npm - oauth4webapi - Versions diffs - 2.9.0 → 2.10.0 - Mend

oauth4webapi 2.9.0 → 2.10.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md CHANGED Viewed

@@ -44,7 +44,7 @@ import * as oauth2 from 'oauth4webapi'
 **`example`** Deno import
 ```js
-import * as oauth2 from 'https://deno.land/x/oauth4webapi@v2.9.0/mod.ts'
+import * as oauth2 from 'https://deno.land/x/oauth4webapi@v2.10.0/mod.ts'
 ```
 - Authorization Code Flow - OpenID Connect [source](examples/code.ts), or plain OAuth 2 [source](examples/oauth.ts)

package/build/index.d.ts CHANGED Viewed

@@ -161,12 +161,13 @@ export declare const clockTolerance: unique symbol;
  *
  * - Expect Type-related issues when passing the inputs through to fetch-like modules, they hardly
  *   ever get their typings inline with actual fetch, you should `@ts-expect-error` them.
- * - Returning self-constructed {@link Response} instances prohibits AS-signalled DPoP Nonce caching.
+ * - Returning self-constructed {@link Response} instances prohibits AS/RS-signalled DPoP Nonce
+ *   caching.
  *
  * @example
  *
- * Using [sindresorhus/ky](https://github.com/sindresorhus/ky) hooks feature for logging outgoing
- * requests and their responses.
+ * Using [sindresorhus/ky](https://github.com/sindresorhus/ky) for retries and its hooks feature for
+ * logging outgoing requests and their responses.
  *
  * ```js
  * import ky from 'ky'
@@ -200,7 +201,7 @@ export declare const clockTolerance: unique symbol;
  *
  * @example
  *
- * Using [nodejs/undici](https://github.com/nodejs/undici) for mocking.
+ * Using [nodejs/undici](https://github.com/nodejs/undici) to mock responses in tests.
  *
  * ```js
  * import * as undici from 'undici'
@@ -1183,12 +1184,22 @@ export interface IDToken extends JWTPayload {
     readonly azp?: string;
     readonly [claim: string]: JsonValue | undefined;
 }
+export interface AuthorizationDetails {
+    readonly type: string;
+    readonly locations?: string[];
+    readonly actions?: string[];
+    readonly datatypes?: string[];
+    readonly privileges?: string[];
+    readonly identifier?: string;
+    readonly [parameter: string]: JsonValue | undefined;
+}
 export interface TokenEndpointResponse {
     readonly access_token: string;
     readonly expires_in?: number;
     readonly id_token?: string;
     readonly refresh_token?: string;
     readonly scope?: string;
+    readonly authorization_details?: AuthorizationDetails[];
     /**
      * NOTE: because the value is case insensitive it is always returned lowercased
      */
@@ -1201,6 +1212,7 @@ export interface OpenIDTokenEndpointResponse {
     readonly id_token: string;
     readonly refresh_token?: string;
     readonly scope?: string;
+    readonly authorization_details?: AuthorizationDetails[];
     /**
      * NOTE: because the value is case insensitive it is always returned lowercased
      */
@@ -1213,6 +1225,7 @@ export interface OAuth2TokenEndpointResponse {
     readonly id_token?: undefined;
     readonly refresh_token?: string;
     readonly scope?: string;
+    readonly authorization_details?: AuthorizationDetails[];
     /**
      * NOTE: because the value is case insensitive it is always returned lowercased
      */
@@ -1223,6 +1236,7 @@ export interface ClientCredentialsGrantResponse {
     readonly access_token: string;
     readonly expires_in?: number;
     readonly scope?: string;
+    readonly authorization_details?: AuthorizationDetails[];
     /**
      * NOTE: because the value is case insensitive it is always returned lowercased
      */
@@ -1393,11 +1407,12 @@ export interface IntrospectionResponse {
     readonly jti?: string;
     readonly username?: string;
     readonly aud?: string | string[];
-    readonly scope: string;
+    readonly scope?: string;
     readonly sub?: string;
     readonly nbf?: number;
     readonly token_type?: string;
     readonly cnf?: ConfirmationClaims;
+    readonly authorization_details?: AuthorizationDetails[];
     readonly [claim: string]: JsonValue | undefined;
 }
 /**
@@ -1596,6 +1611,8 @@ export interface JWTAccessTokenClaims extends JWTPayload {
     readonly iat: number;
     readonly jti: string;
     readonly client_id: string;
+    readonly authorization_details?: AuthorizationDetails[];
+    readonly scope?: string;
     readonly [claim: string]: JsonValue | undefined;
 }
 export interface ValidateJWTAccessTokenOptions extends HttpRequestOptions {

package/build/index.js CHANGED Viewed

@@ -1,7 +1,7 @@
 let USER_AGENT;
 if (typeof navigator === 'undefined' || !navigator.userAgent?.startsWith?.('Mozilla/5.0 ')) {
     const NAME = 'oauth4webapi';
-    const VERSION = 'v2.9.0';
+    const VERSION = 'v2.10.0';
     USER_AGENT = `${NAME}/${VERSION}`;
 }
 function looseInstanceOf(input, expected) {
@@ -143,14 +143,13 @@ const SUPPORTED_JWS_ALGS = [
 ];
 function processDpopNonce(response) {
     try {
-        if (response.headers.has('dpop-nonce')) {
-            const url = new URL(response.url);
-            dpopNonces.set(url.origin, response.headers.get('dpop-nonce'));
+        const nonce = response.headers.get('dpop-nonce');
+        if (nonce) {
+            dpopNonces.set(new URL(response.url).origin, nonce);
         }
     }
-    finally {
-        return response;
-    }
+    catch { }
+    return response;
 }
 function normalizeTyp(value) {
     return value.toLowerCase().replace(/^application\//, '');
@@ -201,7 +200,7 @@ export async function discoveryRequest(issuerIdentifier, options) {
             break;
         case 'oauth2':
             if (url.pathname === '/') {
-                url.pathname = `.well-known/oauth-authorization-server`;
+                url.pathname = '.well-known/oauth-authorization-server';
             }
             else {
                 url.pathname = `.well-known/oauth-authorization-server/${url.pathname}`.replace('//', '/');
@@ -342,21 +341,14 @@ function keyToJws(key) {
     }
 }
 function getClockSkew(client) {
-    if (client && clockSkew in client) {
-        if (Number.isFinite(client[clockSkew])) {
-            return client[clockSkew];
-        }
-    }
-    return 0;
+    const skew = client?.[clockSkew];
+    return typeof skew === 'number' && Number.isFinite(skew) ? skew : 0;
 }
 function getClockTolerance(client) {
-    if (client && clockTolerance in client) {
-        const tolerance = client[clockTolerance];
-        if (Number.isFinite(tolerance) && Math.sign(tolerance) !== -1) {
-            return tolerance;
-        }
-    }
-    return 30;
+    const tolerance = client?.[clockTolerance];
+    return typeof tolerance === 'number' && Number.isFinite(tolerance) && Math.sign(tolerance) !== -1
+        ? tolerance
+        : 30;
 }
 function epochTime() {
     return Math.floor(Date.now() / 1000);
@@ -489,8 +481,8 @@ export async function issueRequestObject(as, client, parameters, privateKey) {
         resource.length > 1) {
         claims.resource = resource;
     }
-    if (parameters.has('claims')) {
-        const value = parameters.get('claims');
+    let value = parameters.get('claims');
+    if (value) {
         if (value === '[object Object]') {
             throw new OPE('"claims" parameter must be passed as a UTF-8 encoded JSON');
         }
@@ -540,24 +532,22 @@ async function dpopProofJwt(headers, options, url, htm, clockSkew, accessToken)
     headers.set('dpop', proof);
 }
 let jwkCache;
-async function publicJwk(key) {
-    jwkCache || (jwkCache = new WeakMap());
-    if (jwkCache.has(key)) {
-        return jwkCache.get(key);
-    }
+async function getSetPublicJwkCache(key) {
     const { kty, e, n, x, y, crv } = await crypto.subtle.exportKey('jwk', key);
     const jwk = { kty, e, n, x, y, crv };
     jwkCache.set(key, jwk);
     return jwk;
 }
+async function publicJwk(key) {
+    jwkCache || (jwkCache = new WeakMap());
+    return jwkCache.get(key) || getSetPublicJwkCache(key);
+}
 function validateEndpoint(value, endpoint, options) {
     if (typeof value !== 'string') {
         if (options?.[useMtlsAlias]) {
             throw new TypeError(`"as.mtls_endpoint_aliases.${endpoint}" must be a string`);
         }
-        else {
-            throw new TypeError(`"as.${endpoint}" must be a string`);
-        }
+        throw new TypeError(`"as.${endpoint}" must be a string`);
     }
     return new URL(value);
 }
@@ -621,10 +611,10 @@ export function parseWwwAuthenticateChallenges(response) {
     if (!looseInstanceOf(response, Response)) {
         throw new TypeError('"response" must be an instance of Response');
     }
-    if (!response.headers.has('www-authenticate')) {
+    const header = response.headers.get('www-authenticate');
+    if (header === null) {
         return undefined;
     }
-    const header = response.headers.get('www-authenticate');
     const result = [];
     for (const { 1: scheme, index } of header.matchAll(SCHEMES_REGEXP)) {
         result.push([scheme, index]);
@@ -791,7 +781,7 @@ async function getPublicSigKeyFromIssuerJwksUri(as, options, header) {
         }
         throw new OPE('error when selecting a JWT verification key, no applicable keys found');
     }
-    else if (length !== 1) {
+    if (length !== 1) {
         throw new OPE('error when selecting a JWT verification key, multiple applicable keys found, a "kid" JWT Header Parameter is required');
     }
     const key = await importJwk(alg, jwk);
@@ -1771,8 +1761,9 @@ function normalizeHtu(htu) {
     url.hash = '';
     return url.href;
 }
-async function validateDPoP(as, request, accessTokenClaims, options) {
-    if (!request.headers.has('dpop')) {
+async function validateDPoP(as, request, accessToken, accessTokenClaims, options) {
+    const header = request.headers.get('dpop');
+    if (header === null) {
         throw new OPE('operation indicated DPoP use but the request has no DPoP HTTP Header');
     }
     if (request.headers.get('authorization')?.toLowerCase().startsWith('dpop ') === false) {
@@ -1782,7 +1773,7 @@ async function validateDPoP(as, request, accessTokenClaims, options) {
         throw new OPE('operation indicated DPoP use but the JWT Access Token has no jkt confirmation claim');
     }
     const clockSkew = getClockSkew(options);
-    const proof = await validateJwt(request.headers.get('dpop'), checkSigningAlgorithm.bind(undefined, undefined, as?.dpop_signing_alg_values_supported || SUPPORTED_JWS_ALGS), async ({ jwk, alg }) => {
+    const proof = await validateJwt(header, checkSigningAlgorithm.bind(undefined, undefined, as?.dpop_signing_alg_values_supported || SUPPORTED_JWS_ALGS), async ({ jwk, alg }) => {
         if (!jwk) {
             throw new OPE('DPoP Proof is missing the jwk header parameter');
         }
@@ -1807,7 +1798,6 @@ async function validateDPoP(as, request, accessTokenClaims, options) {
         throw new OPE('DPoP Proof htu mismatch');
     }
     {
-        const accessToken = request.headers.get('authorization').split(' ')[1];
         const expected = b64u(await crypto.subtle.digest('SHA-256', encoder.encode(accessToken)));
         if (proof.claims.ath !== expected) {
             throw new OPE('DPoP Proof ath mismatch');
@@ -1856,7 +1846,7 @@ export async function validateJwtAccessToken(as, request, expectedAudience, opti
         throw new OPE('"expectedAudience" must be a non-empty string');
     }
     const authorization = request.headers.get('authorization');
-    if (!authorization) {
+    if (authorization === null) {
         throw new OPE('"request" is missing an Authorization HTTP Header');
     }
     let { 0: scheme, 1: accessToken, length } = authorization.split(' ');
@@ -1911,7 +1901,7 @@ export async function validateJwtAccessToken(as, request, expectedAudience, opti
         scheme === 'dpop' ||
         claims.cnf?.jkt !== undefined ||
         request.headers.has('dpop')) {
-        await validateDPoP(as, request, claims, options);
+        await validateDPoP(as, request, accessToken, claims, options);
     }
     return claims;
 }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "oauth4webapi",
-  "version": "2.9.0",
+  "version": "2.10.0",
   "description": "OAuth 2 / OpenID Connect for JavaScript Runtimes",
   "keywords": [
     "access token",
@@ -67,7 +67,7 @@
   "devDependencies": {
     "@koa/cors": "^5.0.0",
     "@types/koa__cors": "^5.0.0",
-    "@types/node": "^20.11.15",
+    "@types/node": "^20.11.16",
     "@types/oidc-provider": "^8.4.3",
     "@types/qunit": "^2.19.10",
     "archiver": "^6.0.1",
@@ -75,12 +75,12 @@
     "chrome-launcher": "^1.1.0",
     "edge-runtime": "^2.5.8",
     "esbuild": "^0.20.0",
-    "jose": "^5.2.0",
+    "jose": "^5.2.1",
     "oidc-provider": "^8.4.5",
     "patch-package": "^8.0.0",
-    "prettier": "^3.2.4",
+    "prettier": "^3.2.5",
     "prettier-plugin-jsdoc": "^1.3.0",
-    "puppeteer-core": "^21.10.0",
+    "puppeteer-core": "^21.11.0",
     "qunit": "^2.20.0",
     "raw-body": "^2.5.2",
     "selfsigned": "^2.4.1",
@@ -88,7 +88,7 @@
     "tsx": "^4.7.0",
     "typedoc": "^0.25.7",
     "typedoc-plugin-markdown": "^3.17.1",
-    "typedoc-plugin-mdn-links": "^3.1.14",
+    "typedoc-plugin-mdn-links": "^3.1.15",
     "typescript": "^5.3.3",
     "undici": "^5.28.2"
   }