@blamejs/core 0.14.0 → 0.14.1

package/CHANGELOG.md

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 
 ## v0.14.x
 
+- v0.14.1 (2026-05-29) — **Correctness fixes: JAR request-object typ enforcement, byte-faithful PGP multipart/signed, and SAML InResponseTo binding.** A set of correctness fixes across the auth, mail-crypto, TLS, and encoder surfaces. The most important: JWT-secured authorization requests (RFC 9101) now require the request object to carry the registered `oauth-authz-req+jwt` typ, closing a cross-JWT-confusion vector; the PGP multipart/signed wrapper is now assembled byte-faithfully so non-ASCII signed content can't be corrupted; and SAML response verification now returns the InResponseTo of the SubjectConfirmation that actually validated. Two of these change behavior — see Changed — and are bug fixes rather than new features. **Changed:** *JAR parsing rejects untyped request objects (breaking)* — Following the typ enforcement above, a request object whose header omits `typ` is now refused. An authorization server whose clients sign request objects without the `oauth-authz-req+jwt` typ must update those clients to set it. · *PGP sign() returns multipartSigned as a Buffer (breaking)* — `b.mail.crypto.pgp.sign(...).multipartSigned` is now a Buffer instead of a string. The OpenPGP signature covers the signed-part bytes exactly, and a JS-string round trip through latin1/utf8 could corrupt non-ASCII signed content and break verification, so the RFC 3156 multipart/signed wrapper is now assembled as bytes. Code that wrote the previous string to the wire works unchanged when it writes the Buffer; code that did string operations on the value should treat it as a Buffer (its `indexOf` / `toString` still work). **Fixed:** *SAML response verification binds InResponseTo to the validated confirmation* — `verifyResponse` returned the InResponseTo of the first SubjectConfirmationData in the assertion rather than of the SubjectConfirmation that actually passed bearer validation. When a response carried more than one SubjectConfirmation, the returned value could come from a non-validated confirmation. It is now the InResponseTo of the confirmation that validated. · *checkServerIdentity9525 emits the documented CN-fallback audit code* — A CN-only legacy certificate (a Common Name present, no subjectAltName) is now refused by the exported `b.network.tls.checkServerIdentity9525` with the distinct `tls/pkix-cn-fallback-refused` code its documentation promised, so audit logs can tell a CN-only certificate apart from one carrying neither a SAN nor a CN (which still yields `tls/pkix-san-required`). The accept/refuse outcome is unchanged — both are refused; only the audit granularity improved. · *OIDC back-channel logout / JARM no longer accept dead override parameters* — `verifyBackchannelLogoutToken` and `parseJarmResponse` passed `acceptedAlgs` / `jwksUri` / `maxClockSkewMs` through to the ID-token verifier, which ignored them and applied the configured (create()-time) values. The pass-throughs are removed so the code no longer reads as if those can be overridden per call; the configured trust anchor was — and remains — what applies. · *Queue lease failures are logged* — The consumer loop's lease-acquisition error path swallowed the backend error silently; it now logs at debug so a flapping backend that has not yet tripped the circuit breaker is visible. · *Protobuf and ASN.1 encoders reject out-of-range tags* — The protobuf tag encoder rejected nothing and would have emitted a wrong tag for field numbers at or above 2^28 (where the 32-bit shift overflows); the ASN.1 context-tag writers silently truncated tag numbers above 30 (which require the multi-byte high-tag-number form). Both now throw a RangeError rather than encode silently-wrong output. The values these encoders serve are well within range, so no current caller is affected. · *oid4vci proofAlgorithms default documented accurately* — The documented default proof-algorithm list now matches the code (`["ES256", "ES384", "EdDSA"]`); the doc previously omitted EdDSA, which the runtime has always accepted by default. **Security:** *JAR request objects must carry the registered typ (RFC 9101)* — `b.auth.jar.parse` now requires the request-object JWS header to carry `typ: "oauth-authz-req+jwt"` (with or without the `application/` prefix); a request object with an absent or different typ is refused with `auth-jar/bad-typ`. RFC 9101 §10.8 specifies this media type precisely to stop a JWT minted for another purpose (an ID token, an access token, a logout token) and signed by the same client key from being replayed as a request object. The existing `iss` / `aud` / `client_id` bindings already constrained that; this restores the explicit type check as well. This is stricter than before — see Changed.
+
 - v0.14.0 (2026-05-29) — **Operator-configurable header and field names across SSE, request-id, rate-limit, age-gate, AI-Act disclosure, GraphQL federation, and the HTTP cache.** This release makes operator-facing identifiers that were hardcoded configurable. The framework already let operators rename most names (CSRF cookie/field, cookie parser, i18n header/query/cookie, mTLS CA name, and so on); this closes the remaining gaps so a custom or framework-specific name is never frozen. Every new option defaults to the value emitted today, so upgrading changes no behavior — these are additive knobs. It also fixes a request-id asymmetry (the response header is now written on the same name the inbound id is read from) and wires an SSE proxy-buffering option whose escape hatch was documented but never implemented. **Added:** *Configurable cache-status header on the HTTP client* — The outbound HTTP client annotated every cached response with a hardcoded `x-blamejs-cache: HIT|MISS|STALE|REVALIDATED` header. `b.httpClient.cache.create` now takes `statusHeader` (default "x-blamejs-cache") — pass a custom name (e.g. "x-cache") to rename it, or null/false to suppress it entirely. The decision remains available programmatically on `res.cacheStatus`. · *Configurable rate-limit header names* — `b.middleware.rateLimit` emitted the de-facto `X-RateLimit-Limit` / `X-RateLimit-Remaining` headers (which are not RFC-pinned). It now accepts `headerPrefix` (default "X-RateLimit-") so operators can match the unprefixed IETF-draft `RateLimit-*` names or an upstream gateway's convention; the limit/remaining pair is always built from the same prefix. · *Configurable age-gate and AI-Act disclosure header names* — `b.middleware.ageGate` now takes `privacyPostureHeader` (default "X-Privacy-Posture"; null/false to suppress), and `b.middleware.aiActDisclosure` takes `headerPrefix` (default "AI-Act-") that prefixes the emitted Notice / Article / Policy headers. The EU AI Act mandates the disclosure, not the HTTP spelling, so operators matching a downstream convention can rename these. · *Configurable GraphQL-federation replay-nonce header* — `b.graphqlFederation.guardSdl` read the replay nonce from the Apollo-vendor `x-apollographql-router-nonce` header with no override. It now accepts `nonceHeader` (default unchanged) so an operator fronting the gateway with a non-Apollo router can point the replay check at their own header. · *SSE proxy-buffering opt-out* — `b.sse.create` and `b.middleware.sse` set `X-Accel-Buffering: no` (the nginx hint that disables proxy buffering). They now accept `proxyBuffer` (default true) — pass false when not behind nginx, or when buffering is controlled at the load balancer, to suppress the nginx-specific header. The opt-out was previously referenced in the documentation but not implemented. **Fixed:** *Request-id middleware reflects the configured header name* — `b.log.middleware` read the inbound request id from a configurable `headerName` but always wrote the response on the literal `X-Request-Id`. An operator who set a custom `headerName` (e.g. `X-Correlation-Id`) therefore read from one header and emitted another. The response is now written on the same configured name; the default remains `X-Request-Id`, so deployments that did not set `headerName` are unaffected.
 
 ## v0.13.x

package/lib/asn1-der.js

@@ -321,6 +321,13 @@ function writeOid(dotted) {
 
 function writeContextExplicit(tagNumber, child) {
   // [N] EXPLICIT — context-specific class (0xA0 | tag) + constructed.
+  // Tag numbers > 30 need the multi-byte high-tag-number form, which this
+  // single-byte encoder does not emit — refuse rather than silently
+  // truncate via `& 0x1f`.
+  if (tagNumber < 0 || tagNumber > 30) {
+    throw new RangeError("asn1: context tag number " + tagNumber +
+      " out of range (0..30); high-tag-number form is not supported");
+  }
   var tagByte = 0xa0 | (tagNumber & 0x1f);                                       // allow:raw-byte-literal — context-specific constructed mask
   return writeNode(tagByte, child);
 }
@@ -331,6 +338,10 @@ function writeContextImplicit(tagNumber, value, opts) {
   // wrapping a structured value (e.g. IMPLICIT [0] OCTET STRING vs
   // IMPLICIT [0] SEQUENCE OF). Value is the raw inner bytes (already
   // encoded for constructed cases).
+  if (tagNumber < 0 || tagNumber > 30) {
+    throw new RangeError("asn1: context tag number " + tagNumber +
+      " out of range (0..30); high-tag-number form is not supported");
+  }
   var tagByte = 0x80 | (tagNumber & 0x1f);                                       // allow:raw-byte-literal — context-specific primitive mask
   if (opts && opts.constructed) tagByte |= 0x20;                                 // allow:raw-byte-literal — constructed bit
   return writeNode(tagByte, value);

package/lib/auth/jar.js

@@ -130,6 +130,17 @@ async function parse(jar, opts) {
     audience:    opts.audience,
     clockSkewMs: opts.clockSkewMs,
   });
+  // RFC 9101 §10.8 — the request object MUST be explicitly typed so a JWT
+  // minted for another purpose (id_token / access-token / logout-token)
+  // and signed by the same client key cannot be replayed here as a request
+  // object (cross-JWT confusion). Require the registered media type, with or
+  // without the "application/" prefix; an absent or mismatched typ is refused.
+  var jarTyp = verified.header && verified.header.typ;
+  if (jarTyp !== JAR_TYP && jarTyp !== "application/" + JAR_TYP) {
+    throw new AuthJarError("auth-jar/bad-typ",
+      "jar.parse: request object header.typ must be \"" + JAR_TYP +
+      "\" (RFC 9101 §10.8 — cross-JWT-confusion defense)");
+  }
   var payload = verified.claims;
 
   // RFC 9101 §5.2 — the request object MUST carry a client_id claim,

package/lib/auth/oauth.js

@@ -836,10 +836,10 @@ function create(opts) {
     // only in claim validation (no nonce, audience = clientId, no
     // ID-token-specific claims). We wrap verifyIdToken with the
     // skip-nonce flag and apply JARM-specific claim checks below.
+    // verifyIdToken applies the create()-level accepted algorithms / JWKS /
+    // clock-skew; only the JARM-specific skip-nonce flag is passed here.
     var verified = await verifyIdToken(responseJwt, {
       skipNonceCheck: true,
-      acceptedAlgs:   jopts.acceptedAlgs,
-      maxClockSkewMs: jopts.maxClockSkewMs,
     });
     var c = verified.claims;
     // Per JARM §4: `iss` MUST match the OP issuer; `aud` MUST contain
@@ -1419,12 +1419,10 @@ function create(opts) {
     }
     // Reuse verifyIdToken's signature-verification path. It looks up
     // the IdP JWKS and checks the JWS — same trust anchor.
+    // verifyIdToken applies the create()-level issuer / clientId / accepted
+    // algorithms / JWKS / clock-skew — the same trust anchor as id_tokens.
+    // Only the per-call logout-token semantics are passed here.
     var verified = await verifyIdToken(logoutToken, {
-      issuer:         issuer,
-      clientId:       clientId,
-      acceptedAlgs:   vopts.acceptedAlgs,
-      jwksUri:        vopts.jwksUri,
-      maxClockSkewMs: vopts.maxClockSkewMs,
       // Logout tokens have no nonce — disable the nonce check that
       // verifyIdToken would otherwise enforce on id_tokens.
       skipNonceCheck: true,

package/lib/auth/oid4vci.js

@@ -240,7 +240,7 @@ function _verifyProofJwt(proofJwt, expectedAud, expectedCNonce, expectedClientId
  *     tokenEndpoint:              string,                // public URL for /token (re-used by the pre-auth flow)
  *     sdJwtIssuer:                <b.auth.sdJwtVc.issuer instance>, // mints the SD-JWT VC
  *     supportedCredentials:       { [id]: { format, vct, claims, ... } },
- *     proofAlgorithms:            string[],              // default ["ES256", "ES384"]
+ *     proofAlgorithms:            string[],              // default ["ES256", "ES384", "EdDSA"]
  *     preAuthCodeTtlMs?:          number,                // default 5m
  *     accessTokenTtlMs?:          number,                // default 15m
  *     cNonceTtlMs?:               number,                // default 5m

package/lib/auth/saml.js

@@ -596,6 +596,10 @@ function create(opts) {
     var confirmations = _findAllChildren(subject, "SubjectConfirmation", SAML_NS.assertion);
     var bearerOk = false;
     var hokOk = false;
+    // InResponseTo of the SubjectConfirmation that actually passed bearer
+    // validation — captured so the returned value can't be sourced from a
+    // different (non-validated) confirmation when several are present.
+    var matchedInResponseTo = null;
     var hokFingerprint = null;
     // Holder-of-Key SubjectConfirmation per SAML 2.0 Profile §3.1
     // (urn:oasis:names:tc:SAML:2.0:cm:holder-of-key). The IdP binds
@@ -721,6 +725,7 @@ function create(opts) {
             "AuthnRequest ID (replay defense)");
         }
       }
+      matchedInResponseTo = inResponseTo;
       bearerOk = true;
       break;
     }
@@ -787,8 +792,7 @@ function create(opts) {
       sessionIndex:    sessionIndex,
       attributes:      attributes,
       audience:        audience,
-      inResponseTo:    bearerOk ? _attr(_findChild(_findChild(subject, "SubjectConfirmation", SAML_NS.assertion),
-                                       "SubjectConfirmationData", SAML_NS.assertion), "InResponseTo") : null,
+      inResponseTo:    bearerOk ? matchedInResponseTo : null,
       issuer:          issuer,
     };
   }

package/lib/mail-crypto-pgp.js

@@ -84,7 +84,7 @@
  *       audit:          opts.audit,            // optional b.audit handle
  *     });
  *     // → { armored: "-----BEGIN PGP SIGNATURE----- ...",
- *     //     multipartSigned: "Content-Type: multipart/signed; ...",
+ *     //     multipartSigned: <Buffer ...>,   // RFC 3156 wrapper bytes
  *     //     signedAt:        epochSeconds, fingerprint: "abcd..." }
  *
  *     var rv = b.mail.crypto.pgp.verify({
@@ -564,19 +564,27 @@ function sign(opts) {
   // key/cert material flows through createSign/verify, not this path.
   // allow:raw-randombytes-token — boundary string, not auth credential
   var boundary = "blamejs-pgp-" + nodeCrypto.randomBytes(12).toString("hex");
-  var multipartSigned =
-    'Content-Type: multipart/signed; micalg="pgp-' + hashName + '"; ' +
-    'protocol="application/pgp-signature"; boundary="' + boundary + '"\r\n' +
-    "\r\n" +
-    "--" + boundary + "\r\n" +
-    (Buffer.isBuffer(message) ? message.toString("binary") : message) +
-    "\r\n--" + boundary + "\r\n" +
-    'Content-Type: application/pgp-signature; name="signature.asc"\r\n' +
-    "Content-Description: OpenPGP digital signature\r\n" +
-    'Content-Disposition: attachment; filename="signature.asc"\r\n' +
-    "\r\n" +
-    armored +
-    "--" + boundary + "--\r\n";
+  // The OpenPGP signature covers the signed-part bytes exactly, so the
+  // multipart/signed wrapper is assembled as a Buffer — a JS-string round
+  // trip through latin1/utf8 could corrupt non-ASCII signed content and
+  // break signature verification. `multipartSigned` is therefore a Buffer.
+  var messageBytes = Buffer.isBuffer(message) ? message : Buffer.from(message, "utf8");
+  var multipartSigned = Buffer.concat([
+    Buffer.from(
+      'Content-Type: multipart/signed; micalg="pgp-' + hashName + '"; ' +
+      'protocol="application/pgp-signature"; boundary="' + boundary + '"\r\n' +
+      "\r\n" +
+      "--" + boundary + "\r\n", "utf8"),
+    messageBytes,
+    Buffer.from(
+      "\r\n--" + boundary + "\r\n" +
+      'Content-Type: application/pgp-signature; name="signature.asc"\r\n' +
+      "Content-Description: OpenPGP digital signature\r\n" +
+      'Content-Disposition: attachment; filename="signature.asc"\r\n' +
+      "\r\n" +
+      armored +
+      "--" + boundary + "--\r\n", "utf8"),
+  ]);
 
   // Audit (drop-silent — never crash the request that triggered us).
   _audit(opts.audit, "mail.crypto.pgp.sign", "success", {

package/lib/network-tls.js

@@ -3066,9 +3066,13 @@ function checkServerIdentity9525(host, cert) {
   }
   var rawSan = cert.subjectaltname;
   if (typeof rawSan !== "string" || rawSan.length === 0) {
-    // RFC 9525 §6.4.4 forbids CN fallback. If there's no SAN we refuse,
-    // never inspect cert.subject.CN — a CN-only cert violates the
-    // modern PKIX baseline and the operator chose the strict checker.
+    // RFC 9525 §6.4.4 forbids CN fallback. A CN-only legacy cert (CN
+    // present, no SAN) surfaces the distinct `tls/pkix-cn-fallback-refused`
+    // code so audit logs can tell it apart from a cert carrying neither;
+    // a cert with no SAN and no CN falls through to `tls/pkix-san-required`.
+    // Both refuse — we never fall back to matching on the Common Name.
+    var cnRefusal = _refuseCnFallback(host, cert);
+    if (cnRefusal) return cnRefusal;
     return new NetworkTlsError("tls/pkix-san-required",
       "checkServerIdentity9525: certificate has no subjectAltName " +
       "extension (RFC 9525 §6.4.4 forbids Common Name fallback)");
@@ -3117,10 +3121,11 @@ function _refuseCnFallback(host, cert) {
   return null;
 }
 
-// Public combined verifier — applies both the SAN-required check and
-// the CN-fallback explicit refusal so operators get the more specific
-// of the two error codes when applicable. checkServerIdentity9525 is
-// the drop-in name; this internal helper is what `connect` wires in.
+// Explicit combined verifier kept for tests + callers that want the
+// CN-fallback / SAN-required split spelled out. The exported drop-in
+// `checkServerIdentity9525` already performs the CN-fallback refusal in
+// its no-SAN branch, so the `_refuseCnFallback` call here is a redundant
+// (idempotent) belt-and-suspenders; the more specific code wins either way.
 function _checkServerIdentityStrict(host, cert) {
   var cnRefusal = _refuseCnFallback(host, cert);
   if (cnRefusal) return cnRefusal;

package/lib/protobuf-encoder.js

@@ -82,6 +82,14 @@ function _writeVarint(value) {
 }
 
 function _tag(fieldNumber, wireType) {
+  // `fieldNumber << 3` uses JS's 32-bit signed shift, which overflows and
+  // emits a wrong tag once fieldNumber reaches 2^28. Reject anything outside
+  // the safe single-shift range rather than encode silently wrong — the OTLP
+  // schema this serves uses small field numbers well within it.
+  if (fieldNumber < 1 || fieldNumber > 268435455) {  // 2^28 - 1
+    throw new RangeError("protobuf: field number " + fieldNumber +
+      " out of range (1..2^28-1)");
+  }
   return _writeVarint((fieldNumber << 3) | wireType);
 }
 

package/lib/queue.js

@@ -417,8 +417,10 @@ function consume(queueName, handler, opts) {
       }
       var jobs;
       try { jobs = await b.lease(queueName, leaseDurationMs, slots); }
-      catch {
-        // Backend down (breaker open, etc.) — back off
+      catch (e) {
+        // Backend down (breaker open, etc.) — log + back off so a flapping
+        // backend that hasn't yet tripped the breaker is still visible.
+        log.debug("lease-failed", { op: "b.lease", queue: queueName, error: e.message });
         await _pollSleep(pollIntervalMs);
         continue;
       }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.14.0",
+  "version": "0.14.1",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:e6a01e68-c8b4-4c27-b3b5-f1ddf1aad212",
+  "serialNumber": "urn:uuid:5ae2d0f7-e30f-4d02-90d0-975129430c5f",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-30T04:02:38.743Z",
+    "timestamp": "2026-05-30T05:49:41.774Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.14.0",
+      "bom-ref": "@blamejs/core@0.14.1",
       "type": "application",
       "name": "blamejs",
-      "version": "0.14.0",
+      "version": "0.14.1",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.14.0",
+      "purl": "pkg:npm/%40blamejs/core@0.14.1",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.14.0",
+      "ref": "@blamejs/core@0.14.1",
       "dependsOn": []
     }
   ]