oidc-token-hash - npm Package Compare versions

Comparing version 1.0.1 to 2.0.0

package.json

 {
   "name": "oidc-token-hash",
-  "version": "1.0.1",
-  "description": "Create and validate hashes pushed by OpenID Connect providers to ID Tokens.",
+  "version": "2.0.0",
+  "description": "Create and validate ID Token hashes from OpenID Connect providers.",
   "main": "lib/index.js",
   "scripts": {
     "test": "node test",
+    "coverage": "nyc node test",
     "lint": "eslint lib test"
@@ -17,2 +18,3 @@ },
     "at_hash",
+    "s_hash",
     "c_hash",
@@ -31,6 +33,13 @@ "validate"
   "devDependencies": {
-    "eslint": "^3.5.0",
-    "eslint-config-airbnb-base": "^7.1.0",
-    "eslint-plugin-import": "^1.15.0"
+    "eslint": "^3.19.0",
+    "eslint-config-airbnb-base": "^7.2.0",
+    "eslint-plugin-import": "^1.16.0",
+    "nyc": "^11.2.1"
+  },
+  "nyc": {
+    "reporter": [
+      "lcov",
+      "text-summary"
+    ]
   }
 }

README.md

 # oidc-token-hash
 
-[![build][travis-image]][travis-url] [![dependencies][david-image]][david-url] [![npm][npm-image]][npm-url] [![licence][licence-image]][licence-url]
+[![build][travis-image]][travis-url] [![codecov][codecov-image]][codecov-url]
 
-oidc-token-hash validates (and generates) ID Token claims like at_hash or c_hash for OpenID Clients
-and Providers.
+oidc-token-hash validates (and generates) ID Token `_hash` claims such as `at_hash` or `c_hash`.
 
@@ -17,5 +16,5 @@ ## Usage
 
-oidcTokenHash(at_hash, access_token); // => true
-oidcTokenHash(at_hash, 'foobar'); // => false
-oidcTokenHash.valid('foobar', access_token); // => false
+oidcTokenHash(at_hash, access_token, 'RS256'); // => true
+oidcTokenHash(at_hash, 'foobar', 'RS256'); // => false
+oidcTokenHash.valid('foobar', access_token, 'RS256'); // => false
 ```
@@ -26,14 +25,15 @@
 // access_token from first example
-oidcTokenHash.generate(access_token); // => 'x7vk7f6BvQj0jQHYFIk4ag'
-oidcTokenHash.generate(access_token, 384); // => 'ups_76_7CCye_J1WIyGHKVG7AAs2olYm'
-oidcTokenHash.generate(access_token, 512); // => 'EGEAhGYyfuwDaVTifvrWSoD5MSy_5hZPy6I7Vm-7pTQ'
+oidcTokenHash.generate(access_token, 'RS256'); // => 'x7vk7f6BvQj0jQHYFIk4ag'
+oidcTokenHash.generate(access_token, 'HS384'); // => 'ups_76_7CCye_J1WIyGHKVG7AAs2olYm'
+oidcTokenHash.generate(access_token, 'ES512'); // => 'EGEAhGYyfuwDaVTifvrWSoD5MSy_5hZPy6I7Vm-7pTQ'
 ```
 
+## Changelog
+- 2.0.0 - rather then assuming the alg based on the hash length `#valid()` now requires a third
+  argument with the JOSE header `alg` value, resulting in strict validation
+- 1.0.0 - initial release
+
 [travis-image]: https://img.shields.io/travis/panva/oidc-token-hash/master.svg?style=flat-square&maxAge=7200
 [travis-url]: https://travis-ci.org/panva/oidc-token-hash
-[david-image]: https://img.shields.io/david/panva/oidc-token-hash.svg?style=flat-square&maxAge=7200
-[david-url]: https://david-dm.org/panva/oidc-token-hash
-[npm-image]: https://img.shields.io/npm/v/oidc-token-hash.svg?style=flat-square&maxAge=7200
-[npm-url]: https://www.npmjs.com/package/oidc-token-hash
-[licence-image]: https://img.shields.io/github/license/panva/oidc-token-hash.svg?style=flat-square&maxAge=7200
-[licence-url]: LICENSE.md
+[codecov-image]: https://img.shields.io/codecov/c/github/panva/oidc-token-hash/master.svg?style=flat-square&maxAge=7200
+[codecov-url]: https://codecov.io/gh/panva/oidc-token-hash

test/validate.js

@@ -9,24 +9,57 @@ 'use strict';
 // non correct lengths
-assert.ok(!oidcTokenHash('x7vk7f6BvQj0jQHYFI', 'YmJiZTAwYmYtMzgyOC00NzhkLTkyOTItNjJjNDM3MGYzOWIy9sFhvH8K_x8UIHj1osisS57f5DduL-ar_qw5jl3lthwpMjm283aVMQXDmoqqqydDSqJfbhptzw8rUVwkuQbolw'));
-assert.ok(!oidcTokenHash('x7vk7fx7vk7f6BvQj0jQHYFI', 'YmJiZTAwYmYtMzgyOC00NzhkLTkyOTItNjJjNDM3MGYzOWIy9sFhvH8K_x8UIHj1osisS57f5DduL-ar_qw5jl3lthwpMjm283aVMQXDmoqqqydDSqJfbhptzw8rUVwkuQbolw'));
+assert(!oidcTokenHash('x7vk7f6BvQj0jQHYFI',
+  'YmJiZTAwYmYtMzgyOC00NzhkLTkyOTItNjJjNDM3MGYzOWIy9sFhvH8K_x8UIHj1osisS57f5DduL-ar_qw5jl3lthwpMjm283aVMQXDmoqqqydDSqJfbhptzw8rUVwkuQbolw',
+  'RS256'));
+assert(!oidcTokenHash('x7vk7fx7vk7f6BvQj0jQHYFI',
+  'YmJiZTAwYmYtMzgyOC00NzhkLTkyOTItNjJjNDM3MGYzOWIy9sFhvH8K_x8UIHj1osisS57f5DduL-ar_qw5jl3lthwpMjm283aVMQXDmoqqqydDSqJfbhptzw8rUVwkuQbolw',
+  'RS256'));
 
-assert.ok(!oidcTokenHash('', ''));
-assert.ok(!oidcTokenHash(null, null));
-assert.ok(!oidcTokenHash(null, undefined));
-assert.ok(!oidcTokenHash(undefined, null));
-assert.ok(!oidcTokenHash(undefined, undefined));
+assert(!oidcTokenHash('', '', 'none'));
+assert(!oidcTokenHash(null, null, 'none'));
+assert(!oidcTokenHash(null, undefined, 'none'));
+assert(!oidcTokenHash(undefined, null, 'none'));
+assert(!oidcTokenHash(undefined, undefined, 'none'));
 
 // 256 lengths
-assert.ok( oidcTokenHash('x7vk7f6BvQj0jQHYFIk4ag', 'YmJiZTAwYmYtMzgyOC00NzhkLTkyOTItNjJjNDM3MGYzOWIy9sFhvH8K_x8UIHj1osisS57f5DduL-ar_qw5jl3lthwpMjm283aVMQXDmoqqqydDSqJfbhptzw8rUVwkuQbolw'));
-assert.ok(!oidcTokenHash('x7vk7f6BvQj0jQHYFIk4ag', '--JiZTAwYmYtMzgyOC00NzhkLTkyOTItNjJjNDM3MGYzOWIy9sFhvH8K_x8UIHj1osisS57f5DduL-ar_qw5jl3lthwpMjm283aVMQXDmoqqqydDSqJfbhptzw8rUVwkuQbolw'));
-assert.ok(!oidcTokenHash('--vk7f6BvQj0jQHYFIk4--', 'YmJiZTAwYmYtMzgyOC00NzhkLTkyOTItNjJjNDM3MGYzOWIy9sFhvH8K_x8UIHj1osisS57f5DduL-ar_qw5jl3lthwpMjm283aVMQXDmoqqqydDSqJfbhptzw8rUVwkuQbolw'));
+assert( oidcTokenHash('x7vk7f6BvQj0jQHYFIk4ag',
+  'YmJiZTAwYmYtMzgyOC00NzhkLTkyOTItNjJjNDM3MGYzOWIy9sFhvH8K_x8UIHj1osisS57f5DduL-ar_qw5jl3lthwpMjm283aVMQXDmoqqqydDSqJfbhptzw8rUVwkuQbolw',
+  'HS256'));
+assert(!oidcTokenHash('x7vk7f6BvQj0jQHYFIk4ag',
+  '--JiZTAwYmYtMzgyOC00NzhkLTkyOTItNjJjNDM3MGYzOWIy9sFhvH8K_x8UIHj1osisS57f5DduL-ar_qw5jl3lthwpMjm283aVMQXDmoqqqydDSqJfbhptzw8rUVwkuQbolw',
+  'HS256'));
+assert(!oidcTokenHash('--vk7f6BvQj0jQHYFIk4--',
+  'YmJiZTAwYmYtMzgyOC00NzhkLTkyOTItNjJjNDM3MGYzOWIy9sFhvH8K_x8UIHj1osisS57f5DduL-ar_qw5jl3lthwpMjm283aVMQXDmoqqqydDSqJfbhptzw8rUVwkuQbolw',
+  'HS256'));
 
 // 384 lengths
-assert.ok( oidcTokenHash('rEF91trffQGMQVyqcnZvwddyQGLs6GTF', 'NjlkNjk2ZGUtZWQ1YS00MmQ3LWExOGUtMjNiYTY2MDU4YjJhYmJls2NqVk9DX1z2vDl4MZMeF2XLfMwiXWmRYzUL0t_IY1nWFp6Moeu2GVmBoT_d0Acl4upDyfdGRjeR-ZIsUQ'));
-assert.ok(!oidcTokenHash('rEF91trffQGMQVyqcnZvwddyQGLs6GTF', '--lkNjk2ZGUtZWQ1YS00MmQ3LWExOGUtMjNiYTY2MDU4YjJhYmJls2NqVk9DX1z2vDl4MZMeF2XLfMwiXWmRYzUL0t_IY1nWFp6Moeu2GVmBoT_d0Acl4upDyfdGRjeR-ZIsUQ'));
-assert.ok(!oidcTokenHash('--F91trffQGMQVyqcnZvwddyQGLs6G--', 'NjlkNjk2ZGUtZWQ1YS00MmQ3LWExOGUtMjNiYTY2MDU4YjJhYmJls2NqVk9DX1z2vDl4MZMeF2XLfMwiXWmRYzUL0t_IY1nWFp6Moeu2GVmBoT_d0Acl4upDyfdGRjeR-ZIsUQ'));
+assert( oidcTokenHash('rEF91trffQGMQVyqcnZvwddyQGLs6GTF',
+  'NjlkNjk2ZGUtZWQ1YS00MmQ3LWExOGUtMjNiYTY2MDU4YjJhYmJls2NqVk9DX1z2vDl4MZMeF2XLfMwiXWmRYzUL0t_IY1nWFp6Moeu2GVmBoT_d0Acl4upDyfdGRjeR-ZIsUQ',
+  'RS384'));
+assert(!oidcTokenHash('rEF91trffQGMQVyqcnZvwddyQGLs6GTF',
+  '--lkNjk2ZGUtZWQ1YS00MmQ3LWExOGUtMjNiYTY2MDU4YjJhYmJls2NqVk9DX1z2vDl4MZMeF2XLfMwiXWmRYzUL0t_IY1nWFp6Moeu2GVmBoT_d0Acl4upDyfdGRjeR-ZIsUQ',
+  'RS384'));
+assert(!oidcTokenHash('--F91trffQGMQVyqcnZvwddyQGLs6G--',
+  'NjlkNjk2ZGUtZWQ1YS00MmQ3LWExOGUtMjNiYTY2MDU4YjJhYmJls2NqVk9DX1z2vDl4MZMeF2XLfMwiXWmRYzUL0t_IY1nWFp6Moeu2GVmBoT_d0Acl4upDyfdGRjeR-ZIsUQ',
+  'RS384'));
 
 // 512 lengths
-assert.ok( oidcTokenHash('HgIOjpEKMhvtwzZvjUdUmMYayc0gOvaxkZEsautS1KM', 'N2IwZmM5Y2YtZWJiYS00ZjA5LTkyZTktZTc0MjY5NDlmZDUwv7m2UfVNLyXYhcEicgYZ5LsQbZ7huJNibUjqAmPAWhyyxWRgXdZp4iTl2lE2ezdC3W-x93gkIg00rNok1MYgqA'));
-assert.ok(!oidcTokenHash('HgIOjpEKMhvtwzZvjUdUmMYayc0gOvaxkZEsautS1KM', '--IwZmM5Y2YtZWJiYS00ZjA5LTkyZTktZTc0MjY5NDlmZDUwv7m2UfVNLyXYhcEicgYZ5LsQbZ7huJNibUjqAmPAWhyyxWRgXdZp4iTl2lE2ezdC3W-x93gkIg00rNok1MYgqA'));
-assert.ok(!oidcTokenHash('--IOjpEKMhvtwzZvjUdUmMYayc0gOvaxkZEsautS1--', 'N2IwZmM5Y2YtZWJiYS00ZjA5LTkyZTktZTc0MjY5NDlmZDUwv7m2UfVNLyXYhcEicgYZ5LsQbZ7huJNibUjqAmPAWhyyxWRgXdZp4iTl2lE2ezdC3W-x93gkIg00rNok1MYgqA'));
+assert( oidcTokenHash('HgIOjpEKMhvtwzZvjUdUmMYayc0gOvaxkZEsautS1KM',
+  'N2IwZmM5Y2YtZWJiYS00ZjA5LTkyZTktZTc0MjY5NDlmZDUwv7m2UfVNLyXYhcEicgYZ5LsQbZ7huJNibUjqAmPAWhyyxWRgXdZp4iTl2lE2ezdC3W-x93gkIg00rNok1MYgqA',
+  'ES512'));
+assert(!oidcTokenHash('HgIOjpEKMhvtwzZvjUdUmMYayc0gOvaxkZEsautS1KM',
+  '--IwZmM5Y2YtZWJiYS00ZjA5LTkyZTktZTc0MjY5NDlmZDUwv7m2UfVNLyXYhcEicgYZ5LsQbZ7huJNibUjqAmPAWhyyxWRgXdZp4iTl2lE2ezdC3W-x93gkIg00rNok1MYgqA',
+  'ES512'));
+assert(!oidcTokenHash('--IOjpEKMhvtwzZvjUdUmMYayc0gOvaxkZEsautS1--',
+  'N2IwZmM5Y2YtZWJiYS00ZjA5LTkyZTktZTc0MjY5NDlmZDUwv7m2UfVNLyXYhcEicgYZ5LsQbZ7huJNibUjqAmPAWhyyxWRgXdZp4iTl2lE2ezdC3W-x93gkIg00rNok1MYgqA',
+  'ES512'));
+
+// mismatch between header alg and the length of the hash
+assert(!oidcTokenHash('x7vk7f6BvQj0jQHYFIk4ag',
+  'YmJiZTAwYmYtMzgyOC00NzhkLTkyOTItNjJjNDM3MGYzOWIy9sFhvH8K_x8UIHj1osisS57f5DduL-ar_qw5jl3lthwpMjm283aVMQXDmoqqqydDSqJfbhptzw8rUVwkuQbolw',
+  'RS384'));
+assert(!oidcTokenHash('rEF91trffQGMQVyqcnZvwddyQGLs6GTF',
+  'NjlkNjk2ZGUtZWQ1YS00MmQ3LWExOGUtMjNiYTY2MDU4YjJhYmJls2NqVk9DX1z2vDl4MZMeF2XLfMwiXWmRYzUL0t_IY1nWFp6Moeu2GVmBoT_d0Acl4upDyfdGRjeR-ZIsUQ',
+  'RS256'));
+assert(!oidcTokenHash('HgIOjpEKMhvtwzZvjUdUmMYayc0gOvaxkZEsautS1KM',
+  'N2IwZmM5Y2YtZWJiYS00ZjA5LTkyZTktZTc0MjY5NDlmZDUwv7m2UfVNLyXYhcEicgYZ5LsQbZ7huJNibUjqAmPAWhyyxWRgXdZp4iTl2lE2ezdC3W-x93gkIg00rNok1MYgqA',
+  'RS256'));

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

13169

increased by19.5%

Lines of code

146

increased by69.77%

Worsened metrics

Dev dependency count

4

increased by33.33%

No dependency changes