Merge branch 'development' into patch-1

Author: chrisfranko

.github/workflows/codeql-analysis.yml

@@ -14,6 +14,7 @@ name: "CodeQL Semantic Analysis"
 on:
   push: # all pushes
   pull_request: # all PR
+    types: [review_requested, ready_for_review] # only non-draft PR
   schedule:
     - cron: '0 2 * * *' # every night at 2am
 

.github/workflows/tests-release.yml

@@ -0,0 +1,149 @@
+name: Tests for Release
+
+on:
+  push:
+    branches:
+      - release-* # all release-<version> branches
+  pull_request:
+    # only non-draft PR and when there are "pushes" to the open PR
+    types: [review_requested, ready_for_review, synchronize]
+    branches:
+      - release-* # all release-<version> branches
+
+
+jobs:
+  # STEP 1 - NPM Audit
+
+  # Before we even test a thing we want to have a clean audit! Since this is
+  # sufficient to be done using the lowest node version, we can easily use
+  # a fixed one:
+
+  audit:
+    name: NPM Audit
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v2
+    - uses: actions/setup-node@v2
+      with:
+        node-version: '12'
+    - run: npm audit --production # no audit for dev dependencies
+
+  # STEP 2 - basic unit tests
+
+  # This is the standard unit tests as we do in the basic tests for every PR
+  unittest:
+    name: Basic unit tests
+    runs-on: ubuntu-latest
+    needs: [audit]
+    strategy:
+      matrix:
+        node: [12, 14, 16]
+    steps:
+    - name: Checkout ${{ matrix.node }}
+      uses: actions/checkout@v2
+
+    - name: Setup node ${{ matrix.node }}
+      uses: actions/setup-node@v2
+      with:
+        node-version: ${{ matrix.node }}
+
+    - name: Cache dependencies ${{ matrix.node }}
+      uses: actions/cache@v1
+      with:
+        path: ~/.npm
+        key: ${{ runner.os }}-node-${{ matrix.node }}-${{ hashFiles('**/package-lock.json') }}
+        restore-keys: |
+          ${{ runner.os }}-node-${{ matrix.node }}
+
+    # for this workflow we also require npm audit to pass
+    - run: npm ci
+    - run: npm run test:coverage
+
+    # with the following action we enforce PRs to have a high coverage
+    # and ensure, changes are tested well enough so that coverage won't fail
+    - name: check coverage
+      uses: VeryGoodOpenSource/very_good_coverage@v1.2.0
+      with:
+        path: './coverage/lcov.info'
+        min_coverage: 95
+
+  # STEP 3 - Integration tests
+
+  # Since our release may affect several packages that depend on it we need to
+  # cover the closest ones, like adapters and examples.
+
+  integrationtests:
+    name: Extended integration tests
+    runs-on: ubuntu-latest
+    needs: [unittest]
+    strategy:
+      matrix:
+        node: [12, 14] # TODO get running for node 16
+    steps:
+    # checkout this repo
+    - name: Checkout ${{ matrix.node }}
+      uses: actions/checkout@v2
+
+    # checkout express-adapter repo
+    - name: Checkout express-adapter ${{ matrix.node }}
+      uses: actions/checkout@v2
+      with:
+        repository:  node-oauth/express-oauth-server
+        path: github/testing/express
+
+    - name: Setup node ${{ matrix.node }}
+      uses: actions/setup-node@v2
+      with:
+        node-version: ${{ matrix.node }}
+
+    - name: Cache dependencies ${{ matrix.node }}
+      uses: actions/cache@v1
+      with:
+        path: ~/.npm
+        key: ${{ runner.os }}-node-${{ matrix.node }}-node-oauth/express-oauth-server-${{ hashFiles('github/testing/express/**/package-lock.json') }}
+        restore-keys: |
+          ${{ runner.os }}-node-${{ matrix.node }}-node-oauth/express-oauth-server
+
+    # in order to test the adapter we need to use the current checkout
+    # and install it as local dependency
+    # we just cloned and install it as local dependency
+    - run: |
+        cd github/testing/express
+        npm ci
+        npm install ../../../
+        npm run test
+
+    # todo repeat with other adapters
+
+  publish-npm-dry:
+    runs-on: ubuntu-latest
+    needs: [integrationtests]
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-node@v2
+        with:
+          node-version: 12
+          registry-url: https://registry.npmjs.org/
+      - run: npm ci
+      - run: npm publish --dry-run
+        env:
+          NODE_AUTH_TOKEN: ${{secrets.npm_token}}
+
+  publish-github-dry:
+    needs: [integrationtests]
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+    - uses: actions/checkout@v2
+    - uses: actions/setup-node@v2
+      with:
+        # we always publish targeting the lowest supported node version
+        node-version: 12
+        registry-url: $registry-url(npm)
+    - run: npm ci
+    - run: npm publish --dry-run
+      env:
+        NODE_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}}

.github/workflows/tests.yml

@@ -1,44 +1,21 @@
-name: Test suite
+name: Tests
+
+# This workflow runs standard unit tests to ensure basic integrity and avoid
+# regressions on pull-requests (and pushes)
 
 on:
   push:
     branches:
-      - master # allthough  master is push protected we still keep it
+      - master    # allthough  master is push protected we still keep it
       - development
-  pull_request: # runs on all PR
+  pull_request:   # runs on all PR
+    branches-ignore:
+      - release-* # on release we run an extended workflow so no need for this
 
 jobs:
-  # ----------------------------------
-  # uncomment when a linter is added
-  # ----------------------------------
-  
-  # lintjs:
-  #   name: Javascript lint
-  #   runs-on: ubuntu-latest
-  #   steps:
-  #   - name: checkout
-  #     uses: actions/checkout@v2
-  # 
-  #   - name: setup node
-  #     uses: actions/setup-node@v1
-  #     with:
-  #       node-version: '12.x'
-  # 
-  #   - name: cache dependencies
-  #     uses: actions/cache@v1
-  #     with:
-  #       path: ~/.npm
-  #       key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
-  #       restore-keys: |
-  #         ${{ runner.os }}-node-
-  #   - run: npm ci
-  #   - run: npm run lint
-
   unittest:
     name: unit tests
     runs-on: ubuntu-latest
-    # uncomment when a linter is added
-    # needs: [lintjs]
     strategy:
       matrix:
         node: [12, 14, 16]
@@ -61,15 +38,10 @@ jobs:
     - run: npm ci
     - run: npm run test:coverage
 
-    # ----------------------------------
-    # uncomment when a linter is added
-    # ----------------------------------
-  
-    # - name: check coverage
-    #   uses: devmasx/coverage-check-action@v1.2.0
-    #   with:
-    #     type: lcov
-    #     result_path: coverage/lcov.info
-    #     min_coverage: 90
-    #     token: ${{github.token}}
-    
+    # with the following action we enforce PRs to have a high coverage
+    # and ensure, changes are tested well enough so that coverage won't fail
+    - name: check coverage
+      uses: VeryGoodOpenSource/very_good_coverage@v1.2.0
+      with:
+        path: './coverage/lcov.info'
+        min_coverage: 95

docs/model/overview.rst

@@ -37,6 +37,7 @@ Model functions used by the authorization code grant:
 - :ref:`Model#saveAuthorizationCode`
 - :ref:`Model#revokeAuthorizationCode`
 - :ref:`Model#validateScope`
+- :ref:`Model#validateRedirectUri`
 
 --------
 

docs/model/spec.rst

@@ -214,7 +214,7 @@ An ``Object`` representing the access token and associated data.
 
   function getAccessToken(accessToken) {
     // imaginary DB queries
-    db.queryAccessToken({access_token: accessToken})
+    return db.queryAccessToken({access_token: accessToken})
       .then(function(token) {
         return Promise.all([
           token,
@@ -288,7 +288,7 @@ An ``Object`` representing the refresh token and associated data.
 
   function getRefreshToken(refreshToken) {
     // imaginary DB queries
-    db.queryRefreshToken({refresh_token: refreshToken})
+    return db.queryRefreshToken({refresh_token: refreshToken})
       .then(function(token) {
         return Promise.all([
           token,
@@ -364,7 +364,7 @@ An ``Object`` representing the authorization code and associated data.
 
   function getAuthorizationCode(authorizationCode) {
     // imaginary DB queries
-    db.queryAuthorizationCode({authorization_code: authorizationCode})
+    return db.queryAuthorizationCode({authorization_code: authorizationCode})
       .then(function(code) {
         return Promise.all([
           code,
@@ -446,7 +446,7 @@ The return value (``client``) can carry additional properties that will be ignor
     if (clientSecret) {
       params.client_secret = clientSecret;
     }
-    db.queryClient(params)
+    return db.queryClient(params)
       .then(function(client) {
         return {
           id: client.id,
@@ -985,3 +985,44 @@ Returns ``true`` if the access token passes, ``false`` otherwise.
     return requestedScopes.every(s => authorizedScopes.indexOf(s) >= 0);
   }
 
+--------
+
+.. _Model#validateRedirectUri:
+
+``validateRedirectUri(redirectUri, client, [callback])``
+================================================================
+
+Invoked to check if the provided ``redirectUri`` is valid for a particular ``client``.
+
+This model function is **optional**. If not implemented, the ``redirectUri`` should be included in the provided ``redirectUris`` of the client.
+
+**Invoked during:**
+
+- ``authorization_code`` grant
+
+**Arguments:**
+
++-----------------+----------+---------------------------------------------------------------------+
+| Name            | Type     | Description                                                         |
++=================+==========+=====================================================================+
+| redirect_uri    | String   | The redirect URI to validate.                                       |
++-----------------+----------+---------------------------------------------------------------------+
+| client          | Object   | The associated client.                                              |
++-----------------+----------+---------------------------------------------------------------------+
+
+**Return value:**
+
+Returns ``true`` if the ``redirectUri`` is valid, ``false`` otherwise.
+
+**Remarks:**
+When implementing this method you should take care of possible security risks related to ``redirectUri``.
+.. _rfc6819: https://datatracker.ietf.org/doc/html/rfc6819
+
+Section-5.2.3.5 is implemented by default.
+.. _Section-5.2.3.5: https://datatracker.ietf.org/doc/html/rfc6819#section-5.2.3.5
+
+::
+
+  function validateRedirectUri(redirectUri, client) {
+    return client.redirectUris.includes(redirectUri);
+  }

lib/grant-types/abstract-grant-type.js

@@ -8,7 +8,7 @@ const InvalidArgumentError = require('../errors/invalid-argument-error');
 const InvalidScopeError = require('../errors/invalid-scope-error');
 const Promise = require('bluebird');
 const promisify = require('promisify-any').use(Promise);
-const is = require('../validator/is');
+const isFormat = require('@node-oauth/formats');
 const tokenUtil = require('../utils/token-util');
 
 /**
@@ -83,7 +83,7 @@ AbstractGrantType.prototype.getRefreshTokenExpiresAt = function() {
  */
 
 AbstractGrantType.prototype.getScope = function(request) {
-  if (!is.nqschar(request.body.scope)) {
+  if (!isFormat.nqschar(request.body.scope)) {
     throw new InvalidArgumentError('Invalid parameter: `scope`');
   }
 

lib/grant-types/authorization-code-grant-type.js

@@ -11,7 +11,7 @@ const InvalidRequestError = require('../errors/invalid-request-error');
 const Promise = require('bluebird');
 const promisify = require('promisify-any').use(Promise);
 const ServerError = require('../errors/server-error');
-const is = require('../validator/is');
+const isFormat = require('@node-oauth/formats');
 const util = require('util');
 
 /**
@@ -85,7 +85,7 @@ AuthorizationCodeGrantType.prototype.getAuthorizationCode = function(request, cl
     throw new InvalidRequestError('Missing parameter: `code`');
   }
 
-  if (!is.vschar(request.body.code)) {
+  if (!isFormat.vschar(request.body.code)) {
     throw new InvalidRequestError('Invalid parameter: `code`');
   }
   return promisify(this.model.getAuthorizationCode, 1).call(this.model, request.body.code)
@@ -114,7 +114,7 @@ AuthorizationCodeGrantType.prototype.getAuthorizationCode = function(request, cl
         throw new InvalidGrantError('Invalid grant: authorization code has expired');
       }
 
-      if (code.redirectUri && !is.uri(code.redirectUri)) {
+      if (code.redirectUri && !isFormat.uri(code.redirectUri)) {
         throw new InvalidGrantError('Invalid grant: `redirect_uri` is not a valid URI');
       }
 
@@ -140,7 +140,7 @@ AuthorizationCodeGrantType.prototype.validateRedirectUri = function(request, cod
 
   const redirectUri = request.body.redirect_uri || request.query.redirect_uri;
 
-  if (!is.uri(redirectUri)) {
+  if (!isFormat.uri(redirectUri)) {
     throw new InvalidRequestError('Invalid request: `redirect_uri` is not a valid URI');
   }