javascript-solid-server 0.0.53 → 0.0.55
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +1 -1
- package/src/auth/solid-oidc.js +27 -8
- package/src/idp/index.js +4 -0
- package/src/idp/provider.js +2 -0
package/package.json
CHANGED
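--- a/package/src/auth/solid-oidc.js
+++ b/package/src/auth/solid-oidc.js
@@ -20,6 +20,19 @@ const jwksCache = new Map();
 // Cache TTL (15 minutes)
 const CACHE_TTL = 15 * 60 * 1000;
 
+// Trusted issuers (skip SSRF check) - populated by server config
+const trustedIssuers = new Set();
+
+/**
+* Add a trusted issuer (e.g., the server's own issuer)
+* Trusted issuers bypass SSRF validation since they're configured by admin
+*/
+export function addTrustedIssuer(issuer) {
+const normalized = issuer.replace(/\/$/, '');
+trustedIssuers.add(normalized);
+trustedIssuers.add(normalized + '/');
+}
+
 // DPoP proof max age (5 minutes)
 const DPOP_MAX_AGE = 5 * 60;
 
@@ -206,15 +219,21 @@ async function getOidcConfig(issuer) {
 return cached.config;
 }
 
-//
-const
-
-
-
-
+// Check if this is a trusted issuer (e.g., our own server)
+const normalizedIssuer = issuer.replace(/\/$/, '');
+const isTrusted = trustedIssuers.has(normalizedIssuer) || trustedIssuers.has(normalizedIssuer + '/');
+
+// SSRF Protection: Validate issuer URL before fetching (skip for trusted issuers)
+if (!isTrusted) {
+const validation = await validateExternalUrl(issuer, {
+requireHttps: true,
+blockPrivateIPs: true,
+resolveDNS: true
+});
 
-
-
+if (!validation.valid) {
+throw new Error(`Invalid OIDC issuer: ${validation.error}`);
+}
 }
 
 const configUrl = `${issuer.replace(/\/$/, '')}/.well-known/openid-configuration`;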
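Review bot: The `resolveDNS: true` validation at new lines 228-232 and the later fetch of `configUrl` (new line 239; the fetch itself is outside the hunk) are two independent name resolutions, so a hostname that passes the private-IP check can resolve to an internal address by the time the request is actually made, and the guard is only advisory unless the fetch pins the address that `validateExternalUrl` resolved and applies the same check to any redirect target. I would record that above the `if (!isTrusted)` block: `// NOTE: validation resolves DNS independently of the fetch below; pin the resolved address (and re-check redirects) to close the rebinding window`. `addTrustedIssuer` (new lines 30-34) compares exact strings apart from a trailing slash, so a configured issuer that differs in case or explicit port from the value later looked up falls through to the external check (fail-closed), which its JSDoc should state so operators do not expect looser matching. `getOidcConfig` starts and ends outside the hunk.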
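--- a/package/src/idp/index.js
+++ b/package/src/idp/index.js
@@ -18,6 +18,7 @@ import {
 handleCredentials,
 handleCredentialsInfo,
 } from './credentials.js';
+import { addTrustedIssuer } from '../auth/solid-oidc.js';
 
 /**
 * IdP Fastify Plugin
@@ -32,6 +33,9 @@ export async function idpPlugin(fastify, options) {
 throw new Error('IdP requires issuer URL');
 }
 
+// Register our own issuer as trusted (bypasses SSRF check for self-validation)
+addTrustedIssuer(issuer);
+
 // Initialize signing keys
 await initializeKeys();
 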
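Review bot: `addTrustedIssuer(issuer)` at new line 37 whitelists whatever string survives the presence check that throws `'IdP requires issuer URL'` at line 33, and the lookup in `getOidcConfig` is an exact string comparison apart from a trailing slash, so an issuer configured with a different scheme case, host case or explicit port than the value later looked up will not be recognised as trusted and will instead go through the external validator configured with `blockPrivateIPs: true`. Rejecting a malformed value with `new URL(issuer);` before the call would surface such configuration mistakes at startup instead of as a failed self-validation later, and the comment should state the matching rule: `// Must equal the issuer string used in lookups (only a trailing slash is normalized)`. `idpPlugin` starts and ends outside the hunk.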
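--- a/package/src/idp/provider.js
+++ b/package/src/idp/provider.js
@@ -109,12 +109,14 @@ export async function createProvider(issuer) {
 maxAge: 14 * 24 * 60 * 60 * 1000, // 14 days
 httpOnly: true,
 sameSite: 'lax',
+secure: process.env.NODE_ENV === 'production' || issuer.startsWith('https://'),
 path: '/',
 },
 short: {
 signed: true,
 httpOnly: true,
 sameSite: 'lax',
+secure: process.env.NODE_ENV === 'production' || issuer.startsWith('https://'),
 path: '/',
 },
 },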
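Review bot: The expression `process.env.NODE_ENV === 'production' || issuer.startsWith('https://')` is duplicated at new lines 112 and 119, and `startsWith` is case-sensitive while URL schemes are not, so an issuer written as `HTTPS://…` would yield `secure: false` even though the same value is presumably accepted elsewhere. Compute it once before the cookie options, `const secureCookies = process.env.NODE_ENV === 'production' || new URL(issuer).protocol === 'https:';`, and use `secure: secureCookies,` in both blocks; `new URL` additionally fails fast on a malformed issuer. With `NODE_ENV=production` and a plain-http issuer, browsers will not store these cookies at all, which looks like the intended enforcement but deserves a comment such as `// secure cookies are mandatory in production; an http issuer will not get a session`. `createProvider` starts and ends outside the hunk.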