@sap/xssec - npm Package Compare versions

Comparing version 3.0.5 to 3.0.6

CHANGELOG.md

 # Change Log
 All notable changes to this project will be documented in this file.
 
+## 3.0.6 - 2020-07-01
+- Audience Validation validates to true when the derived client_id of broker-clone token matches the trusted client. This is relevant to support tokens of grant type user_token that contains no scopes.
 
+## 3.0.5 - 2020-06-26
+- Audience Validation accepts tokens of grant type user_token that does not provide aud claim. In that case the audience is derived from the audiences from the scopes.
+- Audience Validation is skipped when cid of token matches the trusted client.
+- Use getSubaccountId() method only to fetch the subaccount id, e.g. for calling the metering API for user-based pricing.
+- In case you are interested in the customers tenant GUID make use of getZoneId method instead!
+- A new [TokenInfo](/doc/TokenInfo.md) class is introduced for better logging capabilities.
+
 ## 3.0.3 - 2020-05-25
@@ -6,0 +15,0 @@

lib/validator.js

@@ -56,3 +56,3 @@ 'use strict';
         foreignMode = false;
-        var allowedAudiences = getAllowedAudiencesFromToken(audiencesFromToken, scopesFromToken || []);
+        var allowedAudiences = extractAudiencesFromToken(audiencesFromToken, scopesFromToken || [], cid);
         if (validateSameClientId(cid) === true || validateAudienceOfXsuaaBrokerClone(allowedAudiences) === true || validateDefault(allowedAudiences) === true) {
@@ -69,7 +69,8 @@ return ValidationResults.createValid();
 
-    function validateSameClientId(cid) {
-        if(!cid || !clientId) {
+    function validateSameClientId(cidFromToken) {
+        if(!cidFromToken || !clientId) {
             return false;
         }
-        return clientId.trim() === cid.trim();
+
+        return cidFromToken.trim() === clientId.trim();
     }
@@ -114,7 +115,7 @@
 
-    this.getListOfAudiencesFromToken = function(aud, scopes) {
-        return getAllowedAudiencesFromToken(aud || [], scopes || []);
+    this.getListOfAudiencesFromToken = function(aud, scopes, cid) {
+        return extractAudiencesFromToken(aud || [], scopes || [], cid);
     }
 
-    function getAllowedAudiencesFromToken(aud, scopes) {
+    function extractAudiencesFromToken(aud, scopes, cid) {
         var audiences = [];
@@ -147,3 +148,8 @@ var tokenAudiences = aud || [];
             }
-		}
+        }
+        
+        if(cid && audiences.indexOf(cid) === -1) {
+            audiences.push(cid);
+        }
+        
         return audiences;
@@ -150,0 +156,0 @@ }

package.json

 {
   "name": "@sap/xssec",
-  "version": "3.0.5",
+  "version": "3.0.6",
   "description": "XS Advanced Container Security API for node.js",
@@ -5,0 +5,0 @@ "main": "./lib",

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

89303

increased by1.09%

Lines of code

1216

increased by0.25%

No dependency changes