samlesa 4.3.5 → 4.5.0

package/README.md

@@ -159,16 +159,19 @@ const { context: samlResponse } = await idp.createLoginResponse({
 ```typescript
 import { ServiceProvider, IdentityProvider } from 'samlesa';
 
-// Create SOAP login request (Artifact binding)
-const soapRequest = await sp.createLoginSoapRequest(idp, 'artifact', {
-  inResponseTo: '_requestId',
-});
+// Create front-channel artifact login request
+const loginRequest = sp.createLoginRequest(idp, 'artifact');
+
+// Parse ArtifactResolve request on the SP artifact resolution endpoint
+const artifactResolve = await sp.parseArtifactResolveRequest(idp, soapXml);
 
-// Parse Artifact Resolve request
-const artifactResult = await sp.parseLoginRequestResolve(idp, soapXml);
+// Create ArtifactResponse with the resolved SAML message
+const artifactResponse = await sp.createArtifactResolveResponse(idp, {
+  inResponseTo: artifactResolve.extract.request.id,
+});
 
-// Resolve SAML Response by Artifact ID
-const responseResult = await sp.parseLoginResponseResolve(idp, artifactId, request);
+// Parse artifact-based login response from the ACS endpoint
+const responseResult = await sp.parseLoginResponse(idp, 'artifact', request);
 ```
 
 ---

package/build/src/artifact.js

@@ -0,0 +1,55 @@
+import * as crypto from 'node:crypto';
+export const SAML2_ARTIFACT_TYPE_CODE = 0x0004;
+export const SAML2_ARTIFACT_LENGTH = 44;
+export function computeArtifactSourceId(entityId) {
+    return crypto.createHash('sha1').update(entityId).digest().subarray(0, 20);
+}
+export function generateArtifactId(entityId, endpointIndex = 0) {
+    if (!entityId || typeof entityId !== 'string') {
+        throw new Error('ERR_INVALID_ARTIFACT_ENTITY_ID');
+    }
+    if (!Number.isInteger(endpointIndex) || endpointIndex < 0 || endpointIndex > 0xffff) {
+        throw new Error('ERR_INVALID_ARTIFACT_ENDPOINT_INDEX');
+    }
+    const typeCode = Buffer.alloc(2);
+    typeCode.writeUInt16BE(SAML2_ARTIFACT_TYPE_CODE, 0);
+    const endpointIndexBuffer = Buffer.alloc(2);
+    endpointIndexBuffer.writeUInt16BE(endpointIndex, 0);
+    const artifact = Buffer.concat([
+        typeCode,
+        endpointIndexBuffer,
+        computeArtifactSourceId(entityId),
+        crypto.randomBytes(20),
+    ]);
+    return artifact.toString('base64');
+}
+export function parseArtifact(artifact) {
+    if (typeof artifact !== 'string' || artifact.trim() === '') {
+        throw new Error('ERR_INVALID_ARTIFACT');
+    }
+    const decoded = Buffer.from(artifact, 'base64');
+    if (decoded.length !== SAML2_ARTIFACT_LENGTH) {
+        throw new Error('ERR_INVALID_ARTIFACT_LENGTH');
+    }
+    const typeCode = decoded.readUInt16BE(0);
+    if (typeCode !== SAML2_ARTIFACT_TYPE_CODE) {
+        throw new Error('ERR_UNSUPPORTED_ARTIFACT_TYPE');
+    }
+    return {
+        artifact,
+        typeCode,
+        endpointIndex: decoded.readUInt16BE(2),
+        sourceId: decoded.subarray(4, 24).toString('hex'),
+        messageHandle: decoded.subarray(24, 44).toString('hex'),
+    };
+}
+export function validateArtifact(artifact, expectedEntityId) {
+    const parsed = parseArtifact(artifact);
+    if (expectedEntityId) {
+        const expectedSourceId = computeArtifactSourceId(expectedEntityId).toString('hex');
+        if (parsed.sourceId !== expectedSourceId) {
+            throw new Error('ERR_UNMATCH_ARTIFACT_SOURCE');
+        }
+    }
+    return parsed;
+}