@blamejs/core 0.8.0 → 0.8.4

package/lib/http-client.js

@@ -16,7 +16,7 @@
  *     body,               // Buffer | string | Readable | undefined
  *     timeoutMs,          // wall-clock cap (caller-chosen, no default)
  *     idleTimeoutMs,      // zero-progress idle cap (default 30s)
- *     responseMode,       // "buffer" (default) | "stream"
+ *     responseMode,       // "buffer" (default) | "stream" | "always-resolve"
  *     maxResponseBytes,   // for buffer mode (default 16 MiB control,
  *                         //   1 GiB GET — operators with > 1 GiB
  *                         //   stored objects must use stream mode)
@@ -618,6 +618,11 @@ function _requestWithRedirects(opts, hopsLeft) {
     var u0 = safeUrl.parse(opts.url, { allowedProtocols: safeUrl.ALLOW_HTTP_ALL });
     originalOrigin = u0.protocol + "//" + u0.host;
   } catch (_e) { /* request() will reject on next hop's parse */ }
+  // onRedirect: function ({ from, to, hop, headersStripped, statusCode }) — called
+  // BEFORE each follow. Operator can mutate the next-hop URL or abort
+  // the redirect by throwing. Async hooks are awaited.
+  var onRedirect = typeof opts.onRedirect === "function" ? opts.onRedirect : null;
+  var hopCount = 0;
 
   var current = Object.assign({}, opts, { _resolveOnRedirect: true });
   function _follow() {
@@ -628,6 +633,7 @@ function _requestWithRedirects(opts, hopsLeft) {
       var loc = res.headers && (res.headers.location || res.headers.Location);
       if (!loc) return { finalOpts: current, res: res };  // 3xx with no Location — operator handles
       hopsLeft -= 1;
+      hopCount += 1;
 
       // Resolve relative Location against the just-fetched URL (the URL
       // of the request that produced the redirect, which may itself be a
@@ -651,8 +657,10 @@ function _requestWithRedirects(opts, hopsLeft) {
         var nu = safeUrl.parse(nextUrl, { allowedProtocols: safeUrl.ALLOW_HTTP_ALL });
         nextOrigin = nu.protocol + "//" + nu.host;
       } catch (_e) { /* request() will reject when it tries to parse */ }
+      var headersStripped = false;
       if (originalOrigin && nextOrigin && nextOrigin !== originalOrigin) {
         nextHeaders = _stripCrossOriginAuth(nextHeaders);
+        headersStripped = true;
       }
 
       // 303 → always GET; body dropped. 301/302 → historical clients
@@ -667,14 +675,42 @@ function _requestWithRedirects(opts, hopsLeft) {
         nextBody = undefined;
       }
 
-      current = Object.assign({}, current, {
-        url:                 nextUrl,
-        method:              nextMethod,
-        body:                nextBody,
-        headers:             nextHeaders,
-        _resolveOnRedirect:  true,
-      });
-      return _follow();
+      function _continueFollow() {
+        current = Object.assign({}, current, {
+          url:                 nextUrl,
+          method:              nextMethod,
+          body:                nextBody,
+          headers:             nextHeaders,
+          _resolveOnRedirect:  true,
+        });
+        return _follow();
+      }
+
+      // Caller-supplied redirect hook fires here. The hook can throw
+      // (sync) or reject (async) to abort the follow with a custom
+      // error; otherwise we proceed to the next hop. We pre-bind the
+      // values the hook gets and pass them in a frozen object so a
+      // caller can't mutate the in-flight pipeline by side-effect.
+      if (onRedirect) {
+        var hookEvent = Object.freeze({
+          from:            current.url,
+          to:              nextUrl,
+          hop:             hopCount,
+          statusCode:      res.statusCode,
+          headersStripped: headersStripped,
+          method:          nextMethod,
+        });
+        try {
+          var hookResult = onRedirect(hookEvent);
+          if (hookResult && typeof hookResult.then === "function") {
+            return hookResult.then(function () { return _continueFollow(); });
+          }
+        } catch (e) {
+          return Promise.reject(_makeError(opts.errorClass, "REDIRECT_ABORTED",
+            "onRedirect hook refused redirect: " + ((e && e.message) || String(e)), true));
+        }
+      }
+      return _continueFollow();
     });
   }
   void originalUrl;
@@ -885,7 +921,7 @@ function _requestH1(transport, u, opts) {
       }
 
       if (responseMode === "stream") {
-        if (res.statusCode >= 400) {
+        if (res.statusCode >= 400 && responseMode !== "always-resolve") {
           res.resume();
           return _reject(_makeError(opts.errorClass, "HTTP_ERROR",
             "HTTP " + res.statusCode + " " + (res.statusMessage || ""),
@@ -936,6 +972,14 @@ function _requestH1(transport, u, opts) {
           // request() never sets _resolveOnRedirect — operator code that
           // didn't ask for redirect-following keeps seeing 3xx as errors.
           _resolve({ statusCode: res.statusCode, headers: res.headers, body: buf });
+        } else if (responseMode === "always-resolve") {
+          // Operator opted in to "give me the full response object
+          // regardless of status." Caller branches on statusCode in
+          // their own code path — useful for proxies / forwarders /
+          // health-checkers / probe libraries that want to surface
+          // the upstream response structurally instead of via an
+          // error message string.
+          _resolve({ statusCode: res.statusCode, headers: res.headers, body: buf });
         } else {
           var msg = "HTTP " + res.statusCode + ": " + buf.toString("utf8").slice(0, 500);
           _reject(_makeError(opts.errorClass, "HTTP_ERROR", msg,
@@ -1079,7 +1123,7 @@ function _requestH2(transport, u, opts) {
       }
 
       if (responseMode === "stream") {
-        if (statusCode >= 400) {
+        if (statusCode >= 400 && responseMode !== "always-resolve") {
           stream.resume();
           return _reject(_makeError(opts.errorClass, "HTTP_ERROR",
             "HTTP " + statusCode, _isPermanentStatus(statusCode), statusCode));
@@ -1110,6 +1154,8 @@ function _requestH2(transport, u, opts) {
         });
         if (statusCode >= 200 && statusCode < 300) {
           _resolve({ statusCode: statusCode, headers: responseHeaders, body: buf });
+        } else if (responseMode === "always-resolve") {
+          _resolve({ statusCode: statusCode, headers: responseHeaders, body: buf });
         } else {
           var msg = "HTTP " + statusCode + ": " + buf.toString("utf8").slice(0, 500);
           _reject(_makeError(opts.errorClass, "HTTP_ERROR", msg,

package/lib/inbox.js

@@ -145,6 +145,26 @@ function create(opts) {
       throw new InboxError("inbox/bad-receive",
         label + ": source exceeds " + sourceMaxLen + " chars");
     }
+    // Reject NUL + C0 control characters in messageId / source. Both
+    // values flow into the (source, message_id) PRIMARY KEY and into
+    // audit metadata. Postgres TEXT may reject `\0` mid-statement, OR
+    // (depending on driver) silently truncate at the null byte —
+    // opening a dedupe-collision attack where "abc\0attacker" and
+    // "abc" collide as the same key. Refusing at the gate also keeps
+    // operator audit metadata sane.
+    _rejectControlChars(receiveOpts.messageId, label, "messageId");
+    _rejectControlChars(receiveOpts.source,    label, "source");
+  }
+
+  function _rejectControlChars(value, label, field) {
+    for (var i = 0; i < value.length; i += 1) {
+      var code = value.charCodeAt(i);
+      if (code === 0 || (code < 32 && code !== 9) || code === 127) {     // allow:raw-byte-literal — ASCII control codepoints (NUL + C0 + DEL); allow tab
+        throw new InboxError("inbox/bad-receive",
+          label + ": " + field + " contains control character at index " + i +
+          " (codepoint " + code + ")");
+      }
+    }
   }
 
   async function recordReceive(receiveOpts, txn) {
@@ -175,23 +195,27 @@ function create(opts) {
         " RETURNING message_id",
         [receiveOpts.messageId, receiveOpts.source, metaJson]);
       var fresh = rs && rs.rows && rs.rows.length === 1;
-      _emitAudit("inbox.received", fresh ? "success" : "duplicate", {
+      _emitAudit("inbox.received", "success", {
         source: receiveOpts.source, messageId: receiveOpts.messageId,
         fresh: fresh,
       });
       return fresh;
     }
 
-    // SQLite path — INSERT OR IGNORE + check changes()
-    await txn.query(
+    // SQLite path — INSERT OR IGNORE ... RETURNING 1 (SQLite 3.35+,
+    // March 2021). The previous two-statement INSERT + SELECT
+    // changes() pattern raced when callers issued an intervening
+    // statement on the same txn handle (e.g. trace logging) — a
+    // legitimate use case on the public recordReceive(opts, txn) API
+    // that the framework can't prevent. RETURNING 1 collapses both
+    // round-trips into one and removes the changes() dependency.
+    var sqlInsert = await txn.query(
       "INSERT OR IGNORE INTO " + table +
       " (message_id, source, received_at, metadata_json) " +
-      " VALUES (?, ?, " + nowExpr + ", ?)",
+      " VALUES (?, ?, " + nowExpr + ", ?) RETURNING 1",
       [receiveOpts.messageId, receiveOpts.source, metaJson]);
-    var changedResult = await txn.query("SELECT changes() AS c");
-    var changedRow = changedResult.rows && changedResult.rows[0];
-    var sqlFresh = !!(changedRow && Number(changedRow.c) === 1);
-    _emitAudit("inbox.received", sqlFresh ? "success" : "duplicate", {
+    var sqlFresh = !!(sqlInsert && sqlInsert.rows && sqlInsert.rows.length === 1);
+    _emitAudit("inbox.received", "success", {
       source: receiveOpts.source, messageId: receiveOpts.messageId,
       fresh: sqlFresh,
     });
@@ -232,13 +256,13 @@ function create(opts) {
       });
     } catch (e) {
       handlerErr = e;
-      _emitAudit("inbox.handle_failed", "fail", {
+      _emitAudit("inbox.handle_failed", "failure", {
         source: receiveOpts.source, messageId: receiveOpts.messageId,
         message: e && e.message || String(e),
       });
       throw e;
     }
-    _emitAudit("inbox.handled", fresh ? "success" : "duplicate", {
+    _emitAudit("inbox.handled", "success", {
       source: receiveOpts.source, messageId: receiveOpts.messageId,
       fresh: fresh, elapsedMs: Date.now() - startMs,
     });

package/lib/log-stream-syslog.js

@@ -34,6 +34,7 @@ var tls   = require("tls");
 var C = require("./constants");
 var { boot } = require("./log");
 var safeAsync = require("./safe-async");
+var safeBuffer = require("./safe-buffer");
 var safeUrl = require("./safe-url");
 var { LogStreamError } = require("./framework-error");
 
@@ -82,6 +83,13 @@ function _formatRfc5424(record, cfg) {
     try { body += " " + JSON.stringify(record.meta); }
     catch (_e) { /* best-effort */ }
   }
+  // Strip CR / LF from MSG content. RFC 5424 §6.4 requires PRINTUSASCII
+  // / UTF-8 with no embedded control chars in MSG. Without this, an
+  // operator-controlled record.message containing `\n<14>1 2026-...`
+  // produces a fake separate-priority record on a SIEM that splits on
+  // newlines (rsyslog with omfile does). Replace with U+2424 (SYMBOL
+  // FOR NEWLINE) so the operator can still see the intent.
+  body = safeBuffer.stripCrlf(String(body), "␤");
   return "<" + pri + ">1 " + ts + " " + cfg.hostname + " " +
          cfg.appName + " " + cfg.procId + " " + cfg.msgId + " " +
          (cfg.structuredData || "-") + " " + body;

package/lib/log-stream.js

@@ -153,7 +153,7 @@ function emit(level, message, meta) {
       .then(function () { return sink.raw.emit(record); })
       .catch(function (e) {
         audit().safeEmit({
-          action:   "system.log.sink-failure",
+          action:   "system.log.sink_failure",
           outcome:  "failure",
           reason:   (e && e.message) || String(e),
           metadata: { sink: name, level: level },

package/lib/mail.js

@@ -69,6 +69,8 @@ var safeBuffer = require("./safe-buffer");
 var audit = lazyRequire(function () { return require("./audit"); });
 var httpClient = lazyRequire(function () { return require("./http-client"); });
 var guardEmail = lazyRequire(function () { return require("./guard-email"); });
+var guardFilename = lazyRequire(function () { return require("./guard-filename"); });
+var fileType = lazyRequire(function () { return require("./file-type"); });
 var mailDkim = require("./mail-dkim");
 var mailAuth = require("./mail-auth");
 var mailBimi = require("./mail-bimi");
@@ -285,6 +287,44 @@ function _validateMessage(message) {
         throw new MailError("mail/invalid-attachment",
           "attachments[" + i + "].filename contains forbidden control characters", true);
       }
+      // Filename safety gate — path traversal / null-byte / NTFS ADS /
+      // RTLO bidi / Windows-reserved / overlong UTF-8 / shell-exec
+      // / double-extension. Without this, an operator forwarding a
+      // user-uploaded attachment passes attacker-controlled filenames
+      // straight to mail clients (which use the filename for "save
+      // as" prompts) where Excel + macOS Finder + Outlook honor the
+      // RTLO + reserved-name + Windows-strip semantics.
+      if (att.skipFilenameSafety !== true) {
+        var fnResult = guardFilename().validate(att.filename, { profile: "strict" });
+        if (!fnResult.ok) {
+          throw new MailError("mail/invalid-attachment",
+            "attachments[" + i + "].filename rejected by guardFilename: " +
+            (fnResult.issues && fnResult.issues[0] && fnResult.issues[0].kind || "filename-safety-fail"),
+            true);
+        }
+      }
+      // Magic-byte gate — refuse claimed/detected MIME mismatch when
+      // both are present. Operator can opt out per-attachment with
+      // `skipMagicByteCheck: true` and audited reason (e.g. encrypted
+      // payloads where the magic bytes intentionally don't match the
+      // claimed type).
+      if (att.skipMagicByteCheck !== true && att.contentType &&
+          Buffer.isBuffer(att.content)) {
+        try {
+          var detected = fileType().detect(att.content);
+          if (detected && detected.mime &&
+              detected.mime.split("/")[0] !==
+              att.contentType.split(";")[0].trim().toLowerCase().split("/")[0]) {
+            throw new MailError("mail/invalid-attachment",
+              "attachments[" + i + "].contentType '" + att.contentType +
+              "' disagrees with detected magic-byte MIME '" + detected.mime +
+              "' — refusing to send mis-typed attachment", true);
+          }
+        } catch (e) {
+          if (e && e.code === "mail/invalid-attachment") throw e;
+          // file-type detection error: drop-silent, treat as no-detection
+        }
+      }
       if (att.content === undefined || att.content === null) {
         throw new MailError("mail/invalid-attachment",
           "attachments[" + i + "].content is required (Buffer or string)", true);

package/lib/middleware/attach-user.js

@@ -67,6 +67,7 @@ function create(opts) {
   opts = opts || {};
   validateOpts(opts, [
     "cookieName", "tokenFrom", "sealed", "vault", "userLoader", "audit",
+    "requireFingerprintMatch", "maxAnomalyScore", "scorer",
   ], "middleware.attachUser");
   if (typeof opts.userLoader !== "function") {
     throw new Error("middleware.attachUser: opts.userLoader is required " +
@@ -76,6 +77,17 @@ function create(opts) {
   var tokenFrom  = opts.tokenFrom  || "both";
   var auditOn    = opts.audit !== false;
   var sealed     = !!opts.sealed;
+  // Fingerprint-drift / IP-UA pin / anomaly-score opts thread through
+  // session.verify so the documented session.create({ req,
+  // fingerprintFields }) defenses actually engage on every verify
+  // through the standard middleware path. Without this they were inert
+  // — an operator who set them at session.create only got the signal,
+  // not enforcement, when the session was checked through attachUser.
+  var verifyOpts = {
+    requireFingerprintMatch: opts.requireFingerprintMatch === true,
+    maxAnomalyScore:         (typeof opts.maxAnomalyScore === "number") ? opts.maxAnomalyScore : null,
+    scorer:                  (typeof opts.scorer === "function") ? opts.scorer : null,
+  };
   if (sealed && (!opts.vault || typeof opts.vault.unseal !== "function")) {
     throw new Error("middleware.attachUser: opts.sealed requires opts.vault " +
       "with a .unseal method (typically b.vault)");
@@ -94,14 +106,25 @@ function create(opts) {
         ? cookieJar.readSealed(req, cookieName)
         : _readCookie(req.headers && req.headers.cookie, cookieName);
     }
-    if (!token && (tokenFrom === "header" || tokenFrom === "both")) {
+    if (!token && (tokenFrom === "header" || tokenFrom === "both") &&
+        !req._bearerAuthHandled) {
+      // bearer-auth (when mounted upstream) sets req._bearerAuthHandled
+      // after consuming + verifying the Authorization header. Skipping
+      // the header re-read here avoids the duplicate verify and the
+      // confusing "session.verify failed" audit row that would land
+      // when the bearer token is a JWT or API key, not a session ID.
       token = _readBearer(req.headers && req.headers.authorization);
     }
     if (!token) return next();
 
     var verified;
     try {
-      verified = await session().verify(token);
+      verified = await session().verify(token, {
+        req: req,
+        requireFingerprintMatch: verifyOpts.requireFingerprintMatch,
+        maxAnomalyScore:         verifyOpts.maxAnomalyScore,
+        scorer:                  verifyOpts.scorer,
+      });
     } catch (_e) {
       // session.verify is tolerant — shouldn't normally throw, but if it
       // does (DB hiccup), don't propagate; treat as "no user" and let

package/lib/middleware/bearer-auth.js

@@ -54,14 +54,28 @@ function _writeUnauthorized(res, scheme, message, realm) {
   res.end(body);
 }
 
+// Three-state extractor: { state: "absent" } when no Authorization
+// header was sent, { state: "malformed" } when one is present but
+// doesn't parse against this middleware's scheme, or { state: "ok",
+// token } on success. The "malformed" case must NOT fall through to
+// downstream auth (cookie-session) — operators relying on bearer-auth
+// expect a 401 when a client deliberately sends `Authorization: ...`
+// even if the value is unparseable.
 function _extractToken(req, scheme) {
   var h = req.headers && req.headers.authorization;
-  if (typeof h !== "string" || h.length === 0) return null;
+  if (typeof h !== "string" || h.length === 0) return { state: "absent" };
   var prefix = scheme + " ";
-  if (h.length <= prefix.length) return null;
-  if (h.slice(0, prefix.length).toLowerCase() !== prefix.toLowerCase()) return null;
+  if (h.length <= prefix.length) return { state: "malformed" };
+  if (h.slice(0, prefix.length).toLowerCase() !== prefix.toLowerCase()) {
+    // Authorization header is for a different scheme (Basic, Digest,
+    // Negotiate, etc.) — leave the request for the next middleware
+    // that handles that scheme. From this middleware's perspective,
+    // it's effectively "absent."
+    return { state: "absent" };
+  }
   var token = h.slice(prefix.length).trim();
-  return token.length > 0 ? token : null;
+  if (token.length === 0) return { state: "malformed" };
+  return { state: "ok", token: token };
 }
 
 function create(opts) {
@@ -80,6 +94,29 @@ function create(opts) {
   var scheme        = opts.scheme || "Bearer";
   var errorMessage  = opts.errorMessage || "Bearer token required.";
   var realm         = opts.realm || null;
+  // CRLF-injection defense on operator-supplied realm — without this,
+  // a config-fed realm like `api\r\nX-Inject: 1` lands in the
+  // WWW-Authenticate response header verbatim. RFC 7235 §2.2 quoted-
+  // string excludes CTLs (codepoints < 0x20 and 0x7F) and the literal
+  // `"` / `\` characters.
+  if (realm !== null) {
+    if (typeof realm !== "string") {
+      throw new AuthError("auth-bearer/bad-realm",
+        "middleware.bearerAuth: realm must be a string");
+    }
+    for (var ri = 0; ri < realm.length; ri += 1) {
+      var rcode = realm.charCodeAt(ri);
+      if (rcode < 32 || rcode === 127) {                                  // allow:raw-byte-literal — ASCII control codepoints
+        throw new AuthError("auth-bearer/bad-realm",
+          "realm contains control character at index " + ri);
+      }
+      var rchar = realm.charAt(ri);
+      if (rchar === '"' || rchar === "\\") {
+        throw new AuthError("auth-bearer/bad-realm",
+          "realm contains illegal character " + JSON.stringify(rchar) + " at index " + ri);
+      }
+    }
+  }
   var tokenAttach   = opts.tokenAttachKey || "bearerToken";
   var userAttach    = opts.userAttachKey || "user";
 
@@ -104,12 +141,33 @@ function create(opts) {
   }
 
   return async function bearerAuth(req, res, next) {
-    var token = _extractToken(req, scheme);
-    if (!token) {
+    var extracted = _extractToken(req, scheme);
+    if (extracted.state === "absent") {
       // No Bearer header — fall through. Cookie-based session middleware
       // running after this can attach a user via the cookie path.
       return next();
     }
+    if (extracted.state === "malformed") {
+      // Authorization header present but does not parse against this
+      // scheme. Refuse with 401 — the request is unambiguously trying
+      // to authenticate via bearer, and falling through to cookie-auth
+      // would mask the operator's malformed-input bug.
+      _emitAudit("auth.bearer.failure", "failure", req, "malformed-authorization");
+      _emitObs("auth.bearer.rejected", 1, { reason: "malformed-authorization" });
+      if (!res.headersSent) {
+        var malformedChallenge = scheme + ' error="invalid_request"' +
+          (realm ? ', realm="' + realm + '"' : "");
+        var malformedBody = JSON.stringify({ error: errorMessage });
+        res.writeHead(401, {                                                     // allow:raw-byte-literal — HTTP 401 status
+          "Content-Type":     "application/json; charset=utf-8",
+          "Content-Length":   Buffer.byteLength(malformedBody),
+          "WWW-Authenticate": malformedChallenge,
+        });
+        res.end(malformedBody);
+      }
+      return;
+    }
+    var token = extracted.token;
 
     var user;
     try {
@@ -143,6 +201,13 @@ function create(opts) {
 
     req[tokenAttach] = token;
     req[userAttach]  = user;
+    // Signal to attach-user (and any other downstream auth middleware)
+    // that this Authorization header has already been consumed and
+    // verified — without this flag, attach-user would re-read the
+    // header and try to parse it as a session token, producing a
+    // confusing "session.verify-tried-and-failed" audit row alongside
+    // the successful "auth.bearer.success" we just emitted.
+    req._bearerAuthHandled = true;
     _emitAudit("auth.bearer.success", "success", req, null);
     _emitObs("auth.bearer.accepted", 1, {});
     next();

package/lib/middleware/body-parser.js

@@ -715,6 +715,19 @@ async function _parseMultipart(req, opts, ctParams) {
               }
               return;
             }
+            // Count the per-part header bytes toward totalSize so a
+            // burst of small parts can't slip past the request-level
+            // cap. Without this, fileCount: 20 + fieldCount: 100
+            // gives an attacker ~120 × 16 KiB = ~1.9 MiB of pending
+            // header state per request, multiplied across concurrent
+            // requests.
+            totalRead += headEnd + 4;
+            if (totalRead > totalSize) {
+              done(new BodyParserError("body-parser/multipart-too-large",
+                "multipart total request size exceeds totalSize (" + totalSize + ")",
+                true, HTTP_STATUS.PAYLOAD_TOO_LARGE));
+              return;
+            }
             currentHeaders = _parseMultipartHeaders(pending.slice(0, headEnd).toString("utf8"));
             pending = pending.slice(headEnd + 4);
             // Decode Content-Disposition.

package/lib/middleware/cors.js

@@ -241,6 +241,16 @@ function create(opts) {
 
     var matched = _matchOrigin(origin, origins);
     if (!matched) {
+      // Always append Vary: Origin when the request carried an Origin
+      // header — otherwise downstream caches that previously cached a
+      // matched-origin response (with ACAO + Vary: Origin set) may
+      // serve the wrong cached entry to this unmatched-origin
+      // request, OR cache the no-CORS response and replay it for a
+      // future matched-origin request. Cheap; matches Fetch-spec
+      // discipline.
+      if (typeof res.setHeader === "function") {
+        try { requestHelpers.appendVary(res, "Origin"); } catch (_e) { /* best-effort */ }
+      }
       if (refuseUnknown) {
         try {
           audit().emit({

package/lib/middleware/csrf-protect.js

@@ -165,7 +165,7 @@ function _appendSetCookie(res, value) {
 // throws on file:// / data:// schemes which would crash the middleware
 // instead of refusing the request. URL constructor + try/catch is the
 // right shape for "is this URL well-formed and what's its origin?".
-function _checkOriginAllowed(req, allowedOrigins, isHttpsFn) {
+function _checkOriginAllowed(req, allowedOrigins, isHttpsFn, requireOrigin) {
   var headers = req.headers || {};
   var origin = headers.origin;
   var referer = headers.referer;
@@ -175,6 +175,9 @@ function _checkOriginAllowed(req, allowedOrigins, isHttpsFn) {
     // gate doesn't add to it. Defense-in-depth against a stolen
     // cookie via a browser-rendered cross-origin fetch IS the value;
     // headless clients carry their own auth threat model.
+    if (requireOrigin === true) {
+      return { allowed: false, reason: "missing-origin-and-referer" };
+    }
     return null;
   }
 
@@ -229,6 +232,7 @@ function create(opts) {
   validateOpts(opts, [
     "cookie", "tokenLookup", "fieldName", "headerName", "methods", "audit",
     "trustProxy", "checkOrigin", "allowedOrigins", "requireJsonContentType",
+    "requireOrigin",
   ], "middleware.csrfProtect");
   var trustProxy = opts.trustProxy === true || typeof opts.trustProxy === "number"
     ? opts.trustProxy : false;
@@ -277,6 +281,14 @@ function create(opts) {
   // SPA + classic form pages) leave this opt-out (default).
   var requireJsonCt = opts.requireJsonContentType === true;
 
+  // requireOrigin — when true, refuse state-changing requests that
+  // carry NO Origin/Referer at all. Default false (back-compat for
+  // server-to-server / curl callers). Operators on a browser-only
+  // route mount the middleware with `requireOrigin: true` so the
+  // documented "no headers = bypass for non-browser" pass-through
+  // is opt-in rather than silent.
+  var requireOriginOpt = opts.requireOrigin === true;
+
   // Cookie issuance config (only when opts.cookie is set).
   var cookieCfg = null;
   if (hasCookie) {
@@ -341,10 +353,29 @@ function create(opts) {
     var cookieName = _resolveCookieName(req);
     var cookies = _parseCookieHeader(req.headers && req.headers.cookie);
     var existing = cookies[cookieName];
-    if (existing && /^[a-f0-9]{2,}$/.test(existing)) {
+    // Strict 64-hex-char check matches the byte-length of every token
+    // forms.generateCsrfToken() produces (CSRF_TOKEN_BYTES = 32 bytes
+    // → 64 hex chars). The previous {2,} floor accepted any 2-char
+    // hex string a sibling-subdomain XSS could plant on plain HTTP
+    // (cookie name falls back to `csrf` when the request isn't HTTPS,
+    // so the `__Host-` prefix safety doesn't apply). Attacker plants
+    // `csrf=ab` then submits matching X-CSRF-Token to bypass the
+    // double-submit gate.
+    if (existing && /^[a-f0-9]{64}$/.test(existing)) {
       req.csrfToken = existing;
       return existing;
     }
+    if (existing && !/^[a-f0-9]{64}$/.test(existing)) {
+      // Audit-emit so operators see when a planted/short cookie is
+      // refused — surfaces the attack class in compliance logs.
+      try {
+        audit().safeEmit({
+          action: "csrf.bad_cookie_value",
+          outcome: "denied",
+          metadata: { cookieName: cookieName, length: existing.length },
+        });
+      } catch (_e) { /* drop-silent */ }
+    }
     var fresh = forms.generateCsrfToken();
     var setCookie = _formatSetCookie(cookieName, fresh, {
       path:     cookieCfg.path,
@@ -381,7 +412,7 @@ function create(opts) {
     // requests even when the token is valid (e.g. operator-mistaken
     // CORS configuration that exposes the cookie).
     if (checkOrigin) {
-      var originReason = _checkOriginAllowed(req, allowedOrigins, _isHttps);
+      var originReason = _checkOriginAllowed(req, allowedOrigins, _isHttps, requireOriginOpt);
       if (originReason !== null) {
         _emitDenied(req, "origin/referer: " + originReason);
         return _writeReject(res, "CSRF cross-origin request refused.");

package/lib/middleware/dpop.js

@@ -215,7 +215,7 @@ function create(opts) {
           audit().safeEmit({
             action:  "auth.bearer.failure",
             actor:   { clientIp: requestHelpers.clientIp(req) },
-            outcome: "fail",
+            outcome: "failure",
             metadata: {
               method: "dpop",
               reason: (e && e.code) || "verify-failed",
@@ -245,7 +245,7 @@ function create(opts) {
             audit().safeEmit({
               action:  "auth.bearer.failure",
               actor:   { clientIp: requestHelpers.clientIp(req) },
-              outcome: "fail",
+              outcome: "failure",
               metadata: { method: "dpop", reason: "stale-nonce", route: req.url },
             });
           } catch (_ignored) { /* drop-silent */ }
@@ -268,7 +268,7 @@ function create(opts) {
         audit().safeEmit({
           action:  "auth.bearer.success",
           actor:   { clientIp: requestHelpers.clientIp(req) },
-          outcome: "ok",
+          outcome: "success",
           metadata: { method: "dpop", jkt: result.jkt, route: req.url },
         });
       } catch (_ignored) { /* drop-silent */ }

package/lib/middleware/host-allowlist.js

@@ -142,7 +142,7 @@ function create(opts) {
     try {
       audit().safeEmit({
         action:  "network.host_allowlist.denied",
-        outcome: "fail",
+        outcome: "denied",
         actor:   { clientIp: requestHelpers.clientIp(req) },
         metadata: {
           reason:  reason,

package/lib/middleware/require-aal.js

@@ -76,7 +76,7 @@ function create(opts) {
           audit().safeEmit({
             action:  "auth.aal.denied",
             actor:   { clientIp: requestHelpers.clientIp(req), userId: req.user && req.user.id },
-            outcome: "fail",
+            outcome: "denied",
             metadata: {
               required: minimum,
               actual:   actual || null,
@@ -93,7 +93,7 @@ function create(opts) {
         audit().safeEmit({
           action:  "auth.aal.granted",
           actor:   { clientIp: requestHelpers.clientIp(req), userId: req.user && req.user.id },
-          outcome: "ok",
+          outcome: "success",
           metadata: { aal: actual, required: minimum, route: req.url },
         });
       } catch (_ignored) { /* drop-silent */ }

package/lib/middleware/trace-propagate.js

@@ -85,7 +85,7 @@ function create(opts) {
         try {
           audit().safeEmit({
             action:   "system.trace.synthesised",
-            outcome:  "ok",
+            outcome:  "success",
             metadata: { route: req.url || "/", traceId: req.trace.traceId },
           });
         } catch (_e) { /* drop-silent — observability sink */ }