@blamejs/core 0.14.17 → 0.14.18

package/lib/middleware/asyncapi-serve.js

@@ -22,9 +22,42 @@
 var nodeCrypto    = require("node:crypto");
 var validateOpts  = require("../validate-opts");
 var lazyRequire   = require("../lazy-require");
+var safeUrl       = require("../safe-url");
 var { defineClass } = require("../framework-error");
 var AsyncApiError = defineClass("AsyncApiError", { alwaysPermanent: true });
 
+// Validate an operator-supplied accessControl.allowOrigin and return the
+// canonical `scheme://host[:port]` string for the Access-Control-Allow-
+// Origin response header. CORS (Fetch Standard §3.2.1) requires a single
+// concrete origin with no path / query / fragment; the empty-string and
+// "*" wildcard forms are spelled separately ("same-origin" / "public").
+// Parsing through safeUrl rejects header-injection bytes (CR/LF) and
+// userinfo, and confirms the value is a real http(s) origin. Throws so
+// the operator catches a typo'd allowOrigin at boot.
+function _canonicalAllowOrigin(value, label) {
+  if (typeof value !== "string" || value.length === 0) {
+    throw new AsyncApiError("asyncapi/bad-access-control",
+      label + ": accessControl.allowOrigin must be a non-empty origin string " +
+      "(e.g. \"https://docs.example.com\")");
+  }
+  var parsed;
+  try {
+    parsed = safeUrl.parse(value, { allowedProtocols: safeUrl.ALLOW_HTTP_ALL });
+  } catch (e) {
+    throw new AsyncApiError("asyncapi/bad-access-control",
+      label + ": accessControl.allowOrigin '" + value + "' is not a valid " +
+      "http(s) origin: " + ((e && e.message) || String(e)));
+  }
+  var path = parsed.pathname || "";
+  if ((path !== "" && path !== "/") || parsed.search || parsed.hash) {
+    throw new AsyncApiError("asyncapi/bad-access-control",
+      label + ": accessControl.allowOrigin must be a bare origin " +
+      "(scheme://host[:port]) with no path / query / fragment; got '" + value + "'");
+  }
+  var port = parsed.port;
+  return parsed.protocol + "//" + parsed.hostname.toLowerCase() + (port ? ":" + port : "");
+}
+
 var openapiYaml   = lazyRequire(function () { return require("../openapi-yaml"); });
 var audit         = lazyRequire(function () { return require("../audit"); });
 
@@ -38,8 +71,12 @@ var audit         = lazyRequire(function () { return require("../audit"); });
  * configurable JSON + YAML mount points. Matches `openapiServe`
  * behaviour: GET/HEAD only, SHA3-512 ETag with conditional 304,
  * operator-controlled CORS gate, falls through on unmatched paths
- * or methods. Use to publish channel + operation + message + schema
- * specs for event-driven APIs (Kafka, AMQP, MQTT, WebSocket).
+ * or methods. `accessControl: "public"` (default) emits
+ * `Access-Control-Allow-Origin: *`; `same-origin` omits the header;
+ * `{ allowOrigin: "https://docs.example.com" }` echoes one validated
+ * origin with `Vary: Origin`. Use to publish channel + operation +
+ * message + schema specs for event-driven APIs (Kafka, AMQP, MQTT,
+ * WebSocket).
  *
  * @opts
  *   {
@@ -79,6 +116,17 @@ function create(opts) {
   var cacheControl  = (typeof opts.cacheControl === "string" && opts.cacheControl.length > 0)
     ? opts.cacheControl : "public, max-age=300";
   var accessControl = opts.accessControl || "public";
+  // Resolve the Access-Control-Allow-Origin value once at config time.
+  // "public" → "*"; an { allowOrigin } object → the canonical origin
+  // (validated, throws on a bad value); "same-origin" / anything else →
+  // null (no CORS header emitted).
+  var allowOriginHeader = null;
+  if (accessControl === "public") {
+    allowOriginHeader = "*";
+  } else if (accessControl && typeof accessControl === "object" &&
+             typeof accessControl.allowOrigin === "string") {
+    allowOriginHeader = _canonicalAllowOrigin(accessControl.allowOrigin, "asyncapiServe");
+  }
   var auditOn       = opts.audit !== false;
 
   if (typeof pathJson !== "string" || pathJson.charAt(0) !== "/") {
@@ -117,8 +165,12 @@ function create(opts) {
       "Cache-Control":  cacheControl,
       "ETag":           etag,
     };
-    if (accessControl === "public") {
-      headers["Access-Control-Allow-Origin"] = "*";
+    if (allowOriginHeader !== null) {
+      headers["Access-Control-Allow-Origin"] = allowOriginHeader;
+      // A specific (non-"*") origin makes the response vary by Origin;
+      // advertise it so shared caches don't serve one operator's allowed
+      // origin to another's request (Fetch Standard §3.2.1).
+      if (allowOriginHeader !== "*") headers["Vary"] = "Origin";
     }
     res.writeHead(200, headers);                                                     // HTTP 200
     res.end(body);

package/lib/middleware/attach-user.js

@@ -33,18 +33,27 @@
  *
  * Options:
  *   {
- *     cookieName:  'blamejs_session'                 (cookie name to read)
- *     tokenFrom:   'both' | 'cookie' | 'header'      (default 'both')
- *     sealed:      false                             (use cookies.readSealed)
- *     vault:       b.vault                           (required when sealed)
- *     userLoader:  async (verifiedSession) => user   (REQUIRED)
- *     audit:       true                              (emit user-load audits)
+ *     cookieName:     'blamejs_session'              (cookie name to read)
+ *     tokenFrom:      'both' | 'cookie' | 'header'   (default 'both')
+ *     bearerScheme:   'Bearer'                       (Authorization scheme token; RFC 6750 §2.1)
+ *     tokenExtractor: (req) => token | null          (overrides header extraction entirely)
+ *     sealed:         false                          (use cookies.readSealed)
+ *     vault:          b.vault                        (required when sealed)
+ *     userLoader:     async (verifiedSession) => user (REQUIRED)
+ *     audit:          true                           (emit user-load audits)
  *   }
+ *
+ * The Authorization-header path matches the `Bearer` scheme by default
+ * (RFC 6750 §2.1). Operators behind a gateway that issues a different
+ * scheme (e.g. `Token`, `DPoP` per RFC 9449) set bearerScheme, or pass
+ * tokenExtractor(req) to read the credential from anywhere on the
+ * request. The scheme match is case-insensitive (RFC 9110 §11.1).
  */
 var lazyRequire = require("../lazy-require");
 var cookies = require("../cookies");
 var requestHelpers = require("../request-helpers");
 var validateOpts = require("../validate-opts");
+var codepointClass = require("../codepoint-class");
 var session = lazyRequire(function () { return require("../session"); });
 var audit   = lazyRequire(function () { return require("../audit"); });
 
@@ -56,10 +65,17 @@ function _readCookie(cookieHeader, name) {
   return Object.prototype.hasOwnProperty.call(jar, name) ? jar[name] : null;
 }
 
-function _readBearer(authHeader) {
+// Read the credential after an Authorization scheme token. Default scheme
+// is "Bearer" (RFC 6750 §2.1); operators fronted by a gateway that mints
+// "Token", "DPoP" (RFC 9449), or a custom scheme pass that name so the
+// header is consumed instead of silently ignored. The scheme match is
+// case-insensitive per RFC 9110 §11.1 (auth-scheme is case-insensitive).
+function _readBearer(authHeader, scheme) {
   if (!authHeader || typeof authHeader !== "string") return null;
-  // case-insensitive scheme match
-  var m = authHeader.match(/^Bearer\s+(.+)$/i);
+  var schemeTok = (typeof scheme === "string" && scheme.length > 0) ? scheme : "Bearer";
+  // allow:dynamic-regex — schemeTok is RegExp-escaped via codepointClass.escapeRegExp,
+  // so the operator-supplied scheme matches literally and cannot inject a pattern
+  var m = authHeader.match(new RegExp("^" + codepointClass.escapeRegExp(schemeTok) + "\\s+(.+)$", "i"));
   return m ? m[1].trim() : null;
 }
 
@@ -86,6 +102,8 @@ function _readBearer(authHeader) {
  *     userLoader:              async function(session): user|null,  // required
  *     cookieName:              string,    // default "blamejs_session"
  *     tokenFrom:               "both"|"cookie"|"header",  // default "both"
+ *     bearerScheme:            string,    // default "Bearer" (RFC 6750); set "Token"/"DPoP"/etc. for a gateway scheme
+ *     tokenExtractor:          function,  // (req) → token|null; fully owns header extraction when supplied
  *     sealed:                  boolean,
  *     vault:                   object,    // required when sealed
  *     requireFingerprintMatch: boolean,
@@ -108,15 +126,28 @@ function create(opts) {
   validateOpts(opts, [
     "cookieName", "tokenFrom", "sealed", "vault", "userLoader", "audit",
     "requireFingerprintMatch", "maxAnomalyScore", "scorer",
+    "bearerScheme", "tokenExtractor",
   ], "middleware.attachUser");
   if (typeof opts.userLoader !== "function") {
     throw new Error("middleware.attachUser: opts.userLoader is required " +
       "(async function (verifiedSession) → user | null)");
   }
+  validateOpts.optionalNonEmptyString(opts.bearerScheme,
+    "middleware.attachUser: opts.bearerScheme (the Authorization scheme token, " +
+    "e.g. \"Bearer\", \"Token\", \"DPoP\")");
+  validateOpts.optionalFunction(opts.tokenExtractor,
+    "middleware.attachUser: opts.tokenExtractor (req) → token | null");
   var cookieName = opts.cookieName || "blamejs_session";
   var tokenFrom  = opts.tokenFrom  || "both";
   var auditOn    = opts.audit !== false;
   var sealed     = !!opts.sealed;
+  // Authorization-header scheme token (default "Bearer", RFC 6750 §2.1).
+  // tokenExtractor, when supplied, fully owns header-token extraction so
+  // gateway-specific schemes (a forwarded JWT in a non-standard header,
+  // DPoP-bound tokens, etc.) work without the framework assuming the
+  // RFC 6750 shape.
+  var bearerScheme   = opts.bearerScheme || "Bearer";
+  var tokenExtractor = typeof opts.tokenExtractor === "function" ? opts.tokenExtractor : null;
   // Fingerprint-drift / IP-UA pin / anomaly-score opts thread through
   // session.verify so the documented session.create({ req,
   // fingerprintFields }) defenses actually engage on every verify
@@ -153,7 +184,11 @@ function create(opts) {
       // the header re-read here avoids the duplicate verify and the
       // confusing "session.verify failed" audit row that would land
       // when the bearer token is a JWT or API key, not a session ID.
-      token = _readBearer(req.headers && req.headers.authorization);
+      if (tokenExtractor) {
+        token = tokenExtractor(req) || null;
+      } else {
+        token = _readBearer(req.headers && req.headers.authorization, bearerScheme);
+      }
     }
     if (!token) return next();
 

package/lib/middleware/body-parser.js

@@ -69,6 +69,11 @@
  *         document: { maxBytes: b.constants.BYTES.mib(25) },
  *       },
  *
+ *       // RFC 5987 filename* charsets to decode. utf-8 is always
+ *       // supported (RFC 8187 §3.2); add "iso-8859-1" (RFC 5987 §3.2)
+ *       // to accept legacy senders that encode filenames in Latin-1.
+ *       filenameCharsets: ["utf-8"],
+ *
  *       // When wired, fileFilter rejections emit body-parser.multipart.file_rejected
  *       // on the audit chain with the field, filename, mime, and reason.
  *       audit: b.audit,
@@ -121,6 +126,7 @@ var safeBuffer      = require("../safe-buffer");
 var safeJson        = require("../safe-json");
 var structuredFields = require("../structured-fields");
 var validateOpts    = require("../validate-opts");
+var codepointClass  = require("../codepoint-class");
 var C = require("../constants");
 var { defineClass } = require("../framework-error");
 
@@ -196,6 +202,7 @@ var DEFAULTS = Object.freeze({
     fileFilter:    null,             // fn({ field, filename, mimeType, partHeaders }) → bool | { reject, code, message }
     fields:        null,             // per-field overrides: { name: { maxBytes?, mimeTypes? } }
     audit:         null,             // when wired, file-rejection emits an audit event
+    filenameCharsets: ["utf-8"],     // RFC 5987 filename* charsets to decode; add "iso-8859-1" to opt that legacy charset in
     contentTypes:  ["multipart/form-data"],
   },
 });
@@ -344,9 +351,16 @@ function _detectSmuggling(req) {
 function _writeError(res, status, message, code) {
   if (res.headersSent) return;
   var body = JSON.stringify({ error: message, code: code });
+  // Connection: close on a body-parse rejection (malformed JSON, poisoned
+  // key, oversize payload) so an upstream proxy can't reuse a socket whose
+  // request stream we abandoned mid-body. Pairing the 4xx with a forced
+  // socket teardown closes the desync window a partially-consumed body
+  // would otherwise leave open (RFC 9112 §9.6 — a server MAY close after
+  // an error response; doing so here prevents request-smuggling reuse).
   res.writeHead(status, {
     "Content-Type":   "application/json; charset=utf-8",
     "Content-Length": Buffer.byteLength(body),
+    "Connection":     "close",
   });
   res.end(body);
 }
@@ -600,28 +614,58 @@ function _parseMultipartHeaders(rawHeaders) {
   return out;
 }
 
+// Percent-decode an RFC 5987 ext-value's value segment under iso-8859-1.
+// RFC 5987 §3.2 / RFC 2231 §7 define iso-8859-1 (Latin-1) as the only
+// non-utf-8 charset a recipient is expected to understand: each decoded
+// byte is itself the Latin-1 code point, so a byte b maps directly to
+// U+00bb. We percent-unescape to raw bytes, then map each byte to its
+// code point. Returns null on a malformed `%`-escape.
+function _percentDecodeLatin1(encoded) {
+  var out = "";
+  for (var i = 0; i < encoded.length; i += 1) {
+    var ch = encoded.charAt(i);
+    if (ch === "%") {
+      var hex = encoded.substr(i + 1, 2);
+      if (hex.length !== 2 || !codepointClass.HEX_PAIR_RE.test(hex)) return null;
+      out += String.fromCharCode(parseInt(hex, 16));
+      i += 2;
+    } else {
+      out += ch;
+    }
+  }
+  return out;
+}
+
 // RFC 5987 / 8187 — `filename*=UTF-8''percent%20encoded.txt` extended
-// parameter form for non-ASCII filenames. Charset MUST be `UTF-8`
-// (case-insensitive); we refuse other charsets to keep the decode
-// path single-encoding. Language tag (between the two `'`s) is
-// permitted but ignored.
-function _decodeRfc5987(raw) {
+// parameter form for non-ASCII filenames. utf-8 is always accepted
+// (RFC 8187 §3.2 mandates support); iso-8859-1 (RFC 5987 §3.2 / RFC 2231
+// §7) decodes only when the operator opts it in via
+// `multipart.filenameCharsets`. Any other charset is refused to keep the
+// decode path bounded to the two RFC-defined encodings. The language tag
+// (between the two `'`s) is permitted but ignored. `allowed` is a
+// lower-cased charset allowlist; it always includes "utf-8".
+function _decodeRfc5987(raw, allowed) {
   if (typeof raw !== "string") return null;
   var firstTick  = raw.indexOf("'");
   if (firstTick === -1) return null;
   var secondTick = raw.indexOf("'", firstTick + 1);
   if (secondTick === -1) return null;
   var charset = raw.slice(0, firstTick).toLowerCase();
-  if (charset !== "utf-8") return null;       // RFC 5987 mandated charset; refuse anything else
   var encoded = raw.slice(secondTick + 1);
-  try {
-    return decodeURIComponent(encoded);
-  } catch (_e) {
-    return null;
+  if (charset === "utf-8") {
+    try {
+      return decodeURIComponent(encoded);
+    } catch (_e) {
+      return null;
+    }
   }
+  if (charset === "iso-8859-1" && allowed && allowed.indexOf("iso-8859-1") !== -1) {
+    return _percentDecodeLatin1(encoded);
+  }
+  return null;                                // charset not enabled — refuse
 }
 
-function _parseHeaderParams(headerValue) {
+function _parseHeaderParams(headerValue, filenameCharsets) {
   // Content-Disposition: form-data; name="field"; filename="x.txt"
   // Returns { _value: "form-data", name: "field", filename: "x.txt" }
   // RFC 5987 / 8187 — when a `filename*=UTF-8''...` extended parameter
@@ -646,7 +690,7 @@ function _parseHeaderParams(headerValue) {
     var _unq = structuredFields.unquoteSfString(v);
     if (_unq !== null) v = _unq;
     if (k.charAt(k.length - 1) === "*") {
-      var decoded = _decodeRfc5987(v);
+      var decoded = _decodeRfc5987(v, filenameCharsets);
       if (decoded !== null) {
         var bareKey = k.slice(0, -1);
         if (bareKey === "filename") extName = decoded;
@@ -682,6 +726,17 @@ async function _parseMultipart(req, opts, ctParams) {
       true, HTTP_STATUS.BAD_REQUEST
     );
   }
+  // RFC 5987 filename* charsets the operator opts into decoding. utf-8 is
+  // always present (RFC 8187 §3.2 mandates it); operators add "iso-8859-1"
+  // for legacy senders. Lower-cased once here so the per-part decode does
+  // a plain membership check.
+  var filenameCharsets = ["utf-8"];
+  if (Array.isArray(opts.filenameCharsets)) {
+    filenameCharsets = opts.filenameCharsets.map(function (c) {
+      return String(c).toLowerCase();
+    });
+    if (filenameCharsets.indexOf("utf-8") === -1) filenameCharsets.push("utf-8");
+  }
   // storage: "memory" buffers file parts in RAM (capped by fileSize ×
   // fileCount, the same DoS bound as disk mode) and exposes each file as
   // req.files[].buffer with no filesystem touch — the read-only /
@@ -870,7 +925,7 @@ async function _parseMultipart(req, opts, ctParams) {
             }
             pending = pending.slice(headEnd + 4);
             // Decode Content-Disposition.
-            var cd = _parseHeaderParams(currentHeaders["content-disposition"]);
+            var cd = _parseHeaderParams(currentHeaders["content-disposition"], filenameCharsets);
             if (cd._value !== "form-data" || typeof cd.name !== "string" || cd.name.length === 0) {
               done(new BodyParserError("body-parser/multipart-bad-disposition",
                 "multipart part missing form-data Content-Disposition", true, HTTP_STATUS.BAD_REQUEST));
@@ -1211,7 +1266,8 @@ async function _parseMultipart(req, opts, ctParams) {
  *     raw:         false | { limit, contentTypes },
  *     multipart:   false | {
  *       storage, tmpDir, fileSize, totalSize, fileCount, fieldCount,
- *       fieldSize, mimeAllowlist, fileFilter, fields, audit, contentTypes,
+ *       fieldSize, mimeAllowlist, fileFilter, fields, audit,
+ *       filenameCharsets, contentTypes,
  *     },
  *     keepRawBody: boolean,    // expose req.bodyRaw for webhook signing
  *   }

package/lib/middleware/csp-report.js

@@ -99,9 +99,21 @@ function _normalizeOne(reportLike) {
  * `csp.violation`, and forwarded to the operator's `onReport`
  * callback for metrics or alerting.
  *
+ * The rejection paths (405 / 413 / 400) are otherwise empty-bodied —
+ * the spec'd Reporting API (W3C Reporting API §3.1) ignores the
+ * response body, so there's nothing for the browser to read. `onReject`
+ * surfaces these refusals to the operator for the same metrics /
+ * alerting use as `onReport`: a flood of 413s signals a misconfigured
+ * `Reporting-Endpoints` URL or a report-bomb. It receives
+ * `(req, res, { status, reason })` where `reason` is one of
+ * `method-not-allowed` / `payload-too-large` / `invalid-json`. Invoked
+ * after the rejection response is written; a throwing hook is swallowed
+ * so a broken metrics sink can't crash the endpoint.
+ *
  * @opts
  *   {
  *     onReport: function(report): void,
+ *     onReject: function(req, res, { status, reason }): void,
  *     maxBytes: number,    // default 64 KiB
  *     audit:    boolean,   // default true
  *   }
@@ -118,23 +130,38 @@ function _normalizeOne(reportLike) {
  */
 function create(opts) {
   opts = opts || {};
-  validateOpts(opts, ["audit", "onReport", "maxBytes"], "middleware.cspReport");
+  validateOpts(opts, ["audit", "onReport", "onReject", "maxBytes"], "middleware.cspReport");
+  if (opts.onReject !== undefined && opts.onReject !== null &&
+      typeof opts.onReject !== "function") {
+    throw new TypeError("middleware.cspReport: opts.onReject must be a function");
+  }
   var maxBytes = (typeof opts.maxBytes === "number" && isFinite(opts.maxBytes) && opts.maxBytes > 0)
     ? opts.maxBytes : DEFAULT_MAX_BYTES;
   var onReport = (typeof opts.onReport === "function") ? opts.onReport : null;
+  var onReject = (typeof opts.onReject === "function") ? opts.onReject : null;
+
+  // Drop-silent observability sink — the rejection response is already
+  // on the wire; a throwing metrics hook must not crash the endpoint.
+  function _emitReject(req, res, status, reason) {
+    if (!onReject) return;
+    try { onReject(req, res, { status: status, reason: reason }); }
+    catch (_e) { /* hook best-effort */ }
+  }
 
   return async function cspReport(req, res, _next) {
     if (req.method !== "POST") {
       res.writeHead(405, { "Allow": "POST" });                                     // HTTP 405 status
       res.end();
+      _emitReject(req, res, 405, "method-not-allowed");
       return;
     }
     var body;
     try {
-      body = await safeBuffer.boundedChunkCollector(req, { maxBytes: maxBytes });
+      body = await safeBuffer.collectStream(req, { maxBytes: maxBytes });
     } catch (_e) {
       res.writeHead(413);                                                         // HTTP 413 status
       res.end();
+      _emitReject(req, res, 413, "payload-too-large");
       return;
     }
     var parsed;
@@ -142,6 +169,7 @@ function create(opts) {
     catch (_e) {
       res.writeHead(400);                                                         // HTTP 400 status
       res.end();
+      _emitReject(req, res, 400, "invalid-json");
       return;
     }
     var reports = Array.isArray(parsed) ? parsed : [parsed];

package/lib/middleware/deny-response.js

@@ -79,25 +79,40 @@ function denyResponse(req, res, ctx) {
   if (_isFn(ctx.onDeny)) {
     try {
       var returned = ctx.onDeny(req, res, info);
-      if (res.writableEnded) return returned;
-      // Hook ran but did not write — fall through to the default so
-      // the response can never hang on a no-op hook.
+      if (res.writableEnded || res.headersSent) return returned;
+      // Hook ran but did not commit the response — fall through to the
+      // default so the response can never hang on a no-op hook. A
+      // wrapping consumer that already sent headers (without flipping
+      // writableEnded) counts as committed: re-entering writeHead below
+      // would throw "headers already sent".
     } catch (e) {
       if (_isFn(ctx.onThrow)) {
         try { ctx.onThrow(e); } catch (_e) { /* drop-silent */ }
       }
-      if (res.writableEnded) return undefined;
-      // Hook threw before writing — fall through to the default.
+      if (res.writableEnded || res.headersSent) return undefined;
+      // Hook threw before committing the response — fall through to
+      // the default.
     }
   }
 
-  if (res.writableEnded || !_isFn(res.writeHead)) return undefined;
+  if (res.writableEnded || res.headersSent || !_isFn(res.writeHead)) return undefined;
 
   var extra = (ctx.headers && typeof ctx.headers === "object") ? ctx.headers : null;
 
   if (ctx.problem) {
     var fields = { status: ctx.status };
-    if (ctx.problemType)   fields.type   = ctx.problemType;
+    if (ctx.problemType) {
+      fields.type = ctx.problemType;
+    } else if (typeof ctx.problemCode === "string" && ctx.problemCode.length > 0) {
+      // No explicit type URI: derive one from problemCode using the
+      // same `<base>/<code>` convention as problemDetails.fromError, so
+      // a 429 carrying problemCode reads `<base>/rate-limit-exceeded`
+      // rather than defaulting to "about:blank". RFC 9457 §3.1.1 lets
+      // the type be any URI reference; sanitize the suffix into RFC
+      // 3986 unreserved + "/" path chars, matching fromError exactly.
+      fields.type = problemDetails.getBase() + "/" +
+        ctx.problemCode.replace(/[^A-Za-z0-9\-._/]/g, "-");
+    }
     if (ctx.problemTitle)  fields.title  = ctx.problemTitle;
     if (ctx.problemDetail) fields.detail = ctx.problemDetail;
     if (ctx.problemExt && typeof ctx.problemExt === "object") {

package/lib/middleware/openapi-serve.js

@@ -22,15 +22,50 @@
  * If `accessControl: "public"` (the default), the middleware emits
  * `Access-Control-Allow-Origin: *` so external doc tooling can fetch.
  * For internal-only docs operators set `accessControl: "same-origin"`
- * which omits the CORS header.
+ * which omits the CORS header. To allow exactly one external origin set
+ * `accessControl: { allowOrigin: "https://docs.example.com" }`; the
+ * origin is validated and echoed verbatim with `Vary: Origin`.
  */
 
 var nodeCrypto    = require("node:crypto");
 var validateOpts  = require("../validate-opts");
 var lazyRequire   = require("../lazy-require");
+var safeUrl       = require("../safe-url");
 var { defineClass } = require("../framework-error");
 var OpenApiError = defineClass("OpenApiError", { alwaysPermanent: true });
 
+// Validate an operator-supplied accessControl.allowOrigin and return the
+// canonical `scheme://host[:port]` string for the Access-Control-Allow-
+// Origin response header. CORS (Fetch Standard §3.2.1) requires a single
+// concrete origin with no path / query / fragment; the empty-string and
+// "*" wildcard forms are spelled separately ("same-origin" / "public").
+// Parsing through safeUrl rejects header-injection bytes (CR/LF) and
+// userinfo, and confirms the value is a real http(s) origin. Throws so
+// the operator catches a typo'd allowOrigin at boot.
+function _canonicalAllowOrigin(value, label) {
+  if (typeof value !== "string" || value.length === 0) {
+    throw new OpenApiError("openapi/bad-access-control",
+      label + ": accessControl.allowOrigin must be a non-empty origin string " +
+      "(e.g. \"https://docs.example.com\")");
+  }
+  var parsed;
+  try {
+    parsed = safeUrl.parse(value, { allowedProtocols: safeUrl.ALLOW_HTTP_ALL });
+  } catch (e) {
+    throw new OpenApiError("openapi/bad-access-control",
+      label + ": accessControl.allowOrigin '" + value + "' is not a valid " +
+      "http(s) origin: " + ((e && e.message) || String(e)));
+  }
+  var path = parsed.pathname || "";
+  if ((path !== "" && path !== "/") || parsed.search || parsed.hash) {
+    throw new OpenApiError("openapi/bad-access-control",
+      label + ": accessControl.allowOrigin must be a bare origin " +
+      "(scheme://host[:port]) with no path / query / fragment; got '" + value + "'");
+  }
+  var port = parsed.port;
+  return parsed.protocol + "//" + parsed.hostname.toLowerCase() + (port ? ":" + port : "");
+}
+
 var openapiYaml   = lazyRequire(function () { return require("../openapi-yaml"); });
 var audit         = lazyRequire(function () { return require("../audit"); });
 
@@ -45,7 +80,9 @@ var audit         = lazyRequire(function () { return require("../audit"); });
  * else falls through. SHA3-512 ETag enables conditional 304. With
  * `accessControl: "public"` (default) emits
  * `Access-Control-Allow-Origin: *` so external doc tooling can
- * fetch; `same-origin` omits the CORS header for internal-only docs.
+ * fetch; `same-origin` omits the CORS header for internal-only docs;
+ * `{ allowOrigin: "https://docs.example.com" }` echoes one validated
+ * origin with `Vary: Origin`.
  *
  * @opts
  *   {
@@ -84,6 +121,17 @@ function create(opts) {
   var cacheControl  = (typeof opts.cacheControl === "string" && opts.cacheControl.length > 0)
     ? opts.cacheControl : "public, max-age=300";
   var accessControl = opts.accessControl || "public";
+  // Resolve the Access-Control-Allow-Origin value once at config time.
+  // "public" → "*"; an { allowOrigin } object → the canonical origin
+  // (validated, throws on a bad value); "same-origin" / anything else →
+  // null (no CORS header emitted).
+  var allowOriginHeader = null;
+  if (accessControl === "public") {
+    allowOriginHeader = "*";
+  } else if (accessControl && typeof accessControl === "object" &&
+             typeof accessControl.allowOrigin === "string") {
+    allowOriginHeader = _canonicalAllowOrigin(accessControl.allowOrigin, "openapiServe");
+  }
   var auditOn       = opts.audit !== false;
 
   if (typeof pathJson !== "string" || pathJson.charAt(0) !== "/") {
@@ -123,8 +171,12 @@ function create(opts) {
       "Cache-Control":  cacheControl,
       "ETag":           etag,
     };
-    if (accessControl === "public") {
-      headers["Access-Control-Allow-Origin"] = "*";
+    if (allowOriginHeader !== null) {
+      headers["Access-Control-Allow-Origin"] = allowOriginHeader;
+      // A specific (non-"*") origin makes the response vary by Origin;
+      // advertise it so shared caches don't serve one operator's allowed
+      // origin to another's request (Fetch Standard §3.2.1).
+      if (allowOriginHeader !== "*") headers["Vary"] = "Origin";
     }
     res.writeHead(200, headers);                                                    // HTTP 200
     res.end(body);

package/lib/middleware/scim-server.js

@@ -279,10 +279,13 @@ function _readJsonBody(req) {
     return Promise.resolve(safeJson.parse(req.body.toString("utf8"), { maxBytes: MAX }));
   }
   if (req.body && typeof req.body === "object") return Promise.resolve(req.body);
-  return safeBuffer.boundedChunkCollector(req, MAX, ScimServerError, "middleware/scim-server/body-too-large")
-    .then(function (buf) {
-      return safeJson.parse(buf.toString("utf8"), { maxBytes: MAX });
-    });
+  return safeBuffer.collectStream(req, {
+    maxBytes:   MAX,
+    errorClass: ScimServerError,
+    sizeCode:   "middleware/scim-server/body-too-large",
+  }).then(function (buf) {
+    return safeJson.parse(buf.toString("utf8"), { maxBytes: MAX });
+  });
 }
 
 function _assertSchema(body, expectedSchema) {