client-certificate-auth 2.0.1 → 2.0.2

package/lib/clientCertificateAuth.cjs

@@ -85,8 +85,8 @@ function clientCertificateAuth(callback, options = {}) {
         queueMicrotask(() => {
             try {
                 const result = hook(...args);
-                if (result instanceof Promise) {
-                    result.catch(err => console.error('client-certificate-auth: hook error:', err));
+                if (isThenable(result)) {
+                    Promise.resolve(result).catch(err => console.error('client-certificate-auth: hook error:', err));
                 }
             } catch (err) {
                 console.error('client-certificate-auth: hook error:', err);

package/lib/clientCertificateAuth.js

@@ -118,8 +118,8 @@ export default function clientCertificateAuth(callback, options = {}) {
     queueMicrotask(() => {
       try {
         const result = hook(...args);
-        if (result instanceof Promise) {
-          result.catch(err => console.error('client-certificate-auth: hook error:', err));
+        if (isThenable(result)) {
+          Promise.resolve(result).catch(err => console.error('client-certificate-auth: hook error:', err));
         }
       } catch (err) {
         console.error('client-certificate-auth: hook error:', err);

package/lib/helpers.js

@@ -38,7 +38,8 @@ export function allowCN(names) {
  * Create a validation callback that allows certificates with matching fingerprints.
  * Supports SHA-1 fingerprints (compared against cert.fingerprint) and SHA-256
  * fingerprints with "SHA256:" prefix (compared against cert.fingerprint256).
- * Fingerprints without a prefix are treated as SHA-1.
+ * Fingerprints without a prefix are treated as SHA-1. Hex inputs are
+ * normalized: case and colon delimiters are ignored on both sides.
  *
  * @param {string[]} fingerprints - Allowed fingerprints
  * @returns {ValidationCallback}
@@ -46,28 +47,30 @@ export function allowCN(names) {
  * @example
  * app.use(clientCertificateAuth(allowFingerprints([
  *   'SHA256:AB:CD:EF:...',  // matched against cert.fingerprint256
- *   'AB:CD:EF:...'          // matched against cert.fingerprint (SHA-1)
+ *   'AB:CD:EF:...',         // colon-delimited, matched against cert.fingerprint
+ *   'ABCDEF...'             // contiguous hex also matches cert.fingerprint
  * ])));
  */
 export function allowFingerprints(fingerprints) {
+    const normalize = (fp) => fp.toUpperCase().replace(/:/g, '');
     const sha256Allowed = new Set();
     const sha1Allowed = new Set();
 
     for (const fp of fingerprints) {
         const upper = fp.toUpperCase();
         if (upper.startsWith('SHA256:')) {
-            sha256Allowed.add(upper.slice(7));
+            sha256Allowed.add(normalize(upper.slice(7)));
         } else {
-            sha1Allowed.add(upper);
+            sha1Allowed.add(normalize(upper));
         }
     }
 
     return (cert) => {
         if (sha1Allowed.size > 0 && cert.fingerprint) {
-            if (sha1Allowed.has(cert.fingerprint.toUpperCase())) {return true;}
+            if (sha1Allowed.has(normalize(cert.fingerprint))) {return true;}
         }
         if (sha256Allowed.size > 0 && cert.fingerprint256) {
-            if (sha256Allowed.has(cert.fingerprint256.toUpperCase())) {return true;}
+            if (sha256Allowed.has(normalize(cert.fingerprint256))) {return true;}
         }
         return false;
     };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "client-certificate-auth",
-  "version": "2.0.1",
+  "version": "2.0.2",
   "description": "Express/Connect middleware for mTLS client certificate authentication with reverse proxy support (AWS ALB, Envoy, Cloudflare, Traefik)",
   "homepage": "https://github.com/tgies/client-certificate-auth",
   "bugs": {