Why
The account-pane (#12 / PR #13) preflights with an unauthenticated `PUT /idp/credentials` to detect whether the dedicated handler exists (only added in JSS 0.0.165). On a JSS <0.0.165 server with a world-writable ACL on `/idp/credentials`, the wildcard could create an empty file at that path before the pane bails.
WAC normally rejects unauth PUT before the wildcard runs (#13 conversation), so this is theoretical, but it's residual risk worth eliminating.
Proposed fix
Two-part change:
Server (JSS)
Extend `handleCredentialsInfo` (`src/idp/credentials.js`) to enumerate supported methods:
```diff
export function handleCredentialsInfo(request, reply, issuer) {
return {
endpoint: `${issuer}/idp/credentials`,
- methods: ['GET', 'POST', 'PUT'], // PUT only on 0.0.165+
description: '...',
...
};
}
```
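Review bot: the `methods: ['GET', 'POST', 'PUT'],` line in `handleCredentialsInfo` is marked `-` (removed), while the text around the hunk describes `methods` as a new field, so it should be a `+` line. The array is also a hard-coded literal annotated `// PUT only on 0.0.165+`. Consider deriving it from the handlers that are actually registered so the advertised list cannot drift from what the server accepts, and mention the field in `description` so clients know it is the capability signal.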
Bump JSS to 0.0.166. The new `methods` field declares feature support without touching any state.
Client (this repo)
Replace the PUT-probe with a GET to `/idp/credentials`:
```js
async function preflight() {
  try {
    var res = await fetch(endpoint)
    if (res.status !== 200) return false
    var info = await res.json().catch(() => null)
    return !!(info && Array.isArray(info.methods) && info.methods.includes('PUT'))
  } catch (e) { return false }
}
```
GET is idempotent — zero mutation risk regardless of WAC config or JSS version.
Acceptance
Out of scope
- Pure-OPTIONS-based discovery (less reliable, JSS's CORS plugin returns the same Allow regardless of dedicated routes)
- Removing the preflight entirely — even with this fix, a server that omits the `methods` field should fail closed
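
The fail-closed behaviour described above, exercised against stubbed servers. This is an added example, not code from this repo or from JSS: `preflight` takes the endpoint and a fetch implementation as parameters (an assumption made so it can run offline), and `stubServer`, `CASES`, `runCases` and the `pod.example` URL are hypothetical.

```javascript
// Added example: the GET preflight from the issue, with endpoint and fetch
// passed in (an assumption made here so it can run against stubs).
async function preflight(endpoint, fetchImpl) {
  try {
    const res = await fetchImpl(endpoint, { method: 'GET' })
    if (res.status !== 200) return false
    const info = await res.json().catch(() => null)
    return !!(info && Array.isArray(info.methods) && info.methods.includes('PUT'))
  } catch (e) { return false }
}

// Hypothetical stub server: records each HTTP method it receives.
// status 0 simulates a network failure; a string body is parsed as JSON text.
function stubServer(status, body, seen) {
  return async function (url, init) {
    seen.push((init && init.method) || 'GET')
    if (status === 0) throw new TypeError('network error')
    return {
      status: status,
      json: async () => (typeof body === 'string' ? JSON.parse(body) : body)
    }
  }
}

// Constructed responses covering the server behaviours the issue mentions.
const CASES = {
  declaresPut: [200, { endpoint: 'https://pod.example/idp/credentials', methods: ['GET', 'POST', 'PUT'] }],
  noMethodsField: [200, { endpoint: 'https://pod.example/idp/credentials', description: '...' }],
  methodsNotArray: [200, { methods: 'GET, POST, PUT' }],
  putNotListed: [200, { methods: ['GET', 'POST'] }],
  nonJsonBody: [200, '<html>not json</html>'],
  unauthorized: [401, {}],
  notFound: [404, {}],
  networkError: [0, null]
}

// Runs every case; returns each verdict plus all HTTP methods the client sent.
async function runCases() {
  const seen = []
  const results = {}
  for (const name of Object.keys(CASES)) {
    const [status, body] = CASES[name]
    results[name] = await preflight('https://pod.example/idp/credentials', stubServer(status, body, seen))
  }
  return { results: results, seen: seen }
}
```

Only `declaresPut` yields `true`; the `seen` array lets a test confirm the client never issues anything other than GET during discovery.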