Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More →
@sap/xssec
Advanced tools
@sap/xssec - npm Package Compare versions
Comparing version 2.1.17 to 2.2.0
| # Change Log | ||
| All notable changes to this project will be documented in this file. | ||
| ## 2.2.0 - 2019-06-17 | ||
| - Align key cache implementation with other container security libraries | ||
| ## 2.1.17 - 2019-05-17 | ||
@@ -5,0 +9,0 @@ |
@@ -82,8 +82,8 @@ 'use strict'; | ||
| KeyCache.prototype.getKey = function getKey(keyId, uaaUrl, cb) { | ||
| KeyCache.prototype.getKey = function getKey(tokenKeyUrl, keyId, cb) { | ||
| var self = this; | ||
| if ((keyId === null) || (keyId === undefined)) { | ||
| if ((tokenKeyUrl === null) || (tokenKeyUrl === undefined)) { | ||
| var error = new Error( | ||
| 'Parameter keyId null or undefined. To read a key from the KeyCache with function KeyCache.getKey, you need to specify parameter keyId.'); | ||
| 'Parameter tokenKeyUrl null or undefined. To enable the KeyCache reading keys from the UAA which are yet unavailable in the cache, you need to specify parameter tokenKeyUrl as a valid https URL.'); | ||
| return process.nextTick(function() { | ||
@@ -93,5 +93,5 @@ cb(error, null); | ||
| } | ||
| if ((uaaUrl === null) || (uaaUrl === undefined)) { | ||
| if (validUrl.isHttpsUri(tokenKeyUrl) === undefined) { | ||
| var error = new Error( | ||
| 'Parameter uaaUrl null or undefined. To enable the KeyCache reading keys from the UAA which are yet unavailable in the cache, you need to specify parameter uaaUrl as a valid https URL.'); | ||
| 'Parameter tokenKeyUrl is not a valid https URL. To enable the KeyCache reading keys from the UAA which are yet unavailable in the cache, you need to specify parameter tokenKeyUrl as a valid https URL.'); | ||
| return process.nextTick(function() { | ||
@@ -101,5 +101,5 @@ cb(error, null); | ||
| } | ||
| if (validUrl.isHttpsUri(uaaUrl) === undefined) { | ||
| if ((keyId === null) || (keyId === undefined)) { | ||
| var error = new Error( | ||
| 'Parameter uaaUrl is not a valid https URL. To enable the KeyCache reading keys from the UAA which are yet unavailable in the cache, you need to specify parameter uaaUrl as a valid https URL.'); | ||
| 'Parameter keyId null or undefined. To read a key from the KeyCache with function KeyCache.getKey, you need to specify parameter keyId.'); | ||
| return process.nextTick(function() { | ||
@@ -110,8 +110,8 @@ cb(error, null); | ||
| debugTrace('Looking for key with keyID: "' + keyId + '" in cache.'); | ||
| var cacheKey = tokenKeyUrl + keyId; | ||
| debugTrace('Looking for key "' + cacheKey + '" in cache.'); | ||
| // Check whether keyid is in cache | ||
| var tmpResult = this.lruCache.get(keyId); | ||
| var tmpResult = this.lruCache.get(cacheKey); | ||
| if (tmpResult !== undefined) { | ||
| debugTrace('Key with keyID: "' + keyId | ||
| + '" found in cache. Returning key "' + tmpResult + '".'); | ||
| debugTrace('Key with keyID: "' + keyId + '" found in cache. Returning key "' + tmpResult + '".'); | ||
| return process.nextTick(function() { | ||
@@ -123,4 +123,3 @@ cb(null, tmpResult); | ||
| // UAA | ||
| var error = new Error('Key with keyID: "' + keyId | ||
| + '" not found in cache. Configuration says not to query UAA.'); | ||
| var error = new Error('Key "' + cacheKey + '" not found in cache. Configuration says not to query UAA.'); | ||
| return process.nextTick(function() { | ||
@@ -132,8 +131,6 @@ cb(error, null); | ||
| var options = { | ||
| url : uaaUrl + this.tokenKeyPath, | ||
| url : tokenKeyUrl, | ||
| timeout: 2000 | ||
| }; | ||
| debugTrace('Key with keyID: "' + keyId | ||
| + '" not found in cache. Querying keys from UAA via URL "' | ||
| + options.url + '".'); | ||
| debugTrace('Key "' + cacheKey + '" not found in cache. Querying keys from UAA via URL "' + options.url + '".'); | ||
| request | ||
@@ -176,3 +173,3 @@ .get( | ||
| // breaks before adding the key to the cache | ||
| self.addKey(json.keys[i].kid, | ||
| self.addKey(tokenKeyUrl + json.keys[i].kid, | ||
| json.keys[i].value.replace( | ||
@@ -190,7 +187,5 @@ /(\r\n|\n|\r)/gm, '')); | ||
| } | ||
| var tmpResult = self.lruCache.get(keyId); | ||
| var tmpResult = self.lruCache.get(cacheKey); | ||
| if (tmpResult !== undefined) { | ||
| debugTrace('Key with keyID: "' + keyId | ||
| + '" found in cache. Returning key "' | ||
| + tmpResult + '".'); | ||
| debugTrace('Key "' + cacheKey + '" found in cache. Returning key "' + tmpResult + '".'); | ||
| return process.nextTick(function() { | ||
@@ -201,5 +196,4 @@ cb(null, tmpResult); | ||
| var error = new Error( | ||
| 'Obtained token keys from UAA, but key with requested keyID "' | ||
| + keyId | ||
| + '" still not found in cache.'); | ||
| 'Obtained token keys from UAA, but key with requested keyID "' + | ||
| cacheKey + '" still not found in cache.'); | ||
| return process.nextTick(function() { | ||
@@ -206,0 +200,0 @@ cb(error, null); |
@@ -571,3 +571,2 @@ 'use strict'; | ||
| } | ||
| var uaaURLString = config.url; | ||
| var invalidatedTokenHeaderJSON = null; | ||
@@ -584,38 +583,11 @@ try { | ||
| invalidatedTokenHeaderJSON = JSON.parse(invalidatedTokenHeaderString); | ||
| if (!invalidatedTokenHeaderJSON.kid || invalidatedTokenHeaderJSON.kid == 'legacy-token-key') { | ||
| if (!invalidatedTokenHeaderJSON.kid || invalidatedTokenHeaderJSON.kid == 'legacy-token-key' || !invalidatedTokenHeaderJSON.jku) { | ||
| return cb(null, config.verificationkey); | ||
| } | ||
| var invalidatedTokenContentBuffer = new Buffer(invalidatedTokenParts[1], 'base64'); | ||
| var invalidatedTokenContentString = invalidatedTokenContentBuffer.toString('utf8'); | ||
| var invalidatedTokenContentJSON = JSON.parse(invalidatedTokenContentString); | ||
| if (!invalidatedTokenContentJSON.iss) { | ||
| var error = new Error('JWT token contains no iss field. Giving up.', null); | ||
| error.statuscode = 400; | ||
| return cb(error); | ||
| } | ||
| var tokenIssuer = invalidatedTokenContentJSON.iss; | ||
| var tokenIssuerURL = url.parse(tokenIssuer); | ||
| var tokenIssuerURLHostname = tokenIssuerURL.hostname; | ||
| var tokenIssuerURLIDZIndex = tokenIssuerURLHostname.indexOf('.'); | ||
| if (tokenIssuerURLIDZIndex < 0) { | ||
| debugTrace('\nUnexpected Issuer Format in JWT. Use legacy-token-key.'); | ||
| return cb(null, config.verificationkey); | ||
| } | ||
| var tokenIssuerIDZ = tokenIssuerURLHostname.substring(0, tokenIssuerURLIDZIndex); | ||
| debugTrace('\nIdentity zone of token issuer: '+tokenIssuerIDZ+'\n'); | ||
| var uaaURL = url.parse(uaaURLString); | ||
| var uaaURLHostname = uaaURL.hostname; | ||
| var uaaURLIDZIndex = uaaURLHostname.indexOf('.'); | ||
| if (uaaURLIDZIndex < 0) { | ||
| var error = new Error('Unexpected format of UAA URL in configuration. Giving up.', null); | ||
| error.statuscode = 500; | ||
| return cb(error); | ||
| } | ||
| var uaaURLHostnameWithoutIDZ = uaaURLHostname.substring(uaaURLIDZIndex, uaaURLHostname.length); | ||
| var newHostname = tokenIssuerIDZ + uaaURLHostnameWithoutIDZ; | ||
| uaaURL.hostname = newHostname; | ||
| uaaURL.host = null; | ||
| uaaURLString = url.format(uaaURL); | ||
| return keyCache.getKey(invalidatedTokenHeaderJSON.kid, uaaURLString, cb); | ||
| validateJku(invalidatedTokenHeaderJSON.jku, config.uaadomain, function(err) { | ||
| if (err) { | ||
| return cb(null, config.verificationkey); | ||
| } | ||
| return keyCache.getKey(invalidatedTokenHeaderJSON.jku, invalidatedTokenHeaderJSON.kid, cb); | ||
| }); | ||
| } catch (e) { | ||
@@ -627,2 +599,17 @@ e.statuscode = 403; | ||
| function validateJku(jkuUrl, uaaDomain, cb) { | ||
| if (uaaDomain === null || uaaDomain === undefined) { | ||
| var errorString = 'Service is not properly configured in \'VCAP_SERVICES\', attribute \'uaadomain\' is missing. Use legacy-token-key.'; | ||
| debugTrace('\n' + errorString); | ||
| return cb(new Error(errorString)); | ||
| } | ||
| var tokenKeyUrl = url.parse(jkuUrl); | ||
| if (tokenKeyUrl.hostname.substring(tokenKeyUrl.hostname.indexOf(uaaDomain), tokenKeyUrl.hostname.length) === uaaDomain) { | ||
| var errorString = 'JKU of the JWT token (' + jkuUrl + ') does not match with the uaa domain (' + uaaDomain + '). Use legacy-token-key.'; | ||
| debugTrace('\n' + errorString); | ||
| return cb(new Error(errorString)); | ||
| } | ||
| cb(null); | ||
| } | ||
| function checkTokenLocal(accessToken, verificationkey, ssojwt, cb) { | ||
@@ -629,0 +616,0 @@ |
@@ -1,1 +0,1 @@ | ||
| {"bundleDependencies":false,"dependencies":{"@sap/node-jwt":"^1.4.13","@sap/xsenv":"^2.0.0","debug":"4.1.1","lru-cache":"5.1.1","request":"2.88.0","valid-url":"1.0.9"},"deprecated":false,"description":"XS Advanced Container Security API for node.js","devDependencies":{"filter-node-package":"2.0.0","istanbul":"^0.4.5","jwt-decode":"^2.2.0","mocha":"^5.1.0","should":"^13.2.1"},"keywords":["xs"],"main":"./lib","name":"@sap/xssec","repository":{"type":"git"},"scripts":{"prepareRelease":"clean-packages && npm prune --production","test":"make test"},"version":"2.1.17","license":"SEE LICENSE IN developer-license-3.1.txt"} | ||
| {"bundleDependencies":false,"dependencies":{"@sap/node-jwt":"^1.5.0","@sap/xsenv":"^2.0.0","debug":"4.1.1","lru-cache":"5.1.1","request":"2.88.0","valid-url":"1.0.9"},"deprecated":false,"description":"XS Advanced Container Security API for node.js","devDependencies":{"filter-node-package":"2.0.0","istanbul":"^0.4.5","jwt-decode":"^2.2.0","mocha":"^5.1.0","should":"^13.2.1"},"keywords":["xs"],"main":"./lib","name":"@sap/xssec","repository":{"type":"git"},"scripts":{"prepareRelease":"clean-packages && npm prune --production","test":"make test"},"version":"2.2.0","license":"SEE LICENSE IN developer-license-3.1.txt"} |
Sorry, the diff of this file is not supported yet
New alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Fixed alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Worsened metrics
- Total package byte prevSize
- decreased by-0.3%
180847
- Lines of code
- decreased by-1.59%
1173
Dependency changes
Updated@sap/node-jwt@^1.5.0