@sap/xssec
Comparing version 3.0.5 to 3.0.6
# Change Log | ||
All notable changes to this project will be documented in this file. | ||
## 3.0.6 - 2020-07-01 | ||
- Audience Validation validates to true when the derived client_id of broker-clone token matches the trusted client. This is relevant to support tokens of grant type user_token that contains no scopes. | ||
## 3.0.5 - 2020-06-26 | ||
- Audience Validation accepts tokens of grant type user_token that does not provide aud claim. In that case the audience is derived from the audiences from the scopes. | ||
- Audience Validation is skipped when cid of token matches the trusted client. | ||
- Use getSubaccountId() method only to fetch the subaccount id, e.g. for calling the metering API for user-based pricing. | ||
- In case you are interested in the customers tenant GUID make use of getZoneId method instead! | ||
- A new [TokenInfo](/doc/TokenInfo.md) class is introduced for better logging capabilities. | ||
## 3.0.3 - 2020-05-25 | ||
@@ -6,0 +15,0 @@ |
@@ -56,3 +56,3 @@ 'use strict'; | ||
foreignMode = false; | ||
var allowedAudiences = getAllowedAudiencesFromToken(audiencesFromToken, scopesFromToken || []); | ||
var allowedAudiences = extractAudiencesFromToken(audiencesFromToken, scopesFromToken || [], cid); | ||
if (validateSameClientId(cid) === true || validateAudienceOfXsuaaBrokerClone(allowedAudiences) === true || validateDefault(allowedAudiences) === true) { | ||
@@ -69,7 +69,8 @@ return ValidationResults.createValid(); | ||
function validateSameClientId(cid) { | ||
if(!cid || !clientId) { | ||
function validateSameClientId(cidFromToken) { | ||
if(!cidFromToken || !clientId) { | ||
return false; | ||
} | ||
return clientId.trim() === cid.trim(); | ||
return cidFromToken.trim() === clientId.trim(); | ||
} | ||
@@ -114,7 +115,7 @@ | ||
this.getListOfAudiencesFromToken = function(aud, scopes) { | ||
return getAllowedAudiencesFromToken(aud || [], scopes || []); | ||
this.getListOfAudiencesFromToken = function(aud, scopes, cid) { | ||
return extractAudiencesFromToken(aud || [], scopes || [], cid); | ||
} | ||
function getAllowedAudiencesFromToken(aud, scopes) { | ||
function extractAudiencesFromToken(aud, scopes, cid) { | ||
var audiences = []; | ||
@@ -147,3 +148,8 @@ var tokenAudiences = aud || []; | ||
} | ||
} | ||
} | ||
if(cid && audiences.indexOf(cid) === -1) { | ||
audiences.push(cid); | ||
} | ||
return audiences; | ||
@@ -150,0 +156,0 @@ } |
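Review bot: The added lines `if(cid && audiences.indexOf(cid) === -1) { audiences.push(cid); }` in the last hunk put the token's `cid` — the client the token was issued to — into the list that `validateAudienceOfXsuaaBrokerClone` and `validateDefault` (first hunk, line with `validateSameClientId(cid) === true || …`) treat as intended audiences, and nothing in the code says why that conflation is acceptable. Since `validateSameClientId` already covers an exact match, the only new acceptance path this presumably opens is the broker-clone derivation, and that reasoning (which relies on the JWT signature having been verified before this point) should be written down next to the push: `// cid is the issued-to client, not an aud entry; added so a broker-clone token (grant user_token, no aud/scopes) is accepted via the clone-derived client id – see CHANGELOG 3.0.6`. The new check also accepts any truthy `cid` while `validateSameClientId` trims before comparing, so a non-string or whitespace-padded claim would be pushed as-is and could reach `.trim()`/`.split()` in the consumers; `if (typeof cid === 'string' && cid.trim() !== '' && audiences.indexOf(cid.trim()) === -1) { audiences.push(cid.trim()); }` keeps the two paths consistent. `extractAudiencesFromToken` starts in the previous hunk and its body between the hunks is not shown, so whether an earlier line already normalises `cid` cannot be confirmed here.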
{ | ||
"name": "@sap/xssec", | ||
"version": "3.0.5", | ||
"version": "3.0.6", | ||
"description": "XS Advanced Container Security API for node.js", | ||
@@ -5,0 +5,0 @@ "main": "./lib", |