openid-client - npm Package Compare versions

Comparing version 1.15.0 to 1.16.0

CHANGELOG.md

@@ -8,2 +8,4 @@ # openid-client CHANGELOG
 <!-- TOC START min:2 max:2 link:true update:true -->
+  - [Version 1.16.0](#version-1160)
+  - [Version 1.15.0](#version-1150)
   - [Version 1.14.0](#version-1140)
@@ -29,2 +31,7 @@ - [Version 1.13.0](#version-1130)
 
+## Version 1.16.0
+- [DIFF](https://github.com/panva/node-openid-client/compare/v1.15.0...v1.15.1)
+- added `s_hash` value validation support for ID Tokens returned by authorization endpoint
+- fixed edge cases where valid `_hash` but from invalid sha-length was accepted
+
 ## Version 1.15.0
@@ -31,0 +38,0 @@ - [DIFF](https://github.com/panva/node-openid-client/compare/v1.14.0...v1.15.0)

lib/client.js

@@ -103,4 +103,6 @@ 'use strict';
 
-  assert(authParams.response_type === 'code' || authParams.nonce,
-    'nonce MUST be provided for implicit and hybrid flows');
+  assert(
+    authParams.response_type === 'code' || authParams.nonce,
+    'nonce MUST be provided for implicit and hybrid flows'
+  );
 
@@ -146,4 +148,6 @@ return authParams;
 
-const deprecatedKeystore = util.deprecate(keystore => keystore,
-  'passing keystore directly is deprecated, pass an object with keystore property instead');
+const deprecatedKeystore = util.deprecate(
+  keystore => keystore,
+  'passing keystore directly is deprecated, pass an object with keystore property instead'
+);
 
@@ -159,4 +163,6 @@ class Client {
     if (String(properties.token_endpoint_auth_method).endsWith('_jwt')) {
-      assert(this.issuer.token_endpoint_auth_signing_alg_values_supported,
-        'token_endpoint_auth_signing_alg_values_supported must be provided on the issuer');
+      assert(
+        this.issuer.token_endpoint_auth_signing_alg_values_supported,
+        'token_endpoint_auth_signing_alg_values_supported must be provided on the issuer'
+      );
     }
@@ -170,4 +176,6 @@
       if (String(properties[`${endpoint}_endpoint_auth_method`]).endsWith('_jwt')) {
-        assert(this.issuer[`${endpoint}_endpoint_auth_signing_alg_values_supported`],
-          `${endpoint}_endpoint_auth_signing_alg_values_supported must be provided on the issuer`);
+        assert(
+          this.issuer[`${endpoint}_endpoint_auth_signing_alg_values_supported`],
+          `${endpoint}_endpoint_auth_signing_alg_values_supported must be provided on the issuer`
+        );
       }
@@ -236,4 +244,6 @@ });
 
-    assert(isString || isIncomingMessage,
-      '#callbackParams only accepts string urls, http.IncomingMessage or a lookalike');
+    assert(
+      isString || isIncomingMessage,
+      '#callbackParams only accepts string urls, http.IncomingMessage or a lookalike'
+    );
 
@@ -296,3 +306,3 @@ let uri;
         .then(tokenset => this.decryptIdToken(tokenset, 'id_token'))
-        .then(tokenset => this.validateIdToken(tokenset, toCheck.nonce, 'authorization', toCheck.max_age));
+        .then(tokenset => this.validateIdToken(tokenset, toCheck.nonce, 'authorization', toCheck.max_age, toCheck.state));
     }
@@ -405,3 +415,3 @@
    */
-  validateIdToken(tokenSet, nonce, returnedBy, maxAge) {
+  validateIdToken(tokenSet, nonce, returnedBy, maxAge, state) {
     let idToken = tokenSet;
@@ -491,10 +501,15 @@
       assert(payload.c_hash || !tokenSet.code, 'missing required property c_hash');
+
+      if (payload.s_hash) {
+        assert(state, 'cannot verify s_hash, state not provided');
+        assert(tokenHash(payload.s_hash, state, header.alg), 's_hash mismatch');
+      }
     }
 
     if (tokenSet.access_token && payload.at_hash !== undefined) {
-      assert(tokenHash(payload.at_hash, tokenSet.access_token), 'at_hash mismatch');
+      assert(tokenHash(payload.at_hash, tokenSet.access_token, header.alg), 'at_hash mismatch');
     }
 
     if (tokenSet.code && payload.c_hash !== undefined) {
-      assert(tokenHash(payload.c_hash, tokenSet.code), 'c_hash mismatch');
+      assert(tokenHash(payload.c_hash, tokenSet.code, header.alg), 'c_hash mismatch');
     }
@@ -755,4 +770,6 @@
           if (!alg) {
-            alg = _.find(this.issuer[`${endpoint}_endpoint_auth_signing_alg_values_supported`],
-              signAlg => key.algorithms('sign').indexOf(signAlg) !== -1);
+            alg = _.find(
+              this.issuer[`${endpoint}_endpoint_auth_signing_alg_values_supported`],
+              signAlg => key.algorithms('sign').indexOf(signAlg) !== -1
+            );
           }
@@ -773,4 +790,6 @@
 
-          alg = _.find(this.issuer[`${endpoint}_endpoint_auth_signing_alg_values_supported`],
-            signAlg => algz.indexOf(signAlg) !== -1);
+          alg = _.find(
+            this.issuer[`${endpoint}_endpoint_auth_signing_alg_values_supported`],
+            signAlg => algz.indexOf(signAlg) !== -1
+          );
         }
@@ -798,3 +817,3 @@
     switch (this[`${endpoint}_endpoint_auth_method`] || this.token_endpoint_auth_method) {
-      case 'none' :
+      case 'none':
         return {
@@ -812,4 +831,4 @@ body: {
         };
-      case 'private_key_jwt' :
-      case 'client_secret_jwt' : {
+      case 'private_key_jwt':
+      case 'client_secret_jwt': {
         const timestamp = now();
@@ -824,6 +843,8 @@ return this.createSign(endpoint).then(sign => sign.update(JSON.stringify({
         })).final().then((client_assertion) => { // eslint-disable-line camelcase, arrow-body-style
-          return { body: {
-            client_assertion,
-            client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
-          } };
+          return {
+            body: {
+              client_assertion,
+              client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
+            },
+          };
         }));
@@ -830,0 +851,0 @@ }

lib/expect_response.js

@@ -8,6 +8,8 @@ 'use strict';
   return function expectResponseBody(response) {
-    assert(response.body,
-      `expected ${statusCode} ${STATUS_CODES[statusCode]} with body, got ${response.statusCode} ${STATUS_CODES[response.statusCode]} without one`);
+    assert(
+      response.body,
+      `expected ${statusCode} ${STATUS_CODES[statusCode]} with body, got ${response.statusCode} ${STATUS_CODES[response.statusCode]} without one`
+    );
     return response;
   };
 };

package.json

 {
   "name": "openid-client",
-  "version": "1.15.0",
+  "version": "1.16.0",
   "description": "OpenID Connect Relying Party (RP, Client) implementation for Node.js servers, supports passportjs",
@@ -46,5 +46,4 @@ "main": "lib/index.js",
     "chai": "^4.0.0",
-    "co-mocha": "^1.1.3",
     "eslint": "^4.3.0",
-    "eslint-config-airbnb-base": "^11.0.0",
+    "eslint-config-airbnb-base": "^12.0.0",
     "eslint-plugin-import": "^2.0.1",
@@ -56,7 +55,7 @@ "koa": "^2.2.0",
     "koa-session": "^5.0.0",
-    "mocha": "^3.0.0",
+    "mocha": "^4.0.0",
     "nock": "^9.0.14",
     "nyc": "^11.0.1",
     "readable-mock-req": "^0.2.2",
-    "sinon": "^3.0.0",
+    "sinon": "^4.0.0",
     "timekeeper": "^2.0.0"
@@ -70,4 +69,4 @@ },
     "lru-cache": "^4.0.1",
-    "node-jose": "^0.9.4",
-    "oidc-token-hash": "^1.0.0",
+    "node-jose": "^0.10.0",
+    "oidc-token-hash": "^2.0.0",
     "uuid": "^3.0.0"
@@ -74,0 +73,0 @@ },

No alert changes

Improved metrics

Total package byte prevSize

77984

increased by0.9%

Dev dependency count

15

decreased by-6.25%

Lines of code

1412

increased by1.58%

Dependency changes

• + Addednode-jose@0.10.0(transitive)

• + Addedoidc-token-hash@2.0.0(transitive)

• - Removednode-jose@0.9.5(transitive)

• - Removedoidc-token-hash@1.0.1(transitive)

• Updatednode-jose@^0.10.0

• Updatedoidc-token-hash@^2.0.0