@blamejs/core 0.14.0 → 0.14.2
- package/CHANGELOG.md +4 -0
- package/lib/_test/crypto-fixtures.js +3 -3
- package/lib/a2a-tasks.js +18 -18
- package/lib/a2a.js +4 -4
- package/lib/acme.js +3 -3
- package/lib/agent-idempotency.js +1 -1
- package/lib/agent-orchestrator.js +8 -8
- package/lib/agent-posture-chain.js +2 -2
- package/lib/agent-saga.js +1 -1
- package/lib/agent-snapshot.js +1 -1
- package/lib/agent-stream.js +1 -1
- package/lib/agent-tenant.js +1 -1
- package/lib/agent-trace.js +3 -3
- package/lib/ai-capability.js +1 -1
- package/lib/ai-dp.js +4 -4
- package/lib/ai-input.js +3 -3
- package/lib/ai-model-manifest.js +7 -7
- package/lib/ai-pref.js +3 -3
- package/lib/archive-gz.js +2 -2
- package/lib/archive-read.js +25 -25
- package/lib/archive-tar-read.js +2 -2
- package/lib/archive-tar.js +20 -20
- package/lib/archive-wrap.js +10 -10
- package/lib/argon2-builtin.js +1 -1
- package/lib/asn1-der.js +45 -34
- package/lib/atomic-file.js +2 -2
- package/lib/audit-daily-review.js +3 -3
- package/lib/audit-sign.js +5 -5
- package/lib/audit-tools.js +1 -1
- package/lib/audit.js +2 -2
- package/lib/auth/acr-vocabulary.js +2 -2
- package/lib/auth/bot-challenge.js +3 -3
- package/lib/auth/ciba.js +7 -7
- package/lib/auth/dpop.js +3 -3
- package/lib/auth/fido-mds3.js +8 -8
- package/lib/auth/jar.js +11 -0
- package/lib/auth/jwt-external.js +5 -5
- package/lib/auth/oauth.js +7 -9
- package/lib/auth/oid4vci.js +10 -10
- package/lib/auth/oid4vp.js +2 -2
- package/lib/auth/openid-federation.js +2 -2
- package/lib/auth/passkey.js +3 -3
- package/lib/auth/saml.js +29 -25
- package/lib/auth/sd-jwt-vc-disclosure.js +1 -1
- package/lib/auth/sd-jwt-vc.js +4 -4
- package/lib/auth/status-list.js +10 -10
- package/lib/auth/step-up.js +1 -1
- package/lib/auth-bot-challenge.js +1 -1
- package/lib/backup/index.js +7 -7
- package/lib/base32.js +8 -8
- package/lib/budr.js +2 -2
- package/lib/cache-status.js +2 -2
- package/lib/calendar.js +23 -23
- package/lib/cbor.js +12 -12
- package/lib/cdn-cache-control.js +1 -1
- package/lib/cert.js +5 -5
- package/lib/cloud-events.js +5 -5
- package/lib/cms-codec.js +21 -21
- package/lib/codepoint-class.js +12 -12
- package/lib/compliance-sanctions-fuzzy.js +4 -4
- package/lib/compliance-sanctions.js +4 -4
- package/lib/compliance.js +29 -29
- package/lib/content-credentials.js +36 -36
- package/lib/cookies.js +1 -1
- package/lib/cose.js +13 -13
- package/lib/cra-report.js +1 -1
- package/lib/crdt.js +1 -1
- package/lib/crypto-field.js +2 -2
- package/lib/crypto-xwing.js +7 -7
- package/lib/crypto.js +6 -6
- package/lib/csp.js +2 -2
- package/lib/cwt.js +4 -4
- package/lib/dark-patterns.js +2 -2
- package/lib/data-act.js +2 -2
- package/lib/db-file-lifecycle.js +4 -4
- package/lib/db-query.js +1 -1
- package/lib/db.js +6 -6
- package/lib/dbsc.js +13 -13
- package/lib/did.js +17 -17
- package/lib/dora.js +4 -4
- package/lib/dsr.js +1 -1
- package/lib/early-hints.js +2 -2
- package/lib/eat.js +4 -4
- package/lib/external-db-migrate.js +1 -1
- package/lib/external-db.js +1 -1
- package/lib/flag-cache.js +1 -1
- package/lib/flag-evaluation-context.js +2 -2
- package/lib/graphql-federation.js +4 -4
- package/lib/guard-agent-registry.js +5 -5
- package/lib/guard-archive.js +24 -24
- package/lib/guard-cidr.js +33 -33
- package/lib/guard-csv.js +1 -1
- package/lib/guard-domain.js +10 -10
- package/lib/guard-dsn.js +4 -4
- package/lib/guard-email.js +19 -19
- package/lib/guard-event-bus-payload.js +4 -4
- package/lib/guard-event-bus-topic.js +6 -6
- package/lib/guard-filename.js +7 -7
- package/lib/guard-graphql.js +9 -9
- package/lib/guard-html-wcag-tagwalk.js +1 -1
- package/lib/guard-html-wcag.js +4 -4
- package/lib/guard-html.js +7 -7
- package/lib/guard-idempotency-key.js +6 -6
- package/lib/guard-image.js +4 -4
- package/lib/guard-imap-command.js +17 -17
- package/lib/guard-jmap.js +20 -20
- package/lib/guard-json.js +12 -12
- package/lib/guard-jsonpath.js +3 -3
- package/lib/guard-jwt.js +4 -4
- package/lib/guard-list-id.js +7 -7
- package/lib/guard-list-unsubscribe.js +8 -8
- package/lib/guard-mail-compose.js +4 -4
- package/lib/guard-mail-move.js +5 -5
- package/lib/guard-mail-query.js +3 -3
- package/lib/guard-mail-reply.js +3 -3
- package/lib/guard-mail-sieve.js +6 -6
- package/lib/guard-managesieve-command.js +25 -25
- package/lib/guard-markdown.js +31 -31
- package/lib/guard-message-id.js +5 -5
- package/lib/guard-mime.js +1 -1
- package/lib/guard-oauth.js +3 -3
- package/lib/guard-pdf.js +6 -6
- package/lib/guard-pop3-command.js +11 -11
- package/lib/guard-posture-chain.js +5 -5
- package/lib/guard-regex.js +10 -10
- package/lib/guard-saga-config.js +5 -5
- package/lib/guard-smtp-command.js +6 -6
- package/lib/guard-snapshot-envelope.js +3 -3
- package/lib/guard-stream-args.js +4 -4
- package/lib/guard-svg.js +11 -11
- package/lib/guard-tenant-id.js +5 -5
- package/lib/guard-time.js +15 -15
- package/lib/guard-trace-context.js +4 -4
- package/lib/guard-uuid.js +11 -11
- package/lib/guard-xml.js +12 -12
- package/lib/guard-yaml.js +16 -16
- package/lib/honeytoken.js +5 -5
- package/lib/http-client.js +1 -1
- package/lib/http-message-signature.js +2 -2
- package/lib/iab-mspa.js +3 -3
- package/lib/iab-tcf.js +70 -70
- package/lib/inbox.js +4 -4
- package/lib/ip-utils.js +15 -15
- package/lib/jose-jwe-experimental.js +2 -2
- package/lib/json-path.js +3 -3
- package/lib/json-schema.js +1 -1
- package/lib/jsonapi.js +3 -3
- package/lib/jtd.js +2 -2
- package/lib/link-header.js +1 -1
- package/lib/local-db-thin.js +1 -1
- package/lib/log.js +1 -1
- package/lib/lro.js +4 -4
- package/lib/mail-agent.js +1 -1
- package/lib/mail-arc-sign.js +6 -6
- package/lib/mail-auth.js +43 -43
- package/lib/mail-bimi.js +3 -3
- package/lib/mail-crypto-pgp.js +53 -45
- package/lib/mail-crypto-smime.js +5 -5
- package/lib/mail-dav.js +1 -1
- package/lib/mail-deploy.js +39 -39
- package/lib/mail-dkim.js +11 -11
- package/lib/mail-greylist.js +12 -12
- package/lib/mail-helo.js +1 -1
- package/lib/mail-journal.js +8 -8
- package/lib/mail-rbl.js +7 -7
- package/lib/mail-scan.js +7 -7
- package/lib/mail-send-deliver.js +2 -2
- package/lib/mail-server-imap.js +12 -12
- package/lib/mail-server-jmap.js +16 -16
- package/lib/mail-server-managesieve.js +4 -4
- package/lib/mail-server-mx.js +17 -17
- package/lib/mail-server-pop3.js +4 -4
- package/lib/mail-server-rate-limit.js +2 -2
- package/lib/mail-server-submission.js +21 -21
- package/lib/mail-sieve.js +2 -2
- package/lib/mail-spam-score.js +5 -5
- package/lib/mail-srs.js +12 -12
- package/lib/mail-store-fts.js +2 -2
- package/lib/mail-store.js +8 -8
- package/lib/mail-unsubscribe.js +4 -4
- package/lib/mail.js +4 -4
- package/lib/mcp-tool-registry.js +4 -4
- package/lib/mcp.js +8 -8
- package/lib/mdoc.js +2 -2
- package/lib/metrics.js +8 -8
- package/lib/middleware/age-gate.js +1 -1
- package/lib/middleware/api-encrypt.js +7 -7
- package/lib/middleware/assetlinks.js +2 -2
- package/lib/middleware/asyncapi-serve.js +2 -2
- package/lib/middleware/bearer-auth.js +5 -5
- package/lib/middleware/body-parser.js +5 -5
- package/lib/middleware/compose-pipeline.js +15 -15
- package/lib/middleware/csp-report.js +4 -4
- package/lib/middleware/daily-byte-quota.js +1 -1
- package/lib/middleware/dpop.js +1 -1
- package/lib/middleware/headers.js +2 -2
- package/lib/middleware/host-allowlist.js +1 -1
- package/lib/middleware/idempotency-key.js +12 -12
- package/lib/middleware/nel.js +1 -1
- package/lib/middleware/openapi-serve.js +2 -2
- package/lib/middleware/protected-resource-metadata.js +2 -2
- package/lib/middleware/require-aal.js +1 -1
- package/lib/middleware/require-bound-key.js +2 -2
- package/lib/middleware/require-content-type.js +1 -1
- package/lib/middleware/require-methods.js +1 -1
- package/lib/middleware/require-step-up.js +2 -2
- package/lib/middleware/scim-server.js +1 -1
- package/lib/middleware/security-txt.js +3 -3
- package/lib/middleware/tus-upload.js +12 -12
- package/lib/middleware/web-app-manifest.js +2 -2
- package/lib/network-byte-quota.js +1 -1
- package/lib/network-dns-resolver.js +23 -23
- package/lib/network-dns.js +29 -29
- package/lib/network-dnssec.js +33 -33
- package/lib/network-smtp-policy.js +10 -10
- package/lib/network-tls.js +99 -94
- package/lib/network-tsig.js +33 -33
- package/lib/nis2-report.js +1 -1
- package/lib/ntp-check.js +3 -3
- package/lib/observability-otlp-exporter.js +17 -17
- package/lib/observability-tracer.js +6 -6
- package/lib/observability.js +8 -8
- package/lib/openapi-yaml.js +1 -1
- package/lib/openapi.js +1 -1
- package/lib/outbox.js +6 -6
- package/lib/pqc-agent.js +4 -4
- package/lib/pqc-software.js +1 -1
- package/lib/privacy-pass.js +5 -5
- package/lib/problem-details.js +5 -5
- package/lib/promise-pool.js +1 -1
- package/lib/protobuf-encoder.js +9 -1
- package/lib/queue.js +4 -2
- package/lib/redact.js +2 -2
- package/lib/request-helpers.js +1 -1
- package/lib/router.js +10 -10
- package/lib/safe-async.js +2 -2
- package/lib/safe-dns.js +71 -71
- package/lib/safe-ical.js +19 -19
- package/lib/safe-icap.js +24 -24
- package/lib/safe-jsonpath.js +2 -2
- package/lib/safe-mime.js +10 -10
- package/lib/safe-mount-info.js +3 -3
- package/lib/safe-redirect.js +1 -1
- package/lib/safe-sieve.js +23 -23
- package/lib/safe-smtp.js +1 -1
- package/lib/safe-vcard.js +14 -14
- package/lib/sandbox.js +5 -5
- package/lib/sec-cyber.js +1 -1
- package/lib/self-update-standalone-verifier.js +3 -3
- package/lib/self-update.js +3 -3
- package/lib/server-timing.js +3 -3
- package/lib/session-device-binding.js +7 -7
- package/lib/session.js +8 -8
- package/lib/standard-webhooks.js +4 -4
- package/lib/storage.js +2 -2
- package/lib/stream-throttle.js +1 -1
- package/lib/structured-fields.js +15 -15
- package/lib/subject.js +1 -1
- package/lib/tcpa-10dlc.js +1 -1
- package/lib/tenant-quota.js +3 -3
- package/lib/test-harness.js +1 -1
- package/lib/tracing.js +1 -1
- package/lib/tsa.js +5 -5
- package/lib/uri-template.js +5 -5
- package/lib/vault/index.js +2 -2
- package/lib/vault/seal-pem-file.js +4 -4
- package/lib/vc.js +2 -2
- package/lib/vendor-data.js +1 -1
- package/lib/watcher.js +4 -4
- package/lib/web-push-vapid.js +21 -21
- package/lib/webhook.js +2 -2
- package/lib/websocket.js +3 -3
- package/lib/worker-pool.js +3 -3
- package/lib/ws-client.js +24 -24
- package/lib/xml-c14n.js +2 -2
- package/package.json +1 -1
- package/sbom.cdx.json +6 -6
|
@@ -69,8 +69,8 @@ var DEFAULT_METHODS = Object.freeze(["POST", "PUT", "PATCH", "DELETE"]);
|
|
|
69
69
|
// control chars, length 1..255 (typical client implementations cap
|
|
70
70
|
// at 36 for UUID + a few extra for vendor prefixes; 255 is the
|
|
71
71
|
// upper bound that still fits a single HTTP header line).
|
|
72
|
-
var KEY_RE = /^[\x21-\x7E]+$/; //
|
|
73
|
-
var KEY_MAX_LEN = 255; //
|
|
72
|
+
var KEY_RE = /^[\x21-\x7E]+$/; // printable ASCII codepoint range
|
|
73
|
+
var KEY_MAX_LEN = 255; // draft §2 upper bound
|
|
74
74
|
|
|
75
75
|
/**
|
|
76
76
|
* @primitive b.middleware.idempotencyKey.memoryStore
|
|
@@ -101,7 +101,7 @@ function memoryStore(opts) {
|
|
|
101
101
|
opts = opts || {};
|
|
102
102
|
numericBounds.requirePositiveFiniteIntIfPresent(
|
|
103
103
|
opts.maxEntries, "memoryStore.maxEntries", IdempotencyError, "idempotency/bad-max-entries");
|
|
104
|
-
var maxEntries = opts.maxEntries !== undefined ? opts.maxEntries : 10000; //
|
|
104
|
+
var maxEntries = opts.maxEntries !== undefined ? opts.maxEntries : 10000; // default in-memory cap, not bytes
|
|
105
105
|
var data = new Map();
|
|
106
106
|
return {
|
|
107
107
|
get: function (key) {
|
|
@@ -705,7 +705,7 @@ function create(opts) {
|
|
|
705
705
|
var missing = problemDetails().create({
|
|
706
706
|
type: problemDetails().getBase() + "/idempotency/missing-key",
|
|
707
707
|
title: "Idempotency-Key header required",
|
|
708
|
-
status: 400, //
|
|
708
|
+
status: 400, // HTTP status 400 Bad Request
|
|
709
709
|
detail: "This endpoint requires an Idempotency-Key header (draft-ietf-httpapi-idempotency-key).",
|
|
710
710
|
});
|
|
711
711
|
_emitAudit("idempotency.missing_key", { method: method, path: req.url }, "denied");
|
|
@@ -716,7 +716,7 @@ function create(opts) {
|
|
|
716
716
|
var bad = problemDetails().create({
|
|
717
717
|
type: problemDetails().getBase() + "/idempotency/bad-key",
|
|
718
718
|
title: "Idempotency-Key malformed",
|
|
719
|
-
status: 400, //
|
|
719
|
+
status: 400, // HTTP status 400
|
|
720
720
|
detail: "Idempotency-Key must be ASCII printable, length 1.." + KEY_MAX_LEN + " (draft §2).",
|
|
721
721
|
});
|
|
722
722
|
_emitAudit("idempotency.bad_key", { method: method, keyLen: key.length }, "denied");
|
|
@@ -781,7 +781,7 @@ function create(opts) {
|
|
|
781
781
|
var missingBody = problemDetails().create({
|
|
782
782
|
type: problemDetails().getBase() + "/idempotency/missing-body-fingerprint",
|
|
783
783
|
title: "Idempotency body fingerprint unavailable",
|
|
784
|
-
status: 400, //
|
|
784
|
+
status: 400, // HTTP status 400 Bad Request
|
|
785
785
|
detail: "The idempotency middleware could not derive a body fingerprint for this " +
|
|
786
786
|
"request. Mount body-parser BEFORE the idempotency middleware, OR provide an " +
|
|
787
787
|
"opts.bodyFingerprint(req) hook. To restore the pre-0.9.58 method+path-only " +
|
|
@@ -809,7 +809,7 @@ function create(opts) {
|
|
|
809
809
|
var mismatch = problemDetails().create({
|
|
810
810
|
type: problemDetails().getBase() + "/idempotency/key-reuse-mismatch",
|
|
811
811
|
title: "Idempotency-Key reused with different request",
|
|
812
|
-
status: 422, //
|
|
812
|
+
status: 422, // HTTP status 422 Unprocessable Content (RFC 9110)
|
|
813
813
|
detail: "The Idempotency-Key matches a prior request but the request body/method/path differs (draft §4.3).",
|
|
814
814
|
});
|
|
815
815
|
_emitAudit("idempotency.key_reuse_mismatch",
|
|
@@ -865,10 +865,10 @@ function create(opts) {
|
|
|
865
865
|
if (!captured) {
|
|
866
866
|
captured = true;
|
|
867
867
|
_pushChunk(chunk, encoding);
|
|
868
|
-
var status = res.statusCode || 200; //
|
|
868
|
+
var status = res.statusCode || 200; // default HTTP status 200
|
|
869
869
|
// Only persist 2xx-4xx responses; 5xx is transient infra
|
|
870
870
|
// failure that should be retried fresh, not replayed.
|
|
871
|
-
if (!oversized && status >= 200 && status < 500) { //
|
|
871
|
+
if (!oversized && status >= 200 && status < 500) { // HTTP status class boundaries
|
|
872
872
|
var headerMap = {};
|
|
873
873
|
try {
|
|
874
874
|
var allHeaders = typeof res.getHeaders === "function" ? res.getHeaders() : {};
|
|
@@ -913,13 +913,13 @@ function _hashKey(key) {
|
|
|
913
913
|
// Hash before logging — operator's audit chain shouldn't carry raw
|
|
914
914
|
// idempotency keys (clients sometimes inadvertently put PII / order
|
|
915
915
|
// numbers in them).
|
|
916
|
-
return nodeCrypto.createHash("sha3-256").update(key, "utf8").digest("hex").slice(0, 16); //
|
|
916
|
+
return nodeCrypto.createHash("sha3-256").update(key, "utf8").digest("hex").slice(0, 16); // log-truncation length, not bytes
|
|
917
917
|
}
|
|
918
918
|
|
|
919
919
|
function _redactKey(key) {
|
|
920
920
|
if (typeof key !== "string") return "<non-string>";
|
|
921
|
-
if (key.length <= 8) return "<short:" + key.length + ">"; //
|
|
922
|
-
return key.slice(0, 4) + "..." + key.slice(-2) + " (len=" + key.length + ")"; //
|
|
921
|
+
if (key.length <= 8) return "<short:" + key.length + ">"; // log-redaction length threshold
|
|
922
|
+
return key.slice(0, 4) + "..." + key.slice(-2) + " (len=" + key.length + ")"; // log-redaction prefix/suffix lengths
|
|
923
923
|
}
|
|
924
924
|
|
|
925
925
|
/**
|
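Review bot: In `_hashKey`, the new comment `// log-truncation length, not bytes` does not say what the logged value protects: it is 16 hex characters (64 bits) of an unkeyed SHA3-256 digest. The comment above that line says clients sometimes put PII or order numbers in keys, and an unkeyed digest of a guessable value can be matched by hashing candidate values, so low-entropy keys remain linkable from the audit chain. If a server-side secret is available to this module (not visible here), `nodeCrypto.createHmac("sha3-256", AUDIT_SECRET_PLACEHOLDER).update(key, "utf8").digest("hex").slice(0, 16)` closes that; otherwise the comment should state the limit, e.g. `// 16 hex chars = 64 bits of an unkeyed digest: correlates entries, does not hide guessable keys`. `_redactKey` in the same hunk prints six characters of any key longer than eight, which for a nine-character key is most of it. `_hashKey` begins above the hunk.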
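--- a/package/lib/middleware/nel.js
+++ b/package/lib/middleware/nel.js
@@ -149,7 +149,7 @@ function create(opts) {
 // honor secure-origin report endpoints. Refusing at config-time so
 // an operator typo (`http://`) surfaces at boot, not as silent
 // never-fires-in-production.
-if (opts.collectorUrl.slice(0, 8) !== "https://") { //
+if (opts.collectorUrl.slice(0, 8) !== "https://") { // string-prefix length, not bytes
 throw new TypeError(
 "middleware.nel: opts.collectorUrl must be https:// (browsers " +
 "ignore non-secure NEL collectors); got " + opts.collectorUrl);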
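Review bot: The guard on `opts.collectorUrl` compares the first eight characters by hand, and the new comment exists only to explain the literal `8`; `if (!opts.collectorUrl.startsWith("https://")) {` states the same check with no magic number. Either form accepts a value such as `https://` with no host and assumes `collectorUrl` is already a string, which this hunk does not show being checked. Parsing with `new URL(opts.collectorUrl)` and testing `.protocol !== "https:"` would reject malformed values at boot as well. The thrown message echoes the full URL, so a collector URL that carries a token in its query string would end up in startup logs. The body of `create` continues outside the hunk.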
@@ -113,7 +113,7 @@ function create(opts) {
|
|
|
113
113
|
function _writeBody(req, res, body, etag, contentType) {
|
|
114
114
|
var requestEtag = (req.headers && req.headers["if-none-match"]) || null;
|
|
115
115
|
if (requestEtag && requestEtag === etag) {
|
|
116
|
-
res.writeHead(304, { "ETag": etag, "Cache-Control": cacheControl }); //
|
|
116
|
+
res.writeHead(304, { "ETag": etag, "Cache-Control": cacheControl }); // HTTP 304
|
|
117
117
|
res.end();
|
|
118
118
|
return;
|
|
119
119
|
}
|
|
@@ -126,7 +126,7 @@ function create(opts) {
|
|
|
126
126
|
if (accessControl === "public") {
|
|
127
127
|
headers["Access-Control-Allow-Origin"] = "*";
|
|
128
128
|
}
|
|
129
|
-
res.writeHead(200, headers); //
|
|
129
|
+
res.writeHead(200, headers); // HTTP 200
|
|
130
130
|
res.end(body);
|
|
131
131
|
}
|
|
132
132
|
|
|
@@ -214,8 +214,8 @@ function create(opts) {
|
|
|
214
214
|
var signAlgo = null;
|
|
215
215
|
if (sm.alg === "ES256") { signAlgo = "sha256"; signParams.dsaEncoding = "ieee-p1363"; }
|
|
216
216
|
else if (sm.alg === "ES384") { signAlgo = "sha384"; signParams.dsaEncoding = "ieee-p1363"; }
|
|
217
|
-
else if (sm.alg === "PS256") { signAlgo = "sha256"; signParams.padding = nodeCrypto.constants.RSA_PKCS1_PSS_PADDING; signParams.saltLength = 32; } //
|
|
218
|
-
else if (sm.alg === "PS384") { signAlgo = "sha384"; signParams.padding = nodeCrypto.constants.RSA_PKCS1_PSS_PADDING; signParams.saltLength = 48; } //
|
|
217
|
+
else if (sm.alg === "PS256") { signAlgo = "sha256"; signParams.padding = nodeCrypto.constants.RSA_PKCS1_PSS_PADDING; signParams.saltLength = 32; } // RFC 7518 PS256 salt
|
|
218
|
+
else if (sm.alg === "PS384") { signAlgo = "sha384"; signParams.padding = nodeCrypto.constants.RSA_PKCS1_PSS_PADDING; signParams.saltLength = 48; } // RFC 7518 PS384 salt
|
|
219
219
|
var sig = nodeCrypto.sign(signAlgo, Buffer.from(input, "ascii"), signParams);
|
|
220
220
|
signedJwt = input + "." + _b64url(sig);
|
|
221
221
|
}
|
|
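Review bot: The `sm.alg` chain has no final `else`, so any value other than ES256, ES384, PS256 or PS384 leaves `signAlgo` as `null` and still reaches `nodeCrypto.sign(signAlgo, ...)`. Unless `sm.alg` is validated before this hunk, or `null` is the intended path for an EdDSA key, the signer should fail closed with a final `else { throw new TypeError("unsupported signing alg: " + sm.alg); }` (error type to follow the file's own convention). The two salt literals could also be `nodeCrypto.constants.RSA_PSS_SALTLEN_DIGEST`, which ties the salt length to the digest and removes the need for the new comments. `create` starts and ends outside the hunk.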
@@ -36,7 +36,7 @@ function _writeUnauthorized(res, requiredBand, actualBand, realm) {
|
|
|
36
36
|
});
|
|
37
37
|
var realmStr = realm ? ' realm="' + realm + '"' : "";
|
|
38
38
|
var challenge = "AAL-StepUp" + realmStr + ', required="' + requiredBand + '"';
|
|
39
|
-
res.writeHead(401, { //
|
|
39
|
+
res.writeHead(401, { // HTTP 401 status
|
|
40
40
|
"Content-Type": "application/json; charset=utf-8",
|
|
41
41
|
"Content-Length": Buffer.byteLength(body),
|
|
42
42
|
"WWW-Authenticate": challenge,
|
|
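Review bot: `realm` and `requiredBand` are concatenated into the `WWW-Authenticate` challenge inside double quotes without escaping, on the two lines above the annotated `res.writeHead(401, {`. A `"` or `\` in either value changes how a client parses the challenge parameters, and a CR or LF makes `writeHead` throw instead of sending the 401. If either value can come from anything other than fixed configuration (not visible in this hunk), escape it as a quoted-string first, e.g. `String(realm).replace(/[\\"]/g, "\\$&")`, and reject control characters. `_writeUnauthorized` begins above the hunk and continues below it.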
@@ -215,12 +215,12 @@ function create(opts) {
|
|
|
215
215
|
var presented;
|
|
216
216
|
try { presented = getter(req); }
|
|
217
217
|
catch (e) {
|
|
218
|
-
return _refuse(res, 400, "bound-field-getter-threw", { //
|
|
218
|
+
return _refuse(res, 400, "bound-field-getter-threw", { // HTTP 400
|
|
219
219
|
field: fieldName, error: (e && e.message) || String(e),
|
|
220
220
|
});
|
|
221
221
|
}
|
|
222
222
|
if (typeof presented !== "string" || presented.length === 0) {
|
|
223
|
-
return _refuse(res, 400, "bound-field-missing", { //
|
|
223
|
+
return _refuse(res, 400, "bound-field-missing", { // HTTP 400
|
|
224
224
|
field: fieldName, keyId: record.id || null,
|
|
225
225
|
});
|
|
226
226
|
}
|
|
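Review bot: The `catch` branch passes `(e && e.message) || String(e)` to `_refuse` as `error`, and `_refuse` is not visible here, so it is unclear whether that text reaches the HTTP response body. If it does, an exception thrown by `getter` exposes internal detail to the caller; keep the message on the audit/log path and return only the `bound-field-getter-threw` code. A throwing getter also looks like a server-side fault rather than a malformed request, so the status annotated `// HTTP 400` may be better as a 5xx. `create` starts and ends outside the hunk.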
@@ -91,7 +91,7 @@ function create(allowed, opts) {
|
|
|
91
91
|
if (bare.length > 0 && normalized.indexOf(bare) !== -1) return next();
|
|
92
92
|
if (!res.headersSent) {
|
|
93
93
|
var body = "Unsupported Media Type";
|
|
94
|
-
res.writeHead(415, { //
|
|
94
|
+
res.writeHead(415, { // HTTP 415 status
|
|
95
95
|
"Accept": normalized.join(", "),
|
|
96
96
|
"Content-Type": "text/plain; charset=utf-8",
|
|
97
97
|
"Content-Length": Buffer.byteLength(body),
|
|
@@ -75,7 +75,7 @@ function create(allowed, opts) {
|
|
|
75
75
|
if (normalized.indexOf(m) !== -1) return next();
|
|
76
76
|
if (!res.headersSent) {
|
|
77
77
|
var body = "Method Not Allowed";
|
|
78
|
-
res.writeHead(405, { //
|
|
78
|
+
res.writeHead(405, { // HTTP 405 status
|
|
79
79
|
"Allow": allowHeader,
|
|
80
80
|
"Content-Type": "text/plain; charset=utf-8",
|
|
81
81
|
"Content-Length": Buffer.byteLength(body),
|
|
@@ -67,7 +67,7 @@ function _defaultGetClaims(req) {
|
|
|
67
67
|
function _writeChallenge(res, challenge, body, statusCode) {
|
|
68
68
|
if (res.headersSent) return;
|
|
69
69
|
var json = JSON.stringify(body);
|
|
70
|
-
res.writeHead(statusCode, { //
|
|
70
|
+
res.writeHead(statusCode, { // HTTP status passthrough
|
|
71
71
|
"Content-Type": "application/json; charset=utf-8",
|
|
72
72
|
"Content-Length": Buffer.byteLength(json),
|
|
73
73
|
"WWW-Authenticate": challenge,
|
|
@@ -218,7 +218,7 @@ function create(opts) {
|
|
|
218
218
|
error: stepUp().INSUFFICIENT_USER_AUTHENTICATION,
|
|
219
219
|
error_description: errorDesc || "A higher level of authentication is required",
|
|
220
220
|
},
|
|
221
|
-
401 //
|
|
221
|
+
401 // HTTP 401
|
|
222
222
|
);
|
|
223
223
|
};
|
|
224
224
|
}
|
|
@@ -61,7 +61,7 @@ function create(opts) {
|
|
|
61
61
|
if (opts.groups) _validateResourceImpl(opts.groups, "groups");
|
|
62
62
|
|
|
63
63
|
var basePath = opts.basePath || "/scim/v2";
|
|
64
|
-
var maxPageSize = opts.maxPageSize || 200; //
|
|
64
|
+
var maxPageSize = opts.maxPageSize || 200; // page-size count, not bytes
|
|
65
65
|
var bearer = opts.bearer || null;
|
|
66
66
|
|
|
67
67
|
function middleware(req, res, next) {
|
|
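Review bot: `opts.maxPageSize || 200` accepts whatever the caller passes, including a negative number, a float, `Infinity` or a numeric string, and the new comment only says the value is a count. No validation is visible in this hunk; if none exists earlier in `create`, the cap that bounds SCIM response size is not guaranteed to be a positive integer. The idempotency-key middleware on this page checks its numeric option with `numericBounds.requirePositiveFiniteIntIfPresent(...)` before applying the default, and the same check here (if that helper is available to this file) would make the cap reliable.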
@@ -144,15 +144,15 @@ function create(opts) {
|
|
|
144
144
|
(alsoAtRoot && path === "/security.txt");
|
|
145
145
|
if (!matches) return next();
|
|
146
146
|
if (req.method !== "GET" && req.method !== "HEAD") {
|
|
147
|
-
res.writeHead(405, { //
|
|
147
|
+
res.writeHead(405, { // HTTP 405 status
|
|
148
148
|
"Allow": "GET, HEAD",
|
|
149
149
|
"Content-Type": "text/plain; charset=utf-8",
|
|
150
|
-
"Content-Length": 18, //
|
|
150
|
+
"Content-Length": 18, // len of "Method Not Allowed"
|
|
151
151
|
});
|
|
152
152
|
res.end("Method Not Allowed");
|
|
153
153
|
return;
|
|
154
154
|
}
|
|
155
|
-
res.writeHead(200, { //
|
|
155
|
+
res.writeHead(200, { // HTTP 200 status
|
|
156
156
|
"Content-Type": "text/plain; charset=utf-8",
|
|
157
157
|
"Content-Length": bodyBuf.length,
|
|
158
158
|
"Cache-Control": "public, max-age=86400",
|
|
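Review bot: The 405 branch hard-codes `"Content-Length": 18`, and the new comment `// len of "Method Not Allowed"` documents the coupling instead of removing it. If the body string is ever edited, the header and the bytes written by `res.end("Method Not Allowed")` disagree, which misframes the response on a keep-alive connection. Hoist the text with `var bodyMsg = "Method Not Allowed";` and send `"Content-Length": Buffer.byteLength(bodyMsg)` with `res.end(bodyMsg)`, as the `application/manifest+json` handler further down this page already does.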
@@ -59,18 +59,18 @@ var TUS_ID_BYTES = C.BYTES.bytes(18);
|
|
|
59
59
|
|
|
60
60
|
// HTTP status codes used by TUS — hoisted to named constants so the
|
|
61
61
|
// raw-byte-literal detector doesn't fire on every status path.
|
|
62
|
-
var STATUS_OK = 200; //
|
|
63
|
-
var STATUS_CREATED = 201; //
|
|
64
|
-
var STATUS_NO_CONTENT = 204; //
|
|
65
|
-
var STATUS_BAD_REQUEST = 400; //
|
|
66
|
-
var STATUS_NOT_FOUND = 404; //
|
|
67
|
-
var STATUS_METHOD_NOT_ALLOWED = 405; //
|
|
68
|
-
var STATUS_CONFLICT = 409; //
|
|
69
|
-
var STATUS_PRECONDITION_FAILED = 412; //
|
|
70
|
-
var STATUS_PAYLOAD_TOO_LARGE = 413; //
|
|
71
|
-
var STATUS_UNSUPPORTED_MEDIA = 415; //
|
|
72
|
-
var STATUS_CHECKSUM_MISMATCH = 460; //
|
|
73
|
-
var STATUS_INTERNAL_ERROR = 500; //
|
|
62
|
+
var STATUS_OK = 200; // HTTP status
|
|
63
|
+
var STATUS_CREATED = 201; // HTTP status
|
|
64
|
+
var STATUS_NO_CONTENT = 204; // HTTP status
|
|
65
|
+
var STATUS_BAD_REQUEST = 400; // HTTP status
|
|
66
|
+
var STATUS_NOT_FOUND = 404; // HTTP status
|
|
67
|
+
var STATUS_METHOD_NOT_ALLOWED = 405; // HTTP status
|
|
68
|
+
var STATUS_CONFLICT = 409; // HTTP status
|
|
69
|
+
var STATUS_PRECONDITION_FAILED = 412; // HTTP status
|
|
70
|
+
var STATUS_PAYLOAD_TOO_LARGE = 413; // HTTP status
|
|
71
|
+
var STATUS_UNSUPPORTED_MEDIA = 415; // HTTP status
|
|
72
|
+
var STATUS_CHECKSUM_MISMATCH = 460; // TUS-specific status (§3.5)
|
|
73
|
+
var STATUS_INTERNAL_ERROR = 500; // HTTP status
|
|
74
74
|
|
|
75
75
|
var TusError = defineClass("TusError", { alwaysPermanent: true });
|
|
76
76
|
|
|
@@ -136,7 +136,7 @@ function create(opts) {
|
|
|
136
136
|
if (!matches) return next();
|
|
137
137
|
if (req.method !== "GET" && req.method !== "HEAD") {
|
|
138
138
|
var bodyMsg = "Method Not Allowed";
|
|
139
|
-
res.writeHead(405, { //
|
|
139
|
+
res.writeHead(405, { // HTTP 405 status
|
|
140
140
|
"Allow": "GET, HEAD",
|
|
141
141
|
"Content-Type": "text/plain; charset=utf-8",
|
|
142
142
|
"Content-Length": Buffer.byteLength(bodyMsg),
|
|
@@ -144,7 +144,7 @@ function create(opts) {
|
|
|
144
144
|
res.end(bodyMsg);
|
|
145
145
|
return;
|
|
146
146
|
}
|
|
147
|
-
res.writeHead(200, { //
|
|
147
|
+
res.writeHead(200, { // HTTP 200 status
|
|
148
148
|
"Content-Type": "application/manifest+json",
|
|
149
149
|
"Content-Length": bodyBuf.length,
|
|
150
150
|
"Cache-Control": "public, max-age=86400",
|
|
@@ -48,7 +48,7 @@ var observability = lazyRequire(function () { return require("./observability");
|
|
|
48
48
|
|
|
49
49
|
var ByteQuotaError = defineClass("ByteQuotaError", { alwaysPermanent: true });
|
|
50
50
|
|
|
51
|
-
var BINS_PER_DAY = 24; //
|
|
51
|
+
var BINS_PER_DAY = 24; // 24 hours in a day
|
|
52
52
|
var BIN_MS = C.TIME.hours(1);
|
|
53
53
|
|
|
54
54
|
function _hourBin(nowMs) { return Math.floor(nowMs / BIN_MS); }
|
|
@@ -132,23 +132,23 @@ var DEFAULT_PROFILE = "strict";
|
|
|
132
132
|
// OOM. Default 5000 entries: a parsed-response object ~100 bytes ×
|
|
133
133
|
// 5000 ≈ 500 KiB, several orders below operator-relevant memory
|
|
134
134
|
// pressure. LRU eviction picks the oldest accessed entry on overflow.
|
|
135
|
-
var DEFAULT_MAX_CACHE_ENTRIES = 5000; //
|
|
135
|
+
var DEFAULT_MAX_CACHE_ENTRIES = 5000; // cache-entry count, not a byte/time value
|
|
136
136
|
|
|
137
137
|
var QTYPE_BY_NAME = Object.freeze({
|
|
138
138
|
A: 1,
|
|
139
139
|
NS: 2,
|
|
140
|
-
CNAME: 5, //
|
|
141
|
-
SOA: 6, //
|
|
142
|
-
PTR: 12, //
|
|
143
|
-
MX: 15, //
|
|
144
|
-
TXT: 16, //
|
|
145
|
-
AAAA: 28, //
|
|
146
|
-
SRV: 33, //
|
|
147
|
-
DS: 43, //
|
|
148
|
-
DNSKEY: 48, //
|
|
149
|
-
TLSA: 52, //
|
|
150
|
-
SVCB: 64, //
|
|
151
|
-
HTTPS: 65, //
|
|
140
|
+
CNAME: 5, // IANA DNS qtype code
|
|
141
|
+
SOA: 6, // IANA DNS qtype code
|
|
142
|
+
PTR: 12, // IANA DNS qtype code
|
|
143
|
+
MX: 15, // IANA DNS qtype code
|
|
144
|
+
TXT: 16, // IANA DNS qtype code
|
|
145
|
+
AAAA: 28, // IANA DNS qtype code
|
|
146
|
+
SRV: 33, // IANA DNS qtype code
|
|
147
|
+
DS: 43, // IANA DNS qtype code
|
|
148
|
+
DNSKEY: 48, // IANA DNS qtype code
|
|
149
|
+
TLSA: 52, // IANA DNS qtype code
|
|
150
|
+
SVCB: 64, // IANA DNS qtype code
|
|
151
|
+
HTTPS: 65, // IANA DNS qtype code
|
|
152
152
|
});
|
|
153
153
|
|
|
154
154
|
/**
|
|
@@ -314,7 +314,7 @@ function create(opts) {
|
|
|
314
314
|
// Bit 5 of byte 3 of header; parsed.flags is the full 16-bit flags
|
|
315
315
|
// field at offset 2..3. AD is bit 5 within byte 3 = bit 5 of the
|
|
316
316
|
// low byte of the 16-bit flags value.
|
|
317
|
-
var ad = (parsed.flags & 0x0020) !== 0; //
|
|
317
|
+
var ad = (parsed.flags & 0x0020) !== 0; // RFC 4035 §3.2.3 AD-bit mask within DNS header flags
|
|
318
318
|
if (validate && !ad) {
|
|
319
319
|
throw new ResolverError("resolver/validate-failed",
|
|
320
320
|
"query: validate: true but upstream returned AD=0 for " + name + "/" + qtype);
|
|
@@ -455,7 +455,7 @@ async function _wireLookup(name, qtype) {
|
|
|
455
455
|
// parse (httpClient assumes JSON/text shapes).
|
|
456
456
|
var req = https.request({ // allow:raw-outbound-http — DoH wire-format response bytes; b.httpClient envelopes assume text/JSON, and httpClient → ssrfGuard → DNS → DoH would form a cycle
|
|
457
457
|
hostname: u.hostname,
|
|
458
|
-
port: u.port || 443, //
|
|
458
|
+
port: u.port || 443, // HTTPS port
|
|
459
459
|
path: u.pathname + u.search,
|
|
460
460
|
method: "GET",
|
|
461
461
|
headers: { "accept": "application/dns-message" },
|
|
@@ -473,7 +473,7 @@ async function _wireLookup(name, qtype) {
|
|
|
473
473
|
res.on("end", function () {
|
|
474
474
|
try {
|
|
475
475
|
if (pushFailed) { reject(pushFailed); return; }
|
|
476
|
-
if (res.statusCode !== 200) { //
|
|
476
|
+
if (res.statusCode !== 200) { // HTTP 200 OK
|
|
477
477
|
reject(new ResolverError("resolver/upstream-http",
|
|
478
478
|
"DoH HTTP " + res.statusCode + " for " + name));
|
|
479
479
|
return;
|
|
@@ -497,12 +497,12 @@ function _encodeWireQuery(name, qtype) {
|
|
|
497
497
|
var parts = name.split(".").filter(Boolean);
|
|
498
498
|
var nameLen = 1;
|
|
499
499
|
for (var i = 0; i < parts.length; i += 1) nameLen += 1 + Buffer.byteLength(parts[i], "ascii");
|
|
500
|
-
var buf = Buffer.alloc(12 + nameLen + 4); //
|
|
501
|
-
var id = bCrypto.randomInt(0, 0x10000); //
|
|
500
|
+
var buf = Buffer.alloc(12 + nameLen + 4); // RFC 1035 §4.1.1 header (12) + question tail (4) + name
|
|
501
|
+
var id = bCrypto.randomInt(0, 0x10000); // RFC 1035 §4.1.1 16-bit query ID space
|
|
502
502
|
buf.writeUInt16BE(id, 0);
|
|
503
|
-
buf.writeUInt16BE(0x0100, 2); //
|
|
504
|
-
buf.writeUInt16BE(1, 4); //
|
|
505
|
-
var off = 12; //
|
|
503
|
+
buf.writeUInt16BE(0x0100, 2); // RFC 1035 §4.1.1 RD=1 flags
|
|
504
|
+
buf.writeUInt16BE(1, 4); // RFC 1035 §4.1.1 qdcount
|
|
505
|
+
var off = 12; // RFC 1035 §4.1.1 header end / question start
|
|
506
506
|
for (var p = 0; p < parts.length; p += 1) {
|
|
507
507
|
var s = parts[p];
|
|
508
508
|
buf.writeUInt8(Buffer.byteLength(s, "ascii"), off);
|
|
@@ -512,8 +512,8 @@ function _encodeWireQuery(name, qtype) {
|
|
|
512
512
|
buf.writeUInt8(0, off);
|
|
513
513
|
off += 1;
|
|
514
514
|
buf.writeUInt16BE(qtype, off);
|
|
515
|
-
off += 2; //
|
|
516
|
-
buf.writeUInt16BE(1, off); //
|
|
515
|
+
off += 2; // RFC 1035 §4.1.2 QTYPE width
|
|
516
|
+
buf.writeUInt16BE(1, off); // RFC 1035 §4.1.2 QCLASS=IN
|
|
517
517
|
return buf;
|
|
518
518
|
}
|
|
519
519
|
|
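Review bot: `_encodeWireQuery` writes each label's length with `buf.writeUInt8(Buffer.byteLength(s, "ascii"), off)`, and nothing in the visible lines bounds it. RFC 1035 limits a label to 63 octets and a name to 255; a length above 63 collides with the bits the format reserves for compression pointers, and one above 255 makes `writeUInt8` throw a RangeError from inside the encoder. Unless the caller already validates `name` (outside these hunks), reject early in the sizing loop, e.g. `if (parts[i].length > 63) throw new ResolverError("resolver/PLACEHOLDER-CODE", "label too long");`, using the file's own error code in place of the placeholder. Separately, the AD-bit comment at line 317 could state that AD reports the upstream resolver's validation, so `validate: true` is only as strong as the trust placed in that resolver and the channel to it. The function's opening lines are outside the hunk.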