oauth4webapi 2.8.0 → 2.8.1
- package/README.md +1 -1
- package/build/index.js +8 -2
- package/package.json +3 -3
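--- a/package/README.md
+++ b/package/README.md
@@ -44,7 +44,7 @@ import * as oauth2 from 'oauth4webapi'
 **`example`** Deno import
 
 ```js
-import * as oauth2 from 'https://deno.land/x/oauth4webapi@v2.8.
+import * as oauth2 from 'https://deno.land/x/oauth4webapi@v2.8.1/mod.ts'
 ```
 
 - Authorization Code Flow - OpenID Connect [source](examples/code.ts), or plain OAuth 2 [source](examples/oauth.ts)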
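--- a/package/build/index.js
+++ b/package/build/index.js
@@ -1,7 +1,7 @@
 let USER_AGENT;
 if (typeof navigator === 'undefined' || !navigator.userAgent?.startsWith?.('Mozilla/5.0 ')) {
 const NAME = 'oauth4webapi';
-const VERSION = 'v2.8.
+const VERSION = 'v2.8.1';
 USER_AGENT = `${NAME}/${VERSION}`;
 }
 function looseInstanceOf(input, expected) {
@@ -1785,6 +1785,7 @@ async function validateDPoP(as, request, accessTokenClaims, options) {
 if (typeof accessTokenClaims.cnf?.jkt !== 'string') {
 throw new OPE('operation indicated DPoP use but the JWT Access Token has no jkt confirmation claim');
 }
+const clockSkew = getClockSkew(options);
 const proof = await validateJwt(request.headers.get('dpop'), checkSigningAlgorithm.bind(undefined, undefined, as?.dpop_signing_alg_values_supported || SUPPORTED_JWS_ALGS), async ({ jwk, alg }) => {
 if (!jwk) {
 throw new OPE('DPoP Proof is missing the jwk header parameter');
@@ -1794,9 +1795,14 @@ async function validateDPoP(as, request, accessTokenClaims, options) {
 throw new OPE('DPoP Proof jwk header parameter must contain a public key');
 }
 return key;
-},
+}, clockSkew, getClockTolerance(options))
 .then(checkJwtType.bind(undefined, 'dpop+jwt'))
 .then(validatePresence.bind(undefined, ['iat', 'jti', 'ath', 'htm', 'htu']));
+const now = epochTime() + clockSkew;
+const diff = Math.abs(now - proof.claims.iat);
+if (diff > 300) {
+throw new OPE('DPoP Proof iat is not recent enough');
+}
 if (proof.claims.htm !== request.method) {
 throw new OPE('DPoP Proof htm mismatch');
 }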
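Review bot: The `if (diff > 300)` freshness check added after the `validatePresence` call hard-codes the acceptance window without documenting it, and unlike the `validateJwt` call above it, it ignores `getClockTolerance(options)`. I would name the bound and say why it exists, e.g. `const DPOP_IAT_WINDOW = 300; // seconds a proof's iat may differ from the skew-adjusted clock, in either direction`, and state in the function's documentation that proofs are accepted for that long. The comparison also passes when `proof.claims.iat` is not a finite number, because the difference becomes NaN and `NaN > 300` is false; `validateJwt` may already reject that, but it is not visible in this hunk, and `if (!(diff <= 300))` would fail closed either way. Within the window a captured proof stays replayable unless `jti` values are tracked, and the visible lines only check that `jti` is present, so that responsibility presumably lies with the caller. `validateDPoP` starts before and continues after the lines shown.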
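--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "oauth4webapi",
-"version": "2.8.
+"version": "2.8.1",
 "description": "OAuth 2 / OpenID Connect for JavaScript Runtimes",
 "keywords": [
 "access token",
@@ -67,14 +67,14 @@
 "devDependencies": {
 "@koa/cors": "^5.0.0",
 "@types/koa__cors": "^5.0.0",
-"@types/node": "^20.11.
+"@types/node": "^20.11.6",
 "@types/oidc-provider": "^8.4.3",
 "@types/qunit": "^2.19.10",
 "archiver": "^6.0.1",
 "ava": "^5.3.1",
 "chrome-launcher": "^1.1.0",
 "edge-runtime": "^2.5.8",
-"esbuild": "^0.19.
+"esbuild": "^0.19.12",
 "jose": "^5.2.0",
 "oidc-provider": "^8.4.5",
 "patch-package": "^8.0.0",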