a public key: ",
|
|
304
|
+
});
|
|
305
305
|
} else if (!holderKeyJwk && header.x5c) {
|
|
306
306
|
// RFC 7515 §4.1.6 / OID4VCI §8.2.1.1 — the wallet ships a base64 DER
|
|
307
307
|
// certificate chain; the LEAF (first) cert's SPKI is the holder key.
|
|
@@ -333,11 +333,11 @@ async function _verifyProofJwt(proofJwt, expectedAud, expectedCNonce, expectedCl
|
|
|
333
333
|
// A leaf cert holding an RSA key against a proof declaring an HMAC
|
|
334
334
|
// alg would otherwise be verified as an HMAC secret.
|
|
335
335
|
jwtExternal._assertAlgKtyMatch(header.alg, holderKeyJwk);
|
|
336
|
-
|
|
337
|
-
|
|
338
|
-
|
|
339
|
-
|
|
340
|
-
}
|
|
336
|
+
keyObj = importPublicJwk(holderKeyJwk, {
|
|
337
|
+
errorClass: AuthError,
|
|
338
|
+
code: "auth-oid4vci/bad-x5c",
|
|
339
|
+
messagePrefix: "credential issuance: proof JWT `x5c` leaf public key is not importable: ",
|
|
340
|
+
});
|
|
341
341
|
} else {
|
|
342
342
|
if (!holderKeyJwk) {
|
|
343
343
|
throw new AuthError("auth-oid4vci/no-jwk-in-header",
|
|
@@ -349,11 +349,11 @@ async function _verifyProofJwt(proofJwt, expectedAud, expectedCNonce, expectedCl
|
|
|
349
349
|
// key as an HMAC secret. Routed through the shared helper so every
|
|
350
350
|
// JWT verifier in the framework enforces the same check.
|
|
351
351
|
jwtExternal._assertAlgKtyMatch(header.alg, holderKeyJwk);
|
|
352
|
-
|
|
353
|
-
|
|
354
|
-
|
|
355
|
-
|
|
356
|
-
}
|
|
352
|
+
keyObj = importPublicJwk(holderKeyJwk, {
|
|
353
|
+
errorClass: AuthError,
|
|
354
|
+
code: "auth-oid4vci/bad-jwk",
|
|
355
|
+
messagePrefix: "credential issuance: proof JWT jwk is not parseable: ",
|
|
356
|
+
});
|
|
357
357
|
}
|
|
358
358
|
|
|
359
359
|
var signingInput = parts[0] + "." + parts[1];
|
|
@@ -428,13 +428,36 @@ async function _verifyProofJwt(proofJwt, expectedAud, expectedCNonce, expectedCl
|
|
|
428
428
|
* });
|
|
429
429
|
*/
|
|
430
430
|
function create(opts) {
|
|
431
|
+
// Preserve the original object-guard's exact label + default code
|
|
432
|
+
// (distinct from the per-field "issuer.create:" label prefix below).
|
|
431
433
|
validateOpts.requireObject(opts, "auth.oid4vci.issuer.create", AuthError);
|
|
432
|
-
validateOpts.
|
|
433
|
-
|
|
434
|
-
|
|
435
|
-
|
|
436
|
-
|
|
437
|
-
|
|
434
|
+
validateOpts.shape(opts, {
|
|
435
|
+
credentialIssuerUrl: { rule: "required-string", code: "auth-oid4vci/no-issuer-url" },
|
|
436
|
+
credentialEndpoint: { rule: "required-string", code: "auth-oid4vci/no-credential-endpoint" },
|
|
437
|
+
tokenEndpoint: { rule: "required-string", code: "auth-oid4vci/no-token-endpoint" },
|
|
438
|
+
// sdJwtIssuer + supportedCredentials carry distinct bespoke checks
|
|
439
|
+
// (instance shape / non-empty map / per-credential format+vct) below;
|
|
440
|
+
// declare them here so the exhaustive contract accepts the keys —
|
|
441
|
+
// required-object validates only that they are objects, which the
|
|
442
|
+
// bespoke checks then refine.
|
|
443
|
+
sdJwtIssuer: "required-object",
|
|
444
|
+
supportedCredentials: "required-object",
|
|
445
|
+
proofAlgorithms: "optional-string-array",
|
|
446
|
+
// resolveKid / validateX5c carry distinct per-field codes the inline
|
|
447
|
+
// config-time guards used; the descriptor form keeps the exact code +
|
|
448
|
+
// label inside the exhaustive shape.
|
|
449
|
+
resolveKid: { rule: "optional-function", code: "auth-oid4vci/bad-resolve-kid" },
|
|
450
|
+
validateX5c: { rule: "optional-function", code: "auth-oid4vci/bad-validate-x5c" },
|
|
451
|
+
preAuthCodeTtlMs: "optional-positive-finite",
|
|
452
|
+
accessTokenTtlMs: "optional-positive-finite",
|
|
453
|
+
cNonceTtlMs: "optional-positive-finite",
|
|
454
|
+
proofMaxAgeMs: "optional-positive-finite",
|
|
455
|
+
accessTokenSingleUse: "optional-boolean",
|
|
456
|
+
codeStore: "optional-plain-object",
|
|
457
|
+
accessTokenStore: "optional-plain-object",
|
|
458
|
+
cNonceStore: "optional-plain-object",
|
|
459
|
+
authorizationServers: "optional-string-array",
|
|
460
|
+
}, "issuer.create", AuthError);
|
|
438
461
|
if (!opts.sdJwtIssuer || typeof opts.sdJwtIssuer.issue !== "function") {
|
|
439
462
|
throw new AuthError("auth-oid4vci/no-sd-jwt-issuer",
|
|
440
463
|
"issuer.create: sdJwtIssuer must be a b.auth.sdJwtVc.issuer instance");
|
|
@@ -464,18 +487,18 @@ function create(opts) {
|
|
|
464
487
|
? opts.proofAlgorithms : ["ES256", "ES384", "EdDSA"];
|
|
465
488
|
|
|
466
489
|
// Optional kid-resolver for kid-only proofs (EUDI-Wallet attested-key
|
|
467
|
-
// flow).
|
|
468
|
-
// kid-only proofs keep the clear refusal
|
|
469
|
-
|
|
470
|
-
|
|
490
|
+
// flow). Validated by the shape above (config-time throw if supplied
|
|
491
|
+
// but not a function). Absent → kid-only proofs keep the clear refusal
|
|
492
|
+
// (back-compat).
|
|
493
|
+
var resolveKid = opts.resolveKid;
|
|
471
494
|
|
|
472
495
|
// Optional x5c chain-trust policy for x5c proofs (RFC 7515 §4.1.6 /
|
|
473
|
-
// OID4VCI §8.2.1.1).
|
|
474
|
-
// Absent → the leaf-cert SPKI binds at the
|
|
475
|
-
// level as an inline `jwk` (the proof signature
|
|
476
|
-
// anchoring beyond that is the operator's to
|
|
477
|
-
|
|
478
|
-
|
|
496
|
+
// OID4VCI §8.2.1.1). Validated by the shape above (config-time throw if
|
|
497
|
+
// supplied but not a function). Absent → the leaf-cert SPKI binds at the
|
|
498
|
+
// same self-asserted trust level as an inline `jwk` (the proof signature
|
|
499
|
+
// binds the key); chain anchoring beyond that is the operator's to
|
|
500
|
+
// enforce via this callback.
|
|
501
|
+
var validateX5c = opts.validateX5c;
|
|
479
502
|
|
|
480
503
|
var preAuthTtl = opts.preAuthCodeTtlMs || DEFAULT_PRE_AUTH_TTL_MS;
|
|
481
504
|
var accessTokenTtl = opts.accessTokenTtlMs || DEFAULT_ACCESS_TOKEN_TTL;
|
|
@@ -52,6 +52,7 @@
|
|
|
52
52
|
|
|
53
53
|
var lazyRequire = require("../lazy-require");
|
|
54
54
|
var validateOpts = require("../validate-opts");
|
|
55
|
+
var boundedMap = require("../bounded-map");
|
|
55
56
|
var { generateToken } = require("../crypto");
|
|
56
57
|
var { AuthError } = require("../framework-error");
|
|
57
58
|
|
|
@@ -90,10 +91,10 @@ function _validateDcql(dcql) {
|
|
|
90
91
|
throw new AuthError("auth-oid4vp/no-credential-id",
|
|
91
92
|
"DCQL: credentials[" + i + "].id is required");
|
|
92
93
|
}
|
|
93
|
-
|
|
94
|
+
boundedMap.requireAbsentMember(seenIds, cred.id, function () {
|
|
94
95
|
throw new AuthError("auth-oid4vp/duplicate-id",
|
|
95
96
|
"DCQL: credentials[" + i + "].id \"" + cred.id + "\" duplicated");
|
|
96
|
-
}
|
|
97
|
+
});
|
|
97
98
|
seenIds.add(cred.id);
|
|
98
99
|
if (typeof cred.format !== "string" || cred.format.length === 0) {
|
|
99
100
|
throw new AuthError("auth-oid4vp/no-format",
|
|
@@ -58,6 +58,7 @@ var lazyRequire = require("../lazy-require");
|
|
|
58
58
|
var validateOpts = require("../validate-opts");
|
|
59
59
|
var safeJson = require("../safe-json");
|
|
60
60
|
var nodeCrypto = require("node:crypto");
|
|
61
|
+
var bCrypto = require("../crypto");
|
|
61
62
|
var C = require("../constants");
|
|
62
63
|
// Shared JOSE defenses (CVE-2026-22817 alg/kty cross-check +
|
|
63
64
|
// CVE-2026-23552 constant-time iss compare). Top-of-file per project
|
|
@@ -195,12 +196,11 @@ function verifyEntityStatement(jwt, jwks, vopts) {
|
|
|
195
196
|
// same check.
|
|
196
197
|
jwtExternal._assertAlgKtyMatch(parsed.header.alg, key);
|
|
197
198
|
|
|
198
|
-
var keyObj
|
|
199
|
-
|
|
200
|
-
|
|
201
|
-
|
|
202
|
-
|
|
203
|
-
}
|
|
199
|
+
var keyObj = bCrypto.importPublicJwk(key, {
|
|
200
|
+
errorClass: AuthError,
|
|
201
|
+
code: "auth-openid-federation/bad-jwk",
|
|
202
|
+
messagePrefix: "verifyEntityStatement: JWK is not parseable: ",
|
|
203
|
+
});
|
|
204
204
|
|
|
205
205
|
var hash = _hashByAlg(parsed.header.alg);
|
|
206
206
|
var verifyOpts = { key: keyObj };
|
|
@@ -325,7 +325,7 @@ function _b64urlExtInput(value, name, maxBytes) {
|
|
|
325
325
|
}
|
|
326
326
|
if (typeof maxBytes === "number") {
|
|
327
327
|
var decoded = Buffer.from(value, "base64url");
|
|
328
|
-
if (decoded
|
|
328
|
+
if (safeBuffer.byteLengthOf(decoded) > maxBytes) {
|
|
329
329
|
throw new AuthError("auth-passkey/extension-input-too-large",
|
|
330
330
|
name + " decoded length " + decoded.length + " exceeds " + maxBytes + " bytes");
|
|
331
331
|
}
|
|
@@ -333,14 +333,14 @@ function _b64urlExtInput(value, name, maxBytes) {
|
|
|
333
333
|
return value;
|
|
334
334
|
}
|
|
335
335
|
if (Buffer.isBuffer(value)) {
|
|
336
|
-
if (typeof maxBytes === "number" && value
|
|
336
|
+
if (typeof maxBytes === "number" && safeBuffer.byteLengthOf(value) > maxBytes) {
|
|
337
337
|
throw new AuthError("auth-passkey/extension-input-too-large",
|
|
338
338
|
name + " length " + value.length + " exceeds " + maxBytes + " bytes");
|
|
339
339
|
}
|
|
340
340
|
return value.toString("base64url");
|
|
341
341
|
}
|
|
342
342
|
if (value instanceof Uint8Array) {
|
|
343
|
-
if (typeof maxBytes === "number" && value
|
|
343
|
+
if (typeof maxBytes === "number" && safeBuffer.byteLengthOf(value) > maxBytes) {
|
|
344
344
|
throw new AuthError("auth-passkey/extension-input-too-large",
|
|
345
345
|
name + " length " + value.length + " exceeds " + maxBytes + " bytes");
|
|
346
346
|
}
|
|
@@ -421,7 +421,13 @@ function policy(opts) {
|
|
|
421
421
|
var sha1Full = hibpSha1.sha1Hex(plaintext).toUpperCase();
|
|
422
422
|
var prefix = sha1Full.slice(0, 5);
|
|
423
423
|
var suffix = sha1Full.slice(5);
|
|
424
|
-
|
|
424
|
+
// Strip trailing slashes with a linear backward scan rather than
|
|
425
|
+
// /\/+$/ — the `$`-after-greedy-`+` regex is O(n^2) in V8 on a value
|
|
426
|
+
// that is a long run of '/' (the engine retries from every offset).
|
|
427
|
+
// Byte-identical result, unconditionally linear.
|
|
428
|
+
var endEp = p.hibpEndpoint.length;
|
|
429
|
+
while (endEp > 0 && p.hibpEndpoint.charCodeAt(endEp - 1) === 0x2f) { endEp -= 1; }
|
|
430
|
+
var url = p.hibpEndpoint.slice(0, endEp) + "/range/" + prefix;
|
|
425
431
|
var resp;
|
|
426
432
|
try {
|
|
427
433
|
resp = await httpClient.request({
|
|
@@ -332,13 +332,18 @@ function _verifyXmldsig(envelope, signatureNode, certPem) {
|
|
|
332
332
|
* });
|
|
333
333
|
*/
|
|
334
334
|
function create(opts) {
|
|
335
|
-
validateOpts.
|
|
336
|
-
|
|
337
|
-
|
|
338
|
-
|
|
339
|
-
|
|
340
|
-
|
|
341
|
-
|
|
335
|
+
validateOpts.shape(opts, {
|
|
336
|
+
entityId: { rule: "required-string", label: "entityId", code: "auth-saml/no-entity-id" },
|
|
337
|
+
assertionConsumerServiceUrl: { rule: "required-string", label: "assertionConsumerServiceUrl", code: "auth-saml/no-acs" },
|
|
338
|
+
idpEntityId: { rule: "required-string", label: "idpEntityId", code: "auth-saml/no-idp-entity-id" },
|
|
339
|
+
idpSsoUrl: { rule: "required-string", label: "idpSsoUrl", code: "auth-saml/no-idp-sso" },
|
|
340
|
+
idpCertPem: { rule: "required-string", label: "idpCertPem", code: "auth-saml/no-idp-cert" },
|
|
341
|
+
audience: "optional-string",
|
|
342
|
+
clockSkewSec: "optional-non-negative",
|
|
343
|
+
nameIdFormat: "optional-string",
|
|
344
|
+
singleLogoutServiceUrl: "optional-string",
|
|
345
|
+
idpSloUrl: "optional-string",
|
|
346
|
+
}, "auth.saml.sp.create", AuthError);
|
|
342
347
|
|
|
343
348
|
var audience = opts.audience || opts.entityId;
|
|
344
349
|
var clockSkewSec = typeof opts.clockSkewSec === "number" ? opts.clockSkewSec : 60; // allow:raw-time-literal — clock-skew default
|
|
@@ -973,6 +978,25 @@ function create(opts) {
|
|
|
973
978
|
* idpVerifyAlg: "ml-dsa-65",
|
|
974
979
|
* });
|
|
975
980
|
*/
|
|
981
|
+
// _extractRedirectSignature(queryString) — split a SAML HTTP-Redirect
|
|
982
|
+
// binding query string, pulling the URL-decoded `Signature=` value out and
|
|
983
|
+
// collecting the remaining (signed) portion in order. Shared by
|
|
984
|
+
// parseLogoutRequest / parseLogoutResponse so the two cannot drift on which
|
|
985
|
+
// bytes the signature covers — a drift would be a signature-bypass.
|
|
986
|
+
function _extractRedirectSignature(queryString) {
|
|
987
|
+
var parts = queryString.split("&");
|
|
988
|
+
var sigValue = null;
|
|
989
|
+
var signedPortion = [];
|
|
990
|
+
for (var i = 0; i < parts.length; i += 1) {
|
|
991
|
+
if (parts[i].indexOf("Signature=") === 0) {
|
|
992
|
+
sigValue = decodeURIComponent(parts[i].slice("Signature=".length));
|
|
993
|
+
} else {
|
|
994
|
+
signedPortion.push(parts[i]);
|
|
995
|
+
}
|
|
996
|
+
}
|
|
997
|
+
return { sigValue: sigValue, signedPortion: signedPortion };
|
|
998
|
+
}
|
|
999
|
+
|
|
976
1000
|
function parseLogoutRequest(samlRequestB64, vopts) {
|
|
977
1001
|
vopts = vopts || {};
|
|
978
1002
|
if (typeof samlRequestB64 !== "string" || samlRequestB64.length === 0) {
|
|
@@ -998,16 +1022,9 @@ function create(opts) {
|
|
|
998
1022
|
throw new AuthError("auth-saml/bad-verify-alg",
|
|
999
1023
|
"parseLogoutRequest: idpVerifyAlg must be 'ml-dsa-65' / 'ml-dsa-87' / 'ed25519'");
|
|
1000
1024
|
}
|
|
1001
|
-
var
|
|
1002
|
-
var sigValue =
|
|
1003
|
-
var signedPortion =
|
|
1004
|
-
for (var i = 0; i < parts.length; i += 1) {
|
|
1005
|
-
if (parts[i].indexOf("Signature=") === 0) {
|
|
1006
|
-
sigValue = decodeURIComponent(parts[i].slice("Signature=".length));
|
|
1007
|
-
} else {
|
|
1008
|
-
signedPortion.push(parts[i]);
|
|
1009
|
-
}
|
|
1010
|
-
}
|
|
1025
|
+
var sig = _extractRedirectSignature(vopts.queryString);
|
|
1026
|
+
var sigValue = sig.sigValue;
|
|
1027
|
+
var signedPortion = sig.signedPortion;
|
|
1011
1028
|
if (!sigValue) {
|
|
1012
1029
|
throw new AuthError("auth-saml/no-signature",
|
|
1013
1030
|
"parseLogoutRequest: queryString lacks Signature parameter");
|
|
@@ -1193,16 +1210,9 @@ function create(opts) {
|
|
|
1193
1210
|
throw new AuthError("auth-saml/bad-verify-alg",
|
|
1194
1211
|
"parseLogoutResponse: idpVerifyAlg must be 'ml-dsa-65' / 'ml-dsa-87' / 'ed25519'");
|
|
1195
1212
|
}
|
|
1196
|
-
var
|
|
1197
|
-
var sigValue =
|
|
1198
|
-
var signedPortion =
|
|
1199
|
-
for (var i = 0; i < parts.length; i += 1) {
|
|
1200
|
-
if (parts[i].indexOf("Signature=") === 0) {
|
|
1201
|
-
sigValue = decodeURIComponent(parts[i].slice("Signature=".length));
|
|
1202
|
-
} else {
|
|
1203
|
-
signedPortion.push(parts[i]);
|
|
1204
|
-
}
|
|
1205
|
-
}
|
|
1213
|
+
var sig = _extractRedirectSignature(vopts.queryString);
|
|
1214
|
+
var sigValue = sig.sigValue;
|
|
1215
|
+
var signedPortion = sig.signedPortion;
|
|
1206
1216
|
if (!sigValue) {
|
|
1207
1217
|
throw new AuthError("auth-saml/no-signature",
|
|
1208
1218
|
"parseLogoutResponse: queryString lacks Signature parameter");
|