oidc-provider - npm Package Compare versions

Comparing version 8.4.3 to 8.4.4

lib/actions/authorization/check_dpop_jkt.js

@@ -12,14 +12,16 @@ import { InvalidRequest } from '../../helpers/errors.js';
 export default async function checkDpopJkt(ctx, next) {
-  const { params } = ctx.oidc;
+  const { params, route } = ctx.oidc;
 
   const dPoP = await dpopValidate(ctx);
   if (dPoP) {
-    const { ReplayDetection } = ctx.oidc.provider;
-    const unique = await ReplayDetection.unique(
-      ctx.oidc.client.clientId,
-      dPoP.jti,
-      epochTime() + 300,
-    );
+    if (route !== 'pushed_authorization_request') {
+      const { ReplayDetection } = ctx.oidc.provider;
+      const unique = await ReplayDetection.unique(
+        ctx.oidc.client.clientId,
+        dPoP.jti,
+        epochTime() + 300,
+      );
 
-    ctx.assert(unique, new InvalidRequest('DPoP proof JWT Replay detected'));
+      ctx.assert(unique, new InvalidRequest('DPoP proof JWT Replay detected'));
+    }
 
@@ -26,0 +28,0 @@ if (params.dpop_jkt && params.dpop_jkt !== dPoP.thumbprint) {

lib/actions/authorization/process_request_object.js

@@ -5,2 +5,4 @@ import * as JWT from '../../helpers/jwt.js';
 import isPlainObject from '../../helpers/_/is_plain_object.js';
+import dpopValidate from '../../helpers/validate_dpop.js';
+import epochTime from '../../helpers/epoch_time.js';
 
@@ -232,2 +234,15 @@ import checkResponseMode from './check_response_mode.js';
   if (!pushedRequestObject && payload.jti && payload.exp && payload.iss) {
+    if (route === 'pushed_authorization_request') {
+      const dPoP = await dpopValidate(ctx);
+      if (dPoP) {
+        const { ReplayDetection } = ctx.oidc.provider;
+        const unique = await ReplayDetection.unique(
+          ctx.oidc.client.clientId,
+          dPoP.jti,
+          epochTime() + 300,
+        );
+
+        ctx.assert(unique, new InvalidRequest('DPoP proof JWT Replay detected'));
+      }
+    }
     const unique = await ctx.oidc.provider.ReplayDetection.unique(
@@ -234,0 +249,0 @@ payload.iss,

lib/consts/client_attributes.js

@@ -167,3 +167,3 @@ const RECOGNIZED_METADATA = [
 
-const noVSCHAR = /[^\x20-\x7E]/;
+export const noVSCHAR = /[^\x20-\x7E]/;
 // const noNQCHAR = /[^\x21\x23-\x5B\x5D-\x7E]/;
@@ -170,0 +170,0 @@ // const noNQSCHAR = /[^\x20-\x21\x23-\x5B\x5D-\x7E]/;

lib/helpers/validate_dpop.js

@@ -14,3 +14,8 @@ import { createHash } from 'node:crypto';
 
+const weakMap = new WeakMap();
 export default async (ctx, accessToken) => {
+  if (weakMap.has(ctx)) {
+    return weakMap.get(ctx);
+  }
+
   const {
@@ -110,3 +115,6 @@ features: { dPoP: dPoPConfig },
 
-  return { thumbprint, jti: payload.jti, iat: payload.iat };
+  const result = { thumbprint, jti: payload.jti, iat: payload.iat };
+  weakMap.set(ctx, result);
+
+  return result;
 };

lib/shared/token_auth.js

@@ -6,2 +6,3 @@ import { InvalidRequest, InvalidClientAuth } from '../helpers/errors.js';
 import certificateThumbprint from '../helpers/certificate_thumbprint.js';
+import { noVSCHAR } from '../consts/client_attributes.js';
 
@@ -15,3 +16,11 @@ import rejectDupes from './reject_dupes.js';
 function decodeAuthToken(token) {
-  return decodeURIComponent(token.replace(/\+/g, '%20'));
+  // TODO: in v9.x consider enabling stricter encoding check
+  // if (token.match(/[^a-zA-Z0-9%+]/)) {
+  //   throw new Error();
+  // }
+  const authToken = decodeURIComponent(token.replace(/\+/g, '%20'));
+  if (noVSCHAR.test(authToken)) {
+    throw new Error('invalid character found');
+  }
+  return authToken;
 }
@@ -18,0 +27,0 @@

package.json

 {
   "name": "oidc-provider",
-  "version": "8.4.3",
+  "version": "8.4.4",
   "description": "OAuth 2.0 Authorization Server implementation for Node.js with OpenID Connect",
@@ -5,0 +5,0 @@ "keywords": [

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

528744

increased by0.2%

Lines of code

13730

increased by0.23%

No dependency changes