@blamejs/core 0.9.4 → 0.9.5

package/CHANGELOG.md

@@ -8,6 +8,7 @@ upgrading across more than a few patches at a time.
 
 ## v0.9.x
 
+- v0.9.5 (2026-05-12) — **Fix-up for v0.9.3 + v0.9.4 audit-derived primitives** (five reported reachability/contract bugs). (1) **`b.middleware.dpop` `trustForwardedHeaders` was unreachable** — the v0.9.4 X-Forwarded-* trust gate added the option to `_reconstructHtu` but the `create()` validateOpts whitelist still rejected unknown keys. Operators behind a trusted reverse proxy got `unknown-option` instead of the documented opt-in, leaving valid DPoP proofs failing htu matching. The whitelist now includes `trustForwardedHeaders`. (2) **`b.auth.jwt.verifyExternal` `allowKidlessJwks` was unreachable** — same shape, fixed the same way. (3) **OAuth `allowKidlessJwks` didn't reach token-exchange flows** — pre-v0.9.5 the opt was per-`verifyIdToken`-call, but `_normalizeTokens()` (called from `exchangeCode` / `pollDeviceCode` / `exchangeToken` / `refreshAccessToken`) passed a reduced `{ nonce, skipNonceCheck }` shape that dropped the operator opt. Surface promoted to client-level: pass `b.auth.oauth.create({ allowKidlessJwks: true })` once and it threads through every code path that lands on the verifier. The per-call `vopts.allowKidlessJwks` continues to work for direct `verifyIdToken` callers. (4) **`b.auth.oauth.refreshAccessToken` `checkAndInsert` return-value contract inverted** — pre-v0.9.5 interpreted `true` as "already seen → replay" but the framework-wide `checkAndInsert` contract (`b.nonceStore`, `b.auth.jwt`) is the opposite: `true` = unseen-and-now-inserted (first sighting), `false` = already-present (replay). Operators reusing an existing `b.nonceStore`-style backend got every first refresh attempt rejected as token theft, breaking normal refresh flows. The handler now normalizes `inserted === false` → `alreadySeen = true`, consistent with the rest of the framework. (5) **`b.auth.ciba` `_intervalState` memory leak on error paths** — pre-v0.9.5 entries were only deleted on successful token issuance; denied / expired auth requests, and ping/push delivery modes that never call `pollToken` successfully, left permanent entries causing unbounded growth in long-running processes. Now entries carry an `expireAtMs` derived from the IdP-supplied `expires_in` of the auth_req_id, and an opportunistic sweep runs on every `_registerInitialInterval` call (no separate timer needed). Terminal CIBA errors (`expired_token` / `access_denied` / `invalid_grant` / `transaction_failed`) also delete the entry immediately on the error path.
 - v0.9.4 (2026-05-12) — **Audit hardening slice 4: kid-less JWKS lookup refusal + OCSP nonce CT compare + OAuth scope strict-split + DPoP `X-Forwarded-Proto` trust gate**. Closes the remaining MEDIUM-tier findings from the 2026-05-11 auth audit. **`b.auth.oauth.verifyIdToken` + `b.auth.jwt.verifyExternal` kid-less JWKS lookup refusal** — pre-v0.9.4 both verifiers fell back to `keys[0]` when the token carried NO `kid` and the JWKS had exactly one key. This is a latent vector during JWKS rotation: an attacker shipping a kid-less token gets the lone-key path during the window the rotated-out key is still cached at the IdP but the rotated-in key is already published. Every modern IdP includes `kid`; the framework now refuses kid-less tokens unconditionally. Operators with non-conforming IdPs that genuinely emit kid-less tokens opt out via `vopts.allowKidlessJwks: true`. **`b.network.tls` OCSP nonce constant-time compare** — `evaluateOcspResponse`'s `expectedNonce` match migrated from `Buffer.equals` to `b.crypto.timingSafeEqual` for module-wide consistency with the Merkle-root / NTS-cookie / cert-fingerprint paths that already use `timingSafeEqual`. **`b.auth.oauth` scope strict whitespace split** — RFC 6749 §3.3 says `scope` is space-separated, ONLY `U+0020`. Pre-v0.9.4 `raw.scope.split(/\s+/)` matched U+0085 NEL, U+00A0 NBSP, etc., so a hostile AS returning `scope: "admin<NEL>read"` would surface as `["admin", "read"]` and the operator's scope allowlist saw two distinct scopes. Now splits on single-space only; empty pieces filtered out. **`b.middleware.dpop` `X-Forwarded-*` trust gate** — `_reconstructHtu` previously read `X-Forwarded-Proto` / `X-Forwarded-Host` unconditionally; an attacker who can hit the origin directly while spoofing `X-Forwarded-Proto: https` could trick the middleware into building an `https` htu that the DPoP proof was signed for, when the origin is actually serving HTTP (RFC 9449 §4.3 says the htu MUST be the absolute URL the request was sent to). The default now derives proto/host from the socket; operators with a confirmed-trusted front proxy opt in via `opts.trustForwardedHeaders: true`.
 - v0.9.3 (2026-05-11) — **Audit hardening slice 3: OAuth + OID4VCI + OID4VP + CIBA + constant-time-compare migrations**. Continues the 2026-05-11 auth audit follow-through. **`b.auth.oauth.refreshAccessToken` atomic check-and-insert** — new `ropts.checkAndInsert(token, expireAtMs)` callback contract replaces the previous `ropts.seen(token)` check-then-act race. Two concurrent refresh requests on the same event-loop tick could both see `seen === false` and both POST to the token endpoint, neither flagging the replay; the new contract requires an atomic test-and-set (Redis SETNX, DB INSERT ON CONFLICT) and is the OAuth 2.1 §6.1 / RFC 9700 §4.13 one-time-use defense surfacing the actual race window. Legacy `seen` callback continues to work for backwards-compat with operator code; the docstring documents the race + recommends migration to `checkAndInsert`. **`b.auth.oid4vci` constant-time compares** — pre-auth `tx_code` hash compare (was `!==` on sha3 hex) and proof-JWT `c_nonce` compare (was `!==` on attacker-supplied wallet payload) both route through `b.crypto.timingSafeEqual`. **`b.auth.oid4vp` per-presentation `vct` enforcement** — DCQL filters with 2+ `vct_values` entries previously bypassed vct validation entirely (the framework only set `expectedVct` when the filter pinned to a single value). Verifier now validates the presented vct against the DCQL filter list manually when length > 1; refuses with `vp_token['<id>'][<n>] vct '<presented>' is not in DCQL vct_values [...]` on over-disclosure. **`b.auth.ciba` slow_down honoring** — CIBA §11.3 requires the client to increase its polling interval by at least 5s on every `slow_down` response. Pre-v0.9.3 the framework client never bumped, leaving operators to do their own interval bookkeeping. Now `pollToken()` tracks per-`authReqId` interval state internally (Map keyed by authReqId, seeded from `startAuthentication`'s response, cleared on token issuance), bumps by `max(5s, IdP-suggested interval) <= MAX_INTERVAL_SEC` on every slow_down, and attaches the next-suggested interval to the thrown `auth-ciba/slow_down` error as `err.nextIntervalSec` so operators read a spec-correct back-off without manual bookkeeping. **`b.auth.ciba` notification-token entropy** — `clientNotificationToken` now refuses < 32 chars per CIBA §7.1.2's opaque-hard-to-guess requirement. Pre-v0.9.3 a 4-char token passed. **`b.auth.ciba.parseNotification` constant-time compare** — bearer-token hash compare migrated from `!==` to `b.crypto.timingSafeEqual` (both sides are fixed-width sha3-512 hex strings; defense-in-depth even though equal-length JS string compare is already widely understood as constant-time on V8).
 - v0.9.2 (2026-05-11) — **Audit hardening slice 2: WebAuthn + FIDO MDS3 + NIST AAL**. Continues the 2026-05-11 auth surface audit follow-through. **`b.auth.passkey.verifyAuthentication` counter-regression bypass fix** — pre-v0.9.2 the wrapper coerced `opts.credential.counter || 0`, silently zeroing an `undefined` / `null` / `NaN` counter and defeating CTAP 2.1 clone-detection on credentials whose stored counter was > 0. An operator deserializing the credential from a column that lost the counter would unknowingly accept a cloned authenticator. The wrapper now refuses `undefined` / `null` (operators MUST persist whatever the vendor returned at registration; first-time-stored credentials carry counter:0 explicitly) and rejects any non-integer / non-finite / negative value with `auth-passkey/bad-counter`. **`b.auth.passkey` multi-origin support** — `expectedOrigin` now accepts `string` OR `string[]` on both `verifyRegistration` and `verifyAuthentication`. Pre-v0.9.2 the wrapper enforced a single string only, blocking multi-origin deployments (web + admin-subdomain) from sharing one verifier; SimpleWebAuthn natively supports arrays. **`b.auth.passkey` prototype-pollution fix** — `ALLOWED_MEDIATION` lookup changed from `{...}[opts.mediation]` to `hasOwnProperty.call(ALLOWED_MEDIATION, opts.mediation)` with a null-prototype map. Pre-v0.9.2 a caller passing `mediation: "__proto__"` / `"constructor"` truthy-matched an inherited Object.prototype property and slipped past the allowlist into `generateAuthenticationOptions`. **`b.auth.aal.fromMethods` UV requirement for AAL3** — per NIST SP 800-63-4 §5.1.7, WebAuthn / passkey satisfies AAL3 (MF-CRYPT) only when user verification was performed on the assertion. Pre-v0.9.2 `fromMethods({ webauthn: true })` returned `AAL3` unconditionally; operators using `userVerification: "preferred"` whose authenticator skipped UV landed in AAL3 despite not satisfying the spec's MF requirement. The caller now passes `uv: true` (sourced from the vendor's authData UV bit) to claim AAL3 with webauthn alone; without `uv`, webauthn alone caps at AAL2 (SF-CRYPT). Combination paths (`webauthn + password` / `webauthn + pin`) reach AAL3 regardless of UV (the memorized secret provides the second factor independently). **`b.auth.fidoMds3.verifyAuthenticator` fail-closed default + new opts** — pre-v0.9.2 unknown AAGUIDs returned `{ ok: true, reason: "aaguid-not-in-blob" }`, silently trusting any authenticator the metadata service hadn't yet listed (rogue / pre-certification / fake hardware). Now fails closed by default; operators wanting the legacy fail-open behavior (test fixtures, pre-certification pilot rollouts) pass `opts.allowUnknownAaguid: true` explicitly. **`b.auth.fidoMds3.parseBlob` stale-BLOB refusal** — refuses BLOB payloads whose `nextUpdate` is already in the past (FIDO MDS3 §3.1.7). Pre-v0.9.2 the staleness was floored to `MIN_CACHE_TTL_MS` but the BLOB was still served, letting an attacker pin operators to a revoked-authenticator-list-frozen-at-X by serving an ancient signed-but-expired BLOB. **`b.auth.fidoMds3.REFUSE_STATUS`** — added `ATTESTATION_KEY_COMPROMISE` per FIDO MDS3 §3.1.4. Pre-v0.9.2 this status was silently accepted; manufacturer batch-signing-key compromise affects every credential attested under that key.

package/lib/auth/ciba.js

@@ -51,6 +51,7 @@
  *   alongside CIBA all share one set of audited credentials).
  */
 
+var C            = require("../constants");
 var lazyRequire  = require("../lazy-require");
 var validateOpts = require("../validate-opts");
 var safeJson     = require("../safe-json");
@@ -381,7 +382,7 @@ function create(opts) {
     // Seed the per-authReqId interval tracker so pollToken's
     // slow_down handler bumps from the IdP-supplied starting point
     // (CIBA §11.3 minimum-5s bump on every slow_down response).
-    _registerInitialInterval(rv.auth_req_id, interval);
+    _registerInitialInterval(rv.auth_req_id, interval, expiresIn);
 
     _emitAudit("start", "success", {
       authReqIdHash: sha3Hash("auth-ciba:" + rv.auth_req_id),
@@ -418,10 +419,37 @@ function create(opts) {
   // `slow_down` response. The framework client now maintains this
   // state internally so operators reading `err.nextIntervalSec` get
   // a spec-correct back-off without rolling their own counter.
-  var _intervalState = new Map();   // authReqId → current interval sec
+  // Map values are `{ interval, expireAtMs }`; entries TTL out at
+  // the per-authReqId expiry (startAuthentication's expiresIn). A
+  // periodic sweep + on-touch lazy purge prevent unbounded growth
+  // when authentication requests are denied / expire / never
+  // pollToken'd (e.g. ping/push delivery modes where the IdP
+  // notifies the RP and pollToken is never called).
+  var _intervalState = new Map();
 
-  function _registerInitialInterval(authReqId, intervalSec) {
-    _intervalState.set(authReqId, intervalSec);
+  function _purgeExpiredIntervals(nowMs) {
+    var iter = _intervalState.entries();
+    var step = iter.next();
+    while (!step.done) {
+      var pair = step.value;
+      if (pair[1].expireAtMs <= nowMs) _intervalState.delete(pair[0]);
+      step = iter.next();
+    }
+  }
+
+  function _registerInitialInterval(authReqId, intervalSec, expiresInSec) {
+    var nowMs = Date.now();
+    // Opportunistic sweep at every register so the cleanup runs
+    // on the same code path as growth — no separate timer.
+    _purgeExpiredIntervals(nowMs);
+    _intervalState.set(authReqId, {
+      interval:   intervalSec,
+      // expireAtMs derived from the IdP's expires_in (the lifetime
+      // of the auth-req-id itself). Once the auth-req-id expires
+      // the entry can be purged regardless of whether pollToken
+      // succeeded.
+      expireAtMs: nowMs + C.TIME.seconds(expiresInSec),
+    });
   }
 
   async function pollToken(popts) {
@@ -458,7 +486,8 @@ function create(opts) {
       // honor that when >= current + 5, otherwise enforce the
       // minimum 5s bump.
       if (err && err.code === "auth-ciba/slow_down") {
-        var current = _intervalState.get(popts.authReqId) || DEFAULT_INTERVAL_SEC;
+        var entry = _intervalState.get(popts.authReqId);
+        var current = entry ? entry.interval : DEFAULT_INTERVAL_SEC;
         var idpSuggested = err.cibaError && typeof err.cibaError.interval === "number"
           ? err.cibaError.interval : null;
         var next = current + 5;                                                                 // allow:raw-time-literal — §11.3 mandates +5s minimum
@@ -466,8 +495,20 @@ function create(opts) {
           next = idpSuggested;
         }
         if (next > MAX_INTERVAL_SEC) next = MAX_INTERVAL_SEC;
-        _intervalState.set(popts.authReqId, next);
+        if (entry) {
+          _intervalState.set(popts.authReqId, { interval: next, expireAtMs: entry.expireAtMs });
+        }
         err.nextIntervalSec = next;
+      } else if (err && (
+        err.code === "auth-ciba/expired_token" ||
+        err.code === "auth-ciba/access_denied" ||
+        err.code === "auth-ciba/invalid_grant" ||
+        err.code === "auth-ciba/transaction_failed")) {
+        // Terminal CIBA errors (RFC §13) — the auth_req_id is now
+        // dead. Clear the per-authReqId interval entry so it
+        // doesn't leak when the operator stops polling. (Reported
+        // 2026-05-12.)
+        _intervalState.delete(popts.authReqId);
       }
       throw err;
     }

package/lib/auth/jwt-external.js

@@ -227,6 +227,10 @@ async function verifyExternal(token, opts) {
   validateOpts(opts, [
     "algorithms", "jwks", "jwksUri", "jwksCacheMs", "keyResolver",
     "audience", "issuer", "subject", "clockSkewMs",
+    // v0.9.4 — opt-out for the kid-less-token JWKS-of-one refusal
+    // (default refuses; non-conforming IdPs that emit kid-less tokens
+    // set this true). Audit 2026-05-11.
+    "allowKidlessJwks",
   ], "auth.jwt.verifyExternal");
 
   if (!Array.isArray(opts.algorithms) || opts.algorithms.length === 0) {

package/lib/auth/oauth.js

@@ -334,6 +334,14 @@ function create(opts) {
   var allowInternal    = opts.allowInternal != null ? opts.allowInternal : null; // localhost dev opt-in (SSRF gate)
   var httpClientOpts   = opts.httpClient || {};
   var responseMode     = opts.responseMode || null;
+  // v0.9.5 — client-level opt-out for the kid-less JWKS-of-one
+  // refusal added in v0.9.4. Surfaced at the create() level (not
+  // per-verifyIdToken-call) so it threads through every code path
+  // that lands on verifyIdToken — _normalizeTokens for exchangeCode
+  // / pollDeviceCode / exchangeToken / refreshAccessToken, JARM
+  // wrapper, and the public verifyIdToken entry point. Operators
+  // with non-conforming IdPs set this once at client construction.
+  var allowKidlessJwks = opts.allowKidlessJwks === true;
 
   if (!clientId) {
     throw new OAuthError("auth-oauth/no-client-id", "create: opts.clientId is required");
@@ -566,23 +574,31 @@ function create(opts) {
     // check ran via `ropts.seen(token)` which was a check-then-act
     // race: two concurrent refresh requests landed on the same
     // event-loop tick could both see `seen === false` and both POST
-    // to the token endpoint, neither flagging the replay. The new
-    // contract is `ropts.checkAndInsert(token, expireAtMs)` which
-    // MUST atomically test-and-set: returns true if the token was
-    // ALREADY in the store (replay) and false if it just inserted
-    // the token. The legacy `seen` callback continues to work for
-    // backward compatibility but emits a deprecation warning.
+    // to the token endpoint, neither flagging the replay. The
+    // framework-wide checkAndInsert contract (lib/nonce-store.js,
+    // lib/auth/jwt.js) is: returns `true` when the value was UNSEEN
+    // and is now recorded (first sighting); returns `false` when
+    // already present (replay). The legacy `seen` callback returned
+    // the opposite (true means seen-already); both surfaces are
+    // supported but normalize to a single `alreadySeen` boolean
+    // below.
     var alreadySeen = false;
     if (typeof ropts.checkAndInsert === "function") {
       var nowMs = Date.now();
       // 24h max refresh-token TTL — operators with shorter TTLs
       // should configure their store's own expiry policy.
       var expireAtMs = nowMs + C.TIME.hours(24);
-      try { alreadySeen = await ropts.checkAndInsert(refreshToken, expireAtMs); }
+      var inserted;
+      try { inserted = await ropts.checkAndInsert(refreshToken, expireAtMs); }
       catch (e) {
         throw new OAuthError("auth-oauth/seen-callback-failed",
           "refreshAccessToken: checkAndInsert() callback threw: " + ((e && e.message) || String(e)));
       }
+      // Spec contract: inserted===true → first sighting (OK);
+      // inserted===false → replay. v0.9.3 had this inverted, which
+      // broke every first refresh attempt for operators reusing an
+      // existing b.nonceStore-style backend. (Reported 2026-05-12.)
+      alreadySeen = inserted === false;
     } else if (typeof ropts.seen === "function") {
       // Legacy non-atomic path. Documented as a check-then-act race;
       // operators sharing a single-writer store (Redis SETNX, DB
@@ -987,7 +1003,15 @@ function create(opts) {
     // genuinely emit kid-less tokens can opt out via
     // vopts.allowKidlessJwks = true with a logged warning.
     if (!match) {
-      if (!header.kid && keys.length === 1 && vopts.allowKidlessJwks === true) {
+      // Operator opt-out reads from EITHER the per-call vopts OR the
+      // client-level config — `_normalizeTokens` calls verifyIdToken
+      // with a reduced vopts ({ nonce, skipNonceCheck }), so a
+      // per-call opt would not reach the standard exchangeCode /
+      // pollDeviceCode / exchangeToken / refreshAccessToken flows.
+      // The client-level `create({ allowKidlessJwks: true })` fills
+      // that gap. (v0.9.5 follow-up to the v0.9.4 audit fix.)
+      var allowKidless = vopts.allowKidlessJwks === true || allowKidlessJwks;
+      if (!header.kid && keys.length === 1 && allowKidless) {
         match = keys[0];
       } else {
         throw new OAuthError("auth-oauth/no-matching-key",
@@ -995,8 +1019,10 @@ function create(opts) {
             ? "no JWKS key matches header.kid='" + header.kid + "'"
             : "ID token has no kid header; framework refuses kid-less " +
               "tokens to defend against JWKS-rotation key-pick attacks " +
-              "(pass vopts.allowKidlessJwks: true to opt out if your IdP " +
-              "genuinely emits kid-less tokens)");
+              "(pass `allowKidlessJwks: true` to b.auth.oauth.create() — " +
+              "client-level — if your IdP genuinely emits kid-less tokens; " +
+              "or vopts.allowKidlessJwks: true on a single verifyIdToken " +
+              "call)");
       }
     }
     var keyObject = _jwkToKey(match);

package/lib/middleware/dpop.js

@@ -184,6 +184,10 @@ function create(opts) {
     "replayStore", "algorithms", "iatWindowSec",
     "getAccessToken", "getNonce", "getHtu", "audit",
     "nonceStore", "nonceWindowSec", "nonceRotateSec", "requireNonce",
+    // v0.9.4 — opt-in trust gate for X-Forwarded-Proto/Host when
+    // reconstructing htu. Default off (audit 2026-05-11); operators
+    // with a confirmed-trusted front proxy set this to `true`.
+    "trustForwardedHeaders",
   ], "middleware.dpop");
 
   var auditOn = opts.audit !== false;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.9.4",
+  "version": "0.9.5",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:9ba09f74-5c33-44b9-b39c-b6016b2073d8",
+  "serialNumber": "urn:uuid:851d345b-6891-4a75-bac3-11ec1478b08d",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-12T00:48:11.880Z",
+    "timestamp": "2026-05-12T03:03:37.327Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.9.4",
+      "bom-ref": "@blamejs/core@0.9.5",
       "type": "library",
       "name": "blamejs",
-      "version": "0.9.4",
+      "version": "0.9.5",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.9.4",
+      "purl": "pkg:npm/%40blamejs/core@0.9.5",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.9.4",
+      "ref": "@blamejs/core@0.9.5",
       "dependsOn": []
     }
   ]