From f6d2da9dafba60b625be5c0dd9a3122efa363dac Mon Sep 17 00:00:00 2001
From: jankapunkt
Date: Fri, 3 Jun 2022 13:25:01 +0200
Subject: [PATCH 1/5] fix(build): pin versions in package.json
---
package.json | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/package.json b/package.json
index 7e6000c..7889cf6 100644
--- a/package.json
+++ b/package.json
@@ -24,18 +24,18 @@
 "lib"
 ],
 "dependencies": {
- "@node-oauth/formats": "^1.0.0",
+ "@node-oauth/formats": "1.0.0",
 "basic-auth": "2.0.1",
 "bluebird": "3.7.2",
 "promisify-any": "2.0.1",
 "type-is": "1.6.18"
 },
 "devDependencies": {
- "chai": "^4.3.4",
- "eslint": "^8.0.0",
- "mocha": "^9.1.2",
- "nyc": "^15.1.0",
- "sinon": "^12.0.1"
+ "chai": "4.3.4",
+ "eslint": "8.4.1",
+ "mocha": "9.2.2",
+ "nyc": "15.1.0",
+ "sinon": "12.0.1"
 },
 "license": "MIT",
 "engines": {
From 056bf75579ae55e10205523b3b8684dd3bbd13cc Mon Sep 17 00:00:00 2001
From: jmakhack
Date: Mon, 3 Oct 2022 03:22:14 -0700
Subject: [PATCH 2/5] docs: add badges to README #163
---
README.md | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/README.md b/README.md
index 95a4805..1358470 100644
--- a/README.md
+++ b/README.md
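Review bot: The exact pins added to `dependencies` and `devDependencies` fix only the direct versions; transitive packages are still resolved at install time, so the installed tree is not reproducible unless a `package-lock.json` is committed and CI installs with `npm ci`. The later tests-release.yml hunk in this series runs `npm i --package-lock-only` to create a local lock file, which suggests no lock file is committed yet. Exact pins also mean that security releases of these packages no longer arrive through a range resolution, so an automated dependency-update job is needed to keep them current. A one-line note in the commit message or CONTRIBUTING file stating the pinning policy would make the intent clear to the next maintainer.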
@@ -3,6 +3,14 @@ Complete, compliant and well tested module for implementing an OAuth2 server in [Node.js](https://nodejs.org). +[![Tests](https://github.com/node-oauth/node-oauth2-server/actions/workflows/tests.yml/badge.svg)](https://github.com/node-oauth/node-oauth2-server/actions/workflows/tests.yml) +[![CodeQL Semantic Analysis](https://github.com/node-oauth/node-oauth2-server/actions/workflows/codeql-analysis.yml/badge.svg)](https://github.com/node-oauth/node-oauth2-server/actions/workflows/codeql-analysis.yml) +[![Tests for Release](https://github.com/node-oauth/node-oauth2-server/actions/workflows/tests-release.yml/badge.svg)](https://github.com/node-oauth/node-oauth2-server/actions/workflows/tests-release.yml) +[![Project Status: Active – The project has reached a stable, usable state and is being actively developed.](https://www.repostatus.org/badges/latest/active.svg)](https://www.repostatus.org/#active) +![npm Version](https://img.shields.io/npm/v/@node-oauth/oauth2-server?label=version) +![npm Downloads/Week](https://img.shields.io/npm/dw/@node-oauth/oauth2-server) +![GitHub License](https://img.shields.io/github/license/node-oauth/node-oauth2-server) + NOTE: This project has been forked from [oauthjs/node-oauth2-server](https://github.com/oauthjs/node-oauth2-server) and is a continuation due to the project appearing to be abandoned. Please see [our issue board](https://github.com/node-oauth/node-oauth2-server/issues) to talk about next steps and the future of this project. ## Installation From f8254c56f528e649262aabc75e0a455348de71eb Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Jan=20K=C3=BCster?=
Date: Mon, 31 Oct 2022 16:13:54 +0100
Subject: [PATCH 3/5] ci: update GitHub core actions to latest versions
Merge pull request #168 from node-oauth/ci-update-core-actions
---
.github/workflows/tests-release.yml | 40 +++++++++++++------------
.github/workflows/tests.yml | 31 ++++++++++++++++---
CHANGELOG.md | 34 +++++++++++++++++++++
docs/misc/extension-grants.rst | 46 ++++++++++++++++++++++++++++-
package.json | 4 +--
5 files changed, 129 insertions(+), 26 deletions(-)
diff --git a/.github/workflows/tests-release.yml b/.github/workflows/tests-release.yml
index 03922a7..0de1834 100644
--- a/.github/workflows/tests-release.yml
+++ b/.github/workflows/tests-release.yml
@@ -23,11 +23,13 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v2
- - uses: actions/setup-node@v2
+ - uses: actions/checkout@v3
+ - uses: actions/setup-node@v3
 with:
- node-version: '12'
- - run: npm audit --production # no audit for dev dependencies
+ node-version: 16
+ # install to create local package-lock.json but don't cache the files
+ # also: no audit for dev dependencies
+ - run: npm i --package-lock-only && npm audit --production
 # STEP 2 - basic unit tests
@@ -38,18 +40,18 @@ jobs:
 needs: [audit]
 strategy:
 matrix:
- node: [12, 14, 16]
+ node: [14, 16, 18]
 steps:
 - name: Checkout ${{ matrix.node }}
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
 - name: Setup node ${{ matrix.node }}
- uses: actions/setup-node@v2
+ uses: actions/setup-node@v3
 with:
 node-version: ${{ matrix.node }}
 - name: Cache dependencies ${{ matrix.node }}
- uses: actions/cache@v1
+ uses: actions/cache@v3
 with:
 path: ~/.npm
 key: ${{ runner.os }}-node-${{ matrix.node }}-${{ hashFiles('**/package-lock.json') }}
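Review bot: The new step `- run: npm i --package-lock-only && npm audit --production` audits a lock file generated at run time rather than a committed one, so the tree being checked is whatever the registry resolves on that day and can differ from what a consumer installs from the pinned package.json; committing `package-lock.json` and auditing after `npm ci` would make the result reproducible. In npm 8, which Node 16 bundles, `--production` is documented as a deprecated alias, so `npm audit --omit=dev` is the forward-compatible spelling. Separately, every `uses:` line in this patch (both hunks here, the three further hunks of tests-release.yml and the tests.yml hunk) pins actions by the mutable major tag `@v3`; pinning to a full commit SHA with the version in a trailing comment protects the workflow against a retagged or compromised action. The `audit` job header lies outside the first hunk.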
@@ -79,26 +81,26 @@ jobs:
 needs: [unittest]
 strategy:
 matrix:
- node: [12, 14] # TODO get running for node 16
+ node: [14, 16, 18] # TODO get running for node 16+
 steps:
 # checkout this repo
 - name: Checkout ${{ matrix.node }}
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
 # checkout express-adapter repo
 - name: Checkout express-adapter ${{ matrix.node }}
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
 with:
 repository: node-oauth/express-oauth-server
 path: github/testing/express
 - name: Setup node ${{ matrix.node }}
- uses: actions/setup-node@v2
+ uses: actions/setup-node@v3
 with:
 node-version: ${{ matrix.node }}
 - name: Cache dependencies ${{ matrix.node }}
- uses: actions/cache@v1
+ uses: actions/cache@v3
 with:
 path: ~/.npm
 key: ${{ runner.os }}-node-${{ matrix.node }}-node-oauth/express-oauth-server-${{ hashFiles('github/testing/express/**/package-lock.json') }}
@@ -120,10 +122,10 @@ jobs:
 runs-on: ubuntu-latest
 needs: [integrationtests]
 steps:
- - uses: actions/checkout@v2
- - uses: actions/setup-node@v2
+ - uses: actions/checkout@v3
+ - uses: actions/setup-node@v3
 with:
- node-version: 12
+ node-version: 16
 registry-url: https://registry.npmjs.org/
 - run: npm i
 - run: npm publish --dry-run
@@ -137,11 +139,11 @@ jobs:
 contents: read
 packages: write
 steps:
- - uses: actions/checkout@v2
- - uses: actions/setup-node@v2
+ - uses: actions/checkout@v3
+ - uses: actions/setup-node@v3
 with:
 # we always publish targeting the lowest supported node version
- node-version: 12
+ node-version: 16
 registry-url: $registry-url(npm)
 - run: npm i
 - run: npm publish --dry-run
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 4726c73..4fb03f1 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
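Review bot: The kept comment `# we always publish targeting the lowest supported node version` above the `node-version: 16` change in the last hunk no longer matches the matrices elsewhere in this patch, which still test on Node 14, so either the comment or the version is wrong; if 14 is no longer supported, the `engines` field of package.json (not shown in this hunk) should say so as well. The first hunk has the same staleness in the other direction: `# TODO get running for node 16+` is kept on a matrix that now runs `[14, 16, 18]`, so the TODO reads either as already done or as an admission that the job is expected to fail on those versions; reword it to state what still does not work, or drop it. The `integrationtests`, publish and package-publish job headers all lie outside their hunks.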
@@ -13,23 +13,46 @@ on:
 - release-* # on release we run an extended workflow so no need for this
 jobs:
+ lint:
+ name: Javascript standard lint
+ runs-on: ubuntu-latest
+ steps:
+ - name: checkout
+ uses: actions/checkout@v3
+
+ - name: setup node
+ uses: actions/setup-node@v3
+ with:
+ node-version: 16
+
+ - name: cache dependencies
+ uses: actions/cache@v3
+ with:
+ path: ~/.npm
+ key: ${{ runner.os }}-node-16-${{ hashFiles('**/package-lock.json') }}
+ restore-keys: |
+ ${{ runner.os }}-node-
+ - run: npm install
+ - run: npm run lint
+
 unittest:
 name: unit tests
 runs-on: ubuntu-latest
+ needs: [lint]
 strategy:
 matrix:
- node: [12, 14, 16]
+ node: [14, 16, 18]
 steps:
 - name: Checkout ${{ matrix.node }}
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
 - name: Setup node ${{ matrix.node }}
- uses: actions/setup-node@v1
+ uses: actions/setup-node@v3
 with:
 node-version: ${{ matrix.node }}
 - name: Cache dependencies ${{ matrix.node }}
- uses: actions/cache@v1
+ uses: actions/cache@v3
 with:
 path: ~/.npm
 key: ${{ runner.os }}-node-${{ matrix.node }}-${{ hashFiles('**/package-lock.json') }}
diff --git a/CHANGELOG.md b/CHANGELOG.md
index e258b2a..f85f845 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
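Review bot: The new `lint` job installs with `- run: npm install`, which re-resolves every dependency at run time and runs their install scripts, whereas `npm ci` fails fast on a missing or stale lock file and installs exactly what is locked; that only becomes possible once a `package-lock.json` is committed, which the `--package-lock-only` step in tests-release.yml suggests is not yet the case. The hand-rolled `actions/cache@v3` step with `path: ~/.npm` and the duplicated `node-16` in its key could be replaced by the `cache: npm` input of `actions/setup-node@v3`, which removes the extra step and the second copy of the version constant. As on tests-release.yml, the `@v3` tags are mutable references; a full commit SHA is the hardened form. The `on:` block and the tail of the `unittest` job lie outside the hunk.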
@@ -1,5 +1,39 @@ ## Changelog +## 4.2.0 +### Fixed +- fix(core): Bearer regular expression matching in authenticate handler #105 +- fix(request): set WWW-Authenticate header for invalid requests #96 oauthjs#646 +- fix(handler): deny access when body.allowed is 'false' (#94) +- fix(handlers): skip varcheck for state when allowEmptyState #89 #93 + +### Added +- supported custom validateRedirectUri +- feature: Supported state in case of denialMerge #99 +- Bearer regular expression matching in authenticate handler +- docs: Update extension-grants.rst with example #92 +- feature(core): extract is.js into standalone package @node-oauth/formats #55 +- feature(authorize): allow custom implementations of validateRedirectUri via model #89 p.4 + - support custom validateRedirectUri() + - allow to implement model.validateRedirectUri + - updated AuthorizeHandler + - default conforms with RFC 6819 Section-5.2.3.5 + +### Tests +- Integration test password grant (#100) + * test example + * created db & model factories + * added refresh_token grant type test + * removed failing test, not implemented feature + * add reference to issue + * client authentication test + * random client credentials in test + * replace math.random by crypto.randomBytes + +### CI +- refactor(ci): remove unused ci workflow +- fix(ci): use node-oauth/express-oauth-server for integration test + ## 4.1.1 ### Added diff --git a/docs/misc/extension-grants.rst b/docs/misc/extension-grants.rst index 5d454d9..1fbe55a 100644 --- a/docs/misc/extension-grants.rst +++ b/docs/misc/extension-grants.rst 
@@ -2,7 +2,51 @@ Extension Grants ================== -.. todo:: Describe how to implement extension grants. +Create a subclass of ``AbstractGrantType`` and create methods `handle` and `saveToken` along with other required methods according to your needs: + +.. code-block:: js + + const OAuth2Server = require('oauth2-server'); + const AbstractGrantType = OAuth2Server.AbstractGrantType; + const InvalidArgumentError = OAuth2Server.InvalidArgumentError; + const InvalidRequestError = OAuth2Server.InvalidRequestError; + + class MyCustomGrantType extends AbstractGrantType { + constructor(opts) { + super(opts); + } + + async handle(request, client) { + if (!request) throw new InvalidArgumentError('Missing `request`'); + if (!client) throw new InvalidArgumentError('Missing `client`'); + + let scope = this.getScope(request); + let user = await this.getUserBySomething(request); + + return this.saveToken(user, client, scope); + } + + async saveToken(user, client, scope) { + this.validateScope(user, client, scope); + + let token = { + accessToken: await this.generateAccessToken(client, user, scope), + accessTokenExpiresAt: this.getAccessTokenExpiresAt(), + refreshToken: await this.generateRefreshToken(client, user, scope), + refreshTokenExpiresAt: this.getRefreshTokenExpiresAt(), + scope: scope + }; + + return this.model.saveToken(token, client, user); + } + + async getUserBySomething(request) { + //Get user's data by corresponding data (FB User ID, Google, etc.), etc. + } + } + + module.exports = MyCustomGrantType; Extension grants are registered through :ref:`OAuth2Server#token() ` (``options.extendedGrantTypes``). +This might require you to approve the new ``grant_type`` for a particular ``client`` if you do checks on valid grant types. diff --git a/package.json b/package.json index 7889cf6..7eebeec 100644 --- a/package.json +++ b/package.json 
@@ -1,7 +1,7 @@
 {
 "name": "@node-oauth/oauth2-server",
 "description": "Complete, framework-agnostic, compliant and well tested module for implementing an OAuth2 Server in node.js",
- "version": "4.1.1",
+ "version": "4.2.0",
 "keywords": [
 "oauth",
 "oauth2"
@@ -35,7 +35,7 @@
 "eslint": "8.4.1",
 "mocha": "9.2.2",
 "nyc": "15.1.0",
- "sinon": "12.0.1"
+ "sinon": "13.0.1"
 },
 "license": "MIT",
 "engines": {
From 0645a0232870a63978f734dae36f450931092d2d Mon Sep 17 00:00:00 2001
From: jankapunkt
Date: Tue, 30 May 2023 10:07:49 +0200
Subject: [PATCH 4/5] github: add FUNDING.yml
---
.github/FUNDING.yml | 15 +++++++++++++++
1 file changed, 15 insertions(+)
create mode 100644 .github/FUNDING.yml
diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
new file mode 100644
index 0000000..cabdb58
--- /dev/null
+++ b/.github/FUNDING.yml
@@ -0,0 +1,15 @@
+# These are supported funding model platforms
+
+github: # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2]
+ - jankapunkt
+patreon: # Replace with a single Patreon username
+open_collective: # Replace with a single Open Collective username
+ko_fi: # Replace with a single Ko-fi username
+tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
+community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
+liberapay: # Replace with a single Liberapay username
+issuehunt: # Replace with a single IssueHunt username
+otechie: # Replace with a single Otechie username
+lfx_crowdfunding: # Replace with a single LFX Crowdfunding project-name e.g., cloud-foundry
+custom: # Replace with up to 4 custom sponsorship URLs e.g., ['link1', 'link2']
+ - https://paypal.me/kuesterjan
From 9edfa2d313f3ab8022d243d917f46ffead08afdf Mon Sep 17 00:00:00 2001
From: jankapunkt
Date: Tue, 30 May 2023 10:11:48 +0200
Subject: [PATCH 5/5] docs: correct all links in the README
---
README.md | 21 +++++++++++++-------
1 file changed, 13 insertions(+), 8 deletions(-)
diff --git a/README.md b/README.md
index 1358470..1b14f03 100644
--- a/README.md
+++ b/README.md
@@ -6,6 +6,7 @@ Complete, compliant and well tested module for implementing an OAuth2 server in
 [![Tests](https://github.com/node-oauth/node-oauth2-server/actions/workflows/tests.yml/badge.svg)](https://github.com/node-oauth/node-oauth2-server/actions/workflows/tests.yml)
 [![CodeQL Semantic Analysis](https://github.com/node-oauth/node-oauth2-server/actions/workflows/codeql-analysis.yml/badge.svg)](https://github.com/node-oauth/node-oauth2-server/actions/workflows/codeql-analysis.yml)
 [![Tests for Release](https://github.com/node-oauth/node-oauth2-server/actions/workflows/tests-release.yml/badge.svg)](https://github.com/node-oauth/node-oauth2-server/actions/workflows/tests-release.yml)
+[![Documentation Status](https://readthedocs.org/projects/node-oauthoauth2-server/badge/?version=latest)](https://node-oauthoauth2-server.readthedocs.io/en/latest/?badge=latest)
 [![Project Status: Active – The project has reached a stable, usable state and is being actively developed.](https://www.repostatus.org/badges/latest/active.svg)](https://www.repostatus.org/#active)
 ![npm Version](https://img.shields.io/npm/v/@node-oauth/oauth2-server?label=version)
 ![npm Downloads/Week](https://img.shields.io/npm/dw/@node-oauth/oauth2-server)
@@ -19,7 +20,8 @@ NOTE: This project has been forked from [oauthjs/node-oauth2-server](https://git npm install @node-oauth/oauth2-server ``` -The *@node-oauth/oauth2-server* module is framework-agnostic but there are several officially supported wrappers available for popular HTTP server frameworks such as [Express](https://npmjs.org/package/express-oauth-server) and [Koa](https://npmjs.org/package/koa-oauth-server). If you're using one of those frameworks it is strongly recommended to use the respective wrapper module instead of rolling your own. +The `@node-oauth/oauth2-server` module is framework-agnostic but there are several officially supported wrappers available for popular HTTP server frameworks such as [Express](https://www.npmjs.com/package/@node-oauth/express-oauth-server) and [Koa (not maintained by us)](https://npmjs.org/package/koa-oauth-server). +If you're using one of those frameworks it is strongly recommended to use the respective wrapper module instead of rolling your own. ## Features 
@@ -28,25 +30,28 @@ The *@node-oauth/oauth2-server* module is framework-agnostic but there are sever - Can be used with *promises*, *Node-style callbacks*, *ES6 generators* and *async*/*await* (using [Babel](https://babeljs.io)). - Fully [RFC 6749](https://tools.ietf.org/html/rfc6749.html) and [RFC 6750](https://tools.ietf.org/html/rfc6750.html) compliant. - Implicitly supports any form of storage, e.g. *PostgreSQL*, *MySQL*, *MongoDB*, *Redis*, etc. +- Support for PKCE - Complete [test suite](https://github.com/node-oauth/node-oauth2-server/tree/master/test). - ## Documentation -[Documentation](https://oauth2-server.readthedocs.io) is hosted on Read the Docs. - +[Documentation](https://node-oauthoauth2-server.readthedocs.io/en/latest/) is hosted on Read the Docs. +Please leave an issue if something is confusing or missing in the docs. ## Examples -Most users should refer to our [Express](https://github.com/oauthjs/express-oauth-server/tree/master/examples) or [Koa](https://github.com/oauthjs/koa-oauth-server/tree/master/examples) examples. +Most users should refer to our [Express (active)](https://github.com/node-oauth/express-oauth-server) or +[Koa (not maintained by us)](https://github.com/oauthjs/koa-oauth-server/tree/master/examples) examples. More examples can be found here: https://github.com/14gasher/oauth-example -## Upgrading from 2.x +## Migrating from OAuthJs and 3.x -This module has been rewritten using a promise-based approach, introducing changes to the API and model specification. v2.x is no longer supported. +Version 4.x should not be hard-breaking, however, there were many improvements and fixes that may +be incompatible with specific behaviour in <= 3.x -Please refer to our [3.0 migration guide](https://oauth2-server.readthedocs.io/en/latest/misc/migrating-v2-to-v3.html) for more information. +For more info, please read the [changelog](./CHANGELOG.md) or open an issue, if you think something +is unexpectedly not working. 
## Supported NodeJs versions