npm - zuplo - Versions diffs - 6.70.15 → 6.70.21 - Mend

zuplo 6.70.15 → 6.70.21

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (23) hide show

package/docs/policies/mtls-auth-inbound/intro.md CHANGED Viewed

@@ -1,6 +1,32 @@
-This policy will authenticate users based on mTLS certificates that are
-configured for your project. This policy is available only to enterprise
-customers (contact sales@zuplo.com to request info). When a requests is
-authenticated with an mTLS certificate, the certificate data will be set as the
-user object of the request. The `user.sub` property will be the value of the
-certificates DN.
+This policy verifies client mTLS results supplied by Zuplo's edge proxy. It
+checks the incoming mTLS verification status and, when enforcement is enabled,
+rejects requests where no client certificate was presented, certificate
+verification failed, or the certificate metadata cannot be parsed.
+When verification passes, the policy parses the client certificate metadata and
+sets it on `request.user.data.mtlsAuth`. The metadata includes `subject`,
+`issuer`, `notBefore`, `notAfter`, and `sha256Fingerprint`. If `request.user`
+already exists, its `sub` is preserved. Otherwise, the policy creates
+`request.user` with the certificate subject as `sub`.
+Set `allowUnauthenticatedRequests` to `true` to enable passthrough mode. In
+passthrough mode, requests are allowed even when mTLS verification fails or no
+certificate is present. If a parseable certificate is present, the policy still
+sets `request.user.data.mtlsAuth`; otherwise it leaves the request unchanged.
+Set `certIssuerDN` to the fully qualified issuer distinguished name to require
+on the client certificate. When set and enforcement is enabled, the policy
+rejects certificates whose parsed issuer DN does not match. Comparison is
+order-sensitive on RDNs (e.g. `"CN=foo, O=bar"` does not match
+`"O=bar, CN=foo"`, which matches RFC 4514 §2.1 semantics) but tolerant of
+casing and whitespace, so `"CN=example-ca, O=Example, C=US"` matches
+`"cn=Example-CA,o=example,c=us"`. Multi-valued RDNs (`+`) and hex-encoded
+values (`#...`) are not normalized. The simplest way to obtain the expected
+value is to inspect `request.user.data.mtlsAuth.issuer` from a request signed
+by the desired CA.
+The `certIssuerDN` is useful when you want to distinguish between client certs from
+different CAs if you have multiple set on your account. It is recommended to set this by default.
+Note: this policy does not work with local development since it relies on metadata from the upstream reverse proxy,
+it is recommended to test this using a working-copy or preview environment.

package/docs/policies/mtls-auth-inbound/schema.json CHANGED Viewed

@@ -4,8 +4,8 @@
   "type": "object",
   "title": "mTLS Auth",
   "isDeprecated": false,
-  "isPaidAddOn": true,
-  "isEnterprise": false,
+  "isPaidAddOn": false,
+  "isEnterprise": true,
   "isInternal": false,
   "isBeta": false,
   "isHidden": false,
@@ -37,17 +37,12 @@
             "allowUnauthenticatedRequests": {
               "type": "boolean",
               "default": false,
-              "description": "Indicates whether the request should continue if authentication fails. Default is `false` which means unauthenticated users will automatically receive a 401 response."
+              "description": "Allows requests to continue even when mTLS verification fails, no client certificate is presented, or the certificate metadata cannot be parsed. Defaults to false."
             },
-            "allowExpiredCertificates": {
-              "type": "boolean",
-              "default": false,
-              "description": "Indicates whether the request should continue if the certificate is expired."
-            },
-            "allowRevokedCertificates": {
-              "type": "boolean",
-              "default": false,
-              "description": "Indicates whether the request should continue if the certificate is revoked."
+            "certIssuerDN": {
+              "type": "string",
+              "description": "Optional fully qualified issuer distinguished name to require on the client certificate. When set, the policy rejects certificates whose parsed issuer DN does not match this string exactly. The expected format matches the parsed metadata issuer, e.g. \"CN=example-ca, O=Example, C=US\".",
+              "examples": ["CN=example-ca, O=Example, C=US"]
             }
           }
         }
@@ -57,9 +52,8 @@
           "export": "MTLSAuthInboundPolicy",
           "module": "$import(@zuplo/runtime)",
           "options": {
-            "allowExpiredCertificates": false,
-            "allowRevokedCertificates": false,
-            "allowUnauthenticatedRequests": false
+            "allowUnauthenticatedRequests": false,
+            "certIssuerDN": "CN=example-ca, O=Example, C=US"
           }
         }
       ]

package/docs/policies/prompt-injection-outbound/schema.json CHANGED Viewed

@@ -9,7 +9,7 @@
   "isInternal": false,
   "isBeta": false,
   "isHidden": false,
-  "products": ["api-gateway"],
+  "products": ["ai-gateway", "mcp-gateway"],
   "description": "Uses an LLM agent to detect prompt injection attempts in user provided content or potentially poisoned response bodies. This is primarily intended to be used with downstream LLM agents who are at risk of having prompt injection attacks executed against them.",
   "deprecatedMessage": "",
   "required": ["handler"],

package/docs/policies/semantic-cache-inbound/schema.json CHANGED Viewed

@@ -9,7 +9,7 @@
   "isInternal": false,
   "isBeta": true,
   "isHidden": false,
-  "products": ["api-gateway"],
+  "products": ["ai-gateway"],
   "description": "Respond to matched incoming requests with semantically cached content\n\nThe Semantic Cache Inbound policy caches responses based on semantic similarity of cache keys rather than exact matches. This allows for more flexible caching where similar requests can return cached responses even if the cache key is not exactly the same.\n\nThe policy uses Large Language Model (LLM) embeddings to determine semantic similarity between cache keys based on a configurable similarity tolerance.\n\nOptions: - semanticTolerance: The semantic similarity threshold for semantic cache matches (0-1, default: 0.2). Values closer to 0 require higher similarity. Can be overridden by custom functions. - expirationSecondsTtl: The timeout of the cache in seconds (default: 3600, 1 hour). Can be overridden by custom functions. - namespace: Optional namespace to isolate cache entries (default: \"default\"). Useful for multi-tenant scenarios or different cache contexts. - cacheBy: Determines how cache keys are generated: 'function' for custom logic or 'propertyPath' to extract from JSON body.",
   "deprecatedMessage": "",
   "required": ["handler"],

package/docs/policies/xml-to-json-outbound/schema.json CHANGED Viewed

@@ -2,7 +2,7 @@
   "$schema": "https://json-schema.org/draft-07/schema",
   "$id": "http://zuplo.com/schemas/policies/auth0-jwt-auth-inbound.json",
   "type": "object",
-  "title": "XML to JSON Outbound",
+  "title": "XML to JSON",
   "isDeprecated": false,
   "isPaidAddOn": false,
   "isEnterprise": false,

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "zuplo",
-  "version": "6.70.15",
+  "version": "6.70.21",
   "type": "module",
   "description": "The programmable API Gateway",
   "author": "Zuplo, Inc.",
@@ -19,9 +19,9 @@
     "zuplo": "zuplo.js"
   },
   "dependencies": {
-    "@zuplo/cli": "6.70.15",
-    "@zuplo/core": "6.70.15",
-    "@zuplo/runtime": "6.70.15",
+    "@zuplo/cli": "6.70.21",
+    "@zuplo/core": "6.70.21",
+    "@zuplo/runtime": "6.70.21",
     "@zuplo/test": "1.4.0"
   }
 }