This repository has been archived by the owner on Oct 4, 2022. It is now read-only.
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
* initial commit * Initial commit * Add security notice to readme * Added logic to error if the options are missing the identityProviderUrl login endpoint * Updated the error message and added unit test cases * Added pattern match for expected generated URL * Switching from block-scoped declaration to var to fix TravisCI error * 3.0.6 * Removing the moment package dependency and removing all imports of the package * 3.0.7 * Fix issue with digest with extra whitespaces (auth0#70) * Added digest issue test * bumped library * remove github tag * Changed tag * Removing the package-lock.json file. This serves no purpose and should not be published per https://docs.npmjs.com/files/package-lock.json * Improve error message when signing certificate is invalid (auth0#72) * Improve error message when the provided signing certificate is invalid * Convert indentation to spaces * Added tests for the encoded XML value in an AttributeValue field (auth0#74) * Added tests for the encoded XML value in an AttributeValue field * Updated the xmldom dependency to point to a release tag. * 3.0.8 (auth0#73) * Fix remaining cases where an invalid identityProviderUrl isn't handled (auth0#77) We used to parse `options.identityProviderUrl` assuming it was a string, which failed when it wasn't. We'd fixed this in Samlp.getSamlRequestUrl(), but its siblings getSamlRequestParams() and getSamlRequestForm() were still susceptible. * 3.0.9 * fix signature location lookup * Update the security notice file with a new entry. * 3.0.10 (auth0#80) * Handle exception when signing a malformed requestTemplate (auth0#88) 3.0.11 Handle exception when signing a malformed requestTemplate * DF-38 Wrapping template parse to prevent uncaught (auth0#90) There is a situation in which the @@ VAR @@ can get goofed up and contain strings that will include part of the template itself. This will not parse correctly and throws an exception in the replace phase of the regex matching. I've wrapped it in a try/catch to prevent it from bringing the process down. Noting that this area looks problematic as it was recently patched in auth0#88 Version bumped to `3.0.12`. [Sentry Issue](https://sentry.io/auth0/auth0-server/issues/617753396/events/25564560312/) ✅ This change has unit test coverage * Isolating handling of malformed template (auth0#93) The `supplant` function will explode when a template is passed in this manner, so this will return a corresponding error message when handing the try/catch in this way. If we add proper XML validation down the line, we can widen this out. * Include option to check SAML certificate expiration (auth0#96) * add certificate expiration checking as an option (off by default) Drops Node4 support as well, though it was already failing on Node4 in master changes per machuga comments changes per machuga comments remove separate supported-versions list for saml * restore test we lost in bad squash * change some vars to lets and camel to snake case in tests * add test to ensure we can allow expired certs if we choose to * remove unneeded comment from tests * Fix documentation for ADFS strategy configuration. (auth0#95) * Tighten clock skew checks for SAML. (auth0#97) Changing default clock skew to 3 minutes to adhere to standard industry practice. Also make clock skew a configurable option. * Use crypto randombytes for uniqueness (auth0#104) * Use crypto randombytes for uniqueness * Conform id length with the spec * Added a variant of XSW test (auth0#107) Adding a variant of xml signature wrapping unit tests in light of recent samlify vulnerability. * Add support of new error message format (for OpenSSL errors) of Node.js (auth0#98) fixes auth0#75 @machuga Bugfix for issue `Invalid cert tests break with Node >= 8.7.0 auth0#75` * Add event for certificate expiration validation (auth0#114) * Add event for certificate expiration validation * emit always * fix * fix cert validation * 3.0.14 (auth0#115) * Fix x509 dependency (auth0#116) * Fix x509 dependency * 3.0.15 * change dependency * fix cert validation (auth0#118) * Catch x509 exeptions on invalid certificates (auth0#124) * 3.0.17 (auth0#125) * [Node 10] Update x509 (auth0#130) * [Node 10] Update x509 * 4.0.0 * Update travis * get rid of npm install * Fix securty deps. (auth0#137) * remove cryptiles * bump xml-encryption * express upgrade * bump request version (auth0#138) * Bump XML Crypto version (auth0#139) * use last xml-crypto * Change x509 dependency (auth0#142) * 4.2.0 * Bump xml-encryption to 1.2.1 for modern algorithm support (auth0#145) * new version: 4.3.0 (auth0#146) * Move CI away from Travis and to Github Actions (auth0#147) * Forgotten workflows folder (auth0#148) * Run tests on all branch pushes and PRs (auth0#149) * Use @auth0/xmldom (auth0#150) Use custom npm lib with custom versions of xmldom Tag v0.1.19-auth0.2 is now version v0.1.22 * Bump to 4.4.0 (auth0#151) * add Destination & AssertionConsumerServiceURL as SAML req template vars * 4.5.1 (auth0#155) * Drop node 10, update/consolidate dev deps (auth0#157) * Handle encoded CR entities in assertions (auth0#158) * Allow options.assertionConsumerServiceURL or options.callback (auth0#156) * Revert "Handle encoded CR entities in assertions (auth0#158)" (auth0#159) * chore(ci): configure Semantic Release publishing * chore: use npm i instead of npm ci * fix(pkg): upgrade xml-crypto to latest version Addresses: ``` npm WARN deprecated [email protected]: Deprecated due to CVE-2021-21366 resolved in 0.5.0 ``` Co-authored-by: woloski <[email protected]> Co-authored-by: German Lena <[email protected]> Co-authored-by: Sandrino Di Mattia <[email protected]> Co-authored-by: Mike Lee <[email protected]> Co-authored-by: Mike Lee <[email protected]> Co-authored-by: Marcos Castany <[email protected]> Co-authored-by: Gustavo Narea <[email protected]> Co-authored-by: Eduardo Diaz <[email protected]> Co-authored-by: radekk <[email protected]> Co-authored-by: Eduardo Diaz <[email protected]> Co-authored-by: Matthew Machuga <[email protected]> Co-authored-by: Robert <[email protected]> Co-authored-by: Arkadiusz Kaɫkus <[email protected]> Co-authored-by: gkwang <[email protected]> Co-authored-by: Eva Sarafianou <[email protected]> Co-authored-by: Fady Makram <[email protected]> Co-authored-by: Jose Luis Diaz <[email protected]> Co-authored-by: Yamil Asusta <[email protected]> Co-authored-by: Robin Bijlani <[email protected]> Co-authored-by: Hernan Zalazar <[email protected]> Co-authored-by: Nico Sabena <[email protected]> Co-authored-by: KalleV <[email protected]>
- Loading branch information
23 people
committed
Sep 29, 2022
1 parent
17a8d41
commit ff241e8