@sap/xssec - npm Package Compare versions

Comparing version 4.1.1 to 4.1.2

3

CHANGELOG.md
# Change Log
All notable changes to this project will be documented in this file.
## 4.1.2 - 2024-06-21
- fix for IdentityService token fetch requests: app_tid is now properly sent with the request
## 4.1.1 - 2024-06-19

@@ -5,0 +8,0 @@ - add new service configuration flag for JWKS cache: 'validation.jwks.shared' (boolean)

2

package.json
{
"name": "@sap/xssec",
"version": "4.1.1",
"version": "4.1.2",
"description": "XS Advanced Container Security API for node.js",

@@ -5,0 +5,0 @@ "main": "./src",

@@ -57,3 +57,3 @@ 'use strict';

if (this.hasProofTokenEnabled() || this.hasX5tEnabled()) {
if (this.#proofTokenCheckRequired(token) || this.hasX5tEnabled()) {
if (contextConfig.clientCertificatePem == null) {

@@ -103,3 +103,3 @@ throw new MissingClientCertificateError();

const issuerUrl = IdentityService.getSafeUrlFromTokenIssuer(token, this.credentials.domains);
const jwksParams = {

@@ -111,7 +111,9 @@ clientid: this.credentials.clientid,

const keyParts = { url: issuerUrl, ...jwksParams };
if (this.hasProofTokenEnabled()) {
const proofTokenCheck = this.#proofTokenCheckRequired(token);
if (proofTokenCheck) {
keyParts.certSub = contextConfig.clientCertificate?.subject;
jwksParams.clientCertificatePem = contextConfig.clientCertificatePem?.replaceAll("\\n", "").replaceAll("\n", "");
}
const cacheKey = createCacheKey(keyParts);

@@ -122,3 +124,3 @@

const issuerService = issuerUrl === this.credentials.url ? this : new IdentityService({ url: issuerUrl, clientid: this.credentials.clientid });
const extractHeaders = this.hasProofTokenEnabled() ? "headers" : null;
const extractHeaders = proofTokenCheck ? "headers" : null;

@@ -130,3 +132,3 @@ return async (correlationId) => {

jwks: new Jwks(jwksResponse.keys),
servicePlans: this.hasProofTokenEnabled() ? jwksResponse.headers.get(SERVICE_PLAN_HEADER)?.split(",").map(plan => plan.replaceAll("\\\"", "")) : null
servicePlans: proofTokenCheck ? jwksResponse.headers.get(SERVICE_PLAN_HEADER)?.split(",").map(plan => plan.replaceAll("\\\"", "")) : null
};

@@ -153,3 +155,3 @@ }

const { jwks, servicePlans } = cachedResponse;
if (this.hasProofTokenEnabled()) {
if (proofTokenCheck) {
contextConfig.servicePlans = servicePlans;

@@ -236,8 +238,14 @@ }

* Adds clientid, app_tid and either clientsecret or an mTLS agent based on client certificate, depending on the type of credentials.
* @param {RequestInit} request
* @param {URLSearchParams} request.body
* @param {Types.TokenFetchOptions} options
* @override
*/
addClientAuthentication(formData, options = {}) {
super.addClientAuthentication(formData, options);
addClientAuthentication(request, options = {}) {
super.addClientAuthentication(request, options);
formData.app_tid = options.app_tid ?? this.credentials.app_tid;
const app_tid = options.app_tid ?? this.credentials.app_tid;
if(app_tid != null) {
request.body.append("app_tid", app_tid);
}
}

@@ -277,2 +285,12 @@

/**
* Returns whether a proof token check has to be done for the given token.
* The decision depends on the type of token.
* Tokens with claim ias_api are App2App tokens for which a proof token check must not be done, even when enabled via the configuration.
* @param {IdentityServiceToken} token
*/
#proofTokenCheckRequired(token) {
return this.hasProofTokenEnabled() && token.payload.ias_apis == null;
}
/**
* Returns an issuer URL based on the issuer of the token if it can be succesfully validated against a list of trusted domains.

@@ -279,0 +297,0 @@ * @param {IdentityServiceToken} token token from which issuer is extracted
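Review bot: The doc comment on `#proofTokenCheckRequired` names the claim `ias_api`, but the code tests `token.payload.ias_apis`; since presence of that claim is what switches the proof-token check off, the comment should name the claim the code actually reads, e.g. `* Tokens with claim ias_apis are App2App tokens for which a proof token check must not be done, even when enabled via the configuration.` The test is presence-only (`== null`), so an `ias_apis` claim with an empty value also disables the check; if that is intended, state it in the same comment. In the cache-key hunk the method is evaluated before the JWKS response for the token is fetched, so it presumably runs on a not-yet-verified payload — if signature validation happens later, a short comment that the later validation is what keeps this decision safe would help readers. In `addClientAuthentication`, `request.body.append("app_tid", app_tid)` assumes the body is already a `URLSearchParams` as the `@param` says; if a caller can pass a request without one this throws a bare TypeError, so a guard or an explicit error may be worth it. The method containing the cache-key and `extractHeaders` changes starts before and ends after its hunks.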

@@ -37,5 +37,5 @@ export = SecurityContext;

}
type Service = import('../service/Service');
type Token = import('../token/Token');
import Types = require("../util/Types");
type Service = import("../service/Service");
type Token = import("../token/Token");
//# sourceMappingURL=SecurityContext.d.ts.map

@@ -1,2 +0,1 @@

/// <reference types="node" />
export = Jwk;

@@ -3,0 +2,0 @@ declare class Jwk {

@@ -77,9 +77,3 @@ export = IdentityService;

/**
* Prepares the given formData and fetch options to use this service's client credentials for authentication.
* Adds clientid, app_tid and either clientsecret or an mTLS agent based on client certificate, depending on the type of credentials.
* @override
*/
override addClientAuthentication(formData: any, options?: {}): void;
/**
* @override
* @inheritdoc

@@ -86,0 +80,0 @@ */

@@ -127,6 +127,6 @@ export = Service;

import ResponseCache = require("../cache/ResponseCache");
type Token = import('../token/Token');
type SecurityContext = import('../context/SecurityContext');
type Jwks = import('../jwks/Jwks');
type ValidationError = import('../error/validation/ValidationError');
type Token = import("../token/Token");
type SecurityContext = import("../context/SecurityContext");
type Jwks = import("../jwks/Jwks");
type ValidationError = import("../error/validation/ValidationError");
//# sourceMappingURL=Service.d.ts.map

@@ -1,2 +0,2 @@

export type X509Certificate = import('crypto').X509Certificate;
export type X509Certificate = import("crypto").X509Certificate;
export type ServiceCredentials = {

@@ -3,0 +3,0 @@ clientid: string;

@@ -1,2 +0,1 @@

/// <reference types="node" />
import { X509Certificate } from "crypto";

@@ -14,5 +13,5 @@ /**

*/
export function createCacheKey(parts?: any): string;
export function createCacheKey(parts?: object): string;
export function parsePemCertificate(pem: any): X509Certificate;
export function shrinkRequestOptionsForLog(request: any): any;
//# sourceMappingURL=util.d.ts.map

