Merge pull request #194 from node-oauth/release-5.0.0

Release 5.0.0

.github/workflows/tests-release.yml

@@ -10,7 +10,6 @@ on:
     branches:
       - release-* # all release-<version> branches
 
-
 jobs:
   # STEP 1 - NPM Audit
 
@@ -23,13 +22,13 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v3
-    - uses: actions/setup-node@v3
-      with:
-        node-version: 20
-    # install to create local package-lock.json but don't cache the files
-    # also: no audit for dev dependencies
-    - run: npm i --package-lock-only  && npm audit --production
+      - uses: actions/checkout@v3
+      - uses: actions/setup-node@v3
+        with:
+          node-version: 20
+      # install to create local package-lock.json but don't cache the files
+      # also: no audit for dev dependencies
+      - run: npm i --package-lock-only  && npm audit --production
 
   # STEP 2 - basic unit tests
 
@@ -40,34 +39,34 @@ jobs:
     needs: [audit]
     strategy:
       matrix:
-        node: [14, 16, 18]
+        node: [16, 18, 20]
     steps:
-    - name: Checkout ${{ matrix.node }}
-      uses: actions/checkout@v3
-
-    - name: Setup node ${{ matrix.node }}
-      uses: actions/setup-node@v3
-      with:
-        node-version: ${{ matrix.node }}
-
-    - name: Cache dependencies ${{ matrix.node }}
-      uses: actions/cache@v3
-      with:
-        path: ~/.npm
-        key: ${{ runner.os }}-node-${{ matrix.node }}-${{ hashFiles('**/package-lock.json') }}
-        restore-keys: |
-          ${{ runner.os }}-node-${{ matrix.node }}
-    # for this workflow we also require npm audit to pass
-    - run: npm i
-    - run: npm run test:coverage
-
-    # with the following action we enforce PRs to have a high coverage
-    # and ensure, changes are tested well enough so that coverage won't fail
-    - name: check coverage
-      uses: VeryGoodOpenSource/very_good_coverage@v1.2.0
-      with:
-        path: './coverage/lcov.info'
-        min_coverage: 95
+      - name: Checkout ${{ matrix.node }}
+        uses: actions/checkout@v3
+
+      - name: Setup node ${{ matrix.node }}
+        uses: actions/setup-node@v3
+        with:
+          node-version: ${{ matrix.node }}
+
+      - name: Cache dependencies ${{ matrix.node }}
+        uses: actions/cache@v3
+        with:
+          path: ~/.npm
+          key: ${{ runner.os }}-node-${{ matrix.node }}-${{ hashFiles('**/package-lock.json') }}
+          restore-keys: |
+            ${{ runner.os }}-node-${{ matrix.node }}
+      # for this workflow we also require npm audit to pass
+      - run: npm i
+      - run: npm run test:coverage
+
+      # with the following action we enforce PRs to have a high coverage
+      # and ensure, changes are tested well enough so that coverage won't fail
+      - name: check coverage
+        uses: VeryGoodOpenSource/very_good_coverage@v1.2.0
+        with:
+          path: './coverage/lcov.info'
+          min_coverage: 95
 
   # STEP 3 - Integration tests
 
@@ -80,41 +79,41 @@ jobs:
     needs: [unittest]
     strategy:
       matrix:
-        node: [14, 16, 18] # TODO get running for node 16+
+        node: [16, 18, 20] # TODO get running for node 16+
     steps:
-    # checkout this repo
-    - name: Checkout ${{ matrix.node }}
-      uses: actions/checkout@v3
-
-    # checkout express-adapter repo
-    - name: Checkout express-adapter ${{ matrix.node }}
-      uses: actions/checkout@v3
-      with:
-        repository:  node-oauth/express-oauth-server
-        path: github/testing/express
-
-    - name: Setup node ${{ matrix.node }}
-      uses: actions/setup-node@v3
-      with:
-        node-version: ${{ matrix.node }}
-
-    - name: Cache dependencies ${{ matrix.node }}
-      uses: actions/cache@v3
-      with:
-        path: ~/.npm
-        key: ${{ runner.os }}-node-${{ matrix.node }}-node-oauth/express-oauth-server-${{ hashFiles('github/testing/express/**/package-lock.json') }}
-        restore-keys: |
-          ${{ runner.os }}-node-${{ matrix.node }}-node-oauth/express-oauth-server
-
-    # in order to test the adapter we need to use the current checkout
-    # and install it as local dependency
-    # we just cloned and install it as local dependency
-    # xxx: added bluebird as explicit dependency
-    - run: |
-        cd github/testing/express
-        npm i
-        npm install ../../../
-        npm run test
+      # checkout this repo
+      - name: Checkout ${{ matrix.node }}
+        uses: actions/checkout@v3
+
+      # checkout express-adapter repo
+      - name: Checkout express-adapter ${{ matrix.node }}
+        uses: actions/checkout@v3
+        with:
+          repository: node-oauth/express-oauth-server
+          path: github/testing/express
+
+      - name: Setup node ${{ matrix.node }}
+        uses: actions/setup-node@v3
+        with:
+          node-version: ${{ matrix.node }}
+
+      - name: Cache dependencies ${{ matrix.node }}
+        uses: actions/cache@v3
+        with:
+          path: ~/.npm
+          key: ${{ runner.os }}-node-${{ matrix.node }}-node-oauth/express-oauth-server-${{ hashFiles('github/testing/express/**/package-lock.json') }}
+          restore-keys: |
+            ${{ runner.os }}-node-${{ matrix.node }}-node-oauth/express-oauth-server
+
+      # in order to test the adapter we need to use the current checkout
+      # and install it as local dependency
+      # we just cloned and install it as local dependency
+      # xxx: added bluebird as explicit dependency
+      - run: |
+          cd github/testing/express
+          npm i
+          npm install https://github.com/node-oauth/node-oauth2-server.git#${{ github.ref_name }}
+          npm run test
 
     # todo repeat with other adapters
 
@@ -139,13 +138,13 @@ jobs:
       contents: read
       packages: write
     steps:
-    - uses: actions/checkout@v3
-    - uses: actions/setup-node@v3
-      with:
-        # we always publish targeting the lowest supported node version
-        node-version: 16
-        registry-url: $registry-url(npm)
-    - run: npm i
-    - run: npm publish --dry-run
-      env:
-        NODE_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}}
+      - uses: actions/checkout@v3
+      - uses: actions/setup-node@v3
+        with:
+          # we always publish targeting the lowest supported node version
+          node-version: 16
+          registry-url: $registry-url(npm)
+      - run: npm i
+      - run: npm publish --dry-run
+        env:
+          NODE_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}}

.readthedocs.yml

@@ -0,0 +1,22 @@
+# .readthedocs.yaml
+# Read the Docs configuration file
+# See https://docs.readthedocs.io/en/stable/config-file/v2.html for details
+
+# Required
+version: 2
+
+# Set the version of Python and other tools you might need
+build:
+  os: ubuntu-22.04
+  tools:
+    python: "3.11"
+
+# Build documentation in the docs/ directory with Sphinx
+sphinx:
+  configuration: docs/conf.py
+
+# We recommend specifying your dependencies to enable reproducible builds:
+# https://docs.readthedocs.io/en/stable/guides/reproducible-builds.html
+python:
+  install:
+    - requirements: docs/requirements.txt

CHANGELOG.md

@@ -2,11 +2,21 @@
 
 ## 5.0.0
 
+This release contains several breaking changes.
+Please carefully consult the documentation while updating.
+
 - removed `bluebird` and `promisify-any`
 - uses native Promises and `async/await` everywhere
 - drop support for Node 14 (EOL), setting Node 16 as `engine` in `package.json`
 - this is a breaking change, because **it removes callback support** for
   `OAuthServer` and your model implementation.
+- fixed missing await in calling generateAuthorizationCode in AuthorizeHandler
+- fix scope validation bug
+- revoke code before validating redirect URI
+- improved Bearer token validation
+- validate scope as an array of strings (breaking change)
+- model support for retrieving user based on client
+- more tests added; test coverage improved 
 
 ## 4.2.0
 ### Fixed
@@ -51,7 +61,7 @@
 - Upgrades all code from ES5 to ES6, where possible.
 
 ## 4.1.0
-### Changed 
+### Changed
 * Bump dev dependencies to resolve vulnerabilities
 * Replaced jshint with eslint along with should and chai
 * Use sha256 when generating tokens

README.md

@@ -27,15 +27,19 @@ If you're using one of those frameworks it is strongly recommended to use the re
 ## Features
 
 - Supports `authorization_code`, `client_credentials`, `refresh_token` and `password` grant, as well as *extension grants*, with scopes.
-- Can be used with *promises*, *Node-style callbacks*, *ES6 generators* and *async*/*await* (using [Babel](https://babeljs.io)).
+- Can be used with *promises*, *ES6 generators* and *async*/*await* (using [Babel](https://babeljs.io)).
 - Fully [RFC 6749](https://tools.ietf.org/html/rfc6749.html) and [RFC 6750](https://tools.ietf.org/html/rfc6750.html) compliant.
 - Implicitly supports any form of storage, e.g. *PostgreSQL*, *MySQL*, *MongoDB*, *Redis*, etc.
 - Support for PKCE
 - Complete [test suite](https://github.com/node-oauth/node-oauth2-server/tree/master/test).
 
 ## Documentation
 
-[Documentation](https://node-oauthoauth2-server.readthedocs.io/en/latest/) is hosted on Read the Docs.
+Documentation is hosted on Read the Docs. We have multiple versions of the docs available:
+
+- [stable](https://node-oauthoauth2-server.readthedocs.io/en/master/) (master branch)
+- [development](https://node-oauthoauth2-server.readthedocs.io/en/development/) (development branch)
+
 Please leave an issue if something is confusing or missing in the docs.
 
 ## Examples

docs/api/errors/access-denied-error.rst

@@ -6,7 +6,7 @@ The resource owner or authorization server denied the request. See :rfc:`Section
 
 ::
 
-  const AccessDeniedError = require('oauth2-server/lib/errors/access-denied-error');
+  const AccessDeniedError = require('@node-oauth/oauth2-server/lib/errors/access-denied-error');
 
 --------
 

docs/api/errors/insufficient-scope-error.rst

@@ -6,7 +6,7 @@ The request requires higher privileges than provided by the access token. See :r
 
 ::
 
-  const InsufficientScopeError = require('oauth2-server/lib/errors/insufficient-scope-error');
+  const InsufficientScopeError = require('@node-oauth/oauth2-server/lib/errors/insufficient-scope-error');
 
 --------
 

docs/api/errors/invalid-argument-error.rst

@@ -6,7 +6,7 @@ An invalid argument was encountered.
 
 ::
 
-  const InvalidArgumentError = require('oauth2-server/lib/errors/invalid-argument-error');
+  const InvalidArgumentError = require('@node-oauth/oauth2-server/lib/errors/invalid-argument-error');
 
 .. note:: This error indicates that the module is used incorrectly (i.e., there is a programming error) and should never be seen because of external errors (like invalid data sent by a client).
 

docs/api/errors/invalid-client-error.rst

@@ -6,7 +6,7 @@ Client authentication failed (e.g., unknown client, no client authentication inc
 
 ::
 
-  const InvalidClientError = require('oauth2-server/lib/errors/invalid-client-error');
+  const InvalidClientError = require('@node-oauth/oauth2-server/lib/errors/invalid-client-error');
 
 --------
 

docs/api/errors/invalid-grant-error.rst

@@ -6,7 +6,7 @@ The provided authorization grant (e.g., authorization code, resource owner crede
 
 ::
 
-  const InvalidGrantError = require('oauth2-server/lib/errors/invalid-grant-error');
+  const InvalidGrantError = require('@node-oauth/oauth2-server/lib/errors/invalid-grant-error');
 
 --------
 

docs/api/errors/invalid-request-error.rst

@@ -6,7 +6,7 @@ The request is missing a required parameter, includes an invalid parameter value
 
 ::
 
-  const InvalidRequestError = require('oauth2-server/lib/errors/invalid-request-error');
+  const InvalidRequestError = require('@node-oauth/oauth2-server/lib/errors/invalid-request-error');
 
 --------
 

docs/api/errors/invalid-scope-error.rst

@@ -6,7 +6,7 @@ The requested scope is invalid, unknown, or malformed. See :rfc:`Section 4.1.2.1
 
 ::
 
-  const InvalidScopeError = require('oauth2-server/lib/errors/invalid-scope-error');
+  const InvalidScopeError = require('@node-oauth/oauth2-server/lib/errors/invalid-scope-error');
 
 --------
 

docs/api/errors/invalid-token-error.rst

@@ -6,7 +6,7 @@ The access token provided is expired, revoked, malformed, or invalid for other r
 
 ::
 
-  const InvalidTokenError = require('oauth2-server/lib/errors/invalid-token-error');
+  const InvalidTokenError = require('@node-oauth/oauth2-server/lib/errors/invalid-token-error');
 
 --------
 

docs/api/errors/oauth-error.rst

@@ -6,7 +6,7 @@ Base class for all errors returned by this module.
 
 ::
 
-  const OAuthError = require('oauth2-server/lib/errors/oauth-error');
+  const OAuthError = require('@node-oauth/oauth2-server/lib/errors/oauth-error');
 
 --------
 

docs/api/errors/server-error.rst

@@ -6,7 +6,7 @@ The authorization server encountered an unexpected condition that prevented it f
 
 ::
 
-  const ServerError = require('oauth2-server/lib/errors/server-error');
+  const ServerError = require('@node-oauth/oauth2-server/lib/errors/server-error');
 
 ``ServerError`` is used to wrap unknown exceptions encountered during request processing.
 

docs/api/errors/unauthorized-client-error.rst

@@ -6,7 +6,7 @@ The authenticated client is not authorized to use this authorization grant type.
 
 ::
 
-  const UnauthorizedClientError = require('oauth2-server/lib/errors/unauthorized-client-error');
+  const UnauthorizedClientError = require('@node-oauth/oauth2-server/lib/errors/unauthorized-client-error');
 
 --------
 

docs/api/errors/unauthorized-request-error.rst

@@ -6,7 +6,7 @@ The request lacked any authentication information or the client attempted to use
 
 ::
 
-  const UnauthorizedRequestError = require('oauth2-server/lib/errors/unauthorized-request-error');
+  const UnauthorizedRequestError = require('@node-oauth/oauth2-server/lib/errors/unauthorized-request-error');
 
 According to :rfc:`Section 3.1 of RFC 6750 <6750#section-3.1>` you should just fail the request with ``401 Unauthorized`` and not send any error information in the body if this error occurs:
 

docs/api/errors/unsupported-grant-type-error.rst

@@ -6,7 +6,7 @@ The authorization grant type is not supported by the authorization server. See :
 
 ::
 
-  const UnsupportedGrantTypeError = require('oauth2-server/lib/errors/unsupported-grant-type-error');
+  const UnsupportedGrantTypeError = require('@node-oauth/oauth2-server/lib/errors/unsupported-grant-type-error');
 
 --------
 

docs/api/errors/unsupported-response-type-error.rst

@@ -6,7 +6,7 @@ The authorization server does not supported obtaining an authorization code usin
 
 ::
 
-  const UnsupportedResponseTypeError = require('oauth2-server/lib/errors/unsupported-response-type-error');
+  const UnsupportedResponseTypeError = require('@node-oauth/oauth2-server/lib/errors/unsupported-response-type-error');
 
 --------