@blamejs/core 0.8.66 → 0.8.67

package/CHANGELOG.md

@@ -8,6 +8,7 @@ upgrading across more than a few patches at a time.
 
 ## v0.8.x
 
+- v0.8.67 (2026-05-10) — SAML XMLDSig Reference Transforms (`enveloped-signature` + per-Reference c14n) + full IdP-emitted SAML round-trip in the federation-auth integration test. Pre-v0.8.67 `b.auth.saml.sp.verifyResponse` only honored the SignedInfo's `CanonicalizationMethod`; it didn't process the `<ds:Transforms>` block on the Reference. Real-world IdP-signed responses (Keycloak, ADFS, Okta) attach `http://www.w3.org/2000/09/xmldsig#enveloped-signature` (strip the `<Signature>` child of the referenced element before c14n) and a per-Reference `xml-exc-c14n#` Transform — without them, the digest computed over the assertion-including-signature never matches the signed-then-signature-injected reality and verifyResponse rejected legitimate IdP responses. `_verifyXmldsig` now reads the Transforms list, applies enveloped-signature by filtering the parsed-tree's `<Signature>` element children before canonicalization, and honors the per-Reference c14n choice (with vs without comments). The single-match-by-ID invariant + signature-wrapping defense moves into the saml.js path directly so the modified subtree (signature stripped) is the one that gets canonicalized + digested. `test/integration/federation-auth.test.js` now drives Keycloak's HTML login form via cookie-jar curl-equivalent (no headless browser needed), captures the IdP-signed SAMLResponse, fetches the IdP signing certificate from `/protocol/saml/descriptor`, hands the response to `sp.verifyResponse(b64, { expectedInResponseTo })`, and asserts the extracted `nameId` / `issuer` / `audience` / `inResponseTo` match the realm's signed claims. Verified end-to-end: Keycloak alice user → SAML AuthnRequest → login form POST → signed Response → `sp.verifyResponse()` → `{ nameId: "alice", issuer: <realm>, audience: <SP entityID>, attributes: { Role: "default-roles-..." } }`. Unsupported Transform algorithms refuse loudly via `auth-saml/unsupported-transform`. No primitive surface change versus v0.8.66 (the Transforms processing is internal to `_verifyXmldsig`).
 - v0.8.66 (2026-05-10) — `b.session.updateData(token, data, opts?)`. Update the sealed `data` payload on a session WITHOUT rotating the sid. Pre-v0.8.66 the only path to mutate session data was `b.session.rotate(token, { data })` which forces an sid rotation — appropriate for security-boundary transitions (login, MFA, role escalation) but heavyweight for cart-state writes / preference flips / step-up-completion flags. Default semantics: full payload replace, `lastActivity` bumped (idle-timeout reset), reserved `__bj_fingerprint` binding preserved automatically so verify() still surfaces drift correctly. `opts.merge: true` does a one-level deep merge into the existing payload; `opts.touchLastActivity: false` skips the idle-timeout bump. Returns `false` for unknown / expired / pre-v0.8.61-raw-format tokens (no throw). Anonymous-session userIds work the same as named userIds. Leader-only. New Layer 0 tests: 13 checks covering replace / merge / null-clear / fingerprint preservation / unknown-token returns / array refusal.
 - v0.8.65 (2026-05-10) — federated-authentication integration test fixture (Keycloak as OIDC OP + SAML IdP). Adds `quay.io/keycloak/keycloak:26.0` to `docker-compose.test.yml` running with realm-import on port `:18080` (HTTP) + `:18081` (Quarkus health). Realm `blamejs-test` boots with one OIDC client (`blamejs-rp-oidc`, secret `blamejs-test-rp-secret`, frontchannel + backchannel logout enabled), one SAML SP client (entityID `https://sp.blamejs-test.example`, RSA-SHA256 assertion signature), and a test user (`alice` / `blamejs-test-password`). New `test/integration/federation-auth.test.js` exercises end-to-end against the live Keycloak: OIDC discovery, `b.auth.oauth.authorizationUrl` (state + nonce + PKCE), password-grant token retrieval, `verifyIdToken` against the realm JWKS, `fetchUserInfo` with `idTokenSub` cross-check, RP-Initiated Logout URL build, `parseFrontchannelLogoutRequest` iss-mismatch refusal, `verifyBackchannelLogoutToken` JWKS-lookup + signature + typ-check failure paths, SAML `buildAuthnRequest` POST to the IdP's `/protocol/saml` endpoint, SP `metadata()` XML emit, and CIBA `startAuthentication` wire-format check (Keycloak's `backchannel_authentication_endpoint` is at `/protocol/openid-connect/ext/ciba/auth`). `b.auth.ciba._postForm` now sets `responseMode: "always-resolve"` so deterministic OAuth-shape error JSON (`{ error, error_description }`) reaches the AuthError-mapping path instead of being rejected as a generic HTTP error. `b.auth.ciba._postForm` URL validation switched from a non-existent `safeUrl.assertHttpUrl` to `safeUrl.parse({ allowedProtocols })`. `scripts/check-services.js` registers `keycloak` + `keycloak-health` (both v4 + v6); `test/helpers/services.js` exposes `URLS.keycloak`. CLAUDE.md release-workflow §6 documents the federation-auth integration test path. OID4VCI / OID4VP / OpenID Federation deferred — Keycloak's `oid4vc-issuer` SPI is preview-only and there's no entity-statement publisher in the base image.
 - v0.8.64 (2026-05-10) — CI green-up for v0.8.63 (wiki source-comment validator). The v0.8.62 push missed `examples/wiki/test/validate-source-comment-blocks.js` — a wiki-side validator that enforces every `@primitive` block has `@signature` starting with `b.`, matching function arity, an `@opts` declaration when the function takes opts, an `@example` block, and resolvable `@related` cross-refs. 50 findings across the new federation/VC primitives. Fixed: every nested-namespace `@signature` (`b.auth.ciba.client.X`, `b.auth.oid4vci.issuer.X`, `b.auth.oid4vp.verifier.X`, `b.auth.saml.sp.X`) re-qualified with the full `b.*` prefix instead of the bare `client.X` shorthand; arity collapsed to `(opts)` where the function takes a single opts arg; `@example` block added to every primitive; `@opts` block added to ciba.client.startAuthentication / parseNotification + openidFederation.resolveLeaf; `@primitive` block added to xmlC14n.parse; `@related` cross-refs scrubbed of dangling references to undocumented primitives (oauth.create / sdJwtVc.issuer aren't @primitive-documented yet); the parse-as-JS check on oid4vci's @example caught a `{...}` literal with no target — replaced with a concrete object spread. No primitive surface change versus v0.8.63.

package/lib/auth/saml.js

@@ -191,10 +191,75 @@ function _verifyXmldsig(envelope, signatureNode, certPem) {
     throw new AuthError("auth-saml/no-digest-value", "Reference missing DigestValue");
   }
   var withComments = canonAlgo.indexOf("#WithComments") !== -1;
-  // Single-match invariant — anti-wrapping defense
-  var canonical = xmlC14n().canonicalizeElementById(envelope, refId, {
-    withComments: withComments,
-  });
+
+  // XMLDSig Reference Transforms — applied in order before the digest.
+  // SAML responses commonly use:
+  //   1. http://www.w3.org/2000/09/xmldsig#enveloped-signature  (strip
+  //      the <Signature> child of the referenced element)
+  //   2. http://www.w3.org/2001/10/xml-exc-c14n#                (canonicalize)
+  // Without the enveloped-signature transform, the digest is computed
+  // over the assertion-including-signature, which never matches the
+  // signed-then-signature-injected reality.
+  var transformsNode = _findChild(refNode, "Transforms");
+  var transformList = transformsNode ? _findAllChildren(transformsNode, "Transform") : [];
+  var stripSignature = false;
+  var refC14nWithComments = withComments;
+  for (var ti = 0; ti < transformList.length; ti++) {
+    var algo = _attr(transformList[ti], "Algorithm");
+    switch (algo) {
+      case "http://www.w3.org/2000/09/xmldsig#enveloped-signature":
+        stripSignature = true;
+        break;
+      case "http://www.w3.org/2001/10/xml-exc-c14n#":
+        refC14nWithComments = false;
+        break;
+      case "http://www.w3.org/2001/10/xml-exc-c14n#WithComments":
+        refC14nWithComments = true;
+        break;
+      default:
+        throw new AuthError("auth-saml/unsupported-transform",
+          "Unsupported Transform: " + algo + " (supported: enveloped-signature, xml-exc-c14n)");
+    }
+  }
+
+  // Locate the referenced element with the single-match invariant
+  // (anti-wrapping defense) — if zero or duplicate IDs match, refuse.
+  // We then optionally strip its <Signature> child(ren) per the
+  // enveloped-signature transform and canonicalize the result.
+  var c14n = xmlC14n();
+  var rootForRef = c14n.parse(envelope);
+  var matches = [];
+  (function _walk(node) {
+    if (node.type !== "element") return;
+    if (node.attrs) {
+      for (var ai = 0; ai < node.attrs.length; ai++) {
+        if (node.attrs[ai].name === "ID" && node.attrs[ai].value === refId) {
+          matches.push(node);
+          break;
+        }
+      }
+    }
+    for (var ci = 0; ci < node.children.length; ci++) _walk(node.children[ci]);
+  })(rootForRef);
+  if (matches.length === 0) {
+    throw new AuthError("auth-saml/no-id-match",
+      "Reference URI #" + refId + " resolves to no element");
+  }
+  if (matches.length > 1) {
+    throw new AuthError("auth-saml/duplicate-id",
+      "Reference URI #" + refId + " matches " + matches.length +
+      " elements — refused (signature-wrapping defense)");
+  }
+  var refTarget = matches[0];
+  if (stripSignature) {
+    refTarget.children = refTarget.children.filter(function (c) {
+      if (c.type !== "element") return true;
+      var colon = c.name.indexOf(":");
+      var local = colon !== -1 ? c.name.substring(colon + 1) : c.name;
+      return local !== "Signature";
+    });
+  }
+  var canonical = c14n.canonicalize(refTarget, { withComments: refC14nWithComments });
   var actualDigest = nodeCrypto.createHash(SUPPORTED_DIGEST[digestAlgo]).update(canonical).digest();
   if (Buffer.from(expectedDigestB64, "base64").compare(actualDigest) !== 0) {
     throw new AuthError("auth-saml/digest-mismatch",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.8.66",
+  "version": "0.8.67",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cyclonedx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:af468756-ee7e-474b-aa3e-0e24106e1792",
+  "serialNumber": "urn:uuid:7b747b8f-4f21-448f-a73e-50b8615f6937",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-10T06:52:11.439Z",
+    "timestamp": "2026-05-10T14:43:14.112Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.8.66",
+      "bom-ref": "@blamejs/core@0.8.67",
       "type": "library",
       "name": "blamejs",
-      "version": "0.8.66",
+      "version": "0.8.67",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.8.66",
+      "purl": "pkg:npm/%40blamejs/core@0.8.67",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.8.66",
+      "ref": "@blamejs/core@0.8.67",
       "dependsOn": []
     }
   ]