@sap/xssec - npm Package Compare versions

Comparing version 3.0.10 to 3.1.0

CHANGELOG.md

 # Change Log
 All notable changes to this project will be documented in this file.
 
+## 3.1.0 - 2020-01-10
+- Support for multiple configurations for one security context ([more details here](doc/MultiConfiguration.md))
+- Bugfix: support for additional attributes in token exchange
+- Bugfix: authorization now in payload for better XSUAA support
+- correct support for azp (clientid) in token payload
+- method to identify an XSUAA token
 ## 3.0.10 - 2020-10-01
@@ -44,3 +50,3 @@ - The requests to the XSUAA are now available using the requests module also if you do not have a securityContext
 - Remove obsolete method requestTokenForClient (use requestToken)
-- Remove obsolete method getIdentityZone (getSubaccountId) 
+- Remove obsolete method getIdentityZone (use getZoneId() instead, or getSubaccountId() for metering purposes) 
 - Support for audience validation in token
@@ -47,0 +53,0 @@ - remove of SAP_JWT_TRUST_ACL environment variable support (functionality now comes with audience validation); see also [here](https://jam4.sapjam.com/blogs/show/oEdyQO183plBoQdrvcPw2w).

lib/requests.js

@@ -58,8 +58,5 @@ 'use strict';
             client_id: serviceCredentials.clientid,
+            client_secret: serviceCredentials.clientsecret,
             assertion: appToken
         },
-        auth: {
-            user: serviceCredentials.clientid,
-            pass: serviceCredentials.clientsecret
-        },
         timeout: 10*1000
@@ -72,2 +69,3 @@ };
     if (additionalAttributes !== null) {
+        var authorities = { "az_attr" : additionalAttributes };
         options.form.authorities = authorities;
@@ -131,3 +129,3 @@ }
     var options = {
-        url: urlWithCorrectSubdomain + '/oauth/token?grant_type=client_credentials&response_type=token',
+        url: urlWithCorrectSubdomain + '/oauth/token',
         headers: {
@@ -138,5 +136,7 @@ 'Accept': 'application/json',
         },
-        auth: {
-            user: serviceCredentials.clientid,
-            pass: serviceCredentials.clientsecret
+        form: {            
+            grant_type: 'client_credentials',
+            response_type: 'token',
+            client_id: serviceCredentials.clientid,
+            client_secret: serviceCredentials.clientsecret
         },
@@ -143,0 +143,0 @@ timeout: 2 * 1000

lib/tokeninfo.js

@@ -79,2 +79,27 @@ 'use strict';
 
+    this.getAudiencesArray = function() {
+        if(!payload.aud) {
+            return null;
+        }
+        return Array.isArray(payload.aud) ? payload.aud : [payload.aud];
+    }
+
+    this.getClientId = function() {
+        var azp = payload.azp;
+        if(azp) {
+            return azp;
+        }
+        var aud = this.getAudiencesArray();
+        if(!aud || aud.length != 1){
+            return null;
+        }
+
+        //make sure it's not an empty string
+        return aud[0] ? aud[0] : payload.cid;
+    }
+
+    this.isTokenIssuedByXSUAA = function() {
+        return payload.ext_attr ? payload.ext_attr.enhancer === "XSUAA" : false;
+    }
+
     this.verify = function(getKeyCBOrValue, cb) {
@@ -81,0 +106,0 @@ return jwt.verify(encoded,

lib/validator.js

@@ -160,3 +160,3 @@ 'use strict';
 
-function JwtTokenValidator(verificationKey, config) {
+function JwtTokenValidator(verificationKey, configArray) {
     var foreignMode = false;
@@ -190,3 +190,3 @@
 
-                if (!decodedToken.cid) {
+                if(!token.getClientId()) {
                     return returnError(400, 'Client Id not contained in access token. Giving up!');
@@ -199,8 +199,19 @@ }
 
-                var audienceValidator = new JwtAudienceValidator(config.clientid);
-                if (config.xsappname) {
-                    audienceValidator.configureTrustedClientId(config.xsappname);
+                var audienceValidator = new JwtAudienceValidator(configArray[0].clientid);
+                if (configArray[0].xsappname) {
+                    audienceValidator.configureTrustedClientId(configArray[0].xsappname);
                 }
 
-                var valid_result = audienceValidator.validateToken(decodedToken.aud, decodedToken.scope, decodedToken.cid);
+                for(var i=1;i<configArray.length;++i) {
+                    if(configArray[i]) {
+                        if (configArray[i].clientid) {
+                            audienceValidator.configureTrustedClientId(configArray[i].clientid);
+                        }
+                        if (configArray[i].xsappname) {
+                            audienceValidator.configureTrustedClientId(configArray[i].xsappname);
+                        }
+                    }
+                }
+
+                var valid_result = audienceValidator.validateToken(token.getAudiencesArray(), decodedToken.scope, decodedToken.cid);
                 if (!valid_result.isValid()) {
@@ -210,3 +221,3 @@ return returnError(401, valid_result.getErrorDescription());
 
-                if(config.clientid !== decodedToken.cid) {
+                if(configArray[0].clientid !== decodedToken.cid) {
                     foreignMode = audienceValidator.isForeignMode();
@@ -213,0 +224,0 @@ }

lib/xssec.js

@@ -14,2 +14,4 @@ 'use strict';
 const VerificationKey = require('./verificationkey');
+const { isArray } = require('util');
+const { config } = require('process');
 
@@ -36,3 +38,9 @@ debugError.log = console.error.bind(console);
 
-function SecurityContext(config) {
+function SecurityContext(configParam) {
+    //make sure the parameter is an array
+    var configArr = Array.isArray(configParam) ? configParam : [configParam];
+    
+    //our main config is always the config at position 0
+    var config = configArr[0];
+
     var userInfo = {
@@ -359,3 +367,3 @@ logonName: '',
 
-        clientId = decodedToken.cid;
+        clientId = tokenInfo.getClientId();
         expirationDate = new Date(decodedToken.exp * 1000);
@@ -420,3 +428,3 @@ grantType = decodedToken.grant_type;
         var verificationKey = new VerificationKey(config);
-        var jwtValidator = new JwtTokenValidator(verificationKey, config);
+        var jwtValidator = new JwtTokenValidator(verificationKey, configArr);
 
@@ -423,0 +431,0 @@ //Now validate the tokens

package.json

 {
   "name": "@sap/xssec",
-  "version": "3.0.10",
+  "version": "3.1.0",
   "description": "XS Advanced Container Security API for node.js",
@@ -19,2 +19,5 @@ "main": "./lib",
   ],
+  "engines": {
+    "node": ">=10.0.0"
+  },
   "devDependencies": {
@@ -25,3 +28,4 @@ "mocha": "^5.1.0",
     "jwt-decode": "^2.2.0",
-    "@sap/xsenv": "^2.2.0"
+    "@sap/xsenv": "^2.2.0",
+    "node-forge": "^0.10.0"
   },
@@ -36,2 +40,2 @@ "dependencies": {
   }
-}
+}

README.md

@@ -73,2 +73,4 @@ @sap/xssec: XS Advanced Container Security API for node.js
 
+With version 3.1.0 there is a support for multiple configuration objects for one SecurityContext. For more details have a look [here](doc/MultiConfiguration.md).
+
 ### Usage with Passport Strategy
@@ -253,3 +255,3 @@
 * `access token` ... the access token as received from UAA in the "authorization Bearer" HTTP header
-* `config` ... a structure with mandatory elements url, clientid and clientsecret or cache configuration
+* `config` ... a structure with mandatory elements url, clientid and clientsecret or cache configuration. Since version 3.1.0 it may also be an array of these structures (have a look [here](doc/MultiConfiguration.md))
 * `callback(error, securityContext, tokenInfo)`
@@ -256,0 +258,0 @@

No alert changes

Improved metrics

Total package byte prevSize

92145

increased by2.57%

Lines of code

1271

increased by3%

Number of lines in readme file

383

increased by0.52%

Worsened metrics

Dev dependency count

6

increased by20%

No dependency changes