Merge remote-tracking branch 'upstream/v8.x' into yanndanthu/update-t…

…o-v8.4.6

.eslintrc

@@ -1,10 +1,36 @@
 {
   "extends": "airbnb-base",
-  "parser": "babel-eslint",
   "rules": {
     "no-empty": ["error", { "allowEmptyCatch": true }],
-    "no-underscore-dangle": ["error", { "allow": ["_claim_names", "_claim_sources", "_matchedRouteName"] }],
+    "no-underscore-dangle": ["error", { "allow": ["_claim_names", "_claim_sources", "_matchedRouteName", "__dirname"] }],
     "import/order": ["error", { "groups": ["builtin", "external", "internal", "parent", "sibling", "index"], "newlines-between": "always" }],
-    "symbol-description": ["off"]
+    "symbol-description": ["off"],
+    "import/extensions": ["error", "ignorePackages"],
+    "no-restricted-syntax": [
+      "error",
+      {
+        "selector": "LabeledStatement",
+        "message": "Labels are a form of GOTO; using them makes code confusing and hard to maintain and understand."
+      },
+      {
+        "selector": "WithStatement",
+        "message": "`with` is disallowed in strict mode because it makes code impossible to predict and optimize."
+      }
+    ],
+    "max-len": [
+      "error",
+      100,
+      2,
+      {
+        "ignoreUrls": true,
+        "ignoreComments": true,
+        "ignoreRegExpLiterals": true,
+        "ignoreStrings": true,
+        "ignoreTemplateLiterals": true
+      }
+    ]
+  },
+  "parserOptions": {
+    "ecmaVersion": "latest"
   }
 }

.github/ISSUE_TEMPLATE/bug-report.yml

@@ -40,7 +40,7 @@ body:
           required: true
         - label: I have searched the issues tracker and discussions for similar topics and couldn't find anything related.
           required: true
-        - label: I have searched the [FAQ](https://github.com/panva/node-oidc-provider/blob/v7.x/docs/README.md#faq) and couldn't find anything related.
+        - label: I have searched the [FAQ](https://github.com/panva/node-oidc-provider/blob/v8.x/docs/README.md#faq) and couldn't find anything related.
           required: true
         - label: I agree to follow this project's [Code of Conduct](https://github.com/panva/node-oidc-provider/blob/main/CODE_OF_CONDUCT.md)
           required: true

.github/dependabot.yml

@@ -0,0 +1,12 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      # Check for updates to GitHub Actions every week
+      interval: "weekly"

.github/workflows/codeql.yml

@@ -22,6 +22,7 @@ on:
 
 jobs:
   analyze:
+    if: ${{ github.repository == 'panva/node-oidc-provider' }}
     name: Analyze
     runs-on: ubuntu-latest
     permissions:
@@ -38,11 +39,11 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@v3
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -56,7 +57,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
+      uses: github/codeql-action/autobuild@v3
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -69,6 +70,6 @@ jobs:
     #   ./location_of_script_within_repo/buildscript.sh
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@v3
       with:
         category: "/language:${{matrix.language}}"

.github/workflows/conformance.yml

@@ -0,0 +1,177 @@
+name: Conformance Checks
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: '55 11 * * 1'
+  workflow_dispatch:
+
+jobs:
+  build:
+    if: ${{ github.repository == 'panva/node-oidc-provider' || github.event_name == 'workflow_dispatch' }}
+    uses: panva/.github/.github/workflows/build-conformance-suite.yml@main
+
+  run:
+    runs-on: ubuntu-latest
+    needs:
+      - build
+    env:
+      SUITE_BASE_URL: https://localhost.emobix.co.uk:8443
+      SETUP: ${{ toJSON(matrix.setup) }}
+    continue-on-error: ${{ startsWith(matrix.setup.plan, 'fapi2') }}
+    strategy:
+      fail-fast: false
+      matrix:
+        setup:
+          # OP Basic
+          - plan: oidcc-basic-certification-test-plan
+
+          # OP Hybrid
+          - plan: oidcc-hybrid-certification-test-plan
+
+          # OP Implicit
+          - plan: oidcc-implicit-certification-test-plan
+
+          # OP Dynamic
+          - plan: oidcc-dynamic-certification-test-plan
+            response_type: code
+          - plan: oidcc-dynamic-certification-test-plan
+            response_type: id_token
+          - plan: oidcc-dynamic-certification-test-plan
+            response_type: id_token token
+          - plan: oidcc-dynamic-certification-test-plan
+            response_type: code id_token
+          - plan: oidcc-dynamic-certification-test-plan
+            response_type: code token
+          - plan: oidcc-dynamic-certification-test-plan
+            response_type: code id_token token
+
+          # RP-Initiated OP
+          - plan: oidcc-rp-initiated-logout-certification-test-plan
+
+          # Back-Channel OP
+          - plan: oidcc-backchannel-rp-initiated-logout-certification-test-plan
+
+          # FAPI 1.0 Advanced (Final)
+          - plan: fapi1-advanced-final-test-plan
+            fapi_auth_request_method: by_value
+            client_auth_type: private_key_jwt
+            fapi_response_mode: plain_response
+          - plan: fapi1-advanced-final-test-plan
+            fapi_auth_request_method: pushed
+            client_auth_type: private_key_jwt
+            fapi_response_mode: plain_response
+          - plan: fapi1-advanced-final-test-plan
+            fapi_auth_request_method: by_value
+            client_auth_type: private_key_jwt
+            fapi_response_mode: jarm
+          - plan: fapi1-advanced-final-test-plan
+            fapi_auth_request_method: pushed
+            client_auth_type: private_key_jwt
+            fapi_response_mode: jarm
+          - plan: fapi1-advanced-final-test-plan
+            fapi_auth_request_method: by_value
+            client_auth_type: mtls
+            fapi_response_mode: plain_response
+          - plan: fapi1-advanced-final-test-plan
+            fapi_auth_request_method: pushed
+            client_auth_type: mtls
+            fapi_response_mode: plain_response
+          - plan: fapi1-advanced-final-test-plan
+            fapi_auth_request_method: by_value
+            client_auth_type: mtls
+            fapi_response_mode: jarm
+          - plan: fapi1-advanced-final-test-plan
+            fapi_auth_request_method: pushed
+            client_auth_type: mtls
+            fapi_response_mode: jarm
+
+          # FAPI RW-CIBA-ID1
+          - plan: fapi-ciba-id1-test-plan
+            client_auth_type: private_key_jwt
+            ciba_mode: poll
+          - plan: fapi-ciba-id1-test-plan
+            client_auth_type: private_key_jwt
+            ciba_mode: ping
+          - plan: fapi-ciba-id1-test-plan
+            client_auth_type: mtls
+            ciba_mode: poll
+          - plan: fapi-ciba-id1-test-plan
+            client_auth_type: mtls
+            ciba_mode: ping
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Setup node
+        uses: actions/setup-node@v4
+        with:
+          node-version: lts/iron # 20
+          cache: 'npm'
+      - run: npm clean-install
+      - name: Run oidc-provider (OIDC)
+        run: |
+          set -o pipefail
+          node certification/oidc/docker |& tee server.log &
+        if: ${{ startsWith(matrix.setup.plan, 'oidcc') }}
+        env:
+          PORT: 3000
+          DEBUG: oidc-provider:*
+          ISSUER: https://172.17.0.1:3000
+          NODE_TLS_REJECT_UNAUTHORIZED: 0
+      - name: Run oidc-provider (FAPI)
+        run: |
+          set -o pipefail
+          node certification/fapi |& tee server.log &
+        if: ${{ startsWith(matrix.setup.plan, 'fapi') }}
+        env:
+          ISSUER: https://172.17.0.1:3000
+          PORT: 3000
+          DEBUG: oidc-provider:*
+          NODE_OPTIONS: --tls-cipher-list="DHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384"
+          NODE_TLS_REJECT_UNAUTHORIZED: 0
+      - name: Set Conformance Suite Version
+        run: |
+          export VERSION=($(curl --silent "https://gitlab.com/api/v4/projects/4175605/releases" | jq -r '.[0].tag_name'))
+          echo "VERSION=$VERSION" >> $GITHUB_ENV
+      - name: Load Cached Conformance Suite Build
+        uses: actions/cache@v4
+        id: cache
+        with:
+          path: ./conformance-suite
+          key: ${{ needs.build.outputs.cache-key }}
+          fail-on-cache-miss: true
+      - name: Run Conformance Suite
+        working-directory: ./conformance-suite
+        run: |
+          docker-compose -f docker-compose-dev.yml up -d
+          while ! curl -skfail https://localhost.emobix.co.uk:8443/api/runner/available >/dev/null; do sleep 2; done
+      - name: Adjust configuration files for CI
+        run: |
+          sed -i -e 's/op.panva.cz/172.17.0.1:3000/g' certification/oidc/plan.json
+          sed -i -e 's/mtls.fapi.panva.cz/172.17.0.1:3000/g' certification/fapi/plan.json
+          sed -i -e 's/fapi.panva.cz/172.17.0.1:3000/g' certification/fapi/plan.json
+      - name: Run the plan
+        run: npx mocha --timeout 0 --retries 1 certification/runner
+        env:
+          NODE_TLS_REJECT_UNAUTHORIZED: 0
+      - name: Add server log to artifact
+        if: ${{ failure() }}
+        run: |
+          zip -ur ${{ env.EXPORT_FILE }} server.log
+      - name: Upload test artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          path: export-*.zip
+          name: certification html results idx(${{ strategy.job-index }})
+          if-no-files-found: ignore
+        if: ${{ always() }}
+      - name: Stop Conformance Suite
+        working-directory: ./conformance-suite
+        run: |
+          killall -SIGINT node
+          docker-compose -f docker-compose-dev.yml down
+          sudo rm -rf mongo

.github/workflows/lock.yml

@@ -6,13 +6,15 @@ on:
 
 jobs:
   lock:
+    if: ${{ github.repository == 'panva/node-oidc-provider' }}
     continue-on-error: true
     runs-on: ubuntu-latest
     steps:
-      - uses: dessant/lock-threads@e460dfeb36e731f3aeb214be6b0c9a9d9a67eda6
+      - uses: dessant/lock-threads@1bf7ec25051fe7c00bdd17e6a7cf3d7bfb7dc771 # v5.0.1
         with:
           github-token: ${{ github.token }}
           issue-inactive-days: '90'
           issue-lock-reason: ''
           pr-inactive-days: '90'
           pr-lock-reason: ''
+          discussion-inactive-days: "90"

.github/workflows/release.yml

@@ -0,0 +1,58 @@
+name: Release
+
+on:
+  push:
+    tags: ['v[0-9]+.[0-9]+.[0-9]+']
+
+jobs:
+  npm:
+    if: ${{ github.repository == 'panva/node-oidc-provider' }}
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Setup node
+        uses: actions/setup-node@v4
+        with:
+          node-version: lts/iron # 20
+          registry-url: https://registry.npmjs.org
+          always-auth: true
+      - run: npm publish --provenance
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+
+  cleanup:
+    needs:
+      - npm
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - run: git push origin $GITHUB_SHA:v8.x
+      - run: git push origin HEAD:main
+
+  github:
+    needs:
+      - npm
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 2
+      - name: Setup node
+        uses: actions/setup-node@v4
+        with:
+          node-version: lts/iron # 20
+          cache: 'npm'
+      - run: node .release-notes.cjs
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/retry.yml

@@ -0,0 +1,17 @@
+name: Retry
+
+on:
+  workflow_run:
+    workflows:
+      - Conformance Checks
+    types:
+      - completed
+
+jobs:
+  retry:
+    runs-on: ubuntu-latest
+    if: ${{ github.event.workflow_run.conclusion == 'failure' && github.event.workflow_run.run_attempt == 1 }}
+    steps:
+      - run: gh api -XPOST ${{ github.event.workflow_run.rerun_url }}-failed-jobs
+        env:
+          GH_TOKEN: ${{ github.token }}