@openparachute/scope-guard
@openparachute/scope-guard - npm Package Compare versions

Comparing version
0.4.0-rc.1
to
0.4.0-rc.2
+13
-0
dist/validate.d.ts

@@ -56,2 +56,15 @@ import { type JwksGetter, type JwksOptions } from "./jwks.js";

vaultScope: string[];
/**
* Raw `permissions` claim from the validated JWT payload, surfaced
* verbatim. scope-guard does NOT interpret it — it parses-and-passes the
* object so resource servers can read their own permission shapes without
* re-decoding the token. e.g. vault reads `permissions.scoped_tags` for
* tag-scoping; scope-guard knows nothing of `scoped_tags` semantics.
*
* Present only when the validated payload carries a non-null plain object
* under `permissions`. Absent or non-object (string / number / array)
* surfaces as `undefined` — distinct from an empty object `{}` so consumers
* can tell "no permissions claim" from "permissions claim with no entries."
*/
permissions?: Record<string, unknown>;
}

@@ -58,0 +71,0 @@ /** Reasons a hub JWT may fail validation. Each maps to a `HubJwtError.code`. */
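Review bot: The doc comment on `permissions?: Record<string, unknown>` should tell consumers how to look keys up, because the key set is chosen by the issuing hub rather than by the resource server, and a `Record<string, unknown>` lookup such as `permissions[name]` with a caller-supplied `name` resolves inherited members like `constructor` or `toString` to truthy values. A one-line addition after the last paragraph would close that gap: ` * Check for a permission with \`Object.hasOwn(permissions, key)\`, not \`key in permissions\` or a bare index, so prototype members are never mistaken for granted entries.` The same paragraph could also state that the object is the payload's own sub-object returned by reference, since "surfaced verbatim" leaves it open whether consumers receive a copy. The interface this field belongs to begins before the hunk, so its other members are not visible here.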

+14
-1

@@ -134,2 +134,15 @@ import { jwtVerify } from "jose";

: [];
// permissions: raw passthrough of the consumer-interpreted permissions
// object (e.g. vault's `scoped_tags`). scope-guard surfaces it verbatim
// without knowing its shape. Only a non-null plain object is surfaced;
// absent / null / non-object (string, number, array) leaves it
// `undefined` so "no claim" stays distinguishable from `{}`. Mirrors
// the defensive style of vaultScope above — malformed input is tolerated
// (left undefined), never thrown on.
const permissionsRaw = payload.permissions;
const permissions = typeof permissionsRaw === "object" &&
permissionsRaw !== null &&
!Array.isArray(permissionsRaw)
? permissionsRaw
: undefined;
// Revocation enforcement runs LAST — only consulted if the JWT is

@@ -157,3 +170,3 @@ // otherwise valid. Cheaper checks (signature, iss, aud, expiry,

}
return { sub: payload.sub, scopes, aud, jti, clientId, vaultScope };
return { sub: payload.sub, scopes, aud, jti, clientId, vaultScope, permissions };
},

@@ -160,0 +173,0 @@ resetJwksCache() {
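Review bot: The passthrough ending in `? permissionsRaw : undefined` hands back the payload's object by reference and unfrozen, so a consumer that merges it into a trusted object with `Object.assign` or a deep merge, or that mutates it, has to cope with an own `__proto__` or `constructor` key that a JSON-decoded claim can legitimately carry. Freezing at this boundary makes the "verbatim, read-only" contract the comment describes explicit and is a one-line change, assuming no consumer relies on mutating it: `? Object.freeze(permissionsRaw)`. The comment also calls the accepted value a "plain object", but the check only excludes `null` and arrays; that is accurate for a jose-decoded payload, which can only hold JSON values, and the comment could say so rather than implying a prototype check. The enclosing validate function starts before the first hunk, so the `vaultScope` handling it refers to is not visible here.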

+1
-1
{
"name": "@openparachute/scope-guard",
"version": "0.4.0-rc.1",
"version": "0.4.0-rc.2",
"description": "Hub-issued JWT validation for Parachute resource servers (vault, scribe, parachute-agent, third-party modules).",

@@ -5,0 +5,0 @@ "license": "AGPL-3.0",