npm - @deque/axe-auth - Versions diffs - 1.1.0-next.73fce274 → 1.1.0-next.74c778ee - Mend

@deque/axe-auth 1.1.0-next.73fce274 → 1.1.0-next.74c778ee

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/oauth/discoverOIDC.js +31 -1
package/dist/oauth/refreshTokens.js +2 -0
package/dist/oauth/revokeToken.js +5 -1
package/dist/oauth/tokenExchange.js +2 -0
package/dist/userAgent.d.ts +12 -0
package/dist/userAgent.js +18 -0
package/package.json +1 -1

package/dist/oauth/discoverOIDC.js CHANGED Viewed

@@ -4,6 +4,7 @@ exports.discoverOIDC = discoverOIDC;
 const errors_1 = require("./errors");
 const issuerURL_1 = require("./issuerURL");
 const predicates_1 = require("./predicates");
+const userAgent_1 = require("../userAgent");
 const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);
 function optionalString(v) {
     return (0, predicates_1.isNonEmptyString)(v) ? v : undefined;
@@ -69,6 +70,31 @@ function parseConfiguration(body, url) {
         endSessionEndpoint: optionalString(body.end_session_endpoint),
     };
 }
+/**
+ * `code_challenge_methods_supported` is OPTIONAL in OIDC discovery, so its
+ * absence proves nothing — older providers may support PKCE without
+ * advertising it. But when the list IS present and does not include
+ * `S256` (the only method this CLI uses, per RFC 7636), the server has
+ * explicitly declared it does not support the flow we need. Fail fast
+ * with an actionable message instead of letting the user hit a generic
+ * OAuth error several steps deeper into the flow.
+ *
+ * An empty list (`[]`) is treated the same as a populated list missing
+ * `S256`: the server has explicitly advertised zero supported methods,
+ * which is incompatible.
+ *
+ * Called from `discoverOIDC` after issuer verification so that a
+ * tampered discovery doc surfaces the more security-critical issuer
+ * mismatch first.
+ */
+function assertPKCESupport(body, url) {
+    const methods = body.code_challenge_methods_supported;
+    if (!Array.isArray(methods))
+        return;
+    if (methods.includes("S256"))
+        return;
+    throw new errors_1.OAuthFlowError("DISCOVERY_FAILED", `OpenID configuration at ${url} advertises code_challenge_methods_supported = ${JSON.stringify(methods)}, but axe-auth requires S256 (PKCE per RFC 7636). The OAuth client used by axe-auth needs PKCE enabled, or you may be on an axe server version that predates OAuth-based MCP authentication.`);
+}
 /**
  * Fetches and parses the OpenID Connect discovery document for a given
  * issuer. Fails fast (no retry) so the caller does not open a browser
@@ -98,7 +124,10 @@ async function discoverOIDC(issuerURL, options = {}) {
     const url = buildDiscoveryURL(issuerURL);
     let response;
     try {
-        response = await fetch(url, { signal: options.signal });
+        response = await fetch(url, {
+            headers: { "User-Agent": userAgent_1.USER_AGENT },
+            signal: options.signal,
+        });
     }
     catch (cause) {
         throw new errors_1.OAuthFlowError("DISCOVERY_FAILED", `Could not reach the authentication server at ${url}. Check the URL and your network connection.`, { cause });
@@ -139,5 +168,6 @@ async function discoverOIDC(issuerURL, options = {}) {
     if (config.endSessionEndpoint) {
         assertSecureURL(config.endSessionEndpoint, "end_session_endpoint", allowInsecure);
     }
+    assertPKCESupport(body, url);
     return config;
 }

package/dist/oauth/refreshTokens.js CHANGED Viewed

@@ -3,6 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.refreshTokens = refreshTokens;
 const errors_1 = require("./errors");
 const tokenResponse_1 = require("./tokenResponse");
+const userAgent_1 = require("../userAgent");
 /**
  * Exchanges a refresh token for a fresh access token via RFC 6749 §6.
  *
@@ -39,6 +40,7 @@ async function refreshTokens(options) {
             headers: {
                 "Content-Type": "application/x-www-form-urlencoded",
                 Accept: "application/json",
+                "User-Agent": userAgent_1.USER_AGENT,
             },
             body,
             signal: options.signal,

package/dist/oauth/revokeToken.js CHANGED Viewed

@@ -1,6 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.revokeRefreshToken = revokeRefreshToken;
+const userAgent_1 = require("../userAgent");
 /**
  * Revokes a refresh token via RFC 7009. Servers SHOULD return 200
  * regardless of whether the token was valid (the spec doesn't want
@@ -27,7 +28,10 @@ async function revokeRefreshToken(options) {
     try {
         response = await fetch(options.revocationEndpoint, {
             method: "POST",
-            headers: { "Content-Type": "application/x-www-form-urlencoded" },
+            headers: {
+                "Content-Type": "application/x-www-form-urlencoded",
+                "User-Agent": userAgent_1.USER_AGENT,
+            },
             body,
             signal: options.signal,
         });

package/dist/oauth/tokenExchange.js CHANGED Viewed

@@ -3,6 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.exchangeCodeForTokens = exchangeCodeForTokens;
 const errors_1 = require("./errors");
 const tokenResponse_1 = require("./tokenResponse");
+const userAgent_1 = require("../userAgent");
 /**
  * Exchanges an authorization code for a `TokenSet` via the
  * authorization server's token endpoint (RFC 6749 §4.1.3 + RFC 7636
@@ -27,6 +28,7 @@ async function exchangeCodeForTokens(options) {
             headers: {
                 "Content-Type": "application/x-www-form-urlencoded",
                 Accept: "application/json",
+                "User-Agent": userAgent_1.USER_AGENT,
             },
             body,
             signal: options.signal,

package/dist/userAgent.d.ts ADDED Viewed

@@ -0,0 +1,12 @@
+/**
+ * `User-Agent` header value sent on all outbound requests, per
+ * Service Development Standards §4.4.
+ *
+ * Format: `axe-auth/v<package-version>` (e.g. `axe-auth/v1.0.2`).
+ *
+ * The npm scope (`@deque/`) is deliberately omitted from the wire format:
+ * `@` and `/` are not valid `tchar` per RFC 9110 §5.6.2, so a token like
+ * `@deque/axe-auth` would make the User-Agent malformed and risk WAF
+ * rejection (e.g. OWASP CRS rule 920330).
+ */
+export declare const USER_AGENT: string;

package/dist/userAgent.js ADDED Viewed

@@ -0,0 +1,18 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.USER_AGENT = void 0;
+const node_fs_1 = require("node:fs");
+const node_path_1 = require("node:path");
+const pkg = JSON.parse((0, node_fs_1.readFileSync)((0, node_path_1.join)(__dirname, "..", "package.json"), "utf-8"));
+/**
+ * `User-Agent` header value sent on all outbound requests, per
+ * Service Development Standards §4.4.
+ *
+ * Format: `axe-auth/v<package-version>` (e.g. `axe-auth/v1.0.2`).
+ *
+ * The npm scope (`@deque/`) is deliberately omitted from the wire format:
+ * `@` and `/` are not valid `tchar` per RFC 9110 §5.6.2, so a token like
+ * `@deque/axe-auth` would make the User-Agent malformed and risk WAF
+ * rejection (e.g. OWASP CRS rule 920330).
+ */
+exports.USER_AGENT = `axe-auth/v${pkg.version}`;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@deque/axe-auth",
-  "version": "1.1.0-next.73fce274",
+  "version": "1.1.0-next.74c778ee",
   "description": "CLI authentication utility for Deque services",
   "license": "SEE LICENSE IN LICENSE",
   "type": "commonjs",