Fix security warnings and update dependency versions

.gitignore

@@ -2,7 +2,6 @@
 license.json
 node_modules
 dist
-spa/cypress/reports/
 deployments/*/components/api/config.json
 deployments/*/components/spa/config.json
 deployments/*/components/webhost/config.json

api/Dockerfile

@@ -1,4 +1,4 @@
-FROM node:20-bookworm-slim
+FROM node:22-bookworm-slim
 
 RUN groupadd --gid 10000 apiuser \
   && useradd --uid 10001 --gid apiuser --shell /bin/bash --create-home apiuser

api/package.json

@@ -7,19 +7,19 @@
     "main": "server.ts",
     "type": "module",
     "engines": {
-        "node": ">=20"
+        "node": ">=22"
     },
     "scripts": {
         "build": "rm -rf dist && tsc",
         "start": "npm run build && node dist/server.js"
     },
     "dependencies": {
-        "express": "^5.1.0",
-        "jose": "^6.0.10"
+        "express": "^5.2.1",
+        "jose": "^6.1.3"
     },
     "devDependencies": {
-        "@types/express": "^5.0.1",
-        "@types/node": "^20.11.30",
-        "typescript": "^5.8.3"
+        "@types/express": "^5.0.6",
+        "@types/node": "^22.13.14",
+        "typescript": "^5.9.3"
     }
 }

api/tsconfig.json

@@ -3,8 +3,8 @@
         "strict": true,
         "target": "ES2022",
         "lib": ["ES2022"],
-        "module": "ES2022",
-        "moduleResolution": "node",
+        "module": "Node18",
+        "moduleResolution": "Node16",
         "allowSyntheticDefaultImports": true,
         "outDir": "dist"
     },

deployments/build.sh

@@ -6,6 +6,14 @@
 
 cd "$(dirname "${BASH_SOURCE[0]}")"
 
+#
+# Get the platform for Docker builds and default to x64
+#
+export PLATFORM='x64'
+if [ "$(uname -m)" == 'arm64' ]; then
+  PLATFORM='arm64'
+fi
+
 #
 # Get the OAuth agent and default to Node.js
 #
@@ -45,6 +53,11 @@ fi
 #
 if [ "$OAUTH_PROXY" == 'NGINX' ]; then
 
+  if [ "$(uname -m)" != 'x64' ]; then
+    echo 'NGINX modules are currently only supported on x64 hosts'
+    exit 1
+  fi
+
   docker build --no-cache -f nginx/Dockerfile -t custom_nginx:1.27.4-alpine .
   if [ $? -ne 0 ]; then
     echo "Problem encountered building the NGINX docker image"
@@ -82,6 +95,9 @@ if [ "$OAUTH_AGENT" == 'NODE' ]; then
   fi
   cd oauth-agent
 
+  # TODO: delete after merge
+  git checkout feature/dependency-updates
+
   npm install
   if [ $? -ne 0 ]; then
     echo "Problem encountered installing the OAuth Agent dependencies"
@@ -103,7 +119,10 @@ elif [ "$OAUTH_AGENT" == 'NET' ]; then
   fi
   cd oauth-agent
 
-  dotnet publish oauth-agent.csproj -c Release -r linux-x64 --no-self-contained
+  # TODO: delete after merge
+  git checkout feature/dependency-updates
+
+  dotnet publish oauth-agent.csproj -c Release -r "linux-$PLATFORM" --no-self-contained
   if [ $? -ne 0 ]; then
     echo "Problem encountered building the OAuth Agent's Java code"
     exit 1
@@ -139,7 +158,8 @@ elif [ "$OAUTH_AGENT" == 'FINANCIAL' ]; then
     exit 1
   fi
 fi
-docker build -t oauthagent:1.0.0 .
+
+docker build --build-arg "PLATFORM=$PLATFORM" -t oauthagent:1.0.0 .
 if [ $? -ne 0 ]; then
   echo "Problem encountered building the OAuth Agent docker image"
   exit 1

deployments/financial/components/idsvr/data-backup.sql

@@ -11,6 +11,7 @@ CREATE EXTENSION IF NOT EXISTS "uuid-ossp";
 
 CREATE TABLE delegations (
   id                          VARCHAR(40)   PRIMARY KEY,
+  tenant_id                   VARCHAR(64)   NULL,
   owner                       VARCHAR(128)  NOT NULL,
   created                     BIGINT        NOT NULL,
   expires                     BIGINT        NOT NULL,
@@ -31,6 +32,7 @@ CREATE INDEX IDX_DELEGATIONS_OWNER                   ON delegations (owner ASC);
 CREATE INDEX IDX_DELEGATIONS_AUTHORIZATION_CODE_HASH ON delegations (authorization_code_hash ASC);
 
 COMMENT ON COLUMN delegations.id IS 'Unique identifier';
+COMMENT ON COLUMN delegations.tenant_id IS 'The tenant ID of this delegation';
 COMMENT ON COLUMN delegations.owner IS 'Subject for whom the delegation is issued';
 COMMENT ON COLUMN delegations.expires IS 'Moment when delegation expires, as measured in number of seconds since epoch';
 COMMENT ON COLUMN delegations.scope IS 'Space delimited list of scope values';
@@ -360,14 +362,42 @@ COMMENT ON COLUMN buckets.attributes IS 'All attributes stored for this subject/
 COMMENT ON COLUMN buckets.created IS 'When this bucket was created';
 COMMENT ON COLUMN buckets.updated IS 'When this bucket was last updated';
 
+CREATE TABLE IF NOT EXISTS database_service_providers
+(
+    id                          VARCHAR(64)       NOT NULL,
+    profile_id                  VARCHAR(64)       NOT NULL,
+    service_provider_name       VARCHAR(128)      NULL,
+    created                     TIMESTAMP         NOT NULL,
+    updated                     TIMESTAMP         NOT NULL,
+    owner                       VARCHAR(128)      NOT NULL,
+    enabled                     VARCHAR(16)       NOT NULL DEFAULT 'enabled',
+    service_provider_metadata   JSONB             NOT NULL DEFAULT '{}',
+    configuration_references    JSONB             NOT NULL DEFAULT '{}',
+    attributes                  JSONB             NOT NULL DEFAULT '{}',
+
+    PRIMARY KEY (id, profile_id)
+    );
+
+COMMENT ON COLUMN database_service_providers.id IS 'The service provider ID of this service provider instance';
+COMMENT ON COLUMN database_service_providers.profile_id IS 'The profile ID owning this service provider instance';
+COMMENT ON COLUMN database_service_providers.service_provider_name IS 'The optional database service provider display name';
+COMMENT ON COLUMN database_service_providers.created IS 'When this service provider was originally created (in UTC time)';
+COMMENT ON COLUMN database_service_providers.updated IS 'When this service provider was last updated (in UTC time)';
+COMMENT ON COLUMN database_service_providers.owner IS 'The owner of the database service provider. This is the user or service provider who has administrative rights on the database service provider';
+COMMENT ON COLUMN database_service_providers.service_provider_metadata IS 'Metadata, as a JSON document, tied to this service provider, especially tags categorizing it';
+COMMENT ON COLUMN database_service_providers.configuration_references IS 'JSON document with all attributes referencing an item in the configuration';
+COMMENT ON COLUMN database_service_providers.attributes IS 'Canonical object representing this service provider';
+
+CREATE INDEX IF NOT EXISTS IDX_DBSP_PROFILE_ID ON database_service_providers (profile_id);
+CREATE INDEX IF NOT EXISTS IDX_DBSP_SERVICE_PROVIDER_NAME ON database_service_providers (service_provider_name);
+CREATE INDEX IF NOT EXISTS IDX_DBSP_OWNER ON database_service_providers (owner);
+
 --
 -- Restore the test user account and its password credential
 --
-
 COPY accounts (account_id, username, password, email, phone, attributes, active, created, updated) FROM stdin;
 79b6852c-8062-403b-b0a9-3b19d7175233	demouser	\N	demo@user.com	07711	{"name": {"givenName": "Demo", "familyName": "User"}, "emails": [{"value": "demo@user.com", "primary": true}], "agreeToTerms": "on", "phoneNumbers": [{"value": "07711", "primary": true}], "urn:se:curity:scim:2.0:Devices": []}	1	1708008810	1708008810
 \.
-
 COPY credentials (id, subject, password, attributes, created, updated) FROM stdin;
 6a273e20-6015-4243-8117-44379cadf582	demouser	$5$rounds=20000$p32Fp4ecezzC0BSk$kaqe1ol1ShkqespXd9QiX.NNRasd0nOOQiC6ES1wOiB	{}	2024-02-15 14:53:30.623009	2024-02-15 14:53:30.623009
 \.

deployments/financial/docker-compose.yml

@@ -134,7 +134,7 @@ services:
   # A SQL database used by the Curity Identity Server
   #
   curity-data:
-    image: postgres:17.4
+    image: postgres:18.1
     hostname: dbserver
     volumes:
       - ./components/idsvr/data-backup.sql:/docker-entrypoint-initdb.d/data-backup.sql

deployments/standard/components/idsvr/data-backup.sql

@@ -11,6 +11,7 @@ CREATE EXTENSION IF NOT EXISTS "uuid-ossp";
 
 CREATE TABLE delegations (
   id                          VARCHAR(40)   PRIMARY KEY,
+  tenant_id                   VARCHAR(64)   NULL,
   owner                       VARCHAR(128)  NOT NULL,
   created                     BIGINT        NOT NULL,
   expires                     BIGINT        NOT NULL,
@@ -31,6 +32,7 @@ CREATE INDEX IDX_DELEGATIONS_OWNER                   ON delegations (owner ASC);
 CREATE INDEX IDX_DELEGATIONS_AUTHORIZATION_CODE_HASH ON delegations (authorization_code_hash ASC);
 
 COMMENT ON COLUMN delegations.id IS 'Unique identifier';
+COMMENT ON COLUMN delegations.tenant_id IS 'The tenant ID of this delegation';
 COMMENT ON COLUMN delegations.owner IS 'Subject for whom the delegation is issued';
 COMMENT ON COLUMN delegations.expires IS 'Moment when delegation expires, as measured in number of seconds since epoch';
 COMMENT ON COLUMN delegations.scope IS 'Space delimited list of scope values';
@@ -360,14 +362,42 @@ COMMENT ON COLUMN buckets.attributes IS 'All attributes stored for this subject/
 COMMENT ON COLUMN buckets.created IS 'When this bucket was created';
 COMMENT ON COLUMN buckets.updated IS 'When this bucket was last updated';
 
+CREATE TABLE IF NOT EXISTS database_service_providers
+(
+    id                          VARCHAR(64)       NOT NULL,
+    profile_id                  VARCHAR(64)       NOT NULL,
+    service_provider_name       VARCHAR(128)      NULL,
+    created                     TIMESTAMP         NOT NULL,
+    updated                     TIMESTAMP         NOT NULL,
+    owner                       VARCHAR(128)      NOT NULL,
+    enabled                     VARCHAR(16)       NOT NULL DEFAULT 'enabled',
+    service_provider_metadata   JSONB             NOT NULL DEFAULT '{}',
+    configuration_references    JSONB             NOT NULL DEFAULT '{}',
+    attributes                  JSONB             NOT NULL DEFAULT '{}',
+
+    PRIMARY KEY (id, profile_id)
+    );
+
+COMMENT ON COLUMN database_service_providers.id IS 'The service provider ID of this service provider instance';
+COMMENT ON COLUMN database_service_providers.profile_id IS 'The profile ID owning this service provider instance';
+COMMENT ON COLUMN database_service_providers.service_provider_name IS 'The optional database service provider display name';
+COMMENT ON COLUMN database_service_providers.created IS 'When this service provider was originally created (in UTC time)';
+COMMENT ON COLUMN database_service_providers.updated IS 'When this service provider was last updated (in UTC time)';
+COMMENT ON COLUMN database_service_providers.owner IS 'The owner of the database service provider. This is the user or service provider who has administrative rights on the database service provider';
+COMMENT ON COLUMN database_service_providers.service_provider_metadata IS 'Metadata, as a JSON document, tied to this service provider, especially tags categorizing it';
+COMMENT ON COLUMN database_service_providers.configuration_references IS 'JSON document with all attributes referencing an item in the configuration';
+COMMENT ON COLUMN database_service_providers.attributes IS 'Canonical object representing this service provider';
+
+CREATE INDEX IF NOT EXISTS IDX_DBSP_PROFILE_ID ON database_service_providers (profile_id);
+CREATE INDEX IF NOT EXISTS IDX_DBSP_SERVICE_PROVIDER_NAME ON database_service_providers (service_provider_name);
+CREATE INDEX IF NOT EXISTS IDX_DBSP_OWNER ON database_service_providers (owner);
+
 --
 -- Restore the test user account and its password credential
 --
-
 COPY accounts (account_id, username, password, email, phone, attributes, active, created, updated) FROM stdin;
 79b6852c-8062-403b-b0a9-3b19d7175233	demouser	\N	demo@user.com	07711	{"name": {"givenName": "Demo", "familyName": "User"}, "emails": [{"value": "demo@user.com", "primary": true}], "agreeToTerms": "on", "phoneNumbers": [{"value": "07711", "primary": true}], "urn:se:curity:scim:2.0:Devices": []}	1	1708008810	1708008810
 \.
-
 COPY credentials (id, subject, password, attributes, created, updated) FROM stdin;
 6a273e20-6015-4243-8117-44379cadf582	demouser	$5$rounds=20000$p32Fp4ecezzC0BSk$kaqe1ol1ShkqespXd9QiX.NNRasd0nOOQiC6ES1wOiB	{}	2024-02-15 14:53:30.623009	2024-02-15 14:53:30.623009
 \.

deployments/standard/docker-compose.yml

@@ -102,7 +102,7 @@ services:
   # A SQL database used by the Curity Identity Server
   #
   curity-data:
-    image: postgres:17.4
+    image: postgres:18.1
     hostname: dbserver
     volumes:
       - ./components/idsvr/data-backup.sql:/docker-entrypoint-initdb.d/data-backup.sql

doc/Financial.md

@@ -23,7 +23,7 @@ Add these entries to your /etc/hosts file:
 
 Ensure that these tools are installed locally:
 
-- [Node.js 20 or later](https://nodejs.org/en/download/)
+- [Node.js 22 or later](https://nodejs.org/en/download/)
 - [Java 17 or later](https://openjdk.java.net/projects/jdk/17/)
 - [Docker](https://www.docker.com/products/docker-desktop)
 - [openssl](https://www.openssl.org/source/)
@@ -120,15 +120,6 @@ API_GATEWAY_CONTAINER_ID=$(docker container ls | grep api-gateway | awk '{print
 docker logs -f $API_GATEWAY_CONTAINER_ID
 ```
 
-## Run UI Tests
-
-If required, run the SPA's [automated UI tests](Cypress.md) for login related operations:
-
-```bash
-cd spa
-npm run uitests
-```
-
 ## Free Resources
 
 When finished with your development session, run the following script to free resources:

doc/Standard.md

@@ -22,7 +22,7 @@ Add these entries to your /etc/hosts file:
 
 Ensure that these tools are installed locally:
 
-- [Node.js 20 or later](https://nodejs.org/en/download/)
+- [Node.js 22 or later](https://nodejs.org/en/download/)
 - [Docker](https://www.docker.com/products/docker-desktop)
 - [jq](https://stedolan.github.io/jq/download/)
 - [envsubst](https://www.gnu.org/software/gettext/)
@@ -61,7 +61,7 @@ OAUTH_AGENT supported values:
 
 OAUTH_PROXY supported values:
   - KONG (default)
-  - NGINX
+  - NGINX (only supported for x64 host computers)
   - OPENRESTY
 
 ## Deploy the System
@@ -121,15 +121,6 @@ API_GATEWAY_CONTAINER_ID=$(docker container ls | grep api-gateway | awk '{print
 docker logs -f $API_GATEWAY_CONTAINER_ID
 ```
 
-## Run UI Tests
-
-If required, run the SPA's [automated UI tests](Cypress.md) for login related operations:
-
-```bash
-cd spa
-npm run uitests
-```
-
 ## Free Resources
 
 When finished with your development session, run the following script to free resources: