@blamejs/core 0.8.35 → 0.8.36

package/CHANGELOG.md

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 
 ## v0.8.x
 
+- **0.8.36** (2026-05-08) — HTTP/web G-class LOW cleanup + scope-aware bearer challenge. **WS handshake (RFC 6455 §4.1)** — `Sec-WebSocket-Key` validated as base64 of 16 random bytes (`/^[A-Za-z0-9+/]{22}==$/`). Pre-v0.8.36 only the presence was checked; truncated / arbitrary-token values flowed through. **Permissions-Policy default** — `fullscreen` flipped to `()` (deny) instead of `(self)`; operators wanting fullscreen pass an explicit override. **`b.middleware.bearerAuth` insufficient_scope (RFC 6750 §3)** — new `requiredScopes: ["scope1", "scope2"]` opt enforces operator-declared scopes. Token's `user.scope` (string, space-separated) or `user.scopes` (array) is checked; missing scopes refuse with HTTP 403 + `WWW-Authenticate: Bearer error="insufficient_scope", scope="..."`. **`b.requestHelpers.parseListHeader({strictToken: true})`** — RFC 9110 §5.6.2 token-grammar enforcement. Refuses non-token entries (anything outside `!#$%&'*+-.^_\\`|~` + alnum). **Multipart boundary validation (RFC 2046 §5.1.1)** — `_parseMultipart` refuses boundaries longer than 70 chars OR violating the `bcharsnospace` grammar. Closes the quadratic-match risk on pathological boundaries.
+
 - **0.8.35** (2026-05-08) — `b.tcpa10dlc` + `b.iabMspa` primitives. **`b.tcpa10dlc`** — TCPA 10DLC consent-record audit. 47 USC §227 + 47 CFR §64.1200 + FCC 1:1 disclosure rule (effective 2025-01-27, vacated 11th Circuit IMC v. FCC 2025 but TCPA standard still applies). $500-$1,500/violation exposure. `recordConsent({phoneE164, brand, disclosureText, disclosurePartyKind, formUrl, ip, userAgent})` writes a tamper-evident audit row with the carrier-required fields; `lookup(phoneE164)` for the carrier "produce-on-demand" workflow; `revoke(phoneE164, reason)` records consumer-initiated opt-out with audit trail. **`b.iabMspa`** — IAB Multi-State Privacy Agreement / Global Privacy Platform (GPP) universal opt-out signal codec. `parseGpp(gppString)` decodes the framing (header + per-section payloads, section-id mapping for usnat / usca / usva / usco / usct / usut / usnv / usia / usde / usnj / ustx / usor / usmt / usnh). `checkOptOut(parsed, {dataUse, state})` returns `{ mustHonor, signals }` against operator-decoded section opt-outs (sale / sharing / targeted-ads / sensitive / child-data). `refuseProcessing(parsed, opts)` throws `IabMspaError` to halt the operator's data-flow at the same point a CCPA "do-not-sell" header would. `gpcFromHeaders(req)` reads the W3C `Sec-GPC: 1` browser signal — universal opt-out per CCPA / CPRA §1798.135(b)(1) and similar state laws.
 
 - **0.8.34** (2026-05-08) — `lib/middleware/body-parser.js` BiDi-strip regex uses Unicode-escape form (`\\u202A`-style) instead of literal codepoints to satisfy ESLint's `no-irregular-whitespace`. v0.8.33 publish workflow blocked on this; v0.8.33 tag exists on git but never reached npm — v0.8.34 cumulative includes the v0.8.33 G-class MEDIUM fixes.

package/lib/middleware/bearer-auth.js

@@ -199,6 +199,42 @@ function create(opts) {
       return;
     }
 
+    // RFC 6750 §3 — `insufficient_scope` challenge with `scope=` when
+    // the verified token is missing one or more required scopes.
+    // Operators pass `requiredScopes: ["write", "admin"]` to enforce.
+    // The verifier returns the user's scope list at `user.scope`
+    // (string, space-separated) OR `user.scopes` (array). When the
+    // request lacks a required scope, refuse with 403 + the standard
+    // challenge (NOT 401 — token was valid).
+    if (Array.isArray(opts.requiredScopes) && opts.requiredScopes.length > 0) {
+      var userScopes = Array.isArray(user.scopes) ? user.scopes :
+        typeof user.scope === "string" ? user.scope.split(/\s+/).filter(function (s) { return s.length > 0; }) :
+        [];
+      var missing = opts.requiredScopes.filter(function (s) {
+        return userScopes.indexOf(s) === -1;
+      });
+      if (missing.length > 0) {
+        _emitAudit("auth.bearer.failure", "failure", req, "insufficient-scope:" + missing.join(","));
+        _emitObs("auth.bearer.rejected", 1, { reason: "insufficient-scope" });
+        if (!res.headersSent) {
+          var scopeChallenge = scheme + ' error="insufficient_scope"' +
+            ', scope="' + opts.requiredScopes.join(" ") + '"' +
+            (realm ? ', realm="' + realm + '"' : "");
+          var scopeBody = JSON.stringify({
+            error: "insufficient_scope",
+            required: opts.requiredScopes.slice(),
+          });
+          res.writeHead(403, {                                                     // allow:raw-byte-literal — HTTP 403 status
+            "Content-Type":     "application/json; charset=utf-8",
+            "Content-Length":   Buffer.byteLength(scopeBody),
+            "WWW-Authenticate": scopeChallenge,
+          });
+          res.end(scopeBody);
+        }
+        return;
+      }
+    }
+
     req[tokenAttach] = token;
     req[userAttach]  = user;
     // Signal to attach-user (and any other downstream auth middleware)

package/lib/middleware/body-parser.js

@@ -568,6 +568,19 @@ async function _parseMultipart(req, opts, ctParams) {
       true, HTTP_STATUS.BAD_REQUEST
     );
   }
+  // RFC 2046 §5.1.1 — boundary length 1-70 chars, bcharsnospace
+  // grammar. Pathological boundaries (zero-length / very long /
+  // newlines) drive quadratic match cost in scanners. Refuse at
+  // the parse boundary so the rest of the engine doesn't have to
+  // defend against them.
+  if (boundary.length > 70 ||                                                                  // allow:raw-byte-literal — RFC 2046 §5.1.1 boundary length cap
+      !/^[A-Za-z0-9'()+_,\-./:=?]{1,70}$/.test(boundary)) {                                   // allow:raw-byte-literal — RFC 2046 §5.1.1 bchars + cap
+    throw new BodyParserError(
+      "body-parser/multipart-bad-boundary",
+      "multipart boundary violates RFC 2046 §5.1.1 (1-70 chars, bcharsnospace grammar)",
+      true, HTTP_STATUS.BAD_REQUEST
+    );
+  }
   // Resolve tmpDir per-request so directory-creation failure surfaces as a
   // structured error rather than a deferred fs throw.
   var tmpDir = opts.tmpDir || path.join(os.tmpdir(), "blamejs-uploads");

package/lib/middleware/security-headers.js

@@ -40,7 +40,7 @@ var validateOpts = require("../validate-opts");
 
 var DEFAULT_PERMISSIONS = [
   "accelerometer=()", "ambient-light-sensor=()", "autoplay=()",
-  "camera=()", "display-capture=()", "encrypted-media=()", "fullscreen=(self)",
+  "camera=()", "display-capture=()", "encrypted-media=()", "fullscreen=()",
   "geolocation=()", "gyroscope=()", "magnetometer=()", "microphone=()",
   "midi=()", "payment=()", "picture-in-picture=()", "publickey-credentials-get=()",
   "screen-wake-lock=()", "sync-xhr=()", "usb=()", "web-share=()", "xr-spatial-tracking=()",

package/lib/request-helpers.js

@@ -212,6 +212,13 @@ function requestProtocol(req, opts) {
 // Tolerant read: non-string input returns [] — these are read from
 // request headers that the network might omit. Callers needing stricter
 // checks layer their own validation on the result.
+// RFC 9110 §5.6.2 token grammar — letters, digits, and the
+// punctuation set `!#$%&'*+-.^_`|~`. Used by header-list parsers
+// that consume protocol tokens (Connection, Sec-WebSocket-
+// Protocol, etc.). Operator handlers parsing comma-separated
+// human-supplied values (Origin lists, etc.) opt out by passing
+// `lax: true`.
+var RFC_9110_TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
 function parseListHeader(value, opts) {
   if (value == null) return [];
   opts = opts || {};
@@ -222,6 +229,13 @@ function parseListHeader(value, opts) {
   for (var i = 0; i < parts.length; i++) {
     var t = parts[i].trim();
     if (t.length === 0) continue;
+    if (opts.strictToken && !RFC_9110_TOKEN_RE.test(t)) {
+      // Refuse non-token entries when caller asked for strict-token
+      // grammar (RFC 9110 §5.6.2). Used by ws subprotocol negotiation
+      // and other places where only token-shaped values are valid.
+      throw new TypeError("parseListHeader: '" + t +
+        "' is not a valid RFC 9110 token");
+    }
     out.push(opts.lowercase ? t.toLowerCase() : t);
   }
   return out;

package/lib/websocket.js

@@ -245,6 +245,16 @@ function validateUpgradeRequest(req, opts) {
   if (!h["sec-websocket-key"]) {
     return { ok: false, status: HTTP.BAD_REQUEST, reason: "missing Sec-WebSocket-Key" };
   }
+  // RFC 6455 §4.1 — Sec-WebSocket-Key MUST be a base64-encoded
+  // 16-byte nonce. Encoded length is 24 chars including the
+  // `==` padding. Strict check refuses malformed values that
+  // some clients send (truncated or arbitrary token); lets
+  // server-side anomaly detection see the malformation rather
+  // than passing through.
+  if (!/^[A-Za-z0-9+/]{22}==$/.test(h["sec-websocket-key"])) {
+    return { ok: false, status: HTTP.BAD_REQUEST,
+      reason: "Sec-WebSocket-Key must be base64 of 16 random bytes (RFC 6455 §4.1)" };
+  }
   if (h["sec-websocket-version"] !== "13") {
     return { ok: false, status: HTTP.BAD_REQUEST, reason: "Sec-WebSocket-Version must be 13" };
   }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.8.35",
+  "version": "0.8.36",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cyclonedx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:0d7236d8-d7fd-4993-8139-83cff6ea1ce7",
+  "serialNumber": "urn:uuid:bc456840-498c-445d-b9a6-d087f3ab5715",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-07T15:31:18.217Z",
+    "timestamp": "2026-05-07T15:39:09.436Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.8.35",
+      "bom-ref": "@blamejs/core@0.8.36",
       "type": "library",
       "name": "blamejs",
-      "version": "0.8.35",
+      "version": "0.8.36",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.8.35",
+      "purl": "pkg:npm/%40blamejs/core@0.8.36",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.8.35",
+      "ref": "@blamejs/core@0.8.36",
       "dependsOn": []
     }
   ]