Merge master (upstream v8.0.0): add encryption algorithm options

- Bring in upstream v8.0.0 (feat: add encryption algorithm options auth0#157)
- Keep DRC customizations: absoluteUrls metadata feature, Node>=22,
  nyc coverage, mocha 11.3.0, @auth0/xmldom 0.1.23, security overrides
- Keep ci.yml with Node 22.x + actions v4 (reject upstream regression to v1)
- Retain v7.2.0 changelog entry alongside upstream v8.0.0 entry
- Error regex updated to OpenSSL 3 / Node 22 specific pattern

Author: drc-bsvee

CHANGELOG.md

@@ -1,6 +1,14 @@
-# Changelog
+# [8.0.0](https://github.com/auth0/node-samlp/compare/v7.1.1...v8.0.0) (2026-03-31)
 
-All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
+
+### Features
+
+* add encryption algorithm options ([#157](https://github.com/auth0/node-samlp/issues/157)) ([1444aad](https://github.com/auth0/node-samlp/commit/1444aad42039578d0a659576141318c91e8e5afe))
+
+
+### BREAKING CHANGES
+
+* adding encryption algorithm in options(if not set, defaults to http://www.w3.org/2009/xmlenc11#aes256-gcm), adding disallowEncryptionWithInsecureAlgorithm to enforce secure encryption algorithms
 
 ## [7.2.0](https://github.com/DataRecognitionCorporation/node-samlp/compare/v7.1.1...v7.2.0) (2026-04-02)
 
@@ -25,7 +33,6 @@ All notable changes to this project will be documented in this file. See [standa
 * replace istanbul with nyc@15 for coverage
 * update CI workflow to Node.js 22.x; upgrade actions/checkout and actions/setup-node to v4
 
-
 ### [7.1.1](https://github.com/auth0/node-samlp/compare/v7.1.0...v7.1.1) (2023-11-20)
 
 

README.md

@@ -40,7 +40,11 @@ Options
 | RelayState          | state of the auth process                        | ```req.query.RelayState || req.body.RelayState``` |
 | sessionIndex          | the index of a particular session between the principal identified by the subject and the authenticating authority                        | _SessionIndex is not included_ |
 | responseHandler       | custom response handler for SAML response f(SAMLResponse, options, req, res, next) | HTML response that POSTS to postUrl |
-
+| encryptionPublicKey | Public key used to encrypt the SAML assertion |
+| encryptionCert | Certificate used to encrypt SAML assertion |
+| encryptionAlgorithm | The encryption algorithm to encrypt saml assertion | http://www.w3.org/2009/xmlenc11#aes256-gcm ([node-xml-encryption](https://github.com/auth0/node-xml-encryption/blob/master/README.md) details the available encryption algorithms and configuration options.) |
+| disallowEncryptionWithInsecureAlgorithm | If true, disallows encryption with algorithms considered insecure by [node-xml-encryption](https://github.com/auth0/node-xml-encryption/blob/master/README.md) | true |
+| warnOnInsecureEncryptionAlgorithm | If true, logs a warning when using an insecure encryption algorithm (using disallowEncryptionWithInsecureAlgorithm as false) | true |
 
 Add the middleware as follows:
 

lib/samlp.js

@@ -106,7 +106,10 @@ function getSamlResponse(samlConfig, user, callback) {
     sessionIndex: options.sessionIndex,
     typedAttributes: options.typedAttributes,
     includeAttributeNameFormat: options.includeAttributeNameFormat,
-    signatureNamespacePrefix: options.signatureNamespacePrefix
+    signatureNamespacePrefix: options.signatureNamespacePrefix,
+    encryptionAlgorithm: options.encryptionAlgorithm,
+    disallowEncryptionWithInsecureAlgorithm: options.disallowEncryptionWithInsecureAlgorithm,
+    warnOnInsecureEncryptionAlgorithm: options.warnOnInsecureEncryptionAlgorithm
   }, function (err, samlAssertion) {
     if (err) return callback(err);
 

package.json

@@ -1,11 +1,15 @@
 {
   "name": "samlp",
-  "version": "7.2.0",
+  "version": "8.0.0",
   "engines": {
     "node": ">=22"
   },
   "description": "SAML Protocol server middleware",
   "main": "lib/index.js",
+  "files": [
+    "lib",
+    "templates"
+  ],
   "scripts": {
     "test": "./node_modules/.bin/_mocha -R spec --colors",
     "cover": "nyc ./node_modules/.bin/_mocha -R spec --colors",
@@ -24,13 +28,13 @@
   "license": "mit",
   "dependencies": {
     "@auth0/thumbprint": "0.0.6",
+    "@auth0/xmldom": "0.1.23",
     "auth0-id-generator": "^0.2.0",
     "ejs": "^3.1.10",
     "flowstate": "^0.4.0",
     "querystring": "^0.2.0",
     "saml": "^4.0.0",
     "xml-crypto": "^2.0.0",
-    "@auth0/xmldom": "0.1.23",
     "xpath": "0.0.5",
     "xtend": "^1.0.3"
   },

test/samlp.tests.js

@@ -10,6 +10,7 @@ var querystring = require('querystring');
 var encoder = require('../lib/encoders');
 var fs = require('fs');
 var path = require('path');
+var getSamlResponse = require('../lib/samlp').getSamlResponse;
 
 describe('samlp', function () {
 
@@ -697,7 +698,7 @@ describe('samlp', function () {
         it('should return an error', function (done) {
           doRawSAMLRequest(function (response) {
             expect(response.statusCode).to.equal(400);
-            expect(response.body).to.match(/(PEM routines|DECODER routines)/);
+            expect(response.body).to.match(/error:[\w:]+:(PEM routines[\w:]*:no start line|DECODER routines[\w:]*:unsupported)/);
             done();
           });
         });
@@ -746,7 +747,7 @@ describe('samlp', function () {
         it('should return an error', function (done) {
           doRawSAMLRequest(function (response) {
             expect(response.statusCode).to.equal(400);
-            expect(response.body).to.match(/(PEM routines|DECODER routines)/);
+            expect(response.body).to.match(/error:[\w:]+:(PEM routines[\w:]*:no start line|DECODER routines[\w:]*:unsupported)/);
             done();
           });
         });
@@ -872,4 +873,94 @@ describe('samlp', function () {
       });
     });
   });
+
+  describe('when using encryption options', function () {
+
+    describe('when using insecure algorithm', function () {
+      var body, $, response;
+
+      before(function (done) {
+        server.options = {
+          encryptionPublicKey: fs.readFileSync(path.join(__dirname, 'fixture/sp1.pem')),
+          encryptionCert:      fs.readFileSync(path.join(__dirname, 'fixture/sp1.pem')),
+          encryptionAlgorithm: 'http://www.w3.org/2001/04/xmlenc#aes256-cbc',
+          disallowEncryptionWithInsecureAlgorithm: true,
+          warnOnInsecureEncryptionAlgorithm: false
+        };
+        request.get({
+          jar: request.jar(),
+          uri: 'http://localhost:5050/samlp?SAMLRequest=' + urlEncodedSAMLRequest + '&RelayState=123'
+        }, function (err, res, b) {
+          if (err) return done(err);
+          body = b;
+          response = res;
+          $ = cheerio.load(body);
+          done();
+        });
+      });
+
+      it('should return an error with disallowEncryptionWithInsecureAlgorithm set to true', function () {
+        expect(response.statusCode).to.equal(400);
+        expect(body).to.equal('encryption algorithm http://www.w3.org/2001/04/xmlenc#aes256-cbc is not secure');
+      });
+    });
+
+    describe('when using insecure encryption algorithm with disallowEncryptionWithInsecureAlgorithm set to false', function () {
+      var body, $, response;
+
+      before(function (done) {
+        server.options = {
+          encryptionPublicKey: fs.readFileSync(path.join(__dirname, 'fixture/sp1.pem')),
+          encryptionCert:      fs.readFileSync(path.join(__dirname, 'fixture/sp1.pem')),
+          encryptionAlgorithm: 'http://www.w3.org/2001/04/xmlenc#aes256-cbc',
+          disallowEncryptionWithInsecureAlgorithm: false,
+          warnOnInsecureEncryptionAlgorithm: false
+        };
+        request.get({
+          jar: request.jar(),
+          uri: 'http://localhost:5050/samlp?SAMLRequest=' + urlEncodedSAMLRequest + '&RelayState=123'
+        }, function (err, res, b) {
+          if (err) return done(err);
+          body = b;
+          response = res;
+          $ = cheerio.load(body);
+          done();
+        });
+      });
+
+      it('should return success with disallowEncryptionWithInsecureAlgorithm set to false', function (done) {
+        expect(response.statusCode).to.equal(200);
+        done();
+      });
+    });
+
+    describe('when using secure encryption algorithm', function () {
+      var body, $, response;
+
+      before(function (done) {
+        server.options = {
+          encryptionPublicKey: fs.readFileSync(path.join(__dirname, 'fixture/sp1.pem')),
+          encryptionCert:      fs.readFileSync(path.join(__dirname, 'fixture/sp1.pem')),
+          encryptionAlgorithm: 'http://www.w3.org/2009/xmlenc11#aes256-gcm',
+          disallowEncryptionWithInsecureAlgorithm: true,
+          warnOnInsecureEncryptionAlgorithm: false
+        };
+        request.get({
+          jar: request.jar(),
+          uri: 'http://localhost:5050/samlp?SAMLRequest=' + urlEncodedSAMLRequest + '&RelayState=123'
+        }, function (err, res, b) {
+          if (err) return done(err);
+          body = b;
+          response = res;
+          $ = cheerio.load(body);
+          done();
+        });
+      });
+
+      it('should return success when using a secure algorithm', function (done) {
+        expect(response.statusCode).to.equal(200);
+        done();
+      });
+    });
+  });
 });