Deprecate getOriginalXmlWithIds()

[shunkica]

As per the discussion in issue #512 , this PR removes the internal usages of the getOriginalXmlWithIds() function and marks it deprecated.

Summary by CodeRabbit

• Documentation
  • Marked the method for retrieving original XML with ID attributes as deprecated, added guidance to use the configuration that controls signature placement, and noted future removal.
• Public API
  • Primary retrieval API for signed XML was updated—please migrate to the newer retrieval method.
• Tests
  • Test assertions updated to validate the new signed-XML output and to target element attributes excluding signature-related attributes.

[coderabbitai]

Walkthrough

Deprecates SignedXml.getOriginalXmlWithIds (replacing the method with a deprecate-wrapped property), updates README deprecation guidance, adjusts exported declarations, and migrates tests to use getSignedXml with narrowed XPath assertions.

Changes

Cohort / File(s)	Summary
Documentation & Guidance README.md	Marked getOriginalXmlWithIds() as deprecated, noted future removal, and advised using ComputeSignatureOptionsLocation to control signature placement.
API Deprecation src/signed-xml.ts	Replaced the getOriginalXmlWithIds() method with a property assigned to a deprecate(() => string, ...) wrapper; JSDoc updated with a deprecation note; runtime return unchanged.
Public API Declaration src/index.ts	Updated exported/public declarations to reflect the API change (removal of getOriginalXmlWithIds() method surface, continued exposure of getSignedXml() where applicable).
Test Migration test/signature-unit-tests.spec.ts	Replaced calls to getOriginalXmlWithIds() with getSignedXml(); narrowed XPath attribute queries to the x element (//*[local-name(.)='x']/@*); updated assertions to validate IDs on signed XML.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Potential review focus:

• src/signed-xml.ts: ensure the deprecate wrapper preserves behavior, return value, and typings.
• src/index.ts: confirm public exports match the updated declarations.
• test/signature-unit-tests.spec.ts: verify XPath changes and replacements correctly assert intended values.

Possibly related PRs

• Add support for inserting and signing Object elements inside the Signature #506 — modifies how SignedXml captures/returns the "original XML with IDs", related to this PR's API/behavior change.

Suggested labels

enhancement

Suggested reviewers

• cjbarth

Poem

🐰
I nudged a method, soft and sly,
Wrapped it in deprecate — not goodbye.
Tests hopped to signed paths, tidy and spry,
Docs point where signatures now lie.
A tiny hop forward — carrot in my eye.

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and concisely summarizes the main change: deprecating the getOriginalXmlWithIds() method, which is the primary objective of the PR.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d77d0fc and be80e81.

📒 Files selected for processing (3)

• README.md (1 hunks)
• src/signed-xml.ts (1 hunks)
• test/signature-unit-tests.spec.ts (4 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• README.md

🧰 Additional context used

🧠 Learnings (4)

📓 Common learnings

Learnt from: shunkica
Repo: node-saml/xml-crypto PR: 506
File: src/signed-xml.ts:1159-1159
Timestamp: 2025-10-22T20:36:00.758Z
Learning: In node-saml/xml-crypto PR #506, the maintainer (shunkica) prefers to address the ref.uri mutation inside addAllReferences in a separate PR; removing the in-loop assignment is the desired fix but may be treated as a breaking change. Future guidance: avoid behavioral changes to ref.uri in the current PR.

Learnt from: shunkica
Repo: node-saml/xml-crypto PR: 506
File: src/signed-xml.ts:1159-1159
Timestamp: 2025-10-22T21:03:38.354Z
Learning: In node-saml/xml-crypto PR #506, the maintainer (shunkica) requested an issue to separate the overloaded Reference interface into distinct SigningReference and ValidationReference types. Initial hypothesis: signing-only (xpath, isEmptyUri, id, type), validation-only (uri, digestValue, validationError, signedReference), shared (transforms, digestAlgorithm, inclusiveNamespacesPrefixList). This should be proposed and designed in a follow-up, not altered in the current PR.

Learnt from: shunkica
Repo: node-saml/xml-crypto PR: 0
File: :0-0
Timestamp: 2025-10-22T21:50:05.454Z
Learning: In src/signed-xml.ts Line 1099, createReferences mutates ref.uri = id during signing. Maintain this behavior for now; remove/refactor in a separate PR as previously requested by the maintainer.

Learnt from: shunkica
Repo: node-saml/xml-crypto PR: 519
File: example/new-api-example.js:1-9
Timestamp: 2025-10-25T14:41:13.728Z
Learning: Example files in the node-saml/xml-crypto repository should use `require("xml-crypto")` (the package name) rather than relative paths to build artifacts, since they demonstrate usage from an end-user's perspective.

📚 Learning: 2025-10-22T21:50:05.454Z

Learnt from: shunkica
Repo: node-saml/xml-crypto PR: 0
File: :0-0
Timestamp: 2025-10-22T21:50:05.454Z
Learning: In src/signed-xml.ts Line 1099, createReferences mutates ref.uri = id during signing. Maintain this behavior for now; remove/refactor in a separate PR as previously requested by the maintainer.

Applied to files:

• test/signature-unit-tests.spec.ts
• src/signed-xml.ts

📚 Learning: 2025-10-22T21:03:38.354Z

Learnt from: shunkica
Repo: node-saml/xml-crypto PR: 506
File: src/signed-xml.ts:1159-1159
Timestamp: 2025-10-22T21:03:38.354Z
Learning: In node-saml/xml-crypto PR #506, the maintainer (shunkica) requested an issue to separate the overloaded Reference interface into distinct SigningReference and ValidationReference types. Initial hypothesis: signing-only (xpath, isEmptyUri, id, type), validation-only (uri, digestValue, validationError, signedReference), shared (transforms, digestAlgorithm, inclusiveNamespacesPrefixList). This should be proposed and designed in a follow-up, not altered in the current PR.

Applied to files:

• test/signature-unit-tests.spec.ts

📚 Learning: 2025-10-25T14:41:13.728Z

Learnt from: shunkica
Repo: node-saml/xml-crypto PR: 519
File: example/new-api-example.js:1-9
Timestamp: 2025-10-25T14:41:13.728Z
Learning: Example files in the node-saml/xml-crypto repository should use `require("xml-crypto")` (the package name) rather than relative paths to build artifacts, since they demonstrate usage from an end-user's perspective.

Applied to files:

• test/signature-unit-tests.spec.ts

🧬 Code graph analysis (1)

test/signature-unit-tests.spec.ts (1)

example/example.js (4)

• signedXml (39-39)
• sig (9-9)
• sig (22-22)
• doc (17-17)

🔇 Additional comments (5)

src/signed-xml.ts (1)

1411-1413: Deprecation correctly implemented.

The conversion from method to property using deprecate() preserves backward compatibility while warning users. The arrow function syntax is unconventional but acceptable for a deprecated API scheduled for removal.

test/signature-unit-tests.spec.ts (4)

112-112: LGTM: Test correctly migrated to new API.

The change from getOriginalXmlWithIds() to getSignedXml() aligns with the deprecation. The signed XML includes the signature element, which is the expected final output.

---

175-180: LGTM: XPath correctly narrowed to target element.

The comment and XPath change appropriately address that getSignedXml() includes signature attributes. Selecting only //*[local-name(.)='x']/@* avoids counting signature-related attributes, maintaining the original test intent.

---

539-549: LGTM: Explicit ID verification maintains test coverage.

This verification block explicitly checks that IDs were added to signed elements, maintaining the coverage that was previously implicit when using getOriginalXmlWithIds(). The assertions correctly validate the expected ID values.

---

710-720: LGTM: Consistent verification for prefixed test case.

The ID verification follows the same pattern as lines 539-549, appropriately covering the prefixed signature variant. This maintains consistent test coverage across both test cases.

Tip

📝 Customizable high-level summaries are now available!

You can now customize how CodeRabbit generates the high-level summary in your pull requests — including its content, structure, tone, and formatting.

• Provide custom instructions to shape the summary (bullet lists, tables, contributor stats, etc.).
• Use high_level_summary_in_walkthrough to move the summary from the description to the walkthrough section.

Example:

"Create a concise high-level summary as a bullet-point list. Then include a Markdown table showing lines added and removed by each contributing author."

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

src/signed-xml.ts (1)

1281-1283: Consider keeping it as a method to avoid per-instance overhead.

While the current implementation maintains backward compatibility, converting the method to a class field has memory implications: each SignedXml instance now allocates its own deprecate-wrapped function. Additionally, as a property, it could be inadvertently reassigned.

Consider this alternative that preserves the method signature:

  /**
   * Returns the original xml with Id attributes added on relevant elements, must be called only after {@link computeSignature}
   *
   * @returns The original XML with IDs.
   * @deprecated This function is deprecated and will be removed in a future version. Use ComputeSignatureOptionsLocation to control where the signature will be placed in the original XML.
   */
-  getOriginalXmlWithIds = deprecate((): string => {
+  getOriginalXmlWithIds(): string {
+    this.logDeprecation();
     return this.originalXmlWithIds;
-  }, "`getOriginalXmlWithIds()` is deprecated and will be removed in a future version. Use ComputeSignatureOptionsLocation to control where the signature will be placed in the original XML.");
+  }
+
+  private logDeprecation = deprecate(() => {}, "`getOriginalXmlWithIds()` is deprecated and will be removed in a future version. Use ComputeSignatureOptionsLocation to control where the signature will be placed in the original XML.");

This approach:

• Keeps it as a method (avoiding per-instance function allocation)
• Prevents reassignment
• Maintains TypeScript method types
• Still emits the deprecation warning when called

Alternatively, if the current pattern is preferred, it's functional and the memory overhead may be acceptable depending on instance count.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 02a405a and b25ea5a.

📒 Files selected for processing (3)

• README.md (1 hunks)
• src/signed-xml.ts (1 hunks)
• test/signature-unit-tests.spec.ts (4 hunks)

🧰 Additional context used

🧬 Code graph analysis (1)

test/signature-unit-tests.spec.ts (1)

example/example.js (4)

• signedXml (39-39)
• sig (9-9)
• sig (22-22)
• doc (17-17)

🔇 Additional comments (5)

README.md (1)

285-285: LGTM! Clear deprecation notice with migration guidance.

The deprecation documentation is well-written and provides users with a clear alternative approach using ComputeSignatureOptionsLocation.

test/signature-unit-tests.spec.ts (4)

112-113: LGTM! Correct migration to the new API.

The test correctly migrates from the deprecated getOriginalXmlWithIds() to getSignedXml().

---

175-180: LGTM! Correctly adjusted XPath query for the new API.

The XPath change to target only the 'x' element's attributes is appropriate since getSignedXml() returns the complete signed document including the Signature element, which has its own attributes. This prevents false positives in the attribute count.

---

539-549: LGTM! Verification ensures IDs are added correctly.

The new verification block properly validates that ID attributes are added to the signed elements in the output XML, maintaining test coverage for functionality previously verified through getOriginalXmlWithIds().

---

710-720: LGTM! Consistent ID verification pattern.

This verification block follows the same pattern as the earlier one, ensuring comprehensive test coverage for ID attribute addition.

[cjbarth]

Generally I'm on board with reducing code, however, I figured I'd check to see if this API were used elsewhere before I proceeded with this and I found the following (in part):

• https://github.com/Enflick/samljs/blob/800ad1129e25540f2ede3090204f15f0f480acad/lib/util.js#L100
• https://github.com/p-dealwis/ws.js/blob/24fb42befd4a4e5d8602d2a7331877d9a2153983/lib/handlers/client/security/signature.js#L40
• https://github.com/nnarhinen/ws.js/blob/8f75cc2d18645c687ba122f665b33288a67c36b8/lib/handlers/client/security/signature.js#L41
• https://github.com/metodika/node-soap/blob/42dda253782b7eb7e42675bd66888be06e60986b/src/security/WSSecurityCert.ts#L203
• https://github.com/unilynx/node-soap/blob/1c5c857f8b0761ad52a757735c86fa2ddc1c65c7/src/security/WSSecurityCert.ts#L200
• https://github.com/Mindflash/samljs/blob/009c75d268f983c99b25cad2ea1ea1c48d15957c/lib/util.js#L100
• https://github.com/smart-classic/dm-semantic-service/blob/f9a4a68216692fa31c9949c1a156cce5461e1083/ecrs.js#L87
• https://github.com/vpulim/node-soap/blob/a3124628917138eace923112b8f21578f721f090/src/security/WSSecurityCert.ts#L217

Some of these projects are very active (>500,000 downloads/week). So, it seems we might need to touch base with them to see what impact deprecating this might have on them.

[shunkica]

This just seems like the users are not aware how the signature location can be used within the computeSignature function.

[shunkica]

The biggest of these libraries vpulim/node-soap can just refactor from:

    this.signer.computeSignature(xmlWithSec, this.signerOptions);
    const originalXmlWithIds = this.signer.getOriginalXmlWithIds();
    const signatureXml = this.signer.getSignatureXml();
    return insertStr(signatureXml, originalXmlWithIds, originalXmlWithIds.indexOf('</wsse:Security>'));

to

    const computeOptions = {
      ...this.signerOptions,
      location: {
        reference: "//wsse:Security",
        action: "append"
      }
    };
    this.signer.computeSignature(xmlWithSec, computeOptions);
    return this.signer.getSignedXml();

I haven't tested if of course this is just off the cuff.

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b25ea5a and 063b976.

📒 Files selected for processing (3)

• README.md (1 hunks)
• src/signed-xml.ts (1 hunks)
• test/signature-unit-tests.spec.ts (4 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• src/signed-xml.ts

🧰 Additional context used

🧠 Learnings (2)

📓 Common learnings

Learnt from: shunkica
PR: node-saml/xml-crypto#506
File: src/signed-xml.ts:1159-1159
Timestamp: 2025-10-22T20:36:00.734Z
Learning: In node-saml/xml-crypto PR #506, the maintainer (shunkica) prefers to address the ref.uri mutation inside addAllReferences in a separate PR; removing the in-loop assignment is the desired fix but may be treated as a breaking change. Future guidance: avoid behavioral changes to ref.uri in the current PR.

Learnt from: shunkica
PR: node-saml/xml-crypto#506
File: src/signed-xml.ts:1159-1159
Timestamp: 2025-10-22T21:03:38.309Z
Learning: In node-saml/xml-crypto PR #506, the maintainer (shunkica) requested an issue to separate the overloaded Reference interface into distinct SigningReference and ValidationReference types. Initial hypothesis: signing-only (xpath, isEmptyUri, id, type), validation-only (uri, digestValue, validationError, signedReference), shared (transforms, digestAlgorithm, inclusiveNamespacesPrefixList). This should be proposed and designed in a follow-up, not altered in the current PR.

📚 Learning: 2025-10-22T21:50:05.441Z

Learnt from: shunkica
PR: node-saml/xml-crypto#0
File: :0-0
Timestamp: 2025-10-22T21:50:05.441Z
Learning: In src/signed-xml.ts Line 1099, createReferences mutates ref.uri = id during signing. Maintain this behavior for now; remove/refactor in a separate PR as previously requested by the maintainer.

Applied to files:

• test/signature-unit-tests.spec.ts

🔇 Additional comments (4)

test/signature-unit-tests.spec.ts (4)

112-113: LGTM!

The migration from getOriginalXmlWithIds() to getSignedXml() is correct. Both contain the added ID attributes, which is what this test verifies.

---

175-180: Excellent XPath fix with clear documentation.

The updated XPath //*[local-name(.)='x']/@* correctly isolates the 'x' element's attributes, preventing the count from including signature attributes introduced by getSignedXml(). The explanatory comment is helpful.

---

539-549: LGTM!

The ID verification logic correctly migrates to use getSignedXml(). The XPath queries properly locate ID attributes on the signed elements, and the assertions verify the expected incremental ID values.

---

710-720: LGTM!

Consistent with the earlier ID verification block at lines 539-549. The migration correctly verifies ID attributes in the signed XML for the prefixed signature test case.

[shunkica]

I ran some benchmarks with and without originalXmlWithIds. The speed difference is negligible, but the memory difference is significant.
I could create a separate branch for the benchmark etc. but I don't think it is necessary since it is very clear where these numbers are coming from.
The larger the XML file is the more relative impact this has.

#	File	Size	Time Impact	Abs Time Overhead	Memory Impact	Abs Mem Overhead	WITH Time	WITHOUT Time	WITH Mem	WITHOUT Mem
0	small-100kb	100KB	+15.56%	+4.56ms	+12.35%	0.09 MB	33.89ms	29.33ms	0.86 MB	0.76 MB
1	medium-1mb	1024KB	+2.08%	+2.61ms	+26.68%	1.00 MB	128.37ms	125.76ms	4.75 MB	3.75 MB
2	large-10mb	10240KB	+8.07%	+62.19ms	+31.07%	10.00 MB	832.39ms	770.20ms	42.18 MB	32.18 MB

[cjbarth]

Honestly, getting rid of foot-guns (must be called after...) is a really good idea. I'd like to expand the README example section a little to cover some of the cases I found already existing on GitHub.

Also, a 5% increase in speed is nothing to sneeze at either. Did you just comment out the code that calls .toString() on doc to get these numbers?

[shunkica]

Honestly, getting rid of foot-guns (must be called after...) is a really good idea. I'd like to expand the README example section a little to cover some of the cases I found already existing on GitHub.

Also, a 5% increase in speed is nothing to sneeze at either. Did you just comment out the code that calls .toString() on doc to get these numbers?

Basically yes. I added a options flag to skip assigning it it so I could run all the benchmarks at once.

[cjbarth]

@shunkica , I'm ready to land this if you're good with it.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 75.46%. Comparing base (627d83f) to head (be80e81).
⚠️ Report is 14 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master     #516      +/-   ##
==========================================
+ Coverage   73.05%   75.46%   +2.40%     
==========================================
  Files           9        9              
  Lines         902     1031     +129     
  Branches      239      268      +29     
==========================================
+ Hits          659      778     +119     
- Misses        143      145       +2     
- Partials      100      108       +8     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[shunkica]

@cjbarth The only other thing I can think of is putting some migration guide ( eg: #516 (comment) ) in the readme.