@blamejs/core 0.7.82 → 0.7.84

package/CHANGELOG.md

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 
 ## v0.7.x
 
+- **0.7.84** (2026-05-06) — `b.crypto.sri(content, { algorithm? })` — Subresource Integrity hash builder per W3C SRI 1.0. Operators emit `<script integrity="sha384-...">` and `<link integrity="sha384-...">` to defend against CDN compromise + ISP MITM injection — the browser refuses to load a resource whose actual hash diverges from the integrity attribute. Default algorithm is `sha384` (W3C §3.2 — collision margin without sha512's 64-byte overhead); `sha256` and `sha512` also accepted, anything else refused. Accepts `Buffer` / `Uint8Array` / `string` / array of those — array inputs emit multiple space-separated integrity tokens per W3C §3.3 multi-integrity (browser picks the strongest it recognizes). Returns the standard `sha###-<base64>` format ready to paste into the `integrity=""` attribute.
+
+- **0.7.83** (2026-05-06) — `b.auth.oauth.endSessionUrl()` (OpenID Connect RP-Initiated Logout) + `b.auth.oauth.pushAuthorizationRequest()` (RFC 9126 PAR). **`endSessionUrl({ idTokenHint?, postLogoutRedirectUri?, state?, logoutHint?, uiLocales?, clientId?, extraParams? })`** builds the URL the operator's `/logout` route redirects the user-agent to so the IdP terminates the session and bounces back to the operator's app. The IdP's `end_session_endpoint` is read from the OIDC discovery document or operator-supplied at `create({ endSessionEndpoint })`. **`pushAuthorizationRequest({ state?, nonce?, prompt?, loginHint?, maxAge?, extraParams? })`** POSTs the authorization-request parameters directly to the IdP's PAR endpoint (mTLS or client-secret authenticated) and returns `{ url, state, nonce, verifier, challenge, requestUri, expiresIn }` — the browser-side redirect URL is `<authorizationEndpoint>?client_id=...&request_uri=...`. Defends against authorization-request parameter tampering by an MITM at the user-agent + against URL-length overflow on long authorization requests (request_uri reference is short). The PAR endpoint is read from the discovery doc's `pushed_authorization_request_endpoint` or operator-supplied at `create({ pushedAuthorizationRequestEndpoint })`. Both helpers throw `auth-oauth/no-end-session-endpoint` / `auth-oauth/no-par-endpoint` when neither the discovery doc nor the operator opts supply the endpoint.
+
 - **0.7.82** (2026-05-06) — `b.mail.bimi` — BIMI record builder + verifier (RFC 9091). BIMI publishes a sender's brand logo URL in DNS so receiving MTAs can render it next to the message in supported clients (Gmail, Yahoo, Apple Mail). **`b.mail.bimi.recordShape({ logoUrl, vmcUrl?, selector? })`** produces the canonical `v=BIMI1; l=https://...; a=https://...` TXT-record string per RFC 9091 §4. Both `l=` (SVG logo URL) and `a=` (Verified Mark Certificate URL per RFC 9091 §6) are HTTPS-required (refuses `http://`). All field values are CR/LF/NUL/semicolon-screened so a hostile URL can't inject a record-separator into the published TXT. **`b.mail.bimi.fetchPolicy(domain, { selector?, dnsLookup? })`** queries `<selector>._bimi.<domain>` (default selector `"default"`) and returns the structured record `{ v, l, a }` or `null` when no policy is published / record is malformed. **`b.mail.bimi.parseRecord(text)`** parses any operator-supplied TXT body — semicolon-separated `key=value` pairs per RFC 9091 §4. The framework does NOT validate the SVG / VMC contents against the RFC §5/§6 profiles — operators feed those to their own asset pipeline; the fetch primitive is a thin DNS lookup that returns the structured record so an operator dashboard or SMTP send-time preflight can verify the publication. BIMI is layered on a passing DMARC posture (the receiver requires DMARC quarantine/reject); operators with the existing `b.mail.dmarc` posture set up benefit from BIMI rendering immediately on receivers that honor it.
 
 - **0.7.81** (2026-05-06) — `b.middleware.hostAllowlist` — DNS rebinding defense. Refuses requests whose `Host` header doesn't match the operator-supplied allowlist; the DNS rebinding chain (attacker DNS flips evil.com → 127.0.0.1, browser still believes the URL string says "evil.com" so same-origin policy lets the JS read the response, but the operator's localhost is what actually serves) is closed by checking the post-DNS-resolution `Host` header on the framework's side. **`b.middleware.hostAllowlist({ hosts, denyStatus?, denyBody?, audit? })`** — operators pass an allowlist of canonical Host values (with or without port). Wildcard-leading entries (`*.example.com`) match any single label; `app.sub.example.com` does NOT match `*.example.com` (multi-label rejected by design — a wildcard certificate authority issues only single-label intermediate). Entries without a port match any port; entries with a port require exact match. Default `denyStatus: 421` (RFC 7540 §9.1.2 "Misdirected Request"); default `denyBody: "Misdirected Request"`. Audit emits `network.host_allowlist.denied` with the reason (`missing-host` / `host-not-in-allowlist`) and the actual Host value for triage. Operators running explicitly-public services that accept arbitrary subdomains (multi-tenant forum shapes) skip this middleware entirely; there's no per-request opt-out.

package/lib/auth/oauth.js

@@ -349,6 +349,10 @@ function create(opts) {
     userinfoEndpoint:      opts.userinfoEndpoint      || (preset && preset.userinfoEndpoint)      || null,
     revocationEndpoint:    opts.revocationEndpoint    || (preset && preset.revocationEndpoint)    || null,
     jwksUri:               opts.jwksUri               || (preset && preset.jwksUri)               || null,
+    endSessionEndpoint:    opts.endSessionEndpoint    || (preset && preset.endSessionEndpoint)    || null,
+    pushedAuthorizationRequestEndpoint:
+                           opts.pushedAuthorizationRequestEndpoint ||
+                           (preset && preset.pushedAuthorizationRequestEndpoint) || null,
   };
 
   // Discovery + JWKS caches use b.cache.create + .wrap so concurrent
@@ -422,6 +426,8 @@ function create(opts) {
       userinfoEndpoint:      "userinfo_endpoint",
       revocationEndpoint:    "revocation_endpoint",
       jwksUri:               "jwks_uri",
+      endSessionEndpoint:    "end_session_endpoint",
+      pushedAuthorizationRequestEndpoint: "pushed_authorization_request_endpoint",
     })[name];
     var endpoint = config[snake];
     if (!endpoint) {
@@ -697,6 +703,105 @@ function create(opts) {
     return { header: header, claims: payload };
   }
 
+  // ---- OIDC RP-Initiated Logout (OpenID Connect Session Mgmt 1.0) ----
+  //
+  // The IdP exposes an `end_session_endpoint` in its discovery doc;
+  // the RP-initiated logout flow redirects the user to that endpoint
+  // with the id_token_hint + post_logout_redirect_uri so the IdP
+  // terminates the IdP session and bounces the user back to the
+  // operator's app. Operators wire this on their /logout route.
+  async function endSessionUrl(uopts) {
+    uopts = uopts || {};
+    var endpoint;
+    try { endpoint = await _resolveEndpoint("endSessionEndpoint"); }
+    catch (_e) {
+      throw new OAuthError("auth-oauth/no-end-session-endpoint",
+        "endSessionUrl: IdP discovery doc has no end_session_endpoint " +
+        "(set opts.endSessionEndpoint on create() if the IdP doesn't publish it)");
+    }
+    var params = new URLSearchParams();
+    if (uopts.idTokenHint) params.set("id_token_hint", uopts.idTokenHint);
+    if (uopts.postLogoutRedirectUri) {
+      params.set("post_logout_redirect_uri", uopts.postLogoutRedirectUri);
+    }
+    if (uopts.state)        params.set("state", uopts.state);
+    if (uopts.logoutHint)   params.set("logout_hint", uopts.logoutHint);
+    if (uopts.uiLocales)    params.set("ui_locales", uopts.uiLocales);
+    if (uopts.clientId !== false) params.set("client_id", clientId);
+    if (uopts.extraParams && typeof uopts.extraParams === "object") {
+      var ek = Object.keys(uopts.extraParams);
+      for (var i = 0; i < ek.length; i++) params.set(ek[i], String(uopts.extraParams[ek[i]]));
+    }
+    var qs = params.toString();
+    if (qs.length === 0) return endpoint;
+    var sep = endpoint.indexOf("?") === -1 ? "?" : "&";
+    return endpoint + sep + qs;
+  }
+
+  // ---- OAuth 2.0 Pushed Authorization Requests (RFC 9126) ----
+  //
+  // PAR: the client POSTs the authorization-request parameters
+  // directly to the IdP's PAR endpoint (mTLS or client-secret
+  // authenticated) and gets back a `request_uri` it then puts in the
+  // browser-side redirect to /authorize. Defends against parameter
+  // tampering by an MITM at the user-agent + against URL-length
+  // overflow on long authorization requests.
+  async function pushAuthorizationRequest(uopts) {
+    uopts = uopts || {};
+    var endpoint;
+    try { endpoint = await _resolveEndpoint("pushedAuthorizationRequestEndpoint"); }
+    catch (_e) {
+      throw new OAuthError("auth-oauth/no-par-endpoint",
+        "pushAuthorizationRequest: IdP discovery doc has no " +
+        "pushed_authorization_request_endpoint (set opts.pushedAuthorizationRequestEndpoint " +
+        "on create() if the IdP doesn't publish it)");
+    }
+    // Build the same param set authorizationUrl would emit, then POST
+    // it to PAR instead of putting it in the redirect URL.
+    var state = uopts.state || _generateRandomToken(STATE_NONCE_BYTES);
+    var nonce = uopts.nonce || (isOidc ? _generateRandomToken(STATE_NONCE_BYTES) : null);
+    var pkceVals = _generatePkce();
+    var body = new URLSearchParams();
+    body.set("response_type", "code");
+    body.set("client_id",     clientId);
+    body.set("redirect_uri",  redirectUri);
+    body.set("scope",         scope.join(" "));
+    body.set("state",         state);
+    if (nonce) body.set("nonce", nonce);
+    body.set("code_challenge",        pkceVals.challenge);
+    body.set("code_challenge_method", "S256");
+    if (responseMode) body.set("response_mode", responseMode);
+    if (uopts.prompt)    body.set("prompt", uopts.prompt);
+    if (uopts.loginHint) body.set("login_hint", uopts.loginHint);
+    if (uopts.maxAge != null) body.set("max_age", String(uopts.maxAge));
+    if (clientSecret) body.set("client_secret", clientSecret);
+    if (uopts.extraParams && typeof uopts.extraParams === "object") {
+      var ek = Object.keys(uopts.extraParams);
+      for (var i = 0; i < ek.length; i++) body.set(ek[i], String(uopts.extraParams[ek[i]]));
+    }
+    var rv = await _postForm(endpoint, body);
+    if (!rv || typeof rv.request_uri !== "string" || rv.request_uri.length === 0) {
+      throw new OAuthError("auth-oauth/par-bad-response",
+        "pushAuthorizationRequest: IdP did not return a request_uri (got " +
+        JSON.stringify(rv).slice(0, 200) + ")");                                 // allow:raw-byte-literal — error-message snippet length
+    }
+    // Build the browser-side redirect URL: /authorize?client_id=...&request_uri=...
+    var authzEndpoint = await _resolveEndpoint("authorizationEndpoint");
+    var qs = new URLSearchParams();
+    qs.set("client_id",   clientId);
+    qs.set("request_uri", rv.request_uri);
+    var sep = authzEndpoint.indexOf("?") === -1 ? "?" : "&";
+    return {
+      url:         authzEndpoint + sep + qs.toString(),
+      state:       state,
+      nonce:       nonce,
+      verifier:    pkceVals.verifier,
+      challenge:   pkceVals.challenge,
+      requestUri:  rv.request_uri,
+      expiresIn:   typeof rv.expires_in === "number" ? rv.expires_in : null,
+    };
+  }
+
   return {
     authorizationUrl:    authorizationUrl,
     exchangeCode:        exchangeCode,
@@ -705,6 +810,8 @@ function create(opts) {
     revokeToken:         revokeToken,
     verifyIdToken:       verifyIdToken,
     discover:            _discover,
+    endSessionUrl:           endSessionUrl,
+    pushAuthorizationRequest: pushAuthorizationRequest,
     // Diagnostic / power-user surface
     issuer:              issuer,
     clientId:            clientId,

package/lib/crypto.js

@@ -95,6 +95,46 @@ function kdf(input, outputLength) { return hash(input, "shake256", outputLength)
 function generateBytes(byteLength) { return Buffer.from(random(byteLength)); }
 function generateToken(byteLength) { return random(byteLength || 32).toString("hex"); }
 
+// ---- Subresource Integrity (W3C SRI 1.0) ----
+//
+// b.crypto.sri(content, { algorithm? }) — returns a `sha###-base64`
+// integrity attribute string operators paste into <script integrity="...">
+// or <link integrity="..."> tags. Defends against CDN compromise + ISP
+// MITM injection — the browser refuses to load the resource when its
+// hash diverges from the integrity attribute.
+//
+// W3C SRI 1.0 §3.2 lists sha256 / sha384 / sha512 as the supported
+// digest algorithms; sha384 is the recommended default (collision
+// margin without sha512's 64-byte overhead).
+//
+//   b.crypto.sri(scriptBuffer, { algorithm: "sha384" })
+//   → "sha384-AbCdEf...="
+//
+//   b.crypto.sri(["a", "b"], { algorithm: "sha384" })   // array → multi-hash
+//   → "sha384-X1... sha384-X2..."   (per W3C §3.3 multi-integrity)
+var SRI_ALGORITHMS = { "sha256": "sha256", "sha384": "sha384", "sha512": "sha512" };
+
+function sri(content, opts) {
+  opts = opts || {};
+  var algorithm = (opts.algorithm || "sha384").toLowerCase();
+  if (!SRI_ALGORITHMS[algorithm]) {
+    throw new Error("crypto.sri: unsupported algorithm '" + algorithm +
+      "' (W3C SRI 1.0 §3.2 supports sha256/sha384/sha512)");
+  }
+  // Array input — emit multiple integrity tokens space-separated per
+  // W3C §3.3 (browser picks the strongest one it recognizes).
+  if (Array.isArray(content)) {
+    return content.map(function (c) { return sri(c, opts); }).join(" ");
+  }
+  var buf;
+  if (Buffer.isBuffer(content)) buf = content;
+  else if (typeof content === "string") buf = Buffer.from(content, "utf8");
+  else if (content instanceof Uint8Array) buf = Buffer.from(content);
+  else throw new Error("crypto.sri: content must be a Buffer, Uint8Array, string, or array of those");
+  var digest = nodeCrypto.createHash(algorithm).update(buf).digest("base64");
+  return algorithm + "-" + digest;
+}
+
 // ---- Key generation ----
 function generateEncryptionKeyPair() {
   var mlkem = generateKeyPair("ml-kem-1024");
@@ -454,6 +494,7 @@ var SUPPORTED_KEM_ALGORITHMS = Object.freeze([
 ]);
 
 module.exports = {
+  sri:                          sri,
   // Hashing
   sha3Hash:                    sha3Hash,
   hmacSha3:                    hmacSha3,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.7.82",
+  "version": "0.7.84",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cyclonedx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:3d6daca5-7eec-417f-a793-a338db272d40",
+  "serialNumber": "urn:uuid:4072392e-af80-4cf0-a9f7-095c0d6638e0",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-06T05:54:05.145Z",
+    "timestamp": "2026-05-06T06:11:44.785Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.7.82",
+      "bom-ref": "@blamejs/core@0.7.84",
       "type": "library",
       "name": "blamejs",
-      "version": "0.7.82",
+      "version": "0.7.84",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.7.82",
+      "purl": "pkg:npm/%40blamejs/core@0.7.84",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.7.82",
+      "ref": "@blamejs/core@0.7.84",
       "dependsOn": []
     }
   ]