@nocobase/plugin-idp-oauth 2.1.0-alpha.17 → 2.1.0-alpha.19

package/dist/node_modules/undici/lib/web/infra/index.js

@@ -0,0 +1,229 @@
+'use strict'
+
+const assert = require('node:assert')
+const { utf8DecodeBytes } = require('../../encoding')
+
+/**
+ * @param {(char: string) => boolean} condition
+ * @param {string} input
+ * @param {{ position: number }} position
+ * @returns {string}
+ *
+ * @see https://infra.spec.whatwg.org/#collect-a-sequence-of-code-points
+ */
+function collectASequenceOfCodePoints (condition, input, position) {
+  // 1. Let result be the empty string.
+  let result = ''
+
+  // 2. While position doesn’t point past the end of input and the
+  // code point at position within input meets the condition condition:
+  while (position.position < input.length && condition(input[position.position])) {
+    // 1. Append that code point to the end of result.
+    result += input[position.position]
+
+    // 2. Advance position by 1.
+    position.position++
+  }
+
+  // 3. Return result.
+  return result
+}
+
+/**
+ * A faster collectASequenceOfCodePoints that only works when comparing a single character.
+ * @param {string} char
+ * @param {string} input
+ * @param {{ position: number }} position
+ * @returns {string}
+ *
+ * @see https://infra.spec.whatwg.org/#collect-a-sequence-of-code-points
+ */
+function collectASequenceOfCodePointsFast (char, input, position) {
+  const idx = input.indexOf(char, position.position)
+  const start = position.position
+
+  if (idx === -1) {
+    position.position = input.length
+    return input.slice(start)
+  }
+
+  position.position = idx
+  return input.slice(start, position.position)
+}
+
+const ASCII_WHITESPACE_REPLACE_REGEX = /[\u0009\u000A\u000C\u000D\u0020]/g // eslint-disable-line no-control-regex
+
+/**
+ * @param {string} data
+ * @returns {Uint8Array | 'failure'}
+ *
+ * @see https://infra.spec.whatwg.org/#forgiving-base64-decode
+ */
+function forgivingBase64 (data) {
+  // 1. Remove all ASCII whitespace from data.
+  data = data.replace(ASCII_WHITESPACE_REPLACE_REGEX, '')
+
+  let dataLength = data.length
+  // 2. If data’s code point length divides by 4 leaving
+  // no remainder, then:
+  if (dataLength % 4 === 0) {
+    // 1. If data ends with one or two U+003D (=) code points,
+    // then remove them from data.
+    if (data.charCodeAt(dataLength - 1) === 0x003D) {
+      --dataLength
+      if (data.charCodeAt(dataLength - 1) === 0x003D) {
+        --dataLength
+      }
+    }
+  }
+
+  // 3. If data’s code point length divides by 4 leaving
+  // a remainder of 1, then return failure.
+  if (dataLength % 4 === 1) {
+    return 'failure'
+  }
+
+  // 4. If data contains a code point that is not one of
+  //  U+002B (+)
+  //  U+002F (/)
+  //  ASCII alphanumeric
+  // then return failure.
+  if (/[^+/0-9A-Za-z]/.test(data.length === dataLength ? data : data.substring(0, dataLength))) {
+    return 'failure'
+  }
+
+  const buffer = Buffer.from(data, 'base64')
+  return new Uint8Array(buffer.buffer, buffer.byteOffset, buffer.byteLength)
+}
+
+/**
+ * @param {number} char
+ * @returns {boolean}
+ *
+ * @see https://infra.spec.whatwg.org/#ascii-whitespace
+ */
+function isASCIIWhitespace (char) {
+  return (
+    char === 0x09 || // \t
+    char === 0x0a || // \n
+    char === 0x0c || // \f
+    char === 0x0d || // \r
+    char === 0x20    // space
+  )
+}
+
+/**
+ * @param {Uint8Array} input
+ * @returns {string}
+ *
+ * @see https://infra.spec.whatwg.org/#isomorphic-decode
+ */
+function isomorphicDecode (input) {
+  // 1. To isomorphic decode a byte sequence input, return a string whose code point
+  //    length is equal to input’s length and whose code points have the same values
+  //    as the values of input’s bytes, in the same order.
+  const length = input.length
+  if ((2 << 15) - 1 > length) {
+    return String.fromCharCode.apply(null, input)
+  }
+  let result = ''
+  let i = 0
+  let addition = (2 << 15) - 1
+  while (i < length) {
+    if (i + addition > length) {
+      addition = length - i
+    }
+    result += String.fromCharCode.apply(null, input.subarray(i, i += addition))
+  }
+  return result
+}
+
+const invalidIsomorphicEncodeValueRegex = /[^\x00-\xFF]/ // eslint-disable-line no-control-regex
+
+/**
+ * @param {string} input
+ * @returns {string}
+ *
+ * @see https://infra.spec.whatwg.org/#isomorphic-encode
+ */
+function isomorphicEncode (input) {
+  // 1. Assert: input contains no code points greater than U+00FF.
+  assert(!invalidIsomorphicEncodeValueRegex.test(input))
+
+  // 2. Return a byte sequence whose length is equal to input’s code
+  //    point length and whose bytes have the same values as the
+  //    values of input’s code points, in the same order
+  return input
+}
+
+/**
+ * @see https://infra.spec.whatwg.org/#parse-json-bytes-to-a-javascript-value
+ * @param {Uint8Array} bytes
+ */
+function parseJSONFromBytes (bytes) {
+  return JSON.parse(utf8DecodeBytes(bytes))
+}
+
+/**
+ * @param {string} str
+ * @param {boolean} [leading=true]
+ * @param {boolean} [trailing=true]
+ * @returns {string}
+ *
+ * @see https://infra.spec.whatwg.org/#strip-leading-and-trailing-ascii-whitespace
+ */
+function removeASCIIWhitespace (str, leading = true, trailing = true) {
+  return removeChars(str, leading, trailing, isASCIIWhitespace)
+}
+
+/**
+ * @param {string} str
+ * @param {boolean} leading
+ * @param {boolean} trailing
+ * @param {(charCode: number) => boolean} predicate
+ * @returns {string}
+ */
+function removeChars (str, leading, trailing, predicate) {
+  let lead = 0
+  let trail = str.length - 1
+
+  if (leading) {
+    while (lead < str.length && predicate(str.charCodeAt(lead))) lead++
+  }
+
+  if (trailing) {
+    while (trail > 0 && predicate(str.charCodeAt(trail))) trail--
+  }
+
+  return lead === 0 && trail === str.length - 1 ? str : str.slice(lead, trail + 1)
+}
+
+// https://infra.spec.whatwg.org/#serialize-a-javascript-value-to-a-json-string
+function serializeJavascriptValueToJSONString (value) {
+  // 1. Let result be ? Call(%JSON.stringify%, undefined, « value »).
+  const result = JSON.stringify(value)
+
+  // 2. If result is undefined, then throw a TypeError.
+  if (result === undefined) {
+    throw new TypeError('Value is not JSON serializable')
+  }
+
+  // 3. Assert: result is a string.
+  assert(typeof result === 'string')
+
+  // 4. Return result.
+  return result
+}
+
+module.exports = {
+  collectASequenceOfCodePoints,
+  collectASequenceOfCodePointsFast,
+  forgivingBase64,
+  isASCIIWhitespace,
+  isomorphicDecode,
+  isomorphicEncode,
+  parseJSONFromBytes,
+  removeASCIIWhitespace,
+  removeChars,
+  serializeJavascriptValueToJSONString
+}

package/dist/node_modules/undici/lib/web/subresource-integrity/Readme.md

@@ -0,0 +1,9 @@
+# Subresource Integrity
+
+based on Editor’s Draft, 12 June 2025
+
+This module provides support for Subresource Integrity (SRI) in the context of web fetch operations. SRI is a security feature that allows clients to verify that fetched resources are delivered without unexpected manipulation.
+
+## Links
+
+- [Subresource Integrity](https://w3c.github.io/webappsec-subresource-integrity/)

package/dist/node_modules/undici/lib/web/subresource-integrity/subresource-integrity.js

@@ -0,0 +1,307 @@
+'use strict'
+
+const assert = require('node:assert')
+const { runtimeFeatures } = require('../../util/runtime-features.js')
+
+/**
+ * @typedef {object} Metadata
+ * @property {SRIHashAlgorithm} alg - The algorithm used for the hash.
+ * @property {string} val - The base64-encoded hash value.
+ */
+
+/**
+ * @typedef {Metadata[]} MetadataList
+ */
+
+/**
+ * @typedef {('sha256' | 'sha384' | 'sha512')} SRIHashAlgorithm
+ */
+
+/**
+ * @type {Map<SRIHashAlgorithm, number>}
+ *
+ * The valid SRI hash algorithm token set is the ordered set « "sha256",
+ * "sha384", "sha512" » (corresponding to SHA-256, SHA-384, and SHA-512
+ * respectively). The ordering of this set is meaningful, with stronger
+ * algorithms appearing later in the set.
+ *
+ * @see https://w3c.github.io/webappsec-subresource-integrity/#valid-sri-hash-algorithm-token-set
+ */
+const validSRIHashAlgorithmTokenSet = new Map([['sha256', 0], ['sha384', 1], ['sha512', 2]])
+
+// https://nodejs.org/api/crypto.html#determining-if-crypto-support-is-unavailable
+/** @type {import('node:crypto')} */
+let crypto
+
+if (runtimeFeatures.has('crypto')) {
+  crypto = require('node:crypto')
+  const cryptoHashes = crypto.getHashes()
+
+  // If no hashes are available, we cannot support SRI.
+  if (cryptoHashes.length === 0) {
+    validSRIHashAlgorithmTokenSet.clear()
+  }
+
+  for (const algorithm of validSRIHashAlgorithmTokenSet.keys()) {
+    // If the algorithm is not supported, remove it from the list.
+    if (cryptoHashes.includes(algorithm) === false) {
+      validSRIHashAlgorithmTokenSet.delete(algorithm)
+    }
+  }
+} else {
+  // If crypto is not available, we cannot support SRI.
+  validSRIHashAlgorithmTokenSet.clear()
+}
+
+/**
+ * @typedef GetSRIHashAlgorithmIndex
+ * @type {(algorithm: SRIHashAlgorithm) => number}
+ * @param {SRIHashAlgorithm} algorithm
+ * @returns {number} The index of the algorithm in the valid SRI hash algorithm
+ * token set.
+ */
+
+const getSRIHashAlgorithmIndex = /** @type {GetSRIHashAlgorithmIndex} */ (Map.prototype.get.bind(
+  validSRIHashAlgorithmTokenSet))
+
+/**
+ * @typedef IsValidSRIHashAlgorithm
+ * @type {(algorithm: string) => algorithm is SRIHashAlgorithm}
+ * @param {*} algorithm
+ * @returns {algorithm is SRIHashAlgorithm}
+ */
+
+const isValidSRIHashAlgorithm = /** @type {IsValidSRIHashAlgorithm} */ (
+  Map.prototype.has.bind(validSRIHashAlgorithmTokenSet)
+)
+
+/**
+ * @param {Uint8Array} bytes
+ * @param {string} metadataList
+ * @returns {boolean}
+ *
+ * @see https://w3c.github.io/webappsec-subresource-integrity/#does-response-match-metadatalist
+ */
+const bytesMatch = runtimeFeatures.has('crypto') === false || validSRIHashAlgorithmTokenSet.size === 0
+  // If node is not built with OpenSSL support, we cannot check
+  // a request's integrity, so allow it by default (the spec will
+  // allow requests if an invalid hash is given, as precedence).
+  ? () => true
+  : (bytes, metadataList) => {
+    // 1. Let parsedMetadata be the result of parsing metadataList.
+      const parsedMetadata = parseMetadata(metadataList)
+
+      // 2. If parsedMetadata is empty set, return true.
+      if (parsedMetadata.length === 0) {
+        return true
+      }
+
+      // 3. Let metadata be the result of getting the strongest
+      //    metadata from parsedMetadata.
+      const metadata = getStrongestMetadata(parsedMetadata)
+
+      // 4. For each item in metadata:
+      for (const item of metadata) {
+      // 1. Let algorithm be the item["alg"].
+        const algorithm = item.alg
+
+        // 2. Let expectedValue be the item["val"].
+        const expectedValue = item.val
+
+        // See https://github.com/web-platform-tests/wpt/commit/e4c5cc7a5e48093220528dfdd1c4012dc3837a0e
+        // "be liberal with padding". This is annoying, and it's not even in the spec.
+
+        // 3. Let actualValue be the result of applying algorithm to bytes .
+        const actualValue = applyAlgorithmToBytes(algorithm, bytes)
+
+        // 4. If actualValue is a case-sensitive match for expectedValue,
+        //    return true.
+        if (caseSensitiveMatch(actualValue, expectedValue)) {
+          return true
+        }
+      }
+
+      // 5. Return false.
+      return false
+    }
+
+/**
+ * @param {MetadataList} metadataList
+ * @returns {MetadataList} The strongest hash algorithm from the metadata list.
+ */
+function getStrongestMetadata (metadataList) {
+  // 1. Let result be the empty set and strongest be the empty string.
+  const result = []
+  /** @type {Metadata|null} */
+  let strongest = null
+
+  // 2. For each item in set:
+  for (const item of metadataList) {
+    // 1. Assert: item["alg"] is a valid SRI hash algorithm token.
+    assert(isValidSRIHashAlgorithm(item.alg), 'Invalid SRI hash algorithm token')
+
+    // 2. If result is the empty set, then:
+    if (result.length === 0) {
+      // 1. Append item to result.
+      result.push(item)
+
+      // 2. Set strongest to item.
+      strongest = item
+
+      // 3. Continue.
+      continue
+    }
+
+    // 3. Let currentAlgorithm be strongest["alg"], and currentAlgorithmIndex be
+    // the index of currentAlgorithm in the valid SRI hash algorithm token set.
+    const currentAlgorithm = /** @type {Metadata} */ (strongest).alg
+    const currentAlgorithmIndex = getSRIHashAlgorithmIndex(currentAlgorithm)
+
+    // 4. Let newAlgorithm be the item["alg"], and newAlgorithmIndex be the
+    // index of newAlgorithm in the valid SRI hash algorithm token set.
+    const newAlgorithm = item.alg
+    const newAlgorithmIndex = getSRIHashAlgorithmIndex(newAlgorithm)
+
+    // 5. If newAlgorithmIndex is less than currentAlgorithmIndex, then continue.
+    if (newAlgorithmIndex < currentAlgorithmIndex) {
+      continue
+
+    // 6. Otherwise, if newAlgorithmIndex is greater than
+    // currentAlgorithmIndex:
+    } else if (newAlgorithmIndex > currentAlgorithmIndex) {
+      // 1. Set strongest to item.
+      strongest = item
+
+      // 2. Set result to « item ».
+      result[0] = item
+      result.length = 1
+
+    // 7. Otherwise, newAlgorithmIndex and currentAlgorithmIndex are the same
+    // value. Append item to result.
+    } else {
+      result.push(item)
+    }
+  }
+
+  // 3. Return result.
+  return result
+}
+
+/**
+ * @param {string} metadata
+ * @returns {MetadataList}
+ *
+ * @see https://w3c.github.io/webappsec-subresource-integrity/#parse-metadata
+ */
+function parseMetadata (metadata) {
+  // 1. Let result be the empty set.
+  /** @type {MetadataList} */
+  const result = []
+
+  // 2. For each item returned by splitting metadata on spaces:
+  for (const item of metadata.split(' ')) {
+    // 1. Let expression-and-options be the result of splitting item on U+003F (?).
+    const expressionAndOptions = item.split('?', 1)
+
+    // 2. Let algorithm-expression be expression-and-options[0].
+    const algorithmExpression = expressionAndOptions[0]
+
+    // 3. Let base64-value be the empty string.
+    let base64Value = ''
+
+    // 4. Let algorithm-and-value be the result of splitting algorithm-expression on U+002D (-).
+    const algorithmAndValue = [algorithmExpression.slice(0, 6), algorithmExpression.slice(7)]
+
+    // 5. Let algorithm be algorithm-and-value[0].
+    const algorithm = algorithmAndValue[0]
+
+    // 6. If algorithm is not a valid SRI hash algorithm token, then continue.
+    if (!isValidSRIHashAlgorithm(algorithm)) {
+      continue
+    }
+
+    // 7. If algorithm-and-value[1] exists, set base64-value to
+    // algorithm-and-value[1].
+    if (algorithmAndValue[1]) {
+      base64Value = algorithmAndValue[1]
+    }
+
+    // 8. Let metadata be the ordered map
+    // «["alg" → algorithm, "val" → base64-value]».
+    const metadata = {
+      alg: algorithm,
+      val: base64Value
+    }
+
+    // 9. Append metadata to result.
+    result.push(metadata)
+  }
+
+  // 3. Return result.
+  return result
+}
+
+/**
+ * Applies the specified hash algorithm to the given bytes
+ *
+ * @typedef {(algorithm: SRIHashAlgorithm, bytes: Uint8Array) => string} ApplyAlgorithmToBytes
+ * @param {SRIHashAlgorithm} algorithm
+ * @param {Uint8Array} bytes
+ * @returns {string}
+ */
+const applyAlgorithmToBytes = (algorithm, bytes) => {
+  return crypto.hash(algorithm, bytes, 'base64')
+}
+
+/**
+ * Compares two base64 strings, allowing for base64url
+ * in the second string.
+ *
+ * @param {string} actualValue base64 encoded string
+ * @param {string} expectedValue base64 or base64url encoded string
+ * @returns {boolean}
+ */
+function caseSensitiveMatch (actualValue, expectedValue) {
+  // Ignore padding characters from the end of the strings by
+  // decreasing the length by 1 or 2 if the last characters are `=`.
+  let actualValueLength = actualValue.length
+  if (actualValueLength !== 0 && actualValue[actualValueLength - 1] === '=') {
+    actualValueLength -= 1
+  }
+  if (actualValueLength !== 0 && actualValue[actualValueLength - 1] === '=') {
+    actualValueLength -= 1
+  }
+  let expectedValueLength = expectedValue.length
+  if (expectedValueLength !== 0 && expectedValue[expectedValueLength - 1] === '=') {
+    expectedValueLength -= 1
+  }
+  if (expectedValueLength !== 0 && expectedValue[expectedValueLength - 1] === '=') {
+    expectedValueLength -= 1
+  }
+
+  if (actualValueLength !== expectedValueLength) {
+    return false
+  }
+
+  for (let i = 0; i < actualValueLength; ++i) {
+    if (
+      actualValue[i] === expectedValue[i] ||
+      (actualValue[i] === '+' && expectedValue[i] === '-') ||
+      (actualValue[i] === '/' && expectedValue[i] === '_')
+    ) {
+      continue
+    }
+    return false
+  }
+
+  return true
+}
+
+module.exports = {
+  applyAlgorithmToBytes,
+  bytesMatch,
+  caseSensitiveMatch,
+  isValidSRIHashAlgorithm,
+  getStrongestMetadata,
+  parseMetadata
+}