From 525748647c8a8c6e79073bf8965c639c36f262b5 Mon Sep 17 00:00:00 2001 From: Peter Loer <ploer@acm.org> Date: Wed, 30 Dec 2015 12:18:25 -0800 Subject: [PATCH 01/13] v0.15.0 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index ea1cfea02..20aa10efe 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-saml", - "version": "0.14.0", + "version": "0.15.0", "licenses": [ { "type": "MIT", From ade5f0ed8b1f95d39f6b553f3c05671c1f77442f Mon Sep 17 00:00:00 2001 From: Xavier Dumesnil <xavier@frontapp.com> Date: Thu, 18 Aug 2016 17:25:11 -0700 Subject: [PATCH 02/13] Fix tests with latest version of shouldjs cf: https://github.com/shouldjs/should.js/wiki/Breaking-changes#changes-for-9x --- test/tests.js | 138 +++++++++++++++++++++++++------------------------- 1 file changed, 69 insertions(+), 69 deletions(-) diff --git a/test/tests.js b/test/tests.js index 4e5202951..a7f8dff89 100644 --- a/test/tests.js +++ b/test/tests.js @@ -165,7 +165,7 @@ describe( 'passport-saml /', function() { should.exist(passedRequest); passedRequest.url.should.eql('/login'); passedRequest.method.should.eql('POST'); - passedRequest.body.should.eql(check.samlResponse); + passedRequest.body.should.match(check.samlResponse); } else { should.not.exist(passedRequest); } @@ -193,52 +193,52 @@ describe( 'passport-saml /', function() { { name: "Empty Config", config: {}, result: { - 'samlp:AuthnRequest': - { '$': + 'samlp:AuthnRequest': + { '$': { 'xmlns:samlp': 'urn:oasis:names:tc:SAML:2.0:protocol', Version: '2.0', ProtocolBinding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST', AssertionConsumerServiceURL: 'http://localhost:3033/login', Destination: 'https://wwwexampleIdp.com/saml'}, - 'saml:Issuer': + 'saml:Issuer': [ { _: 'onelogin_saml', '$': { 'xmlns:saml': 'urn:oasis:names:tc:SAML:2.0:assertion' } } ], - 'samlp:NameIDPolicy': - [ { '$': + 'samlp:NameIDPolicy': + [ { '$': { 'xmlns:samlp': 'urn:oasis:names:tc:SAML:2.0:protocol', Format: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress', AllowCreate: 'true' } } ], - 'samlp:RequestedAuthnContext': - [ { '$': + 'samlp:RequestedAuthnContext': + [ { '$': { 'xmlns:samlp': 'urn:oasis:names:tc:SAML:2.0:protocol', Comparison: 'exact' }, - 'saml:AuthnContextClassRef': + 'saml:AuthnContextClassRef': [ { _: 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport', '$': { 'xmlns:saml': 'urn:oasis:names:tc:SAML:2.0:assertion' } } ] } ] } } }, { name: "Empty Config w/ HTTP-POST binding", config: { authnRequestBinding: 'HTTP-POST' }, result: { - 'samlp:AuthnRequest': - { '$': + 'samlp:AuthnRequest': + { '$': { 'xmlns:samlp': 'urn:oasis:names:tc:SAML:2.0:protocol', Version: '2.0', ProtocolBinding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST', AssertionConsumerServiceURL: 'http://localhost:3033/login', Destination: 'https://wwwexampleIdp.com/saml'}, - 'saml:Issuer': + 'saml:Issuer': [ { _: 'onelogin_saml', '$': { 'xmlns:saml': 'urn:oasis:names:tc:SAML:2.0:assertion' } } ], - 'samlp:NameIDPolicy': - [ { '$': + 'samlp:NameIDPolicy': + [ { '$': { 'xmlns:samlp': 'urn:oasis:names:tc:SAML:2.0:protocol', Format: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress', AllowCreate: 'true' } } ], - 'samlp:RequestedAuthnContext': - [ { '$': + 'samlp:RequestedAuthnContext': + [ { '$': { 'xmlns:samlp': 'urn:oasis:names:tc:SAML:2.0:protocol', Comparison: 'exact' }, - 'saml:AuthnContextClassRef': + 'saml:AuthnContextClassRef': [ { _: 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport', '$': { 'xmlns:saml': 'urn:oasis:names:tc:SAML:2.0:assertion' } } ] } ] } } }, @@ -250,9 +250,9 @@ describe( 'passport-saml /', function() { attributeConsumingServiceIndex: 123, forceAuthn: false }, - result: { - 'samlp:AuthnRequest': - { '$': + result: { + 'samlp:AuthnRequest': + { '$': { 'xmlns:samlp': 'urn:oasis:names:tc:SAML:2.0:protocol', Version: '2.0', ProtocolBinding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST', @@ -260,19 +260,19 @@ describe( 'passport-saml /', function() { AttributeConsumingServiceIndex: '123', Destination: 'https://wwwexampleIdp.com/saml', IsPassive: 'true'}, - 'saml:Issuer': + 'saml:Issuer': [ { _: 'http://exampleSp.com/saml', '$': { 'xmlns:saml': 'urn:oasis:names:tc:SAML:2.0:assertion' } } ], - 'samlp:NameIDPolicy': - [ { '$': + 'samlp:NameIDPolicy': + [ { '$': { 'xmlns:samlp': 'urn:oasis:names:tc:SAML:2.0:protocol', Format: 'alternateIdentifier', AllowCreate: 'true' } } ], - 'samlp:RequestedAuthnContext': - [ { '$': + 'samlp:RequestedAuthnContext': + [ { '$': { 'xmlns:samlp': 'urn:oasis:names:tc:SAML:2.0:protocol', Comparison: 'exact' }, - 'saml:AuthnContextClassRef': + 'saml:AuthnContextClassRef': [ { _: 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport', '$': { 'xmlns:saml': 'urn:oasis:names:tc:SAML:2.0:assertion' } } ] } ] } } }, @@ -284,9 +284,9 @@ describe( 'passport-saml /', function() { attributeConsumingServiceIndex: 123, skipRequestCompression: true }, - result: { - 'samlp:AuthnRequest': - { '$': + result: { + 'samlp:AuthnRequest': + { '$': { 'xmlns:samlp': 'urn:oasis:names:tc:SAML:2.0:protocol', Version: '2.0', ProtocolBinding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST', @@ -294,19 +294,19 @@ describe( 'passport-saml /', function() { AttributeConsumingServiceIndex: '123', Destination: 'https://wwwexampleIdp.com/saml', IsPassive: 'true' }, - 'saml:Issuer': + 'saml:Issuer': [ { _: 'http://exampleSp.com/saml', '$': { 'xmlns:saml': 'urn:oasis:names:tc:SAML:2.0:assertion' } } ], - 'samlp:NameIDPolicy': - [ { '$': + 'samlp:NameIDPolicy': + [ { '$': { 'xmlns:samlp': 'urn:oasis:names:tc:SAML:2.0:protocol', Format: 'alternateIdentifier', AllowCreate: 'true' } } ], - 'samlp:RequestedAuthnContext': - [ { '$': + 'samlp:RequestedAuthnContext': + [ { '$': { 'xmlns:samlp': 'urn:oasis:names:tc:SAML:2.0:protocol', Comparison: 'exact' }, - 'saml:AuthnContextClassRef': + 'saml:AuthnContextClassRef': [ { _: 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport', '$': { 'xmlns:saml': 'urn:oasis:names:tc:SAML:2.0:assertion' } } ] } ] } } }, @@ -320,9 +320,9 @@ describe( 'passport-saml /', function() { disableRequestedAuthnContext: true, forceAuthn: true }, - result: { - 'samlp:AuthnRequest': - { '$': + result: { + 'samlp:AuthnRequest': + { '$': { 'xmlns:samlp': 'urn:oasis:names:tc:SAML:2.0:protocol', Version: '2.0', ProtocolBinding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST', @@ -331,11 +331,11 @@ describe( 'passport-saml /', function() { Destination: 'https://wwwexampleIdp.com/saml', IsPassive: 'true', ForceAuthn: 'true' }, - 'saml:Issuer': + 'saml:Issuer': [ { _: 'http://exampleSp.com/saml', '$': { 'xmlns:saml': 'urn:oasis:names:tc:SAML:2.0:assertion' } } ], - 'samlp:NameIDPolicy': - [ { '$': + 'samlp:NameIDPolicy': + [ { '$': { 'xmlns:samlp': 'urn:oasis:names:tc:SAML:2.0:protocol', Format: 'alternateIdentifier', AllowCreate: 'true' } } ] } } @@ -348,9 +348,9 @@ describe( 'passport-saml /', function() { attributeConsumingServiceIndex: 123, authnContext: 'myAuthnContext' }, - result: { - 'samlp:AuthnRequest': - { '$': + result: { + 'samlp:AuthnRequest': + { '$': { 'xmlns:samlp': 'urn:oasis:names:tc:SAML:2.0:protocol', Version: '2.0', ProtocolBinding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST', @@ -358,19 +358,19 @@ describe( 'passport-saml /', function() { AttributeConsumingServiceIndex: '123', Destination: 'https://wwwexampleIdp.com/saml', IsPassive: 'true'}, - 'saml:Issuer': + 'saml:Issuer': [ { _: 'http://exampleSp.com/saml', '$': { 'xmlns:saml': 'urn:oasis:names:tc:SAML:2.0:assertion' } } ], - 'samlp:NameIDPolicy': - [ { '$': + 'samlp:NameIDPolicy': + [ { '$': { 'xmlns:samlp': 'urn:oasis:names:tc:SAML:2.0:protocol', Format: 'alternateIdentifier', AllowCreate: 'true' } } ], - 'samlp:RequestedAuthnContext': - [ { '$': + 'samlp:RequestedAuthnContext': + [ { '$': { 'xmlns:samlp': 'urn:oasis:names:tc:SAML:2.0:protocol', Comparison: 'exact' }, - 'saml:AuthnContextClassRef': + 'saml:AuthnContextClassRef': [ { _: 'myAuthnContext', '$': { 'xmlns:saml': 'urn:oasis:names:tc:SAML:2.0:assertion' } } ] } ] } } } @@ -393,7 +393,7 @@ describe( 'passport-saml /', function() { }) ); - app.get( '/login', + app.get( '/login', passport.authenticate( "saml", { samlFallback: 'login-request', session: false } ), function(req, res) { res.status(200).send("200 OK"); @@ -458,16 +458,16 @@ describe( 'passport-saml /', function() { describe( 'saml.js / ', function() { it( 'generateLogoutRequest', function( done ) { - var expectedRequest = { - 'samlp:LogoutRequest': - { '$': + var expectedRequest = { + 'samlp:LogoutRequest': + { '$': { 'xmlns:samlp': 'urn:oasis:names:tc:SAML:2.0:protocol', 'xmlns:saml': 'urn:oasis:names:tc:SAML:2.0:assertion', //ID: '_85ba0a112df1ffb57805', Version: '2.0', //IssueInstant: '2014-05-29T03:32:23Z', Destination: 'foo' }, - 'saml:Issuer': + 'saml:Issuer': [ { _: 'onelogin_saml', '$': { 'xmlns:saml': 'urn:oasis:names:tc:SAML:2.0:assertion' } } ], 'saml:NameID': [ { _: 'bar', '$': { Format: 'foo' } } ] } }; @@ -488,16 +488,16 @@ describe( 'passport-saml /', function() { }); it( 'generateLogoutRequest adds the NameQualifier and SPNameQualifier to the saml request', function( done ) { - var expectedRequest = { - 'samlp:LogoutRequest': - { '$': + var expectedRequest = { + 'samlp:LogoutRequest': + { '$': { 'xmlns:samlp': 'urn:oasis:names:tc:SAML:2.0:protocol', 'xmlns:saml': 'urn:oasis:names:tc:SAML:2.0:assertion', //ID: '_85ba0a112df1ffb57805', Version: '2.0', //IssueInstant: '2014-05-29T03:32:23Z', Destination: 'foo' }, - 'saml:Issuer': + 'saml:Issuer': [ { _: 'onelogin_saml', '$': { 'xmlns:saml': 'urn:oasis:names:tc:SAML:2.0:assertion' } } ], 'saml:NameID': [ { _: 'bar', '$': { Format: 'foo', @@ -522,9 +522,9 @@ describe( 'passport-saml /', function() { }); it( 'generateLogoutResponse', function( done ) { - var expectedResponse = { - 'samlp:LogoutResponse': - { '$': + var expectedResponse = { + 'samlp:LogoutResponse': + { '$': { 'xmlns:samlp': 'urn:oasis:names:tc:SAML:2.0:protocol', 'xmlns:saml': 'urn:oasis:names:tc:SAML:2.0:assertion', //ID: '_d11b3c5e085b2417f4aa', @@ -546,21 +546,21 @@ describe( 'passport-saml /', function() { }); it( 'generateLogoutRequest', function( done ) { - var expectedRequest = { - 'samlp:LogoutRequest': - { '$': + var expectedRequest = { + 'samlp:LogoutRequest': + { '$': { 'xmlns:samlp': 'urn:oasis:names:tc:SAML:2.0:protocol', 'xmlns:saml': 'urn:oasis:names:tc:SAML:2.0:assertion', //ID: '_85ba0a112df1ffb57805', Version: '2.0', //IssueInstant: '2014-05-29T03:32:23Z', Destination: 'foo' }, - 'saml:Issuer': + 'saml:Issuer': [ { _: 'onelogin_saml', '$': { 'xmlns:saml': 'urn:oasis:names:tc:SAML:2.0:assertion' } } ], 'saml:NameID': [ { _: 'bar', '$': { Format: 'foo' } } ], - 'saml2p:SessionIndex': - [ { _: 'session-id', + 'saml2p:SessionIndex': + [ { _: 'session-id', '$': { 'xmlns:saml2p': 'urn:oasis:names:tc:SAML:2.0:protocol' } } ] } }; var samlObj = new SAML( { entryPoint: "foo" } ); @@ -722,7 +722,7 @@ describe( 'passport-saml /', function() { }); it('accept response with an attributeStatement element without attributeValue', function(done) { - var container = { + var container = { SAMLResponse : fs.readFileSync( __dirname + '/static/response-with-uncomplete-attribute.xml' ).toString('base64') From 785ed3b05206ce88c06cc2961c7a1c45d3bf7689 Mon Sep 17 00:00:00 2001 From: Xavier Dumesnil <xavier@frontapp.com> Date: Thu, 18 Aug 2016 17:31:15 -0700 Subject: [PATCH 03/13] Updagrade to xml-encryption 0.9 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 20aa10efe..b24e98c2d 100644 --- a/package.json +++ b/package.json @@ -36,7 +36,7 @@ "xml-crypto": "0.8.x", "xmldom": "0.1.x", "xmlbuilder": "2.5.x", - "xml-encryption": "~0.7" + "xml-encryption": "~0.9" }, "devDependencies": { "body-parser": "1.9.x", From 25b6dd01c782461e0677b64d6dda67693bfc879c Mon Sep 17 00:00:00 2001 From: Xavier Dumesnil <xavier@frontapp.com> Date: Thu, 18 Aug 2016 17:33:48 -0700 Subject: [PATCH 04/13] Send EncryptedAssertion node when trying to decrypt the assertion --- lib/passport-saml/saml.js | 21 +++++++++------------ 1 file changed, 9 insertions(+), 12 deletions(-) diff --git a/lib/passport-saml/saml.js b/lib/passport-saml/saml.js index 2ef65955f..ced03089e 100644 --- a/lib/passport-saml/saml.js +++ b/lib/passport-saml/saml.js @@ -60,7 +60,7 @@ SAML.prototype.initialize = function (options) { options.cacheProvider = new InMemoryCacheProvider( {keyExpirationPeriodMs: options.requestIdExpirationPeriodMs }); } - + if (!options.logoutUrl) { // Default to Entry Point options.logoutUrl = options.entryPoint || ''; @@ -157,7 +157,7 @@ SAML.prototype.generateAuthorizeRequest = function (req, isPassive, callback) { '@IssueInstant': instant, '@ProtocolBinding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST', '@AssertionConsumerServiceURL': self.getCallbackUrl(req), - '@Destination': self.options.entryPoint, + '@Destination': self.options.entryPoint, 'saml:Issuer' : { '@xmlns:saml' : 'urn:oasis:names:tc:SAML:2.0:assertion', '#text': self.options.issuer @@ -371,7 +371,7 @@ SAML.prototype.getAuthorizeForm = function (req, callback) { .replace(/"/g, '"') .replace(/</g, '<') .replace(/>/g, '>') - // Add other replacements here for HTML only + // Add other replacements here for HTML only // Or for XML, only if the named entities are defined in its DTD. .replace(/\r\n/g, preserveCR) // Must be before the next replacement. .replace(/[\r\n]/g, preserveCR); @@ -552,21 +552,18 @@ SAML.prototype.validatePostResponse = function (container, callback) { if (!self.options.decryptionPvk) throw new Error('No decryption key for encrypted SAML response'); - var encryptedDatas = xpath( encryptedAssertions[0], "./*[local-name()='EncryptedData']"); - if (encryptedDatas.length != 1) - throw new Error('Invalid signature'); - var encryptedDataXml = encryptedDatas[0].toString(); + var encryptedAssertionXml = encryptedAssertions[0].toString(); var xmlencOptions = { key: self.options.decryptionPvk }; - return Q.ninvoke(xmlenc, 'decrypt', encryptedDataXml, xmlencOptions) + return Q.ninvoke(xmlenc, 'decrypt', encryptedAssertionXml, xmlencOptions) .then(function(decryptedXml) { var decryptedDoc = new xmldom.DOMParser().parseFromString(decryptedXml); var decryptedAssertions = xpath(decryptedDoc, "/*[local-name()='Assertion']"); if (decryptedAssertions.length != 1) throw new Error('Invalid EncryptedAssertion content'); - if (self.options.cert && - !validSignature && + if (self.options.cert && + !validSignature && !self.validateSignature(decryptedXml, decryptedAssertions[0], self.options.cert)) throw new Error('Invalid signature'); @@ -574,7 +571,7 @@ SAML.prototype.validatePostResponse = function (container, callback) { }); } - // If there's no assertion, fall back on xml2js response parsing for the status & + // If there's no assertion, fall back on xml2js response parsing for the status & // LogoutResponse code. var parserConfig = { @@ -708,7 +705,7 @@ SAML.prototype.processValidlySignedAssertion = function(xml, inResponseTo, callb } } } - + // Test to see that if we have a SubjectConfirmation InResponseTo that it matches // the 'InResponseTo' attribute set in the Response if (self.options.validateInResponseTo) { From c0eac66d3bc53bde8b8fe67f5f4e627a006bc930 Mon Sep 17 00:00:00 2001 From: Xavier Dumesnil <xavier@frontapp.com> Date: Thu, 18 Aug 2016 18:20:08 -0700 Subject: [PATCH 05/13] Add test for an encrypted Okta response --- test/tests.js | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/test/tests.js b/test/tests.js index a7f8dff89..723f3823b 100644 --- a/test/tests.js +++ b/test/tests.js @@ -29,6 +29,20 @@ describe( 'passport-saml /', function() { expectedNameIDStartsWith: 'ben', mockDate: '2014-05-27T23:29:35.426Z' }, + { name: 'Okta -- valid encrypted response should succeed', + samlResponse: { + SAMLResponse: '', + RelayState: '', + }, + config: { + entryPoint: 'https://frontapp.oktapreview.com/app/frontdev584714_front_1/exk7xdi6axPfombzx0h7/sso/saml', + cert: 'MIIDoDCCAoigAwIBAgIGAVaZ04POMA0GCSqGSIb3DQEBBQUAMIGQMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxETAPBgNVBAMMCGZyb250YXBwMRwwGgYJKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMB4XDTE2MDgxNzE4NDUzMVoXDTI2MDgxNzE4NDYzMVowgZAxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQKDARPa3RhMRQwEgYDVQQLDAtTU09Qcm92aWRlcjERMA8GA1UEAwwIZnJvbnRhcHAxHDAaBgkqhkiG9w0BCQEWDWluZm9Ab2t0YS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvplQONVwknRy1iBnaoZtsOz28A7XW2tRpFW+0La7RJexbziIwEy1bPZENhfwjPZA1oHHZqi5l315BxXKWJqmmNmbDCFDo+/FYFCoHXliiLm9vqDbR1br6ByqeY0GfxyTPKHZxb2FSes30TffDknpMQd/8kA9YWaW5xDlu2ivWJI+sfcOJOMd6t+gcfXj58a5fP8Mwm6Y220KeZSvrVpEV2KDp9hln7fhhoxHZ7K/BYbidqdwLzeUQXpb6LIrxtKdug2FofS+ONs6yLIQRmrbCB7SVX1QA8JInMn+fzrGtZmFiHR0aFbyhiO78v/ufDa6S+XpYyp2b6D4SnzeggnobAgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAJ2wcFVffFHSd9pj6RgoNHXZBsWp0HUZrNekiSbgomr4tSDefWtKb04nFIlRytfVs/k74wmbNiRCE8nDVBrBDFA/+Tv/3PowZXHjXKBofUuScTP4/Tw1N/ywf7V+XY5kV3VmLBL6ax+ULJauR/YGIIMsIc/rS2D04aAcScU9pqVh2ML7nTH7gFqYrxypavmVk6K94vLjs0ggF2TGp7tXCRjeOlPPJS+MOJHJhTBWYFWvBLclU3zcri3ws7GqJMpeiHa7rMoHV0onxWsZTZW57ybaIWKLt1goAooC7hq0rx7oNlOvrys5lllhBySYYC3ycqca/D0+GxXLcEr9QwP7TVw=', + decryptionPvk: fs.readFileSync(__dirname + '/static/testshib encryption pvk.pem') + }, + expectedStatusCode: 200, + expectedNameIDStartsWith: 'xavier', + mockDate: '2016-08-19T01:15:32.681Z' + }, { name: 'Onelogin -- invalid cert (from Okta case) should fail', samlResponse: { SAMLResponse: 'PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0\r\nYzpTQU1MOjIuMDphc3NlcnRpb24iIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6\r\nbmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIElEPSJSNjg5YjA3MzNiY2Nj\r\nYTIyYTEzN2UzNjU0ODMwMzEyMzMyOTQwYjFiZSIgVmVyc2lvbj0iMi4wIiBJ\r\nc3N1ZUluc3RhbnQ9IjIwMTQtMDUtMjhUMDA6MTY6MDhaIiBEZXN0aW5hdGlv\r\nbj0ie3JlY2lwaWVudH0iIEluUmVzcG9uc2VUbz0iX2E2ZmM0NmJlODRlMWUz\r\nY2YzYzUwIj48c2FtbDpJc3N1ZXI+aHR0cHM6Ly9hcHAub25lbG9naW4uY29t\r\nL3NhbWwvbWV0YWRhdGEvMzcxNzU1PC9zYW1sOklzc3Vlcj48c2FtbHA6U3Rh\r\ndHVzPjxzYW1scDpTdGF0dXNDb2RlIFZhbHVlPSJ1cm46b2FzaXM6bmFtZXM6\r\ndGM6U0FNTDoyLjA6c3RhdHVzOlN1Y2Nlc3MiLz48L3NhbWxwOlN0YXR1cz48\r\nc2FtbDpBc3NlcnRpb24geG1sbnM6eHM9Imh0dHA6Ly93d3cudzMub3JnLzIw\r\nMDEvWE1MU2NoZW1hIiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIw\r\nMDEvWE1MU2NoZW1hLWluc3RhbmNlIiBWZXJzaW9uPSIyLjAiIElEPSJwZngz\r\nYjYzYzdiZS1mZTg2LTYyZmQtOGNiNS0xNmFiNjI3M2VmYWEiIElzc3VlSW5z\r\ndGFudD0iMjAxNC0wNS0yOFQwMDoxNjowOFoiPjxzYW1sOklzc3Vlcj5odHRw\r\nczovL2FwcC5vbmVsb2dpbi5jb20vc2FtbC9tZXRhZGF0YS8zNzE3NTU8L3Nh\r\nbWw6SXNzdWVyPjxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Imh0dHA6Ly93d3cu\r\ndzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPjxkczpTaWduZWRJbmZvPjxkczpD\r\nYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53\r\nMy5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+PGRzOlNpZ25hdHVyZU1l\r\ndGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1s\r\nZHNpZyNyc2Etc2hhMSIvPjxkczpSZWZlcmVuY2UgVVJJPSIjcGZ4M2I2M2M3\r\nYmUtZmU4Ni02MmZkLThjYjUtMTZhYjYyNzNlZmFhIj48ZHM6VHJhbnNmb3Jt\r\ncz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcv\r\nMjAwMC8wOS94bWxkc2lnI2VudmVsb3BlZC1zaWduYXR1cmUiLz48ZHM6VHJh\r\nbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94\r\nbWwtZXhjLWMxNG4jIi8+PC9kczpUcmFuc2Zvcm1zPjxkczpEaWdlc3RNZXRo\r\nb2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRz\r\naWcjc2hhMSIvPjxkczpEaWdlc3RWYWx1ZT5EQ25QVFFZQmIxaEtzcGJlNmZn\r\nMVUzcTh4bjQ9PC9kczpEaWdlc3RWYWx1ZT48L2RzOlJlZmVyZW5jZT48L2Rz\r\nOlNpZ25lZEluZm8+PGRzOlNpZ25hdHVyZVZhbHVlPmUwK2FGb21BMCtKQVkw\r\nZjl0S3F6SXVxSVZTU3c3TGlGVXNuZUVES1BCV2RpVHoxc01kZ3IvMnkxZTkr\r\ncmphUzJtUm1DaS92U1FMWTN6VFl6MGhwNm5KTlUxOStUV29YbzlrSFF5V1Q0\r\nS2tlUUw0WHMvZ1ovQW9LQzIwaUhWS3RwUHBzMElRME1sL3FSb291U2l0dDZT\r\nZi9XRHoyTFYvcFdjSDJoeDV0djN4U3czNmhLMk5RYzdxdzdyMW1FWG52Y2pY\r\nUmVZbzhyclZmN1hIR0d4Tm9SSUVJQ1VJaTExMHV2c1dlbVNYZjBaMGR5YjBG\r\nVllPV3VTc1FNRGx6TnBoZUFEQmlmRk80VVRmU0VoRlp2bjhrVkNHWlVJd3Ji\r\nT2haMmQvK1lFdGd5dVRnK3F0c2xnZnk0ZHdkNFR2RWNmdVJ6UVRhemVlZnBy\r\nU0Z5aVFja0FYT2pjdz09PC9kczpTaWduYXR1cmVWYWx1ZT48ZHM6S2V5SW5m\r\nbz48ZHM6WDUwOURhdGE+PGRzOlg1MDlDZXJ0aWZpY2F0ZT5NSUlFRnpDQ0F2\r\nK2dBd0lCQWdJVUZKc1VqUE03QW1Xdk50RXZVTFNIbFRUTWlMUXdEUVlKS29a\r\nSWh2Y05BUUVGQlFBd1dERUxNQWtHQTFVRUJoTUNWVk14RVRBUEJnTlZCQW9N\r\nQ0ZOMVluTndZV05sTVJVd0V3WURWUVFMREF4UGJtVk1iMmRwYmlCSlpGQXhI\r\nekFkQmdOVkJBTU1Gazl1WlV4dloybHVJRUZqWTI5MWJuUWdOREl6TkRrd0ho\r\nY05NVFF3TlRFek1UZ3dOakV5V2hjTk1Ua3dOVEUwTVRnd05qRXlXakJZTVFz\r\nd0NRWURWUVFHRXdKVlV6RVJNQThHQTFVRUNnd0lVM1ZpYzNCaFkyVXhGVEFU\r\nQmdOVkJBc01ERTl1WlV4dloybHVJRWxrVURFZk1CMEdBMVVFQXd3V1QyNWxU\r\nRzluYVc0Z1FXTmpiM1Z1ZENBME1qTTBPVENDQVNJd0RRWUpLb1pJaHZjTkFR\r\nRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFLckF6SmRZOUZ6Rkx0NWJsQXJKZlB6\r\nZ2k4N0VuRkdsVGZjVjVUMVRVRHdMQmxEa1kvMFpHS25NT3BmM0Q3aWUyQzRw\r\nUEZPSW1Pb2djTTVrcERETDdxeFRYWjFld1hWeWpCZE11MjlORzJDNk56V2VR\r\nVFVNVWppMDFFY0hrQzhvK1B0czhBTmlOT1ljanhFZXloRXl6SktnRWl6YmxZ\r\nek1NS3pkck9FVDZRdXFXbzNDODNLKzUrNWRzakRuMW9vS0dSd2ozSHZnc1lj\r\nRnJRbDlOb2pnUUZqb29id3NpRS83QStPSmhMcEJjeS9uU1Znbm9KYU1mck8r\r\nSnNudWtaUHp0Ym50THZPbDU2K1ZyYTBOOG41TkFZaGFTYXlQaXYvYXloalZn\r\namZYZDF0ak1WVE9pRGtuVU93aXpadUoxWTNRSDk0dlV0QmdwMFdCcEJTcy94\r\nTXlUczhDQXdFQUFhT0IyRENCMVRBTUJnTlZIUk1CQWY4RUFqQUFNQjBHQTFV\r\nZERnUVdCQlJRTzRXcE01Zld3eGliNDlXVHVKa2ZZRGJ4T0RDQmxRWURWUjBq\r\nQklHTk1JR0tnQlJRTzRXcE01Zld3eGliNDlXVHVKa2ZZRGJ4T0tGY3BGb3dX\r\nREVMTUFrR0ExVUVCaE1DVlZNeEVUQVBCZ05WQkFvTUNGTjFZbk53WVdObE1S\r\nVXdFd1lEVlFRTERBeFBibVZNYjJkcGJpQkpaRkF4SHpBZEJnTlZCQU1NRms5\r\ndVpVeHZaMmx1SUVGalkyOTFiblFnTkRJek5EbUNGQlNiRkl6ek93SmxyemJS\r\nTDFDMGg1VTB6SWkwTUE0R0ExVWREd0VCL3dRRUF3SUhnREFOQmdrcWhraUc5\r\ndzBCQVFVRkFBT0NBUUVBQ2REQUFvYVpGQ0VZNXBtZndiS3VLclh0TzVpRThs\r\nV3RpQ1BqQ1pFVXVUNmJYUk5jcXJkbnVWL0VBZlg5V1FvWGphbFBpMGVNNzh6\r\nS21idlJHU1RVSHdXdzQ5UkhqRmZlSlVLdkhOZU5uRmdUWERqRVBOaE12aDY5\r\na0htNDUzbEZSbUIra2s2eWp0WFJaYVFFd1M4VXVvMk90K2tyZ05ibDZvVEJa\r\nSjBBSEgxTXRaRUNEbG9tczFLbTd6c0s4d0FpNWk4VFZJS2tWcjViMlZsaHJM\r\nZ0ZNdnpaNVZpQXhJTUdCNnc0N3lZNFFHUUIvNVE4eWE5aEJzOXZrbit3dWJB\r\nK3lyNGoxNEpYWjdibFZLRFNUWXZhNjVFYStQcUh5cnArV25tbmJ3Mk9iUzdp\r\nV2V4aVR5MWpEM0cwUjJhdkRCRmpNOEZqNURiZnVmc0UxYjBVMTBSVHRnPT08\r\nL2RzOlg1MDlDZXJ0aWZpY2F0ZT48L2RzOlg1MDlEYXRhPjwvZHM6S2V5SW5m\r\nbz48L2RzOlNpZ25hdHVyZT48c2FtbDpTdWJqZWN0PjxzYW1sOk5hbWVJRCBG\r\nb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpuYW1laWQtZm9y\r\nbWF0OnRyYW5zaWVudCI+cGxvZXJAc3Vic3BhY2Vzdy5jb208L3NhbWw6TmFt\r\nZUlEPjxzYW1sOlN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2Fz\r\naXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVhcmVyIj48c2FtbDpTdWJqZWN0\r\nQ29uZmlybWF0aW9uRGF0YSBOb3RPbk9yQWZ0ZXI9IjIwMTQtMDUtMjhUMDA6\r\nMTk6MDhaIiBSZWNpcGllbnQ9IntyZWNpcGllbnR9IiBJblJlc3BvbnNlVG89\r\nIl9hNmZjNDZiZTg0ZTFlM2NmM2M1MCIvPjwvc2FtbDpTdWJqZWN0Q29uZmly\r\nbWF0aW9uPjwvc2FtbDpTdWJqZWN0PjxzYW1sOkNvbmRpdGlvbnMgTm90QmVm\r\nb3JlPSIyMDE0LTA1LTI4VDAwOjEzOjA4WiIgTm90T25PckFmdGVyPSIyMDE0\r\nLTA1LTI4VDAwOjE5OjA4WiI+PHNhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj48\r\nc2FtbDpBdWRpZW5jZT57YXVkaWVuY2V9PC9zYW1sOkF1ZGllbmNlPjwvc2Ft\r\nbDpBdWRpZW5jZVJlc3RyaWN0aW9uPjwvc2FtbDpDb25kaXRpb25zPjxzYW1s\r\nOkF1dGhuU3RhdGVtZW50IEF1dGhuSW5zdGFudD0iMjAxNC0wNS0yOFQwMDox\r\nNjowN1oiIFNlc3Npb25Ob3RPbk9yQWZ0ZXI9IjIwMTQtMDUtMjlUMDA6MTY6\r\nMDhaIiBTZXNzaW9uSW5kZXg9Il8zMGE0YWY1MC1jODJiLTAxMzEtZjhiNS03\r\nODJiY2I1NmZjYWEiPjxzYW1sOkF1dGhuQ29udGV4dD48c2FtbDpBdXRobkNv\r\nbnRleHRDbGFzc1JlZj51cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YWM6\r\nY2xhc3NlczpQYXNzd29yZFByb3RlY3RlZFRyYW5zcG9ydDwvc2FtbDpBdXRo\r\nbkNvbnRleHRDbGFzc1JlZj48L3NhbWw6QXV0aG5Db250ZXh0Pjwvc2FtbDpB\r\ndXRoblN0YXRlbWVudD48L3NhbWw6QXNzZXJ0aW9uPjwvc2FtbHA6UmVzcG9u\r\nc2U+Cgo=\r\n' From 6501c235cf9821c33750ca12caf5e1557154039e Mon Sep 17 00:00:00 2001 From: Xavier Dumesnil <xavier@frontapp.com> Date: Thu, 18 Aug 2016 18:28:17 -0700 Subject: [PATCH 06/13] Fix tests on Node.js:stable --- test/samlTests.js | 2 +- test/tests.js | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/test/samlTests.js b/test/samlTests.js index 9a6ae158c..98e01b136 100644 --- a/test/samlTests.js +++ b/test/samlTests.js @@ -45,7 +45,7 @@ describe('SAML.js', function() { // NOTE: This test only tests existence of the assertion, not the correctness it('calls callback with saml request object', function(done) { saml.getAuthorizeUrl(req, function(err, target) { - url.parse(target, true).query.should.have.property('SAMLRequest'); + should(url.parse(target, true).query).have.property('SAMLRequest'); done(); }); }); diff --git a/test/tests.js b/test/tests.js index 723f3823b..9ee27aa94 100644 --- a/test/tests.js +++ b/test/tests.js @@ -179,7 +179,7 @@ describe( 'passport-saml /', function() { should.exist(passedRequest); passedRequest.url.should.eql('/login'); passedRequest.method.should.eql('POST'); - passedRequest.body.should.match(check.samlResponse); + should(passedRequest.body).match(check.samlResponse); } else { should.not.exist(passedRequest); } From 411e4f7fe3b3bc14dd39d1ba6ad72d51c34b5fb5 Mon Sep 17 00:00:00 2001 From: Keith Bartholomew <keith.bartholomew@rackspace.com> Date: Sun, 16 Oct 2016 21:41:30 -0500 Subject: [PATCH 07/13] Add the ability to sign with SHA-512 --- lib/passport-saml/saml.js | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/lib/passport-saml/saml.js b/lib/passport-saml/saml.js index 2ef65955f..e76e7dffb 100644 --- a/lib/passport-saml/saml.js +++ b/lib/passport-saml/saml.js @@ -66,7 +66,7 @@ SAML.prototype.initialize = function (options) { options.logoutUrl = options.entryPoint || ''; } - // sha1 or sha256 + // sha1, sha256, or sha512 if (!options.signatureAlgorithm) { options.signatureAlgorithm = 'sha1'; } @@ -114,6 +114,10 @@ SAML.prototype.signRequest = function (samlMessage) { samlMessage.SigAlg = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'; signer = crypto.createSign('RSA-SHA256'); break; + case 'sha512': + samlMessage.SigAlg = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512'; + signer = crypto.createSign('RSA-SHA512'); + break; default: samlMessage.SigAlg = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'; signer = crypto.createSign('RSA-SHA1'); From 01611572d1b71300a66034ea603d739c8b26b95b Mon Sep 17 00:00:00 2001 From: Mark Stosberg <mark@rideamigos.com> Date: Wed, 14 Sep 2016 11:09:22 -0400 Subject: [PATCH 08/13] Fixes #170: Clarify that the certificate are looking for is: 1. public, not private 2. a signing certificate and not an encryption certificate --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 491ad68e3..a933f1270 100644 --- a/README.md +++ b/README.md @@ -117,7 +117,7 @@ Authentication requests sent by Passport-SAML can be signed using RSA-SHA1. To s privateCert: fs.readFileSync('./cert.pem', 'utf-8') ``` -It is a good idea to validate the incoming SAML Responses. For this, you can provide the Identity Provider's certificate using the `cert` confguration key: +It is a good idea to validate the incoming SAML Responses. For this, you can provide the Identity Provider's public signing certificate using the `cert` configuration key: ```javascript cert: 'MIICizCCAfQCCQCY8tKaMc0BMjANBgkqh ... W==' From 62604435febd0aa1d26ae0652e545c721e8ca11d Mon Sep 17 00:00:00 2001 From: Xavier Dumesnil <xavier@frontapp.com> Date: Fri, 17 Mar 2017 14:51:19 -0700 Subject: [PATCH 09/13] Use latest version of xml-encryption --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index b24e98c2d..9be00ee5c 100644 --- a/package.json +++ b/package.json @@ -36,7 +36,7 @@ "xml-crypto": "0.8.x", "xmldom": "0.1.x", "xmlbuilder": "2.5.x", - "xml-encryption": "~0.9" + "xml-encryption": "~0.10" }, "devDependencies": { "body-parser": "1.9.x", From 010874d587f48688038fbb273fcb672b03426979 Mon Sep 17 00:00:00 2001 From: Akseli Nurmio <akseli@nurmio.fi> Date: Tue, 21 Mar 2017 22:16:33 +0200 Subject: [PATCH 10/13] Remove unused ejs package from devDeps --- package.json | 1 - 1 file changed, 1 deletion(-) diff --git a/package.json b/package.json index 20aa10efe..8c90d76a3 100644 --- a/package.json +++ b/package.json @@ -40,7 +40,6 @@ }, "devDependencies": { "body-parser": "1.9.x", - "ejs": "1.0.x", "express": "4.x", "jshint": "*", "mocha": "*", From 9d7f676e590bd3d81af2518c89838610cd9c2672 Mon Sep 17 00:00:00 2001 From: Paul Spicer <pdspicer@gmail.com> Date: Fri, 31 Mar 2017 00:58:29 -0400 Subject: [PATCH 11/13] Updated README to include sha512 as a listed option --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index a933f1270..7ecee328a 100644 --- a/README.md +++ b/README.md @@ -51,7 +51,7 @@ Config parameter details: * `cert`: see 'security and signatures' * `privateCert`: see 'security and signatures' * `decryptionPvk`: optional private key that will be used to attempt to decrypt any encrypted assertions that are received - * `signatureAlgorithm`: optionally set the signature algorithm for signing requests, valid values are 'sha1' (default) or 'sha256' + * `signatureAlgorithm`: optionally set the signature algorithm for signing requests, valid values are 'sha1' (default), 'sha256', or 'sha512' * Additional SAML behaviors * `additionalParams`: dictionary of additional query params to add to all requests * `additionalAuthorizeParams`: dictionary of additional query params to add to 'authorize' requests From 6d1215bf96e9e352c25e92d282cba513ed8e876c Mon Sep 17 00:00:00 2001 From: Paul Spicer <pdspicer@gmail.com> Date: Fri, 31 Mar 2017 20:09:50 -0400 Subject: [PATCH 12/13] Update deps to latest --- lib/passport-saml/saml.js | 10 +++++----- package.json | 16 ++++++++-------- 2 files changed, 13 insertions(+), 13 deletions(-) diff --git a/lib/passport-saml/saml.js b/lib/passport-saml/saml.js index 9e7e5d4f7..42d4c208b 100644 --- a/lib/passport-saml/saml.js +++ b/lib/passport-saml/saml.js @@ -917,13 +917,13 @@ SAML.prototype.generateServiceProviderMetadata = function( decryptionCert ) { } } }, - '#list' : [ + 'EncryptionMethod' : [ // this should be the set that the xmlenc library supports - { 'EncryptionMethod': { '@Algorithm': 'http://www.w3.org/2001/04/xmlenc#aes256-cbc' } }, - { 'EncryptionMethod': { '@Algorithm': 'http://www.w3.org/2001/04/xmlenc#aes128-cbc' } }, - { 'EncryptionMethod': { '@Algorithm': 'http://www.w3.org/2001/04/xmlenc#tripledes-cbc' } }, + { '@Algorithm': 'http://www.w3.org/2001/04/xmlenc#aes256-cbc' }, + { '@Algorithm': 'http://www.w3.org/2001/04/xmlenc#aes128-cbc' }, + { '@Algorithm': 'http://www.w3.org/2001/04/xmlenc#tripledes-cbc' } ] - }; + } } if (this.options.logoutCallbackUrl) { diff --git a/package.json b/package.json index 1d7ef0517..b10bb23bc 100644 --- a/package.json +++ b/package.json @@ -31,22 +31,22 @@ "main": "./lib/passport-saml", "dependencies": { "passport-strategy": "*", - "q": "1.1.x", + "q": "^1.5.0", + "xml-crypto": "^0.9.0", + "xml-encryption": "~0.10", "xml2js": "0.4.x", - "xml-crypto": "0.8.x", - "xmldom": "0.1.x", - "xmlbuilder": "2.5.x", - "xml-encryption": "~0.10" + "xmlbuilder": "^8.2.2", + "xmldom": "0.1.x" }, "devDependencies": { - "body-parser": "1.9.x", + "body-parser": "^1.17.1", "express": "4.x", "jshint": "*", "mocha": "*", + "passport": "0.3.x", "request": "*", "should": "*", - "sinon": "^1.10.2", - "passport": "0.3.x" + "sinon": "^2.1.0" }, "engines": { "node": ">= 0.8.0" From 4d97ffcb7918526cfc6101207fe04d14a0abd23e Mon Sep 17 00:00:00 2001 From: Mark Stosberg <mark@rideamigos.com> Date: Thu, 5 Oct 2017 17:02:14 -0400 Subject: [PATCH 13/13] README: link to related sections and clarify decryptionCert docs Before it wasn't clear whether `decryptionCert` referred to `decryptionPvk` or the public cert it is paired with. Adding the word "public" clarifies that. --- README.md | 6 +++--- package.json | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 7ecee328a..33983dce8 100644 --- a/README.md +++ b/README.md @@ -48,8 +48,8 @@ Config parameter details: * `host`: host for callback; will be combined with path and protocol to construct callback url if `callbackUrl` is not specified (default: `localhost`) * `entryPoint`: identity provider entrypoint * `issuer`: issuer string to supply to identity provider - * `cert`: see 'security and signatures' - * `privateCert`: see 'security and signatures' + * `cert`: see [Security and signatures](#security-and-signatures) + * `privateCert`: see [Security and signatures](#security-and-signatures) * `decryptionPvk`: optional private key that will be used to attempt to decrypt any encrypted assertions that are received * `signatureAlgorithm`: optionally set the signature algorithm for signing requests, valid values are 'sha1' (default), 'sha256', or 'sha512' * Additional SAML behaviors @@ -104,7 +104,7 @@ app.get('/login', As a convenience, the strategy object exposes a `generateServiceProviderMetadata` method which will generate a service provider metadata document suitable for supplying to an identity provider. This method will only work on strategies which are configured with a `callbackUrl` (since the relative path for the callback is not sufficient information to generate a complete metadata document). -The `decryptionCert` argument should be a certificate matching the `decryptionPvk` and is required if the strategy is configured with a `decryptionPvk`. +The `decryptionCert` argument should be a public certificate matching the `decryptionPvk` and is required if the strategy is configured with a `decryptionPvk`. ## Security and signatures diff --git a/package.json b/package.json index b10bb23bc..fd42c1d52 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "passport-saml", - "version": "0.15.0", + "version": "0.16.1", "licenses": [ { "type": "MIT",