npm - @rodit/rodit-auth-be - Versions diffs - 9.11.16 → 9.11.20 - Mend

@rodit/rodit-auth-be 9.11.16 → 9.11.20

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/lib/auth/tokenservice.js +161 -19
package/package.json +1 -1

package/lib/auth/tokenservice.js CHANGED Viewed

@@ -973,6 +973,31 @@ function resolveCredentialExpirationUnix(now, sessionExpiration, own_rodit) {
         keyCreationDuration,
       });
+      const signatureStart = Date.now();
+      const timeString = await unixTimeToDateString(now);
+      const roditidandtimestamp = new TextEncoder().encode(
+        token.rodit_id + timeString
+      );
+      let privateKeyToUse = config_own_rodit.own_rodit_bytes_private_key;
+      if (Buffer.isBuffer(privateKeyToUse)) {
+        privateKeyToUse = new Uint8Array(privateKeyToUse);
+      } else if (!(privateKeyToUse instanceof Uint8Array)) {
+        privateKeyToUse = new Uint8Array(Array.from(privateKeyToUse));
+      }
+      const own_rodit_bytes_signature = nacl.sign.detached(
+        roditidandtimestamp,
+        privateKeyToUse
+      );
+      const renewed_rodit_idsignature = Buffer.from(
+        own_rodit_bytes_signature
+      ).toString("base64url");
+      logger.debug("Regenerated rodit_idsignature for renewed credential", {
+        requestId,
+        signatureDuration: Date.now() - signatureStart,
+        roditId: token.rodit_id,
+        iat: now,
+      });
       // Keep existing session ID and creation time
       const session_id = existingSessionId;
       const session_iat = token.session_iat;
@@ -1028,7 +1053,7 @@ function resolveCredentialExpirationUnix(now, sessionExpiration, own_rodit) {
         rodit_id: token.rodit_id,
         rodit_owner: token.rodit_owner,
         rodit_allowediso3166list: token.rodit_allowediso3166list,
-        rodit_idsignature: token.rodit_idsignature,
+        rodit_idsignature: renewed_rodit_idsignature,
         rodit_maxrequests: token.rodit_maxrequests,
         rodit_maxrqwindow: token.rodit_maxrqwindow,
         rodit_permissionedroutes: token.rodit_permissionedroutes,
@@ -1665,14 +1690,35 @@ function resolveCredentialExpirationUnix(now, sessionExpiration, own_rodit) {
         newToken = renewalResult.newToken;
         if (isExpired && !newToken) {
-          logger.error("Token expired and renewal failed", {
-            component: "JwtAuth",
-            method: "validate_jwt_token_be",
-            requestId,
-            jti: payload.jti
-          });
-          throw new Error("Error 007: Token has expired and renewal failed");
+          const renewalNow = Math.floor(Date.now() / 1000);
+          const sessionExpUnix =
+            payload.session_exp != null ? Number(payload.session_exp) : null;
+          const sessionStillActive =
+            Number.isFinite(sessionExpUnix) && sessionExpUnix > renewalNow;
+          if (sessionStillActive) {
+            logger.warn(
+              "Credential expired and renewal failed but session still active; allowing request",
+              {
+                component: "JwtAuth",
+                method: "validate_jwt_token_be",
+                requestId,
+                jti: payload.jti,
+                sessionExp: sessionExpUnix,
+                now: renewalNow,
+              }
+            );
+          } else {
+            logger.error("Token expired and renewal failed", {
+              component: "JwtAuth",
+              method: "validate_jwt_token_be",
+              requestId,
+              jti: payload.jti,
+              sessionExp: sessionExpUnix,
+            });
+            throw new Error("Error 007: Token has expired and renewal failed");
+          }
         }
       } else if (isExpired) {
         logger.info("Allowing signature-valid expired token for special flow", {
@@ -2213,6 +2259,70 @@ async function thorough_validate_jwt_token_be(token, requestId = ulid()) {
   }
 }
+  /**
+   * Decide brief vs thorough renewal verification using existing SECURITY_OPTIONS constants.
+   *
+   * @param {Object} params
+   * @returns {Object} Plan with shouldDoFullVerification, urgency, pThorough, newduration, floors
+   */
+  function resolveRenewalVerificationPlan({
+    forceRenewal = false,
+    durationLeftpct = 0,
+    currentDuration = 0,
+    lapsedProportion = 0.8,
+    thresholdValidationType = 0.1,
+    durationRamp = 0.85,
+    fallbackJwtDuration = 3600,
+    roditMaxRqWindow,
+    randomNumber = Math.random(),
+  }) {
+    const eligibilityTail = 1.0 - lapsedProportion;
+    const safeCurrentDuration = Math.max(0, Number(currentDuration) || 0);
+    const newduration = safeCurrentDuration * durationRamp;
+    let urgency;
+    if (forceRenewal) {
+      urgency = 1;
+    } else if (eligibilityTail <= 0) {
+      urgency = 1;
+    } else {
+      const tailFraction = durationLeftpct / 100 / eligibilityTail;
+      urgency = Math.min(1, Math.max(0, 1 - tailFraction));
+    }
+    const pThorough =
+      thresholdValidationType + urgency * (1 - thresholdValidationType);
+    const baselineDuration = Math.max(1, Number(fallbackJwtDuration) || 3600);
+    const rampedFloor = baselineDuration * eligibilityTail * durationRamp;
+    const maxRqWindow = Number(roditMaxRqWindow) || baselineDuration;
+    const rqWindowFloor = maxRqWindow * eligibilityTail;
+    const stochasticThorough = urgency >= 1 || randomNumber < pThorough;
+    const rampedFloorThorough = newduration <= rampedFloor;
+    const rqWindowFloorThorough = newduration <= rqWindowFloor;
+    const deterministicThorough = rampedFloorThorough || rqWindowFloorThorough;
+    let verificationReason = "brief";
+    if (deterministicThorough) {
+      verificationReason = rampedFloorThorough ? "ramped_floor" : "rq_window_floor";
+    } else if (stochasticThorough) {
+      verificationReason = "stochastic";
+    }
+    return {
+      shouldDoFullVerification: stochasticThorough || deterministicThorough,
+      urgency,
+      pThorough,
+      newduration,
+      rampedFloor,
+      rqWindowFloor,
+      stochasticThorough,
+      deterministicThorough,
+      verificationReason,
+    };
+  }
   /**
    * Check if a token needs renewal and renew if necessary
    *
@@ -2236,12 +2346,16 @@ async function thorough_validate_jwt_token_be(token, requestId = ulid()) {
     const DURATIONRAMP = parseFloat(
       config.get('SECURITY_OPTIONS.DURATIONRAMP', '0.85')
     );
+    const FALLBACK_JWT_DURATION = parseInt(
+      config.get('SECURITY_OPTIONS.FALLBACK_JWT_DURATION', '3600'),
+      10
+    );
     const currentTime = Math.floor(Date.now() / 1000);
     const timeLeft = payload.exp - currentTime;
     const currentDuration = payload.exp - payload.iat;
-    const durationLeftpct = (timeLeft / currentDuration) * 100;
-    const newduration = currentDuration * DURATIONRAMP;
+    const durationLeftpct =
+      currentDuration > 0 ? (timeLeft / currentDuration) * 100 : 0;
     // Log session information
     const sessionInfo = {
@@ -2301,13 +2415,40 @@ async function thorough_validate_jwt_token_be(token, requestId = ulid()) {
       ...sessionInfo,
     });
-    // Determine verification method
-    const randomNumber = Math.random();
-    const shouldDoFullVerification =
-      randomNumber < THRESHOLD_VALIDATION_TYPE ||
-      newduration >
-        payload.rodit_maxrqwindow *
-          (100 - (LAPSED_LIFETIME_PROPORTION_4RENEWAL_ELIGIBILITY * 100));
+    const renewalPlan = resolveRenewalVerificationPlan({
+      forceRenewal,
+      durationLeftpct,
+      currentDuration,
+      lapsedProportion: LAPSED_LIFETIME_PROPORTION_4RENEWAL_ELIGIBILITY,
+      thresholdValidationType: THRESHOLD_VALIDATION_TYPE,
+      durationRamp: DURATIONRAMP,
+      fallbackJwtDuration: FALLBACK_JWT_DURATION,
+      roditMaxRqWindow: payload.rodit_maxrqwindow,
+    });
+    const {
+      shouldDoFullVerification,
+      urgency,
+      pThorough,
+      newduration,
+      rampedFloor,
+      rqWindowFloor,
+      verificationReason,
+    } = renewalPlan;
+    logger.debug("Renewal verification plan", {
+      component: "TokenRenewalService",
+      method: "checkandrenew_jwt_token",
+      requestId,
+      forceRenewal,
+      durationLeftpct: durationLeftpct.toFixed(1),
+      urgency: urgency.toFixed(3),
+      pThorough: pThorough.toFixed(3),
+      newduration: Math.floor(newduration),
+      rampedFloor: Math.floor(rampedFloor),
+      rqWindowFloor: Math.floor(rqWindowFloor),
+      verificationReason,
+      shouldDoFullVerification,
+    });
     const verificationStartTime = Date.now();
@@ -2392,7 +2533,7 @@ async function thorough_validate_jwt_token_be(token, requestId = ulid()) {
           logInfo: {
             newDuration: newduration,
             reason: shouldDoFullVerification
-              ? "Thorough verification"
+              ? `Thorough verification (${verificationReason})`
               : "Brief verification",
             notAfter: notAfter,
             renewalDuration,
@@ -2439,6 +2580,7 @@ module.exports = {
   generate_jwt_token,
   base64url2jwk_public_key,
   checkandrenew_jwt_token,
+  resolveRenewalVerificationPlan,
   thorough_validate_jwt_token_be,
   brief_validate_jwt_token_be,
   generate_jwt_token_fromtoken,

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@rodit/rodit-auth-be",
-  "version": "9.11.16",
+  "version": "9.11.20",
   "description": "RODiT-based authentication system for Express.js applications",
   "main": "index.js",
   "exports": {