oidc-provider
Comparing version 8.4.3 to 8.4.4
@@ -12,14 +12,16 @@ import { InvalidRequest } from '../../helpers/errors.js'; | ||
export default async function checkDpopJkt(ctx, next) { | ||
const { params } = ctx.oidc; | ||
const { params, route } = ctx.oidc; | ||
const dPoP = await dpopValidate(ctx); | ||
if (dPoP) { | ||
const { ReplayDetection } = ctx.oidc.provider; | ||
const unique = await ReplayDetection.unique( | ||
ctx.oidc.client.clientId, | ||
dPoP.jti, | ||
epochTime() + 300, | ||
); | ||
if (route !== 'pushed_authorization_request') { | ||
const { ReplayDetection } = ctx.oidc.provider; | ||
const unique = await ReplayDetection.unique( | ||
ctx.oidc.client.clientId, | ||
dPoP.jti, | ||
epochTime() + 300, | ||
); | ||
ctx.assert(unique, new InvalidRequest('DPoP proof JWT Replay detected')); | ||
ctx.assert(unique, new InvalidRequest('DPoP proof JWT Replay detected')); | ||
} | ||
@@ -26,0 +28,0 @@ if (params.dpop_jkt && params.dpop_jkt !== dPoP.thumbprint) { |
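Review bot: The new `if (route !== 'pushed_authorization_request')` guard makes checkDpopJkt skip ReplayDetection for PAR, and the only replacement visible in this diff is the block added to process_request_object, which sits inside `if (!pushedRequestObject && payload.jti && payload.exp && payload.iss)`; from these hunks alone it is not clear where a DPoP proof `jti` is consumed for a PAR request that carries no request object, or whose request object lacks one of those three claims. If that path is handled elsewhere, a comment on the guard naming the other site would spare the next reader a trace through the middleware chain, e.g. `// PAR: DPoP replay detection is performed in process_request_object.js`; if it is not, the guard should only skip when that other check is guaranteed to run. The `epochTime() + 300` replay window is now spelled out here and again in process_request_object; a single named constant or shared helper would keep the two from drifting. checkDpopJkt continues past the end of the hunk.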
@@ -5,2 +5,4 @@ import * as JWT from '../../helpers/jwt.js'; | ||
import isPlainObject from '../../helpers/_/is_plain_object.js'; | ||
import dpopValidate from '../../helpers/validate_dpop.js'; | ||
import epochTime from '../../helpers/epoch_time.js'; | ||
@@ -232,2 +234,15 @@ import checkResponseMode from './check_response_mode.js'; | ||
if (!pushedRequestObject && payload.jti && payload.exp && payload.iss) { | ||
if (route === 'pushed_authorization_request') { | ||
const dPoP = await dpopValidate(ctx); | ||
if (dPoP) { | ||
const { ReplayDetection } = ctx.oidc.provider; | ||
const unique = await ReplayDetection.unique( | ||
ctx.oidc.client.clientId, | ||
dPoP.jti, | ||
epochTime() + 300, | ||
); | ||
ctx.assert(unique, new InvalidRequest('DPoP proof JWT Replay detected')); | ||
} | ||
} | ||
const unique = await ctx.oidc.provider.ReplayDetection.unique( | ||
@@ -234,0 +249,0 @@ payload.iss, |
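Review bot: The replay-detection block added under `if (route === 'pushed_authorization_request')` repeats check_dpop_jkt.js almost line for line (ReplayDetection.unique with clientId, `dPoP.jti`, `epochTime() + 300`, then the same InvalidRequest message); extracting a small helper such as `assertDpopNotReplayed(ctx, dPoP)` and calling it from both files would keep the window and the error text in one place. The `await dpopValidate(ctx)` call here appears to rely on the per-ctx WeakMap cache added in validate_dpop.js so the proof is not parsed and verified a second time in check_dpop_jkt; that coupling deserves a comment, e.g. `// dpopValidate is memoised per ctx, so calling it again from check_dpop_jkt is cheap and consistent`. The enclosing function starts and ends outside the hunk.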
@@ -167,3 +167,3 @@ const RECOGNIZED_METADATA = [ | ||
const noVSCHAR = /[^\x20-\x7E]/; | ||
export const noVSCHAR = /[^\x20-\x7E]/; | ||
// const noNQCHAR = /[^\x21\x23-\x5B\x5D-\x7E]/; | ||
@@ -170,0 +170,0 @@ // const noNQSCHAR = /[^\x20-\x21\x23-\x5B\x5D-\x7E]/; |
@@ -14,3 +14,8 @@ import { createHash } from 'node:crypto'; | ||
const weakMap = new WeakMap(); | ||
export default async (ctx, accessToken) => { | ||
if (weakMap.has(ctx)) { | ||
return weakMap.get(ctx); | ||
} | ||
const { | ||
@@ -110,3 +115,6 @@ features: { dPoP: dPoPConfig }, | ||
return { thumbprint, jti: payload.jti, iat: payload.iat }; | ||
const result = { thumbprint, jti: payload.jti, iat: payload.iat }; | ||
weakMap.set(ctx, result); | ||
return result; | ||
}; |
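Review bot: The cache is keyed on `ctx` alone, but the function signature is `export default async (ctx, accessToken) =>`, so a second call on the same ctx with a different `accessToken` (or with none) returns the first result without being validated against it. If the body between the two hunks binds the proof to `accessToken` — as an `ath` comparison would — the cache entry should record which token it was validated against and be bypassed on mismatch; if `accessToken` is fixed for the lifetime of a request, state that next to the WeakMap, e.g. `// memoised per request; assumes accessToken does not change between calls on one ctx`. Only the successful path at the end is cached, so whatever returns or throws earlier in the body is re-evaluated on each call — fine, but worth a line of comment so nobody adds caching of failures by accident. The cached `result` object is handed to every caller by reference; `Object.freeze(result)` before `weakMap.set` would stop one middleware's mutation from leaking into another's view. The arrow function's body is split across the two hunks.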
@@ -6,2 +6,3 @@ import { InvalidRequest, InvalidClientAuth } from '../helpers/errors.js'; | ||
import certificateThumbprint from '../helpers/certificate_thumbprint.js'; | ||
import { noVSCHAR } from '../consts/client_attributes.js'; | ||
@@ -15,3 +16,11 @@ import rejectDupes from './reject_dupes.js'; | ||
function decodeAuthToken(token) { | ||
return decodeURIComponent(token.replace(/\+/g, '%20')); | ||
// TODO: in v9.x consider enabling stricter encoding check | ||
// if (token.match(/[^a-zA-Z0-9%+]/)) { | ||
// throw new Error(); | ||
// } | ||
const authToken = decodeURIComponent(token.replace(/\+/g, '%20')); | ||
if (noVSCHAR.test(authToken)) { | ||
throw new Error('invalid character found'); | ||
} | ||
return authToken; | ||
} | ||
@@ -18,0 +27,0 @@ |
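Review bot: The new check throws a bare `new Error('invalid character found')`, and the preceding `decodeURIComponent(token.replace(/\+/g, '%20'))` throws a `URIError` on malformed percent-encoding, while the file imports `InvalidRequest` and `InvalidClientAuth` for structured rejections; unless the caller (outside the hunk) catches both and translates them, a malformed Basic credential surfaces as an unexpected exception rather than the client-authentication error the rest of the file uses. Either throw `new InvalidClientAuth('invalid character found')` here and guard the decode the same way, or document on decodeAuthToken that callers are expected to catch and translate, e.g. `// throws Error/URIError for malformed input; callers map these to InvalidClientAuth`. `noVSCHAR` has no `g` flag, so sharing the imported regex across calls is stateless and safe.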
{ | ||
"name": "oidc-provider", | ||
"version": "8.4.3", | ||
"version": "8.4.4", | ||
"description": "OAuth 2.0 Authorization Server implementation for Node.js with OpenID Connect", | ||
@@ -5,0 +5,0 @@ "keywords": [ |