2026 04 08 remove lodash

api/source/package.json

@@ -29,7 +29,6 @@
     "jsonwebtoken": "^9.0.2",
     "jszip": "^3.10.1",
     "jwks-rsa": "^3.1.0",
-    "lodash": "^4.17.23",
     "multer": "^2.1.1",
     "mysql2": "^3.11.2",
     "net-keepalive": "^4.0.17",

api/source/service/MetricsService.js

@@ -1,4 +1,3 @@
-const { rest } = require('lodash')
 const dbUtils = require('./utils')
 
 function genLabelPredicates ({labelNames, labelIds, labelMatch, collectionLabelTableAlias = 'cl'}) {

api/source/utils/auth.js

@@ -2,7 +2,6 @@ const config = require('./config')
 const logger = require('./logger')
 const jwt = require('jsonwebtoken')
 const retry = require('async-retry')
-const _ = require('lodash')
 const UserService = require(`../service/UserService`)
 const SmError = require('./error')
 const state = require('./state')
@@ -170,17 +169,14 @@ const validateOauthSecurity = function (req, requiredScopes) {
     const grantedScopes = typeof tokenPayload[config.oauth.claims.scope] === 'string' ? 
         tokenPayload[config.oauth.claims.scope].split(' ') : 
         tokenPayload[config.oauth.claims.scope]
-    const commonScopes = _.intersectionWith(grantedScopes, requiredScopes, function(gs, rs) {
-        if (gs === rs) return gs
-        let gsTokens = gs.split(":").filter(i => i.length)
-        let rsTokens = rs.split(":").filter(i => i.length)
-        if (gsTokens.length === 0) {
-            return false
-        }
-        else {
-            return gsTokens.every((t, i) => rsTokens[i] === t)
-        }
-    })
+    const commonScopes = grantedScopes.filter(gs =>
+        requiredScopes.some(rs => {
+            if (gs === rs) return true
+            const gsTokens = gs.split(':').filter(i => i.length)
+            const rsTokens = rs.split(':').filter(i => i.length)
+            return gsTokens.length > 0 && gsTokens.every((t, i) => rsTokens[i] === t)
+        })
+    )
     if (commonScopes.length == 0) {
         throw new SmError.OutOfScopeError()
     }

test/state/mocha/tokenValidation.test.js

@@ -109,4 +109,101 @@ describe('Token validation', function () {
       expect(res.body.error).to.equal(`Required scopes were not found in token.`)
     })
   })
+
+  describe('Token scope validation', function () {
+    const {apiPort, dbPort, oidcPort, apiOrigin, oidcOrigin} = getPorts(54080)
+
+    before(async function () {
+      this.timeout(60000)
+      oidc = new MockOidc({keyCount: 1, includeInsecureKid: false})
+      await oidc.start({port: oidcPort})
+      console.log('    ✔ oidc started')
+      console.log('    try mysql start')
+      mysql = await spawnMySQL({tag:'8.0.24', port: dbPort})
+      console.log('    ✔ mysql started')
+      console.log('    try api start')
+      api = await spawnApiPromise({
+        resolveOnType: 'started',
+        resolveOnClose: false,
+        env: {
+          STIGMAN_API_PORT: apiPort,
+          STIGMAN_DEPENDENCY_RETRIES: 2,
+          STIGMAN_DB_PASSWORD: 'stigman',
+          STIGMAN_DB_HOST: '127.0.0.1',
+          STIGMAN_DB_PORT: dbPort,
+          STIGMAN_OIDC_PROVIDER: oidcOrigin,
+          STIGMAN_LOG_LEVEL: '4'
+        }
+      })
+      console.log('    ✔ api started')
+    })
+
+    after(async function () {
+      await api.stop()
+      await mysql.stop()
+      await oidc.stop()
+      addContext(this, {title: 'api-log', value: api.logRecords})
+    })
+
+    it('should accept top-level scope "stig-manager"', async function () {
+      const res = await bearerRequest({
+        url: `${apiOrigin}/api/user`,
+        method: 'GET',
+        token: oidc.getToken({username: 'user01', scope: 'stig-manager'})
+      })
+      expect(res.status).to.equal(200)
+    })
+    it('should accept parent scope "stig-manager:user"', async function () {
+      const res = await bearerRequest({
+        url: `${apiOrigin}/api/user`,
+        method: 'GET',
+        token: oidc.getToken({username: 'user01', scope: 'stig-manager:user'})
+      })
+      expect(res.status).to.equal(200)
+    })
+    it('should accept exact scope "stig-manager:user:read"', async function () {
+      const res = await bearerRequest({
+        url: `${apiOrigin}/api/user`,
+        method: 'GET',
+        token: oidc.getToken({username: 'user01', scope: 'stig-manager:user:read'})
+      })
+      expect(res.status).to.equal(200)
+    })
+    it('should reject wrong branch scope "stig-manager:stig"', async function () {
+      const res = await bearerRequest({
+        url: `${apiOrigin}/api/user`,
+        method: 'GET',
+        token: oidc.getToken({username: 'user01', scope: 'stig-manager:stig'})
+      })
+      expect(res.status).to.equal(403)
+      expect(res.body.error).to.equal('Required scopes were not found in token.')
+    })
+    it('should reject wrong branch scope "stig-manager:collection:read"', async function () {
+      const res = await bearerRequest({
+        url: `${apiOrigin}/api/user`,
+        method: 'GET',
+        token: oidc.getToken({username: 'user01', scope: 'stig-manager:collection:read'})
+      })
+      expect(res.status).to.equal(403)
+      expect(res.body.error).to.equal('Required scopes were not found in token.')
+    })
+    it('should reject unrelated scopes "openid profile"', async function () {
+      const res = await bearerRequest({
+        url: `${apiOrigin}/api/user`,
+        method: 'GET',
+        token: oidc.getToken({username: 'user01', scope: 'openid profile'})
+      })
+      expect(res.status).to.equal(403)
+      expect(res.body.error).to.equal('Required scopes were not found in token.')
+    })
+    it('should reject empty scope', async function () {
+      const res = await bearerRequest({
+        url: `${apiOrigin}/api/user`,
+        method: 'GET',
+        token: oidc.getToken({username: 'user01', scope: ''})
+      })
+      expect(res.status).to.equal(403)
+      expect(res.body.error).to.equal('Required scopes were not found in token.')
+    })
+  })
 })