@sap/xssec
Comparing version 3.4.0 to 3.5.0
# Change Log | ||
All notable changes to this project will be documented in this file. | ||
## 3.5.0 - 2023-11-14 | ||
- update dependencies (e.g. axios 0 -> 1) | ||
## 3.4.0 - 2023-10-23 | ||
@@ -5,0 +8,0 @@ - add optional x5t validation (RFC 8705) for IAS tokens |
@@ -40,5 +40,5 @@ 'use strict'; | ||
getXsuaaJwks(jku, zid, attributes = {}) { | ||
if (!jku) { | ||
throw new Error("Cannot get JWKS from empty JKU."); | ||
getXsuaaJwks(uaaDomain, zid, attributes = {}) { | ||
if (!uaaDomain) { | ||
throw new Error("Cannot get JWKS from empty uaaDomain."); | ||
} | ||
@@ -50,3 +50,3 @@ | ||
if (!attributes.disableCache) { | ||
const keyParts = {jku, ...jwksParams}; | ||
const keyParts = {domain: uaaDomain, ...jwksParams}; | ||
replicaKey = this.createCacheKey(keyParts); | ||
@@ -58,3 +58,3 @@ | ||
if (!jwksReplica) { | ||
const xsuaaService = new XsuaaService(jku, zid); | ||
const xsuaaService = new XsuaaService(uaaDomain, zid); | ||
jwksReplica = new JwksReplica(xsuaaService, this.expirationTime, this.refreshPeriod).withParams(jwksParams); | ||
@@ -61,0 +61,0 @@ |
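Review bot: The cache key `{domain: uaaDomain, ...jwksParams}` is built from the raw `uaaDomain`, while `XsuaaService` (per its hunk) normalises the value to a full URL, so `host` and `https://host` for the same tenant produce two replicas and two fetch/refresh cycles for one JWKS endpoint; normalising before `createCacheKey` (or keying on the service's `url`) avoids the duplication. `zid` is handed to `new XsuaaService(uaaDomain, zid)` but, unless it is part of `jwksParams`, does not contribute to the key, so two zones on one domain would share the replica bound to whichever zid arrived first — worth confirming against `jwksParams`. The `getXsuaaJwks` body continues past the hunk, and the same key-shape point applies to the replica creation at the third hunk.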
@@ -81,7 +81,5 @@ 'use strict'; | ||
try { | ||
this.updateJwks(); | ||
} catch(e) { | ||
debugError("Asynchronous JWKS refresh failed.", e); | ||
} | ||
this.updateJwks().catch((e) => { | ||
debugError("Asynchronous JWKS refresh failed.", e) | ||
}); | ||
} | ||
@@ -121,2 +119,2 @@ | ||
module.exports = JwksReplica; | ||
module.exports = JwksReplica; |
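Review bot: The new rejection handler `debugError("Asynchronous JWKS refresh failed.", e)` has no terminating semicolon, unlike every other statement in the hunk; add it for consistency with the file's style. Switching from try/catch to `.catch()` is the right fix since a synchronous try cannot observe a rejected promise, but a one-line comment such as `// fire-and-forget refresh; rejections are logged, never surfaced to the caller` would make the intentional swallowing explicit. The enclosing method starts outside the hunk.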
@@ -8,4 +8,2 @@ 'use strict'; | ||
const errors = require('./errors'); | ||
// use environment variable DEBUG with value 'xssec:*' for trace/error messages | ||
@@ -81,2 +79,6 @@ const debug = require('debug'); | ||
if(options.params) { | ||
axios_options.params = options.params; | ||
} | ||
if (options.form) { | ||
@@ -428,2 +430,6 @@ const formData = options.configType?.toLowerCase() === IAS ? toFormArray(options.form) : options.form; | ||
if (zid) { | ||
options.params = { zid }; | ||
} | ||
if (attributes) { | ||
@@ -430,0 +436,0 @@ if (attributes.correlationId) { |
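Review bot: `options.params = { zid };` in the second hunk overwrites any `params` the caller already set, so a caller that supplies both `params` and a `zid` loses its parameters right before the new `if(options.params)` branch forwards them to axios; if both can co-occur, `options.params = { ...options.params, zid };` preserves them. The condition `if(options.params)` also lacks the space after `if` that the neighbouring `if (options.form)` uses. Both enclosing functions begin and end outside the hunks, so whether `params` is ever set before this point cannot be confirmed here.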
@@ -54,5 +54,5 @@ 'use strict'; | ||
async fetchJwks(params = {}) { | ||
if(params.client_id !== this.serviceCredentials.clientid) { | ||
if(params.client_id && params.client_id !== this.serviceCredentials.clientid) { | ||
return Promise.reject("Invalid state: IdentityService#fetchJwks called with client_id value that is different from the client_id of the IdentityService object."); | ||
} | ||
} | ||
@@ -62,3 +62,3 @@ await this.fetchOidcInfo(); | ||
return new Promise(async (res, rej) => { | ||
return new Promise((res, rej) => { | ||
try { | ||
@@ -65,0 +65,0 @@ requests.fetchOIDCKey(jwksEndpoint, params, (err, json) => { |
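Review bot: The relaxed guard `if(params.client_id && params.client_id !== this.serviceCredentials.clientid)` now lets a call without `client_id` reach `requests.fetchOIDCKey`, whereas before an absent value was rejected as a mismatch; if the JWKS endpoint returns a different key set without a client_id, the verification path for such tokens changes silently. If that is intended, record it, e.g. `// client_id is optional; when absent the endpoint's default key set is requested`, and confirm against the endpoint contract. The adjacent `Promise.reject("Invalid state: ...")` rejects with a string rather than an `Error`, so callers inspecting `err.message` or a stack get nothing — `Promise.reject(new Error(...))` would fix that. `fetchJwks` continues past the hunk.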
@@ -5,18 +5,24 @@ 'use strict'; | ||
const PROTOCOL = "https://"; | ||
class XsuaaService { | ||
#jku; | ||
#url; | ||
#jku // JWKS URL | ||
#zid; // optional zone id | ||
// immutable public fields | ||
get url() { return this.#url; } | ||
get jku() { return this.#jku; } | ||
get zid() { return this.#zid; } | ||
constructor(jku, zid) { | ||
if(jku === undefined) { | ||
throw new Error("XsuaaService requires a jku to fetch JWKS from."); | ||
constructor(uaaDomain, zid) { | ||
if (uaaDomain === undefined) { | ||
throw new Error("XsuaaService requires a uaaDomain to fetch JWKS from."); | ||
} | ||
this.#jku = jku; | ||
this.#url = uaaDomain.startsWith(PROTOCOL) ? uaaDomain : `${PROTOCOL}${uaaDomain}`; | ||
this.#zid = zid; | ||
this.#jku = `${this.url}/token_keys`; | ||
} | ||
async fetchJwks() { | ||
@@ -41,3 +47,3 @@ return new Promise((res, rej) => { | ||
...this, | ||
jku: this.jku, | ||
url: this.url, | ||
zid: this.zid | ||
@@ -44,0 +50,0 @@ } |
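Review bot: The constructor guard `if (uaaDomain === undefined)` lets `null` and the empty string through, and an empty string then yields `https:///token_keys` as the JWKS URL; `if (!uaaDomain)` would match the `!uaaDomain` convention used by the caller in `getXsuaaJwks`. A value with a trailing slash likewise produces `https://host//token_keys`, so stripping trailing slashes before `this.#jku = ...` is assembled would make the URL robust to both `uaadomain` and `url` inputs. The field declaration `#jku // JWKS URL` is missing the semicolon present on the neighbouring `#url;` and `#zid;` lines. The `fetchJwks` body and the spread at the second hunk start and end outside the view.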
@@ -266,13 +266,2 @@ 'use strict'; | ||
function validateJku(jkuUrl, uaaDomain) { | ||
if (!uaaDomain) { | ||
throw new Error("JKU could not be validated because attribute 'uaadomain' is missing from service credentials."); | ||
} | ||
var tokenKeyUrl = url.parse(jkuUrl); | ||
if (tokenKeyUrl.hostname.substring(tokenKeyUrl.hostname.indexOf(uaaDomain), tokenKeyUrl.hostname.length) !== uaaDomain) { | ||
throw new Error(`JKU of JWT token (${jkuUrl}) does not match UAA domain (${uaaDomain}).`); | ||
} | ||
} | ||
/* Adds missing line breaks to malformed PEM keys. | ||
@@ -338,12 +327,5 @@ * For backward-compatibility, a specific kind of malformed PEM needs to be supported that is lacking line breaks around the header and footer. | ||
try { | ||
validateJku(header.jku, serviceCredentials.uaadomain); | ||
} catch(e) { | ||
debugTrace("Using verification key from service configuration because JKU validation failed.", e.toString()); | ||
return callback(null, keyFromConfig); | ||
} | ||
let jwk; | ||
try { | ||
const jwks = jwksManager.getXsuaaJwks(header.jku, token.getZoneId(), attributes); | ||
const jwks = jwksManager.getXsuaaJwks(serviceCredentials.uaadomain || serviceCredentials.url, token.getZoneId(), attributes); | ||
jwk = await jwks.get(header.kid); | ||
@@ -458,12 +440,5 @@ } catch(e) { | ||
try { | ||
validateJku(header.jku, serviceCredentials.uaadomain); | ||
} catch(e) { | ||
debugTrace("Using verification key from service configuration because JKU validation failed.", e.toString()); | ||
return callback(null, keyFromConfig); | ||
} | ||
let jwk; | ||
try { | ||
const jwks = jwksManager.getXsuaaJwks(header.jku, token.getZoneId(), attributes); | ||
const jwks = jwksManager.getXsuaaJwks(serviceCredentials.uaadomain || serviceCredentials.url, token.getZoneId(), attributes); | ||
jwk = await jwks.get(header.kid); | ||
@@ -470,0 +445,0 @@ } catch(e) { |
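Review bot: `header.jku` is no longer consulted anywhere in the two hunks and the JWKS location is taken from the service binding, but nothing records that decision; a comment above the `getXsuaaJwks` call such as `// JWKS location comes from the trusted service binding; the token's jku header is untrusted and intentionally not used` would keep a future change from reintroducing the header. This is the right trust boundary: the removed `validateJku` only checked a substring of the hostname, so deriving the URL from configuration is stronger than validating a token-supplied one. When both `serviceCredentials.uaadomain` and `serviceCredentials.url` are absent, `getXsuaaJwks` throws inside the `try`, which the `catch(e)` visible at the next hunk header handles. The same points apply to the second hunk; both enclosing functions start outside the view.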
{ | ||
"name": "@sap/xssec", | ||
"version": "3.4.0", | ||
"version": "3.5.0", | ||
"description": "XS Advanced Container Security API for node.js", | ||
@@ -24,24 +24,22 @@ "main": "./lib", | ||
"engines": { | ||
"node": ">=16.1.0" | ||
"node": ">=18" | ||
}, | ||
"devDependencies": { | ||
"@sap/xsenv": "^3.1.1", | ||
"convert": "^4.12.0", | ||
"eslint": "^8.50.0", | ||
"@sap/xsenv": "^4", | ||
"convert": "^4.13.2", | ||
"eslint": "^8.53.0", | ||
"istanbul": "^0.4.5", | ||
"jwt-decode": "^3.1.2", | ||
"mocha": "^8.0.0", | ||
"node-forge": "^1.3.0", | ||
"should": "^13.2.1", | ||
"sinon": "^14.0.0" | ||
"jwt-decode": "^4", | ||
"mocha": "^10.2.0", | ||
"node-forge": "^1.3.1", | ||
"rewire": "^7.0.0", | ||
"should": "^13.2.3", | ||
"sinon": "^17.0.1" | ||
}, | ||
"dependencies": { | ||
"axios": "^0.26.0", | ||
"debug": "^4.3.2", | ||
"axios": "^1.6", | ||
"debug": "^4.3.4", | ||
"jsonwebtoken": "^9.0.2", | ||
"lru-cache": "^6.0.0", | ||
"node-rsa": "^1.1.1", | ||
"rewire": "^7.0.0", | ||
"valid-url": "1.0.9" | ||
"node-rsa": "^1.1.1" | ||
} | ||
} |
@@ -210,3 +210,5 @@ @sap/xssec: XS Advanced Container Security API for node.js | ||
// when creating securityContext manually | ||
xssec.createSecurityContext(access_token, { x5tValidation: true }, function(error, securityContext, tokenInfo) { ... }); | ||
xssec.createSecurityContext(access_token, | ||
{ x5tValidation: true, x509Certificate: ... // PEM or DER encoded certificate as string | ||
}, function(error, securityContext, tokenInfo) { ... }); | ||
@@ -213,0 +215,0 @@ // when using passport |
+ Addedasynckit@0.4.0(transitive)
+ Addedaxios@1.6.8(transitive)
+ Addedcombined-stream@1.0.8(transitive)
+ Addeddelayed-stream@1.0.0(transitive)
+ Addedform-data@4.0.0(transitive)
+ Addedmime-db@1.52.0(transitive)
+ Addedmime-types@2.1.35(transitive)
+ Addedproxy-from-env@1.1.0(transitive)
- Removedlru-cache@^6.0.0
- Removedrewire@^7.0.0
- Removedvalid-url@1.0.9
- Removed@eslint-community/eslint-utils@4.4.0(transitive)
- Removed@eslint-community/regexpp@4.10.0(transitive)
- Removed@eslint/eslintrc@2.1.4(transitive)
- Removed@eslint/js@8.57.0(transitive)
- Removed@humanwhocodes/config-array@0.11.14(transitive)
- Removed@humanwhocodes/module-importer@1.0.1(transitive)
- Removed@humanwhocodes/object-schema@2.0.3(transitive)
- Removed@nodelib/fs.scandir@2.1.5(transitive)
- Removed@nodelib/fs.stat@2.0.5(transitive)
- Removed@nodelib/fs.walk@1.2.8(transitive)
- Removed@ungap/structured-clone@1.2.0(transitive)
- Removedacorn@8.11.3(transitive)
- Removedacorn-jsx@5.3.2(transitive)
- Removedajv@6.12.6(transitive)
- Removedansi-regex@5.0.1(transitive)
- Removedansi-styles@4.3.0(transitive)
- Removedargparse@2.0.1(transitive)
- Removedaxios@0.26.1(transitive)
- Removedbalanced-match@1.0.2(transitive)
- Removedbrace-expansion@1.1.11(transitive)
- Removedcallsites@3.1.0(transitive)
- Removedchalk@4.1.2(transitive)
- Removedcolor-convert@2.0.1(transitive)
- Removedcolor-name@1.1.4(transitive)
- Removedconcat-map@0.0.1(transitive)
- Removedcross-spawn@7.0.3(transitive)
- Removeddeep-is@0.1.4(transitive)
- Removeddoctrine@3.0.0(transitive)
- Removedescape-string-regexp@4.0.0(transitive)
- Removedeslint@8.57.0(transitive)
- Removedeslint-scope@7.2.2(transitive)
- Removedeslint-visitor-keys@3.4.3(transitive)
- Removedespree@9.6.1(transitive)
- Removedesquery@1.5.0(transitive)
- Removedesrecurse@4.3.0(transitive)
- Removedestraverse@5.3.0(transitive)
- Removedesutils@2.0.3(transitive)
- Removedfast-deep-equal@3.1.3(transitive)
- Removedfast-json-stable-stringify@2.1.0(transitive)
- Removedfast-levenshtein@2.0.6(transitive)
- Removedfastq@1.17.1(transitive)
- Removedfile-entry-cache@6.0.1(transitive)
- Removedfind-up@5.0.0(transitive)
- Removedflat-cache@3.2.0(transitive)
- Removedflatted@3.3.1(transitive)
- Removedfs.realpath@1.0.0(transitive)
- Removedglob@7.2.3(transitive)
- Removedglob-parent@6.0.2(transitive)
- Removedglobals@13.24.0(transitive)
- Removedgraphemer@1.4.0(transitive)
- Removedhas-flag@4.0.0(transitive)
- Removedignore@5.3.1(transitive)
- Removedimport-fresh@3.3.0(transitive)
- Removedimurmurhash@0.1.4(transitive)
- Removedinflight@1.0.6(transitive)
- Removedinherits@2.0.4(transitive)
- Removedis-extglob@2.1.1(transitive)
- Removedis-glob@4.0.3(transitive)
- Removedis-path-inside@3.0.3(transitive)
- Removedisexe@2.0.0(transitive)
- Removedjs-yaml@4.1.0(transitive)
- Removedjson-buffer@3.0.1(transitive)
- Removedjson-schema-traverse@0.4.1(transitive)
- Removedjson-stable-stringify-without-jsonify@1.0.1(transitive)
- Removedkeyv@4.5.4(transitive)
- Removedlevn@0.4.1(transitive)
- Removedlocate-path@6.0.0(transitive)
- Removedlodash.merge@4.6.2(transitive)
- Removedlru-cache@6.0.0(transitive)
- Removedminimatch@3.1.2(transitive)
- Removednatural-compare@1.4.0(transitive)
- Removedonce@1.4.0(transitive)
- Removedoptionator@0.9.4(transitive)
- Removedp-limit@3.1.0(transitive)
- Removedp-locate@5.0.0(transitive)
- Removedparent-module@1.0.1(transitive)
- Removedpath-exists@4.0.0(transitive)
- Removedpath-is-absolute@1.0.1(transitive)
- Removedpath-key@3.1.1(transitive)
- Removedprelude-ls@1.2.1(transitive)
- Removedpunycode@2.3.1(transitive)
- Removedqueue-microtask@1.2.3(transitive)
- Removedresolve-from@4.0.0(transitive)
- Removedreusify@1.0.4(transitive)
- Removedrewire@7.0.0(transitive)
- Removedrimraf@3.0.2(transitive)
- Removedrun-parallel@1.2.0(transitive)
- Removedshebang-command@2.0.0(transitive)
- Removedshebang-regex@3.0.0(transitive)
- Removedstrip-ansi@6.0.1(transitive)
- Removedstrip-json-comments@3.1.1(transitive)
- Removedsupports-color@7.2.0(transitive)
- Removedtext-table@0.2.0(transitive)
- Removedtype-check@0.4.0(transitive)
- Removedtype-fest@0.20.2(transitive)
- Removeduri-js@4.4.1(transitive)
- Removedvalid-url@1.0.9(transitive)
- Removedwhich@2.0.2(transitive)
- Removedword-wrap@1.2.5(transitive)
- Removedwrappy@1.0.2(transitive)
- Removedyallist@4.0.0(transitive)
- Removedyocto-queue@0.1.0(transitive)
Updatedaxios@^1.6
Updateddebug@^4.3.4