XS Advanced Container Security API for node.js. 

XS Advanced Container Security API for node.js

sap_extncrepos

@sap/xssec

All notable changes to this project will be documented in this file.

- Send either both x-app_tid & x-client_id headers or none of them to IAS /certs endpoint to prevent bad request

- restore backward-compatibility feature: use cleanUpPemKey function on verification keys to support PEM with missing line breaks-

- restore backward-compatible behaviour: use verificationKey as fallback if KID is not found in JWKS but throw error about missing KID if it fails

- add app_tid to formular for token exchanges

- support for "x-app_tid" and "x-client-id" header for IAS cert endpoint

- bugfix for unknown variable in new cache implementation

- Replaced keycache implementation with new JwksReplica implementation: When a JWKS is used for validation, it is now checked if the cached replica will expire soon (default refresh period: 15min before expiration). If so, it will be refreshed in the background and the cached replica will still be used for validation until it has expired completely (default expiration time: 30min since last refresh). Validation of incoming requests will only be blocked by an expired JWKS if it could not be refreshed during the refresh period. Only one call at a time will be performed to refresh the JWKS.

- Addd support for resource-attribute for token flow/token exchange calls

- obfuscate credentials in debug output, when xssec:request debug variable is set

- hotfix: upgrade to newest jsonwebtoken version ^9.0.0 because of security issue complainings. But the library was never affected

- allow IAS issuer without https protocol prefix

- allow setting timeout without having credentials object provided

- hofix in keycache implementation if you turn off to use the cache

- add support for timeout setting for all requests-calls 

- support for password token flow in requests module

- support for setting scopes for all requests to XSUAA

- fix correlationID header names to "x-vcap-request-id" or "x-correlationid"

- support for "x-correlation-id" header to be set for createSecurityContext and tokenexchange-calls

- support to turn off the internal cache for a createSecurityContext call

- add additional getter for user properties on XSUAA context

- remove deed and unneeded code for IAS context

- fix token flows in requests if subdomain is provided using certificate

- replace got with axios library because of a bug in got lib during https get

- fix to be backward-compatible for tokenFlow-APIs

- fix an issue with IAS multitenancy support

- remove the deprecated request library with got library

- add checkFollowingInstanceScope to SecurityContext to retrieve instance specific scope without need to build scope string on your own

- fix a reference error in key verification

- support for multitenance IAS applications using 'x-zone_uuid' Header in jwks call

- Support for tokenexchanges with X.509 certificates managed by XSUAA

- Support for tokenexchanges with manually managed X.509 certificates

- support for configuration objects that does not provide a clientsecret (but a certificate)

- Add some more error and tracing information

- Support for IAS token validation. ([more details](doc/IAS.md))

- Feature: Support for IAS to XSUAA token exchange ([more details](doc/IAStoXSUAA.md))

- Feature: Support for ZoneID enabled token flows ([more details](doc/TokenFlows.md))

- Bugfix: Tokenexchange with additional attributes may result in a wrong formatted url

- Feature: The passport middleware allows to provide scopes to be validated at authentication time. Details [here](http://www.passportjs.org/docs/oauth/#scope)

- Support for multiple configurations for one security context ([more details here](doc/MultiConfiguration.md))

- Bugfix: support for additional attributes in token exchange

- Bugfix: authorization now in payload for better XSUAA support

- correct support for azp (clientid) in token payload

- The requests to the XSUAA are now available using the requests module also if you do not have a securityContext

- Set request library to version 2.88.2 because of security vulnerability

- Increase timeout for jwt-bearer token flow to reduce of timeouts with very big tokens.

const constants = require('./constants');

// use environment variable DEBUG with value 'xssec:*' for trace/error messages

const debugTrace = debug('xssec:requests');

const debugError = debug('xssec:requests');

debugError.log = console.error.bind(console);

debugTrace.log = console.log.bind(console);

const CORRELATIONID_HEADER = "x-vcap-request-id";

const DEFAULT_USER_TOKEN_TIMEOUT = 10 * 1000;

        if (val !== null && val !== undefined) {

                for (let i = 0; i < val.length; ++i) {

                    ret.push([n, val[i]]);

            } else if (typeof val === 'object') {

                ret.push([n, JSON.stringify(val)]);

async function _requestToNetworkAXIOS(fnc, options, cb) {

        let opt = JSON.parse(JSON.stringify(options));

        if (opt.https && opt.https.key) {

            opt.https.key = "<Private Key for MTLS>";

        if (opt.form && opt.form.client_secret) {

            opt.form.client_secret = "<ClientSecret>"

            opt.form.cert = "<Certificates>"

        if (opt.form && opt.form.assertion) {

            opt.form.assertion = "<Assertion>"

        debugTrace(fnc + '::HTTP Call with %O', opt);

        maxRedirects: 0, //no followRedirect

        timeout: options.timeout || DEFAULT_TIMEOUT

        axios_options.data = new url.URLSearchParams(toFormArray(options.form)).toString();

        axios_options.httpsAgent = new https.Agent({

            cert: options.https.certificate,

        const result = await axios(axios_options);

            cb(null, json[options._responseToken], json);

            cb(null, json.id_token || json.access_token || json, json);

let _requestToNetwork = _requestToNetworkAXIOS;

function validateParameters(serviceCredentials, cb) {

    if (app_tid && attributes && attributes.clientId) {

        // these two headers must be present both at the same time or not at all to prevent bad requests

        options.headers["x-app_tid"] = app_tid;

        options.headers["x-client_id"] = attributes.clientId;

        if(attributes.clientId) {        

            options.headers["x-client_id"] = attributes.clientId;

            options.headers[CORRELATIONID_HEADER] = attributes.correlationId;

    return _requestToNetwork(".oidc-jkws", options, cb);

function getAttributes(config, defaultTimeout, maxTimeout) {

        let timeout = config.timeout || defaultTimeout;

        } else if (timeout < DEFAULT_TIMEOUT) {

            configType: config.type || "xsuaa",

            correlationId: config.correlationId,

module.exports.requestUserToken = function (appToken, config, additionalAttributes, scopes, subdomain, zoneId, cb) {

    //make it backward-compatible (where zoneId is not provided at all)

    const serviceCredentials = getServiceCredentials(config);

    const attributes = getAttributes(config, DEFAULT_USER_TOKEN_TIMEOUT, 10 * 1000);

    var error = validateParameters(serviceCredentials, cb);

    const urlWithCorrectSubdomain = buildSubdomain(serviceCredentials, subdomain);

        var options = buildOptions(serviceCredentials,

            'urn:ietf:params:oauth:grant-type:jwt-bearer',

        options.form.assertion = appToken;

        return _requestToNetwork("requestUserToken", options, cb);

        //the verification of the serviceCredentials fails

module.exports.requestPasswordUserToken = function (subdomain, config, additionalAttributes, cb) {

    const error = validateParameters(serviceCredentials, cb);

    // adapt subdomain in service url, if necessary

  "description": "XS Advanced Container Security API for node.js",

    "prepareRelease": "npm prune --production"

  "license": "SAP DEVELOPER LICENSE AGREEMENT",

		# Change Log
		All notable changes to this project will be documented in this file.

		## 3.3.3 - 2023-08-08
		- Send either both x-app_tid & x-client_id headers or none of them to IAS /certs endpoint to prevent bad request

		## 3.3.2 - 2023-07-28
		@@ -5,0 +8,0 @@ - restore backward-compatibility feature: use cleanUpPemKey function on verification keys to support PEM with missing line breaks-

		{
		"name": "@sap/xssec",
		"version": "3.3.2",
		"version": "3.3.3",
		"description": "XS Advanced Container Security API for node.js",
		@@ -5,0 +5,0 @@ "main": "./lib",

New alerts

Fixed alerts

Improved metrics

Worsened metrics

		@@ -251,11 +251,9 @@ 'use strict';

		if (app_tid) {
		if (app_tid && attributes && attributes.clientId) {
		// these two headers must be present both at the same time or not at all to prevent bad requests
		options.headers["x-app_tid"] = app_tid;
		options.headers["x-client_id"] = attributes.clientId;
		}

		if (attributes) {
		if(attributes.clientId) {
		options.headers["x-client_id"] = attributes.clientId;
		}

		if (attributes) {
		if (attributes.correlationId) {
		@@ -262,0 +260,0 @@ options.headers[CORRELATIONID_HEADER] = attributes.correlationId;