@typekcz-nocobase-plugins/plugin-oidc-plus 1.0.2 → 1.0.3

package/dist/node_modules/nanoid/index.d.cts

@@ -0,0 +1,91 @@
+/**
+ * Generate secure URL-friendly unique ID.
+ *
+ * By default, the ID will have 21 symbols to have a collision probability
+ * similar to UUID v4.
+ *
+ * ```js
+ * import { nanoid } from 'nanoid'
+ * model.id = nanoid() //=> "Uakgb_J5m9g-0JDMbcJqL"
+ * ```
+ *
+ * @param size Size of the ID. The default size is 21.
+ * @returns A random string.
+ */
+export function nanoid(size?: number): string
+
+/**
+ * Generate secure unique ID with custom alphabet.
+ *
+ * Alphabet must contain 256 symbols or less. Otherwise, the generator
+ * will not be secure.
+ *
+ * @param alphabet Alphabet used to generate the ID.
+ * @param defaultSize Size of the ID. The default size is 21.
+ * @returns A random string generator.
+ *
+ * ```js
+ * const { customAlphabet } = require('nanoid')
+ * const nanoid = customAlphabet('0123456789абвгдеё', 5)
+ * nanoid() //=> "8ё56а"
+ * ```
+ */
+export function customAlphabet(
+  alphabet: string,
+  defaultSize?: number
+): (size?: number) => string
+
+/**
+ * Generate unique ID with custom random generator and alphabet.
+ *
+ * Alphabet must contain 256 symbols or less. Otherwise, the generator
+ * will not be secure.
+ *
+ * ```js
+ * import { customRandom } from 'nanoid/format'
+ *
+ * const nanoid = customRandom('abcdef', 5, size => {
+ *   const random = []
+ *   for (let i = 0; i < size; i++) {
+ *     random.push(randomByte())
+ *   }
+ *   return random
+ * })
+ *
+ * nanoid() //=> "fbaef"
+ * ```
+ *
+ * @param alphabet Alphabet used to generate a random string.
+ * @param size Size of the random string.
+ * @param random A random bytes generator.
+ * @returns A random string generator.
+ */
+export function customRandom(
+  alphabet: string,
+  size: number,
+  random: (bytes: number) => Uint8Array
+): () => string
+
+/**
+ * URL safe symbols.
+ *
+ * ```js
+ * import { urlAlphabet } from 'nanoid'
+ * const nanoid = customAlphabet(urlAlphabet, 10)
+ * nanoid() //=> "Uakgb_J5m9"
+ * ```
+ */
+export const urlAlphabet: string
+
+/**
+ * Generate an array of random bytes collected from hardware noise.
+ *
+ * ```js
+ * import { customRandom, random } from 'nanoid'
+ * const nanoid = customRandom("abcdef", 5, random)
+ * ```
+ *
+ * @param bytes Size of the array.
+ * @returns An array of random bytes.
+ */
+export function random(bytes: number): Uint8Array

package/dist/node_modules/nanoid/index.js

@@ -1,7 +1,15 @@
 import crypto from 'crypto'
+
 import { urlAlphabet } from './url-alphabet/index.js'
+
+// It is best to make fewer, larger requests to the crypto module to
+// avoid system call overhead. So, random numbers are generated in a
+// pool. The pool is a Buffer that is larger than the initial random
+// request size by this multiplier. The pool is enlarged if subsequent
+// requests exceed the maximum buffer size.
 const POOL_SIZE_MULTIPLIER = 128
 let pool, poolOffset
+
 let fillPool = bytes => {
   if (!pool || pool.length < bytes) {
     pool = Buffer.allocUnsafe(bytes * POOL_SIZE_MULTIPLIER)
@@ -13,33 +21,65 @@ let fillPool = bytes => {
   }
   poolOffset += bytes
 }
+
 let random = bytes => {
-  fillPool((bytes -= 0))
+  // `|=` convert `bytes` to number to prevent `valueOf` abusing and pool pollution
+  fillPool((bytes |= 0))
   return pool.subarray(poolOffset - bytes, poolOffset)
 }
+
 let customRandom = (alphabet, defaultSize, getRandom) => {
+  // First, a bitmask is necessary to generate the ID. The bitmask makes bytes
+  // values closer to the alphabet size. The bitmask calculates the closest
+  // `2^31 - 1` number, which exceeds the alphabet size.
+  // For example, the bitmask for the alphabet size 30 is 31 (00011111).
   let mask = (2 << (31 - Math.clz32((alphabet.length - 1) | 1))) - 1
+  // Though, the bitmask solution is not perfect since the bytes exceeding
+  // the alphabet size are refused. Therefore, to reliably generate the ID,
+  // the random bytes redundancy has to be satisfied.
+
+  // Note: every hardware random generator call is performance expensive,
+  // because the system call for entropy collection takes a lot of time.
+  // So, to avoid additional system calls, extra bytes are requested in advance.
+
+  // Next, a step determines how many random bytes to generate.
+  // The number of random bytes gets decided upon the ID size, mask,
+  // alphabet size, and magic number 1.6 (using 1.6 peaks at performance
+  // according to benchmarks).
   let step = Math.ceil((1.6 * mask * defaultSize) / alphabet.length)
+
   return (size = defaultSize) => {
     let id = ''
     while (true) {
       let bytes = getRandom(step)
+      // A compact alternative for `for (let i = 0; i < step; i++)`.
       let i = step
       while (i--) {
+        // Adding `|| ''` refuses a random byte that exceeds the alphabet size.
         id += alphabet[bytes[i] & mask] || ''
         if (id.length === size) return id
       }
     }
   }
 }
+
 let customAlphabet = (alphabet, size = 21) =>
   customRandom(alphabet, size, random)
+
 let nanoid = (size = 21) => {
-  fillPool((size -= 0))
+  // `|=` convert `size` to number to prevent `valueOf` abusing and pool pollution
+  fillPool((size |= 0))
   let id = ''
+  // We are reading directly from the random pool to avoid creating new array
   for (let i = poolOffset - size; i < poolOffset; i++) {
+    // It is incorrect to use bytes exceeding the alphabet size.
+    // The following mask reduces the random byte in the 0-255 value
+    // range to the 0-63 value range. Therefore, adding hacks, such
+    // as empty string fallback or magic numbers, is unneccessary because
+    // the bitmask trims bytes down to the alphabet size.
     id += urlAlphabet[pool[i] & 63]
   }
   return id
 }
+
 export { nanoid, customAlphabet, customRandom, urlAlphabet, random }

package/dist/node_modules/nanoid/non-secure/index.cjs

@@ -1,21 +1,34 @@
+// This alphabet uses `A-Za-z0-9_-` symbols.
+// The order of characters is optimized for better gzip and brotli compression.
+// References to the same file (works both for gzip and brotli):
+// `'use`, `andom`, and `rict'`
+// References to the brotli default dictionary:
+// `-26T`, `1983`, `40px`, `75px`, `bush`, `jack`, `mind`, `very`, and `wolf`
 let urlAlphabet =
   'useandom-26T198340PX75pxJACKVERYMINDBUSHWOLF_GQZbfghjklqvwyzrict'
+
 let customAlphabet = (alphabet, defaultSize = 21) => {
   return (size = defaultSize) => {
     let id = ''
-    let i = size
+    // A compact alternative for `for (var i = 0; i < step; i++)`.
+    let i = size | 0
     while (i--) {
+      // `| 0` is more compact and faster than `Math.floor()`.
       id += alphabet[(Math.random() * alphabet.length) | 0]
     }
     return id
   }
 }
+
 let nanoid = (size = 21) => {
   let id = ''
-  let i = size
+  // A compact alternative for `for (var i = 0; i < step; i++)`.
+  let i = size | 0
   while (i--) {
+    // `| 0` is more compact and faster than `Math.floor()`.
     id += urlAlphabet[(Math.random() * 64) | 0]
   }
   return id
 }
+
 module.exports = { nanoid, customAlphabet }

package/dist/node_modules/nanoid/non-secure/index.js

@@ -1,21 +1,34 @@
+// This alphabet uses `A-Za-z0-9_-` symbols.
+// The order of characters is optimized for better gzip and brotli compression.
+// References to the same file (works both for gzip and brotli):
+// `'use`, `andom`, and `rict'`
+// References to the brotli default dictionary:
+// `-26T`, `1983`, `40px`, `75px`, `bush`, `jack`, `mind`, `very`, and `wolf`
 let urlAlphabet =
   'useandom-26T198340PX75pxJACKVERYMINDBUSHWOLF_GQZbfghjklqvwyzrict'
+
 let customAlphabet = (alphabet, defaultSize = 21) => {
   return (size = defaultSize) => {
     let id = ''
-    let i = size
+    // A compact alternative for `for (var i = 0; i < step; i++)`.
+    let i = size | 0
     while (i--) {
+      // `| 0` is more compact and faster than `Math.floor()`.
       id += alphabet[(Math.random() * alphabet.length) | 0]
     }
     return id
   }
 }
+
 let nanoid = (size = 21) => {
   let id = ''
-  let i = size
+  // A compact alternative for `for (var i = 0; i < step; i++)`.
+  let i = size | 0
   while (i--) {
+    // `| 0` is more compact and faster than `Math.floor()`.
     id += urlAlphabet[(Math.random() * 64) | 0]
   }
   return id
 }
+
 export { nanoid, customAlphabet }

package/dist/node_modules/nanoid/package.json

@@ -1 +1 @@
-{"name":"nanoid","version":"3.3.4","description":"A tiny (116 bytes), secure URL-friendly unique string ID generator","keywords":["uuid","random","id","url"],"engines":{"node":"^10 || ^12 || ^13.7 || ^14 || >=15.0.1"},"author":"Andrey Sitnik <andrey@sitnik.ru>","license":"MIT","repository":"ai/nanoid","browser":{"./index.js":"./index.browser.js","./async/index.js":"./async/index.browser.js","./async/index.cjs":"./async/index.browser.cjs","./index.cjs":"./index.browser.cjs"},"react-native":"index.js","bin":"./bin/nanoid.cjs","sideEffects":false,"types":"./index.d.ts","type":"module","main":"index.cjs","module":"index.js","exports":{".":{"types":"./index.d.ts","browser":"./index.browser.js","require":"./index.cjs","import":"./index.js","default":"./index.js"},"./index.d.ts":"./index.d.ts","./package.json":"./package.json","./async/package.json":"./async/package.json","./async":{"browser":"./async/index.browser.js","require":"./async/index.cjs","import":"./async/index.js","default":"./async/index.js"},"./non-secure/package.json":"./non-secure/package.json","./non-secure":{"require":"./non-secure/index.cjs","import":"./non-secure/index.js","default":"./non-secure/index.js"},"./url-alphabet/package.json":"./url-alphabet/package.json","./url-alphabet":{"require":"./url-alphabet/index.cjs","import":"./url-alphabet/index.js","default":"./url-alphabet/index.js"}},"_lastModified":"2024-03-26T12:28:54.494Z"}
+{"name":"nanoid","version":"3.3.8","description":"A tiny (116 bytes), secure URL-friendly unique string ID generator","keywords":["uuid","random","id","url"],"engines":{"node":"^10 || ^12 || ^13.7 || ^14 || >=15.0.1"},"funding":[{"type":"github","url":"https://github.com/sponsors/ai"}],"author":"Andrey Sitnik <andrey@sitnik.ru>","license":"MIT","repository":"ai/nanoid","browser":{"./index.js":"./index.browser.js","./async/index.js":"./async/index.browser.js","./async/index.cjs":"./async/index.browser.cjs","./index.cjs":"./index.browser.cjs"},"react-native":"index.js","bin":"./bin/nanoid.cjs","sideEffects":false,"types":"./index.d.ts","type":"module","main":"index.cjs","module":"index.js","exports":{".":{"browser":"./index.browser.js","require":{"types":"./index.d.cts","default":"./index.cjs"},"import":{"types":"./index.d.ts","default":"./index.js"},"default":"./index.js"},"./package.json":"./package.json","./async/package.json":"./async/package.json","./async":{"browser":"./async/index.browser.js","require":{"types":"./index.d.cts","default":"./async/index.cjs"},"import":{"types":"./index.d.ts","default":"./async/index.js"},"default":"./async/index.js"},"./non-secure/package.json":"./non-secure/package.json","./non-secure":{"require":{"types":"./index.d.cts","default":"./non-secure/index.cjs"},"import":{"types":"./index.d.ts","default":"./non-secure/index.js"},"default":"./non-secure/index.js"},"./url-alphabet/package.json":"./url-alphabet/package.json","./url-alphabet":{"require":{"types":"./index.d.cts","default":"./url-alphabet/index.cjs"},"import":{"types":"./index.d.ts","default":"./url-alphabet/index.js"},"default":"./url-alphabet/index.js"}},"_lastModified":"2025-03-05T12:36:57.578Z"}

package/dist/node_modules/nanoid/url-alphabet/index.cjs

@@ -1,3 +1,7 @@
+// This alphabet uses `A-Za-z0-9_-` symbols.
+// The order of characters is optimized for better gzip and brotli compression.
+// Same as in non-secure/index.js
 let urlAlphabet =
   'useandom-26T198340PX75pxJACKVERYMINDBUSHWOLF_GQZbfghjklqvwyzrict'
+
 module.exports = { urlAlphabet }

package/dist/node_modules/nanoid/url-alphabet/index.js

@@ -1,3 +1,7 @@
+// This alphabet uses `A-Za-z0-9_-` symbols.
+// The order of characters is optimized for better gzip and brotli compression.
+// Same as in non-secure/index.js
 let urlAlphabet =
   'useandom-26T198340PX75pxJACKVERYMINDBUSHWOLF_GQZbfghjklqvwyzrict'
+
 export { urlAlphabet }

package/dist/node_modules/openid-client/lib/client.js

@@ -191,7 +191,7 @@ class BaseClient {
       authorization_signed_response_alg: 'RS256',
       response_types: ['code'],
       token_endpoint_auth_method: 'client_secret_basic',
-      ...(this.fapi()
+      ...(this.fapi1()
         ? {
             grant_types: ['authorization_code', 'implicit'],
             id_token_signed_response_alg: 'PS256',
@@ -201,6 +201,13 @@ class BaseClient {
             token_endpoint_auth_method: undefined,
           }
         : undefined),
+      ...(this.fapi2()
+        ? {
+            id_token_signed_response_alg: 'PS256',
+            authorization_signed_response_alg: 'PS256',
+            token_endpoint_auth_method: undefined,
+          }
+        : undefined),
       ...metadata,
     };
 
@@ -221,6 +228,26 @@ class BaseClient {
       }
     }
 
+    if (this.fapi2()) {
+      if (
+        properties.tls_client_certificate_bound_access_tokens &&
+        properties.dpop_bound_access_tokens
+      ) {
+        throw new TypeError(
+          'either tls_client_certificate_bound_access_tokens or dpop_bound_access_tokens must be set to true',
+        );
+      }
+
+      if (
+        !properties.tls_client_certificate_bound_access_tokens &&
+        !properties.dpop_bound_access_tokens
+      ) {
+        throw new TypeError(
+          'either tls_client_certificate_bound_access_tokens or dpop_bound_access_tokens must be set to true',
+        );
+      }
+    }
+
     handleCommonMistakes(this, metadata, properties);
 
     assertSigningAlgValuesSupport('token', this.issuer, properties);
@@ -824,7 +851,7 @@ class BaseClient {
         });
       }
 
-      if (this.fapi()) {
+      if (this.fapi1()) {
         if (!payload.s_hash && (tokenSet.state || state)) {
           throw new RPError({
             message: 'missing required property s_hash',
@@ -1631,9 +1658,17 @@ class BaseClient {
   }
 
   fapi() {
+    return this.fapi1() || this.fapi2();
+  }
+
+  fapi1() {
     return this.constructor.name === 'FAPI1Client';
   }
 
+  fapi2() {
+    return this.constructor.name === 'FAPI2Client';
+  }
+
   async validateJARM(response) {
     const expectedAlg = this.authorization_signed_response_alg;
     const { payload } = await this.validateJWT(response, expectedAlg, ['iss', 'exp', 'aud']);

package/dist/node_modules/openid-client/lib/helpers/client.js

@@ -92,9 +92,6 @@ async function authFor(endpoint, { clientAssertionPayload } = {}) {
     case 'private_key_jwt':
     case 'client_secret_jwt': {
       const timestamp = now();
-      const audience = [
-        ...new Set([this.issuer.issuer, this.issuer.token_endpoint].filter(Boolean)),
-      ];
 
       const assertion = await clientAssertion.call(this, endpoint, {
         iat: timestamp,
@@ -102,7 +99,7 @@ async function authFor(endpoint, { clientAssertionPayload } = {}) {
         jti: random(),
         iss: this.client_id,
         sub: this.client_id,
-        aud: audience,
+        aud: this.issuer.issuer,
         ...clientAssertionPayload,
       });
 

package/dist/node_modules/openid-client/lib/helpers/request.js

@@ -79,7 +79,7 @@ module.exports = async function request(options, { accessToken, mTLS = false, DP
     opts.headers.DPoP = await this.dpopProof(
       {
         htu: `${url.origin}${url.pathname}`,
-        htm: options.method,
+        htm: options.method || 'GET',
         nonce: nonces.get(nonceKey),
       },
       DPoP,