samlesa 4.3.4 → 4.4.0

package/README.md

@@ -154,22 +154,25 @@ const { context: samlResponse } = await idp.createLoginResponse({
 });
 ```
 
-### Artifact Binding Support
-
-```typescript
-import { ServiceProvider, IdentityProvider } from 'samlesa';
-
-// Create SOAP login request (Artifact binding)
-const soapRequest = await sp.createLoginSoapRequest(idp, 'artifact', {
-  inResponseTo: '_requestId',
-});
-
-// Parse Artifact Resolve request
-const artifactResult = await sp.parseLoginRequestResolve(idp, soapXml);
-
-// Resolve SAML Response by Artifact ID
-const responseResult = await sp.parseLoginResponseResolve(idp, artifactId, request);
-```
+### Artifact Binding Support
+
+```typescript
+import { ServiceProvider, IdentityProvider } from 'samlesa';
+
+// Create front-channel artifact login request
+const loginRequest = sp.createLoginRequest(idp, 'artifact');
+
+// Parse ArtifactResolve request on the SP artifact resolution endpoint
+const artifactResolve = await sp.parseArtifactResolveRequest(idp, soapXml);
+
+// Create ArtifactResponse with the resolved SAML message
+const artifactResponse = await sp.createArtifactResolveResponse(idp, {
+  inResponseTo: artifactResolve.extract.request.id,
+});
+
+// Parse artifact-based login response from the ACS endpoint
+const responseResult = await sp.parseLoginResponse(idp, 'artifact', request);
+```
 
 ---
 

package/build/src/artifact.js

@@ -0,0 +1,55 @@
+import * as crypto from 'node:crypto';
+export const SAML2_ARTIFACT_TYPE_CODE = 0x0004;
+export const SAML2_ARTIFACT_LENGTH = 44;
+export function computeArtifactSourceId(entityId) {
+    return crypto.createHash('sha1').update(entityId).digest().subarray(0, 20);
+}
+export function generateArtifactId(entityId, endpointIndex = 0) {
+    if (!entityId || typeof entityId !== 'string') {
+        throw new Error('ERR_INVALID_ARTIFACT_ENTITY_ID');
+    }
+    if (!Number.isInteger(endpointIndex) || endpointIndex < 0 || endpointIndex > 0xffff) {
+        throw new Error('ERR_INVALID_ARTIFACT_ENDPOINT_INDEX');
+    }
+    const typeCode = Buffer.alloc(2);
+    typeCode.writeUInt16BE(SAML2_ARTIFACT_TYPE_CODE, 0);
+    const endpointIndexBuffer = Buffer.alloc(2);
+    endpointIndexBuffer.writeUInt16BE(endpointIndex, 0);
+    const artifact = Buffer.concat([
+        typeCode,
+        endpointIndexBuffer,
+        computeArtifactSourceId(entityId),
+        crypto.randomBytes(20),
+    ]);
+    return artifact.toString('base64');
+}
+export function parseArtifact(artifact) {
+    if (typeof artifact !== 'string' || artifact.trim() === '') {
+        throw new Error('ERR_INVALID_ARTIFACT');
+    }
+    const decoded = Buffer.from(artifact, 'base64');
+    if (decoded.length !== SAML2_ARTIFACT_LENGTH) {
+        throw new Error('ERR_INVALID_ARTIFACT_LENGTH');
+    }
+    const typeCode = decoded.readUInt16BE(0);
+    if (typeCode !== SAML2_ARTIFACT_TYPE_CODE) {
+        throw new Error('ERR_UNSUPPORTED_ARTIFACT_TYPE');
+    }
+    return {
+        artifact,
+        typeCode,
+        endpointIndex: decoded.readUInt16BE(2),
+        sourceId: decoded.subarray(4, 24).toString('hex'),
+        messageHandle: decoded.subarray(24, 44).toString('hex'),
+    };
+}
+export function validateArtifact(artifact, expectedEntityId) {
+    const parsed = parseArtifact(artifact);
+    if (expectedEntityId) {
+        const expectedSourceId = computeArtifactSourceId(expectedEntityId).toString('hex');
+        if (parsed.sourceId !== expectedSourceId) {
+            throw new Error('ERR_UNMATCH_ARTIFACT_SOURCE');
+        }
+    }
+    return parsed;
+}