@sap/xssec
Comparing version 4.1.1 to 4.1.2
# Change Log | ||
All notable changes to this project will be documented in this file. | ||
## 4.1.2 - 2024-06-21 | ||
- fix for IdentityService token fetch requests: app_tid is now properly sent with the request | ||
## 4.1.1 - 2024-06-19 | ||
@@ -5,0 +8,0 @@ - add new service configuration flag for JWKS cache: 'validation.jwks.shared' (boolean) |
{ | ||
"name": "@sap/xssec", | ||
"version": "4.1.1", | ||
"version": "4.1.2", | ||
"description": "XS Advanced Container Security API for node.js", | ||
@@ -5,0 +5,0 @@ "main": "./src", |
@@ -57,3 +57,3 @@ 'use strict'; | ||
if (this.hasProofTokenEnabled() || this.hasX5tEnabled()) { | ||
if (this.#proofTokenCheckRequired(token) || this.hasX5tEnabled()) { | ||
if (contextConfig.clientCertificatePem == null) { | ||
@@ -103,3 +103,3 @@ throw new MissingClientCertificateError(); | ||
const issuerUrl = IdentityService.getSafeUrlFromTokenIssuer(token, this.credentials.domains); | ||
const jwksParams = { | ||
@@ -111,7 +111,9 @@ clientid: this.credentials.clientid, | ||
const keyParts = { url: issuerUrl, ...jwksParams }; | ||
if (this.hasProofTokenEnabled()) { | ||
const proofTokenCheck = this.#proofTokenCheckRequired(token); | ||
if (proofTokenCheck) { | ||
keyParts.certSub = contextConfig.clientCertificate?.subject; | ||
jwksParams.clientCertificatePem = contextConfig.clientCertificatePem?.replaceAll("\\n", "").replaceAll("\n", ""); | ||
} | ||
const cacheKey = createCacheKey(keyParts); | ||
@@ -122,3 +124,3 @@ | ||
const issuerService = issuerUrl === this.credentials.url ? this : new IdentityService({ url: issuerUrl, clientid: this.credentials.clientid }); | ||
const extractHeaders = this.hasProofTokenEnabled() ? "headers" : null; | ||
const extractHeaders = proofTokenCheck ? "headers" : null; | ||
@@ -130,3 +132,3 @@ return async (correlationId) => { | ||
jwks: new Jwks(jwksResponse.keys), | ||
servicePlans: this.hasProofTokenEnabled() ? jwksResponse.headers.get(SERVICE_PLAN_HEADER)?.split(",").map(plan => plan.replaceAll("\\\"", "")) : null | ||
servicePlans: proofTokenCheck ? jwksResponse.headers.get(SERVICE_PLAN_HEADER)?.split(",").map(plan => plan.replaceAll("\\\"", "")) : null | ||
}; | ||
@@ -153,3 +155,3 @@ } | ||
const { jwks, servicePlans } = cachedResponse; | ||
if (this.hasProofTokenEnabled()) { | ||
if (proofTokenCheck) { | ||
contextConfig.servicePlans = servicePlans; | ||
@@ -236,8 +238,14 @@ } | ||
* Adds clientid, app_tid and either clientsecret or an mTLS agent based on client certificate, depending on the type of credentials. | ||
* @param {RequestInit} request | ||
* @param {URLSearchParams} request.body | ||
* @param {Types.TokenFetchOptions} options | ||
* @override | ||
*/ | ||
addClientAuthentication(formData, options = {}) { | ||
super.addClientAuthentication(formData, options); | ||
addClientAuthentication(request, options = {}) { | ||
super.addClientAuthentication(request, options); | ||
formData.app_tid = options.app_tid ?? this.credentials.app_tid; | ||
const app_tid = options.app_tid ?? this.credentials.app_tid; | ||
if(app_tid != null) { | ||
request.body.append("app_tid", app_tid); | ||
} | ||
} | ||
@@ -277,2 +285,12 @@ | ||
/** | ||
* Returns whether a proof token check has to be done for the given token. | ||
* The decision depends on the type of token. | ||
* Tokens with claim ias_api are App2App tokens for which a proof token check must not be done, even when enabled via the configuration. | ||
* @param {IdentityServiceToken} token | ||
*/ | ||
#proofTokenCheckRequired(token) { | ||
return this.hasProofTokenEnabled() && token.payload.ias_apis == null; | ||
} | ||
/** | ||
* Returns an issuer URL based on the issuer of the token if it can be succesfully validated against a list of trusted domains. | ||
@@ -279,0 +297,0 @@ * @param {IdentityServiceToken} token token from which issuer is extracted |
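Review bot: The docstring on `#proofTokenCheckRequired` names the claim `ias_api` while the code tests `token.payload.ias_apis`; since this claim alone decides whether the mTLS proof-token check is skipped, the two should agree, e.g. `* Tokens with claim ias_apis are App2App tokens for which a proof token check must not be done, even when enabled via the configuration.` The same predicate is now evaluated at line 57 in the first hunk, before the JWKS used to verify the token are fetched in the later hunks, so the skip decision is taken on a claim that is not yet signature-verified; that is presumably safe because validation still runs on both paths, but a one-line comment next to the call stating that assumption would make it explicit. In the `addClientAuthentication` hunk, `request.body.append("app_tid", app_tid)` assumes the super call leaves `request.body` as a URLSearchParams as the docstring claims; the super implementation is outside this diff, so consider asserting that before appending. The enclosing class continues outside every hunk shown here.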
@@ -37,5 +37,5 @@ export = SecurityContext; | ||
} | ||
type Service = import('../service/Service'); | ||
type Token = import('../token/Token'); | ||
import Types = require("../util/Types"); | ||
type Service = import("../service/Service"); | ||
type Token = import("../token/Token"); | ||
//# sourceMappingURL=SecurityContext.d.ts.map |
@@ -1,2 +0,1 @@ | ||
/// <reference types="node" /> | ||
export = Jwk; | ||
@@ -3,0 +2,0 @@ declare class Jwk { |
@@ -77,9 +77,3 @@ export = IdentityService; | ||
/** | ||
* Prepares the given formData and fetch options to use this service's client credentials for authentication. | ||
* Adds clientid, app_tid and either clientsecret or an mTLS agent based on client certificate, depending on the type of credentials. | ||
* @override | ||
*/ | ||
override addClientAuthentication(formData: any, options?: {}): void; | ||
/** | ||
* @override | ||
* @inheritdoc | ||
@@ -86,0 +80,0 @@ */ |
@@ -127,6 +127,6 @@ export = Service; | ||
import ResponseCache = require("../cache/ResponseCache"); | ||
type Token = import('../token/Token'); | ||
type SecurityContext = import('../context/SecurityContext'); | ||
type Jwks = import('../jwks/Jwks'); | ||
type ValidationError = import('../error/validation/ValidationError'); | ||
type Token = import("../token/Token"); | ||
type SecurityContext = import("../context/SecurityContext"); | ||
type Jwks = import("../jwks/Jwks"); | ||
type ValidationError = import("../error/validation/ValidationError"); | ||
//# sourceMappingURL=Service.d.ts.map |
@@ -1,2 +0,2 @@ | ||
export type X509Certificate = import('crypto').X509Certificate; | ||
export type X509Certificate = import("crypto").X509Certificate; | ||
export type ServiceCredentials = { | ||
@@ -3,0 +3,0 @@ clientid: string; |
@@ -1,2 +0,1 @@ | ||
/// <reference types="node" /> | ||
import { X509Certificate } from "crypto"; | ||
@@ -14,5 +13,5 @@ /** | ||
*/ | ||
export function createCacheKey(parts?: any): string; | ||
export function createCacheKey(parts?: object): string; | ||
export function parsePemCertificate(pem: any): X509Certificate; | ||
export function shrinkRequestOptionsForLog(request: any): any; | ||
//# sourceMappingURL=util.d.ts.map |