samlesa 3.4.3 → 4.0.0

package/build/src/entity-sp.js

@@ -4,12 +4,11 @@
  * @desc  Declares the actions taken by service provider
  */
 import Entity from './entity.js';
-import Artifact from './binding-artifact.js';
+import artifactBinding from './binding-artifact.js';
 import { namespace } from './urn.js';
 import redirectBinding from './binding-redirect.js';
 import postBinding from './binding-post.js';
 import simpleSignBinding from './binding-simplesign.js';
-import artifactSignBinding from './binding-artifact.js';
 import { flow } from './flow.js';
 /*
  * @desc interface function
@@ -19,8 +18,7 @@ export default function (props) {
 }
 /**
  * @desc Service provider can be configured using either metadata importing or spSetting
- * @param  {object} spSettingimport { FlowResult } from '../types/src/flow.d';
-
+ * @param  {object} spSetting
  */
 export class ServiceProvider extends Entity {
     /**
@@ -61,8 +59,13 @@ export class ServiceProvider extends Entity {
                 // Object context = {id, context, signature, sigAlg}
                 context = simpleSignBinding.base64LoginRequest({ idp, sp: this }, customTagReplacement);
                 break;
+            case nsBinding.artifact:
+                context = artifactBinding.soapLoginRequest("/*[local-name(.)='AuthnRequest']", {
+                    idp,
+                    sp: this
+                }, customTagReplacement);
+                break;
             default:
-                // Will support artifact in the next release
                 throw new Error('ERR_SP_LOGIN_REQUEST_UNDEFINED_BINDING');
         }
         return {
@@ -73,13 +76,7 @@ export class ServiceProvider extends Entity {
         };
     }
     async createLoginSoapRequest(idp, binding = 'artifact', config) {
-        const nsBinding = namespace.binding;
-        const protocol = nsBinding[binding];
-        if (this.entityMeta.isAuthnRequestSigned() !== idp.entityMeta.isWantAuthnRequestsSigned()) {
-            throw new Error('ERR_METADATA_CONFLICT_REQUEST_SIGNED_FLAG');
-        }
-        let context = null;
-        context = await artifactSignBinding.soapLoginRequest("/*[local-name(.)='AuthnRequest']", {
+        const context = await artifactBinding.soapLoginRequest("/*[local-name(.)='AuthnRequest']", {
             idp,
             sp: this,
             inResponse: config?.inResponseTo,
@@ -106,22 +103,27 @@ export class ServiceProvider extends Entity {
         });
     }
     /**
-     * @desc   request SamlResponse by Arc id
+     * @desc   Parse and validate Artifact Resolve request
      * @param  {IdentityProvider}   idp             object of identity provider
-     * @param  {string}   binding                   protocol binding
-     * @param  {request}   req                      request
+     * @param  {string}   xml                       SOAP request XML string
      */
     parseLoginRequestResolve(idp, xml) {
         const self = this;
-        return Artifact.parseLoginRequestResolve({
+        return artifactBinding.parseLoginRequestResolve({
             idp: idp,
             sp: self,
             xml: xml
         });
     }
+    /**
+     * @desc   Resolve SAML Response by Artifact ID
+     * @param  {IdentityProvider}   idp             object of identity provider
+     * @param  {string}   art                       Artifact string
+     * @param  {request}   req                      request
+     */
     parseLoginResponseResolve(idp, art, request) {
         const self = this;
-        return Artifact.parseLoginResponseResolve({
+        return artifactBinding.parseLoginResponseResolve({
             idp: idp,
             sp: self,
             art: art

package/build/src/flow.js

@@ -225,7 +225,7 @@ async function postFlow(options) {
     if (parserType === 'SAMLResponse'
         && extractedProperties.conditions
         && !verifyTime(extractedProperties.conditions.notBefore, extractedProperties.conditions.notOnOrAfter, self.entitySetting.clockDrifts)) {
-        return Promise.reject('ERR_CONDITION_SESSION');
+        return Promise.reject('ERR_CONDITION_UNCONFIRMED');
     }
     // invalid subjectConfirmation time
     // invalid time
@@ -416,13 +416,6 @@ async function postArtifactFlow(options) {
     //There is no validation of the response here. The upper-layer application
     // should verify the result by itself to see if the destination is equal to the SP acs and
     // whether the response.id is used to prevent replay attacks.
-    let destination = extractedProperties?.response?.destination;
-    let isExit = self?.entityMeta?.meta?.assertionConsumerService?.filter((item) => {
-        return item?.location === destination;
-    });
-    if (isExit?.length === 0) {
-        return Promise.reject('ERR_Destination_URL');
-    }
     if (parserType === 'SAMLResponse') {
         let destination = extractedProperties?.response?.destination;
         let isExit = self?.entityMeta?.meta?.assertionConsumerService?.filter((item) => {

package/build/src/libsaml.js

@@ -5,7 +5,7 @@
  */
 import { X509Certificate } from 'node:crypto';
 import xml from 'xml';
-import utility, { flattenDeep, inflateString, isString } from './utility.js';
+import utility, { inflateString, isString, normalizeCertificates } from './utility.js';
 ;
 import * as crypto from 'node:crypto';
 import { algorithms, namespace, wording } from './urn.js';
@@ -524,13 +524,7 @@ xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="{ID}"
                     else if (opts.metadata) {
                         const certificateNode = select(".//*[local-name() = 'X509Certificate']", signatureNode);
                         let metadataCert = opts.metadata.getX509Certificate(certUse.signing);
-                        if (Array.isArray(metadataCert)) {
-                            metadataCert = flattenDeep(metadataCert);
-                        }
-                        else if (typeof metadataCert === 'string') {
-                            metadataCert = [metadataCert];
-                        }
-                        metadataCert = metadataCert.map(utility.normalizeCerString);
+                        metadataCert = normalizeCertificates(metadataCert);
                         if (certificateNode.length === 0 && metadataCert.length === 0) {
                             throw new Error('NO_SELECTED_CERTIFICATE');
                         }
@@ -580,14 +574,12 @@ xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="{ID}"
                 }
                 else if (opts.metadata) {
                     const certificateNode = select(".//*[local-name() = 'X509Certificate']", signatureNode);
+                    console.log(opts.metadata.getX509Certificate);
+                    console.log(certUse.signing);
+                    console.log("执行情况");
+                    console.log(opts);
                     let metadataCert = opts.metadata.getX509Certificate(certUse.signing);
-                    if (Array.isArray(metadataCert)) {
-                        metadataCert = flattenDeep(metadataCert);
-                    }
-                    else if (typeof metadataCert === 'string') {
-                        metadataCert = [metadataCert];
-                    }
-                    metadataCert = metadataCert.map(utility.normalizeCerString);
+                    metadataCert = normalizeCertificates(metadataCert);
                     if (certificateNode.length === 0 && metadataCert.length === 0) {
                         throw new Error('NO_SELECTED_CERTIFICATE');
                     }
@@ -627,13 +619,7 @@ xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="{ID}"
                 else if (opts.metadata) {
                     const certificateNode = select(".//*[local-name() = 'X509Certificate']", signatureNode);
                     let metadataCert = opts.metadata.getX509Certificate(certUse.signing);
-                    if (Array.isArray(metadataCert)) {
-                        metadataCert = flattenDeep(metadataCert);
-                    }
-                    else if (typeof metadataCert === 'string') {
-                        metadataCert = [metadataCert];
-                    }
-                    metadataCert = metadataCert.map(utility.normalizeCerString);
+                    metadataCert = normalizeCertificates(metadataCert);
                     if (certificateNode.length === 0 && metadataCert.length === 0) {
                         throw new Error('NO_SELECTED_CERTIFICATE');
                     }
@@ -791,13 +777,7 @@ xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="{ID}"
                     const certificateNode = select(".//*[local-name(.)='X509Certificate']", signatureNode);
                     // 证书处理逻辑
                     let metadataCert = opts.metadata.getX509Certificate(certUse.signing);
-                    if (Array.isArray(metadataCert)) {
-                        metadataCert = flattenDeep(metadataCert);
-                    }
-                    else if (typeof metadataCert === 'string') {
-                        metadataCert = [metadataCert];
-                    }
-                    metadataCert = metadataCert.map(utility.normalizeCerString);
+                    metadataCert = normalizeCertificates(metadataCert);
                     // 没有证书的情况
                     if (certificateNode.length === 0 && metadataCert.length === 0) {
                         throw new Error('NO_SELECTED_CERTIFICATE');
@@ -1070,13 +1050,7 @@ xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="{ID}"
                 else if (opts.metadata) {
                     const certificateNode = select(".//*[local-name(.)='X509Certificate']", signatureNode);
                     let metadataCert = opts.metadata.getX509Certificate(certUse.signing);
-                    if (Array.isArray(metadataCert)) {
-                        metadataCert = flattenDeep(metadataCert);
-                    }
-                    else if (typeof metadataCert === 'string') {
-                        metadataCert = [metadataCert];
-                    }
-                    metadataCert = metadataCert.map(utility.normalizeCerString);
+                    metadataCert = normalizeCertificates(metadataCert);
                     if (certificateNode.length === 0 && metadataCert.length === 0) {
                         throw new Error('NO_SELECTED_CERTIFICATE');
                     }

package/build/src/schemaValidator.js

@@ -43,13 +43,11 @@ const metadataSchemas = [
  */
 function detectXXEIndicators(samlString) {
     const xxePatterns = [
-        /<!DOCTYPE\s[^>]*>/i,
-        /<!ENTITY\s+[^\s>]+\s+(?:SYSTEM|PUBLIC)\s+['"][^>]*>/i,
-        /&[a-zA-Z0-9._-]+;/g,
-        /SYSTEM\s*=/i,
-        /PUBLIC\s*=/i,
-        /file:\/\//,
-        /\.dtd['"]?/
+        /<!DOCTYPE\s[^>]*>/i, // DOCTYPE 声明
+        /<!ENTITY\s+[^\s>]+\s+(?:SYSTEM|PUBLIC)\s+['"][^>]*>/i, // 外部实体声明
+        /SYSTEM\s*['"]\s*file:\/\//i, // file:// 协议的系统引用
+        /SYSTEM\s*['"]\s*\.\.\/.*\.dtd['"]?/i, // 相对路径的 DTD 引用
+        /PUBLIC\s*['"][^'"]*['"]\s*['"][^'"]*\.dtd['"]?/i // 公共 DTD 引用
     ];
     const matches = {};
     xxePatterns.forEach((pattern, index) => {

package/build/src/urn.js

@@ -189,22 +189,31 @@ const messageConfigurations = {
 const algorithms = {
     // 1. 签名算法定义 (SignatureMethod)
     signature: {
-        // ❌ 原文错误修正：ECDSA 不能用 rsa-sha256 的 URI
-        ECDSA_SHA256: 'http://www.w3.org/2007/05/xmldsig-more#ecdsa-sha256',
-        ECDSA_SHA384: 'http://www.w3.org/2007/05/xmldsig-more#ecdsa-sha384',
-        ECDSA_SHA512: 'http://www.w3.org/2007/05/xmldsig-more#ecdsa-sha512',
-        DSA_SHA1: 'http://www.w3.org/2000/09/xmldsig#dsa-sha1',
-        RSA_SHA1: 'http://www.w3.org/2000/09/xmldsig#rsa-sha1',
+        // ❌ 不安全的算法（已废弃）
+        RSA_SHA1: 'http://www.w3.org/2000/09/xmldsig#rsa-sha1', // ⚠️ 已废弃，不推荐使用
+        DSA_SHA1: 'http://www.w3.org/2000/09/xmldsig#dsa-sha1', // ⚠️ 已废弃，不推荐使用
+        // ✅ 安全的 RSA 算法（推荐）
         RSA_SHA224: 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha224',
-        RSA_SHA256: 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256', // 推荐
+        RSA_SHA256: 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256', // ⭐ 推荐
         RSA_SHA384: 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384',
         RSA_SHA512: 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512',
-        // XML Signature 1.1 PSS 填充 (更安全)
+        // ✅ ECDSA 算法（推荐）
+        ECDSA_SHA256: 'http://www.w3.org/2007/05/xmldsig-more#ecdsa-sha256', // ⭐ 推荐
+        ECDSA_SHA384: 'http://www.w3.org/2007/05/xmldsig-more#ecdsa-sha384',
+        ECDSA_SHA512: 'http://www.w3.org/2007/05/xmldsig-more#ecdsa-sha512',
+        // ✅ XML Signature 1.1 PSS 填充（更安全）
         RSA_PSS_SHA256: 'http://www.w3.org/2007/05/xmldsig-more#rsa-pss-sha256',
-        // EdDSA (Ed25519)
-        EDDSA_ED25519: 'http://www.w3.org/2007/05/xmldsig-more#eddsa-ed25519',
+        // ✅ EdDSA (Ed25519/Ed448)
+        EDDSA_ED25519: 'http://www.w3.org/2007/05/xmldsig-more#eddsa-ed25519', // ⭐ 推荐
         EDDSA_ED488: 'http://www.w3.org/2021/04/xmldsig-more#eddsa-ed448'
     },
+    // 不安全的算法列表（用于验证和阻止）
+    unsafeAlgorithms: [
+        'http://www.w3.org/2000/09/xmldsig#rsa-sha1',
+        'http://www.w3.org/2000/09/xmldsig#dsa-sha1',
+        'http://www.w3.org/2000/09/xmldsig#hmac-sha1',
+        'http://www.w3.org/2000/09/xmldsig#sha1',
+    ],
     // 2. 摘要算法定义 (DigestMethod)
     // 注意：这里直接使用标准推荐的 URI，SHA-2xx 系列推荐使用 xmlenc 命名空间
     digest: {
@@ -322,4 +331,77 @@ const elementsOrder = {
     onelogin: ['KeyDescriptor', 'NameIDFormat', 'ArtifactResolutionService', 'SingleLogoutService', 'AssertionConsumerService', 'AttributeConsumingService'],
     shibboleth: ['KeyDescriptor', 'ArtifactResolutionService', 'SingleLogoutService', 'NameIDFormat', 'AssertionConsumerService', 'AttributeConsumingService',],
 };
-export { namespace, tags, algorithms, wording, elementsOrder, messageConfigurations, getBindingName };
+/**
+ * 默认安全配置
+ */
+const defaultSecurityOptions = {
+    allowSHA1: false,
+    allowRSA15: false,
+    allowTripleDES: false,
+};
+/**
+ * 当前安全配置
+ */
+let currentSecurityOptions = { ...defaultSecurityOptions };
+/**
+ * 设置安全配置
+ * @param options 安全配置选项
+ */
+function setSecurityOptions(options) {
+    currentSecurityOptions = { ...currentSecurityOptions, ...options };
+}
+/**
+ * 获取当前安全配置
+ * @returns 安全配置对象
+ */
+function getSecurityOptions() {
+    return currentSecurityOptions;
+}
+/**
+ * 重置为默认安全配置
+ */
+function resetSecurityOptions() {
+    currentSecurityOptions = { ...defaultSecurityOptions };
+}
+/**
+ * 验证算法是否安全
+ * @param algorithm 算法 URI
+ * @returns 验证结果
+ */
+function validateAlgorithm(algorithm) {
+    // 检查 SHA-1
+    if (!currentSecurityOptions.allowSHA1 && algorithm.toLowerCase().includes('sha1')) {
+        return {
+            valid: false,
+            reason: 'SHA-1 algorithm is not allowed. Use SHA-256 or stronger.'
+        };
+    }
+    // 检查 RSA-1_5
+    if (!currentSecurityOptions.allowRSA15 && algorithm.includes('rsa-1_5')) {
+        return {
+            valid: false,
+            reason: 'RSA-1_5 key encryption is not allowed. Use RSA-OAEP instead.'
+        };
+    }
+    // 检查 TripleDES
+    if (!currentSecurityOptions.allowTripleDES && algorithm.includes('tripledes')) {
+        return {
+            valid: false,
+            reason: 'TripleDES encryption is not allowed. Use AES-GCM instead.'
+        };
+    }
+    return { valid: true };
+}
+/**
+ * 检查算法是否为不安全算法
+ * @param algorithm 算法 URI
+ * @returns 检查结果
+ */
+function checkUnsafeAlgorithm(algorithm) {
+    const isUnsafe = algorithms.unsafeAlgorithms.some(unsafeAlg => algorithm.toLowerCase().includes(unsafeAlg.toLowerCase().replace('http://www.w3.org/2000/09/xmldsig#', '').replace('#', ''))) || algorithm.toLowerCase().includes('sha1');
+    return {
+        isUnsafe,
+        algorithm: isUnsafe ? algorithm : undefined
+    };
+}
+export { namespace, tags, algorithms, wording, elementsOrder, messageConfigurations, getBindingName, defaultSecurityOptions, setSecurityOptions, getSecurityOptions, resetSecurityOptions, validateAlgorithm, checkUnsafeAlgorithm };

package/build/src/utility.js

@@ -178,11 +178,21 @@ function applyDefault(obj1, obj2) {
  * @return {string} public key fetched from the certificate
  */
 function getPublicKeyPemFromCertificate(x509CertificateString) {
-    const derBuffer = Buffer.from(x509CertificateString, 'base64');
+    // 清理证书字符串：移除 PEM 头尾、换行符、空格等
+    const cleanCert = x509CertificateString
+        .replace(/-----BEGIN CERTIFICATE-----/g, '')
+        .replace(/-----END CERTIFICATE-----/g, '')
+        .replace(/\r\n/g, '')
+        .replace(/\n/g, '')
+        .replace(/\r/g, '')
+        .replace(/ /g, '')
+        .trim();
+    // 将 Base64 字符串转换为 PEM 格式（添加头尾标记）
+    const pemCert = `-----BEGIN CERTIFICATE-----\n${cleanCert}\n-----END CERTIFICATE-----`;
     // 解析 X.509 证书
-    const cert2 = new X509Certificate(derBuffer);
+    const cert2 = new X509Certificate(pemCert);
     const publicKeyObject = cert2.publicKey;
-    // 3. 导出为 PEM 格式
+    // 导出为 PEM 格式
     return publicKeyObject.export({
         type: 'spki', // 使用 Subject Public Key Info 结构
         format: 'pem' // 输出 PEM 格式
@@ -312,6 +322,192 @@ export function castArrayOpt(a) {
 export function notEmpty(value) {
     return value !== null && value !== undefined;
 }
+/**
+ * @desc 验证 RelayState 是否符合 SAML 2.0 规范
+ * @param {string} relayState - RelayState 值
+ * @returns {{ valid: boolean; error?: string }} 验证结果
+ */
+export function validateRelayState(relayState) {
+    // RelayState 是可选的
+    if (!relayState || relayState.length === 0) {
+        return { valid: true };
+    }
+    // 验证长度（SAML 规范限制 80 字节）
+    if (relayState.length > 80) {
+        return {
+            valid: false,
+            error: 'RelayState exceeds 80 bytes'
+        };
+    }
+    // 验证是否为合法 URL（如果是 URL）
+    if (relayState.startsWith('http://') || relayState.startsWith('https://')) {
+        try {
+            new URL(relayState);
+        }
+        catch {
+            return {
+                valid: false,
+                error: 'RelayState is not a valid URL'
+            };
+        }
+    }
+    return { valid: true };
+}
+/**
+ * @desc 敏感信息键名列表（用于日志脱敏）
+ */
+const sensitiveKeys = [
+    'privateKey',
+    'privateKeyPass',
+    'encPrivateKey',
+    'encPrivateKeyPass',
+    'password',
+    'secret',
+    'signingCert',
+    'encryptCert'
+];
+/**
+ * @desc 验证并标准化证书数组，处理 null、undefined、空字符串、非数组等边界情况
+ * @param {any} metadataCert - 证书输入，可能是 string、string[]、null、undefined 或其他类型
+ * @returns {string[]} 标准化后的证书字符串数组（纯 Base64 格式，无 PEM 头尾和换行）
+ * @throws {Error} 当证书格式无效时抛出错误
+ */
+export function normalizeCertificates(metadataCert) {
+    // 处理 null 或 undefined
+    if (metadataCert === null || metadataCert === undefined) {
+        return [];
+    }
+    let certArray;
+    // 转换为数组
+    if (Array.isArray(metadataCert)) {
+        // 扁平化嵌套数组
+        certArray = flattenDeep(metadataCert);
+    }
+    else if (typeof metadataCert === 'string') {
+        // 单个字符串转为数组
+        certArray = [metadataCert];
+    }
+    else {
+        // 不支持的类型
+        console.warn(`normalizeCertificates: 不支持的证书类型 ${typeof metadataCert}，返回空数组`);
+        return [];
+    }
+    // 过滤和清理证书
+    const cleanedCerts = certArray
+        .filter((cert) => {
+        // 过滤 null、undefined、空字符串
+        if (cert === null || cert === undefined) {
+            return false;
+        }
+        if (typeof cert !== 'string') {
+            console.warn(`normalizeCertificates: 跳过非字符串证书类型 ${typeof cert}`);
+            return false;
+        }
+        const trimmed = cert.trim();
+        if (trimmed.length === 0) {
+            return false;
+        }
+        return true;
+    })
+        .map((cert) => {
+        // 清理证书字符串：移除 PEM 头尾、换行符、空格等
+        return cert
+            .replace(/-----BEGIN CERTIFICATE-----/g, '')
+            .replace(/-----END CERTIFICATE-----/g, '')
+            .replace(/\r\n/g, '')
+            .replace(/\n/g, '')
+            .replace(/\r/g, '')
+            .replace(/ /g, '')
+            .trim();
+    })
+        .filter((cert) => cert.length > 0); // 再次过滤空字符串
+    // 验证证书格式（可选，仅验证 Base64 格式）
+    const base64Regex = /^[A-Za-z0-9+/]+=*$/;
+    for (const cert of cleanedCerts) {
+        if (!base64Regex.test(cert)) {
+            throw new Error(`无效的证书格式：证书必须是有效的 Base64 编码，当前值：${cert.substring(0, 50)}...`);
+        }
+    }
+    return cleanedCerts;
+}
+/**
+ * @desc 验证证书是否有效（可选，用于更严格的验证）
+ * @param {string} certificateBase64 - Base64 编码的证书（不含 PEM 头尾）
+ * @returns {{ isValid: boolean; error?: string }} 验证结果
+ */
+export function validateCertificate(certificateBase64) {
+    try {
+        // 清理证书
+        const cleanCert = certificateBase64
+            .replace(/-----BEGIN CERTIFICATE-----/g, '')
+            .replace(/-----END CERTIFICATE-----/g, '')
+            .replace(/\r\n/g, '')
+            .replace(/\n/g, '')
+            .replace(/\r/g, '')
+            .replace(/ /g, '')
+            .trim();
+        // 验证 Base64 格式
+        const base64Regex = /^[A-Za-z0-9+/]+=*$/;
+        if (!base64Regex.test(cleanCert)) {
+            return {
+                isValid: false,
+                error: '无效的 Base64 编码'
+            };
+        }
+        // 转换为 PEM 格式
+        const pemCert = `-----BEGIN CERTIFICATE-----\n${cleanCert}\n-----END CERTIFICATE-----`;
+        // 尝试解析证书
+        const cert = new X509Certificate(pemCert);
+        // 检查有效期
+        const now = new Date();
+        if (new Date(cert.validFrom) > now || new Date(cert.validTo) < now) {
+            return {
+                isValid: false,
+                error: '证书已过期或尚未生效'
+            };
+        }
+        // 检查公钥类型
+        const keyType = cert.publicKey.asymmetricKeyType;
+        if (keyType && !['rsa', 'ec'].includes(keyType)) {
+            return {
+                isValid: false,
+                error: '证书使用不支持的公钥类型'
+            };
+        }
+        return { isValid: true };
+    }
+    catch (error) {
+        return {
+            isValid: false,
+            error: error instanceof Error ? error.message : '未知错误'
+        };
+    }
+}
+/**
+ * @desc 日志脱敏函数，过滤敏感信息
+ * @param {any} data - 需要脱敏的数据
+ * @returns {any} 脱敏后的数据
+ */
+export function sanitizeLog(data) {
+    if (typeof data !== 'object' || data === null) {
+        return data;
+    }
+    const sanitized = Array.isArray(data) ? [] : {};
+    for (const [key, value] of Object.entries(data)) {
+        // 检查是否为敏感键名
+        if (sensitiveKeys.some(k => k.toLowerCase() === key.toLowerCase())) {
+            sanitized[key] = '***REDACTED***';
+        }
+        else if (typeof value === 'object' && value !== null) {
+            // 递归处理嵌套对象
+            sanitized[key] = sanitizeLog(value);
+        }
+        else {
+            sanitized[key] = value;
+        }
+    }
+    return sanitized;
+}
 const utility = {
     isString,
     base64Encode,
@@ -327,5 +523,9 @@ const utility = {
     readPrivateKey,
     convertToString,
     isNonEmptyArray,
+    validateRelayState,
+    sanitizeLog,
+    normalizeCertificates,
+    validateCertificate,
 };
 export default utility;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "samlesa",
-  "version": "3.4.3",
+  "version": "4.0.0",
   "description": "High-level API for Single Sign On (SAML 2.0) baseed on samlify ",
   "main": "build/index.js",
   "keywords": [
@@ -12,14 +12,23 @@
   ],
   "type": "module",
   "typings": "types/index.d.ts",
+  "homepage": "https://saml.veclea.com",
   "scripts": {
     "build": "tsc && copyfiles -u 1 src/schema/**/* build/src",
-    "docs": "docsify serve -o docs",
+    "build:fast": "tsc",
+    "build:clean": "tsc --build --clean && pnpm run build",
+    "docs:dev": "cd docs && npm run docs:dev",
+    "docs:build": "cd docs && npm run docs:build",
+    "docs:preview": "cd docs && npm run docs:preview",
+    "docs:deploy": "vercel --prod",
     "lint": "tslint -p .",
     "lint:fix": "tslint -p . --fix",
-    "test": "vitest",
-    "test:watch": "vitest --watch",
+    "test": "vitest run",
+    "test:watch": "vitest",
     "test:coverage": "vitest run --coverage",
+    "test:fast": "vitest run --pool=forks",
+    "test:artifact": "vitest run test/artifact.test.ts",
+    "generate-certs": "node scripts/generate-certs.js",
     "hooks:postinstall": "mklink /J .git\\hooks\\pre-commit .pre-commit.sh || copy .pre-commit.sh .git\\hooks\\pre-commit"
   },
   "exports": {
@@ -40,6 +49,10 @@
     "url": "https://github.com/Veclea/samlify.git",
     "type": "git"
   },
+  "bugs": {
+    "url": "https://github.com/Veclea/samlify/issues"
+  },
+  "docs": "https://saml.veclea.com",
   "license": "MIT",
   "dependencies": {
     "@xmldom/xmldom": "^0.9.8",