@blamejs/core 0.7.88 → 0.7.90

package/CHANGELOG.md

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 
 ## v0.7.x
 
+- **0.7.90** (2026-05-06) — `b.outbox` — transactional outbox primitive for at-least-once event publication without distributed transactions. **`b.outbox.create({ externalDb, table, publisher, ... })`** returns an outbox instance with three core operations: `enqueue(event, txn)` writes the outbox row inside the operator's transaction (using the `txClient` returned by `b.externalDb.transaction`), `start()` spins a polling publisher worker that claims rows via `SELECT ... FOR UPDATE SKIP LOCKED` (Postgres) and dispatches to the operator-supplied async `publisher(event)` callback, `stop()` gracefully shuts the worker down. Failed publishes retry with exponential backoff (`retryBackoff: { initialMs, maxMs, factor }`); rows that exceed `maxAttempts` are marked `'dead'` for operator triage and an `system.outbox.deadletter` audit event fires. Schema is operator-managed: `outbox.declareSchema(externalDb)` runs an idempotent `CREATE TABLE IF NOT EXISTS ... (id, topic, payload, key, headers, enqueued_at, next_attempt_at, published_at, attempts, last_error, status)` + a partial index on `(next_attempt_at) WHERE status = 'pending'`. `pendingCount()` / `deadCount()` expose the queue depth + DLQ depth for operator dashboards. Observability events on every state transition (`outbox.enqueued` / `outbox.published` / `outbox.publish-failed` / `outbox.dead-letter`).
+
+- **0.7.89** (2026-05-06) — Three additive primitives bundled: TUS resumable uploads, WebAuthn Signal API, DPoP server-issued nonce challenge. **`b.middleware.tusUpload({ mountPath, store, ... })`** implements the [tus.io](https://tus.io) v1.0.0 resumable-upload protocol — POST creates uploads, HEAD reports offsets, PATCH appends chunks, DELETE terminates. Supported extensions: `creation`, `creation-with-upload`, `expiration`, `checksum`, `termination`. The `checksum` extension defaults to PQC-first algorithms (`sha3-512`, `shake256`) — operators add classical algorithms explicitly via `checksumAlgorithms`. A built-in `b.middleware.tusUpload.memoryStore({ maxSize })` ships for development; production operators implement the `{ create, head, append, setLength, terminate, purgeExpired, getBuffer }` shape against their object-store backend. Bounded chunk collection routes through `safeBuffer.boundedChunkCollector` (cap-enforced at push time, no 10-GiB pre-collect). Concatenation extension (parallel-chunk assembly) deferred — operators that need it compose against their store layer; re-open if a store-layer-only solution proves insufficient. **`b.auth.passkey.signalUnknownCredential` / `signalAllAcceptedCredentials` / `signalCurrentUserDetails`** add the W3C WebAuthn Signal API descriptor builders — when the browser implements `PublicKeyCredential.signal*`, operators emit the matching JSON descriptor to clean up stale passkeys, refresh user details, and surface revocations without forcing a re-registration. All three validate `rpId` / `userId` / `credentialId` shape (base64url) and refuse `name`/`displayName` longer than 256 chars. **`b.middleware.dpop({ requireNonce: true, nonceRotateSec? })`** implements RFC 9449 §8 server-issued DPoP-Nonce challenge — the middleware emits `DPoP-Nonce: <fresh>` on every 401 response, refuses proofs whose `nonce` claim isn't in the rolling current+previous pair, and refreshes the nonce on every successful response. The rolling-pair manager rotates without timers (lazy maybe-rotate on access); no operator nonce store needed. The `getNonce` callback path stays intact for operator-managed nonce flows.
+
 - **0.7.88** (2026-05-06) — `b.middleware.webAppManifest` + `b.middleware.assetlinks` — two static-content middlewares for PWA + Trusted Web Activity support. **`b.middleware.webAppManifest({ name, start_url, icons, ... })`** serves the W3C Web App Manifest at `/manifest.webmanifest` (and `/manifest.json` when `alsoAtJsonPath: true`). The framework JSON-serializes once at create() and serves with `Content-Type: application/manifest+json` per the W3C spec + `Cache-Control: public, max-age=86400` + `X-Content-Type-Options: nosniff`. The W3C-spec attribute set is allowlisted (name / short_name / description / start_url / scope / display / display_override / orientation / theme_color / background_color / icons / screenshots / shortcuts / categories / lang / dir / id / prefer_related_applications / related_applications) — typos throw at create. `name`, `start_url`, and at least one icon are required (W3C — installability minimum). HEAD + GET only. **`b.middleware.assetlinks({ statements })`** serves Digital Asset Links at `/.well-known/assetlinks.json` per Google's spec — used by Trusted Web Activity, Android App Links, Smart Lock for Passwords, WebAuthn for Android. Validates each statement carries `relation` (non-empty array) and `target` (object). Same Content-Type / Cache-Control / X-Content-Type-Options posture as the security.txt + manifest emitters.
 
 - **0.7.87** (2026-05-06) — Two route-guard middlewares for API hardening: `b.middleware.requireMethods` + `b.middleware.requireContentType`. **`b.middleware.requireMethods(["GET", "POST"])`** refuses any HTTP method outside the allowlist with `405 Method Not Allowed` + `Allow:` header listing the allowed methods (per RFC 9110 §15.5.6). Defends against unexpected verb routing — many CVE-class bugs trace to a route handler wired for GET that accidentally accepts arbitrary verbs (PROPFIND, OPTIONS, custom). **`b.middleware.requireContentType(["application/json"])`** refuses requests with a body (POST/PUT/PATCH by default) whose `Content-Type` isn't in the allowlist with `415 Unsupported Media Type` + `Accept:` header listing the allowed types (RFC 9110 §15.5.16). Defends against MIME-type confusion — a route that processes JSON shouldn't accept `application/x-www-form-urlencoded` even if the body parses. Both middlewares emit observability events (`middleware.requireMethods.denied` / `middleware.requireContentType.denied`) on every refusal for triage. Operators wanting to enforce content-type on idempotent verbs that DO carry bodies (rare DELETE-with-body shapes) override the default body-method list via `requireContentType(types, { methods })`.

package/index.js

@@ -213,6 +213,7 @@ var dualControl = require("./lib/dual-control");
 var retention = require("./lib/retention");
 var network = require("./lib/network");
 var cloudEvents = require("./lib/cloud-events");
+var outbox = require("./lib/outbox");
 
 module.exports = {
   crypto:           crypto,
@@ -360,6 +361,7 @@ module.exports = {
   retention:        retention,
   network:          network,
   cloudEvents:      cloudEvents,
+  outbox:           outbox,
   ntpCheck:         ntpCheck,
   version:          constants.version,
 };

package/lib/auth/passkey.js

@@ -57,9 +57,15 @@
  * sessions, audit, or DB. Routes integrate that themselves; the
  * primitive stays the smallest correct surface.
  */
+var safeBuffer = require("../safe-buffer");
 var _wa = require("../vendor/simplewebauthn-server.cjs");
 var { AuthError } = require("../framework-error");
 
+// W3C WebAuthn name field cap — same as the rpName/userName ceiling in
+// the spec's CredentialUserEntity / PublicKeyCredentialEntity dictionaries
+// (no normative limit but RPs broadly cap at 256 to defeat DOM cost).
+var MAX_NAME_LEN = 256;                                                            // allow:raw-byte-literal — UTF-16 codepoint count, not bytes
+
 function _vendor() {
   return _wa;
 }
@@ -173,9 +179,93 @@ async function verifyAuthentication(opts) {
   });
 }
 
+// ---- WebAuthn Signal API (W3C draft, 2024) ----
+//
+// The signal* methods build the JSON descriptor that the operator
+// returns to the client; the browser then calls the matching
+// `PublicKeyCredential.signal*` method to clean up stale passkeys
+// and refresh user details. These are pure builders — no I/O — so
+// validation throws at the boundary and the descriptor shape is the
+// W3C draft schema verbatim.
+
+function _b64urlValid(s) {
+  return typeof s === "string" && s.length > 0 && safeBuffer.BASE64URL_RE.test(s);
+}
+
+function signalUnknownCredential(opts) {
+  if (!opts) throw new AuthError("auth-passkey/missing-opts", "opts is required");
+  _requireString(opts.rpId, "rpId");
+  _requireString(opts.credentialId, "credentialId");
+  if (!_b64urlValid(opts.credentialId)) {
+    throw new AuthError("auth-passkey/bad-credential-id",
+      "credentialId must be base64url (no padding)");
+  }
+  return {
+    rpId:         opts.rpId,
+    credentialId: opts.credentialId,
+  };
+}
+
+function signalAllAcceptedCredentials(opts) {
+  if (!opts) throw new AuthError("auth-passkey/missing-opts", "opts is required");
+  _requireString(opts.rpId, "rpId");
+  _requireString(opts.userId, "userId");
+  if (!_b64urlValid(opts.userId)) {
+    throw new AuthError("auth-passkey/bad-user-id",
+      "userId must be base64url (no padding)");
+  }
+  if (!Array.isArray(opts.allAcceptedCredentialIds)) {
+    throw new AuthError("auth-passkey/bad-accepted-list",
+      "allAcceptedCredentialIds must be an array");
+  }
+  for (var i = 0; i < opts.allAcceptedCredentialIds.length; i++) {
+    if (!_b64urlValid(opts.allAcceptedCredentialIds[i])) {
+      throw new AuthError("auth-passkey/bad-accepted-list",
+        "allAcceptedCredentialIds[" + i + "] must be base64url");
+    }
+  }
+  return {
+    rpId:                     opts.rpId,
+    userId:                   opts.userId,
+    allAcceptedCredentialIds: opts.allAcceptedCredentialIds.slice(),
+  };
+}
+
+function signalCurrentUserDetails(opts) {
+  if (!opts) throw new AuthError("auth-passkey/missing-opts", "opts is required");
+  _requireString(opts.rpId, "rpId");
+  _requireString(opts.userId, "userId");
+  if (!_b64urlValid(opts.userId)) {
+    throw new AuthError("auth-passkey/bad-user-id",
+      "userId must be base64url (no padding)");
+  }
+  _requireString(opts.name, "name");
+  _requireString(opts.displayName, "displayName");
+  // RP-relevant length cap — the descriptor is a hint to the browser,
+  // not a stored value, but absurdly long names indicate a misuse and
+  // we refuse rather than truncate silently.
+  if (opts.name.length > MAX_NAME_LEN) {
+    throw new AuthError("auth-passkey/name-too-long",
+      "name must be <= " + MAX_NAME_LEN + " characters");
+  }
+  if (opts.displayName.length > MAX_NAME_LEN) {
+    throw new AuthError("auth-passkey/displayname-too-long",
+      "displayName must be <= " + MAX_NAME_LEN + " characters");
+  }
+  return {
+    rpId:        opts.rpId,
+    userId:      opts.userId,
+    name:        opts.name,
+    displayName: opts.displayName,
+  };
+}
+
 module.exports = {
-  startRegistration:    startRegistration,
-  verifyRegistration:   verifyRegistration,
-  startAuthentication:  startAuthentication,
-  verifyAuthentication: verifyAuthentication,
+  startRegistration:            startRegistration,
+  verifyRegistration:           verifyRegistration,
+  startAuthentication:          startAuthentication,
+  verifyAuthentication:         verifyAuthentication,
+  signalUnknownCredential:      signalUnknownCredential,
+  signalAllAcceptedCredentials: signalAllAcceptedCredentials,
+  signalCurrentUserDetails:     signalCurrentUserDetails,
 };

package/lib/middleware/dpop.js

@@ -35,6 +35,8 @@
  *   - audit.bearer.failure event when audit: true (default)
  */
 
+var C = require("../constants");
+var bCrypto = require("../crypto");
 var lazyRequire = require("../lazy-require");
 var requestHelpers = require("../request-helpers");
 var validateOpts = require("../validate-opts");
@@ -43,20 +45,63 @@ var { AuthError } = require("../framework-error");
 var dpop = lazyRequire(function () { return require("../auth/dpop"); });
 var audit = lazyRequire(function () { return require("../audit"); });
 
-function _writeUnauthorized(res, errorCode, description) {
+// RFC 9449 §8 — server-issued nonce length (24 random bytes ≈ 192 bits
+// of entropy after base64url, far above the spec's "unpredictable" bar).
+var DPOP_NONCE_BYTES = C.BYTES.bytes(24);
+
+function _writeUnauthorized(res, errorCode, description, freshNonce) {
   if (res.headersSent) return;
   var body = JSON.stringify({ error: errorCode, error_description: description });
   // RFC 9449 §7 — error code is invalid_dpop_proof OR use_dpop_nonce.
   var challenge = 'DPoP error="' + errorCode + '", error_description="' +
                   description.replace(/"/g, "'") + '"';
-  res.writeHead(401, {                                                             // allow:raw-byte-literal — HTTP 401 status
+  var headers = {                                                                  // allow:raw-byte-literal — HTTP 401 status
     "Content-Type":     "application/json; charset=utf-8",
     "Content-Length":   Buffer.byteLength(body),
     "WWW-Authenticate": challenge,
-  });
+  };
+  if (freshNonce) headers["DPoP-Nonce"] = freshNonce;
+  res.writeHead(401, headers);
   res.end(body);
 }
 
+// RFC 9449 §8 — server-issued DPoP-Nonce challenge. The framework
+// holds a rolling pair (current, previous) and rotates after
+// rotateSec elapses. Both the current and previous values are
+// accepted from clients; previous is needed to cover the brief
+// race window after rotation when in-flight requests still carry
+// the prior nonce. Rotation happens lazily on access; no timer.
+function _nonceManager(rotateSec) {
+  var rotateMs = C.TIME.seconds(rotateSec);
+  var current = null;
+  var previous = null;
+  function _fresh() {
+    return {
+      nonce:    bCrypto.generateBytes(DPOP_NONCE_BYTES).toString("base64url"),
+      issuedAt: Date.now(),
+    };
+  }
+  function _maybeRotate() {
+    var now = Date.now();
+    if (current === null) {
+      current = _fresh();
+      return;
+    }
+    if (now - current.issuedAt >= rotateMs) {
+      previous = current;
+      current = _fresh();
+    }
+  }
+  return {
+    issue: function () { _maybeRotate(); return current.nonce; },
+    accepts: function (n) {
+      _maybeRotate();
+      if (typeof n !== "string" || n.length === 0) return false;
+      return (current && n === current.nonce) || (previous && n === previous.nonce);
+    },
+  };
+}
+
 function _reconstructHtu(req) {
   // The proof's htu is the request URI WITHOUT query/fragment. Behind
   // a reverse proxy the operator may need to override via opts.htu /
@@ -77,12 +122,38 @@ function create(opts) {
   validateOpts(opts, [
     "replayStore", "algorithms", "iatWindowSec",
     "getAccessToken", "getNonce", "getHtu", "audit",
+    "nonceStore", "nonceWindowSec", "nonceRotateSec", "requireNonce",
   ], "middleware.dpop");
 
   var auditOn = opts.audit !== false;
   var algorithms = opts.algorithms;
   var iatWindowSec = opts.iatWindowSec;
   var replayStore = opts.replayStore;
+  var requireNonce = opts.requireNonce === true;
+
+  // Server-issued DPoP-Nonce challenge flow (RFC 9449 §8). When
+  // requireNonce is true, the middleware refuses any proof that does
+  // not carry a recognised nonce, and emits a fresh DPoP-Nonce
+  // header on every 401 + as a refresh on every successful response.
+  // The rolling-pair manager rotates without timers; no operator
+  // store is needed.
+  var nonceMgr = null;
+  if (requireNonce) {
+    validateOpts.optionalPositiveFinite(opts.nonceRotateSec,
+      "middleware.dpop: nonceRotateSec", AuthError, "auth-dpop/bad-opt");
+    var rotateSec = opts.nonceRotateSec || (C.TIME.minutes(5) / C.TIME.seconds(1));
+    nonceMgr = _nonceManager(rotateSec);
+  }
+  // Reject the obsolete nonceStore opt with a clear migration message —
+  // pre-v0.7.89 docs may surface it; the rolling-pair shape supersedes.
+  if (opts.nonceStore !== undefined) {
+    throw new AuthError("auth-dpop/bad-opt",
+      "middleware.dpop: opts.nonceStore is not supported — use { requireNonce: true, nonceRotateSec? }; the rolling-pair manager is internal");
+  }
+  if (opts.nonceWindowSec !== undefined) {
+    throw new AuthError("auth-dpop/bad-opt",
+      "middleware.dpop: opts.nonceWindowSec is not supported — use nonceRotateSec");
+  }
 
   validateOpts.optionalFunction(opts.getAccessToken,
     "middleware.dpop: getAccessToken", AuthError, "auth-dpop/bad-opt");
@@ -91,10 +162,14 @@ function create(opts) {
   validateOpts.optionalFunction(opts.getHtu,
     "middleware.dpop: getHtu", AuthError, "auth-dpop/bad-opt");
 
+  function _freshNonce() { return nonceMgr ? nonceMgr.issue() : null; }
+
   return async function dpopMiddleware(req, res, next) {
     var proofHeader = req.headers && req.headers.dpop;
     if (typeof proofHeader !== "string" || proofHeader.length === 0) {
-      return _writeUnauthorized(res, "invalid_dpop_proof", "DPoP header required");
+      return _writeUnauthorized(res,
+        nonceMgr ? "use_dpop_nonce" : "invalid_dpop_proof",
+        "DPoP header required", _freshNonce());
     }
     // RFC 9449 §4.1 — only ONE DPoP header value per request.
     if (Array.isArray(proofHeader)) {
@@ -117,6 +192,12 @@ function create(opts) {
     if (typeof opts.getNonce === "function") {
       try { nonce = await opts.getNonce(req); }
       catch (_e) { nonce = null; }
+    } else if (nonceMgr) {
+      // For server-managed nonces, verify() runs WITHOUT a strict
+      // expected-nonce; we then check the payload's nonce against
+      // our rolling-pair below. This lets us issue + rotate without
+      // requiring a request-by-request operator callback.
+      nonce = null;
     }
 
     var verifyOpts = { htm: htm, htu: htu };
@@ -150,7 +231,35 @@ function create(opts) {
         errorCode = "use_dpop_nonce";
       }
       return _writeUnauthorized(res, errorCode,
-        (e && e.message) || "DPoP proof verification failed");
+        (e && e.message) || "DPoP proof verification failed",
+        _freshNonce());
+    }
+
+    // Server-managed nonce check — payload MUST carry a recognized
+    // rolling-pair nonce. Missing or stale → 401 + DPoP-Nonce.
+    if (nonceMgr) {
+      var presented = result.payload && result.payload.nonce;
+      if (typeof presented !== "string" || !nonceMgr.accepts(presented)) {
+        if (auditOn) {
+          try {
+            audit().safeEmit({
+              action:  "auth.bearer.failure",
+              actor:   { clientIp: requestHelpers.clientIp(req) },
+              outcome: "fail",
+              metadata: { method: "dpop", reason: "stale-nonce", route: req.url },
+            });
+          } catch (_ignored) { /* drop-silent */ }
+        }
+        return _writeUnauthorized(res, "use_dpop_nonce",
+          "DPoP-Nonce required (server-managed challenge)", _freshNonce());
+      }
+    }
+
+    // Refresh the nonce on every successful response so the client
+    // always carries the latest one (RFC 9449 §8.1 recommendation).
+    if (nonceMgr && !res.headersSent) {
+      try { res.setHeader("DPoP-Nonce", _freshNonce()); }
+      catch (_e) { /* drop-silent — header set best-effort */ }
     }
 
     req.dpop = result;

package/lib/middleware/index.js

@@ -46,6 +46,7 @@ var requireMethods = require("./require-methods");
 var securityHeaders = require("./security-headers");
 var securityTxt = require("./security-txt");
 var sse = require("./sse");
+var tusUpload = require("./tus-upload");
 var webAppManifest = require("./web-app-manifest");
 
 module.exports = {
@@ -79,6 +80,7 @@ module.exports = {
   dpop:             dpop.create,
   hostAllowlist:    hostAllowlist.create,
   networkAllowlist: networkAllowlist.create,
+  tusUpload:        tusUpload.create,
   webAppManifest:   webAppManifest.create,
 
   // Module exports for advanced use (constants, raw factory access)
@@ -110,6 +112,9 @@ module.exports = {
     dpop:             dpop,
     hostAllowlist:    hostAllowlist,
     networkAllowlist: networkAllowlist,
+    tusUpload:        tusUpload,
     webAppManifest:   webAppManifest,
   },
 };
+
+module.exports.tusUpload.memoryStore = tusUpload.memoryStore;