npm - @openstax/ts-utils - Versions diffs - 1.39.0 → 1.39.1 - Mend

@openstax/ts-utils 1.39.0 → 1.39.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/cjs/services/httpMessageVerifier/index.js +50 -10
package/dist/cjs/tsconfig.without-specs.cjs.tsbuildinfo +1 -1
package/dist/esm/services/httpMessageVerifier/index.js +50 -10
package/dist/esm/tsconfig.without-specs.esm.tsbuildinfo +1 -1
package/package.json +2 -1

package/dist/esm/services/httpMessageVerifier/index.js CHANGED Viewed

@@ -2,6 +2,7 @@
 import { createHash } from 'crypto';
 import { createVerifier, httpbis } from 'http-message-signatures';
 import { SigningKeyNotFoundError } from 'jwks-rsa';
+import { ByteSequence, parseDictionary, parseItem, Token } from 'structured-headers';
 import { assertString } from '../../assertions';
 import { resolveConfigValue } from '../../config';
 import { InvalidRequestError } from '../../errors';
@@ -28,9 +29,25 @@ export const createHttpMessageVerifier = ({ configSpace, fetcher }) => (configPr
             // but we do not bother matching the Signature-Agent names with the Signature names
             // as that would be awkward with the packages we use
             const signatureAgentString = (_a = headers['signature-agent']) !== null && _a !== void 0 ? _a : '';
-            const signatureAgentMatches = [...signatureAgentString.matchAll(/([^=]+)="([^"]+)"/g)];
-            const signatureAgents = signatureAgentMatches.length == 0 ?
-                [signatureAgentString] : [...new Set(signatureAgentMatches.map((match) => match[2]))];
+            let rawValues;
+            // Try parsing as RFC 8941 Item first (e.g., "https://url" or bare token)
+            try {
+                rawValues = [parseItem(signatureAgentString)];
+            }
+            catch {
+                // If item parsing fails, try parsing as a Dictionary (e.g., sig="https://url")
+                rawValues = Array.from(parseDictionary(signatureAgentString).values());
+            }
+            // Convert values to strings (handle Token, string, and reject others) and deduplicate
+            const signatureAgents = [...new Set(rawValues.map(([bareItem]) => {
+                    if (bareItem instanceof Token) {
+                        return bareItem.toString();
+                    }
+                    return assertString(bareItem, new InvalidRequestError('Signature-Agent values must be strings or tokens'));
+                }))];
+            if (signatureAgents.length === 0) {
+                throw new InvalidRequestError('Signature-Agent header is required');
+            }
             const keys = (await Promise.all(signatureAgents.map(async (signatureAgent) => {
                 if (!await signatureAgentVerifier(signatureAgent)) {
                     throw new InvalidRequestError('Signature-Agent verification failed');
@@ -75,14 +92,37 @@ export const createHttpMessageVerifier = ({ configSpace, fetcher }) => (configPr
             // For example, if a GET request uses configOverride to make content-digest not required
             if (!headers['content-digest'])
                 return true;
-            const match = headers['content-digest'].match(/^(sha-256|sha-512)=:([^:]+):/);
-            if (!match)
+            let contentDigest;
+            try {
+                contentDigest = parseDictionary(headers['content-digest']);
+            }
+            catch {
                 throw new InvalidRequestError('Unsupported Content-Digest header format');
-            const contentDigestAlg = match[1];
-            const contentDigestHash = match[2];
-            const calculatedContentDigestHash = createHash(contentDigestAlg).update(assertString(body)).digest('base64');
-            if (calculatedContentDigestHash !== contentDigestHash.replace(/:/g, '')) {
-                throw new InvalidRequestError('Calculated Content-Digest value did not match header');
+            }
+            if (contentDigest.size === 0) {
+                throw new InvalidRequestError('Content-Digest header is required');
+            }
+            // Map Content-Digest algorithm names to Node's crypto algorithm names
+            const algorithmMap = {
+                'sha-256': 'sha256',
+                'sha-512': 'sha512',
+            };
+            for (const [algorithm, value] of contentDigest.entries()) {
+                const [bareItem] = value;
+                // Convert ByteSequence to string, or assert it's already a string
+                const hashValue = bareItem instanceof ByteSequence
+                    ? bareItem.toBase64()
+                    : assertString(bareItem, new InvalidRequestError('Content-Digest values must be strings'));
+                const cryptoAlgorithm = algorithmMap[algorithm];
+                if (!cryptoAlgorithm) {
+                    throw new InvalidRequestError(`Unsupported Content-Digest algorithm: ${algorithm}`);
+                }
+                // Calculate the hash
+                const calculatedHash = createHash(cryptoAlgorithm).update(assertString(body, new InvalidRequestError('Request body is required when Content-Digest is present'))).digest('base64');
+                // Compare with the provided hash
+                if (calculatedHash !== hashValue) {
+                    throw new InvalidRequestError(`Calculated Content-Digest value did not match header for algorithm ${algorithm}`);
+                }
             }
             return true;
         },