Www authenticate

.github/FUNDING.yml

@@ -0,0 +1,2 @@
+github: thomseddon
+

.gitignore

@@ -2,4 +2,35 @@ node_modules/
 docs/_build/
 __pycache__/
 *.pyc
+lib-cov
+*.seed
+*.log
+*.csv
+*.dat
+*.out
+*.pid
+*.gz
+*.iml
 
+.idea
+.jshint
+.DS_Store
+
+pids
+logs
+results
+
+lib/dockerImage/keys
+coverage
+npm-debug.log*~
+\#*\#
+/.emacs.desktop
+/.emacs.desktop.lock
+.elc
+auto-save-list
+tramp
+.\#*
+
+# Org-mode
+.org-id-locations
+*_archive

.travis.yml

@@ -2,12 +2,11 @@ language: node_js
 
 node_js:
   - 4
-  - 4.0
   - 6
-  - 6.0
-  - 7
-  - 7.0
   - 8
-  - 8.0
+  - 10
+  - 12
+  - 13
+  - 14
 
 sudo: false

CHANGELOG.md

@@ -1,6 +1,28 @@
 ## Changelog
 
-### 3.0.0
+### 3.1.0
+* new: .npmignore tests
+* fix: validate requested scope on authorize request
+* fix: always issue correct expiry dates for tokens
+* fix: set numArgs for promisify of generateAuthorizationCode
+* fix: Changed 'hasOwnProperty' call in Response
+* docs: Ensure accessTokenExpiresAt is required
+* docs: Add missing notice of breaking change for accessExpireLifetime to migration guide
+* docs: Correct tokens time scale for 2.x to 3.x  migration guide
+* readme: Update Slack badge and link
+* readme: Fix link to RFC6750 standard
+
+### 3.0.2 (24/05/2020)
+
+* Update all dependencies 🎉
+
+### 3.0.1 (27/08/2018)
+
+* Doc fixes
+
+Tag never released on npm
+
+### 3.0.0 (04/08/2017)
 * Complete re-write, with Promises and callback support
 * Dropped support for node v0.8, v0.10, v0.12
 * Supports Node v4, v6, v7, and v8.  Will continue support for node current and active LTS versions

README.md

@@ -1,6 +1,3 @@
-# This project is seeking maintainer(s)
-
-## This is a popular project in need of maintenance, please contact @thomseddon on GitHub if you are interested in contributing to this project.
 
 # oauth2-server
 
@@ -12,6 +9,7 @@
 
 Complete, compliant and well tested module for implementing an OAuth2 server in [Node.js](https://nodejs.org).
 
+Note: After a period of hiatus, this project is now back under active maintenance. Dependencies have been updated and bug fixes will land in v3 (current master). v4 will be _mostly backwards compatible_ with no code changes required for users using a supported node release. More details in [#621](https://github.com/oauthjs/node-oauth2-server/issues/621).
 
 ## Installation
 
@@ -40,7 +38,7 @@ The *oauth2-server* module is framework-agnostic but there are several officiall
 
 Most users should refer to our [Express](https://github.com/oauthjs/express-oauth-server/tree/master/examples) or [Koa](https://github.com/oauthjs/koa-oauth-server/tree/master/examples) examples.
 
-Examples for v3 are yet to be made. 
+More examples can be found here: https://github.com/14gasher/oauth-example
 
 ## Upgrading from 2.x
 
@@ -67,6 +65,6 @@ npm test
 [travis-url]: https://travis-ci.org/oauthjs/node-oauth2-server
 [license-image]: https://img.shields.io/badge/license-MIT-blue.svg
 [license-url]: https://raw.githubusercontent.com/oauthjs/node-oauth2-server/master/LICENSE
-[slack-image]: https://img.shields.io/badge/slack-join-E01563.svg
-[slack-url]: https://oauthjs.slack.com
+[slack-image]: https://slack.oauthjs.org/badge.svg
+[slack-url]: https://slack.oauthjs.org
 

docs/misc/migrating-v2-to-v3.rst

@@ -28,17 +28,17 @@ The naming of the exposed middlewares has changed to match the OAuth2 _RFC_ more
 Server options
 --------------
 
-The following server options can be set when instantiating the OAuth service:  
+The following server options can be set when instantiating the OAuth service:
 
 * `addAcceptedScopesHeader`: **default true** Add the `X-Accepted-OAuth-Scopes` header with a list of scopes that will be accepted
 * `addAuthorizedScopesHeader`: **default true** Add the `X-OAuth-Scopes` header with a list of scopes that the user is authorized for
 * `allowBearerTokensInQueryString`: **default false** Determine if the bearer token can be included in the query string (i.e. `?access_token=`) for validation calls
 * `allowEmptyState`: **default false** If true, `state` can be empty or not passed.  If false, `state` is required.
-* `authorizationCodeLifetime`: **default 300** Default number of milliseconds that the authorization code is active for
-* `accessTokenLifetime`: **default 3600** Default number of milliseconds that an access token is valid for
-* `refreshTokenLifetime`: **default 1209600** Default number of milliseconds that a refresh token is valid for
+* `authorizationCodeLifetime`: **default 300** Default number of seconds that the authorization code is active for
+* `accessTokenLifetime`: **default 3600** Default number of seconds that an access token is valid for
+* `refreshTokenLifetime`: **default 1209600** Default number of seconds that a refresh token is valid for
 * `allowExtendedTokenAttributes`: **default false** Allows additional attributes (such as `id_token`) to be included in token responses.
-* `requireClientAuthentication`: **default true for all grant types** Allow ability to set client/secret authentication to `false` for a specific grant type.   
+* `requireClientAuthentication`: **default true for all grant types** Allow ability to set client/secret authentication to `false` for a specific grant type.
 
 The following server options have changed behavior in v3.0.0:
 
@@ -60,7 +60,7 @@ Model specification
 * `generateAuthorizationCode()` is **optional** and should return a `String`.
 * `generateRefreshToken(client, user, scope)` is **optional** and should return a `String`.
 * `getAccessToken(token)` should return an object with:
-    
+
   * `accessToken` (`String`)
   * `accessTokenExpiresAt` (`Date`)
   * `client` (`Object`),  containing at least an `id` property that matches the supplied client
@@ -75,7 +75,7 @@ Model specification
   * `user` (`Object`)
 
 * `getClient(clientId, clientSecret)` should return an object with, at minimum:
-  
+
   * `redirectUris` (`Array`)
   * `grants` (`Array`)
 
@@ -88,11 +88,11 @@ Model specification
   * `user` (`Object`)
 
 * `getUser(username, password)` should return an object:
- 
+
   * No longer requires that `id` be returned.
 
 * `getUserFromClient(client)` should return an object:
-    
+
   * No longer requires that `id` be returned.
 
 * `grantTypeAllowed()` was **removed**. You can instead:

docs/model/spec.rst

@@ -195,7 +195,7 @@ An ``Object`` representing the access token and associated data.
 +------------------------------+--------+--------------------------------------------------+
 | token.accessToken            | String | The access token passed to ``getAccessToken()``. |
 +------------------------------+--------+--------------------------------------------------+
-| [token.accessTokenExpiresAt] | Date   | The expiry time of the access token.             |
+| token.accessTokenExpiresAt   | Date   | The expiry time of the access token.             |
 +------------------------------+--------+--------------------------------------------------+
 | [token.scope]                | String | The authorized scope of the access token.        |
 +------------------------------+--------+--------------------------------------------------+

lib/grant-types/abstract-grant-type.js

@@ -67,23 +67,15 @@ AbstractGrantType.prototype.generateRefreshToken = function(client, user, scope)
  */
 
 AbstractGrantType.prototype.getAccessTokenExpiresAt = function() {
-  var expires = new Date();
-
-  expires.setSeconds(expires.getSeconds() + this.accessTokenLifetime);
-
-  return expires;
+  return new Date(Date.now() + this.accessTokenLifetime * 1000);
 };
 
 /**
  * Get refresh token expiration date.
  */
 
 AbstractGrantType.prototype.getRefreshTokenExpiresAt = function() {
-  var expires = new Date();
-
-  expires.setSeconds(expires.getSeconds() + this.refreshTokenLifetime);
-
-  return expires;
+  return new Date(Date.now() + this.refreshTokenLifetime * 1000);
 };
 
 /**

lib/handlers/authenticate-handler.js

@@ -90,6 +90,12 @@ AuthenticateHandler.prototype.handle = function(request, response) {
       // @see https://tools.ietf.org/html/rfc6750#section-3.1
       if (e instanceof UnauthorizedRequestError) {
         response.set('WWW-Authenticate', 'Bearer realm="Service"');
+      } else if (e instanceof InvalidRequestError) {
+        response.set('WWW-Authenticate', 'Bearer realm="Service",error="invalid_request"');
+      } else if (e instanceof InvalidTokenError) {
+        response.set('WWW-Authenticate', 'Bearer realm="Service",error="invalid_token"');
+      } else if (e instanceof InsufficientScopeError) {
+        response.set('WWW-Authenticate', 'Bearer realm="Service",error="insufficient_scope"');
       }
 
       if (!(e instanceof OAuthError)) {

lib/handlers/authorize-handler.js

@@ -97,11 +97,16 @@ AuthorizeHandler.prototype.handle = function(request, response) {
       var ResponseType;
 
       return Promise.bind(this)
-	.then(function() {
-          scope = this.getScope(request);
+        .then(function() {
+          var requestedScope = this.getScope(request);
 
-	  return this.generateAuthorizationCode(client, user, scope);
-	})
+          return this.validateScope(user, client, requestedScope);
+        })
+        .then(function(validScope) {
+          scope = validScope;
+
+          return this.generateAuthorizationCode(client, user, scope);
+        })
         .then(function(authorizationCode) {
           state = this.getState(request);
           ResponseType = this.getResponseType(request);
@@ -135,7 +140,7 @@ AuthorizeHandler.prototype.handle = function(request, response) {
 
 AuthorizeHandler.prototype.generateAuthorizationCode = function(client, user, scope) {
   if (this.model.generateAuthorizationCode) {
-    return promisify(this.model.generateAuthorizationCode).call(this.model, client, user, scope);
+    return promisify(this.model.generateAuthorizationCode, 3).call(this.model, client, user, scope);
   }
   return tokenUtil.generateRandomToken();
 };
@@ -196,6 +201,24 @@ AuthorizeHandler.prototype.getClient = function(request) {
     });
 };
 
+/**
+ * Validate requested scope.
+ */
+AuthorizeHandler.prototype.validateScope = function(user, client, scope) {
+  if (this.model.validateScope) {
+    return promisify(this.model.validateScope, 3).call(this.model, user, client, scope)
+      .then(function (scope) {
+        if (!scope) {
+          throw new InvalidScopeError('Invalid scope: Requested scope is invalid');
+        }
+
+        return scope;
+      });
+  } else {
+    return Promise.resolve(scope);
+  }
+};
+
 /**
  * Get scope from the request.
  */

lib/request.js

@@ -33,14 +33,14 @@ function Request(options) {
 
   // Store the headers in lower case.
   for (var field in options.headers) {
-    if (options.headers.hasOwnProperty(field)) {
+    if (Object.prototype.hasOwnProperty.call(options.headers, field)) {
       this.headers[field.toLowerCase()] = options.headers[field];
     }
   }
 
   // Store additional properties of the request object passed in
   for (var property in options) {
-    if (options.hasOwnProperty(property) && !this[property]) {
+    if (Object.prototype.hasOwnProperty.call(options, property) && !this[property]) {
       this[property] = options[property];
     }
   }

lib/response.js

@@ -13,14 +13,14 @@ function Response(options) {
 
   // Store the headers in lower case.
   for (var field in options.headers) {
-    if (options.headers.hasOwnProperty(field)) {
+    if (Object.prototype.hasOwnProperty.call(options.headers, field)) {
       this.headers[field.toLowerCase()] = options.headers[field];
     }
   }
 
   // Store additional properties of the response object passed in
   for (var property in options) {
-    if (options.hasOwnProperty(property) && !this[property]) {
+    if (Object.prototype.hasOwnProperty.call(options, property) && !this[property]) {
       this[property] = options[property];
     }
   }