@blamejs/core 0.9.3 → 0.9.4

package/CHANGELOG.md

@@ -8,6 +8,7 @@ upgrading across more than a few patches at a time.
 
 ## v0.9.x
 
+- v0.9.4 (2026-05-12) — **Audit hardening slice 4: kid-less JWKS lookup refusal + OCSP nonce CT compare + OAuth scope strict-split + DPoP `X-Forwarded-Proto` trust gate**. Closes the remaining MEDIUM-tier findings from the 2026-05-11 auth audit. **`b.auth.oauth.verifyIdToken` + `b.auth.jwt.verifyExternal` kid-less JWKS lookup refusal** — pre-v0.9.4 both verifiers fell back to `keys[0]` when the token carried NO `kid` and the JWKS had exactly one key. This is a latent vector during JWKS rotation: an attacker shipping a kid-less token gets the lone-key path during the window the rotated-out key is still cached at the IdP but the rotated-in key is already published. Every modern IdP includes `kid`; the framework now refuses kid-less tokens unconditionally. Operators with non-conforming IdPs that genuinely emit kid-less tokens opt out via `vopts.allowKidlessJwks: true`. **`b.network.tls` OCSP nonce constant-time compare** — `evaluateOcspResponse`'s `expectedNonce` match migrated from `Buffer.equals` to `b.crypto.timingSafeEqual` for module-wide consistency with the Merkle-root / NTS-cookie / cert-fingerprint paths that already use `timingSafeEqual`. **`b.auth.oauth` scope strict whitespace split** — RFC 6749 §3.3 says `scope` is space-separated, ONLY `U+0020`. Pre-v0.9.4 `raw.scope.split(/\s+/)` matched U+0085 NEL, U+00A0 NBSP, etc., so a hostile AS returning `scope: "admin<NEL>read"` would surface as `["admin", "read"]` and the operator's scope allowlist saw two distinct scopes. Now splits on single-space only; empty pieces filtered out. **`b.middleware.dpop` `X-Forwarded-*` trust gate** — `_reconstructHtu` previously read `X-Forwarded-Proto` / `X-Forwarded-Host` unconditionally; an attacker who can hit the origin directly while spoofing `X-Forwarded-Proto: https` could trick the middleware into building an `https` htu that the DPoP proof was signed for, when the origin is actually serving HTTP (RFC 9449 §4.3 says the htu MUST be the absolute URL the request was sent to). The default now derives proto/host from the socket; operators with a confirmed-trusted front proxy opt in via `opts.trustForwardedHeaders: true`.
 - v0.9.3 (2026-05-11) — **Audit hardening slice 3: OAuth + OID4VCI + OID4VP + CIBA + constant-time-compare migrations**. Continues the 2026-05-11 auth audit follow-through. **`b.auth.oauth.refreshAccessToken` atomic check-and-insert** — new `ropts.checkAndInsert(token, expireAtMs)` callback contract replaces the previous `ropts.seen(token)` check-then-act race. Two concurrent refresh requests on the same event-loop tick could both see `seen === false` and both POST to the token endpoint, neither flagging the replay; the new contract requires an atomic test-and-set (Redis SETNX, DB INSERT ON CONFLICT) and is the OAuth 2.1 §6.1 / RFC 9700 §4.13 one-time-use defense surfacing the actual race window. Legacy `seen` callback continues to work for backwards-compat with operator code; the docstring documents the race + recommends migration to `checkAndInsert`. **`b.auth.oid4vci` constant-time compares** — pre-auth `tx_code` hash compare (was `!==` on sha3 hex) and proof-JWT `c_nonce` compare (was `!==` on attacker-supplied wallet payload) both route through `b.crypto.timingSafeEqual`. **`b.auth.oid4vp` per-presentation `vct` enforcement** — DCQL filters with 2+ `vct_values` entries previously bypassed vct validation entirely (the framework only set `expectedVct` when the filter pinned to a single value). Verifier now validates the presented vct against the DCQL filter list manually when length > 1; refuses with `vp_token['<id>'][<n>] vct '<presented>' is not in DCQL vct_values [...]` on over-disclosure. **`b.auth.ciba` slow_down honoring** — CIBA §11.3 requires the client to increase its polling interval by at least 5s on every `slow_down` response. Pre-v0.9.3 the framework client never bumped, leaving operators to do their own interval bookkeeping. Now `pollToken()` tracks per-`authReqId` interval state internally (Map keyed by authReqId, seeded from `startAuthentication`'s response, cleared on token issuance), bumps by `max(5s, IdP-suggested interval) <= MAX_INTERVAL_SEC` on every slow_down, and attaches the next-suggested interval to the thrown `auth-ciba/slow_down` error as `err.nextIntervalSec` so operators read a spec-correct back-off without manual bookkeeping. **`b.auth.ciba` notification-token entropy** — `clientNotificationToken` now refuses < 32 chars per CIBA §7.1.2's opaque-hard-to-guess requirement. Pre-v0.9.3 a 4-char token passed. **`b.auth.ciba.parseNotification` constant-time compare** — bearer-token hash compare migrated from `!==` to `b.crypto.timingSafeEqual` (both sides are fixed-width sha3-512 hex strings; defense-in-depth even though equal-length JS string compare is already widely understood as constant-time on V8).
 - v0.9.2 (2026-05-11) — **Audit hardening slice 2: WebAuthn + FIDO MDS3 + NIST AAL**. Continues the 2026-05-11 auth surface audit follow-through. **`b.auth.passkey.verifyAuthentication` counter-regression bypass fix** — pre-v0.9.2 the wrapper coerced `opts.credential.counter || 0`, silently zeroing an `undefined` / `null` / `NaN` counter and defeating CTAP 2.1 clone-detection on credentials whose stored counter was > 0. An operator deserializing the credential from a column that lost the counter would unknowingly accept a cloned authenticator. The wrapper now refuses `undefined` / `null` (operators MUST persist whatever the vendor returned at registration; first-time-stored credentials carry counter:0 explicitly) and rejects any non-integer / non-finite / negative value with `auth-passkey/bad-counter`. **`b.auth.passkey` multi-origin support** — `expectedOrigin` now accepts `string` OR `string[]` on both `verifyRegistration` and `verifyAuthentication`. Pre-v0.9.2 the wrapper enforced a single string only, blocking multi-origin deployments (web + admin-subdomain) from sharing one verifier; SimpleWebAuthn natively supports arrays. **`b.auth.passkey` prototype-pollution fix** — `ALLOWED_MEDIATION` lookup changed from `{...}[opts.mediation]` to `hasOwnProperty.call(ALLOWED_MEDIATION, opts.mediation)` with a null-prototype map. Pre-v0.9.2 a caller passing `mediation: "__proto__"` / `"constructor"` truthy-matched an inherited Object.prototype property and slipped past the allowlist into `generateAuthenticationOptions`. **`b.auth.aal.fromMethods` UV requirement for AAL3** — per NIST SP 800-63-4 §5.1.7, WebAuthn / passkey satisfies AAL3 (MF-CRYPT) only when user verification was performed on the assertion. Pre-v0.9.2 `fromMethods({ webauthn: true })` returned `AAL3` unconditionally; operators using `userVerification: "preferred"` whose authenticator skipped UV landed in AAL3 despite not satisfying the spec's MF requirement. The caller now passes `uv: true` (sourced from the vendor's authData UV bit) to claim AAL3 with webauthn alone; without `uv`, webauthn alone caps at AAL2 (SF-CRYPT). Combination paths (`webauthn + password` / `webauthn + pin`) reach AAL3 regardless of UV (the memorized secret provides the second factor independently). **`b.auth.fidoMds3.verifyAuthenticator` fail-closed default + new opts** — pre-v0.9.2 unknown AAGUIDs returned `{ ok: true, reason: "aaguid-not-in-blob" }`, silently trusting any authenticator the metadata service hadn't yet listed (rogue / pre-certification / fake hardware). Now fails closed by default; operators wanting the legacy fail-open behavior (test fixtures, pre-certification pilot rollouts) pass `opts.allowUnknownAaguid: true` explicitly. **`b.auth.fidoMds3.parseBlob` stale-BLOB refusal** — refuses BLOB payloads whose `nextUpdate` is already in the past (FIDO MDS3 §3.1.7). Pre-v0.9.2 the staleness was floored to `MIN_CACHE_TTL_MS` but the BLOB was still served, letting an attacker pin operators to a revoked-authenticator-list-frozen-at-X by serving an ancient signed-but-expired BLOB. **`b.auth.fidoMds3.REFUSE_STATUS`** — added `ATTESTATION_KEY_COMPROMISE` per FIDO MDS3 §3.1.4. Pre-v0.9.2 this status was silently accepted; manufacturer batch-signing-key compromise affects every credential attested under that key.
 - v0.9.1 (2026-05-11) — **Audit hardening, slice 1 of N: federation auth + OAuth ID-token verifier**. Audit run after v0.9.0 across OAuth / SAML / OIDC federation / SD-JWT VC / WebAuthn / FIDO MDS3 / constant-time-compare surfaces; this slice closes the highest-severity SAML + OIDC + SD-JWT + OAuth findings. **SAML SP** (`b.auth.saml.sp.create({...}).buildAuthnRequest` + `.metadata`): every operator-supplied URL / ID interpolated into the emitted XML now routes through `b.xmlC14n.escapeAttrValue` / `escapeText`. Pre-v0.9.1 a `"` or `<` in `idpSsoUrl` / `assertionConsumerServiceUrl` / `entityId` / `nameIdFormat` broke out of attribute / element context and produced unsigned-XML breakout into the IdP redirect. Newly exported `b.xmlC14n.escapeAttrValue(s)` and `b.xmlC14n.escapeText(s)` — RFC 3741 §1.3.x compliant; available for any operator emitting XML alongside the framework's own SAML / canonicalization paths. **SAML SP `verifyResponse`**: digest compare on `Reference DigestValue` and `SubjectConfirmation InResponseTo` now use `b.crypto.timingSafeEqual` instead of `Buffer.compare` / `!==`. **SAML XSW defense**: refuses Response payloads that carry duplicate `<Status>`, `<StatusCode>`, `<Assertion>`, `<Subject>`, or `<NameID>` children — XML signature wrapping attacks ferry an unsigned sibling next to a signed element and exploit first-match parsers; the verifier now asserts single-child cardinality on every security-critical element via `_findAllChildren(...).length === 1`. **OIDC federation** (`b.auth.openidFederation.verifyEntityStatement`): JWK key-type cross-check against the JWS `alg` header BEFORE `nodeCrypto.createPublicKey` — an attacker-controlled entity-config declaring `alg: "ES256"` while supplying an RSA JWK would previously load through Node's silent algorithm-vs-key coercion path. Now refuses with `auth-openid-federation/alg-kty-mismatch` for any `alg=ES*` not paired with `kty=EC`, `alg=PS*`/`RS*` not paired with `RSA`, or `alg=EdDSA` not paired with `OKP`. **`b.auth.openidFederation.buildTrustChain` error-masking**: trust-chain ascent previously swallowed every per-authority failure via `catch (_e) {}` and continued to the next `authority_hint`; signature-failure errors from one authority no longer mask, the chain now refuses on cryptographic refusal (`bad-jwk`, `alg-kty-mismatch`, `bad-signature`, `signature-failed`). Network / 404 / iss-sub-mismatch errors still continue to the next hint but are collected and surfaced in the `no-ascent` failure shape. **SD-JWT VC verify** (`b.auth.sdJwtVc.verify`): three correctness fixes. (1) `_sd_alg` default switched from `sha3-512` to `sha-256` per IETF draft §4.1.1 — prior default broke verification against spec-conformant issuers when the issuer omitted `_sd_alg`. (2) Disclosure-replay defense: every disclosure digest tracked in a Set; second occurrence of the same digest refuses with `auth-sd-jwt-vc/disclosure-replay`. (3) Claim-shadowing defense: holder-supplied disclosures whose name collides with an issuer-signed top-level claim (`iss`, `sub`, `aud`, `iat`, `nbf`, `exp`, `jti`, `vct`, `cnf`, `_sd`, `_sd_alg`, `status`) refuse with `auth-sd-jwt-vc/protected-claim-shadow` instead of silently overwriting the signed value. (4) KB-JWT `sd_hash` now uses the credential's declared `_sd_alg` (was hardcoded sha256, breaking against issuers using sha3-512); `sd_hash` compare routed through `b.crypto.timingSafeEqual`. **OAuth `verifyIdToken`** (`b.auth.oauth.verifyIdToken`): three hardening fixes that bring the verifier to parity with the framework's other JWS verifiers. (1) `nodeCrypto.verify` wrapped in try/catch — previously panicked on key/sig shape mismatch (e.g. ES256 sig against an RS256 key returned by a buggy IdP with duplicate kids), bubbling a raw `Error` to the operator's handler instead of an `OAuthError`. (2) RFC 7515 §4.1.11 `crit` header refusal — every sibling verifier (`b.auth.jwt`, `b.auth.jwt.verifyExternal`, `b.auth.dpop`) refuses; verifyIdToken previously silently ignored, letting an attacker-controlled OP ship critical extensions the verifier doesn't understand. (3) `state` and `nonce` claim compares routed through `b.crypto.timingSafeEqual` — these are CSRF / replay tokens compared against attacker-controlled callback / payload data.

package/lib/auth/jwt-external.js

@@ -187,7 +187,7 @@ async function _fetchJwks(uri, cacheMs) {
   }, cacheMs || DEFAULT_JWKS_CACHE_MS);
 }
 
-function _selectKey(keys, header) {
+function _selectKey(keys, header, vopts) {
   if (!Array.isArray(keys) || keys.length === 0) {
     throw new AuthError("auth-jwt-external/no-jwks-keys",
       "JWKS source has no keys");
@@ -199,9 +199,18 @@ function _selectKey(keys, header) {
     throw new AuthError("auth-jwt-external/no-matching-kid",
       "no JWKS key matches header.kid='" + header.kid + "'");
   }
-  if (keys.length === 1) return keys[0];
+  // Refuse kid-less tokens by default (audit 2026-05-11). JWKS
+  // rotation creates a window where the rotated-out key is still
+  // cached but the rotated-in key is already published; an
+  // attacker shipping a kid-less token gets the lone-key path
+  // during that window. Modern IdPs always emit kid. Operators
+  // with non-conforming issuers opt in via vopts.allowKidlessJwks
+  // = true (logged via the caller's audit hook).
+  if (keys.length === 1 && vopts && vopts.allowKidlessJwks === true) return keys[0];
   throw new AuthError("auth-jwt-external/kid-required",
-    "JWKS has " + keys.length + " keys but token header has no kid");
+    "JWKS has " + keys.length + " key(s) but token header has no kid — " +
+    "framework refuses kid-less tokens to defend against JWKS-rotation " +
+    "key-pick attacks (pass vopts.allowKidlessJwks: true to opt out)");
 }
 
 // ---- public surface ----
@@ -304,7 +313,7 @@ async function verifyExternal(token, opts) {
   } else {
     var keys = opts.jwks ? opts.jwks
                          : await _fetchJwks(opts.jwksUri, opts.jwksCacheMs);
-    var jwk = _selectKey(keys, header);
+    var jwk = _selectKey(keys, header, opts);
     key = _jwkToKey(jwk);
   }
 

package/lib/auth/oauth.js

@@ -898,7 +898,14 @@ function create(opts) {
       expiresIn:    raw.expires_in || null,
       refreshToken: raw.refresh_token || null,
       idToken:      raw.id_token || null,
-      scope:        raw.scope ? raw.scope.split(/\s+/) : scope.slice(),
+      // RFC 6749 §3.3 — scope is space-separated, ONLY U+0020.
+      // `\s+` previously matched U+0085 NEL, U+00A0 NBSP, etc., so a
+      // hostile AS returning `scope: "admin<NEL>read"` would
+      // surface as `["admin", "read"]` and the operator's scope
+      // allowlist saw two distinct scopes. Spec-strict split on
+      // single-space + reject scope tokens that contain non-token
+      // chars. (Audit 2026-05-11.)
+      scope:        raw.scope ? raw.scope.split(" ").filter(function (s) { return s.length > 0; }) : scope.slice(),
       raw:          raw,
     };
     if (tokens.idToken && isOidc) {
@@ -968,12 +975,29 @@ function create(opts) {
       for (var i = 0; i < keys.length; i++) {
         if (keys[i].kid === header.kid) { match = keys[i]; break; }
       }
-    } else if (keys.length === 1) {
-      match = keys[0];
     }
+    // Pre-v0.9.4 fell back to keys[0] when the token carried NO kid
+    // and the JWKS had exactly one key. This is a latent vector
+    // during JWKS rotation: an attacker who can ship a kid-less
+    // token gets the lone key during the window the rotated-out
+    // key was still cached at the IdP but the rotated-in key is
+    // already published. Refuse kid-less tokens unconditionally —
+    // every modern IdP includes kid; absent kid is a spec smell.
+    // (Audit 2026-05-11.) Operators with non-conforming IdPs that
+    // genuinely emit kid-less tokens can opt out via
+    // vopts.allowKidlessJwks = true with a logged warning.
     if (!match) {
-      throw new OAuthError("auth-oauth/no-matching-key",
-        "no JWKS key matches header.kid='" + header.kid + "'");
+      if (!header.kid && keys.length === 1 && vopts.allowKidlessJwks === true) {
+        match = keys[0];
+      } else {
+        throw new OAuthError("auth-oauth/no-matching-key",
+          header.kid
+            ? "no JWKS key matches header.kid='" + header.kid + "'"
+            : "ID token has no kid header; framework refuses kid-less " +
+              "tokens to defend against JWKS-rotation key-pick attacks " +
+              "(pass vopts.allowKidlessJwks: true to opt out if your IdP " +
+              "genuinely emits kid-less tokens)");
+      }
     }
     var keyObject = _jwkToKey(match);
     var params = _verifyParamsForAlg(header.alg);

package/lib/middleware/dpop.js

@@ -102,12 +102,33 @@ function _nonceManager(rotateSec) {
   };
 }
 
-function _reconstructHtu(req) {
+function _reconstructHtu(req, mopts) {
   // The proof's htu is the request URI WITHOUT query/fragment. Behind
   // a reverse proxy the operator may need to override via opts.htu /
-  // opts.getHtu — defaults read X-Forwarded-* if present.
-  var proto = req.headers["x-forwarded-proto"] || (req.socket && req.socket.encrypted ? "https" : "http");
-  var host = req.headers["x-forwarded-host"] || req.headers.host;
+  // opts.getHtu. X-Forwarded-* headers are ATTACKER-CONTROLLED when
+  // the origin is reachable directly; an attacker who can hit the
+  // origin while spoofing X-Forwarded-Proto: https can trick this
+  // function into building an `https` htu that the DPoP proof was
+  // signed for — when the origin is actually serving HTTP. RFC 9449
+  // §4.3 says htu MUST be the absolute URL the request was sent to.
+  //
+  // Default: ignore X-Forwarded-* and derive proto/host from the
+  // socket. Operators with a confirmed-trusted front proxy opt in
+  // via opts.trustForwardedHeaders: true. (Audit 2026-05-11.)
+  mopts = mopts || {};
+  var trustForwarded = mopts.trustForwardedHeaders === true;
+  var proto;
+  if (trustForwarded && req.headers["x-forwarded-proto"]) {
+    proto = String(req.headers["x-forwarded-proto"]).split(",")[0].trim();
+  } else {
+    proto = req.socket && req.socket.encrypted ? "https" : "http";
+  }
+  var host;
+  if (trustForwarded && req.headers["x-forwarded-host"]) {
+    host = String(req.headers["x-forwarded-host"]).split(",")[0].trim();
+  } else {
+    host = req.headers.host;
+  }
   if (!host) return null;
   var path = req.url || "/";
   var qIdx = path.indexOf("?");
@@ -217,7 +238,7 @@ function create(opts) {
         "multiple DPoP headers are not allowed");
     }
 
-    var htu = (typeof opts.getHtu === "function" ? opts.getHtu(req) : _reconstructHtu(req));
+    var htu = (typeof opts.getHtu === "function" ? opts.getHtu(req) : _reconstructHtu(req, opts));
     if (!htu) {
       return _writeUnauthorized(res, "invalid_dpop_proof", "could not reconstruct htu");
     }

package/lib/network-tls.js

@@ -1103,7 +1103,14 @@ function evaluateOcspResponse(ocspDer, opts) {
       return { ok: false, status: parsed.status, signatureValid: true,
                errors: ["OCSP response missing nonce extension (expected for replay defense)"] };
     }
-    if (!parsed.basic.nonce.equals(opts.expectedNonce)) {
+    // Constant-time compare — module-wide consistency with the
+    // Merkle-root / NTS-cookie / cert-fingerprint paths that already
+    // use timingSafeEqual. Buffer.equals is constant-time on equal-
+    // length inputs but fast-paths on length mismatch; not security-
+    // critical here (the OCSP response is CA-signed and signature
+    // already verified) but matches the project discipline.
+    // (Audit 2026-05-11.)
+    if (!blamejsCrypto.timingSafeEqual(parsed.basic.nonce, opts.expectedNonce)) {
       return { ok: false, status: parsed.status, signatureValid: true,
                errors: ["OCSP nonce mismatch — possible replay or wrong responder"] };
     }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.9.3",
+  "version": "0.9.4",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:f34cb19c-6c49-42cb-80d5-8727b4fb0f86",
+  "serialNumber": "urn:uuid:9ba09f74-5c33-44b9-b39c-b6016b2073d8",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-12T00:20:11.455Z",
+    "timestamp": "2026-05-12T00:48:11.880Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.9.3",
+      "bom-ref": "@blamejs/core@0.9.4",
       "type": "library",
       "name": "blamejs",
-      "version": "0.9.3",
+      "version": "0.9.4",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.9.3",
+      "purl": "pkg:npm/%40blamejs/core@0.9.4",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.9.3",
+      "ref": "@blamejs/core@0.9.4",
       "dependsOn": []
     }
   ]