@blamejs/core 0.9.3 → 0.9.5

package/CHANGELOG.md

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 
 ## v0.9.x
 
+- v0.9.5 (2026-05-12) — **Fix-up for v0.9.3 + v0.9.4 audit-derived primitives** (five reported reachability/contract bugs). (1) **`b.middleware.dpop` `trustForwardedHeaders` was unreachable** — the v0.9.4 X-Forwarded-* trust gate added the option to `_reconstructHtu` but the `create()` validateOpts whitelist still rejected unknown keys. Operators behind a trusted reverse proxy got `unknown-option` instead of the documented opt-in, leaving valid DPoP proofs failing htu matching. The whitelist now includes `trustForwardedHeaders`. (2) **`b.auth.jwt.verifyExternal` `allowKidlessJwks` was unreachable** — same shape, fixed the same way. (3) **OAuth `allowKidlessJwks` didn't reach token-exchange flows** — pre-v0.9.5 the opt was per-`verifyIdToken`-call, but `_normalizeTokens()` (called from `exchangeCode` / `pollDeviceCode` / `exchangeToken` / `refreshAccessToken`) passed a reduced `{ nonce, skipNonceCheck }` shape that dropped the operator opt. Surface promoted to client-level: pass `b.auth.oauth.create({ allowKidlessJwks: true })` once and it threads through every code path that lands on the verifier. The per-call `vopts.allowKidlessJwks` continues to work for direct `verifyIdToken` callers. (4) **`b.auth.oauth.refreshAccessToken` `checkAndInsert` return-value contract inverted** — pre-v0.9.5 interpreted `true` as "already seen → replay" but the framework-wide `checkAndInsert` contract (`b.nonceStore`, `b.auth.jwt`) is the opposite: `true` = unseen-and-now-inserted (first sighting), `false` = already-present (replay). Operators reusing an existing `b.nonceStore`-style backend got every first refresh attempt rejected as token theft, breaking normal refresh flows. The handler now normalizes `inserted === false` → `alreadySeen = true`, consistent with the rest of the framework. (5) **`b.auth.ciba` `_intervalState` memory leak on error paths** — pre-v0.9.5 entries were only deleted on successful token issuance; denied / expired auth requests, and ping/push delivery modes that never call `pollToken` successfully, left permanent entries causing unbounded growth in long-running processes. Now entries carry an `expireAtMs` derived from the IdP-supplied `expires_in` of the auth_req_id, and an opportunistic sweep runs on every `_registerInitialInterval` call (no separate timer needed). Terminal CIBA errors (`expired_token` / `access_denied` / `invalid_grant` / `transaction_failed`) also delete the entry immediately on the error path.
+- v0.9.4 (2026-05-12) — **Audit hardening slice 4: kid-less JWKS lookup refusal + OCSP nonce CT compare + OAuth scope strict-split + DPoP `X-Forwarded-Proto` trust gate**. Closes the remaining MEDIUM-tier findings from the 2026-05-11 auth audit. **`b.auth.oauth.verifyIdToken` + `b.auth.jwt.verifyExternal` kid-less JWKS lookup refusal** — pre-v0.9.4 both verifiers fell back to `keys[0]` when the token carried NO `kid` and the JWKS had exactly one key. This is a latent vector during JWKS rotation: an attacker shipping a kid-less token gets the lone-key path during the window the rotated-out key is still cached at the IdP but the rotated-in key is already published. Every modern IdP includes `kid`; the framework now refuses kid-less tokens unconditionally. Operators with non-conforming IdPs that genuinely emit kid-less tokens opt out via `vopts.allowKidlessJwks: true`. **`b.network.tls` OCSP nonce constant-time compare** — `evaluateOcspResponse`'s `expectedNonce` match migrated from `Buffer.equals` to `b.crypto.timingSafeEqual` for module-wide consistency with the Merkle-root / NTS-cookie / cert-fingerprint paths that already use `timingSafeEqual`. **`b.auth.oauth` scope strict whitespace split** — RFC 6749 §3.3 says `scope` is space-separated, ONLY `U+0020`. Pre-v0.9.4 `raw.scope.split(/\s+/)` matched U+0085 NEL, U+00A0 NBSP, etc., so a hostile AS returning `scope: "admin<NEL>read"` would surface as `["admin", "read"]` and the operator's scope allowlist saw two distinct scopes. Now splits on single-space only; empty pieces filtered out. **`b.middleware.dpop` `X-Forwarded-*` trust gate** — `_reconstructHtu` previously read `X-Forwarded-Proto` / `X-Forwarded-Host` unconditionally; an attacker who can hit the origin directly while spoofing `X-Forwarded-Proto: https` could trick the middleware into building an `https` htu that the DPoP proof was signed for, when the origin is actually serving HTTP (RFC 9449 §4.3 says the htu MUST be the absolute URL the request was sent to). The default now derives proto/host from the socket; operators with a confirmed-trusted front proxy opt in via `opts.trustForwardedHeaders: true`.
 - v0.9.3 (2026-05-11) — **Audit hardening slice 3: OAuth + OID4VCI + OID4VP + CIBA + constant-time-compare migrations**. Continues the 2026-05-11 auth audit follow-through. **`b.auth.oauth.refreshAccessToken` atomic check-and-insert** — new `ropts.checkAndInsert(token, expireAtMs)` callback contract replaces the previous `ropts.seen(token)` check-then-act race. Two concurrent refresh requests on the same event-loop tick could both see `seen === false` and both POST to the token endpoint, neither flagging the replay; the new contract requires an atomic test-and-set (Redis SETNX, DB INSERT ON CONFLICT) and is the OAuth 2.1 §6.1 / RFC 9700 §4.13 one-time-use defense surfacing the actual race window. Legacy `seen` callback continues to work for backwards-compat with operator code; the docstring documents the race + recommends migration to `checkAndInsert`. **`b.auth.oid4vci` constant-time compares** — pre-auth `tx_code` hash compare (was `!==` on sha3 hex) and proof-JWT `c_nonce` compare (was `!==` on attacker-supplied wallet payload) both route through `b.crypto.timingSafeEqual`. **`b.auth.oid4vp` per-presentation `vct` enforcement** — DCQL filters with 2+ `vct_values` entries previously bypassed vct validation entirely (the framework only set `expectedVct` when the filter pinned to a single value). Verifier now validates the presented vct against the DCQL filter list manually when length > 1; refuses with `vp_token['<id>'][<n>] vct '<presented>' is not in DCQL vct_values [...]` on over-disclosure. **`b.auth.ciba` slow_down honoring** — CIBA §11.3 requires the client to increase its polling interval by at least 5s on every `slow_down` response. Pre-v0.9.3 the framework client never bumped, leaving operators to do their own interval bookkeeping. Now `pollToken()` tracks per-`authReqId` interval state internally (Map keyed by authReqId, seeded from `startAuthentication`'s response, cleared on token issuance), bumps by `max(5s, IdP-suggested interval) <= MAX_INTERVAL_SEC` on every slow_down, and attaches the next-suggested interval to the thrown `auth-ciba/slow_down` error as `err.nextIntervalSec` so operators read a spec-correct back-off without manual bookkeeping. **`b.auth.ciba` notification-token entropy** — `clientNotificationToken` now refuses < 32 chars per CIBA §7.1.2's opaque-hard-to-guess requirement. Pre-v0.9.3 a 4-char token passed. **`b.auth.ciba.parseNotification` constant-time compare** — bearer-token hash compare migrated from `!==` to `b.crypto.timingSafeEqual` (both sides are fixed-width sha3-512 hex strings; defense-in-depth even though equal-length JS string compare is already widely understood as constant-time on V8).
 - v0.9.2 (2026-05-11) — **Audit hardening slice 2: WebAuthn + FIDO MDS3 + NIST AAL**. Continues the 2026-05-11 auth surface audit follow-through. **`b.auth.passkey.verifyAuthentication` counter-regression bypass fix** — pre-v0.9.2 the wrapper coerced `opts.credential.counter || 0`, silently zeroing an `undefined` / `null` / `NaN` counter and defeating CTAP 2.1 clone-detection on credentials whose stored counter was > 0. An operator deserializing the credential from a column that lost the counter would unknowingly accept a cloned authenticator. The wrapper now refuses `undefined` / `null` (operators MUST persist whatever the vendor returned at registration; first-time-stored credentials carry counter:0 explicitly) and rejects any non-integer / non-finite / negative value with `auth-passkey/bad-counter`. **`b.auth.passkey` multi-origin support** — `expectedOrigin` now accepts `string` OR `string[]` on both `verifyRegistration` and `verifyAuthentication`. Pre-v0.9.2 the wrapper enforced a single string only, blocking multi-origin deployments (web + admin-subdomain) from sharing one verifier; SimpleWebAuthn natively supports arrays. **`b.auth.passkey` prototype-pollution fix** — `ALLOWED_MEDIATION` lookup changed from `{...}[opts.mediation]` to `hasOwnProperty.call(ALLOWED_MEDIATION, opts.mediation)` with a null-prototype map. Pre-v0.9.2 a caller passing `mediation: "__proto__"` / `"constructor"` truthy-matched an inherited Object.prototype property and slipped past the allowlist into `generateAuthenticationOptions`. **`b.auth.aal.fromMethods` UV requirement for AAL3** — per NIST SP 800-63-4 §5.1.7, WebAuthn / passkey satisfies AAL3 (MF-CRYPT) only when user verification was performed on the assertion. Pre-v0.9.2 `fromMethods({ webauthn: true })` returned `AAL3` unconditionally; operators using `userVerification: "preferred"` whose authenticator skipped UV landed in AAL3 despite not satisfying the spec's MF requirement. The caller now passes `uv: true` (sourced from the vendor's authData UV bit) to claim AAL3 with webauthn alone; without `uv`, webauthn alone caps at AAL2 (SF-CRYPT). Combination paths (`webauthn + password` / `webauthn + pin`) reach AAL3 regardless of UV (the memorized secret provides the second factor independently). **`b.auth.fidoMds3.verifyAuthenticator` fail-closed default + new opts** — pre-v0.9.2 unknown AAGUIDs returned `{ ok: true, reason: "aaguid-not-in-blob" }`, silently trusting any authenticator the metadata service hadn't yet listed (rogue / pre-certification / fake hardware). Now fails closed by default; operators wanting the legacy fail-open behavior (test fixtures, pre-certification pilot rollouts) pass `opts.allowUnknownAaguid: true` explicitly. **`b.auth.fidoMds3.parseBlob` stale-BLOB refusal** — refuses BLOB payloads whose `nextUpdate` is already in the past (FIDO MDS3 §3.1.7). Pre-v0.9.2 the staleness was floored to `MIN_CACHE_TTL_MS` but the BLOB was still served, letting an attacker pin operators to a revoked-authenticator-list-frozen-at-X by serving an ancient signed-but-expired BLOB. **`b.auth.fidoMds3.REFUSE_STATUS`** — added `ATTESTATION_KEY_COMPROMISE` per FIDO MDS3 §3.1.4. Pre-v0.9.2 this status was silently accepted; manufacturer batch-signing-key compromise affects every credential attested under that key.
 - v0.9.1 (2026-05-11) — **Audit hardening, slice 1 of N: federation auth + OAuth ID-token verifier**. Audit run after v0.9.0 across OAuth / SAML / OIDC federation / SD-JWT VC / WebAuthn / FIDO MDS3 / constant-time-compare surfaces; this slice closes the highest-severity SAML + OIDC + SD-JWT + OAuth findings. **SAML SP** (`b.auth.saml.sp.create({...}).buildAuthnRequest` + `.metadata`): every operator-supplied URL / ID interpolated into the emitted XML now routes through `b.xmlC14n.escapeAttrValue` / `escapeText`. Pre-v0.9.1 a `"` or `<` in `idpSsoUrl` / `assertionConsumerServiceUrl` / `entityId` / `nameIdFormat` broke out of attribute / element context and produced unsigned-XML breakout into the IdP redirect. Newly exported `b.xmlC14n.escapeAttrValue(s)` and `b.xmlC14n.escapeText(s)` — RFC 3741 §1.3.x compliant; available for any operator emitting XML alongside the framework's own SAML / canonicalization paths. **SAML SP `verifyResponse`**: digest compare on `Reference DigestValue` and `SubjectConfirmation InResponseTo` now use `b.crypto.timingSafeEqual` instead of `Buffer.compare` / `!==`. **SAML XSW defense**: refuses Response payloads that carry duplicate `<Status>`, `<StatusCode>`, `<Assertion>`, `<Subject>`, or `<NameID>` children — XML signature wrapping attacks ferry an unsigned sibling next to a signed element and exploit first-match parsers; the verifier now asserts single-child cardinality on every security-critical element via `_findAllChildren(...).length === 1`. **OIDC federation** (`b.auth.openidFederation.verifyEntityStatement`): JWK key-type cross-check against the JWS `alg` header BEFORE `nodeCrypto.createPublicKey` — an attacker-controlled entity-config declaring `alg: "ES256"` while supplying an RSA JWK would previously load through Node's silent algorithm-vs-key coercion path. Now refuses with `auth-openid-federation/alg-kty-mismatch` for any `alg=ES*` not paired with `kty=EC`, `alg=PS*`/`RS*` not paired with `RSA`, or `alg=EdDSA` not paired with `OKP`. **`b.auth.openidFederation.buildTrustChain` error-masking**: trust-chain ascent previously swallowed every per-authority failure via `catch (_e) {}` and continued to the next `authority_hint`; signature-failure errors from one authority no longer mask, the chain now refuses on cryptographic refusal (`bad-jwk`, `alg-kty-mismatch`, `bad-signature`, `signature-failed`). Network / 404 / iss-sub-mismatch errors still continue to the next hint but are collected and surfaced in the `no-ascent` failure shape. **SD-JWT VC verify** (`b.auth.sdJwtVc.verify`): three correctness fixes. (1) `_sd_alg` default switched from `sha3-512` to `sha-256` per IETF draft §4.1.1 — prior default broke verification against spec-conformant issuers when the issuer omitted `_sd_alg`. (2) Disclosure-replay defense: every disclosure digest tracked in a Set; second occurrence of the same digest refuses with `auth-sd-jwt-vc/disclosure-replay`. (3) Claim-shadowing defense: holder-supplied disclosures whose name collides with an issuer-signed top-level claim (`iss`, `sub`, `aud`, `iat`, `nbf`, `exp`, `jti`, `vct`, `cnf`, `_sd`, `_sd_alg`, `status`) refuse with `auth-sd-jwt-vc/protected-claim-shadow` instead of silently overwriting the signed value. (4) KB-JWT `sd_hash` now uses the credential's declared `_sd_alg` (was hardcoded sha256, breaking against issuers using sha3-512); `sd_hash` compare routed through `b.crypto.timingSafeEqual`. **OAuth `verifyIdToken`** (`b.auth.oauth.verifyIdToken`): three hardening fixes that bring the verifier to parity with the framework's other JWS verifiers. (1) `nodeCrypto.verify` wrapped in try/catch — previously panicked on key/sig shape mismatch (e.g. ES256 sig against an RS256 key returned by a buggy IdP with duplicate kids), bubbling a raw `Error` to the operator's handler instead of an `OAuthError`. (2) RFC 7515 §4.1.11 `crit` header refusal — every sibling verifier (`b.auth.jwt`, `b.auth.jwt.verifyExternal`, `b.auth.dpop`) refuses; verifyIdToken previously silently ignored, letting an attacker-controlled OP ship critical extensions the verifier doesn't understand. (3) `state` and `nonce` claim compares routed through `b.crypto.timingSafeEqual` — these are CSRF / replay tokens compared against attacker-controlled callback / payload data.

package/lib/auth/ciba.js

@@ -51,6 +51,7 @@
  *   alongside CIBA all share one set of audited credentials).
  */
 
+var C            = require("../constants");
 var lazyRequire  = require("../lazy-require");
 var validateOpts = require("../validate-opts");
 var safeJson     = require("../safe-json");
@@ -381,7 +382,7 @@ function create(opts) {
     // Seed the per-authReqId interval tracker so pollToken's
     // slow_down handler bumps from the IdP-supplied starting point
     // (CIBA §11.3 minimum-5s bump on every slow_down response).
-    _registerInitialInterval(rv.auth_req_id, interval);
+    _registerInitialInterval(rv.auth_req_id, interval, expiresIn);
 
     _emitAudit("start", "success", {
       authReqIdHash: sha3Hash("auth-ciba:" + rv.auth_req_id),
@@ -418,10 +419,37 @@ function create(opts) {
   // `slow_down` response. The framework client now maintains this
   // state internally so operators reading `err.nextIntervalSec` get
   // a spec-correct back-off without rolling their own counter.
-  var _intervalState = new Map();   // authReqId → current interval sec
+  // Map values are `{ interval, expireAtMs }`; entries TTL out at
+  // the per-authReqId expiry (startAuthentication's expiresIn). A
+  // periodic sweep + on-touch lazy purge prevent unbounded growth
+  // when authentication requests are denied / expire / never
+  // pollToken'd (e.g. ping/push delivery modes where the IdP
+  // notifies the RP and pollToken is never called).
+  var _intervalState = new Map();
 
-  function _registerInitialInterval(authReqId, intervalSec) {
-    _intervalState.set(authReqId, intervalSec);
+  function _purgeExpiredIntervals(nowMs) {
+    var iter = _intervalState.entries();
+    var step = iter.next();
+    while (!step.done) {
+      var pair = step.value;
+      if (pair[1].expireAtMs <= nowMs) _intervalState.delete(pair[0]);
+      step = iter.next();
+    }
+  }
+
+  function _registerInitialInterval(authReqId, intervalSec, expiresInSec) {
+    var nowMs = Date.now();
+    // Opportunistic sweep at every register so the cleanup runs
+    // on the same code path as growth — no separate timer.
+    _purgeExpiredIntervals(nowMs);
+    _intervalState.set(authReqId, {
+      interval:   intervalSec,
+      // expireAtMs derived from the IdP's expires_in (the lifetime
+      // of the auth-req-id itself). Once the auth-req-id expires
+      // the entry can be purged regardless of whether pollToken
+      // succeeded.
+      expireAtMs: nowMs + C.TIME.seconds(expiresInSec),
+    });
   }
 
   async function pollToken(popts) {
@@ -458,7 +486,8 @@ function create(opts) {
       // honor that when >= current + 5, otherwise enforce the
       // minimum 5s bump.
       if (err && err.code === "auth-ciba/slow_down") {
-        var current = _intervalState.get(popts.authReqId) || DEFAULT_INTERVAL_SEC;
+        var entry = _intervalState.get(popts.authReqId);
+        var current = entry ? entry.interval : DEFAULT_INTERVAL_SEC;
         var idpSuggested = err.cibaError && typeof err.cibaError.interval === "number"
           ? err.cibaError.interval : null;
         var next = current + 5;                                                                 // allow:raw-time-literal — §11.3 mandates +5s minimum
@@ -466,8 +495,20 @@ function create(opts) {
           next = idpSuggested;
         }
         if (next > MAX_INTERVAL_SEC) next = MAX_INTERVAL_SEC;
-        _intervalState.set(popts.authReqId, next);
+        if (entry) {
+          _intervalState.set(popts.authReqId, { interval: next, expireAtMs: entry.expireAtMs });
+        }
         err.nextIntervalSec = next;
+      } else if (err && (
+        err.code === "auth-ciba/expired_token" ||
+        err.code === "auth-ciba/access_denied" ||
+        err.code === "auth-ciba/invalid_grant" ||
+        err.code === "auth-ciba/transaction_failed")) {
+        // Terminal CIBA errors (RFC §13) — the auth_req_id is now
+        // dead. Clear the per-authReqId interval entry so it
+        // doesn't leak when the operator stops polling. (Reported
+        // 2026-05-12.)
+        _intervalState.delete(popts.authReqId);
       }
       throw err;
     }

package/lib/auth/jwt-external.js

@@ -187,7 +187,7 @@ async function _fetchJwks(uri, cacheMs) {
   }, cacheMs || DEFAULT_JWKS_CACHE_MS);
 }
 
-function _selectKey(keys, header) {
+function _selectKey(keys, header, vopts) {
   if (!Array.isArray(keys) || keys.length === 0) {
     throw new AuthError("auth-jwt-external/no-jwks-keys",
       "JWKS source has no keys");
@@ -199,9 +199,18 @@ function _selectKey(keys, header) {
     throw new AuthError("auth-jwt-external/no-matching-kid",
       "no JWKS key matches header.kid='" + header.kid + "'");
   }
-  if (keys.length === 1) return keys[0];
+  // Refuse kid-less tokens by default (audit 2026-05-11). JWKS
+  // rotation creates a window where the rotated-out key is still
+  // cached but the rotated-in key is already published; an
+  // attacker shipping a kid-less token gets the lone-key path
+  // during that window. Modern IdPs always emit kid. Operators
+  // with non-conforming issuers opt in via vopts.allowKidlessJwks
+  // = true (logged via the caller's audit hook).
+  if (keys.length === 1 && vopts && vopts.allowKidlessJwks === true) return keys[0];
   throw new AuthError("auth-jwt-external/kid-required",
-    "JWKS has " + keys.length + " keys but token header has no kid");
+    "JWKS has " + keys.length + " key(s) but token header has no kid — " +
+    "framework refuses kid-less tokens to defend against JWKS-rotation " +
+    "key-pick attacks (pass vopts.allowKidlessJwks: true to opt out)");
 }
 
 // ---- public surface ----
@@ -218,6 +227,10 @@ async function verifyExternal(token, opts) {
   validateOpts(opts, [
     "algorithms", "jwks", "jwksUri", "jwksCacheMs", "keyResolver",
     "audience", "issuer", "subject", "clockSkewMs",
+    // v0.9.4 — opt-out for the kid-less-token JWKS-of-one refusal
+    // (default refuses; non-conforming IdPs that emit kid-less tokens
+    // set this true). Audit 2026-05-11.
+    "allowKidlessJwks",
   ], "auth.jwt.verifyExternal");
 
   if (!Array.isArray(opts.algorithms) || opts.algorithms.length === 0) {
@@ -304,7 +317,7 @@ async function verifyExternal(token, opts) {
   } else {
     var keys = opts.jwks ? opts.jwks
                          : await _fetchJwks(opts.jwksUri, opts.jwksCacheMs);
-    var jwk = _selectKey(keys, header);
+    var jwk = _selectKey(keys, header, opts);
     key = _jwkToKey(jwk);
   }
 

package/lib/auth/oauth.js

@@ -334,6 +334,14 @@ function create(opts) {
   var allowInternal    = opts.allowInternal != null ? opts.allowInternal : null; // localhost dev opt-in (SSRF gate)
   var httpClientOpts   = opts.httpClient || {};
   var responseMode     = opts.responseMode || null;
+  // v0.9.5 — client-level opt-out for the kid-less JWKS-of-one
+  // refusal added in v0.9.4. Surfaced at the create() level (not
+  // per-verifyIdToken-call) so it threads through every code path
+  // that lands on verifyIdToken — _normalizeTokens for exchangeCode
+  // / pollDeviceCode / exchangeToken / refreshAccessToken, JARM
+  // wrapper, and the public verifyIdToken entry point. Operators
+  // with non-conforming IdPs set this once at client construction.
+  var allowKidlessJwks = opts.allowKidlessJwks === true;
 
   if (!clientId) {
     throw new OAuthError("auth-oauth/no-client-id", "create: opts.clientId is required");
@@ -566,23 +574,31 @@ function create(opts) {
     // check ran via `ropts.seen(token)` which was a check-then-act
     // race: two concurrent refresh requests landed on the same
     // event-loop tick could both see `seen === false` and both POST
-    // to the token endpoint, neither flagging the replay. The new
-    // contract is `ropts.checkAndInsert(token, expireAtMs)` which
-    // MUST atomically test-and-set: returns true if the token was
-    // ALREADY in the store (replay) and false if it just inserted
-    // the token. The legacy `seen` callback continues to work for
-    // backward compatibility but emits a deprecation warning.
+    // to the token endpoint, neither flagging the replay. The
+    // framework-wide checkAndInsert contract (lib/nonce-store.js,
+    // lib/auth/jwt.js) is: returns `true` when the value was UNSEEN
+    // and is now recorded (first sighting); returns `false` when
+    // already present (replay). The legacy `seen` callback returned
+    // the opposite (true means seen-already); both surfaces are
+    // supported but normalize to a single `alreadySeen` boolean
+    // below.
     var alreadySeen = false;
     if (typeof ropts.checkAndInsert === "function") {
       var nowMs = Date.now();
       // 24h max refresh-token TTL — operators with shorter TTLs
       // should configure their store's own expiry policy.
       var expireAtMs = nowMs + C.TIME.hours(24);
-      try { alreadySeen = await ropts.checkAndInsert(refreshToken, expireAtMs); }
+      var inserted;
+      try { inserted = await ropts.checkAndInsert(refreshToken, expireAtMs); }
       catch (e) {
         throw new OAuthError("auth-oauth/seen-callback-failed",
           "refreshAccessToken: checkAndInsert() callback threw: " + ((e && e.message) || String(e)));
       }
+      // Spec contract: inserted===true → first sighting (OK);
+      // inserted===false → replay. v0.9.3 had this inverted, which
+      // broke every first refresh attempt for operators reusing an
+      // existing b.nonceStore-style backend. (Reported 2026-05-12.)
+      alreadySeen = inserted === false;
     } else if (typeof ropts.seen === "function") {
       // Legacy non-atomic path. Documented as a check-then-act race;
       // operators sharing a single-writer store (Redis SETNX, DB
@@ -898,7 +914,14 @@ function create(opts) {
       expiresIn:    raw.expires_in || null,
       refreshToken: raw.refresh_token || null,
       idToken:      raw.id_token || null,
-      scope:        raw.scope ? raw.scope.split(/\s+/) : scope.slice(),
+      // RFC 6749 §3.3 — scope is space-separated, ONLY U+0020.
+      // `\s+` previously matched U+0085 NEL, U+00A0 NBSP, etc., so a
+      // hostile AS returning `scope: "admin<NEL>read"` would
+      // surface as `["admin", "read"]` and the operator's scope
+      // allowlist saw two distinct scopes. Spec-strict split on
+      // single-space + reject scope tokens that contain non-token
+      // chars. (Audit 2026-05-11.)
+      scope:        raw.scope ? raw.scope.split(" ").filter(function (s) { return s.length > 0; }) : scope.slice(),
       raw:          raw,
     };
     if (tokens.idToken && isOidc) {
@@ -968,12 +991,39 @@ function create(opts) {
       for (var i = 0; i < keys.length; i++) {
         if (keys[i].kid === header.kid) { match = keys[i]; break; }
       }
-    } else if (keys.length === 1) {
-      match = keys[0];
     }
+    // Pre-v0.9.4 fell back to keys[0] when the token carried NO kid
+    // and the JWKS had exactly one key. This is a latent vector
+    // during JWKS rotation: an attacker who can ship a kid-less
+    // token gets the lone key during the window the rotated-out
+    // key was still cached at the IdP but the rotated-in key is
+    // already published. Refuse kid-less tokens unconditionally —
+    // every modern IdP includes kid; absent kid is a spec smell.
+    // (Audit 2026-05-11.) Operators with non-conforming IdPs that
+    // genuinely emit kid-less tokens can opt out via
+    // vopts.allowKidlessJwks = true with a logged warning.
     if (!match) {
-      throw new OAuthError("auth-oauth/no-matching-key",
-        "no JWKS key matches header.kid='" + header.kid + "'");
+      // Operator opt-out reads from EITHER the per-call vopts OR the
+      // client-level config — `_normalizeTokens` calls verifyIdToken
+      // with a reduced vopts ({ nonce, skipNonceCheck }), so a
+      // per-call opt would not reach the standard exchangeCode /
+      // pollDeviceCode / exchangeToken / refreshAccessToken flows.
+      // The client-level `create({ allowKidlessJwks: true })` fills
+      // that gap. (v0.9.5 follow-up to the v0.9.4 audit fix.)
+      var allowKidless = vopts.allowKidlessJwks === true || allowKidlessJwks;
+      if (!header.kid && keys.length === 1 && allowKidless) {
+        match = keys[0];
+      } else {
+        throw new OAuthError("auth-oauth/no-matching-key",
+          header.kid
+            ? "no JWKS key matches header.kid='" + header.kid + "'"
+            : "ID token has no kid header; framework refuses kid-less " +
+              "tokens to defend against JWKS-rotation key-pick attacks " +
+              "(pass `allowKidlessJwks: true` to b.auth.oauth.create() — " +
+              "client-level — if your IdP genuinely emits kid-less tokens; " +
+              "or vopts.allowKidlessJwks: true on a single verifyIdToken " +
+              "call)");
+      }
     }
     var keyObject = _jwkToKey(match);
     var params = _verifyParamsForAlg(header.alg);

package/lib/middleware/dpop.js

@@ -102,12 +102,33 @@ function _nonceManager(rotateSec) {
   };
 }
 
-function _reconstructHtu(req) {
+function _reconstructHtu(req, mopts) {
   // The proof's htu is the request URI WITHOUT query/fragment. Behind
   // a reverse proxy the operator may need to override via opts.htu /
-  // opts.getHtu — defaults read X-Forwarded-* if present.
-  var proto = req.headers["x-forwarded-proto"] || (req.socket && req.socket.encrypted ? "https" : "http");
-  var host = req.headers["x-forwarded-host"] || req.headers.host;
+  // opts.getHtu. X-Forwarded-* headers are ATTACKER-CONTROLLED when
+  // the origin is reachable directly; an attacker who can hit the
+  // origin while spoofing X-Forwarded-Proto: https can trick this
+  // function into building an `https` htu that the DPoP proof was
+  // signed for — when the origin is actually serving HTTP. RFC 9449
+  // §4.3 says htu MUST be the absolute URL the request was sent to.
+  //
+  // Default: ignore X-Forwarded-* and derive proto/host from the
+  // socket. Operators with a confirmed-trusted front proxy opt in
+  // via opts.trustForwardedHeaders: true. (Audit 2026-05-11.)
+  mopts = mopts || {};
+  var trustForwarded = mopts.trustForwardedHeaders === true;
+  var proto;
+  if (trustForwarded && req.headers["x-forwarded-proto"]) {
+    proto = String(req.headers["x-forwarded-proto"]).split(",")[0].trim();
+  } else {
+    proto = req.socket && req.socket.encrypted ? "https" : "http";
+  }
+  var host;
+  if (trustForwarded && req.headers["x-forwarded-host"]) {
+    host = String(req.headers["x-forwarded-host"]).split(",")[0].trim();
+  } else {
+    host = req.headers.host;
+  }
   if (!host) return null;
   var path = req.url || "/";
   var qIdx = path.indexOf("?");
@@ -163,6 +184,10 @@ function create(opts) {
     "replayStore", "algorithms", "iatWindowSec",
     "getAccessToken", "getNonce", "getHtu", "audit",
     "nonceStore", "nonceWindowSec", "nonceRotateSec", "requireNonce",
+    // v0.9.4 — opt-in trust gate for X-Forwarded-Proto/Host when
+    // reconstructing htu. Default off (audit 2026-05-11); operators
+    // with a confirmed-trusted front proxy set this to `true`.
+    "trustForwardedHeaders",
   ], "middleware.dpop");
 
   var auditOn = opts.audit !== false;
@@ -217,7 +242,7 @@ function create(opts) {
         "multiple DPoP headers are not allowed");
     }
 
-    var htu = (typeof opts.getHtu === "function" ? opts.getHtu(req) : _reconstructHtu(req));
+    var htu = (typeof opts.getHtu === "function" ? opts.getHtu(req) : _reconstructHtu(req, opts));
     if (!htu) {
       return _writeUnauthorized(res, "invalid_dpop_proof", "could not reconstruct htu");
     }

package/lib/network-tls.js

@@ -1103,7 +1103,14 @@ function evaluateOcspResponse(ocspDer, opts) {
       return { ok: false, status: parsed.status, signatureValid: true,
                errors: ["OCSP response missing nonce extension (expected for replay defense)"] };
     }
-    if (!parsed.basic.nonce.equals(opts.expectedNonce)) {
+    // Constant-time compare — module-wide consistency with the
+    // Merkle-root / NTS-cookie / cert-fingerprint paths that already
+    // use timingSafeEqual. Buffer.equals is constant-time on equal-
+    // length inputs but fast-paths on length mismatch; not security-
+    // critical here (the OCSP response is CA-signed and signature
+    // already verified) but matches the project discipline.
+    // (Audit 2026-05-11.)
+    if (!blamejsCrypto.timingSafeEqual(parsed.basic.nonce, opts.expectedNonce)) {
       return { ok: false, status: parsed.status, signatureValid: true,
                errors: ["OCSP nonce mismatch — possible replay or wrong responder"] };
     }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.9.3",
+  "version": "0.9.5",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:f34cb19c-6c49-42cb-80d5-8727b4fb0f86",
+  "serialNumber": "urn:uuid:851d345b-6891-4a75-bac3-11ec1478b08d",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-12T00:20:11.455Z",
+    "timestamp": "2026-05-12T03:03:37.327Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.9.3",
+      "bom-ref": "@blamejs/core@0.9.5",
       "type": "library",
       "name": "blamejs",
-      "version": "0.9.3",
+      "version": "0.9.5",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.9.3",
+      "purl": "pkg:npm/%40blamejs/core@0.9.5",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.9.3",
+      "ref": "@blamejs/core@0.9.5",
       "dependsOn": []
     }
   ]