oidc-provider - npm Package Compare versions

Comparing version 8.4.3 to 8.4.4

18

lib/actions/authorization/check_dpop_jkt.js

@@ -12,14 +12,16 @@ import { InvalidRequest } from '../../helpers/errors.js';

export default async function checkDpopJkt(ctx, next) {
const { params } = ctx.oidc;
const { params, route } = ctx.oidc;
const dPoP = await dpopValidate(ctx);
if (dPoP) {
const { ReplayDetection } = ctx.oidc.provider;
const unique = await ReplayDetection.unique(
ctx.oidc.client.clientId,
dPoP.jti,
epochTime() + 300,
);
if (route !== 'pushed_authorization_request') {
const { ReplayDetection } = ctx.oidc.provider;
const unique = await ReplayDetection.unique(
ctx.oidc.client.clientId,
dPoP.jti,
epochTime() + 300,
);
ctx.assert(unique, new InvalidRequest('DPoP proof JWT Replay detected'));
ctx.assert(unique, new InvalidRequest('DPoP proof JWT Replay detected'));
}

@@ -26,0 +28,0 @@ if (params.dpop_jkt && params.dpop_jkt !== dPoP.thumbprint) {
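Review bot: The new guard `if (route !== 'pushed_authorization_request')` drops the DPoP proof replay check for PAR in this file, and the check that replaces it (the `if (route === 'pushed_authorization_request')` block in the request-object hunk further down) sits inside `if (!pushedRequestObject && payload.jti && payload.exp && payload.iss)`, so from this diff alone a PAR request without a request object, or with one lacking jti/exp/iss, does not appear to get its proof replay-checked anywhere. If that path is covered in a file not shown here, or a request object is required whenever a DPoP proof accompanies PAR, the guard should say so, e.g. `// PAR: replay check happens in process_request_object, after the request object itself is verified` — that rationale is my inference and should be confirmed against the caller chain. The duplicated `ctx.assert(...)` on this page is the same line rendered once per side, not a repeated assertion.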

@@ -5,2 +5,4 @@ import * as JWT from '../../helpers/jwt.js';

import isPlainObject from '../../helpers/_/is_plain_object.js';
import dpopValidate from '../../helpers/validate_dpop.js';
import epochTime from '../../helpers/epoch_time.js';

@@ -232,2 +234,15 @@ import checkResponseMode from './check_response_mode.js';

if (!pushedRequestObject && payload.jti && payload.exp && payload.iss) {
if (route === 'pushed_authorization_request') {
const dPoP = await dpopValidate(ctx);
if (dPoP) {
const { ReplayDetection } = ctx.oidc.provider;
const unique = await ReplayDetection.unique(
ctx.oidc.client.clientId,
dPoP.jti,
epochTime() + 300,
);
ctx.assert(unique, new InvalidRequest('DPoP proof JWT Replay detected'));
}
}
const unique = await ctx.oidc.provider.ReplayDetection.unique(

@@ -234,0 +249,0 @@ payload.iss,
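Review bot: The block under `if (route === 'pushed_authorization_request')` is a statement-for-statement copy of the replay check in check_dpop_jkt.js (same `ReplayDetection.unique(ctx.oidc.client.clientId, dPoP.jti, epochTime() + 300)` call and the same error text), so the 300-second window and the message now have to be kept in sync across two files; a small shared helper next to `dpopValidate`, e.g. `await assertDpopProofNotReplayed(ctx, dPoP)`, would keep a single definition. Note the ordering the new lines establish: the proof's jti is recorded as used before the request object's own `ReplayDetection.unique(payload.iss, ...)` call that follows, so a request object that is then rejected has already consumed the DPoP jti — presumably intended, but a one-line comment would spare the next reader the question. The enclosing function starts and ends outside this hunk.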

@@ -167,3 +167,3 @@ const RECOGNIZED_METADATA = [

const noVSCHAR = /[^\x20-\x7E]/;
export const noVSCHAR = /[^\x20-\x7E]/;
// const noNQCHAR = /[^\x21\x23-\x5B\x5D-\x7E]/;

@@ -170,0 +170,0 @@ // const noNQSCHAR = /[^\x20-\x21\x23-\x5B\x5D-\x7E]/;

@@ -14,3 +14,8 @@ import { createHash } from 'node:crypto';

const weakMap = new WeakMap();
export default async (ctx, accessToken) => {
if (weakMap.has(ctx)) {
return weakMap.get(ctx);
}
const {

@@ -110,3 +115,6 @@ features: { dPoP: dPoPConfig },

return { thumbprint, jti: payload.jti, iat: payload.iat };
const result = { thumbprint, jti: payload.jti, iat: payload.iat };
weakMap.set(ctx, result);
return result;
};
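Review bot: The WeakMap memoization on the new side carries no comment saying why it exists; since `checkDpopJkt` and the request-object handler can both call `dpopValidate(ctx)` for the same request, a reader needs to know the second call is meant to hand back the already-verified proof rather than validate it again, e.g. `// memoized per request: more than one middleware may validate the same proof and must see one result`. Only the successful `result` at the bottom is cached, so a proof that throws is re-validated on the next call — fine, but worth stating; whether the no-proof path above the second hunk returns through the cache cannot be seen here. The exported function starts in the first hunk and its body runs between the two.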

@@ -6,2 +6,3 @@ import { InvalidRequest, InvalidClientAuth } from '../helpers/errors.js';

import certificateThumbprint from '../helpers/certificate_thumbprint.js';
import { noVSCHAR } from '../consts/client_attributes.js';

@@ -15,3 +16,11 @@ import rejectDupes from './reject_dupes.js';

function decodeAuthToken(token) {
return decodeURIComponent(token.replace(/\+/g, '%20'));
// TODO: in v9.x consider enabling stricter encoding check
// if (token.match(/[^a-zA-Z0-9%+]/)) {
// throw new Error();
// }
const authToken = decodeURIComponent(token.replace(/\+/g, '%20'));
if (noVSCHAR.test(authToken)) {
throw new Error('invalid character found');
}
return authToken;
}

@@ -18,0 +27,0 @@
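Review bot: `throw new Error('invalid character found')` in decodeAuthToken is a plain Error while the file imports `InvalidClientAuth` (the hunk header shows `InvalidRequest, InvalidClientAuth` from errors.js); whether the caller maps it to a client-authentication failure is not visible in this hunk, so either throw `new InvalidClientAuth('invalid character found')` here or leave a note that the caller wraps it, presumably the same way it already handles the URIError that `decodeURIComponent` can throw. The check also deserves a why-comment, since the regex name alone does not say what it protects: `// RFC 6749 client_id/client_secret are *VSCHAR (%x20-7E); reject control and non-ASCII characters that survive decoding`. The commented-out stricter check under the TODO would read better as a sentence in the TODO than as dead code.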

{
"name": "oidc-provider",
"version": "8.4.3",
"version": "8.4.4",
"description": "OAuth 2.0 Authorization Server implementation for Node.js with OpenID Connect",

@@ -5,0 +5,0 @@ "keywords": [
