Tags: tgies/client-certificate-auth
Modernize v1.0.0 Release (#11)

* Modernize package for v1.0.0 release
  - Migrate to ES modules with CommonJS compatibility wrapper
  - Add TypeScript declarations (.d.ts/.d.cts)
  - Replace Travis CI with GitHub Actions
  - Update to modern Node.js 18+ with c8 coverage
  - Add ESLint with flat config
  - Add integration tests for real mTLS connections
  - Update README and add CHANGELOG
  - Add .gitignore and FUNDING.yml

* Migrate test runner from Mocha to Jest
  - Replace Mocha with Jest for testing
  - Update package.json scripts for Jest with ESM support
  - Add jest.config.js with test patterns and timeout
  - Remove .mocharc.json
  - Update eslint.config.js to use Jest globals
  - Update .npmignore for Jest config
  - Add test for cached module branch (100% branch coverage)

* feat(WORK-001): Reverse proxy certificate passthrough support
  Complete implementation of certificate extraction from proxy headers:
  Presets:
  - aws-alb: X-Amzn-Mtls-Clientcert (URL-encoded PEM)
  - envoy: X-Forwarded-Client-Cert (XFCC format)
  - cloudflare: Cf-Client-Cert-Der-Base64 (Base64 DER)
  - traefik: X-Forwarded-Tls-Client-Cert (Base64 DER with chain)
  Features:
  - certificateSource option for preset selection
  - certificateHeader/headerEncoding for custom headers
  - fallbackToSocket option for hybrid deployments
  - Full cert chain support via issuerCertificate linking
  Testing:
  - 93 unit/integration tests with 100% coverage
  - 13 E2E tests with real nginx, Envoy, Traefik proxies
  - Docker Compose test infrastructure
  Documentation:
  - Updated README with proxy configuration examples
  - TypeScript declarations for all new APIs
  - Security considerations documented

* docs: add MIT license

* feat: attach client certificate to req.clientCertificate
  WORK-002: After successful certificate extraction, the middleware now attaches the certificate to req.clientCertificate for downstream handler access. This is now the default behavior - no opt-in option needed.
  Changes:
  - Middleware attaches cert to req.clientCertificate before auth callback
  - TypeScript declarations updated (both ESM and CJS)
  - Fix: CJS declarations now include WORK-001 reverse-proxy options (certificateSource, certificateHeader, headerEncoding, fallbackToSocket)
  - 6 new tests verifying attachment in all scenarios
  - README updated with usage examples
  The certificate is attached before the authorization callback runs, so it's available even if authorization fails (useful for error logging).

* feat(helpers): implement authorization helper utilities (WORK-003)
  Adds a new helpers module with pre-built validation callbacks for common mTLS authorization patterns:
  - allowCN: match by Common Name
  - allowFingerprints: match by certificate fingerprint
  - allowIssuer: match by issuer fields (partial)
  - allowSubject: match by subject fields (partial)
  - allowOU: match by Organizational Unit
  - allowOrganization: match by Organization
  - allowSerial: match by serial number
  - allowSAN: match by Subject Alternative Name
  - allowEmail: match by email (SAN or subject)
  - allOf: AND combinator
  - anyOf: OR combinator
  Includes:
  - Full TypeScript declarations
  - 163 unit/integration tests with 100% coverage
  - 18 E2E tests with real nginx proxy
  - README documentation with examples
  Closes WORK-003

* feat: granular authorization feedback with custom error messages
  WORK-004: Thrown errors from authorization callbacks now get status = 401 if not already set, enabling granular feedback to Express error handlers.
  Changes:
  - ESM: Added status = 401 assignment in both sync/async catch handlers
  - CJS: Added req.clientCertificate decoration (was missing from WORK-002)
  - CJS: Added status = 401 assignment for thrown errors
  - Added 8 new tests (4 ESM, 4 CJS) for error status behavior
  - README: Added 'Custom Error Messages' section with examples

* feat: add includeChain option for certificate chain access
  WORK-005: Full Certificate Chain Access
  Changes:
  - Add includeChain option (default: false) to include issuerCertificate chain
  - Normalize behavior: strip issuerCertificate from header-parsed certs unless enabled
  - Pass includeChain flag to getPeerCertificate() for socket-based extraction
  - Update TypeScript declarations with DetailedPeerCertificate support
  - Add 6 unit tests covering socket and header-based chain handling
  - Update README with new option documentation and usage examples

* fix(security): remove redirectInsecure, add verifyHeader/verifyValue
  WORK-013: Remove Host Header Injection Vulnerability
  - Removed redirectInsecure option entirely (inherently insecure)
  - Removed from ESM, CJS, TypeScript definitions
  - Removed associated tests and README documentation
  WORK-014: Add Verification Header Support
  - Added verifyHeader/verifyValue options for defense-in-depth
  - Both options must be specified together when used
  - Returns 401 if verification header missing or value doesn't match
  - Added 4 unit tests and 2 E2E tests
  - Updated README with nginx configuration example
  BREAKING CHANGE: redirectInsecure option has been removed

* docs: add User Login section to README
  Show how to map client certificates to user accounts using fingerprint, email, or CN-based database lookups. Includes example for attaching user object to req for downstream routes.

* feat: fix type augmentation export and CJS option validation
  WORK-008: Add global.d.ts reference to type declarations
  WORK-015: Add runtime validation for unsupported CJS options
  Changes:
  - Added /// <reference path="./global.d.ts" /> to both .d.ts and .d.cts
  - Simplified .d.cts ClientCertificateAuthOptions to only include includeChain
  - Added UNSUPPORTED_OPTIONS validation in CJS wrapper that throws descriptive error
  - Added 9 tests for CJS unsupported options error cases
  - Maintains 100% test coverage (184 tests)

* chore: add test:all script for combined unit and e2e tests
* ci: add npm publish workflow with provenance
* ci: enforce MAXIMUM COVERAGE
* docs: README tweaks
* docs: add Codecov integration, SECURITY.md, and CONTRIBUTING.md
* docs: update CHANGELOG 1.0.0 with all implemented features
* ci: exclude ESM-only entrypoints from attw validation
* ci: require Node 20+, separate Codecov upload job
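The WORK-001 and WORK-014 notes above describe four proxy header encodings and a verification header, without showing the decoding itself. The following is an added example written for this page, not code from tgies/client-certificate-auth: it decodes a forwarded client certificate for each of the four presets and refuses to trust the certificate header unless a proxy-only verification header matches. The preset table, option names (certificateSource, verifyHeader, verifyValue, fallbackToSocket) and the return shape are this example's own assumptions modelled on the option names in the notes; header names are lowercased because Node's http parser lowercases req.headers keys; the XFCC decoder assumes the first element was written by the proxy that terminated the real client's TLS session; and the "certificates" are constructed ASN.1 stand-ins, not real X.509 data. The check only helps if the proxy overwrites any client-supplied copy of the certificate header and the verification value is not reachable by clients.

```javascript
// Added example, not code from tgies/client-certificate-auth; see the lead-in for assumptions.
const PRESETS = {            // lowercased, as Node stores header names in req.headers
  'aws-alb':    { header: 'x-amzn-mtls-clientcert',      encoding: 'pem-urlencoded' },
  'envoy':      { header: 'x-forwarded-client-cert',     encoding: 'xfcc' },
  'cloudflare': { header: 'cf-client-cert-der-base64',   encoding: 'der-base64' },
  'traefik':    { header: 'x-forwarded-tls-client-cert', encoding: 'der-base64-chain' },
};

// Strict base64 -> DER. Buffer.from() silently drops bad characters, so validate first,
// then require the outer ASN.1 SEQUENCE tag (0x30) that every X.509 certificate begins with.
function base64ToDer(text) {
  const clean = text.replace(/\s+/g, '');
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(clean)) throw new Error('invalid base64');
  const der = Buffer.from(clean, 'base64');
  if (der[0] !== 0x30) throw new Error('not a DER certificate');
  return der;
}

// Every CERTIFICATE block in a PEM text, in order; tolerates CRLF and flattened newlines.
function pemToDerList(pem) {
  const blocks = [...pem.matchAll(/-----BEGIN CERTIFICATE-----([\s\S]*?)-----END CERTIFICATE-----/g)];
  if (blocks.length === 0) throw new Error('no PEM certificate found');
  return blocks.map(m => base64ToDer(m[1]));
}

// Envoy XFCC: comma-separated elements (one per proxy hop), each a ';'-separated list of
// Key=Value pairs; values containing , ; = are double-quoted and may contain \" escapes.
function parseXfcc(header) {
  const split = (s, sep) => s.match(new RegExp(`(?:[^${sep}"]|"(?:[^"\\\\]|\\\\.)*")+`, 'g')) ?? [];
  const unquote = v => (v.startsWith('"') && v.endsWith('"') ? v.slice(1, -1).replace(/\\(.)/g, '$1') : v);
  return split(header, ',').map(element => Object.fromEntries(split(element, ';').map(pair => {
    const eq = pair.indexOf('=');
    return eq < 0 ? [pair.trim(), ''] : [pair.slice(0, eq).trim(), unquote(pair.slice(eq + 1).trim())];
  })));
}

// The forwarded chain as DER Buffers, leaf first; throws on anything malformed.
function decodeCertificateHeader(value, encoding) {
  switch (encoding) {
    case 'pem-urlencoded':   return pemToDerList(decodeURIComponent(value)); // ALB: URL-encoded PEM, may hold the chain
    case 'der-base64':       return [base64ToDer(value)];                     // Cloudflare: one base64 DER leaf
    case 'der-base64-chain': return value.split(',').map(base64ToDer);        // Traefik: comma-separated base64 DER
    case 'xfcc': {  // Envoy; assumes element 0 was written by the proxy that terminated the real client's TLS
      const el = parseXfcc(value)[0] ?? {};
      if (!el.Cert) throw new Error('XFCC element has no Cert field');
      const [leaf] = pemToDerList(decodeURIComponent(el.Cert));
      const rest = el.Chain ? pemToDerList(decodeURIComponent(el.Chain)).filter(c => !c.equals(leaf)) : [];
      return [leaf, ...rest];
    }
    default: throw new Error(`unknown header encoding: ${encoding}`);
  }
}

// Byte-wise compare whose running time does not depend on where the inputs differ.
function constantTimeEqual(a, b) {
  const A = Buffer.from(String(a)), B = Buffer.from(String(b));
  let diff = A.length ^ B.length;
  for (let i = 0; i < Math.max(A.length, B.length); i++) diff |= (A[i] ?? 0) ^ (B[i] ?? 0);
  return diff === 0;
}

// req: anything with Node-style lowercased `headers` and, optionally, a TLS `socket`.
// Result: { status: 200, chain: [Buffer, ...] } or { status: 401, reason }.
function extractClientCertificate(req, options) {
  const preset = PRESETS[options.certificateSource];
  if (!preset) throw new Error(`unknown certificateSource: ${options.certificateSource}`);
  const { verifyHeader, verifyValue } = options;
  if ((verifyHeader === undefined) !== (verifyValue === undefined)) throw new Error('verifyHeader and verifyValue must be set together');
  // Only the proxy knows verifyValue, so a client reaching the app directly cannot forge the cert header.
  const got = verifyHeader === undefined ? undefined : req.headers[verifyHeader.toLowerCase()];
  if (verifyHeader !== undefined && (typeof got !== 'string' || !constantTimeEqual(got, verifyValue))) {
    return { status: 401, reason: 'verification header missing or wrong' };
  }
  const raw = req.headers[preset.header];
  if (typeof raw === 'string' && raw.length > 0) {
    try { return { status: 200, chain: decodeCertificateHeader(raw, preset.encoding) }; }
    catch (err) { return { status: 401, reason: `malformed certificate header: ${err.message}` }; }
  }
  if (options.fallbackToSocket && typeof req.socket?.getPeerCertificate === 'function') {
    const peer = req.socket.getPeerCertificate(false);  // the request reached the app over TLS directly
    if (peer && peer.raw) return { status: 200, chain: [peer.raw] };
  }
  return { status: 401, reason: 'no client certificate presented' };
}

// Constructed stand-ins for DER certificates (a bare ASN.1 SEQUENCE { INTEGER }); only the outer tag is checked above.
const FAKE_LEAF = Buffer.from('3003020101', 'hex');
const FAKE_CA = Buffer.from('3003020102', 'hex');
const toPem = der => `-----BEGIN CERTIFICATE-----\n${der.toString('base64')}\n-----END CERTIFICATE-----\n`;

// Constructed request headers, one per preset, shaped as each proxy emits them.
const SAMPLE_HEADERS = {
  'aws-alb':    { 'x-amzn-mtls-clientcert': encodeURIComponent(toPem(FAKE_LEAF) + toPem(FAKE_CA)) },
  'cloudflare': { 'cf-client-cert-der-base64': FAKE_LEAF.toString('base64') },
  'traefik':    { 'x-forwarded-tls-client-cert': `${FAKE_LEAF.toString('base64')},${FAKE_CA.toString('base64')}` },
  'envoy':      { 'x-forwarded-client-cert': `By=spiffe://mesh/backend;Hash=00;Cert="${encodeURIComponent(toPem(FAKE_LEAF))}";` +
                  `Chain="${encodeURIComponent(toPem(FAKE_LEAF) + toPem(FAKE_CA))}";Subject="/O=Example, Inc./CN=client"` },
};

function runSamples() {  // every preset with the proxy secret present, plus the ALB header sent without it
  const opts = { verifyHeader: 'X-Proxy-Secret', verifyValue: 's3cret' };
  const out = {};
  for (const [source, headers] of Object.entries(SAMPLE_HEADERS)) {
    out[source] = extractClientCertificate({ headers: { ...headers, 'x-proxy-secret': 's3cret' } }, { certificateSource: source, ...opts });
  }
  out.forged = extractClientCertificate({ headers: SAMPLE_HEADERS['aws-alb'] }, { certificateSource: 'aws-alb', ...opts });
  return out;
}
```

runSamples() yields a two-element chain for aws-alb, envoy and traefik, a single leaf for cloudflare, and a 401 for the forged request that carries the ALB header but not the proxy secret. Each DER Buffer can be handed to `new crypto.X509Certificate(der)` once real certificates are in play; the constructed stand-ins here would be rejected at that step by design.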
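The WORK-003 and WORK-004 notes list the helper callbacks and state that a thrown error becomes a 401 unless it already carries a status, without showing how such callbacks compose. The following is an added example written for this page, not the project's helpers module: it implements callbacks with the same names over the certificate object shape that Node's tls.TLSSocket#getPeerCertificate() returns (subject and issuer keyed by attribute, subjectaltname as one string, serialNumber as hex, fingerprint256 as colon-separated hex), AND/OR combinators that accept sync or async callbacks, and a runner that maps a verdict or thrown error to an HTTP status. The helper bodies, the authorize() runner, the policy and the sample certificate object are all this example's assumptions.

```javascript
// Added example, not the project's helpers module; see the lead-in for assumptions.
const partialMatch = (wanted, actual) => Object.entries(wanted).every(([k, v]) => actual?.[k] === v);
const sanList = cert => (cert.subjectaltname ?? '').split(',').map(s => s.trim()).filter(Boolean);

const allowSubject      = wanted => cert => partialMatch(wanted, cert.subject);
const allowIssuer       = wanted => cert => partialMatch(wanted, cert.issuer);
const allowCN           = (...names) => cert => names.includes(cert.subject?.CN);
const allowOU           = (...units) => cert => units.includes(cert.subject?.OU);
const allowOrganization = (...orgs) => cert => orgs.includes(cert.subject?.O);
const allowSerial       = (...serials) => cert => serials.some(s => s.toUpperCase() === String(cert.serialNumber).toUpperCase());
// Whole SAN entries only, so "DNS:a.example" never matches "DNS:a.example.evil".
const allowSAN   = (...sans) => cert => sanList(cert).some(s => sans.includes(s));
const allowEmail = (...emails) => cert =>
  emails.includes(cert.subject?.emailAddress) || sanList(cert).some(s => /^email:/i.test(s) && emails.includes(s.slice(6)));

// SHA-256 fingerprints only (fingerprint256); "AA:BB" and "aabb" spellings are both accepted and
// compared in constant time so a timing difference does not reveal how long a matching prefix is.
const hexOf = fp => String(fp ?? '').replace(/:/g, '').toLowerCase();
function constantTimeEqual(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < Math.max(a.length, b.length); i++) diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  return diff === 0;
}
const allowFingerprints = (...fps) => cert => fps.some(fp => constantTimeEqual(hexOf(fp), hexOf(cert.fingerprint256)));

// Combinators accept sync or async callbacks and short-circuit left to right; they always
// return a promise, so the result must be awaited.
const allOf = (...checks) => async cert => { for (const c of checks) if (!(await c(cert))) return false; return true; };
const anyOf = (...checks) => async cert => { for (const c of checks) if (await c(cert)) return true; return false; };

// Turn a callback's verdict into an HTTP outcome: false -> 401; a thrown error keeps its own
// err.status when the callback set one and otherwise becomes 401, as the release notes describe.
async function authorize(check, cert) {
  try {
    return (await check(cert)) ? { status: 200 } : { status: 401, message: 'Unauthorized' };
  } catch (err) {
    return { status: err.status ?? 401, message: err.message };
  }
}

// A custom rule that wants a different status than the default 401.
function contractorsNeedTicket(cert) {
  if (cert.subject?.OU === 'Contractors') {
    const err = new Error('contractor certificates need an approved ticket');
    err.status = 403;
    throw err;
  }
  return true;
}

// Policy: issued by the internal CA, AND (a known CN OR a pinned fingerprint), AND the custom rule.
const POLICY = allOf(
  allowIssuer({ O: 'Example Inc', CN: 'Example Internal CA' }),
  anyOf(allowCN('deploy-bot', 'ci-runner'),
        allowFingerprints('aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899')),
  contractorsNeedTicket,
);

// Constructed sample certificate object (not a real certificate).
const SAMPLE_CERT = {
  subject: { C: 'US', O: 'Example Inc', OU: 'Platform', CN: 'deploy-bot' },
  issuer:  { C: 'US', O: 'Example Inc', CN: 'Example Internal CA' },
  subjectaltname: 'DNS:deploy-bot.internal, email:deploy-bot@internal.example',
  serialNumber: '0A1B2C',
  fingerprint256: 'AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99',
};
```

`authorize(POLICY, SAMPLE_CERT)` resolves to status 200; the same certificate with OU set to Contractors gets the rule's own 403, and one with an unknown CN and fingerprint gets the default 401. In an Express handler the returned status is what the error handler would see on `err.status`.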
0.3.0: Support async auth, cleanup

This is version 0.3.0.

- Support asynchronous authentication function (thanks mmalecki). This closes #6.
- Remove some cruft from the tree.
- Call the returned function "middleware" per convention.

Squashed commit of the following:

commit 9fca8aa
Author: Tony Gies <[email protected]>
Date:   Mon Mar 17 10:23:41 2014 -0500

    0.3.0

commit 068bd7c
Author: Tony Gies <[email protected]>
Date:   Mon Mar 17 10:21:25 2014 -0500

    Don't track .gitignore

commit 15a72e4
Merge: 4759317 cb6be60
Author: Tony Gies <[email protected]>
Date:   Mon Mar 17 10:18:47 2014 -0500

    Merge remote-tracking branch 'mmalecki/async-authorization' into develop

commit cb6be60
Author: Maciej Małecki <[email protected]>
Date:   Mon Mar 17 15:20:13 2014 +0100

    Allow asynchronous authorization

commit 4759317
Author: Tony Gies <[email protected]>
Date:   Wed May 8 08:27:54 2013 -0500

    Name the returned function "middleware"