npm - @openstax/ts-utils - Versions diffs - 1.39.0 → 1.39.1 - Mend

@openstax/ts-utils 1.39.0 → 1.39.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/cjs/services/httpMessageVerifier/index.js +50 -10
package/dist/cjs/tsconfig.without-specs.cjs.tsbuildinfo +1 -1
package/dist/esm/services/httpMessageVerifier/index.js +50 -10
package/dist/esm/tsconfig.without-specs.esm.tsbuildinfo +1 -1
package/package.json +2 -1

package/dist/cjs/services/httpMessageVerifier/index.js CHANGED Viewed

@@ -5,6 +5,7 @@ exports.createHttpMessageVerifier = void 0;
 const crypto_1 = require("crypto");
 const http_message_signatures_1 = require("http-message-signatures");
 const jwks_rsa_1 = require("jwks-rsa");
+const structured_headers_1 = require("structured-headers");
 const assertions_1 = require("../../assertions");
 const config_1 = require("../../config");
 const errors_1 = require("../../errors");
@@ -31,9 +32,25 @@ const createHttpMessageVerifier = ({ configSpace, fetcher }) => (configProvider)
             // but we do not bother matching the Signature-Agent names with the Signature names
             // as that would be awkward with the packages we use
             const signatureAgentString = (_a = headers['signature-agent']) !== null && _a !== void 0 ? _a : '';
-            const signatureAgentMatches = [...signatureAgentString.matchAll(/([^=]+)="([^"]+)"/g)];
-            const signatureAgents = signatureAgentMatches.length == 0 ?
-                [signatureAgentString] : [...new Set(signatureAgentMatches.map((match) => match[2]))];
+            let rawValues;
+            // Try parsing as RFC 8941 Item first (e.g., "https://url" or bare token)
+            try {
+                rawValues = [(0, structured_headers_1.parseItem)(signatureAgentString)];
+            }
+            catch {
+                // If item parsing fails, try parsing as a Dictionary (e.g., sig="https://url")
+                rawValues = Array.from((0, structured_headers_1.parseDictionary)(signatureAgentString).values());
+            }
+            // Convert values to strings (handle Token, string, and reject others) and deduplicate
+            const signatureAgents = [...new Set(rawValues.map(([bareItem]) => {
+                    if (bareItem instanceof structured_headers_1.Token) {
+                        return bareItem.toString();
+                    }
+                    return (0, assertions_1.assertString)(bareItem, new errors_1.InvalidRequestError('Signature-Agent values must be strings or tokens'));
+                }))];
+            if (signatureAgents.length === 0) {
+                throw new errors_1.InvalidRequestError('Signature-Agent header is required');
+            }
             const keys = (await Promise.all(signatureAgents.map(async (signatureAgent) => {
                 if (!await signatureAgentVerifier(signatureAgent)) {
                     throw new errors_1.InvalidRequestError('Signature-Agent verification failed');
@@ -78,14 +95,37 @@ const createHttpMessageVerifier = ({ configSpace, fetcher }) => (configProvider)
             // For example, if a GET request uses configOverride to make content-digest not required
             if (!headers['content-digest'])
                 return true;
-            const match = headers['content-digest'].match(/^(sha-256|sha-512)=:([^:]+):/);
-            if (!match)
+            let contentDigest;
+            try {
+                contentDigest = (0, structured_headers_1.parseDictionary)(headers['content-digest']);
+            }
+            catch {
                 throw new errors_1.InvalidRequestError('Unsupported Content-Digest header format');
-            const contentDigestAlg = match[1];
-            const contentDigestHash = match[2];
-            const calculatedContentDigestHash = (0, crypto_1.createHash)(contentDigestAlg).update((0, assertions_1.assertString)(body)).digest('base64');
-            if (calculatedContentDigestHash !== contentDigestHash.replace(/:/g, '')) {
-                throw new errors_1.InvalidRequestError('Calculated Content-Digest value did not match header');
+            }
+            if (contentDigest.size === 0) {
+                throw new errors_1.InvalidRequestError('Content-Digest header is required');
+            }
+            // Map Content-Digest algorithm names to Node's crypto algorithm names
+            const algorithmMap = {
+                'sha-256': 'sha256',
+                'sha-512': 'sha512',
+            };
+            for (const [algorithm, value] of contentDigest.entries()) {
+                const [bareItem] = value;
+                // Convert ByteSequence to string, or assert it's already a string
+                const hashValue = bareItem instanceof structured_headers_1.ByteSequence
+                    ? bareItem.toBase64()
+                    : (0, assertions_1.assertString)(bareItem, new errors_1.InvalidRequestError('Content-Digest values must be strings'));
+                const cryptoAlgorithm = algorithmMap[algorithm];
+                if (!cryptoAlgorithm) {
+                    throw new errors_1.InvalidRequestError(`Unsupported Content-Digest algorithm: ${algorithm}`);
+                }
+                // Calculate the hash
+                const calculatedHash = (0, crypto_1.createHash)(cryptoAlgorithm).update((0, assertions_1.assertString)(body, new errors_1.InvalidRequestError('Request body is required when Content-Digest is present'))).digest('base64');
+                // Compare with the provided hash
+                if (calculatedHash !== hashValue) {
+                    throw new errors_1.InvalidRequestError(`Calculated Content-Digest value did not match header for algorithm ${algorithm}`);
+                }
             }
             return true;
         },