From 8be9dba839b5dd926ccaf7270c3210d2442570e2 Mon Sep 17 00:00:00 2001
From: Tomas Micko
Date: Wed, 3 Jul 2024 07:30:14 +0200
Subject: [PATCH 1/3] IS-9286 Send 'token-handler-version' header with every request

---
 src/oauth-agent-client.ts | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/oauth-agent-client.ts b/src/oauth-agent-client.ts
index 906ed6b..f39d27c 100644
--- a/src/oauth-agent-client.ts
+++ b/src/oauth-agent-client.ts
@@ -171,7 +171,8 @@ export class OAuthAgentClient {
 
 private async fetch(method: string, path: string, content?: URLSearchParams): Promise {
 const headers= {
- accept: 'application/json'
+ accept: 'application/json',
+ 'token-handler-version': '1'
 } as Record
 
 if (path == 'login/start' || path == 'login/end') {

From 8bab0bd77d94e2e7383793790e3d1815c27882fd Mon Sep 17 00:00:00 2001
From: Tomas Micko
Date: Wed, 3 Jul 2024 07:32:03 +0200
Subject: [PATCH 2/3] Prepare 1.1.0-rc.3

---
 CHANGELOG.md | 4 ++++
 package-lock.json | 4 ++--
 package.json | 2 +-
 3 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 57acb26..2bc6949 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Token Handler Assistant Changelog
 
+## [1.1.0-rc.3] - 2024-07-03
+
+- Send `token-handler-version` header in all requests
+
 ## [1.1.0-rc.2] - 2024-06-24
 
 - Add forgotten `RefreshResponse` to exports.
diff --git a/package-lock.json b/package-lock.json
index 492e7c8..da500e2 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
 "name": "@curity/token-handler-js-assistant",
- "version": "1.1.0-rc.2",
+ "version": "1.1.0-rc.3",
 "lockfileVersion": 3,
 "requires": true,
 "packages": {
 "": {
 "name": "@curity/token-handler-js-assistant",
- "version": "1.1.0-rc.2",
+ "version": "1.1.0-rc.3",
 "license": "Apache-2.0",
 "devDependencies": {
 "@types/jest": "^29.5.12",
diff --git a/package.json b/package.json
index e8cef16..c05c683 100644
--- a/package.json
+++ b/package.json
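Review bot: The new `'token-handler-version': '1'` entry is a bare literal inside fetch() with nothing saying what the value means or why it is sent, while the README change in patch 3/3 of this series explains that the custom header exists so that cross-origin requests to the OAuth Agent always go through a CORS pre-flight (the existing `accept: application/json` header is CORS-safelisted and would not trigger one on its own). Hoist it to a documented module-level constant, `/** Protocol version sent on every request; a non-safelisted header forces a CORS pre-flight in cross-origin deployments. */ const TOKEN_HANDLER_VERSION = '1';`, and write `'token-handler-version': TOKEN_HANDLER_VERSION,` in the literal, so the value presumably validated by the OAuth Agent lives in one named place. The `as Record` assertion on the closing brace (its type arguments are not visible in this rendering) would be better written as a declared type, e.g. `const headers: Record<string, string> = {`, so the compiler checks the literal rather than the assertion silencing it. fetch()'s body continues past the end of the hunk.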
@@ -1,6 +1,6 @@
 {
 "name": "@curity/token-handler-js-assistant",
- "version": "1.1.0-rc.2",
+ "version": "1.1.0-rc.3",
 "description": "Curity Token Handler JavaScript helper library",
 "main": "lib/token-handler-assistant-lib.js",
 "types": "lib/index.d.ts",

From 17559fbc263a00b2a6349dee45c907a9c37ce6e1 Mon Sep 17 00:00:00 2001
From: Tomas Micko
Date: Wed, 3 Jul 2024 13:32:54 +0200
Subject: [PATCH 3/3] Update README

---
 README.md | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 373b067..2c09c53 100644
--- a/README.md
+++ b/README.md
@@ -91,4 +91,12 @@ on every load of the SPA. This function makes a decision based the query string
 );
 }
 ```
- Note: This is just a simplified example. The timeout has to be cleared properly (before every refresh, or before logout).
\ No newline at end of file
+ Note: This is just a simplified example. The timeout has to be cleared properly (before every refresh, or before logout).
+
+## Cookie Security
+
+- `SameSite=Strict` cookies are sent to APIs, which cannot be sent from malicious sites
+- to ensure that only precise whitelisted origins can send cookies to APIs, a `token-handler-version: 1` header is
+ sent by this library on every request to the OAuth Agent. In cross-origin deployments this ensures that a CORS pre-flight
+ request authorizes access. SPA developers may be required to send this header to token handler proxies as well (refer
+ to the token handler proxy documentation for details).
\ No newline at end of file