@blamejs/core 0.9.49 → 0.10.2

package/lib/auth/jwt-external.js

@@ -55,6 +55,7 @@ var safeUrl = require("../safe-url");
 var lazyRequire = require("../lazy-require");
 var validateOpts = require("../validate-opts");
 var C = require("../constants");
+var bCrypto = require("../crypto");
 var { AuthError } = require("../framework-error");
 
 var httpClient = lazyRequire(function () { return require("../http-client"); });
@@ -131,6 +132,77 @@ function _jwkToKey(jwk) {
   }
 }
 
+// CVE-2026-22817 — RS256→HS256 alg-confusion + the broader alg/kty
+// confused-deputy class. The header `alg` is attacker-controlled; the
+// JWK's `kty` (and `crv` for EC / OKP) describes what the resolved key
+// actually IS. Without a cross-check, a server that resolved an RSA
+// public key (RS256/PS256 family) can be tricked into accepting a token
+// declaring `alg: "HS256"` — Node's verify() treats the RSA public key
+// bytes as an HMAC secret and the signature verifies. Equivalent
+// confusion lives between EC (ES*) and RSA (RS*/PS*) when the issuer
+// publishes both key types under one kid scheme. Crossing alg → expected
+// kty/crv BEFORE handing the JWK to node:crypto closes the class.
+//
+// Routed through from oauth.verifyIdToken / jwt-external.verifyExternal /
+// oid4vci proof verify / sd-jwt-vc.verify / openid-federation.verifyEntityStatement
+// per the v0.9.x audit (CVE-2026-22817 column).
+//
+// RFC 7518 §3 maps the JWS `alg` to the key shape it requires:
+//   RS*/PS*  → kty=RSA
+//   ES256    → kty=EC, crv=P-256
+//   ES384    → kty=EC, crv=P-384
+//   ES512    → kty=EC, crv=P-521
+//   EdDSA    → kty=OKP (crv=Ed25519 or Ed448)
+//   ML-DSA-* → kty=AKP, alg=<algId>      (draft-ietf-cose-cnsa-pqc)
+function _assertAlgKtyMatch(alg, jwk) {
+  if (typeof alg !== "string" || alg.length === 0) {
+    throw new AuthError("auth-jwt-external/bad-alg",
+      "_assertAlgKtyMatch: alg must be a non-empty string");
+  }
+  if (!jwk || typeof jwk !== "object" || typeof jwk.kty !== "string") {
+    throw new AuthError("auth-jwt-external/bad-jwk",
+      "_assertAlgKtyMatch: JWK must declare kty");
+  }
+  var expectedKty = null;
+  var expectedCrv = null;
+  if (alg === "RS256" || alg === "RS384" || alg === "RS512" ||
+      alg === "PS256" || alg === "PS384" || alg === "PS512") {
+    expectedKty = "RSA";
+  } else if (alg === "ES256") { expectedKty = "EC"; expectedCrv = "P-256"; }
+  else if   (alg === "ES384") { expectedKty = "EC"; expectedCrv = "P-384"; }
+  else if   (alg === "ES512") { expectedKty = "EC"; expectedCrv = "P-521"; }
+  else if   (alg === "EdDSA") { expectedKty = "OKP"; }
+  else if   (alg === "ML-DSA-65" || alg === "ML-DSA-87") { expectedKty = "AKP"; }
+  else {
+    // Unknown alg — caller's alg allowlist should have rejected first;
+    // refuse here defensively (CVE-2026-23993 class — unknown-alg paths
+    // that skip downstream verification).
+    throw new AuthError("auth-jwt-external/unsupported-alg",
+      "_assertAlgKtyMatch: alg '" + alg + "' has no defined key-type binding");
+  }
+  if (jwk.kty !== expectedKty) {
+    throw new AuthError("auth-jwt-external/alg-kty-mismatch",
+      "JWS alg '" + alg + "' requires JWK kty='" + expectedKty +
+      "' but resolved JWK has kty='" + jwk.kty + "' (CVE-2026-22817 — alg confusion)");
+  }
+  if (expectedCrv && jwk.crv !== expectedCrv) {
+    throw new AuthError("auth-jwt-external/alg-crv-mismatch",
+      "JWS alg '" + alg + "' requires JWK crv='" + expectedCrv +
+      "' but resolved JWK has crv='" + (jwk.crv || "<absent>") + "' (CVE-2026-22817 — curve confusion)");
+  }
+}
+
+// Constant-time issuer comparison (CVE-2026-23552 — cross-realm/issuer
+// JWT acceptance via weak iss validation). Both sides are
+// operator-supplied strings; a non-CT compare leaks length / prefix
+// timing that lets an attacker narrow which realm prefix the verifier
+// accepts. cryptoTimingSafeEqual handles unequal-length safely and
+// returns false rather than throwing.
+function _issuerMatches(actual, expected) {
+  if (typeof actual !== "string" || typeof expected !== "string") return false;
+  return bCrypto.timingSafeEqual(actual, expected);
+}
+
 function _toKey(value) {
   if (!value) {
     throw new AuthError("auth-jwt-external/no-key",
@@ -299,9 +371,21 @@ async function verifyExternal(token, opts) {
     throw new AuthError("auth-jwt-external/unknown-crit",
       "token declares 'crit' header — verifyExternal does not support critical extensions");
   }
+  // CVE-2026-23993 — refuse alg values outside the accepted list BEFORE
+  // any key lookup. The early refusal closes the class where an
+  // unknown / unsupported alg slips through to a downstream code path
+  // that interprets it permissively. The per-listed algorithm check
+  // above in the opts-validation loop refuses the OPERATOR'S allowlist
+  // shape; this check refuses the TOKEN'S declared alg before any
+  // key-resolver / JWKS-fetch side effect.
   if (opts.algorithms.indexOf(header.alg) === -1) {
     throw new AuthError("auth-jwt-external/alg-not-allowed",
-      "token alg='" + header.alg + "' not in allowed list [" + opts.algorithms.join(", ") + "]");
+      "token alg='" + header.alg + "' not in allowed list [" + opts.algorithms.join(", ") +
+      "] (CVE-2026-23993 — refused before key lookup)");
+  }
+  if (SUPPORTED_CLASSICAL_ALGS.indexOf(header.alg) === -1) {
+    throw new AuthError("auth-jwt-external/unsupported-alg",
+      "token alg='" + header.alg + "' is not in the verifier's supported set (CVE-2026-23993)");
   }
 
   // Resolve key.
@@ -313,11 +397,26 @@ async function verifyExternal(token, opts) {
       throw new AuthError("auth-jwt-external/key-resolver-failed",
         "keyResolver threw: " + ((e && e.message) || String(e)));
     }
+    // When keyResolver returns a JWK object, cross-check alg/kty BEFORE
+    // _toKey hands it to node:crypto (CVE-2026-22817). PEM / KeyObject
+    // shapes can't carry a kty surface so the check happens at JWKS
+    // resolution only.
+    if (resolved && typeof resolved === "object" &&
+        !(resolved instanceof nodeCrypto.KeyObject) &&
+        !Buffer.isBuffer(resolved) &&
+        typeof resolved.kty === "string") {
+      _assertAlgKtyMatch(header.alg, resolved);
+    }
     key = _toKey(resolved);
   } else {
     var keys = opts.jwks ? opts.jwks
                          : await _fetchJwks(opts.jwksUri, opts.jwksCacheMs);
     var jwk = _selectKey(keys, header, opts);
+    // CVE-2026-22817 — cross-check alg/kty BEFORE importing the JWK as
+    // a key object. Without this an attacker-controlled `alg: "HS256"`
+    // against an RSA-kty JWK would have node:crypto.verify treat the
+    // RSA public key as an HMAC secret.
+    _assertAlgKtyMatch(header.alg, jwk);
     key = _jwkToKey(jwk);
   }
 
@@ -376,9 +475,30 @@ async function verifyExternal(token, opts) {
         JSON.stringify(opts.audience) + "'");
     }
   }
-  if (opts.issuer && payload.iss !== opts.issuer) {
-    throw new AuthError("auth-jwt-external/iss-mismatch",
-      "token iss '" + payload.iss + "' does not match expected '" + opts.issuer + "'");
+  if (opts.issuer) {
+    // CVE-2026-23552 — cross-realm / cross-issuer JWT acceptance via
+    // weak iss validation. Constant-time compare defeats prefix-timing
+    // narrowing; emit a DISTINCT audit event (separate from sig-verify-
+    // fail) so detection signals lights up on the cross-realm shape
+    // independently of generic verification failures.
+    if (typeof payload.iss !== "string" ||
+        !_issuerMatches(payload.iss, opts.issuer)) {
+      try { audit().safeEmit({
+        action:   "jwt.iss.mismatch",
+        outcome:  "denied",
+        metadata: {
+          expectedIssuer: opts.issuer,
+          // payload.iss is attacker-controlled, but logging it for
+          // detection is the point — operators correlate against
+          // their tenant table to identify cross-realm probes.
+          presentedIssuer: typeof payload.iss === "string" ? payload.iss : null,
+          reason: "cross-realm-jwt-refused",
+        },
+      }); } catch (_e) { /* drop-silent — observability sink */ }
+      throw new AuthError("auth-jwt-external/iss-mismatch",
+        "token iss '" + payload.iss + "' does not match expected '" + opts.issuer +
+        "' (CVE-2026-23552 — cross-realm refused)");
+    }
   }
   if (opts.subject && payload.sub !== opts.subject) {
     throw new AuthError("auth-jwt-external/sub-mismatch",
@@ -392,4 +512,8 @@ module.exports = {
   verifyExternal:           verifyExternal,
   SUPPORTED_CLASSICAL_ALGS: SUPPORTED_CLASSICAL_ALGS,
   REFUSED_ALGS:             REFUSED_ALGS,
+  // Shared JOSE defenses — routed from oauth.verifyIdToken /
+  // oid4vci proof verify / sd-jwt-vc.verify / openid-federation.
+  _assertAlgKtyMatch:       _assertAlgKtyMatch,
+  _issuerMatches:           _issuerMatches,
 };

package/lib/auth/oauth.js

@@ -115,6 +115,13 @@ var safeJson = require("../safe-json");
 var safeUrl = require("../safe-url");
 var { URL } = require("node:url");
 var { defineClass } = require("../framework-error");
+var lazyRequire = require("../lazy-require");
+// Shared JOSE defenses (CVE-2026-22817 alg/kty cross-check +
+// CVE-2026-23552 constant-time iss compare). Top-of-file per project
+// convention §3; no circular load — jwt-external requires nothing from
+// oauth.
+var jwtExternal = require("./jwt-external");
+var audit       = lazyRequire(function () { return require("../audit"); });
 
 // Cap on responses parsed from upstream OAuth providers. Token /
 // userinfo / discovery responses are tiny in spec; 256 KiB leaves
@@ -208,6 +215,30 @@ var PSS_SALT_BYTES_SHA256      = C.BYTES.bytes(32);
 var PSS_SALT_BYTES_SHA384      = C.BYTES.bytes(48);
 var PSS_SALT_BYTES_SHA512      = C.BYTES.bytes(64);
 
+// RFC 8628 §3.4 — device_code length cap. The spec doesn't fix a max
+// length but 8 KiB comfortably accommodates any legitimate base64url
+// CSPRNG output and refuses pathological payloads.
+var MAX_DEVICE_CODE_BYTES      = C.BYTES.kib(8);
+// RFC 8628 §3.4 — 5s is the spec-documented MINIMUM polling interval.
+var MIN_DEVICE_POLL_INTERVAL_SEC = 5;                                                              // allow:raw-time-literal — RFC 8628 §3.4 spec floor
+// OIDC Back-Channel Logout §2.6 — replay defense via jti store catches
+// duplicate-jti reuse, but pre-v0.9.x an old captured logout-token
+// with a fresh jti could still pass. Enforce iat freshness against
+// this floor (operator-tunable).
+var DEFAULT_LOGOUT_TOKEN_MAX_AGE_SEC = C.TIME.minutes(5) / C.TIME.seconds(1);
+
+// RFC 8693 §3 — registered token-type URNs for token exchange.
+// Operators with custom URNs pass allowCustomTokenType:true with a
+// documented downstream contract.
+var RFC_8693_TOKEN_TYPES = Object.freeze([
+  "urn:ietf:params:oauth:token-type:access_token",
+  "urn:ietf:params:oauth:token-type:refresh_token",
+  "urn:ietf:params:oauth:token-type:id_token",
+  "urn:ietf:params:oauth:token-type:saml1",
+  "urn:ietf:params:oauth:token-type:saml2",
+  "urn:ietf:params:oauth:token-type:jwt",
+]);
+
 // ---- helpers ----
 
 function _b64urlEncode(buf) { return bCrypto.toBase64Url(buf); }
@@ -363,6 +394,14 @@ function create(opts) {
              || (preset && typeof preset.issuerTemplate === "function" && preset.issuerTemplate(opts))
              || (preset && preset.issuer)
              || null;
+  // OIDC Core §15.5 — issuer is a URL the framework subsequently uses
+  // as the OP identity in discovery + JWT iss comparisons. An operator
+  // typo in opts.auth0Domain / opts.keycloakUrl flows into the preset's
+  // issuerTemplate output verbatim; without validation that mistake
+  // reaches discovery + the iss compare. Re-route through _validateUrl
+  // so the issuer the framework will trust later is well-formed before
+  // any network round-trip.
+  if (issuer) _validateUrl(issuer, allowHttp, "issuer");
   var scope = Array.isArray(opts.scope) && opts.scope.length > 0
                 ? opts.scope.slice()
                 : (preset && preset.defaultScope ? preset.defaultScope.slice() : ["openid"]);
@@ -953,6 +992,23 @@ function create(opts) {
       throw new OAuthError("auth-oauth/no-id-token", "verifyIdToken: idToken must be a string");
     }
     var parts = idToken.split(".");
+    // CVE-2026-29000 / CVE-2026-22817 / CVE-2026-23993 — mirror
+    // jwt-external's 5-segment JWE refusal. A 5-segment compact
+    // serialization is a JWE (RFC 7516); verifyIdToken is a JWS verifier
+    // and a JWE shape reaching here is the confused-deputy class an OP
+    // shipping JWE id_tokens would exercise. Operators with JWE
+    // id_tokens wire a separate JWE handler at their KMS — never on
+    // this verifier path.
+    if (parts.length === 5) {
+      try { audit().safeEmit({
+        action:   "jwt.jwe.refused",
+        outcome:  "denied",
+        metadata: { reason: "jwe-on-jws-verifier", primitive: "oauth.verifyIdToken" },
+      }); } catch (_e) { /* drop-silent — observability sink */ }
+      throw new OAuthError("auth-oauth/jwe-refused",
+        "5-segment JWE id_token refused — verifyIdToken only handles JWS " +
+        "(CVE-2026-29000 / CVE-2026-23993 / CVE-2026-22817 / CVE-2026-34950 JWE-bypass class)");
+    }
     if (parts.length !== 3) {
       throw new OAuthError("auth-oauth/malformed-jwt", "ID token does not have 3 parts");
     }
@@ -967,9 +1023,13 @@ function create(opts) {
     if (!header || typeof header.alg !== "string") {
       throw new OAuthError("auth-oauth/malformed-jwt", "ID token header missing 'alg'");
     }
+    // CVE-2026-23993 — refuse unknown alg BEFORE any key resolution.
+    // The acceptedAlgorithms list is the operator's posture; an alg
+    // outside it never reaches the JWKS lookup or node:crypto.verify.
     if (acceptedAlgorithms.indexOf(header.alg) === -1) {
       throw new OAuthError("auth-oauth/alg-not-accepted",
-        "ID token signed with '" + header.alg + "' which is not in the accepted-algorithm list");
+        "ID token signed with '" + header.alg + "' which is not in the accepted-algorithm list " +
+        "(CVE-2026-23993 — refused before key lookup)");
     }
     // RFC 7515 §4.1.11 — refuse JWS with `crit` header. Every other
     // verifier in the framework (jwt.js, jwt-external.js, dpop.js)
@@ -1021,6 +1081,13 @@ function create(opts) {
               "call)");
       }
     }
+    // CVE-2026-22817 — cross-check JWS alg against the resolved JWK's
+    // kty (and crv for EC). Without this an attacker-controlled
+    // `alg: "HS256"` against an RSA-kty JWK would hand the public-key
+    // bytes to node:crypto.verify as an HMAC secret. Routed through the
+    // shared helper so every JWT verifier (oauth / jwt-external /
+    // oid4vci / sd-jwt-vc / openid-federation) enforces the same check.
+    jwtExternal._assertAlgKtyMatch(header.alg, match);
     var keyObject = _jwkToKey(match);
     var params = _verifyParamsForAlg(header.alg);
     var signingInput = parts[0] + "." + parts[1];
@@ -1064,9 +1131,29 @@ function create(opts) {
     if (typeof payload.nbf === "number" && payload.nbf - skewSec > now) {
       throw new OAuthError("auth-oauth/nbf-future", "ID token nbf is in the future");
     }
-    if (issuer && payload.iss !== issuer) {
-      throw new OAuthError("auth-oauth/iss-mismatch",
-        "ID token iss '" + payload.iss + "' does not match expected '" + issuer + "'");
+    if (issuer) {
+      // CVE-2026-23552 — cross-realm / cross-issuer JWT acceptance. The
+      // expected issuer is operator-supplied; payload.iss is attacker-
+      // controlled bytes. Constant-time compare defeats prefix-timing
+      // narrowing. Emit a DISTINCT audit event (separate from the
+      // bad-signature failure) so detection signals on cross-realm
+      // probes independently of generic verification failures.
+      if (typeof payload.iss !== "string" ||
+          !jwtExternal._issuerMatches(payload.iss, issuer)) {
+        try { audit().safeEmit({
+          action:   "jwt.iss.mismatch",
+          outcome:  "denied",
+          metadata: {
+            expectedIssuer:  issuer,
+            presentedIssuer: typeof payload.iss === "string" ? payload.iss : null,
+            reason:          "cross-realm-jwt-refused",
+            primitive:       "oauth.verifyIdToken",
+          },
+        }); } catch (_e) { /* drop-silent — observability sink */ }
+        throw new OAuthError("auth-oauth/iss-mismatch",
+          "ID token iss '" + payload.iss + "' does not match expected '" + issuer +
+          "' (CVE-2026-23552 — cross-realm refused)");
+      }
     }
     var aud = Array.isArray(payload.aud) ? payload.aud : (payload.aud ? [payload.aud] : []);
     if (aud.indexOf(clientId) === -1) {
@@ -1104,6 +1191,12 @@ function create(opts) {
     var params = new URLSearchParams();
     if (uopts.idTokenHint) params.set("id_token_hint", uopts.idTokenHint);
     if (uopts.postLogoutRedirectUri) {
+      // OIDC RP-Init Logout §3.1 — postLogoutRedirectUri is operator-
+      // supplied; an operator typo could ship `http://` or
+      // `javascript:`. Route through the framework's URL gate before
+      // emitting so the URL is validated the same way as every other
+      // operator-supplied OAuth URL (audit 2026-05-15).
+      _validateUrl(uopts.postLogoutRedirectUri, allowHttp, "postLogoutRedirectUri");
       params.set("post_logout_redirect_uri", uopts.postLogoutRedirectUri);
     }
     if (uopts.state)        params.set("state", uopts.state);
@@ -1111,8 +1204,30 @@ function create(opts) {
     if (uopts.uiLocales)    params.set("ui_locales", uopts.uiLocales);
     if (uopts.clientId !== false) params.set("client_id", clientId);
     if (uopts.extraParams && typeof uopts.extraParams === "object") {
+      // OIDC RP-Init Logout §3.1 — extraParams carries operator-
+      // controlled key/value pairs. Refuse keys that collide with
+      // first-class params so an operator typo / library-merge can't
+      // smuggle a second `post_logout_redirect_uri` past the
+      // _validateUrl gate above. Defense-in-depth — the operator
+      // controls extraParams, so this is a config-time invariant, not
+      // an attacker-input filter.
+      var RESERVED_END_SESSION_PARAMS = {
+        "id_token_hint":              1,
+        "post_logout_redirect_uri":   1,
+        "state":                      1,
+        "logout_hint":                1,
+        "ui_locales":                 1,
+        "client_id":                  1,
+      };
       var ek = Object.keys(uopts.extraParams);
-      for (var i = 0; i < ek.length; i++) params.set(ek[i], String(uopts.extraParams[ek[i]]));
+      for (var i = 0; i < ek.length; i++) {
+        if (RESERVED_END_SESSION_PARAMS[ek[i]]) {
+          throw new OAuthError("auth-oauth/end-session-reserved-extra-param",
+            "endSessionUrl: extraParams key '" + ek[i] + "' collides with a first-class " +
+            "RP-Init Logout parameter — pass it through the named field instead");
+        }
+        params.set(ek[i], String(uopts.extraParams[ek[i]]));
+      }
     }
     var qs = params.toString();
     if (qs.length === 0) return endpoint;
@@ -1218,10 +1333,24 @@ function create(opts) {
     // logout for a session at a different IdP). `sid` is required
     // when the RP registered with frontchannel_logout_session_required=true;
     // we surface it either way and let the operator decide.
-    if (iss && iss !== issuer) {
+    // CVE-2026-23552 — constant-time issuer compare. Defeats prefix-
+    // timing narrowing against the configured issuer string; iss is
+    // attacker-controlled query-param input.
+    if (iss && (typeof issuer !== "string" || !jwtExternal._issuerMatches(iss, issuer))) {
+      try { audit().safeEmit({
+        action:   "jwt.iss.mismatch",
+        outcome:  "denied",
+        metadata: {
+          expectedIssuer:  issuer,
+          presentedIssuer: iss,
+          reason:          "frontchannel-logout-cross-realm",
+          primitive:       "oauth.parseFrontchannelLogoutRequest",
+        },
+      }); } catch (_e) { /* drop-silent — observability sink */ }
       throw new OAuthError("auth-oauth/frontchannel-logout-iss-mismatch",
         "parseFrontchannelLogoutRequest: iss \"" + iss +
-        "\" does not match configured issuer \"" + issuer + "\"");
+        "\" does not match configured issuer \"" + issuer +
+        "\" (CVE-2026-23552 — cross-realm refused)");
     }
     return { iss: iss || issuer, sid: sid || null };
   }
@@ -1304,8 +1433,54 @@ function create(opts) {
       throw new OAuthError("auth-oauth/no-sub-or-sid",
         "verifyBackchannelLogoutToken: payload must include sub or sid");
     }
-    // Replay defense — operator-supplied jti store
-    if (typeof vopts.seen === "function") {
+    // OIDC Back-Channel Logout §2.6 — iat freshness gate. Logout tokens
+    // have no exp claim; freshness rests entirely on iat plus a
+    // replay-cache window. A captured old logout-token with a fresh jti
+    // (never seen by THIS RP's replay store, e.g. cleared across a
+    // restart) would otherwise pass. Refuse iat older than
+    // opts.maxAgeSec (default 5 minutes) — matches the standard 5-min
+    // jti-replay-cache window operators ship.
+    var logoutMaxAgeSec = typeof vopts.maxAgeSec === "number"
+      ? vopts.maxAgeSec
+      : DEFAULT_LOGOUT_TOKEN_MAX_AGE_SEC;
+    var nowSecLogout = Math.floor(Date.now() / C.TIME.seconds(1));
+    if (typeof claims.iat !== "number") {
+      throw new OAuthError("auth-oauth/logout-token-no-iat",
+        "verifyBackchannelLogoutToken: payload.iat required (OIDC BCL §2.4)");
+    }
+    if (claims.iat + logoutMaxAgeSec < nowSecLogout) {
+      throw new OAuthError("auth-oauth/logout-token-too-old",
+        "verifyBackchannelLogoutToken: payload.iat=" + claims.iat +
+        " is older than maxAgeSec=" + logoutMaxAgeSec +
+        " (OIDC BCL §2.6 — old logout-token refused)");
+    }
+    // Replay defense — atomic checkAndInsert when the operator supplies
+    // a b.nonceStore-shaped backend, fallback to the legacy
+    // seen()-callback when supplied. The atomic shape closes the
+    // race-class first surfaced for refresh-token rotation in v0.9.3:
+    // two simultaneous deliveries of the same logout_token both pass
+    // the seen() check and both run the operator's session-destroy
+    // handler. atomicReplayStore.checkAndInsert(jti, expireAtMs)
+    // returns true if it WAS the first insert, false on duplicate.
+    if (vopts.atomicReplayStore && typeof vopts.atomicReplayStore.checkAndInsert === "function") {
+      if (typeof claims.jti !== "string" || claims.jti.length === 0) {
+        throw new OAuthError("auth-oauth/no-jti",
+          "verifyBackchannelLogoutToken: jti required when atomicReplayStore is configured");
+      }
+      var expireAtMs = (nowSecLogout + logoutMaxAgeSec * 2) * C.TIME.seconds(1);
+      var inserted;
+      try { inserted = await vopts.atomicReplayStore.checkAndInsert(claims.jti, expireAtMs); }
+      catch (e) {
+        throw new OAuthError("auth-oauth/replay-store-failed",
+          "verifyBackchannelLogoutToken: atomicReplayStore.checkAndInsert threw: " +
+          ((e && e.message) || String(e)));
+      }
+      if (inserted === false) {
+        throw new OAuthError("auth-oauth/logout-token-replay",
+          "verifyBackchannelLogoutToken: jti '" + claims.jti +
+          "' already seen — replay refused (atomic)");
+      }
+    } else if (typeof vopts.seen === "function") {
       if (typeof claims.jti !== "string" || claims.jti.length === 0) {
         throw new OAuthError("auth-oauth/no-jti",
           "verifyBackchannelLogoutToken: jti required when a seen() callback is configured");
@@ -1451,6 +1626,17 @@ function create(opts) {
         "(RFC 7591 §2 makes it optional, but registering without explicit URIs " +
         "creates an open-redirect surface)");
     }
+    // RFC 7591 §2 / RFC 9700 §4.1.1 — every redirect_uri MUST be a
+    // valid https:// URL (or http://localhost for dev). Pre-v0.9.x the
+    // gate only enforced presence; an operator copying a config with
+    // `http://app.example` or `javascript:` would ship that string to
+    // the AS, which then permanently associates the open-redirect
+    // surface with the registered client_id. Validate at registration
+    // time so the bad URL never reaches the AS.
+    for (var ri = 0; ri < metadata.redirect_uris.length; ri++) {
+      _validateUrl(metadata.redirect_uris[ri], allowHttp,
+        "metadata.redirect_uris[" + ri + "]");
+    }
     var endpoint;
     try { endpoint = await _resolveEndpoint("registrationEndpoint"); }
     catch (_e) {
@@ -1566,8 +1752,24 @@ function create(opts) {
       throw new OAuthError("auth-oauth/bad-device-code",
         "pollDeviceCode: deviceCode must be a non-empty string");
     }
+    // RFC 8628 §3.4 — device_code is server-generated and opaque to the
+    // client, but the polling loop POSTs it on every iteration. Without
+    // a length cap an attacker who controls the device_code source
+    // (e.g. a hostile AS in a CIBA-style misconfig) can amplify the
+    // outbound HTTP body across N polls. The 8 KiB cap matches RFC 8628
+    // §6.1's "alphanumeric with sufficient entropy" — even base64url
+    // 512-bit codes fit comfortably.
+    if (deviceCode.length > MAX_DEVICE_CODE_BYTES) {
+      throw new OAuthError("auth-oauth/device-code-too-large",
+        "pollDeviceCode: deviceCode exceeds " + MAX_DEVICE_CODE_BYTES + " bytes " +
+        "(RFC 8628 §3.4 — opaque server-generated code, no legitimate need for length above the cap)");
+    }
     var endpoint = await _resolveEndpoint("tokenEndpoint");
-    var interval = Math.max(1, popts.interval || 5);
+    // RFC 8628 §3.4 — "If no value is provided, clients MUST use 5 as
+    // the default" and §3.5 directs clients to use slow_down responses
+    // to extend the interval. A 1s floor violates the spec's "5
+    // RECOMMENDED" and amplifies AS load. Enforce 5s minimum.
+    var interval = Math.max(MIN_DEVICE_POLL_INTERVAL_SEC, popts.interval || MIN_DEVICE_POLL_INTERVAL_SEC);
     var deadline = Date.now() + (popts.maxWaitMs || C.TIME.minutes(10));
     while (Date.now() < deadline) {
       var body = new URLSearchParams();
@@ -1656,6 +1858,26 @@ function create(opts) {
       throw new OAuthError("auth-oauth/bad-exchange",
         "exchangeToken: opts.subjectTokenType required (RFC 8693 §3 URN)");
     }
+    // RFC 8693 §3 — the token-type URN identifies the requested format
+    // (access_token / refresh_token / id_token / saml2 / saml1 / jwt).
+    // Pre-v0.9.x accepted any string, which let an attacker-controlled
+    // service or operator-mistyped value reach the AS verbatim. Refuse
+    // anything outside the RFC 8693 §3 list unless the operator
+    // explicitly opts in via { allowCustomTokenType: true } with a
+    // documented downstream contract.
+    if (RFC_8693_TOKEN_TYPES.indexOf(xopts.subjectTokenType) === -1 &&
+        xopts.allowCustomTokenType !== true) {
+      throw new OAuthError("auth-oauth/bad-subject-token-type",
+        "exchangeToken: subjectTokenType '" + xopts.subjectTokenType + "' not in RFC 8693 §3 " +
+        "(allowed: " + RFC_8693_TOKEN_TYPES.join(", ") + "); pass `allowCustomTokenType: true` " +
+        "to accept operator-defined URNs");
+    }
+    if (xopts.actorTokenType &&
+        RFC_8693_TOKEN_TYPES.indexOf(xopts.actorTokenType) === -1 &&
+        xopts.allowCustomTokenType !== true) {
+      throw new OAuthError("auth-oauth/bad-actor-token-type",
+        "exchangeToken: actorTokenType '" + xopts.actorTokenType + "' not in RFC 8693 §3");
+    }
     var endpoint = await _resolveEndpoint("tokenEndpoint");
     var body = new URLSearchParams();
     body.set("grant_type",           "urn:ietf:params:oauth:grant-type:token-exchange");

package/lib/auth/oid4vci.js

@@ -55,6 +55,10 @@ var validateOpts = require("../validate-opts");
 var safeJson     = require("../safe-json");
 var nodeCrypto   = require("node:crypto");
 var { generateToken, sha3Hash, timingSafeEqual } = require("../crypto");
+// Shared JOSE defenses (CVE-2026-22817 alg/kty cross-check). Top-of-
+// file per project convention §3; no circular load — jwt-external
+// requires nothing from oid4vci.
+var jwtExternal  = require("./jwt-external");
 var { AuthError } = require("../framework-error");
 
 var cache       = lazyRequire(function () { return require("../cache"); });
@@ -75,7 +79,7 @@ function _b64uDecodeStr(s) {
   return Buffer.from(s, "base64url").toString("utf8");
 }
 
-function _verifyProofJwt(proofJwt, expectedAud, expectedCNonce, expectedClientId, supportedAlgs) {
+function _verifyProofJwt(proofJwt, expectedAud, expectedCNonce, expectedClientId, supportedAlgs, proofMaxAgeMs) {
   // OID4VCI §7.2.1.1: the proof JWT MUST:
   //   - typ = "openid4vci-proof+jwt"
   //   - alg in supported list (issuer publishes these)
@@ -104,9 +108,23 @@ function _verifyProofJwt(proofJwt, expectedAud, expectedCNonce, expectedClientId
     throw new AuthError("auth-oid4vci/wrong-proof-typ",
       "credential issuance: proof JWT typ must be \"openid4vci-proof+jwt\" (got \"" + header.typ + "\")");
   }
+  // CVE-2026-23993 — refuse unknown / unsupported alg BEFORE any
+  // verify-side work. The supportedAlgs list is the issuer's posture;
+  // refusing here mirrors the discipline in oauth.verifyIdToken /
+  // jwt-external.verifyExternal.
   if (!header.alg || supportedAlgs.indexOf(header.alg) === -1) {
     throw new AuthError("auth-oid4vci/unsupported-proof-alg",
-      "credential issuance: proof JWT alg \"" + header.alg + "\" not in issuer-supported set");
+      "credential issuance: proof JWT alg \"" + header.alg + "\" not in issuer-supported set " +
+      "(CVE-2026-23993 — refused before key lookup)");
+  }
+  // AUTH-5 / RFC 7515 §4.1.11 — refuse non-empty `crit`. Pre-v0.9.x
+  // silently ignored, letting an attacker-controlled wallet declare
+  // critical extensions the verifier doesn't understand.
+  if (header.crit !== undefined && header.crit !== null) {
+    if (!Array.isArray(header.crit) || header.crit.length > 0) {
+      throw new AuthError("auth-oid4vci/unknown-crit",
+        "credential issuance: proof JWT carries non-empty 'crit' header — refused per RFC 7515 §4.1.11");
+    }
   }
   if (!header.jwk && !header.kid && !header.x5c) {
     throw new AuthError("auth-oid4vci/no-key-in-proof",
@@ -129,14 +147,24 @@ function _verifyProofJwt(proofJwt, expectedAud, expectedCNonce, expectedClientId
     throw new AuthError("auth-oid4vci/no-proof-iat",
       "credential issuance: proof JWT must include iat");
   }
-  var nowSec = Math.floor(Date.now() / 1000);                                                   // allow:raw-byte-literal — ms→s
-  if (payload.iat > nowSec + 60) {                                                              // allow:raw-time-literal — 60s skew tolerance
+  var nowSec = Math.floor(Date.now() / C.TIME.seconds(1));
+  // AUTH-34 — use C.TIME for the 60s skew tolerance rather than a bare
+  // 60 literal; matches the framework's constants discipline.
+  var iatSkewSec = C.TIME.seconds(60) / C.TIME.seconds(1);
+  if (payload.iat > nowSec + iatSkewSec) {
     throw new AuthError("auth-oid4vci/proof-iat-future",
       "credential issuance: proof JWT iat is in the future");
   }
-  if (payload.iat < nowSec - Math.floor(C.TIME.minutes(10) / 1000)) {                            // allow:raw-byte-literal — ms→s
+  // AUTH-26 — operator-tunable proof max-age. Default 10 minutes per
+  // OID4VCI §7.2.1.1; operators with longer-lived wallet flows raise.
+  var effectiveMaxAgeMs = (typeof proofMaxAgeMs === "number" && isFinite(proofMaxAgeMs) && proofMaxAgeMs > 0)
+    ? proofMaxAgeMs
+    : C.TIME.minutes(10);
+  if (payload.iat < nowSec - Math.floor(effectiveMaxAgeMs / C.TIME.seconds(1))) {
     throw new AuthError("auth-oid4vci/proof-iat-too-old",
-      "credential issuance: proof JWT iat older than 10 minutes — wallet must mint a fresh proof");
+      "credential issuance: proof JWT iat older than " +
+      Math.floor(effectiveMaxAgeMs / C.TIME.seconds(1)) +
+      " seconds — wallet must mint a fresh proof");
   }
   if (expectedClientId && payload.iss && payload.iss !== expectedClientId) {
     throw new AuthError("auth-oid4vci/wrong-proof-iss",
@@ -155,6 +183,12 @@ function _verifyProofJwt(proofJwt, expectedAud, expectedCNonce, expectedClientId
     throw new AuthError("auth-oid4vci/no-jwk-in-header",
       "credential issuance: proof JWT must carry `jwk` for inline holder-key binding");
   }
+  // CVE-2026-22817 — cross-check alg/kty before importing the holder
+  // JWK. Without this an attacker-controlled `alg: "HS256"` against an
+  // RSA holder JWK would have node:crypto.verify treat the RSA public
+  // key as an HMAC secret. Routed through the shared helper so every
+  // JWT verifier in the framework enforces the same check.
+  jwtExternal._assertAlgKtyMatch(header.alg, holderKeyJwk);
   var keyObj;
   try { keyObj = nodeCrypto.createPublicKey({ key: holderKeyJwk, format: "jwk" }); }
   catch (e) {
@@ -270,6 +304,18 @@ function create(opts) {
   var preAuthTtl = opts.preAuthCodeTtlMs || DEFAULT_PRE_AUTH_TTL_MS;
   var accessTokenTtl = opts.accessTokenTtlMs || DEFAULT_ACCESS_TOKEN_TTL;
   var cNonceTtl = opts.cNonceTtlMs || DEFAULT_C_NONCE_TTL_MS;
+  // AUTH-26 — operator-tunable proof iat-too-old window. Default 10
+  // minutes per OID4VCI §7.2.1.1.
+  var proofMaxAgeMs = (typeof opts.proofMaxAgeMs === "number" && isFinite(opts.proofMaxAgeMs) && opts.proofMaxAgeMs > 0)
+    ? opts.proofMaxAgeMs
+    : C.TIME.minutes(10);
+  // AUTH-6 — access-token single-use. OID4VCI §7's credential endpoint
+  // does NOT inherently make the access token single-use; pre-v0.9.x
+  // c_nonce rotation alone defended against proof replay, but a stolen
+  // access token combined with a fresh proof could re-mint
+  // credentials. Default true; operators with batch_credential flows
+  // that need access-token reuse opt out with an audited reason.
+  var accessTokenSingleUse = opts.accessTokenSingleUse !== false;
 
   var codeStore = opts.codeStore || cache().create({
     namespace: "auth.oid4vci.preauth", ttlMs: preAuthTtl,
@@ -508,7 +554,7 @@ function create(opts) {
     }
 
     var expectedCNonce = await cNonceStore.get(iopts.accessToken);
-    var verified = _verifyProofJwt(iopts.proof, opts.credentialIssuerUrl, expectedCNonce, null, proofAlgs);
+    var verified = _verifyProofJwt(iopts.proof, opts.credentialIssuerUrl, expectedCNonce, null, proofAlgs, proofMaxAgeMs);
 
     if (!iopts.claims || typeof iopts.claims !== "object") {
       throw new AuthError("auth-oid4vci/no-claims",
@@ -528,6 +574,20 @@ function create(opts) {
     var newCNonce = generateToken(16);                                                           // allow:raw-byte-literal — 128-bit c_nonce
     await cNonceStore.set(iopts.accessToken, newCNonce);
 
+    // AUTH-6 — when single-use is on (default), DELETE the access token
+    // after successful credential mint. A stolen access token paired
+    // with a fresh proof would otherwise re-mint credentials; the
+    // c_nonce rotation alone defends against proof replay but not
+    // against an attacker who exfiltrated the access token. The
+    // accompanying c_nonce entry expires with its TTL; deleting it
+    // explicitly tightens cleanup.
+    if (accessTokenSingleUse) {
+      try {
+        await atStore.delete(iopts.accessToken);
+        await cNonceStore.delete(iopts.accessToken);
+      } catch (_e) { /* drop-silent — cleanup is best-effort */ }
+    }
+
     _emitAudit("credential_issued", "success", {
       subject:              record.subject,
       credentialIdentifier: iopts.credentialIdentifier,