@blamejs/core 0.9.2 → 0.9.4

package/CHANGELOG.md

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 
 ## v0.9.x
 
+- v0.9.4 (2026-05-12) — **Audit hardening slice 4: kid-less JWKS lookup refusal + OCSP nonce CT compare + OAuth scope strict-split + DPoP `X-Forwarded-Proto` trust gate**. Closes the remaining MEDIUM-tier findings from the 2026-05-11 auth audit. **`b.auth.oauth.verifyIdToken` + `b.auth.jwt.verifyExternal` kid-less JWKS lookup refusal** — pre-v0.9.4 both verifiers fell back to `keys[0]` when the token carried NO `kid` and the JWKS had exactly one key. This is a latent vector during JWKS rotation: an attacker shipping a kid-less token gets the lone-key path during the window the rotated-out key is still cached at the IdP but the rotated-in key is already published. Every modern IdP includes `kid`; the framework now refuses kid-less tokens unconditionally. Operators with non-conforming IdPs that genuinely emit kid-less tokens opt out via `vopts.allowKidlessJwks: true`. **`b.network.tls` OCSP nonce constant-time compare** — `evaluateOcspResponse`'s `expectedNonce` match migrated from `Buffer.equals` to `b.crypto.timingSafeEqual` for module-wide consistency with the Merkle-root / NTS-cookie / cert-fingerprint paths that already use `timingSafeEqual`. **`b.auth.oauth` scope strict whitespace split** — RFC 6749 §3.3 says `scope` is space-separated, ONLY `U+0020`. Pre-v0.9.4 `raw.scope.split(/\s+/)` matched U+0085 NEL, U+00A0 NBSP, etc., so a hostile AS returning `scope: "admin<NEL>read"` would surface as `["admin", "read"]` and the operator's scope allowlist saw two distinct scopes. Now splits on single-space only; empty pieces filtered out. **`b.middleware.dpop` `X-Forwarded-*` trust gate** — `_reconstructHtu` previously read `X-Forwarded-Proto` / `X-Forwarded-Host` unconditionally; an attacker who can hit the origin directly while spoofing `X-Forwarded-Proto: https` could trick the middleware into building an `https` htu that the DPoP proof was signed for, when the origin is actually serving HTTP (RFC 9449 §4.3 says the htu MUST be the absolute URL the request was sent to). The default now derives proto/host from the socket; operators with a confirmed-trusted front proxy opt in via `opts.trustForwardedHeaders: true`.
+- v0.9.3 (2026-05-11) — **Audit hardening slice 3: OAuth + OID4VCI + OID4VP + CIBA + constant-time-compare migrations**. Continues the 2026-05-11 auth audit follow-through. **`b.auth.oauth.refreshAccessToken` atomic check-and-insert** — new `ropts.checkAndInsert(token, expireAtMs)` callback contract replaces the previous `ropts.seen(token)` check-then-act race. Two concurrent refresh requests on the same event-loop tick could both see `seen === false` and both POST to the token endpoint, neither flagging the replay; the new contract requires an atomic test-and-set (Redis SETNX, DB INSERT ON CONFLICT) and is the OAuth 2.1 §6.1 / RFC 9700 §4.13 one-time-use defense surfacing the actual race window. Legacy `seen` callback continues to work for backwards-compat with operator code; the docstring documents the race + recommends migration to `checkAndInsert`. **`b.auth.oid4vci` constant-time compares** — pre-auth `tx_code` hash compare (was `!==` on sha3 hex) and proof-JWT `c_nonce` compare (was `!==` on attacker-supplied wallet payload) both route through `b.crypto.timingSafeEqual`. **`b.auth.oid4vp` per-presentation `vct` enforcement** — DCQL filters with 2+ `vct_values` entries previously bypassed vct validation entirely (the framework only set `expectedVct` when the filter pinned to a single value). Verifier now validates the presented vct against the DCQL filter list manually when length > 1; refuses with `vp_token['<id>'][<n>] vct '<presented>' is not in DCQL vct_values [...]` on over-disclosure. **`b.auth.ciba` slow_down honoring** — CIBA §11.3 requires the client to increase its polling interval by at least 5s on every `slow_down` response. Pre-v0.9.3 the framework client never bumped, leaving operators to do their own interval bookkeeping. Now `pollToken()` tracks per-`authReqId` interval state internally (Map keyed by authReqId, seeded from `startAuthentication`'s response, cleared on token issuance), bumps by `max(5s, IdP-suggested interval) <= MAX_INTERVAL_SEC` on every slow_down, and attaches the next-suggested interval to the thrown `auth-ciba/slow_down` error as `err.nextIntervalSec` so operators read a spec-correct back-off without manual bookkeeping. **`b.auth.ciba` notification-token entropy** — `clientNotificationToken` now refuses < 32 chars per CIBA §7.1.2's opaque-hard-to-guess requirement. Pre-v0.9.3 a 4-char token passed. **`b.auth.ciba.parseNotification` constant-time compare** — bearer-token hash compare migrated from `!==` to `b.crypto.timingSafeEqual` (both sides are fixed-width sha3-512 hex strings; defense-in-depth even though equal-length JS string compare is already widely understood as constant-time on V8).
 - v0.9.2 (2026-05-11) — **Audit hardening slice 2: WebAuthn + FIDO MDS3 + NIST AAL**. Continues the 2026-05-11 auth surface audit follow-through. **`b.auth.passkey.verifyAuthentication` counter-regression bypass fix** — pre-v0.9.2 the wrapper coerced `opts.credential.counter || 0`, silently zeroing an `undefined` / `null` / `NaN` counter and defeating CTAP 2.1 clone-detection on credentials whose stored counter was > 0. An operator deserializing the credential from a column that lost the counter would unknowingly accept a cloned authenticator. The wrapper now refuses `undefined` / `null` (operators MUST persist whatever the vendor returned at registration; first-time-stored credentials carry counter:0 explicitly) and rejects any non-integer / non-finite / negative value with `auth-passkey/bad-counter`. **`b.auth.passkey` multi-origin support** — `expectedOrigin` now accepts `string` OR `string[]` on both `verifyRegistration` and `verifyAuthentication`. Pre-v0.9.2 the wrapper enforced a single string only, blocking multi-origin deployments (web + admin-subdomain) from sharing one verifier; SimpleWebAuthn natively supports arrays. **`b.auth.passkey` prototype-pollution fix** — `ALLOWED_MEDIATION` lookup changed from `{...}[opts.mediation]` to `hasOwnProperty.call(ALLOWED_MEDIATION, opts.mediation)` with a null-prototype map. Pre-v0.9.2 a caller passing `mediation: "__proto__"` / `"constructor"` truthy-matched an inherited Object.prototype property and slipped past the allowlist into `generateAuthenticationOptions`. **`b.auth.aal.fromMethods` UV requirement for AAL3** — per NIST SP 800-63-4 §5.1.7, WebAuthn / passkey satisfies AAL3 (MF-CRYPT) only when user verification was performed on the assertion. Pre-v0.9.2 `fromMethods({ webauthn: true })` returned `AAL3` unconditionally; operators using `userVerification: "preferred"` whose authenticator skipped UV landed in AAL3 despite not satisfying the spec's MF requirement. The caller now passes `uv: true` (sourced from the vendor's authData UV bit) to claim AAL3 with webauthn alone; without `uv`, webauthn alone caps at AAL2 (SF-CRYPT). Combination paths (`webauthn + password` / `webauthn + pin`) reach AAL3 regardless of UV (the memorized secret provides the second factor independently). **`b.auth.fidoMds3.verifyAuthenticator` fail-closed default + new opts** — pre-v0.9.2 unknown AAGUIDs returned `{ ok: true, reason: "aaguid-not-in-blob" }`, silently trusting any authenticator the metadata service hadn't yet listed (rogue / pre-certification / fake hardware). Now fails closed by default; operators wanting the legacy fail-open behavior (test fixtures, pre-certification pilot rollouts) pass `opts.allowUnknownAaguid: true` explicitly. **`b.auth.fidoMds3.parseBlob` stale-BLOB refusal** — refuses BLOB payloads whose `nextUpdate` is already in the past (FIDO MDS3 §3.1.7). Pre-v0.9.2 the staleness was floored to `MIN_CACHE_TTL_MS` but the BLOB was still served, letting an attacker pin operators to a revoked-authenticator-list-frozen-at-X by serving an ancient signed-but-expired BLOB. **`b.auth.fidoMds3.REFUSE_STATUS`** — added `ATTESTATION_KEY_COMPROMISE` per FIDO MDS3 §3.1.4. Pre-v0.9.2 this status was silently accepted; manufacturer batch-signing-key compromise affects every credential attested under that key.
 - v0.9.1 (2026-05-11) — **Audit hardening, slice 1 of N: federation auth + OAuth ID-token verifier**. Audit run after v0.9.0 across OAuth / SAML / OIDC federation / SD-JWT VC / WebAuthn / FIDO MDS3 / constant-time-compare surfaces; this slice closes the highest-severity SAML + OIDC + SD-JWT + OAuth findings. **SAML SP** (`b.auth.saml.sp.create({...}).buildAuthnRequest` + `.metadata`): every operator-supplied URL / ID interpolated into the emitted XML now routes through `b.xmlC14n.escapeAttrValue` / `escapeText`. Pre-v0.9.1 a `"` or `<` in `idpSsoUrl` / `assertionConsumerServiceUrl` / `entityId` / `nameIdFormat` broke out of attribute / element context and produced unsigned-XML breakout into the IdP redirect. Newly exported `b.xmlC14n.escapeAttrValue(s)` and `b.xmlC14n.escapeText(s)` — RFC 3741 §1.3.x compliant; available for any operator emitting XML alongside the framework's own SAML / canonicalization paths. **SAML SP `verifyResponse`**: digest compare on `Reference DigestValue` and `SubjectConfirmation InResponseTo` now use `b.crypto.timingSafeEqual` instead of `Buffer.compare` / `!==`. **SAML XSW defense**: refuses Response payloads that carry duplicate `<Status>`, `<StatusCode>`, `<Assertion>`, `<Subject>`, or `<NameID>` children — XML signature wrapping attacks ferry an unsigned sibling next to a signed element and exploit first-match parsers; the verifier now asserts single-child cardinality on every security-critical element via `_findAllChildren(...).length === 1`. **OIDC federation** (`b.auth.openidFederation.verifyEntityStatement`): JWK key-type cross-check against the JWS `alg` header BEFORE `nodeCrypto.createPublicKey` — an attacker-controlled entity-config declaring `alg: "ES256"` while supplying an RSA JWK would previously load through Node's silent algorithm-vs-key coercion path. Now refuses with `auth-openid-federation/alg-kty-mismatch` for any `alg=ES*` not paired with `kty=EC`, `alg=PS*`/`RS*` not paired with `RSA`, or `alg=EdDSA` not paired with `OKP`. **`b.auth.openidFederation.buildTrustChain` error-masking**: trust-chain ascent previously swallowed every per-authority failure via `catch (_e) {}` and continued to the next `authority_hint`; signature-failure errors from one authority no longer mask, the chain now refuses on cryptographic refusal (`bad-jwk`, `alg-kty-mismatch`, `bad-signature`, `signature-failed`). Network / 404 / iss-sub-mismatch errors still continue to the next hint but are collected and surfaced in the `no-ascent` failure shape. **SD-JWT VC verify** (`b.auth.sdJwtVc.verify`): three correctness fixes. (1) `_sd_alg` default switched from `sha3-512` to `sha-256` per IETF draft §4.1.1 — prior default broke verification against spec-conformant issuers when the issuer omitted `_sd_alg`. (2) Disclosure-replay defense: every disclosure digest tracked in a Set; second occurrence of the same digest refuses with `auth-sd-jwt-vc/disclosure-replay`. (3) Claim-shadowing defense: holder-supplied disclosures whose name collides with an issuer-signed top-level claim (`iss`, `sub`, `aud`, `iat`, `nbf`, `exp`, `jti`, `vct`, `cnf`, `_sd`, `_sd_alg`, `status`) refuse with `auth-sd-jwt-vc/protected-claim-shadow` instead of silently overwriting the signed value. (4) KB-JWT `sd_hash` now uses the credential's declared `_sd_alg` (was hardcoded sha256, breaking against issuers using sha3-512); `sd_hash` compare routed through `b.crypto.timingSafeEqual`. **OAuth `verifyIdToken`** (`b.auth.oauth.verifyIdToken`): three hardening fixes that bring the verifier to parity with the framework's other JWS verifiers. (1) `nodeCrypto.verify` wrapped in try/catch — previously panicked on key/sig shape mismatch (e.g. ES256 sig against an RS256 key returned by a buggy IdP with duplicate kids), bubbling a raw `Error` to the operator's handler instead of an `OAuthError`. (2) RFC 7515 §4.1.11 `crit` header refusal — every sibling verifier (`b.auth.jwt`, `b.auth.jwt.verifyExternal`, `b.auth.dpop`) refuses; verifyIdToken previously silently ignored, letting an attacker-controlled OP ship critical extensions the verifier doesn't understand. (3) `state` and `nonce` claim compares routed through `b.crypto.timingSafeEqual` — these are CSRF / replay tokens compared against attacker-controlled callback / payload data.
 - v0.9.0 (2026-05-11) — **Minor: 3 new RFC primitives + `b.structuredFields` shared substrate + full audit-derived hardening sweep + 5 new bug-class detectors**. **`b.structuredFields`** consolidates the quote-aware top-level splitter (`splitTopLevel(s, sep)`), the raw-value control-byte refusal scan (`refuseControlBytes` / `containsControlBytes`), and the sf-string unquote (`unquoteSfString`) used by every RFC 8941 / RFC 9110 / RFC 9111 / RFC 9213 / RFC 9421 / RFC 6266 / RFC 6265 / RFC 6455 parser in the framework — replaces the per-file open-coded copies that were drifting site-by-site. **8 audit-surfaced bug-class sites fixed in this same patch** (no deferred follow-up): (1) `b.middleware.bodyParser._contentType` + `_parseHeaderParams` — RFC 9110 Content-Type / RFC 6266 Content-Disposition parameters can carry quoted-string values (`boundary="foo;bar"` / `filename="weird;name.txt"`); bare `.split(";")` previously sliced through quoted semicolons and corrupted multipart boundaries. (2) `b.requestHelpers.parseListHeader({ strictToken: true })` — control-byte scan now runs on the RAW value before `.trim()` so a leading `\n<token>` no longer slips past `RFC_9110_TOKEN_RE` (same v0.8.90 bug class; used by webhook signature parsing and WS subprotocol negotiation). (3) `b.middleware.tusUpload._parseChecksumHeader` — same trim-before-validate fix. (4) `b.httpClient.cache._parseCacheControl` — quote-aware `,` splitter (RFC 9111 §5.2 + RFC 9110 §5.6.4 directive values may be quoted-string). (5) `b.httpClient.cookieJar._parseSetCookie` — quote-aware `;` splitter defends RFC 7230 quoted-string attribute values (`SameSite="Strict"` from interop-imperfect upstreams). (6) `b.websocket._parseExtensionHeader` — quote-aware `;` and `,` splitters defend RFC 6455 §9.1 + RFC 7230 token-or-quoted-string parameter values against forward-compat extensions shipping quoted params. (7) `b.aiPref.parseHeader` — control-byte refusal added on the RAW value before split + trim. (8) `b.auth.stepUp.parseChallenge` — same trim-before-validate fix (returns `null` per defensive-reader contract instead of throwing). Also: `b.logStream.init({ minLevel })` now validates the level vocabulary at config time so a typo'd `"infos"` (which previously produced `LEVEL_PRIORITY["infos"] === undefined` and silently dropped every log record) throws at boot. `b.crypto.httpSig`'s RFC 9421 Signature-Input parameter parser uses the quote-aware `;` splitter (RFC 8941 §3.1.2 sf-string parameter values). `b.security.assertProductionPosture({ minTlsVersion })` validates `minTlsVersion` against the canonical TLS vocabulary BEFORE the rank comparison (a typo previously silently passed because `indexOf` returned `-1` — same bug class as v0.8.88 `b.auth.fal.meets`). **3 new RFC primitives**: **`b.cdnCacheControl`** ships an RFC 9213 directive list builder + parser shared across `Cache-Control`, `CDN-Cache-Control`, `Surrogate-Control`, and the operator-specific `Cloudflare-` / `Vercel-` / `Fastly-` / `Akamai-` / `Netlify-CDN-Cache-Control` variants. `build({...})` emits the directive list string (numeric directives non-negative-integer-only; refuses Infinity / NaN / floats / negatives; full RFC 9111 boolean directive set; `extensions` for non-standard directives with RFC 7234 §5.2 token-shape enforcement); refuses `public + private` conflict per RFC 9111 §5.2.2.5/§5.2.2.6. `parse(headerValue)` decodes any targeted header into `{ public, private, noStore, maxAge, sMaxAge, ..., directives, fields }` with **qualified-form support** (`private="Authorization"` flag stays enabled, field-name list under `.fields[camel]` per RFC 9111 §5.2.2.4 / §5.2.2.6 — presence == enabled, the argument narrows scope), **bare `max-stale` parses as `Infinity`** per RFC 9111 §5.2.1.2 (instead of buggy `Number(true) === 1`), and a quote-aware top-level `,` splitter so a `, ` inside a quoted directive value doesn't fake-split. `isTargetedHeader(name)` + curated `TARGETED_HEADERS` allowlist. **`b.clientHints`** ships a Sec-CH-UA-* request-header family parser per W3C UA Client Hints + IETF draft-davidben-http-client-hint-reliability. `parse(req.headers)` returns `{ brands, mobile, platform, platformVersion, arch, bitness, model, fullVersionList, wow64, formFactors, raw }`; quote-aware splitters at brand-list and brand-member-parameter level (RFC 8941 §4.1.1.4 parameter values may be sf-string); refuses control characters in any Sec-CH-* value. `acceptList(hintNames)` builds `Accept-CH` with typo-defense (unknown hint name throws `client-hints/unknown-hint`); dedupes case-variant duplicates; canonicalizes to W3C mixed-case spelling. `KNOWN_HINTS` exports the well-known 22-name list. **`b.network.dns.classifyDnskeyAlgorithm(algorithm)` / `classifyDsDigestType(digestType)`** — RFC 9905 DNSSEC SHA-1 deprecation classifier. Covers every IANA-assigned DNSKEY algorithm (including PRIVATEDNS/PRIVATEOID/INDIRECT/Reserved entries) and RFC 9558 §3 DS digest types 5 (GOST R 34.11-2012) + 6 (SM3); operators auditing inbound DNSSEC chain-of-trust evidence refuse validations where `deprecated === true`. Inline `allow:bare-split-on-quoted-header` markers added across `mail-auth.js` (DKIM / DMARC / ARC tag-list grammar — token-only), `network-smtp-policy.js` (TLS-RPT — token-only), `middleware/scim-server.js` (RFC 7644 §3.9 SCIM attribute paths), `http-client-cache.js` (RFC 9110 §12.5.5 Vary field-names), `http-message-signature.js` (RFC 9421 component-id covered list), `middleware/body-parser.js` (RFC 9112 §6.1 Transfer-Encoding token-only), each citing the controlling RFC clause showing why quoted-string is not a legal value in that grammar. **5 new bug-class detectors** in `test/layer-0-primitives/codebase-patterns.test.js` so the same shapes can't drift back in: (a) `trim-before-validate` — control-byte refusal scans must run on the RAW header value BEFORE `.trim()` strips leading/trailing C0/DEL bytes; detector now catches BOTH the `charCodeAt` codepoint-loop shape AND the `<NAME>_RE.test(<trimmed>)` grammar-regex shape; (b) `enum-rank-without-validation` — `_rankFn(X) >= _rankFn(Y)` arithmetic comparisons must have a preceding `isValid*` / `KNOWN_*` membership check on both inputs (catches `b.auth.fal.meets` bug shape); (c) `bool-string-coerce-shape` — boolean directive parsing must NOT use `val === "" || val === "true"` coercion (catches `b.cdnCacheControl.parse` qualified-form bug shape); (d) `bare-split-on-quoted-header` — RFC structured-fields parsers in files that ALSO handle sf-string unquote regex must use the shared quote-aware `b.structuredFields.splitTopLevel`, not bare `.split(",") / .split(";")`; (e) `scoped-context-binding-unused` — scope-named factory bindings (`forwarderDomain` / `realm` / `origin` / `audience` / `issuer`) captured in the factory must be compared against the inbound value's embedded scope in the `verify` / `reverse` / `decode` path (catches the v0.8.89 SRS forwarder-domain bug shape). Operators upgrade `0.8.90` → `0.9.0`; v0.8.91 was never tagged (its surface is folded into v0.9.0 with the audit-derived hardening).

package/lib/auth/ciba.js

@@ -55,7 +55,7 @@ var lazyRequire  = require("../lazy-require");
 var validateOpts = require("../validate-opts");
 var safeJson     = require("../safe-json");
 var safeUrl      = require("../safe-url");
-var { generateToken, sha3Hash } = require("../crypto");
+var { generateToken, sha3Hash, timingSafeEqual } = require("../crypto");
 var { AuthError } = require("../framework-error");
 
 var httpClient    = lazyRequire(function () { return require("../http-client"); });
@@ -169,6 +169,16 @@ function create(opts) {
     throw new AuthError("auth-ciba/no-notification-token",
       "auth.ciba.client.create: clientNotificationToken required for ping/push delivery modes");
   }
+  // Minimum-entropy guard on the client_notification_token (audit
+  // 2026-05-11). CIBA §7.1.2 requires the token be opaque + hard to
+  // guess; the framework's other token-shaped primitives enforce 32
+  // chars minimum. A 4-char token was previously accepted; refuse.
+  if (clientNotificationToken !== null && clientNotificationToken.length < 32) {                  // allow:raw-byte-literal — RFC 9700 §7.1.2 token char-length minimum, not bytes
+    throw new AuthError("auth-ciba/notification-token-too-short",
+      "auth.ciba.client.create: clientNotificationToken must be >= 32 chars " +
+      "(generate via b.crypto.generateToken(32) or stronger; CIBA §7.1.2 " +
+      "requires opaque hard-to-guess token).");
+  }
 
   // Each backchannel-authentication request mints a fresh
   // `client_notification_token` per the spec? No — the RP registers
@@ -368,6 +378,10 @@ function create(opts) {
       ? rv.interval : DEFAULT_INTERVAL_SEC;
     var expiresIn = typeof rv.expires_in === "number" && rv.expires_in > 0
       ? rv.expires_in : DEFAULT_EXPIRES_SEC;
+    // Seed the per-authReqId interval tracker so pollToken's
+    // slow_down handler bumps from the IdP-supplied starting point
+    // (CIBA §11.3 minimum-5s bump on every slow_down response).
+    _registerInitialInterval(rv.auth_req_id, interval);
 
     _emitAudit("start", "success", {
       authReqIdHash: sha3Hash("auth-ciba:" + rv.auth_req_id),
@@ -399,6 +413,17 @@ function create(opts) {
    *   var tokens = await ciba.pollToken({ authReqId: ticket.authReqId });
    *   // → { accessToken, idToken, refreshToken, tokenType, scope, expiresIn, raw }
    */
+  // Per-authReqId interval tracking — CIBA §11.3 requires the client
+  // to increase its polling interval by at least 5s on every
+  // `slow_down` response. The framework client now maintains this
+  // state internally so operators reading `err.nextIntervalSec` get
+  // a spec-correct back-off without rolling their own counter.
+  var _intervalState = new Map();   // authReqId → current interval sec
+
+  function _registerInitialInterval(authReqId, intervalSec) {
+    _intervalState.set(authReqId, intervalSec);
+  }
+
   async function pollToken(popts) {
     popts = popts || {};
     if (typeof popts.authReqId !== "string" || popts.authReqId.length === 0) {
@@ -421,7 +446,33 @@ function create(opts) {
       body.set("client_id", opts.clientId);
     }
     if (clientAuth === "mtls") body.set("client_id", opts.clientId);
-    var rv = await _postForm(endpoint, body);
+    var rv;
+    try {
+      rv = await _postForm(endpoint, body);
+    } catch (err) {
+      // CIBA §11.3 — on slow_down response, increase polling
+      // interval by at least 5s. Attach the next-suggested-interval
+      // to the error so the operator's poll loop reads a spec-
+      // correct back-off without manual bookkeeping. The IdP MAY
+      // optionally return its own `interval` value in the 400 body;
+      // honor that when >= current + 5, otherwise enforce the
+      // minimum 5s bump.
+      if (err && err.code === "auth-ciba/slow_down") {
+        var current = _intervalState.get(popts.authReqId) || DEFAULT_INTERVAL_SEC;
+        var idpSuggested = err.cibaError && typeof err.cibaError.interval === "number"
+          ? err.cibaError.interval : null;
+        var next = current + 5;                                                                 // allow:raw-time-literal — §11.3 mandates +5s minimum
+        if (idpSuggested !== null && idpSuggested > next && idpSuggested <= MAX_INTERVAL_SEC) {
+          next = idpSuggested;
+        }
+        if (next > MAX_INTERVAL_SEC) next = MAX_INTERVAL_SEC;
+        _intervalState.set(popts.authReqId, next);
+        err.nextIntervalSec = next;
+      }
+      throw err;
+    }
+    // Token issued — clear interval tracking for this authReqId.
+    _intervalState.delete(popts.authReqId);
     _emitAudit("token_received", "success", {
       authReqIdHash: sha3Hash("auth-ciba:" + popts.authReqId),
     });
@@ -479,13 +530,15 @@ function create(opts) {
       throw new AuthError("auth-ciba/bad-bearer",
         "ciba.parseNotification: empty bearer or no expected token configured");
     }
-    // Constant-time compare via the framework's primitive shape —
-    // sha3-of-each + ===-of-hash is constant-time over equal-length
-    // hashes regardless of presented length, so a length-side-channel
-    // probe can't enumerate the prefix.
+    // Constant-time compare on the SHA3 hash of both tokens —
+    // matches the project-wide discipline (audit 2026-05-11). Both
+    // sides are fixed-width sha3-512 hex strings; timingSafeEqual
+    // adds explicit defense-in-depth over `!==` even though equal-
+    // length JS string compare is already broadly understood as
+    // constant-time on V8.
     var presentedHash = sha3Hash(presented);
     var expectedHash  = sha3Hash(clientNotificationToken);
-    if (presentedHash !== expectedHash) {
+    if (!timingSafeEqual(presentedHash, expectedHash)) {
       _emitAudit("notification_token_mismatch", "failure", {});
       throw new AuthError("auth-ciba/wrong-bearer",
         "ciba.parseNotification: client_notification_token does not match");

package/lib/auth/jwt-external.js

@@ -187,7 +187,7 @@ async function _fetchJwks(uri, cacheMs) {
   }, cacheMs || DEFAULT_JWKS_CACHE_MS);
 }
 
-function _selectKey(keys, header) {
+function _selectKey(keys, header, vopts) {
   if (!Array.isArray(keys) || keys.length === 0) {
     throw new AuthError("auth-jwt-external/no-jwks-keys",
       "JWKS source has no keys");
@@ -199,9 +199,18 @@ function _selectKey(keys, header) {
     throw new AuthError("auth-jwt-external/no-matching-kid",
       "no JWKS key matches header.kid='" + header.kid + "'");
   }
-  if (keys.length === 1) return keys[0];
+  // Refuse kid-less tokens by default (audit 2026-05-11). JWKS
+  // rotation creates a window where the rotated-out key is still
+  // cached but the rotated-in key is already published; an
+  // attacker shipping a kid-less token gets the lone-key path
+  // during that window. Modern IdPs always emit kid. Operators
+  // with non-conforming issuers opt in via vopts.allowKidlessJwks
+  // = true (logged via the caller's audit hook).
+  if (keys.length === 1 && vopts && vopts.allowKidlessJwks === true) return keys[0];
   throw new AuthError("auth-jwt-external/kid-required",
-    "JWKS has " + keys.length + " keys but token header has no kid");
+    "JWKS has " + keys.length + " key(s) but token header has no kid — " +
+    "framework refuses kid-less tokens to defend against JWKS-rotation " +
+    "key-pick attacks (pass vopts.allowKidlessJwks: true to opt out)");
 }
 
 // ---- public surface ----
@@ -304,7 +313,7 @@ async function verifyExternal(token, opts) {
   } else {
     var keys = opts.jwks ? opts.jwks
                          : await _fetchJwks(opts.jwksUri, opts.jwksCacheMs);
-    var jwk = _selectKey(keys, header);
+    var jwk = _selectKey(keys, header, opts);
     key = _jwkToKey(jwk);
   }
 

package/lib/auth/oauth.js

@@ -561,20 +561,45 @@ function create(opts) {
     // constrained confidential clients. Operators with sender-
     // constrained tokens (DPoP / mTLS) can opt out by NOT supplying
     // a seen callback.
-    if (typeof ropts.seen === "function") {
-      var alreadySeen;
+    //
+    // Atomic check-and-insert (audit 2026-05-11) — pre-v0.9.3 the
+    // check ran via `ropts.seen(token)` which was a check-then-act
+    // race: two concurrent refresh requests landed on the same
+    // event-loop tick could both see `seen === false` and both POST
+    // to the token endpoint, neither flagging the replay. The new
+    // contract is `ropts.checkAndInsert(token, expireAtMs)` which
+    // MUST atomically test-and-set: returns true if the token was
+    // ALREADY in the store (replay) and false if it just inserted
+    // the token. The legacy `seen` callback continues to work for
+    // backward compatibility but emits a deprecation warning.
+    var alreadySeen = false;
+    if (typeof ropts.checkAndInsert === "function") {
+      var nowMs = Date.now();
+      // 24h max refresh-token TTL — operators with shorter TTLs
+      // should configure their store's own expiry policy.
+      var expireAtMs = nowMs + C.TIME.hours(24);
+      try { alreadySeen = await ropts.checkAndInsert(refreshToken, expireAtMs); }
+      catch (e) {
+        throw new OAuthError("auth-oauth/seen-callback-failed",
+          "refreshAccessToken: checkAndInsert() callback threw: " + ((e && e.message) || String(e)));
+      }
+    } else if (typeof ropts.seen === "function") {
+      // Legacy non-atomic path. Documented as a check-then-act race;
+      // operators sharing a single-writer store (Redis SETNX, DB
+      // INSERT ON CONFLICT) MUST migrate to checkAndInsert. Stays
+      // here for backwards-compat with existing operator code.
       try { alreadySeen = await ropts.seen(refreshToken); }
       catch (e) {
         throw new OAuthError("auth-oauth/seen-callback-failed",
           "refreshAccessToken: seen() callback threw: " + ((e && e.message) || String(e)));
       }
-      if (alreadySeen === true) {
-        throw new OAuthError("auth-oauth/refresh-token-replay",
-          "refreshAccessToken: refresh token has been presented before — refused " +
-          "(OAuth 2.1 §6.1 / RFC 9700 §4.13 one-time-use defense). The operator MUST " +
-          "treat this as a token-theft signal: revoke the refresh-token family + force " +
-          "the user to re-authenticate.");
-      }
+    }
+    if (alreadySeen === true) {
+      throw new OAuthError("auth-oauth/refresh-token-replay",
+        "refreshAccessToken: refresh token has been presented before — refused " +
+        "(OAuth 2.1 §6.1 / RFC 9700 §4.13 one-time-use defense). The operator MUST " +
+        "treat this as a token-theft signal: revoke the refresh-token family + force " +
+        "the user to re-authenticate.");
     }
     var endpoint = await _resolveEndpoint("tokenEndpoint");
     var body = new URLSearchParams();
@@ -873,7 +898,14 @@ function create(opts) {
       expiresIn:    raw.expires_in || null,
       refreshToken: raw.refresh_token || null,
       idToken:      raw.id_token || null,
-      scope:        raw.scope ? raw.scope.split(/\s+/) : scope.slice(),
+      // RFC 6749 §3.3 — scope is space-separated, ONLY U+0020.
+      // `\s+` previously matched U+0085 NEL, U+00A0 NBSP, etc., so a
+      // hostile AS returning `scope: "admin<NEL>read"` would
+      // surface as `["admin", "read"]` and the operator's scope
+      // allowlist saw two distinct scopes. Spec-strict split on
+      // single-space + reject scope tokens that contain non-token
+      // chars. (Audit 2026-05-11.)
+      scope:        raw.scope ? raw.scope.split(" ").filter(function (s) { return s.length > 0; }) : scope.slice(),
       raw:          raw,
     };
     if (tokens.idToken && isOidc) {
@@ -943,12 +975,29 @@ function create(opts) {
       for (var i = 0; i < keys.length; i++) {
         if (keys[i].kid === header.kid) { match = keys[i]; break; }
       }
-    } else if (keys.length === 1) {
-      match = keys[0];
     }
+    // Pre-v0.9.4 fell back to keys[0] when the token carried NO kid
+    // and the JWKS had exactly one key. This is a latent vector
+    // during JWKS rotation: an attacker who can ship a kid-less
+    // token gets the lone key during the window the rotated-out
+    // key was still cached at the IdP but the rotated-in key is
+    // already published. Refuse kid-less tokens unconditionally —
+    // every modern IdP includes kid; absent kid is a spec smell.
+    // (Audit 2026-05-11.) Operators with non-conforming IdPs that
+    // genuinely emit kid-less tokens can opt out via
+    // vopts.allowKidlessJwks = true with a logged warning.
     if (!match) {
-      throw new OAuthError("auth-oauth/no-matching-key",
-        "no JWKS key matches header.kid='" + header.kid + "'");
+      if (!header.kid && keys.length === 1 && vopts.allowKidlessJwks === true) {
+        match = keys[0];
+      } else {
+        throw new OAuthError("auth-oauth/no-matching-key",
+          header.kid
+            ? "no JWKS key matches header.kid='" + header.kid + "'"
+            : "ID token has no kid header; framework refuses kid-less " +
+              "tokens to defend against JWKS-rotation key-pick attacks " +
+              "(pass vopts.allowKidlessJwks: true to opt out if your IdP " +
+              "genuinely emits kid-less tokens)");
+      }
     }
     var keyObject = _jwkToKey(match);
     var params = _verifyParamsForAlg(header.alg);

package/lib/auth/oid4vci.js

@@ -54,7 +54,7 @@ var lazyRequire  = require("../lazy-require");
 var validateOpts = require("../validate-opts");
 var safeJson     = require("../safe-json");
 var nodeCrypto   = require("node:crypto");
-var { generateToken, sha3Hash } = require("../crypto");
+var { generateToken, sha3Hash, timingSafeEqual } = require("../crypto");
 var { AuthError } = require("../framework-error");
 
 var cache       = lazyRequire(function () { return require("../cache"); });
@@ -116,9 +116,14 @@ function _verifyProofJwt(proofJwt, expectedAud, expectedCNonce, expectedClientId
     throw new AuthError("auth-oid4vci/wrong-proof-aud",
       "credential issuance: proof JWT aud \"" + payload.aud + "\" mismatch (expected \"" + expectedAud + "\")");
   }
-  if (expectedCNonce !== null && payload.nonce !== expectedCNonce) {
-    throw new AuthError("auth-oid4vci/wrong-proof-nonce",
-      "credential issuance: proof JWT nonce mismatch (replay defense — wallet must use the c_nonce from the most recent issuer response)");
+  if (expectedCNonce !== null) {
+    // Constant-time c_nonce compare — secret-shaped value vs
+    // attacker-controlled wallet payload. (Audit 2026-05-11.)
+    if (typeof payload.nonce !== "string" ||
+        !timingSafeEqual(payload.nonce, expectedCNonce)) {
+      throw new AuthError("auth-oid4vci/wrong-proof-nonce",
+        "credential issuance: proof JWT nonce mismatch (replay defense — wallet must use the c_nonce from the most recent issuer response)");
+    }
   }
   if (typeof payload.iat !== "number") {
     throw new AuthError("auth-oid4vci/no-proof-iat",
@@ -400,8 +405,11 @@ function create(opts) {
           "exchangePreAuthorizedCode: tx_code required (offer mandates it)");
       }
       var txHash = sha3Hash("oid4vci-tx:" + eopts.txCode);
-      // Constant-time-ish compare via fixed-size sha3 hash equality.
-      if (txHash !== entry.txCodeHash) {
+      // Constant-time compare on the hashed tx_code (audit 2026-05-11
+      // — was `!==` on fixed-width sha3 hex; per CLAUDE.md rule §5
+      // every framework-internal compare against attacker-controlled
+      // input routes through timingSafeEqual).
+      if (!timingSafeEqual(txHash, entry.txCodeHash)) {
         // Don't consume on failure — wallet may be retrying. Operator
         // attaches their own attempt counter / lockout via b.auth.lockout.
         _emitAudit("tx_code_mismatch", "failure", {

package/lib/auth/oid4vp.js

@@ -452,6 +452,16 @@ function create(opts) {
           continue;
         }
         try {
+          // Per-presentation vct enforcement (audit 2026-05-11): when
+          // DCQL's `vct_values` has 1 entry, `expectedVct` pins it.
+          // With 2+ entries the verifier's expectedVct opt can't hold
+          // a list, so we verify-without-expected and then validate
+          // the actual vct against the DCQL list manually — over-
+          // disclosure defense (a holder presenting a vct outside
+          // the DCQL filter would previously slip through).
+          var dcqlVctValues = cq.meta && Array.isArray(cq.meta.vct_values) ? cq.meta.vct_values : null;
+          var expectedVct = dcqlVctValues && dcqlVctValues.length === 1
+            ? dcqlVctValues[0] : undefined;
           var verified = await sdJwtVcCore().verify(t, {
             issuerKeyResolver:      opts.issuerKeyResolver,
             audience:               audience,
@@ -459,9 +469,16 @@ function create(opts) {
             requireKeyBinding:      true,
             requireKeyAttestation:  vopts.requireKeyAttestation === true,
             keyAttestationVerifier: opts.keyAttestationVerifier || null,
-            expectedVct:            cq.meta && cq.meta.vct_values && cq.meta.vct_values.length === 1
-                                      ? cq.meta.vct_values[0] : undefined,
+            expectedVct:            expectedVct,
           });
+          if (dcqlVctValues && dcqlVctValues.length > 1) {
+            if (!verified.claims || dcqlVctValues.indexOf(verified.claims.vct) === -1) {
+              verifyErrors.push("vp_token['" + id + "'][" + ti + "] vct '" +
+                ((verified.claims && verified.claims.vct) || "<missing>") +
+                "' is not in DCQL vct_values [" + dcqlVctValues.join(", ") + "]");
+              continue;
+            }
+          }
           presentations.push({
             id:                   id,
             format:               cq.format,

package/lib/middleware/dpop.js

@@ -102,12 +102,33 @@ function _nonceManager(rotateSec) {
   };
 }
 
-function _reconstructHtu(req) {
+function _reconstructHtu(req, mopts) {
   // The proof's htu is the request URI WITHOUT query/fragment. Behind
   // a reverse proxy the operator may need to override via opts.htu /
-  // opts.getHtu — defaults read X-Forwarded-* if present.
-  var proto = req.headers["x-forwarded-proto"] || (req.socket && req.socket.encrypted ? "https" : "http");
-  var host = req.headers["x-forwarded-host"] || req.headers.host;
+  // opts.getHtu. X-Forwarded-* headers are ATTACKER-CONTROLLED when
+  // the origin is reachable directly; an attacker who can hit the
+  // origin while spoofing X-Forwarded-Proto: https can trick this
+  // function into building an `https` htu that the DPoP proof was
+  // signed for — when the origin is actually serving HTTP. RFC 9449
+  // §4.3 says htu MUST be the absolute URL the request was sent to.
+  //
+  // Default: ignore X-Forwarded-* and derive proto/host from the
+  // socket. Operators with a confirmed-trusted front proxy opt in
+  // via opts.trustForwardedHeaders: true. (Audit 2026-05-11.)
+  mopts = mopts || {};
+  var trustForwarded = mopts.trustForwardedHeaders === true;
+  var proto;
+  if (trustForwarded && req.headers["x-forwarded-proto"]) {
+    proto = String(req.headers["x-forwarded-proto"]).split(",")[0].trim();
+  } else {
+    proto = req.socket && req.socket.encrypted ? "https" : "http";
+  }
+  var host;
+  if (trustForwarded && req.headers["x-forwarded-host"]) {
+    host = String(req.headers["x-forwarded-host"]).split(",")[0].trim();
+  } else {
+    host = req.headers.host;
+  }
   if (!host) return null;
   var path = req.url || "/";
   var qIdx = path.indexOf("?");
@@ -217,7 +238,7 @@ function create(opts) {
         "multiple DPoP headers are not allowed");
     }
 
-    var htu = (typeof opts.getHtu === "function" ? opts.getHtu(req) : _reconstructHtu(req));
+    var htu = (typeof opts.getHtu === "function" ? opts.getHtu(req) : _reconstructHtu(req, opts));
     if (!htu) {
       return _writeUnauthorized(res, "invalid_dpop_proof", "could not reconstruct htu");
     }

package/lib/network-tls.js

@@ -1103,7 +1103,14 @@ function evaluateOcspResponse(ocspDer, opts) {
       return { ok: false, status: parsed.status, signatureValid: true,
                errors: ["OCSP response missing nonce extension (expected for replay defense)"] };
     }
-    if (!parsed.basic.nonce.equals(opts.expectedNonce)) {
+    // Constant-time compare — module-wide consistency with the
+    // Merkle-root / NTS-cookie / cert-fingerprint paths that already
+    // use timingSafeEqual. Buffer.equals is constant-time on equal-
+    // length inputs but fast-paths on length mismatch; not security-
+    // critical here (the OCSP response is CA-signed and signature
+    // already verified) but matches the project discipline.
+    // (Audit 2026-05-11.)
+    if (!blamejsCrypto.timingSafeEqual(parsed.basic.nonce, opts.expectedNonce)) {
       return { ok: false, status: parsed.status, signatureValid: true,
                errors: ["OCSP nonce mismatch — possible replay or wrong responder"] };
     }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.9.2",
+  "version": "0.9.4",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:1fccffd9-4415-43af-8e59-a1b496768581",
+  "serialNumber": "urn:uuid:9ba09f74-5c33-44b9-b39c-b6016b2073d8",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-11T23:52:18.846Z",
+    "timestamp": "2026-05-12T00:48:11.880Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.9.2",
+      "bom-ref": "@blamejs/core@0.9.4",
       "type": "library",
       "name": "blamejs",
-      "version": "0.9.2",
+      "version": "0.9.4",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.9.2",
+      "purl": "pkg:npm/%40blamejs/core@0.9.4",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.9.2",
+      "ref": "@blamejs/core@0.9.4",
       "dependsOn": []
     }
   ]