@blamejs/core 0.7.84 → 0.7.86

package/CHANGELOG.md

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 
 ## v0.7.x
 
+- **0.7.86** (2026-05-06) — `b.middleware.csrfProtect({ requireJsonContentType: true })` — strict-fetch mode for JSON-only API surfaces. State-changing requests (POST/PUT/PATCH/DELETE) without `Content-Type: application/json` are refused before the token check with `CSRF: state-changing requests require Content-Type: application/json.` and audit emission `csrf.denied` with `reason: "non-JSON content-type: ..."`. The browser's form-encoded POST shape is the canonical CSRF vector — a malicious page can `<form action="/transfer" method=POST>` a victim into a state-changing request without a preflight. An `application/json` body forces a CORS preflight (the browser refuses to skip it for non-simple Content-Type values), so an attacker without an operator-allowlisted CORS origin can't reach the route at all. Default `false` — operators with HTML form submissions on the same routes (mixed SPA + classic form pages) keep current behavior; pure-fetch API operators opt in.
+
+- **0.7.85** (2026-05-06) — `b.auth.statusList` — OAuth Token Status List (draft-ietf-oauth-status-list-20). The canonical credential-revocation mechanism for SD-JWT VC and OpenID for Verifiable Credentials. An issuer publishes a JWT-wrapped bitstring at a URL; relying parties fetch + check the bit at index N to determine if the credential whose `status_list` claim points at that URL+index is valid / invalid / suspended / application-specific. **`b.auth.statusList.create({ size, bits?, fill? })`** allocates a bit-packed buffer (`bits` ∈ {1, 2, 4, 8} per draft §6.1.1, default 1). The returned object exposes `.set(idx, status)` / `.get(idx)` / `.snapshot()` / `.toJwt({ issuer, subject, privateKey, algorithm, expiresInSec?, ... })`. **`b.auth.statusList.fromJwt(token, { publicKey | keyResolver, algorithms?, expectedIssuer?, ... })`** verifies the JWT through `b.auth.jwt.verify` and returns `{ list, claims }` — the list exposes `.get(idx)` to check status of an individual credential without decompressing into a separate Buffer. The bitstring is zlib-deflated (RFC 1951 raw deflate per draft §6.1.4) before base64url encoding so a million-entry list collapses to ~125 KB on the wire when most bits are zero. Caps the compressed payload at 1 MiB; operators publishing larger lists shard. Status constants exported as `b.auth.statusList.STATUS_{VALID,INVALID,SUSPENDED,APPLICATION_SPECIFIC}`. Foundational for the v0.7.58 EU AI Act + eIDAS 2.0 wallet slice.
+
 - **0.7.84** (2026-05-06) — `b.crypto.sri(content, { algorithm? })` — Subresource Integrity hash builder per W3C SRI 1.0. Operators emit `<script integrity="sha384-...">` and `<link integrity="sha384-...">` to defend against CDN compromise + ISP MITM injection — the browser refuses to load a resource whose actual hash diverges from the integrity attribute. Default algorithm is `sha384` (W3C §3.2 — collision margin without sha512's 64-byte overhead); `sha256` and `sha512` also accepted, anything else refused. Accepts `Buffer` / `Uint8Array` / `string` / array of those — array inputs emit multiple space-separated integrity tokens per W3C §3.3 multi-integrity (browser picks the strongest it recognizes). Returns the standard `sha###-<base64>` format ready to paste into the `integrity=""` attribute.
 
 - **0.7.83** (2026-05-06) — `b.auth.oauth.endSessionUrl()` (OpenID Connect RP-Initiated Logout) + `b.auth.oauth.pushAuthorizationRequest()` (RFC 9126 PAR). **`endSessionUrl({ idTokenHint?, postLogoutRedirectUri?, state?, logoutHint?, uiLocales?, clientId?, extraParams? })`** builds the URL the operator's `/logout` route redirects the user-agent to so the IdP terminates the session and bounces back to the operator's app. The IdP's `end_session_endpoint` is read from the OIDC discovery document or operator-supplied at `create({ endSessionEndpoint })`. **`pushAuthorizationRequest({ state?, nonce?, prompt?, loginHint?, maxAge?, extraParams? })`** POSTs the authorization-request parameters directly to the IdP's PAR endpoint (mTLS or client-secret authenticated) and returns `{ url, state, nonce, verifier, challenge, requestUri, expiresIn }` — the browser-side redirect URL is `<authorizationEndpoint>?client_id=...&request_uri=...`. Defends against authorization-request parameter tampering by an MITM at the user-agent + against URL-length overflow on long authorization requests (request_uri reference is short). The PAR endpoint is read from the discovery doc's `pushed_authorization_request_endpoint` or operator-supplied at `create({ pushedAuthorizationRequestEndpoint })`. Both helpers throw `auth-oauth/no-end-session-endpoint` / `auth-oauth/no-par-endpoint` when neither the discovery doc nor the operator opts supply the endpoint.

package/index.js

@@ -139,6 +139,7 @@ var auth = {
   lockout:  require("./lib/auth/lockout"),
   dpop:     require("./lib/auth/dpop"),
   aal:      require("./lib/auth/aal"),
+  statusList: require("./lib/auth/status-list"),
 };
 var template = require("./lib/template");
 var render = require("./lib/render");

package/lib/auth/status-list.js

@@ -0,0 +1,271 @@
+"use strict";
+/**
+ * OAuth Token Status List (draft-ietf-oauth-status-list-20).
+ *
+ * An issuer publishes a JWT-wrapped bitstring at a URL; relying
+ * parties fetch + check the bit at index N to determine if the
+ * credential whose `status_list` claim points at that URL + index
+ * has been revoked / suspended / is still valid. The format is the
+ * canonical replacement for the older "status list" mechanisms in
+ * SD-JWT VC and OpenID for Verifiable Credentials.
+ *
+ * Status values per draft §4.2:
+ *   0 = VALID
+ *   1 = INVALID
+ *   2 = SUSPENDED
+ *   3 = APPLICATION_SPECIFIC
+ *   ... (1-bit / 2-bit / 4-bit / 8-bit `bits` size — operator picks)
+ *
+ *   var list = b.auth.statusList.create({ size: 1024, bits: 1 });
+ *   list.set(42, 1);                                  // mark idx 42 INVALID
+ *   var jwt = await list.toJwt({
+ *     issuer:     "https://issuer.example.com",
+ *     subject:    "https://issuer.example.com/status/list/1",
+ *     privateKey: env("STATUS_LIST_PRIVATE_KEY_PEM"),
+ *     algorithm:  "ML-DSA-87",      // matches b.auth.jwt's PQC default
+ *   });
+ *
+ *   // Receive side:
+ *   var rv = await b.auth.statusList.fromJwt(jwt, { publicKey: pem });
+ *   rv.list.get(42)   // → 1 (INVALID)
+ *
+ * The JWT payload shape per draft §6.1:
+ *   {
+ *     iss: "<issuer>",
+ *     sub: "<this-list-uri>",
+ *     iat: <issued-at>,
+ *     exp: <optional-expires>,
+ *     ttl: <optional-cache-ttl>,
+ *     status_list: { bits: 1|2|4|8, lst: "<base64url(zlib(bitstring))>" },
+ *   }
+ *
+ * The bitstring is zlib-deflated (RFC 1951 raw deflate per draft
+ * §6.1.4) before base64url encoding so a million-entry list collapses
+ * to a few KB on the wire when most bits are zero.
+ */
+
+var nodeCrypto = require("crypto");
+var zlib = require("node:zlib");
+var safeJson = require("../safe-json");
+var validateOpts = require("../validate-opts");
+var C = require("../constants");
+var jwt = require("./jwt");
+var { defineClass } = require("../framework-error");
+
+var StatusListError = defineClass("StatusListError", { alwaysPermanent: true });
+
+var SUPPORTED_BIT_SIZES = { 1: 1, 2: 1, 4: 1, 8: 1 };                            // allow:raw-byte-literal — bit-size enum (1/2/4/8 bits per status), not bytes
+var STATUS_VALID                = 0;
+var STATUS_INVALID              = 1;
+var STATUS_SUSPENDED            = 2;
+var STATUS_APPLICATION_SPECIFIC = 3;
+
+// Cap the on-the-wire compressed payload at 1 MiB (a million 1-bit
+// entries compress to ~125 KB when most are zero; 8 MiB on the wire
+// is more than the spec's expected use). Operators publishing larger
+// status lists should shard.
+var MAX_LIST_BYTES = C.BYTES.mib(1);
+
+function _b64url(buf) {
+  return buf.toString("base64").replace(/=+$/g, "").replace(/\+/g, "-").replace(/\//g, "_");
+}
+
+function _fromB64url(s) {
+  var padded = s.replace(/-/g, "+").replace(/_/g, "/");
+  while (padded.length % 4) padded += "=";                                       // allow:raw-byte-literal — base64 quartet padding
+  return Buffer.from(padded, "base64");
+}
+
+function _validateBits(bits) {
+  if (!SUPPORTED_BIT_SIZES[bits]) {
+    throw new StatusListError("status-list/bad-bits",
+      "statusList: bits must be 1, 2, 4, or 8 (draft §6.1.1) — got " + bits);
+  }
+}
+
+function _validateStatus(status, bits) {
+  if (typeof status !== "number" || !isFinite(status) || status < 0 || (status >> 0) !== status) {
+    throw new StatusListError("status-list/bad-status",
+      "statusList: status must be a non-negative integer — got " + status);
+  }
+  var max = (1 << bits) - 1;
+  if (status > max) {
+    throw new StatusListError("status-list/bad-status",
+      "statusList: status " + status + " exceeds bits=" + bits + " ceiling " + max);
+  }
+}
+
+function create(opts) {
+  validateOpts.requireObject(opts, "statusList.create", StatusListError);
+  validateOpts(opts, ["size", "bits", "fill"], "statusList.create");
+  var size = opts.size;
+  if (typeof size !== "number" || !isFinite(size) || size <= 0 || (size >> 0) !== size) {
+    throw new StatusListError("status-list/bad-size",
+      "statusList.create: size must be a positive integer — got " + size);
+  }
+  var bits = opts.bits === undefined ? 1 : opts.bits;
+  _validateBits(bits);
+  // Allocate the bit-packed buffer up front. byteCount = ceil(size*bits/8).
+  var bitBytes = Math.ceil((size * bits) / 8);                                   // allow:raw-byte-literal — bits-per-byte conversion
+  var bytes = Buffer.alloc(bitBytes);
+  if (opts.fill !== undefined && opts.fill !== 0) {
+    _validateStatus(opts.fill, bits);
+    for (var i = 0; i < size; i += 1) _setAt(bytes, bits, i, opts.fill);
+  }
+
+  function set(idx, status) {
+    if (typeof idx !== "number" || idx < 0 || idx >= size || (idx >> 0) !== idx) {
+      throw new StatusListError("status-list/bad-index",
+        "statusList.set: idx out of range — got " + idx + ", size=" + size);
+    }
+    _validateStatus(status, bits);
+    _setAt(bytes, bits, idx, status);
+  }
+
+  function get(idx) {
+    if (typeof idx !== "number" || idx < 0 || idx >= size || (idx >> 0) !== idx) {
+      throw new StatusListError("status-list/bad-index",
+        "statusList.get: idx out of range — got " + idx + ", size=" + size);
+    }
+    return _getAt(bytes, bits, idx);
+  }
+
+  function snapshot() {
+    return { size: size, bits: bits, bytes: Buffer.from(bytes) };
+  }
+
+  // ---- JWT issuance ----
+  // Returns the canonical JWT payload + signed compact form per
+  // draft §6.1. The signing key is operator-supplied; the framework
+  // wraps b.auth.jwt.sign with the status-list-specific claim shape.
+  async function toJwt(jwtOpts) {
+    validateOpts.requireObject(jwtOpts, "statusList.toJwt", StatusListError);
+    validateOpts(jwtOpts, [
+      "issuer", "subject", "privateKey", "algorithm",
+      "expiresInSec", "notBeforeSec", "now", "ttl",
+    ], "statusList.toJwt");
+    validateOpts.requireNonEmptyString(jwtOpts.issuer,
+      "statusList.toJwt: issuer", StatusListError, "status-list/bad-issuer");
+    validateOpts.requireNonEmptyString(jwtOpts.subject,
+      "statusList.toJwt: subject", StatusListError, "status-list/bad-subject");
+    var deflated = zlib.deflateRawSync(bytes);
+    if (deflated.length > MAX_LIST_BYTES) {
+      throw new StatusListError("status-list/too-large",
+        "statusList.toJwt: compressed list exceeds " + MAX_LIST_BYTES + " bytes — shard the list");
+    }
+    var lst = _b64url(deflated);
+    var claims = {
+      iss:         jwtOpts.issuer,
+      sub:         jwtOpts.subject,
+      status_list: { bits: bits, lst: lst },
+    };
+    if (typeof jwtOpts.ttl === "number") claims.ttl = jwtOpts.ttl;
+    return await jwt.sign(claims, {
+      privateKey:   jwtOpts.privateKey,
+      algorithm:    jwtOpts.algorithm,
+      typ:          "statuslist+jwt",
+      expiresInSec: jwtOpts.expiresInSec,
+      notBeforeSec: jwtOpts.notBeforeSec,
+      now:          jwtOpts.now,
+    });
+  }
+
+  return {
+    set:        set,
+    get:        get,
+    size:       size,
+    bits:       bits,
+    snapshot:   snapshot,
+    toJwt:      toJwt,
+  };
+}
+
+// ---- bit-packed helpers ----
+
+function _setAt(bytes, bits, idx, status) {
+  if (bits === 8) { bytes[idx] = status & 0xff; return; }                        // allow:raw-byte-literal — byte mask
+  var bitOffset = idx * bits;
+  var byteIdx   = Math.floor(bitOffset / 8);                                     // allow:raw-byte-literal — bits-per-byte
+  var bitInByte = bitOffset % 8;                                                 // allow:raw-byte-literal — bits-per-byte
+  var mask      = ((1 << bits) - 1) << bitInByte;
+  bytes[byteIdx] = (bytes[byteIdx] & ~mask) | ((status << bitInByte) & mask);
+}
+
+function _getAt(bytes, bits, idx) {
+  if (bits === 8) return bytes[idx];                                             // allow:raw-byte-literal — 8-bit fast path
+  var bitOffset = idx * bits;
+  var byteIdx   = Math.floor(bitOffset / 8);                                     // allow:raw-byte-literal — bits-per-byte
+  var bitInByte = bitOffset % 8;                                                 // allow:raw-byte-literal — bits-per-byte
+  var mask      = (1 << bits) - 1;
+  return (bytes[byteIdx] >> bitInByte) & mask;
+}
+
+// ---- JWT verification ----
+
+async function fromJwt(token, opts) {
+  validateOpts.requireObject(opts, "statusList.fromJwt", StatusListError);
+  if (typeof token !== "string" || token.length === 0) {
+    throw new StatusListError("status-list/bad-token",
+      "statusList.fromJwt: token must be a non-empty string");
+  }
+  // Verify the JWT signature using the framework's b.auth.jwt verifier.
+  // Allow operator-supplied algorithms (defaults to PQC list).
+  var claims = await jwt.verify(token, {
+    publicKey:    opts.publicKey,
+    keyResolver:  opts.keyResolver,
+    algorithms:   opts.algorithms,
+    issuer:       opts.expectedIssuer,
+    audience:     opts.expectedAudience,
+    clockToleranceSec: opts.clockToleranceSec,
+    now:          opts.now,
+  });
+  var sl = claims.status_list;
+  if (!sl || typeof sl !== "object" || typeof sl.lst !== "string") {
+    throw new StatusListError("status-list/bad-claims",
+      "statusList.fromJwt: payload missing status_list.lst (draft §6.1)");
+  }
+  var bits = sl.bits === undefined ? 1 : sl.bits;
+  _validateBits(bits);
+  var deflated;
+  try { deflated = _fromB64url(sl.lst); }
+  catch (e) {
+    throw new StatusListError("status-list/bad-base64",
+      "statusList.fromJwt: lst is not valid base64url: " + ((e && e.message) || String(e)));
+  }
+  if (deflated.length > MAX_LIST_BYTES) {
+    throw new StatusListError("status-list/too-large",
+      "statusList.fromJwt: compressed list exceeds " + MAX_LIST_BYTES + " bytes");
+  }
+  var inflated;
+  try { inflated = zlib.inflateRawSync(deflated, { maxOutputLength: MAX_LIST_BYTES * 8 }); }      // allow:raw-byte-literal — 8x compression-ratio cap
+  catch (e) {
+    throw new StatusListError("status-list/inflate-failed",
+      "statusList.fromJwt: zlib inflate failed: " + ((e && e.message) || String(e)));
+  }
+  // Reconstruct the list object pointing at the inflated bytes.
+  var size = (inflated.length * 8) / bits;                                       // allow:raw-byte-literal — bits-per-byte
+  return {
+    list: {
+      size:     size,
+      bits:     bits,
+      get:      function (idx) { return _getAt(inflated, bits, idx); },
+      snapshot: function () { return { size: size, bits: bits, bytes: Buffer.from(inflated) }; },
+    },
+    claims: claims,
+  };
+}
+
+// Provide structured-error helpers so a tree-shake-friendly consumer
+// can write switch(status) { case b.auth.statusList.STATUS_VALID: ... }.
+void safeJson;                                                                   // imported for symmetry; reserved for future helpers
+void nodeCrypto;
+
+module.exports = {
+  create:      create,
+  fromJwt:     fromJwt,
+  STATUS_VALID:                 STATUS_VALID,
+  STATUS_INVALID:               STATUS_INVALID,
+  STATUS_SUSPENDED:             STATUS_SUSPENDED,
+  STATUS_APPLICATION_SPECIFIC:  STATUS_APPLICATION_SPECIFIC,
+  StatusListError:              StatusListError,
+};

package/lib/middleware/csrf-protect.js

@@ -228,7 +228,7 @@ function create(opts) {
 
   validateOpts(opts, [
     "cookie", "tokenLookup", "fieldName", "headerName", "methods", "audit",
-    "trustProxy", "checkOrigin", "allowedOrigins",
+    "trustProxy", "checkOrigin", "allowedOrigins", "requireJsonContentType",
   ], "middleware.csrfProtect");
   var trustProxy = opts.trustProxy === true || typeof opts.trustProxy === "number"
     ? opts.trustProxy : false;
@@ -264,6 +264,19 @@ function create(opts) {
   var allowedOrigins = Array.isArray(opts.allowedOrigins)
     ? opts.allowedOrigins.slice() : null;
 
+  // requireJsonContentType — strict-fetch mode for JSON-only API
+  // surfaces. State-changing requests without `Content-Type:
+  // application/json` are refused before the token check. The browser's
+  // form-encoded POST shape is the canonical CSRF vector — a malicious
+  // page can <form action="/transfer" method=POST> a victim into a
+  // state-changing request without a preflight; an `application/json`
+  // body forces a CORS preflight (the browser refuses to skip it for
+  // non-simple Content-Type values), so an attacker without an
+  // operator-allowlisted CORS origin can't reach the route at all.
+  // Operators with HTML form submissions on the same routes (mixed
+  // SPA + classic form pages) leave this opt-out (default).
+  var requireJsonCt = opts.requireJsonContentType === true;
+
   // Cookie issuance config (only when opts.cookie is set).
   var cookieCfg = null;
   if (hasCookie) {
@@ -353,6 +366,16 @@ function create(opts) {
 
     if (methods.indexOf(req.method) === -1) return next();
 
+    // requireJsonContentType — refuse before the token check.
+    if (requireJsonCt) {
+      var ct = req.headers && req.headers["content-type"];
+      var bare = (typeof ct === "string" ? ct.split(";")[0].trim().toLowerCase() : "");
+      if (bare !== "application/json") {
+        _emitDenied(req, "non-JSON content-type: " + (bare || "<absent>"));
+        return _writeReject(res, "CSRF: state-changing requests require Content-Type: application/json.");
+      }
+    }
+
     // Origin / Referer cross-check (defense-in-depth alongside the
     // double-submit token). Refuses cross-origin state-changing
     // requests even when the token is valid (e.g. operator-mistaken

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.7.84",
+  "version": "0.7.86",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cyclonedx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:4072392e-af80-4cf0-a9f7-095c0d6638e0",
+  "serialNumber": "urn:uuid:256e94d1-19a3-4626-8930-d068f5ff939f",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-06T06:11:44.785Z",
+    "timestamp": "2026-05-06T06:31:01.232Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.7.84",
+      "bom-ref": "@blamejs/core@0.7.86",
       "type": "library",
       "name": "blamejs",
-      "version": "0.7.84",
+      "version": "0.7.86",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.7.84",
+      "purl": "pkg:npm/%40blamejs/core@0.7.86",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.7.84",
+      "ref": "@blamejs/core@0.7.86",
       "dependsOn": []
     }
   ]