samlesa 3.4.2 → 3.4.3

package/build/src/binding-artifact.js

@@ -5,11 +5,13 @@
  */
 import { checkStatus } from "./flow.js";
 import { ParserType, StatusCode, wording } from './urn.js';
+import * as crypto from "node:crypto";
 import libsaml from './libsaml.js';
 import libsamlSoap from './libsamlSoap.js';
 import utility, { get } from './utility.js';
 import { fileURLToPath } from "node:url";
 import { randomUUID } from 'node:crypto';
+import postBinding from './binding-post.js';
 import { artifactResolveFields, extract, loginRequestFields, loginResponseFields, logoutRequestFields, logoutResponseFields } from "./extractor.js";
 import { verifyTime } from "./validator.js";
 import { sendArtifactResolve } from "./soap.js";
@@ -137,141 +139,111 @@ function soapLoginRequest(referenceTagXPath, entity, customTagReplacement) {
     throw new Error('ERR_GENERATE_POST_LOGIN_REQUEST_MISSING_METADATA');
 }
 /**
- * @desc Generate a base64 encoded login response
- * @param  {object} requestInfo                 corresponding request, used to obtain the id
- * @param  {object} entity                      object includes both idp and sp
- * @param  {object} user                        current logged user (e.g. req.user)
- * @param  {function} customTagReplacement     used when developers have their own login response template
- * @param  {boolean}  encryptThenSign           whether or not to encrypt then sign first (if signing). Defaults to sign-then-encrypt
- * @param AttributeStatement
+ * Generates a SAML 2.0 compliant Artifact ID.
+ * Format: [4-byte source ID][2-byte endpoint index][20-byte sequence value]
+ * @param issuerId The entity ID of the issuing party (IdP).
+ * @param endpointIndex The index of the destination endpoint (default is '0004' for Artifact Resolution Service).
+ * @returns The Base64 encoded Artifact ID string.
  */
-async function soapLoginResponse(requestInfo = {}, entity, user = {}, customTagReplacement, encryptThenSign = false, AttributeStatement = []) {
-    const idpSetting = entity.idp.entitySetting;
-    const spSetting = entity.sp.entitySetting;
-    const id = idpSetting.generateID();
+/**
+ * 生成符合 SAML 2.0 规范的 Artifact
+ * 结构: [TypeCode: 2 bytes] + [EndpointIndex: 2 bytes] + [SourceID: 20 bytes] + [MessageHandle: 20 bytes]
+ */
+function generateArtifactId(issuerId, endpointIndex = 1) {
+    // 1. SourceID: 20 bytes SHA-1
+    const issuerHash = crypto.createHash('sha1').update(issuerId).digest();
+    const sourceId = issuerHash.subarray(0, 20); // 必须 20 字节
+    // 2. TypeCode: 0x0004
+    const typeCode = Buffer.from([0x00, 0x04]);
+    // 3. EndpointIndex: 2 bytes Big Endian
+    const indexBuffer = Buffer.alloc(2);
+    indexBuffer.writeUInt16BE(endpointIndex, 0);
+    // 4. MessageHandle: 20 random bytes
+    const messageHandle = crypto.randomBytes(20);
+    // 5. Concat: 2 + 2 + 20 + 20 = 44 bytes
+    const artifactBytes = Buffer.concat([typeCode, indexBuffer, sourceId, messageHandle]);
+    // 6. Base64
+    return artifactBytes.toString('base64');
+}
+// Initial response that sends only the artifact ID
+async function soapLoginResponse(params) {
+    const { entity } = params;
     const metadata = {
         idp: entity.idp.entityMeta,
         sp: entity.sp.entityMeta,
     };
-    const nameIDFormat = idpSetting.nameIDFormat;
-    const selectedNameIDFormat = Array.isArray(nameIDFormat) ? nameIDFormat[0] : nameIDFormat;
-    if (metadata && metadata.idp && metadata.sp) {
-        const base = metadata.sp.getAssertionConsumerService(binding.post);
-        let rawSamlResponse;
-        const nowTime = new Date();
-        const spEntityID = metadata.sp.getEntityID();
-        const oneMinutesLaterTime = new Date(nowTime.getTime());
-        oneMinutesLaterTime.setMinutes(oneMinutesLaterTime.getMinutes() + 5);
-        const OneMinutesLater = oneMinutesLaterTime.toISOString();
-        const now = nowTime.toISOString();
-        const acl = metadata.sp.getAssertionConsumerService(binding.post);
-        const sessionIndex = 'session' + idpSetting.generateID(); // 这个是当前系统的会话索引，用于单点注销
-        const tenHoursLaterTime = new Date(nowTime.getTime());
-        tenHoursLaterTime.setHours(tenHoursLaterTime.getHours() + 10);
-        const tenHoursLater = tenHoursLaterTime.toISOString();
-        const tvalue = {
-            ID: id,
-            AssertionID: idpSetting.generateID(),
-            Destination: base,
-            Audience: spEntityID,
-            EntityID: spEntityID,
-            SubjectRecipient: acl,
-            Issuer: metadata.idp.getEntityID(),
-            IssueInstant: now,
-            AssertionConsumerServiceURL: acl,
-            StatusCode: StatusCode.Success,
-            // can be customized
-            ConditionsNotBefore: now,
-            ConditionsNotOnOrAfter: OneMinutesLater,
-            SubjectConfirmationDataNotOnOrAfter: OneMinutesLater,
-            NameIDFormat: selectedNameIDFormat,
-            NameID: user?.NameID || '',
-            InResponseTo: get(requestInfo, 'extract.request.id', ''),
-            AuthnStatement: `<saml:AuthnStatement AuthnInstant="${now}" SessionNotOnOrAfter="${tenHoursLater}" SessionIndex="${sessionIndex}"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>`,
-            AttributeStatement: libsaml.attributeStatementBuilder(AttributeStatement),
-        };
-        if (idpSetting.loginResponseTemplate && customTagReplacement) {
-            const template = customTagReplacement(idpSetting.loginResponseTemplate.context);
-            rawSamlResponse = get(template, 'context', null);
-        }
-        else {
-            if (requestInfo !== null) {
-                tvalue.InResponseTo = requestInfo?.extract?.request?.id ?? '';
-            }
-            rawSamlResponse = libsaml.replaceTagsByValue(libsaml.defaultLoginResponseTemplate.context, tvalue);
-        }
-        const { privateKey, privateKeyPass, requestSignatureAlgorithm: signatureAlgorithm } = idpSetting;
-        const config = {
-            privateKey,
-            privateKeyPass,
-            signatureAlgorithm,
-            signingCert: metadata.idp.getX509Certificate('signing'),
-            isBase64Output: false,
-        };
-        // step: sign assertion ? -> encrypted ? -> sign message ?
-        if (metadata.sp.isWantAssertionsSigned()) {
-            rawSamlResponse = libsaml.constructSAMLSignature({
-                ...config,
-                rawSamlMessage: rawSamlResponse,
-                transformationAlgorithms: spSetting.transformationAlgorithms,
-                referenceTagXPath: "/*[local-name(.)='Response']/*[local-name(.)='Assertion']",
-                signatureConfig: {
-                    prefix: 'ds',
-                    location: {
-                        reference: "/*[local-name(.)='Response']/*[local-name(.)='Assertion']/*[local-name(.)='Issuer']",
-                        action: 'after'
-                    },
-                },
-            });
-        }
-        // console.debug('after assertion signed', rawSamlResponse);
-        // SAML response must be signed sign message first, then encrypt
-        if (!encryptThenSign && (spSetting.wantMessageSigned || !metadata.sp.isWantAssertionsSigned())) {
-            // console.debug('sign then encrypt and sign entire message');
-            // @ts-ignore
-            rawSamlResponse = libsaml.constructSAMLSignature({
-                ...config,
-                rawSamlMessage: rawSamlResponse,
-                isMessageSigned: true,
-                transformationAlgorithms: spSetting.transformationAlgorithms,
-                signatureConfig: spSetting.signatureConfig || {
-                    prefix: 'ds',
-                    location: { reference: "/*[local-name(.)='Response']/*[local-name(.)='Issuer']", action: 'after' },
-                },
-            });
-        }
-        // console.debug('after message signed', rawSamlResponse);
-        if (idpSetting.isAssertionEncrypted) {
-            // console.debug('idp is configured to do encryption');
-            const context = await libsaml.encryptAssertion(entity.idp, entity.sp, rawSamlResponse);
-            if (encryptThenSign) {
-                //need to decode it
-                rawSamlResponse = utility.base64Decode(context);
-            }
-            else {
-                return Promise.resolve({ id, context });
-            }
-        }
-        //sign after encrypting
-        if (encryptThenSign && (spSetting.wantMessageSigned || !metadata.sp.isWantAssertionsSigned())) {
-            // @ts-ignore
-            rawSamlResponse = libsaml.constructSAMLSignature({
-                ...config,
-                rawSamlMessage: rawSamlResponse,
-                isMessageSigned: true,
-                transformationAlgorithms: spSetting.transformationAlgorithms,
-                signatureConfig: spSetting.signatureConfig || {
-                    prefix: 'ds',
-                    location: { reference: "/*[local-name(.)='Response']/*[local-name(.)='Issuer']", action: 'after' },
-                },
-            });
-        }
-        return Promise.resolve({
-            id,
-            context: utility.base64Encode(rawSamlResponse),
-        });
+    if (!metadata.idp || !metadata.sp) {
+        throw new Error('ERR_GENERATE_ARTIFACT_MISSING_METADATA');
     }
-    throw new Error('ERR_GENERATE_POST_LOGIN_RESPONSE_MISSING_METADATA');
+    // 1. Generate the base SAML Response (Base64 encoded)
+    const samlResponseResult = await postBinding.base64LoginResponse(params);
+    const samlResponseXml = utility.base64Decode(samlResponseResult.context);
+    console.log(samlResponseXml);
+    console.log("我日你妈==");
+    // 2. Generate the SAML 2.0 Artifact ID
+    const artifactId = generateArtifactId(metadata.idp.getEntityID());
+    // 3. Cache the SAML Response XML using the artifactId as the key
+    // TODO: Implement your Redis caching logic here
+    // Example:
+    // const redisExpirySeconds = 300; // e.g., expire after 5 minutes
+    // await redis.setex(`artifact_cache:${artifactId}`, redisExpirySeconds, samlResponseXml);
+    // --- INSERT YOUR REDIS LOGIC HERE ---
+    // Example: await cacheInRedis(artifactId, samlResponseXml);
+    // 4. Prepare config for SOAP signing (reusing IDP settings)
+    const idpSetting = entity.idp.entitySetting;
+    const spSetting = entity.sp.entitySetting;
+    const config = {
+        privateKey: idpSetting.privateKey,
+        privateKeyPass: idpSetting.privateKeyPass,
+        signatureAlgorithm: idpSetting.requestSignatureAlgorithm,
+        signingCert: metadata.idp.getX509Certificate('signing'),
+        isBase64Output: false,
+    };
+    // 5. Construct the SOAP Envelope containing the Artifact ID
+    // This is CORRECT - in the initial response we only send the artifact ID
+    // The actual SAML response will be retrieved by the SP using the artifact resolution service
+    const soapBodyContent = `<samlp:ArtifactResponse
+                     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
+                                  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+                                  ID="${samlResponseResult.id}_artifact_resp"
+                                  InResponseTo="${params.requestInfo?.extract?.request?.id || ''}"
+                                  Version="2.0"
+                                  IssueInstant="${new Date().toISOString()}">
+                                       <saml2:Issuer>${metadata.idp.getEntityID()}</saml2:Issuer>
+        <samlp:Status>
+            <samlp:StatusCode Value="${StatusCode.Success}"/>
+        </samlp:Status>
+       ${samlResponseXml}
+    </samlp:ArtifactResponse>`;
+    const soapEnvelope = `
+<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
+    <soap:Header/>
+    <soap:Body>${soapBodyContent}</soap:Body>
+</soap:Envelope>`;
+    // 6. Sign the SOAP Envelope
+    // Reference the Body element for signature
+    // @ts-ignore
+    // @ts-ignore
+    const signedSoapEnvelope = libsaml.constructSAMLSignature({
+        ...config,
+        rawSamlMessage: soapEnvelope,
+        transformationAlgorithms: spSetting.transformationAlgorithms,
+        isMessageSigned: true,
+        referenceTagXPath: "/*[local-name(.)='Envelope']/*[local-name(.)='Body']/*[local-name(.)='ArtifactResponse']",
+        signatureConfig: {
+            prefix: 'ds',
+            location: {
+                // Place signature inside the ArtifactResponse element, before the Status element
+                reference: "/*[local-name(.)='Envelope']/*[local-name(.)='Body']/*[local-name(.)='ArtifactResponse']/*[local-name(.)='Status']",
+                action: 'before'
+            },
+        },
+    });
+    // 7. Return the Artifact ID and the Base64 encoded signed SOAP message
+    return {
+        id: artifactId, // This is the key you'll need for resolving the artifact later
+        context: utility.base64Encode(signedSoapEnvelope), // The SOAP message to send back
+    };
 }
 async function parseLoginRequestResolve(params) {
     let { idp, sp, xml, } = params;

package/build/src/entity-idp.js

@@ -10,6 +10,7 @@ import { namespace } from './urn.js';
 import postBinding from './binding-post.js';
 import redirectBinding from './binding-redirect.js';
 import simpleSignBinding from './binding-simplesign.js';
+import artifactBinding from './binding-artifact.js';
 import { flow } from './flow.js';
 /**
  * Identity provider can be configured using either metadata importing or idpSetting
@@ -36,7 +37,7 @@ export class IdentityProvider extends Entity {
      * @param params
      */
     async createLoginResponse(params) {
-        const bindType = params?.binding ?? 'post';
+        const bindType = (params?.binding ?? 'post');
         const { sp, requestInfo = {}, user = {}, customTagReplacement, encryptThenSign = false, relayState = '', AttributeStatement = [], idpInit = false, } = params;
         const protocol = namespace.binding[bindType];
         // can support post, redirect and post simple sign bindings for login response
@@ -66,6 +67,19 @@ export class IdentityProvider extends Entity {
                     idp: this,
                     sp,
                 }, user, relayState, customTagReplacement, AttributeStatement);
+            case namespace.binding.artifact:
+                return artifactBinding.soapLoginResponse({
+                    requestInfo,
+                    entity: {
+                        idp: this,
+                        sp,
+                    },
+                    user,
+                    customTagReplacement,
+                    encryptThenSign,
+                    AttributeStatement,
+                    idpInit,
+                });
             default:
                 throw new Error('ERR_CREATE_RESPONSE_UNDEFINED_BINDING');
         }

package/build/src/extractor.js

@@ -117,10 +117,27 @@ export const loginRequestFields = [
     { key: 'signature', localPath: ['AuthnRequest', 'Signature'], attributes: [], context: true }
 ];
 export const artifactResolveFields = [
-    { key: 'request', localPath: ['ArtifactResolve'], attributes: ['ID', 'IssueInstant', 'Version'] },
-    { key: 'issuer', localPath: ['ArtifactResolve', 'Issuer'], attributes: [] },
-    { key: 'Artifact', localPath: ['ArtifactResolve', 'Artifact'], attributes: [] },
-    { key: 'signature', localPath: ['ArtifactResolve', 'Signature'], attributes: [], context: true },
+    {
+        key: 'request',
+        localPath: ['Envelope', 'Body', 'ArtifactResolve'],
+        attributes: ['ID', 'IssueInstant', 'Version', 'Destination']
+    },
+    {
+        key: 'issuer',
+        localPath: ['Envelope', 'Body', 'ArtifactResolve', 'Issuer'],
+        attributes: []
+    },
+    {
+        key: 'artifact',
+        localPath: ['Envelope', 'Body', 'ArtifactResolve', 'Artifact'],
+        attributes: []
+    },
+    {
+        key: 'signature',
+        localPath: ['Envelope', 'Body', 'ArtifactResolve', 'Signature'],
+        attributes: [],
+        context: true
+    },
 ];
 export const artifactResponseFields = [
     { key: 'request', localPath: ['Envelope', 'Body', 'ArtifactResolve'], attributes: ['ID', 'IssueInstant', 'Version'] },
@@ -1487,6 +1504,9 @@ export function extractSp(context) {
 export function extractAuthRequest(context) {
     return extract(context, loginRequestFields);
 }
-export function extractResponse(context, ass) {
+export function extractResponse(context) {
     return extractSpToll(context, loginResponseFieldsFullList);
 }
+export function extractArtifactResolve(context) {
+    return extract(context, artifactResolveFields);
+}

package/build/src/schemaValidator.js

@@ -5,7 +5,8 @@ import { fileURLToPath } from 'node:url';
 import { DOMParser } from '@xmldom/xmldom';
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
-let normal = [
+// 定义各个场景所需的 schema 文件列表（保持不变）
+const normalSchemas = [
     'saml-schema-protocol-2.0.xsd',
     'saml-schema-assertion-2.0.xsd',
     'xmldsig-core-schema.xsd',
@@ -15,33 +16,31 @@ let normal = [
     'saml-schema-ecp-2.0.xsd',
     'saml-schema-dce-2.0.xsd'
 ];
-let soapSchema = [
+const soapSchemas = [
     'soap-envelope.xsd',
     'xml.xsd',
-    // 2. SOAP核心模式（所有SOAP消息的基础）
-    // 3. XML签名模式（SAML签名的前置依赖）
     'xmldsig-core-schema.xsd',
-    // 4. XML加密模式（SAML断言加密的前置依赖）
     'xenc-schema.xsd',
     'xenc-schema-11.xsd',
-    // 5. SAML核心模式（最基础的SAML组件）
-    'saml-schema-assertion-2.0.xsd', // 断言定义
-    // 6. SAML协议模式（依赖断言模式）
+    'saml-schema-assertion-2.0.xsd',
     'saml-schema-protocol-2.0.xsd',
-    // 7. SAML扩展模式（依赖核心模式）
-    'saml-schema-metadata-2.0.xsd', // 元数据
-    'saml-schema-ecp-2.0.xsd', // ECP扩展
-    'saml-schema-dce-2.0.xsd' // DCE扩展
+    'saml-schema-metadata-2.0.xsd',
+    'saml-schema-ecp-2.0.xsd',
+    'saml-schema-dce-2.0.xsd'
 ];
-let meta = [
-    'saml-schema-metadata-2.0.xsd', // 元数据
+const metadataSchemas = [
+    'saml-schema-metadata-2.0.xsd',
     'xml.xsd',
     'saml-schema-assertion-2.0.xsd',
     'xmldsig-core-schema.xsd',
     'xenc-schema.xsd',
-    'xenc-schema-11.xsd',
+    'xenc-schema-11.xsd'
 ];
-let schemas = normal;
+/**
+ * 检测 XML 字符串中是否存在 XXE 攻击指示器
+ * @param samlString 待检测的 XML 字符串
+ * @returns 如果存在可疑模式则返回匹配详情，否则返回 null
+ */
 function detectXXEIndicators(samlString) {
     const xxePatterns = [
         /<!DOCTYPE\s[^>]*>/i,
@@ -64,94 +63,112 @@ function detectXXEIndicators(samlString) {
     });
     return Object.keys(matches).length > 0 ? matches : null;
 }
+/**
+ * 加载指定的 schema 文件内容
+ * @param schemaNames 文件名数组
+ * @returns 包含 fileName 和 contents 的对象数组
+ */
+async function loadSchemas(schemaNames) {
+    const schemaPath = path.resolve(__dirname, 'schema');
+    return Promise.all(schemaNames.map(async (file) => ({
+        fileName: file,
+        contents: await fs.promises.readFile(`${schemaPath}/${file}`, 'utf-8')
+    })));
+}
+/**
+ * 验证 SAML 消息（普通或 SOAP）
+ * @param xml XML 字符串
+ * @param isSoap 是否为 SOAP 消息，默认 false
+ * @returns true 表示验证通过，否则抛出错误
+ * @throws 当检测到 XXE 或验证失败时抛出错误
+ */
 export const validate = async (xml, isSoap = false) => {
+    // 检测 XXE 攻击
     const indicators = detectXXEIndicators(xml);
     if (indicators) {
         throw new Error('ERR_EXCEPTION_VALIDATE_XML');
     }
-    schemas = isSoap ? soapSchema : normal;
-    const schemaPath = path.resolve(__dirname, 'schema');
-    const [xmlParse, ...preload] = await Promise.all(schemas.map(async (file) => ({
-        fileName: file,
-        contents: await fs.promises.readFile(`${schemaPath}/${file}`, 'utf-8')
-    })));
+    // 根据类型选择对应的 schema 列表（避免全局变量并发问题）
+    const schemaList = isSoap ? soapSchemas : normalSchemas;
+    const schemas = await loadSchemas(schemaList);
     try {
         const validationResult = await validateXML({
-            xml: [
-                {
-                    fileName: 'content.xml',
-                    contents: xml,
-                },
-            ],
+            xml: [{ fileName: 'content.xml', contents: xml }],
             extension: 'schema',
-            schema: [xmlParse],
-            preload: [xmlParse, ...preload],
+            schema: [schemas[0]], // 第一个 schema 作为主入口
+            preload: [schemas[0], ...schemas.slice(1)], // 其余作为预加载
         });
         if (validationResult.valid) {
             return true;
         }
+        // 验证失败，抛出错误对象
         throw validationResult.errors;
     }
     catch (error) {
-        throw new Error('ERR_EXCEPTION_VALIDATE_XML');
+        // 保留原始错误信息
+        throw error;
     }
 };
+/**
+ * 验证 SAML 元数据，并可选择解析元数据类型
+ * @param xml XML 字符串
+ * @param isParse 是否解析并返回元数据类型，默认 false
+ * @returns 验证通过时：若 isParse 为 true 返回 { isValid: true, metadataType: string }，否则返回 true；
+ *          验证失败时返回 Error 对象（保持原行为）
+ */
 export const validateMetadata = async (xml, isParse = false) => {
+    // 检测 XXE 攻击
     const indicators = detectXXEIndicators(xml);
     if (indicators) {
         throw new Error('ERR_EXCEPTION_VALIDATE_XML');
     }
-    schemas = meta;
-    const schemaPath = path.resolve(__dirname, 'schema');
-    const [xmlParse, ...preload] = await Promise.all(schemas.map(async (file) => ({
-        fileName: file,
-        contents: await fs.promises.readFile(`${schemaPath}/${file}`, 'utf-8')
-    })));
+    const schemas = await loadSchemas(metadataSchemas);
     try {
+        // @ts-ignore
         const validationResult = await validateXML({
-            xml: [
-                {
-                    fileName: 'content.xml',
-                    contents: xml,
-                },
-            ],
+            xml: [{ fileName: 'content.xml', contents: xml }],
             extension: 'schema',
-            schema: [xmlParse],
-            preload: [xmlParse, ...preload],
+            schema: [schemas[0]],
+            preload: [schemas[0], ...schemas.slice(1)],
         });
         if (validationResult.valid) {
             if (isParse) {
-                // 解析 XML 为 DOM 对象
+                // 解析 XML 并确定元数据类型
                 const parser = new DOMParser();
                 const xmlDoc = parser.parseFromString(xml, 'text/xml');
-                // 检查 IdP 和 SP 描述符元素
+                // 检查解析错误（防御性编程）
+                const parserError = xmlDoc.getElementsByTagName('parsererror');
+                if (parserError.length > 0) {
+                    // 解析失败，视为无效 XML，返回错误对象（与原逻辑一致）
+                    return new Error('XML parsing failed');
+                }
                 const idpDescriptor = xmlDoc.getElementsByTagNameNS('urn:oasis:names:tc:SAML:2.0:metadata', 'IDPSSODescriptor');
                 const spDescriptor = xmlDoc.getElementsByTagNameNS('urn:oasis:names:tc:SAML:2.0:metadata', 'SPSSODescriptor');
-                // 判断元数据类型
                 let metadataType;
                 if (idpDescriptor.length > 0 && spDescriptor.length > 0) {
-                    metadataType = 'both'; // 同时包含 IdP 和 SP
+                    metadataType = 'both';
                 }
                 else if (idpDescriptor.length > 0) {
-                    metadataType = 'IdP'; // 身份提供者
+                    metadataType = 'IdP';
                 }
                 else if (spDescriptor.length > 0) {
-                    metadataType = 'SP'; // 服务提供者
+                    metadataType = 'SP';
                 }
                 else {
-                    metadataType = 'unknown'; // 无法确定
+                    metadataType = 'unknown';
                 }
-                // 返回验证结果和元数据类型
                 return {
                     isValid: true,
-                    metadataType: metadataType
+                    metadataType
                 };
             }
             return true;
         }
-        throw validationResult.errors;
+        // 验证失败，返回错误对象（保持原行为）
+        return validationResult.errors;
     }
     catch (error) {
-        return error;
+        // 捕获其他异常（如文件读取失败）并返回错误对象
+        return error instanceof Error ? error : new Error(String(error));
     }
 };

package/build/src/urn.js

@@ -10,6 +10,16 @@ export var BindingNamespace;
     BindingNamespace["SimpleSign"] = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign";
     BindingNamespace["Artifact"] = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact";
 })(BindingNamespace || (BindingNamespace = {}));
+export const NamespaceBindingMap = {
+    'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect': 'redirect',
+    'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST': 'post',
+    'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign': 'simplesign',
+    'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact': 'artifact'
+};
+// 可选：添加反向查找函数
+function getBindingName(uri) {
+    return NamespaceBindingMap[uri];
+}
 export var MessageSignatureOrder;
 (function (MessageSignatureOrder) {
     MessageSignatureOrder["STE"] = "sign-then-encrypt";
@@ -51,6 +61,12 @@ const namespace = {
         artifact: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',
         soap: 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP',
     },
+    bindMap: {
+        'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect': 'redirect',
+        'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST': 'post',
+        'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign': 'simplesign',
+        'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact': 'artifact'
+    },
     names: {
         protocol: 'urn:oasis:names:tc:SAML:2.0:protocol',
         assertion: 'urn:oasis:names:tc:SAML:2.0:assertion',
@@ -306,4 +322,4 @@ const elementsOrder = {
     onelogin: ['KeyDescriptor', 'NameIDFormat', 'ArtifactResolutionService', 'SingleLogoutService', 'AssertionConsumerService', 'AttributeConsumingService'],
     shibboleth: ['KeyDescriptor', 'ArtifactResolutionService', 'SingleLogoutService', 'NameIDFormat', 'AssertionConsumerService', 'AttributeConsumingService',],
 };
-export { namespace, tags, algorithms, wording, elementsOrder, messageConfigurations };
+export { namespace, tags, algorithms, wording, elementsOrder, messageConfigurations, getBindingName };

package/package.json

@@ -1,75 +1,75 @@
-{
-  "name": "samlesa",
-  "version": "3.4.2",
-  "description": "High-level API for Single Sign On (SAML 2.0) baseed on samlify ",
-  "main": "build/index.js",
-  "keywords": [
-    "nodejs",
-    "saml2",
-    "sso",
-    "slo",
-    "metadata"
-  ],
-  "type": "module",
-  "typings": "types/index.d.ts",
-  "scripts": {
-    "build": "tsc && copyfiles -u 1 src/schema/**/* build/src",
-    "docs": "docsify serve -o docs",
-    "lint": "tslint -p .",
-    "lint:fix": "tslint -p . --fix",
-    "test": "vitest",
-    "test:watch": "vitest --watch",
-    "test:coverage": "vitest run --coverage",
-    "hooks:postinstall": "mklink /J .git\\hooks\\pre-commit .pre-commit.sh || copy .pre-commit.sh .git\\hooks\\pre-commit"
-  },
-  "exports": {
-    ".": {
-      "types": "./types/index.d.ts",
-      "import": "./build/index.js"
-    }
-  },
-  "files": [
-    "build",
-    "types"
-  ],
-  "contributors": [
-    "Veclea <vemocle@gmail.com>"
-  ],
-  "author": "Veclea",
-  "repository": {
-    "url": "https://github.com/Veclea/samlify.git",
-    "type": "git"
-  },
-  "license": "MIT",
-  "dependencies": {
-    "@xmldom/xmldom": "^0.9.8",
-    "axios": "^1.13.5",
-    "camelcase": "^9.0.0",
-    "cross-env": "^10.1.0",
-    "iconv-lite": "^0.7.2",
-    "ts-node": "^10.9.2",
-    "vite-tsconfig-paths": "^6.1.1",
-    "xml": "^1.0.1",
-    "xml-crypto": "^6.1.2",
-    "xml-crypto-next": "^7.0.4",
-    "xml-encryption-next": "^4.6.0",
-    "xml-escape": "^1.1.0",
-    "xml2js": "^0.6.2",
-    "xmllint-wasm": "^5.1.0",
-    "xpath": "^0.0.34"
-  },
-  "devDependencies": {
-    "@types/node": "^25.3.2",
-    "@types/pako": "2.0.4",
-    "@types/uuid": "11.0.0",
-    "@vitest/coverage-istanbul": "^4.0.18",
-    "@vitest/coverage-v8": "4.0.18",
-    "copyfiles": "^2.4.1",
-    "coveralls": "^3.1.1",
-    "esbuild": "^0.27.3",
-    "jsdom": "^28.1.0",
-    "timekeeper": "^2.3.1",
-    "typescript": "5.9.3",
-    "vitest": "^4.0.18"
-  }
-}
+{
+  "name": "samlesa",
+  "version": "3.4.3",
+  "description": "High-level API for Single Sign On (SAML 2.0) baseed on samlify ",
+  "main": "build/index.js",
+  "keywords": [
+    "nodejs",
+    "saml2",
+    "sso",
+    "slo",
+    "metadata"
+  ],
+  "type": "module",
+  "typings": "types/index.d.ts",
+  "scripts": {
+    "build": "tsc && copyfiles -u 1 src/schema/**/* build/src",
+    "docs": "docsify serve -o docs",
+    "lint": "tslint -p .",
+    "lint:fix": "tslint -p . --fix",
+    "test": "vitest",
+    "test:watch": "vitest --watch",
+    "test:coverage": "vitest run --coverage",
+    "hooks:postinstall": "mklink /J .git\\hooks\\pre-commit .pre-commit.sh || copy .pre-commit.sh .git\\hooks\\pre-commit"
+  },
+  "exports": {
+    ".": {
+      "types": "./types/index.d.ts",
+      "import": "./build/index.js"
+    }
+  },
+  "files": [
+    "build",
+    "types"
+  ],
+  "contributors": [
+    "Veclea <vemocle@gmail.com>"
+  ],
+  "author": "Veclea",
+  "repository": {
+    "url": "https://github.com/Veclea/samlify.git",
+    "type": "git"
+  },
+  "license": "MIT",
+  "dependencies": {
+    "@xmldom/xmldom": "^0.9.8",
+    "axios": "^1.13.6",
+    "camelcase": "^9.0.0",
+    "cross-env": "^10.1.0",
+    "iconv-lite": "^0.7.2",
+    "ts-node": "^10.9.2",
+    "vite-tsconfig-paths": "^6.1.1",
+    "xml": "^1.0.1",
+    "xml-crypto": "^6.1.2",
+    "xml-crypto-next": "^7.0.4",
+    "xml-encryption-next": "^4.6.0",
+    "xml-escape": "^1.1.0",
+    "xml2js": "^0.6.2",
+    "xmllint-wasm": "^5.2.0",
+    "xpath": "^0.0.34"
+  },
+  "devDependencies": {
+    "@types/node": "^25.5.0",
+    "@types/pako": "2.0.4",
+    "@types/uuid": "11.0.0",
+    "@vitest/coverage-istanbul": "^4.1.2",
+    "@vitest/coverage-v8": "4.1.2",
+    "copyfiles": "^2.4.1",
+    "coveralls": "^3.1.1",
+    "esbuild": "^0.27.4",
+    "jsdom": "^29.0.1",
+    "timekeeper": "^2.3.1",
+    "typescript": "6.0.2",
+    "vitest": "^4.1.2"
+  }
+}

package/types/src/binding-artifact.d.ts

@@ -1,5 +1,6 @@
 import type { BindingContext } from './entity.js';
 import { IdentityProviderConstructor as IdentityProvider, ServiceProviderConstructor as ServiceProvider } from "./types.js";
+import { Base64LoginResponseParams } from "./types.js";
 /**
  * @desc Generate a base64 encoded login request
  * @param  {string} referenceTagXPath           reference uri
@@ -7,16 +8,7 @@ import { IdentityProviderConstructor as IdentityProvider, ServiceProviderConstru
  * @param customTagReplacement
  */
 declare function soapLoginRequest(referenceTagXPath: string, entity: any, customTagReplacement?: (template: string) => BindingContext): any;
-/**
- * @desc Generate a base64 encoded login response
- * @param  {object} requestInfo                 corresponding request, used to obtain the id
- * @param  {object} entity                      object includes both idp and sp
- * @param  {object} user                        current logged user (e.g. req.user)
- * @param  {function} customTagReplacement     used when developers have their own login response template
- * @param  {boolean}  encryptThenSign           whether or not to encrypt then sign first (if signing). Defaults to sign-then-encrypt
- * @param AttributeStatement
- */
-declare function soapLoginResponse(requestInfo: any | undefined, entity: any, user?: any, customTagReplacement?: (template: string) => BindingContext, encryptThenSign?: boolean, AttributeStatement?: never[]): Promise<BindingContext>;
+declare function soapLoginResponse(params: Base64LoginResponseParams): Promise<BindingContext>;
 declare function parseLoginRequestResolve(params: {
     idp: IdentityProvider;
     sp: ServiceProvider;

package/types/src/binding-artifact.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"binding-artifact.d.ts","sourceRoot":"","sources":["../../src/binding-artifact.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,aAAa,CAAC;AAMhD,OAAO,EACH,2BAA2B,IAAI,gBAAgB,EAC/C,0BAA0B,IAAI,eAAe,EAChD,MAAM,YAAY,CAAC;AAwCpB;;;;;GAKG;AACH,iBAAS,gBAAgB,CAAC,iBAAiB,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,oBAAoB,CAAC,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,cAAc,GAAG,GAAG,CAkGlI;AAED;;;;;;;;GAQG;AACH,iBAAe,iBAAiB,CAAC,WAAW,EAAE,GAAG,YAAK,EAAE,MAAM,EAAE,GAAG,EAAE,IAAI,GAAE,GAAQ,EAAE,oBAAoB,CAAC,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,cAAc,EAAE,eAAe,GAAE,OAAe,EAAE,kBAAkB,UAAK,GAAG,OAAO,CAAC,cAAc,CAAC,CAuIpO;AAED,iBAAe,wBAAwB,CAAC,MAAM,EAAE;IAC5C,GAAG,EAAE,gBAAgB,CAAC;IACtB,EAAE,EAAE,eAAe,CAAC;IACpB,GAAG,EAAE,MAAM,CAAA;CACd;;;GAqDA;AAED,iBAAe,yBAAyB,CAAC,MAAM,EAAE;IAAE,GAAG,EAAE,gBAAgB,CAAC;IAAC,EAAE,EAAE,eAAe,CAAC;IAAC,GAAG,EAAE,MAAM,CAAA;CAAE;;;GAgP3G;AAED,QAAA,MAAM,mBAAmB;;;;;CAOxB,CAAC;AAEF,eAAe,mBAAmB,CAAC"}
+{"version":3,"file":"binding-artifact.d.ts","sourceRoot":"","sources":["../../src/binding-artifact.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,aAAa,CAAC;AAShD,OAAO,EACH,2BAA2B,IAAI,gBAAgB,EAC/C,0BAA0B,IAAI,eAAe,EAChD,MAAM,YAAY,CAAC;AAiBpB,OAAO,EAAC,yBAAyB,EAAC,MAAM,YAAY,CAAC;AAwBrD;;;;;GAKG;AACH,iBAAS,gBAAgB,CAAC,iBAAiB,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,oBAAoB,CAAC,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,cAAc,GAAG,GAAG,CAkGlI;AAqCD,iBAAe,iBAAiB,CAAC,MAAM,EAAE,yBAAyB,GAAG,OAAO,CAAC,cAAc,CAAC,CA0F3F;AAID,iBAAe,wBAAwB,CAAC,MAAM,EAAE;IAC5C,GAAG,EAAE,gBAAgB,CAAC;IACtB,EAAE,EAAE,eAAe,CAAC;IACpB,GAAG,EAAE,MAAM,CAAA;CACd;;;GAqDA;AAED,iBAAe,yBAAyB,CAAC,MAAM,EAAE;IAAE,GAAG,EAAE,gBAAgB,CAAC;IAAC,EAAE,EAAE,eAAe,CAAC;IAAC,GAAG,EAAE,MAAM,CAAA;CAAE;;;GAgP3G;AAED,QAAA,MAAM,mBAAmB;;;;;CAOxB,CAAC;AAEF,eAAe,mBAAmB,CAAC"}

package/types/src/entity-idp.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"entity-idp.d.ts","sourceRoot":"","sources":["../../src/entity-idp.ts"],"names":[],"mappings":"AAYA,OAAO,MAAM,EAAE,EAAC,KAAK,gBAAgB,EAAC,MAAM,aAAa,CAAC;AAC1D,OAAO,EACH,0BAA0B,IAAI,eAAe,EAE7C,wBAAwB,EACxB,KAAK,wBAAwB,EAChC,MAAM,YAAY,CAAC;AAMpB,OAAO,EAAO,KAAK,UAAU,EAAC,MAAM,WAAW,CAAC;AAEhD,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,aAAa,CAAC;AAEhD;;GAEG;AACH,MAAM,CAAC,OAAO,WAAW,KAAK,EAAE,wBAAwB,oBAEvD;AAED;;GAEG;AACH,qBAAa,gBAAiB,SAAQ,MAAM;IAEhC,UAAU,EAAE,wBAAwB,CAAC;gBAEjC,UAAU,EAAE,wBAAwB;IAWhD;;;OAGG;IACU,mBAAmB,CAAC,MAAM,EAAE;QACrC,EAAE,EAAE,eAAe,CAAC;QACpB,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QAClC,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QAC3B,oBAAoB,CAAC,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,cAAc,CAAC;QAC5D,eAAe,CAAC,EAAE,OAAO,CAAC;QAC1B,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,kBAAkB,CAAC,EAAE,EAAE,CAAC;QACxB,OAAO,CAAC,EAAE,KAAK,CAAC;KACnB;IAuDD;;;;;OAKG;IACH,iBAAiB,CAAC,EAAE,EAAE,eAAe,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,gBAAgB;CAYhF"}
+{"version":3,"file":"entity-idp.d.ts","sourceRoot":"","sources":["../../src/entity-idp.ts"],"names":[],"mappings":"AAYA,OAAO,MAAM,EAAE,EAAC,KAAK,gBAAgB,EAAC,MAAM,aAAa,CAAC;AAC1D,OAAO,EACH,0BAA0B,IAAI,eAAe,EAE7C,wBAAwB,EACxB,KAAK,wBAAwB,EAChC,MAAM,YAAY,CAAC;AAOpB,OAAO,EAAO,KAAK,UAAU,EAAC,MAAM,WAAW,CAAC;AAEhD,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,aAAa,CAAC;AAEhD;;GAEG;AACH,MAAM,CAAC,OAAO,WAAW,KAAK,EAAE,wBAAwB,oBAEvD;AAED;;GAEG;AACH,qBAAa,gBAAiB,SAAQ,MAAM;IAEhC,UAAU,EAAE,wBAAwB,CAAC;gBAEjC,UAAU,EAAE,wBAAwB;IAWhD;;;OAGG;IACU,mBAAmB,CAAC,MAAM,EAAE;QACrC,EAAE,EAAE,eAAe,CAAC;QACpB,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QAClC,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QAC3B,oBAAoB,CAAC,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,cAAc,CAAC;QAC5D,eAAe,CAAC,EAAE,OAAO,CAAC;QAC1B,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,kBAAkB,CAAC,EAAE,EAAE,CAAC;QACxB,OAAO,CAAC,EAAE,KAAK,CAAC;KAEnB;IAiED;;;;;OAKG;IACH,iBAAiB,CAAC,EAAE,EAAE,eAAe,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,gBAAgB;CAYhF"}

package/types/src/extractor.d.ts

@@ -32,6 +32,7 @@ export declare function extractSpData(context: string): any;
 export declare function extractIdp(context: string): any;
 export declare function extractSp(context: string): any;
 export declare function extractAuthRequest(context: string): any;
-export declare function extractResponse(context: string, ass: any): any;
+export declare function extractResponse(context: string): any;
+export declare function extractArtifactResolve(context: string): any;
 export {};
 //# sourceMappingURL=extractor.d.ts.map

package/types/src/extractor.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"extractor.d.ts","sourceRoot":"","sources":["../../src/extractor.ts"],"names":[],"mappings":"AAMA,UAAU,cAAc;IACtB,GAAG,EAAE,MAAM,CAAC;IACZ,SAAS,CAAC,EAAE,MAAM,EAAE,GAAG,MAAM,EAAE,EAAE,CAAC;IAClC,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IACtB,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;IACzB,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB,aAAa,CAAC,EAAE,CAAC,IAAI,EAAE,GAAG,KAAK,GAAG,CAAC;IAEnC,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAOD,MAAM,MAAM,eAAe,GAAG,cAAc,EAAE,CAAC;AA4B/C,eAAO,MAAM,kBAAkB,EAAE,eAsFhC,CAAC;AAKF,eAAO,MAAM,qBAAqB,EAAE,eAKnC,CAAC;AAEF,eAAO,MAAM,sBAAsB,EAAE,eAKpC,CAAC;AAEF,eAAO,MAAM,yBAAyB,EAAE,eAGvC,CAAC;AAEF,eAAO,MAAM,iCAAiC,EAAE,eAG/C,CAAC;AAEF,eAAO,MAAM,0BAA0B,EAAE,eAGxC,CAAC;AAEF,eAAO,MAAM,mBAAmB,EAAE,CAAC,CAAC,SAAS,EAAE,GAAG,KAAK,eAAe,CAWrE,CAAC;AAqMF,eAAO,MAAM,mBAAmB,EAAE,eAMjC,CAAC;AAEF,eAAO,MAAM,oBAAoB,EAAE,eAIlC,CAAC;AAKF,eAAO,MAAM,iBAAiB,EAAE,eAiI/B,CAAC;AAOF,eAAO,MAAM,gBAAgB,EAAE,eAyL9B,CAAC;AAEF,wBAAgB,OAAO,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,eAAe,OAiN/D;AASD,eAAO,MAAM,2BAA2B,EAAE,eAkZzC,CAAC;AAIF;;GAEG;AACH,wBAAgB,aAAa,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,eAAe,OAkRrE;AAKD,wBAAgB,aAAa,CAAC,OAAO,EAAE,MAAM,OAE5C;AAED,wBAAgB,UAAU,CAAC,OAAO,EAAE,MAAM,OAEzC;AAGD,wBAAgB,SAAS,CAAC,OAAO,EAAE,MAAM,OAExC;AACD,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,MAAM,OAEjD;AACD,wBAAgB,eAAe,CAAC,OAAO,EAAE,MAAM,EAAC,GAAG,EAAC,GAAG,OAEtD"}
+{"version":3,"file":"extractor.d.ts","sourceRoot":"","sources":["../../src/extractor.ts"],"names":[],"mappings":"AAMA,UAAU,cAAc;IACtB,GAAG,EAAE,MAAM,CAAC;IACZ,SAAS,CAAC,EAAE,MAAM,EAAE,GAAG,MAAM,EAAE,EAAE,CAAC;IAClC,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IACtB,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;IACzB,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB,aAAa,CAAC,EAAE,CAAC,IAAI,EAAE,GAAG,KAAK,GAAG,CAAC;IAEnC,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAOD,MAAM,MAAM,eAAe,GAAG,cAAc,EAAE,CAAC;AA4B/C,eAAO,MAAM,kBAAkB,EAAE,eAsFhC,CAAC;AAKF,eAAO,MAAM,qBAAqB,EAAE,eAsBnC,CAAC;AAEF,eAAO,MAAM,sBAAsB,EAAE,eAKpC,CAAC;AAEF,eAAO,MAAM,yBAAyB,EAAE,eAGvC,CAAC;AAEF,eAAO,MAAM,iCAAiC,EAAE,eAG/C,CAAC;AAEF,eAAO,MAAM,0BAA0B,EAAE,eAGxC,CAAC;AAEF,eAAO,MAAM,mBAAmB,EAAE,CAAC,CAAC,SAAS,EAAE,GAAG,KAAK,eAAe,CAWrE,CAAC;AAqMF,eAAO,MAAM,mBAAmB,EAAE,eAMjC,CAAC;AAEF,eAAO,MAAM,oBAAoB,EAAE,eAIlC,CAAC;AAKF,eAAO,MAAM,iBAAiB,EAAE,eAiI/B,CAAC;AAOF,eAAO,MAAM,gBAAgB,EAAE,eAyL9B,CAAC;AAEF,wBAAgB,OAAO,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,eAAe,OAiN/D;AASD,eAAO,MAAM,2BAA2B,EAAE,eAkZzC,CAAC;AAIF;;GAEG;AACH,wBAAgB,aAAa,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,eAAe,OAkRrE;AAKD,wBAAgB,aAAa,CAAC,OAAO,EAAE,MAAM,OAE5C;AAED,wBAAgB,UAAU,CAAC,OAAO,EAAE,MAAM,OAEzC;AAGD,wBAAgB,SAAS,CAAC,OAAO,EAAE,MAAM,OAExC;AACD,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,MAAM,OAEjD;AACD,wBAAgB,eAAe,CAAC,OAAO,EAAE,MAAM,OAE9C;AACD,wBAAgB,sBAAsB,CAAC,OAAO,EAAE,MAAM,OAErD"}

package/types/src/schemaValidator.d.ts

@@ -1,3 +1,20 @@
+/**
+ * 验证 SAML 消息（普通或 SOAP）
+ * @param xml XML 字符串
+ * @param isSoap 是否为 SOAP 消息，默认 false
+ * @returns true 表示验证通过，否则抛出错误
+ * @throws 当检测到 XXE 或验证失败时抛出错误
+ */
 export declare const validate: (xml: string, isSoap?: boolean) => Promise<boolean>;
-export declare const validateMetadata: (xml: string, isParse?: boolean) => Promise<any>;
+/**
+ * 验证 SAML 元数据，并可选择解析元数据类型
+ * @param xml XML 字符串
+ * @param isParse 是否解析并返回元数据类型，默认 false
+ * @returns 验证通过时：若 isParse 为 true 返回 { isValid: true, metadataType: string }，否则返回 true；
+ *          验证失败时返回 Error 对象（保持原行为）
+ */
+export declare const validateMetadata: (xml: string, isParse?: boolean) => Promise<true | Error | readonly import("xmllint-wasm").XMLValidationError[] | {
+    isValid: boolean;
+    metadataType: string;
+}>;
 //# sourceMappingURL=schemaValidator.d.ts.map

package/types/src/schemaValidator.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"schemaValidator.d.ts","sourceRoot":"","sources":["../../src/schemaValidator.ts"],"names":[],"mappings":"AA8EA,eAAO,MAAM,QAAQ,GAAU,KAAK,MAAM,EAAC,SAAQ,OAAe,qBAmCjE,CAAC;AACF,eAAO,MAAM,gBAAgB,GAAU,KAAK,MAAM,EAAC,UAAS,OAAe,iBA6D1E,CAAC"}
+{"version":3,"file":"schemaValidator.d.ts","sourceRoot":"","sources":["../../src/schemaValidator.ts"],"names":[],"mappings":"AAsFA;;;;;;GAMG;AACH,eAAO,MAAM,QAAQ,GAAU,KAAK,MAAM,EAAE,SAAQ,OAAe,qBA4BlE,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,gBAAgB,GAAU,KAAK,MAAM,EAAE,UAAS,OAAe;;;EA+D3E,CAAC"}

package/types/src/urn.d.ts

@@ -9,6 +9,8 @@ export declare enum BindingNamespace {
     SimpleSign = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign",
     Artifact = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
 }
+export declare const NamespaceBindingMap: Record<string, 'redirect' | 'post' | 'simplesign' | 'artifact'>;
+declare function getBindingName(uri: string): 'redirect' | 'post' | 'simplesign' | 'artifact' | undefined;
 export declare enum MessageSignatureOrder {
     STE = "sign-then-encrypt",
     ETS = "encrypt-then-sign"
@@ -46,6 +48,12 @@ declare const namespace: {
         artifact: string;
         soap: string;
     };
+    bindMap: {
+        'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect': string;
+        'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST': string;
+        'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign': string;
+        'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact': string;
+    };
     names: {
         protocol: string;
         assertion: string;
@@ -260,5 +268,5 @@ declare const elementsOrder: {
     onelogin: string[];
     shibboleth: string[];
 };
-export { namespace, tags, algorithms, wording, elementsOrder, messageConfigurations };
+export { namespace, tags, algorithms, wording, elementsOrder, messageConfigurations, getBindingName };
 //# sourceMappingURL=urn.d.ts.map

package/types/src/urn.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"urn.d.ts","sourceRoot":"","sources":["../../src/urn.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,oBAAY,gBAAgB;IAC1B,QAAQ,uDAAuD;IAC/D,IAAI,mDAAmD;IACvD,UAAU,8DAA8D;IACxE,QAAQ,uDAAuD;CAChE;AAED,oBAAY,qBAAqB;IAC/B,GAAG,sBAAsB;IACzB,GAAG,sBAAsB;CAC1B;AAED,oBAAY,UAAU;IAEpB,OAAO,+CAA+C;IACtD,SAAS,iDAAiD;IAC1D,SAAS,iDAAiD;IAC1D,eAAe,uDAAuD;IAEtE,UAAU,mDAAmD;IAC7D,sBAAsB,8DAA8D;IACpF,mBAAmB,2DAA2D;IAC9E,cAAc,sDAAsD;IACpE,cAAc,sDAAsD;IACpE,SAAS,iDAAiD;IAC1D,cAAc,sDAAsD;IACpE,aAAa,qDAAqD;IAClE,kBAAkB,0DAA0D;IAC5E,aAAa,qDAAqD;IAClE,kBAAkB,0DAA0D;IAC5E,wBAAwB,gEAAgE;IACxF,qBAAqB,6DAA6D;IAClF,oBAAoB,4DAA4D;IAChF,qBAAqB,6DAA6D;IAClF,gBAAgB,wDAAwD;IACxE,kBAAkB,0DAA0D;IAC5E,gBAAgB,wDAAwD;IACxE,kBAAkB,0DAA0D;CAC7E;AAED,QAAA,MAAM,SAAS;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA8Fd,CAAC;AAEF,QAAA,MAAM,IAAI;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA+BT,CAAC;AAEF,QAAA,MAAM,qBAAqB;;;;;CAK1B,CAAC;AAEF,QAAA,MAAM,UAAU;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;QAmFZ;;;WAGG;;;;;;;;;;;;;CAwBN,CAAC;AAaF,oBAAY,UAAU;IACpB,WAAW,gBAAgB;IAC3B,YAAY,iBAAiB;IAC7B,aAAa,kBAAkB;IAC/B,cAAc,mBAAmB;CAClC;AAED,QAAA,MAAM,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;CAyBZ,CAAC;AAIF,QAAA,MAAM,aAAa;;;;CAIlB,CAAC;AAEF,OAAO,EAAC,SAAS,EAAE,IAAI,EAAE,UAAU,EAAE,OAAO,EAAE,aAAa,EAAE,qBAAqB,EAAC,CAAC"}
+{"version":3,"file":"urn.d.ts","sourceRoot":"","sources":["../../src/urn.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,oBAAY,gBAAgB;IAC1B,QAAQ,uDAAuD;IAC/D,IAAI,mDAAmD;IACvD,UAAU,8DAA8D;IACxE,QAAQ,uDAAuD;CAChE;AACD,eAAO,MAAM,mBAAmB,EAAE,MAAM,CAAC,MAAM,EAAE,UAAU,GAAG,MAAM,GAAG,YAAY,GAAG,UAAU,CAK/F,CAAC;AAGD,iBAAS,cAAc,CAAC,GAAG,EAAE,MAAM,GAAG,UAAU,GAAG,MAAM,GAAG,YAAY,GAAG,UAAU,GAAG,SAAS,CAEjG;AAED,oBAAY,qBAAqB;IAC/B,GAAG,sBAAsB;IACzB,GAAG,sBAAsB;CAC1B;AAED,oBAAY,UAAU;IAEpB,OAAO,+CAA+C;IACtD,SAAS,iDAAiD;IAC1D,SAAS,iDAAiD;IAC1D,eAAe,uDAAuD;IAEtE,UAAU,mDAAmD;IAC7D,sBAAsB,8DAA8D;IACpF,mBAAmB,2DAA2D;IAC9E,cAAc,sDAAsD;IACpE,cAAc,sDAAsD;IACpE,SAAS,iDAAiD;IAC1D,cAAc,sDAAsD;IACpE,aAAa,qDAAqD;IAClE,kBAAkB,0DAA0D;IAC5E,aAAa,qDAAqD;IAClE,kBAAkB,0DAA0D;IAC5E,wBAAwB,gEAAgE;IACxF,qBAAqB,6DAA6D;IAClF,oBAAoB,4DAA4D;IAChF,qBAAqB,6DAA6D;IAClF,gBAAgB,wDAAwD;IACxE,kBAAkB,0DAA0D;IAC5E,gBAAgB,wDAAwD;IACxE,kBAAkB,0DAA0D;CAC7E;AAED,QAAA,MAAM,SAAS;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAoGd,CAAC;AAEF,QAAA,MAAM,IAAI;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA+BT,CAAC;AAEF,QAAA,MAAM,qBAAqB;;;;;CAK1B,CAAC;AAEF,QAAA,MAAM,UAAU;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;QAmFZ;;;WAGG;;;;;;;;;;;;;CAwBN,CAAC;AAaF,oBAAY,UAAU;IACpB,WAAW,gBAAgB;IAC3B,YAAY,iBAAiB;IAC7B,aAAa,kBAAkB;IAC/B,cAAc,mBAAmB;CAClC;AAED,QAAA,MAAM,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;CAyBZ,CAAC;AAIF,QAAA,MAAM,aAAa;;;;CAIlB,CAAC;AAEF,OAAO,EAAC,SAAS,EAAE,IAAI,EAAE,UAAU,EAAE,OAAO,EAAE,aAAa,EAAE,qBAAqB,EAAC,cAAc,EAAC,CAAC"}