From 9b687233329b3999502341fda4030d4093da7666 Mon Sep 17 00:00:00 2001 From: jankapunkt Date: Thu, 22 Jun 2023 12:54:52 +0200 Subject: [PATCH 01/47] relase(pre): 5.0.0-rc.0 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index c3bd5e8a..63d03ab6 100644 --- a/package.json +++ b/package.json @@ -1,7 +1,7 @@ { "name": "@node-oauth/oauth2-server", "description": "Complete, framework-agnostic, compliant and well tested module for implementing an OAuth2 Server in node.js", - "version": "4.3.0", + "version": "5.0.0-rc.0", "keywords": [ "oauth", "oauth2" From 8dd11feddd63c653a5a5b357a3ee4b5b9fa59b58 Mon Sep 17 00:00:00 2001 From: jankapunkt Date: Mon, 10 Jul 2023 15:14:41 +0200 Subject: [PATCH 02/47] fix(pkce): get code_challenge and _method from query if not present in body --- lib/handlers/authorize-handler.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/handlers/authorize-handler.js b/lib/handlers/authorize-handler.js index 75d1b2e6..471cdfb1 100644 --- a/lib/handlers/authorize-handler.js +++ b/lib/handlers/authorize-handler.js @@ -369,7 +369,7 @@ AuthorizeHandler.prototype.updateResponse = function(response, redirectUri, stat }; AuthorizeHandler.prototype.getCodeChallenge = function(request) { - return request.body.code_challenge; + return request.body.code_challenge || request.query.code_challenge; }; /** @@ -380,7 +380,7 @@ AuthorizeHandler.prototype.getCodeChallenge = function(request) { * (see https://www.rfc-editor.org/rfc/rfc7636#section-4.4) */ AuthorizeHandler.prototype.getCodeChallengeMethod = function(request) { - const algorithm = request.body.code_challenge_method; + const algorithm = request.body.code_challenge_method || request.query.code_challenge_method; if (algorithm && !pkce.isValidMethod(algorithm)) { throw new InvalidRequestError(`Invalid request: transform algorithm '${algorithm}' not supported`); From 69cdd2c1e9ebe83056bf50ff72e692626044ccc5 Mon Sep 17 00:00:00 2001 From: Maximilian Gaedig <38767445+MaximilianGaedig@users.noreply.github.com> Date: Wed, 2 Aug 2023 13:17:59 +0200 Subject: [PATCH 03/47] Fix generateAuthorizationCode not being awaited --- lib/handlers/authorize-handler.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/handlers/authorize-handler.js b/lib/handlers/authorize-handler.js index 471cdfb1..65168324 100644 --- a/lib/handlers/authorize-handler.js +++ b/lib/handlers/authorize-handler.js @@ -93,7 +93,7 @@ AuthorizeHandler.prototype.handle = async function(request, response) { const requestedScope = this.getScope(request); const validScope = await this.validateScope(user, client, requestedScope); - const authorizationCode = this.generateAuthorizationCode(client, user, validScope); + const authorizationCode = await this.generateAuthorizationCode(client, user, validScope); const ResponseType = this.getResponseType(request); const codeChallenge = this.getCodeChallenge(request); From f198623a91e1d1c877a08c43793209708863fa80 Mon Sep 17 00:00:00 2001 From: Maximilian Gaedig Date: Wed, 2 Aug 2023 15:54:07 +0200 Subject: [PATCH 04/47] Update authorization_code test --- test/integration/handlers/authorize-handler_test.js | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/test/integration/handlers/authorize-handler_test.js b/test/integration/handlers/authorize-handler_test.js index 5da1b393..17df3160 100644 --- a/test/integration/handlers/authorize-handler_test.js +++ b/test/integration/handlers/authorize-handler_test.js @@ -563,8 +563,9 @@ describe('AuthorizeHandler integration', function() { getClient: function() { return client; }, - saveAuthorizationCode: function() { - return { authorizationCode: 12345, client: client }; + generateAuthorizationCode: async () => 'some-code', + saveAuthorizationCode: async function(code) { + return { authorizationCode: code.authorizationCode, client: client }; } }; const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model }); @@ -586,7 +587,7 @@ describe('AuthorizeHandler integration', function() { return handler.handle(request, response) .then(function(data) { data.should.eql({ - authorizationCode: 12345, + authorizationCode: 'some-code', client: client }); }) From f869d3976fad97847a46fbdcd22982f78d0d0b0f Mon Sep 17 00:00:00 2001 From: jankapunkt Date: Wed, 2 Aug 2023 16:14:17 +0200 Subject: [PATCH 05/47] fix(ci): install oauth2-server from current ref in actions --- .github/workflows/tests-release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/tests-release.yml b/.github/workflows/tests-release.yml index da006a27..31db09b2 100644 --- a/.github/workflows/tests-release.yml +++ b/.github/workflows/tests-release.yml @@ -113,7 +113,7 @@ jobs: - run: | cd github/testing/express npm i - npm install ../../../ + npm install https://github.com/node-oauth/node-oauth2-server.git#${{ github.ref_name }} npm run test # todo repeat with other adapters From aeffa489f1d6b9556466663db1604277d194ac3a Mon Sep 17 00:00:00 2001 From: jankapunkt Date: Wed, 2 Aug 2023 16:38:28 +0200 Subject: [PATCH 06/47] docs: update changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 608cb59c..81b82f07 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,7 @@ - drop support for Node 14 (EOL), setting Node 16 as `engine` in `package.json` - this is a breaking change, because **it removes callback support** for `OAuthServer` and your model implementation. +- fixed missing await in calling generateAuthorizationCode in AuthorizeHandler ## 4.2.0 ### Fixed From 7ebf3aa50983f8832ecb3e8e1a861638f20b65e0 Mon Sep 17 00:00:00 2001 From: jankapunkt Date: Wed, 2 Aug 2023 16:38:48 +0200 Subject: [PATCH 07/47] types: update supported version to 5.0.0 --- index.d.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.d.ts b/index.d.ts index 777bda80..0892195c 100644 --- a/index.d.ts +++ b/index.d.ts @@ -1,4 +1,4 @@ -// Type definitions for Node OAuth2 Server 4.0 +// Type definitions for Node OAuth2 Server 5.0 // Definitions by: Robbie Van Gorkom , // Charles Irick , // Daniel Fischer , From 471af8833804a4052761f8aea70ca55e5253c979 Mon Sep 17 00:00:00 2001 From: jankapunkt Date: Wed, 2 Aug 2023 17:00:01 +0200 Subject: [PATCH 08/47] release: 5.0.0-rc.1 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 63d03ab6..1d548630 100644 --- a/package.json +++ b/package.json @@ -1,7 +1,7 @@ { "name": "@node-oauth/oauth2-server", "description": "Complete, framework-agnostic, compliant and well tested module for implementing an OAuth2 Server in node.js", - "version": "5.0.0-rc.0", + "version": "5.0.0-rc.1", "keywords": [ "oauth", "oauth2" From 3bffe8bf192e9b06ff865563c3997bca4d316d21 Mon Sep 17 00:00:00 2001 From: Shrihari Prakash Date: Fri, 4 Aug 2023 14:13:03 +0530 Subject: [PATCH 09/47] Removed callback support in typings. --- index.d.ts | 54 +++++++++++++++++++++++------------------------------- 1 file changed, 23 insertions(+), 31 deletions(-) diff --git a/index.d.ts b/index.d.ts index 0892195c..ae50814d 100644 --- a/index.d.ts +++ b/index.d.ts @@ -23,8 +23,7 @@ declare class OAuth2Server { authenticate( request: OAuth2Server.Request, response: OAuth2Server.Response, - options?: OAuth2Server.AuthenticateOptions, - callback?: OAuth2Server.Callback + options?: OAuth2Server.AuthenticateOptions ): Promise; /** @@ -33,8 +32,7 @@ declare class OAuth2Server { authorize( request: OAuth2Server.Request, response: OAuth2Server.Response, - options?: OAuth2Server.AuthorizeOptions, - callback?: OAuth2Server.Callback + options?: OAuth2Server.AuthorizeOptions ): Promise; /** @@ -43,8 +41,7 @@ declare class OAuth2Server { token( request: OAuth2Server.Request, response: OAuth2Server.Response, - options?: OAuth2Server.TokenOptions, - callback?: OAuth2Server.Callback + options?: OAuth2Server.TokenOptions ): Promise; } @@ -238,11 +235,6 @@ declare namespace OAuth2Server { extendedGrantTypes?: { [key: string]: typeof AbstractGrantType } | undefined; } - /** - * Represents a generic callback structure for model callbacks - */ - type Callback = (err?: any, result?: T) => void; - /** * For returning falsey parameters in cases of failure */ @@ -253,19 +245,19 @@ declare namespace OAuth2Server { * Invoked to generate a new access token. * */ - generateAccessToken?(client: Client, user: User, scope: string | string[], callback?: Callback): Promise; + generateAccessToken?(client: Client, user: User, scope: string | string[]): Promise; /** * Invoked to retrieve a client using a client id or a client id/client secret combination, depending on the grant type. * */ - getClient(clientId: string, clientSecret: string, callback?: Callback): Promise; + getClient(clientId: string, clientSecret: string): Promise; /** * Invoked to save an access token and optionally a refresh token, depending on the grant type. * */ - saveToken(token: Token, client: Client, user: User, callback?: Callback): Promise; + saveToken(token: Token, client: Client, user: User): Promise; } interface RequestAuthenticationModel { @@ -273,13 +265,13 @@ declare namespace OAuth2Server { * Invoked to retrieve an existing access token previously saved through Model#saveToken(). * */ - getAccessToken(accessToken: string, callback?: Callback): Promise; + getAccessToken(accessToken: string): Promise; /** * Invoked during request authentication to check if the provided access token was authorized the requested scopes. * */ - verifyScope(token: Token, scope: string | string[], callback?: Callback): Promise; + verifyScope(token: Token, scope: string | string[]): Promise; } interface AuthorizationCodeModel extends BaseModel, RequestAuthenticationModel { @@ -287,19 +279,19 @@ declare namespace OAuth2Server { * Invoked to generate a new refresh token. * */ - generateRefreshToken?(client: Client, user: User, scope: string | string[], callback?: Callback): Promise; + generateRefreshToken?(client: Client, user: User, scope: string | string[]): Promise; /** * Invoked to generate a new authorization code. * */ - generateAuthorizationCode?(client: Client, user: User, scope: string | string[], callback?: Callback): Promise; + generateAuthorizationCode?(client: Client, user: User, scope: string | string[]): Promise; /** * Invoked to retrieve an existing authorization code previously saved through Model#saveAuthorizationCode(). * */ - getAuthorizationCode(authorizationCode: string, callback?: Callback): Promise; + getAuthorizationCode(authorizationCode: string): Promise; /** * Invoked to save an authorization code. @@ -308,20 +300,20 @@ declare namespace OAuth2Server { saveAuthorizationCode( code: Pick, client: Client, - user: User, - callback?: Callback): Promise; + user: User + ): Promise; /** * Invoked to revoke an authorization code. * */ - revokeAuthorizationCode(code: AuthorizationCode, callback?: Callback): Promise; + revokeAuthorizationCode(code: AuthorizationCode): Promise; /** * Invoked to check if the requested scope is valid for a particular client/user combination. * */ - validateScope?(user: User, client: Client, scope: string | string[], callback?: Callback): Promise; + validateScope?(user: User, client: Client, scope: string | string[]): Promise; /** * Invoked to check if the provided `redirectUri` is valid for a particular `client`. @@ -335,19 +327,19 @@ declare namespace OAuth2Server { * Invoked to generate a new refresh token. * */ - generateRefreshToken?(client: Client, user: User, scope: string | string[], callback?: Callback): Promise; + generateRefreshToken?(client: Client, user: User, scope: string | string[]): Promise; /** * Invoked to retrieve a user using a username/password combination. * */ - getUser(username: string, password: string, callback?: Callback): Promise; + getUser(username: string, password: string): Promise; /** * Invoked to check if the requested scope is valid for a particular client/user combination. * */ - validateScope?(user: User, client: Client, scope: string | string[], callback?: Callback): Promise; + validateScope?(user: User, client: Client, scope: string | string[]): Promise; } interface RefreshTokenModel extends BaseModel, RequestAuthenticationModel { @@ -355,19 +347,19 @@ declare namespace OAuth2Server { * Invoked to generate a new refresh token. * */ - generateRefreshToken?(client: Client, user: User, scope: string | string[], callback?: Callback): Promise; + generateRefreshToken?(client: Client, user: User, scope: string | string[]): Promise; /** * Invoked to retrieve an existing refresh token previously saved through Model#saveToken(). * */ - getRefreshToken(refreshToken: string, callback?: Callback): Promise; + getRefreshToken(refreshToken: string): Promise; /** * Invoked to revoke a refresh token. * */ - revokeToken(token: RefreshToken | Token, callback?: Callback): Promise; + revokeToken(token: RefreshToken | Token): Promise; } interface ClientCredentialsModel extends BaseModel, RequestAuthenticationModel { @@ -375,13 +367,13 @@ declare namespace OAuth2Server { * Invoked to retrieve the user associated with the specified client. * */ - getUserFromClient(client: Client, callback?: Callback): Promise; + getUserFromClient(client: Client): Promise; /** * Invoked to check if the requested scope is valid for a particular client/user combination. * */ - validateScope?(user: User, client: Client, scope: string | string[], callback?: Callback): Promise; + validateScope?(user: User, client: Client, scope: string | string[]): Promise; } interface ExtensionModel extends BaseModel, RequestAuthenticationModel {} From f6db51a36c82b5ce808e8c779bbb54720e43ec4b Mon Sep 17 00:00:00 2001 From: Shrihari Prakash Date: Tue, 15 Aug 2023 13:53:13 +0530 Subject: [PATCH 10/47] Fixed getUserFromClient not awaited. --- lib/grant-types/client-credentials-grant-type.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/grant-types/client-credentials-grant-type.js b/lib/grant-types/client-credentials-grant-type.js index e2db3f7c..211628d3 100644 --- a/lib/grant-types/client-credentials-grant-type.js +++ b/lib/grant-types/client-credentials-grant-type.js @@ -45,7 +45,7 @@ class ClientCredentialsGrantType extends AbstractGrantType { } const scope = this.getScope(request); - const user = this.getUserFromClient(client); + const user = await this.getUserFromClient(client); return this.saveToken(user, client, scope); } From bfc4e8fa16c777f9ca142437f3890bb786a5a03f Mon Sep 17 00:00:00 2001 From: Shrihari Prakash Date: Tue, 15 Aug 2023 17:05:24 +0530 Subject: [PATCH 11/47] Added tests. --- .../client-credentials-grant-type_test.js | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/test/integration/grant-types/client-credentials-grant-type_test.js b/test/integration/grant-types/client-credentials-grant-type_test.js index 83de9f9a..1a70874e 100644 --- a/test/integration/grant-types/client-credentials-grant-type_test.js +++ b/test/integration/grant-types/client-credentials-grant-type_test.js @@ -93,14 +93,21 @@ describe('ClientCredentialsGrantType integration', function() { it('should return a token', function() { const token = {}; const model = { - getUserFromClient: function() { return {}; }, - saveToken: function() { return token; }, + getUserFromClient: async function(client) { + client.foo.should.equal('bar'); + return { id: '123'}; + }, + saveToken: async function(_token, client, user) { + client.foo.should.equal('bar'); + user.id.should.equal('123'); + return token; + }, validateScope: function() { return 'foo'; } }; const grantType = new ClientCredentialsGrantType({ accessTokenLifetime: 120, model: model }); const request = new Request({ body: {}, headers: {}, method: {}, query: {} }); - return grantType.handle(request, {}) + return grantType.handle(request, { foo: 'bar' }) .then(function(data) { data.should.equal(token); }) From c6682a62835086a7ac0a11990fe0ac087358ceeb Mon Sep 17 00:00:00 2001 From: jankapunkt Date: Tue, 15 Aug 2023 14:04:07 +0200 Subject: [PATCH 12/47] publish 5.0.0-rc.2 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 1d548630..c11f9a15 100644 --- a/package.json +++ b/package.json @@ -1,7 +1,7 @@ { "name": "@node-oauth/oauth2-server", "description": "Complete, framework-agnostic, compliant and well tested module for implementing an OAuth2 Server in node.js", - "version": "5.0.0-rc.1", + "version": "5.0.0-rc.2", "keywords": [ "oauth", "oauth2" From 704d917c95661c65a555f9f55570b6751c63ea9b Mon Sep 17 00:00:00 2001 From: jankapunkt Date: Thu, 17 Aug 2023 13:53:56 +0200 Subject: [PATCH 13/47] tests(compliance): added client credential workflow compliance tests --- .../client-credential-workflow_test.js | 142 ++++++++++++++++++ 1 file changed, 142 insertions(+) create mode 100644 test/compliance/client-credential-workflow_test.js diff --git a/test/compliance/client-credential-workflow_test.js b/test/compliance/client-credential-workflow_test.js new file mode 100644 index 00000000..6b7a2898 --- /dev/null +++ b/test/compliance/client-credential-workflow_test.js @@ -0,0 +1,142 @@ +/** + * 4.4. Client Credentials Grant + * + * The client can request an access token using only its client + * credentials (or other supported means of authentication) when the + * client is requesting access to the protected resources under its + * control, or those of another resource owner that have been previously + * arranged with the authorization server (the method of which is beyond + * the scope of this specification). + * + * The client credentials grant type MUST only be used by confidential + * clients. + * + * @see https://www.rfc-editor.org/rfc/rfc6749#section-4.4 + */ + +const OAuth2Server = require('../..'); +const DB = require('../helpers/db'); +const createModel = require('../helpers/model'); +const createRequest = require('../helpers/request'); +const Response = require('../../lib/response'); + +require('chai').should(); + +const db = new DB(); +// this user represents requests in the name of an external server +// TODO: we should discuss, if we can make user optional for client credential workflows +// as it's not desired to have an extra fake-user representing a server just to pass validation +const userDoc = { id: 'machine2-123456789', name: 'machine2' }; +db.saveUser(userDoc); + +const oAuth2Server = new OAuth2Server({ + model: { + ...createModel(db), + getUserFromClient: async function (_client) { + // in a machine2machine setup we might not have a dedicated "user" + // but we need to return a truthy response to + const client = db.findClient(_client.id, _client.secret); + return client && { ...userDoc }; + } + } +}); + +const clientDoc = db.saveClient({ + id: 'client-credential-test-client', + secret: 'client-credential-test-secret', + grants: ['client_credentials'] +}); + +const enabledScope = 'read write'; + +describe('ClientCredentials Workflow Compliance (4.4)', function () { + describe('Access Token Request (4.4.1)', function () { + /** + * 4.4.2. Access Token Request + * + * The client makes a request to the token endpoint by adding the + * following parameters using the "application/x-www-form-urlencoded" + * format per Appendix B with a character encoding of UTF-8 in the HTTP + * request entity-body: + * + * grant_type + * REQUIRED. Value MUST be set to "client_credentials". + * + * scope + * OPTIONAL. The scope of the access request as described by + * Section 3.3. + * + * The client MUST authenticate with the authorization server as + * described in Section 3.2.1. + */ + it('authenticates the client with valid credentials', async function () { + const response = new Response(); + const request = createRequest({ + body: { + grant_type: 'client_credentials', + scope: enabledScope + }, + headers: { + 'authorization': 'Basic ' + Buffer.from(clientDoc.id + ':' + clientDoc.secret).toString('base64'), + 'content-type': 'application/x-www-form-urlencoded' + }, + method: 'POST', + }); + + const token = await oAuth2Server.token(request, response); + + response.status.should.equal(200); + response.headers.should.deep.equal( { 'cache-control': 'no-store', pragma: 'no-cache' }); + response.body.token_type.should.equal('Bearer'); + response.body.access_token.should.equal(token.accessToken); + response.body.expires_in.should.be.a('number'); + response.body.scope.should.equal(enabledScope); + ('refresh_token' in response.body).should.equal(false); + + token.accessToken.should.be.a('string'); + token.accessTokenExpiresAt.should.be.a('date'); + ('refreshToken' in token).should.equal(false); + ('refreshTokenExpiresAt' in token).should.equal(false); + token.scope.should.equal(enabledScope); + + db.accessTokens.has(token.accessToken).should.equal(true); + db.refreshTokens.has(token.refreshToken).should.equal(false); + }); + + /** + * 7. Accessing Protected Resources + * + * The client accesses protected resources by presenting the access + * token to the resource server. The resource server MUST validate the + * access token and ensure that it has not expired and that its scope + * covers the requested resource. The methods used by the resource + * server to validate the access token (as well as any error responses) + * are beyond the scope of this specification but generally involve an + * interaction or coordination between the resource server and the + * authorization server. + */ + it('enables an authenticated request using the access token', async function () { + const [accessToken] = [...db.accessTokens.entries()][0]; + const response = new Response(); + const request = createRequest({ + query: {}, + headers: { + 'authorization': `Bearer ${accessToken}` + }, + method: 'GET', + }); + + const token = await oAuth2Server.authenticate(request, response); + token.accessToken.should.equal(accessToken); + token.user.should.deep.equal(userDoc); + token.client.should.deep.equal(clientDoc); + token.scope.should.equal(enabledScope); + + response.status.should.equal(200); + // there should be no information in the response as it + // should only add information, if permission is denied + response.body.should.deep.equal({}); + response.headers.should.deep.equal({}); + }); + }); +}); \ No newline at end of file From f0259dbbcc1fb3c6d645fc51d3c6d327e5da70e7 Mon Sep 17 00:00:00 2001 From: jankapunkt Date: Thu, 17 Aug 2023 13:54:43 +0200 Subject: [PATCH 14/47] tests(integration): grant types integration tests model integration covered --- lib/grant-types/abstract-grant-type.js | 10 +- .../authorization-code-grant-type.js | 10 +- .../client-credentials-grant-type.js | 4 +- lib/grant-types/password-grant-type.js | 8 +- .../grant-types/abstract-grant-type_test.js | 115 ++++-- .../authorization-code-grant-type_test.js | 383 +++++++++++------- .../client-credentials-grant-type_test.js | 71 ++-- .../grant-types/password-grant-type_test.js | 183 +++++---- test/integration/server_test.js | 18 +- test/unit/errors/oauth-error_test.js | 23 +- test/unit/request_test.js | 19 + 11 files changed, 544 insertions(+), 300 deletions(-) diff --git a/lib/grant-types/abstract-grant-type.js b/lib/grant-types/abstract-grant-type.js index 4fd02437..033fba36 100644 --- a/lib/grant-types/abstract-grant-type.js +++ b/lib/grant-types/abstract-grant-type.js @@ -36,8 +36,9 @@ function AbstractGrantType(options) { AbstractGrantType.prototype.generateAccessToken = async function(client, user, scope) { if (this.model.generateAccessToken) { - const accessToken = await this.model.generateAccessToken(client, user, scope); - return accessToken || tokenUtil.generateRandomToken(); + // We should not fall back to a random accessToken, if the model did not + // return a token, in order to prevent unintended token-issuing. + return this.model.generateAccessToken(client, user, scope); } return tokenUtil.generateRandomToken(); @@ -49,8 +50,9 @@ AbstractGrantType.prototype.generateAccessToken = async function(client, user, s AbstractGrantType.prototype.generateRefreshToken = async function(client, user, scope) { if (this.model.generateRefreshToken) { - const refreshToken = await this.model.generateRefreshToken(client, user, scope); - return refreshToken || tokenUtil.generateRandomToken(); + // We should not fall back to a random refreshToken, if the model did not + // return a token, in order to prevent unintended token-issuing. + return this.model.generateRefreshToken(client, user, scope); } return tokenUtil.generateRandomToken(); diff --git a/lib/grant-types/authorization-code-grant-type.js b/lib/grant-types/authorization-code-grant-type.js index 2101462b..8b766bfc 100644 --- a/lib/grant-types/authorization-code-grant-type.js +++ b/lib/grant-types/authorization-code-grant-type.js @@ -195,11 +195,11 @@ class AuthorizationCodeGrantType extends AbstractGrantType { const refreshTokenExpiresAt = await this.getRefreshTokenExpiresAt(); const token = { - accessToken: accessToken, - authorizationCode: authorizationCode, - accessTokenExpiresAt: accessTokenExpiresAt, - refreshToken: refreshToken, - refreshTokenExpiresAt: refreshTokenExpiresAt, + accessToken, + authorizationCode, + accessTokenExpiresAt, + refreshToken, + refreshTokenExpiresAt, scope: validatedScope, }; diff --git a/lib/grant-types/client-credentials-grant-type.js b/lib/grant-types/client-credentials-grant-type.js index 211628d3..c348e5cf 100644 --- a/lib/grant-types/client-credentials-grant-type.js +++ b/lib/grant-types/client-credentials-grant-type.js @@ -73,8 +73,8 @@ class ClientCredentialsGrantType extends AbstractGrantType { const accessToken = await this.generateAccessToken(client, user, scope); const accessTokenExpiresAt = await this.getAccessTokenExpiresAt(client, user, scope); const token = { - accessToken: accessToken, - accessTokenExpiresAt: accessTokenExpiresAt, + accessToken, + accessTokenExpiresAt, scope: validatedScope, }; diff --git a/lib/grant-types/password-grant-type.js b/lib/grant-types/password-grant-type.js index f13b68aa..f483e188 100644 --- a/lib/grant-types/password-grant-type.js +++ b/lib/grant-types/password-grant-type.js @@ -94,10 +94,10 @@ class PasswordGrantType extends AbstractGrantType { const refreshTokenExpiresAt = await this.getRefreshTokenExpiresAt(); const token = { - accessToken: accessToken, - accessTokenExpiresAt: accessTokenExpiresAt, - refreshToken: refreshToken, - refreshTokenExpiresAt: refreshTokenExpiresAt, + accessToken, + accessTokenExpiresAt, + refreshToken, + refreshTokenExpiresAt, scope: validatedScope, }; diff --git a/test/integration/grant-types/abstract-grant-type_test.js b/test/integration/grant-types/abstract-grant-type_test.js index e874509f..22247d7a 100644 --- a/test/integration/grant-types/abstract-grant-type_test.js +++ b/test/integration/grant-types/abstract-grant-type_test.js @@ -7,6 +7,7 @@ const AbstractGrantType = require('../../../lib/grant-types/abstract-grant-type'); const InvalidArgumentError = require('../../../lib/errors/invalid-argument-error'); const Request = require('../../../lib/request'); +const InvalidScopeError = require('../../../lib/errors/invalid-scope-error'); const should = require('chai').should(); /** @@ -44,7 +45,7 @@ describe('AbstractGrantType integration', function() { }); it('should set the `model`', function() { - const model = {}; + const model = { async generateAccessToken () {} }; const grantType = new AbstractGrantType({ accessTokenLifetime: 123, model: model }); grantType.model.should.equal(model); @@ -58,70 +59,62 @@ describe('AbstractGrantType integration', function() { }); describe('generateAccessToken()', function() { - it('should return an access token', function() { + it('should return an access token', async function() { const handler = new AbstractGrantType({ accessTokenLifetime: 123, model: {}, refreshTokenLifetime: 456 }); - - return handler.generateAccessToken() - .then(function(data) { - data.should.be.a.sha256(); - }) - .catch(should.fail); + const accessToken = await handler.generateAccessToken(); + accessToken.should.be.a.sha256(); }); - it('should support promises', function() { + it('should support promises', async function() { const model = { generateAccessToken: async function() { - return {}; + return 'long-hash-foo-bar'; } }; const handler = new AbstractGrantType({ accessTokenLifetime: 123, model: model, refreshTokenLifetime: 456 }); - - handler.generateAccessToken().should.be.an.instanceOf(Promise); + const accessToken = await handler.generateAccessToken(); + accessToken.should.equal('long-hash-foo-bar'); }); - it('should support non-promises', function() { + it('should support non-promises', async function() { const model = { generateAccessToken: function() { - return {}; + return 'long-hash-foo-bar'; } }; const handler = new AbstractGrantType({ accessTokenLifetime: 123, model: model, refreshTokenLifetime: 456 }); - - handler.generateAccessToken().should.be.an.instanceOf(Promise); + const accessToken = await handler.generateAccessToken(); + accessToken.should.equal('long-hash-foo-bar'); }); }); describe('generateRefreshToken()', function() { - it('should return a refresh token', function() { + it('should return a refresh token', async function() { const handler = new AbstractGrantType({ accessTokenLifetime: 123, model: {}, refreshTokenLifetime: 456 }); - - return handler.generateRefreshToken() - .then(function(data) { - data.should.be.a.sha256(); - }) - .catch(should.fail); + const refreshToken = await handler.generateRefreshToken(); + refreshToken.should.be.a.sha256(); }); - it('should support promises', function() { + it('should support promises', async function() { const model = { generateRefreshToken: async function() { - return {}; + return 'long-hash-foo-bar'; } }; const handler = new AbstractGrantType({ accessTokenLifetime: 123, model: model, refreshTokenLifetime: 456 }); - - handler.generateRefreshToken().should.be.an.instanceOf(Promise); + const refreshToken = await handler.generateRefreshToken(); + refreshToken.should.equal('long-hash-foo-bar'); }); - it('should support non-promises', function() { + it('should support non-promises', async function() { const model = { generateRefreshToken: function() { - return {}; + return 'long-hash-foo-bar'; } }; const handler = new AbstractGrantType({ accessTokenLifetime: 123, model: model, refreshTokenLifetime: 456 }); - - handler.generateRefreshToken().should.be.an.instanceOf(Promise); + const refreshToken = await handler.generateRefreshToken(); + refreshToken.should.equal('long-hash-foo-bar'); }); }); @@ -170,4 +163,64 @@ describe('AbstractGrantType integration', function() { handler.getScope(request).should.equal('foo'); }); }); + + describe('validateScope()', function () { + it('accepts the scope, if the model does not implement it', async function () { + const scope = 'some,scope,this,that'; + const user = { id: 123 }; + const client = { id: 456 }; + const handler = new AbstractGrantType({ accessTokenLifetime: 123, model: {}, refreshTokenLifetime: 456 }); + const validated = await handler.validateScope(user, client, scope); + validated.should.equal(scope); + }); + + it('accepts the scope, if the model accepts it', async function () { + const scope = 'some,scope,this,that'; + const user = { id: 123 }; + const client = { id: 456 }; + + const model = { + async validateScope (_user, _client, _scope) { + // make sure the model received the correct args + _user.should.deep.equal(user); + _client.should.deep.equal(_client); + _scope.should.equal(scope); + + return scope; + } + }; + const handler = new AbstractGrantType({ accessTokenLifetime: 123, model, refreshTokenLifetime: 456 }); + const validated = await handler.validateScope(user, client, scope); + validated.should.equal(scope); + }); + + it('throws if the model rejects the scope', async function () { + const scope = 'some,scope,this,that'; + const user = { id: 123 }; + const client = { id: 456 }; + const returnTypes = [undefined, null, false, 0, '']; + + for (const type of returnTypes) { + const model = { + async validateScope (_user, _client, _scope) { + // make sure the model received the correct args + _user.should.deep.equal(user); + _client.should.deep.equal(_client); + _scope.should.equal(scope); + + return type; + } + }; + const handler = new AbstractGrantType({ accessTokenLifetime: 123, model, refreshTokenLifetime: 456 }); + + try { + await handler.validateScope(user, client, scope); + should.fail(); + } catch (e) { + e.should.be.an.instanceOf(InvalidScopeError); + e.message.should.equal('Invalid scope: Requested scope is invalid'); + } + } + }); + }); }); diff --git a/test/integration/grant-types/authorization-code-grant-type_test.js b/test/integration/grant-types/authorization-code-grant-type_test.js index a4d69c40..f4598bde 100644 --- a/test/integration/grant-types/authorization-code-grant-type_test.js +++ b/test/integration/grant-types/authorization-code-grant-type_test.js @@ -75,9 +75,9 @@ describe('AuthorizationCodeGrantType integration', function() { describe('handle()', function() { it('should throw an error if `request` is missing', async function() { const model = { - getAuthorizationCode: function() {}, - revokeAuthorizationCode: function() {}, - saveToken: function() {} + getAuthorizationCode: () => should.fail(), + revokeAuthorizationCode: () => should.fail(), + saveToken: () => should.fail() }; const grantType = new AuthorizationCodeGrantType({ accessTokenLifetime: 123, model: model }); @@ -89,30 +89,33 @@ describe('AuthorizationCodeGrantType integration', function() { } }); - it('should throw an error if `client` is invalid', function() { - const client = {}; + it('should throw an error if `client` is invalid (not in code)', async function() { + const client = { id: 1234 }; const model = { - getAuthorizationCode: function() { return { authorizationCode: 12345, expiresAt: new Date(new Date() * 2), user: {} }; }, - revokeAuthorizationCode: function() {}, - saveToken: function() {} + getAuthorizationCode: function(code) { + code.should.equal(123456789); + return { authorizationCode: 12345, expiresAt: new Date(new Date() * 2), user: {} }; + }, + revokeAuthorizationCode: () => should.fail(), + saveToken: () => should.fail() }; const grantType = new AuthorizationCodeGrantType({ accessTokenLifetime: 123, model: model }); - const request = new Request({ body: { code: 12345 }, headers: {}, method: {}, query: {} }); + const request = new Request({ body: { code: 123456789 }, headers: {}, method: {}, query: {} }); - return grantType.handle(request, client) - .then(should.fail) - .catch(function(e) { - e.should.be.an.instanceOf(ServerError); - e.message.should.equal('Server error: `getAuthorizationCode()` did not return a `client` object'); - }); + try { + await grantType.handle(request, client); + should.fail(); + } catch (e) { + e.should.be.an.instanceOf(ServerError); + e.message.should.equal('Server error: `getAuthorizationCode()` did not return a `client` object'); + } }); it('should throw an error if `client` is missing', function() { - const model = { - getAuthorizationCode: function() { return { authorizationCode: 12345, expiresAt: new Date(new Date() * 2), user: {} }; }, - revokeAuthorizationCode: function() {}, - saveToken: function() {} + getAuthorizationCode: () => should.fail(), + revokeAuthorizationCode: () => should.fail(), + saveToken: () => should.fail() }; const grantType = new AuthorizationCodeGrantType({ accessTokenLifetime: 123, model: model }); const request = new Request({ body: { code: 12345 }, headers: {}, method: {}, query: {} }); @@ -128,18 +131,64 @@ describe('AuthorizationCodeGrantType integration', function() { it('should return a token', async function() { const client = { id: 'foobar' }; - const token = {}; + const scope = 'fooscope'; + const user = { name: 'foouser' }; + const codeDoc = { + authorizationCode: 12345, + expiresAt: new Date(new Date() * 2), + client, + user, + scope + }; const model = { - getAuthorizationCode: function() { return { authorizationCode: 12345, client: { id: 'foobar' }, expiresAt: new Date(new Date() * 2), user: {} }; }, - revokeAuthorizationCode: function() { return true; }, - saveToken: function() { return token; }, - validateScope: function() { return 'foo'; } + getAuthorizationCode: async function (code) { + code.should.equal('code-1234'); + + return codeDoc; + }, + revokeAuthorizationCode: async function (_codeDoc) { + _codeDoc.should.deep.equal(codeDoc); + return true; + }, + validateScope: async function (_user, _client, _scope) { + _user.should.deep.equal(user); + _client.should.deep.equal(client); + _scope.should.equal(scope); + return scope; + }, + generateAccessToken: async function (_client, _user, _scope) { + _user.should.deep.equal(user); + _client.should.deep.equal(client); + _scope.should.equal(scope); + return 'long-access-token-hash'; + }, + generateRefreshToken: async function (_client, _user, _scope) { + _user.should.deep.equal(user); + _client.should.deep.equal(client); + _scope.should.equal(scope); + return 'long-refresh-token-hash'; + }, + saveToken: async function (_token, _client, _user) { + _user.should.deep.equal(user); + _client.should.deep.equal(client); + _token.accessToken.should.equal('long-access-token-hash'); + _token.refreshToken.should.equal('long-refresh-token-hash'); + _token.authorizationCode.should.equal(codeDoc.authorizationCode); + _token.accessTokenExpiresAt.should.be.instanceOf(Date); + _token.refreshTokenExpiresAt.should.be.instanceOf(Date); + return _token; + }, }; - const grantType = new AuthorizationCodeGrantType({ accessTokenLifetime: 123, model: model }); - const request = new Request({ body: { code: 12345 }, headers: {}, method: {}, query: {} }); - const data = await grantType.handle(request, client); - data.should.equal(token); + const grantType = new AuthorizationCodeGrantType({ accessTokenLifetime: 123, model: model }); + const request = new Request({ body: { code: 'code-1234' }, headers: {}, method: {}, query: {} }); + + const token = await grantType.handle(request, client); + token.accessToken.should.equal('long-access-token-hash'); + token.refreshToken.should.equal('long-refresh-token-hash'); + token.authorizationCode.should.equal(codeDoc.authorizationCode); + token.accessTokenExpiresAt.should.be.instanceOf(Date); + token.refreshTokenExpiresAt.should.be.instanceOf(Date); }); it('should support promises', function() { @@ -173,9 +222,9 @@ describe('AuthorizationCodeGrantType integration', function() { it('should throw an error if the request body does not contain `code`', async function() { const client = {}; const model = { - getAuthorizationCode: function() {}, - revokeAuthorizationCode: function() {}, - saveToken: function() {} + getAuthorizationCode: () => should.fail(), + revokeAuthorizationCode: () => should.fail(), + saveToken: () => should.fail() }; const grantType = new AuthorizationCodeGrantType({ accessTokenLifetime: 123, model: model }); const request = new Request({ body: {}, headers: {}, method: {}, query: {} }); @@ -191,9 +240,9 @@ describe('AuthorizationCodeGrantType integration', function() { it('should throw an error if `code` is invalid', async function() { const client = {}; const model = { - getAuthorizationCode: function() {}, - revokeAuthorizationCode: function() {}, - saveToken: function() {} + getAuthorizationCode: () => should.fail(), + revokeAuthorizationCode: () => should.fail(), + saveToken: () => should.fail() }; const grantType = new AuthorizationCodeGrantType({ accessTokenLifetime: 123, model: model }); const request = new Request({ body: { code: 'ø倣‰' }, headers: {}, method: {}, query: {} }); @@ -210,9 +259,9 @@ describe('AuthorizationCodeGrantType integration', function() { it('should throw an error if `authorizationCode` is missing', async function() { const client = {}; const model = { - getAuthorizationCode: function() {}, - revokeAuthorizationCode: function() {}, - saveToken: function() {} + getAuthorizationCode: async function() {}, + revokeAuthorizationCode: () => should.fail(), + saveToken: () => should.fail() }; const grantType = new AuthorizationCodeGrantType({ accessTokenLifetime: 123, model: model }); const request = new Request({ body: { code: 12345 }, headers: {}, method: {}, query: {} }); @@ -226,136 +275,150 @@ describe('AuthorizationCodeGrantType integration', function() { } }); - it('should throw an error if `authorizationCode.client` is missing', function() { + it('should throw an error if `authorizationCode.client` is missing', async function() { const client = {}; const model = { - getAuthorizationCode: function() { return { authorizationCode: 12345 }; }, - revokeAuthorizationCode: function() {}, - saveToken: function() {} + getAuthorizationCode: async function() { return { authorizationCode: 12345 }; }, + revokeAuthorizationCode: () => should.fail(), + saveToken: () => should.fail() }; const grantType = new AuthorizationCodeGrantType({ accessTokenLifetime: 123, model: model }); const request = new Request({ body: { code: 12345 }, headers: {}, method: {}, query: {} }); - return grantType.getAuthorizationCode(request, client) - .then(should.fail) - .catch(function(e) { - e.should.be.an.instanceOf(ServerError); - e.message.should.equal('Server error: `getAuthorizationCode()` did not return a `client` object'); - }); + try { + await grantType.getAuthorizationCode(request, client); + should.fail(); + } catch (e) { + e.should.be.an.instanceOf(ServerError); + e.message.should.equal('Server error: `getAuthorizationCode()` did not return a `client` object'); + } }); - it('should throw an error if `authorizationCode.expiresAt` is missing', function() { + it('should throw an error if `authorizationCode.expiresAt` is missing', async function() { const client = {}; const model = { - getAuthorizationCode: function() { return { authorizationCode: 12345, client: {}, user: {} }; }, - revokeAuthorizationCode: function() {}, - saveToken: function() {} + getAuthorizationCode: async function() { + return { authorizationCode: 12345, client: {}, user: {} }; + }, + revokeAuthorizationCode: () => should.fail(), + saveToken: () => should.fail() }; const grantType = new AuthorizationCodeGrantType({ accessTokenLifetime: 123, model: model }); const request = new Request({ body: { code: 12345 }, headers: {}, method: {}, query: {} }); - return grantType.getAuthorizationCode(request, client) - .then(should.fail) - .catch(function(e) { - e.should.be.an.instanceOf(ServerError); - e.message.should.equal('Server error: `expiresAt` must be a Date instance'); - }); + try { + await grantType.getAuthorizationCode(request, client); + should.fail(); + } catch (e) { + e.should.be.an.instanceOf(ServerError); + e.message.should.equal('Server error: `expiresAt` must be a Date instance'); + } }); - it('should throw an error if `authorizationCode.user` is missing', function() { + it('should throw an error if `authorizationCode.user` is missing', async function() { const client = {}; const model = { - getAuthorizationCode: function() { return { authorizationCode: 12345, client: {}, expiresAt: new Date() }; }, - revokeAuthorizationCode: function() {}, - saveToken: function() {} + getAuthorizationCode: async function() { + return { authorizationCode: 12345, client: {}, expiresAt: new Date() }; + }, + revokeAuthorizationCode: () => should.fail(), + saveToken: () => should.fail() }; const grantType = new AuthorizationCodeGrantType({ accessTokenLifetime: 123, model: model }); const request = new Request({ body: { code: 12345 }, headers: {}, method: {}, query: {} }); - return grantType.getAuthorizationCode(request, client) - .then(should.fail) - .catch(function(e) { - e.should.be.an.instanceOf(ServerError); - e.message.should.equal('Server error: `getAuthorizationCode()` did not return a `user` object'); - }); + try { + await grantType.getAuthorizationCode(request, client); + should.fail(); + } catch (e) { + e.should.be.an.instanceOf(ServerError); + e.message.should.equal('Server error: `getAuthorizationCode()` did not return a `user` object'); + } }); - it('should throw an error if the client id does not match', function() { + it('should throw an error if the client id does not match', async function() { const client = { id: 123 }; const model = { - getAuthorizationCode: function() { + getAuthorizationCode: async function() { return { authorizationCode: 12345, expiresAt: new Date(), client: { id: 456 }, user: {} }; }, - revokeAuthorizationCode: function() {}, - saveToken: function() {} + revokeAuthorizationCode: () => should.fail(), + saveToken: () => should.fail() }; const grantType = new AuthorizationCodeGrantType({ accessTokenLifetime: 123, model: model }); const request = new Request({ body: { code: 12345 }, headers: {}, method: {}, query: {} }); - return grantType.getAuthorizationCode(request, client) - .then(should.fail) - .catch(function(e) { - e.should.be.an.instanceOf(InvalidGrantError); - e.message.should.equal('Invalid grant: authorization code is invalid'); - }); + try { + await grantType.getAuthorizationCode(request, client); + should.fail(); + } catch (e) { + e.should.be.an.instanceOf(InvalidGrantError); + e.message.should.equal('Invalid grant: authorization code is invalid'); + } }); - it('should throw an error if the auth code is expired', function() { + it('should throw an error if the auth code is expired', async function() { const client = { id: 123 }; const date = new Date(new Date() / 2); const model = { - getAuthorizationCode: function() { + getAuthorizationCode: async function() { return { authorizationCode: 12345, client: { id: 123 }, expiresAt: date, user: {} }; }, - revokeAuthorizationCode: function() {}, - saveToken: function() {} + revokeAuthorizationCode: () => should.fail(), + saveToken: () => should.fail() }; const grantType = new AuthorizationCodeGrantType({ accessTokenLifetime: 123, model: model }); const request = new Request({ body: { code: 12345 }, headers: {}, method: {}, query: {} }); - return grantType.getAuthorizationCode(request, client) - .then(should.fail) - .catch(function(e) { - e.should.be.an.instanceOf(InvalidGrantError); - e.message.should.equal('Invalid grant: authorization code has expired'); - }); + try { + await grantType.getAuthorizationCode(request, client); + should.fail(); + } catch (e) { + e.should.be.an.instanceOf(InvalidGrantError); + e.message.should.equal('Invalid grant: authorization code has expired'); + } }); - it('should throw an error if the `redirectUri` is invalid', function() { + it('should throw an error if the `redirectUri` is invalid (format)', async function() { const authorizationCode = { authorizationCode: 12345, client: { id: 'foobar' }, expiresAt: new Date(new Date() * 2), redirectUri: 'foobar', user: {} }; const client = { id: 'foobar' }; const model = { - getAuthorizationCode: function() { return authorizationCode; }, - revokeAuthorizationCode: function() {}, - saveToken: function() {} + getAuthorizationCode: async function() { return authorizationCode; }, + revokeAuthorizationCode: () => should.fail(), + saveToken: () => should.fail() }; const grantType = new AuthorizationCodeGrantType({ accessTokenLifetime: 123, model: model }); const request = new Request({ body: { code: 12345 }, headers: {}, method: {}, query: {} }); - return grantType.getAuthorizationCode(request, client) - .then(should.fail) - .catch(function(e) { - e.should.be.an.instanceOf(InvalidGrantError); - e.message.should.equal('Invalid grant: `redirect_uri` is not a valid URI'); - }); + try { + await grantType.getAuthorizationCode(request, client); + should.fail(); + } catch (e) { + e.should.be.an.instanceOf(InvalidGrantError); + e.message.should.equal('Invalid grant: `redirect_uri` is not a valid URI'); + } }); - it('should return an auth code', function() { - const authorizationCode = { authorizationCode: 12345, client: { id: 'foobar' }, expiresAt: new Date(new Date() * 2), user: {} }; + it('should return an auth code', async function() { + const authorizationCode = { + authorizationCode: 1234567, + client: { id: 'foobar' }, + expiresAt: new Date(new Date() * 2), user: {} + }; const client = { id: 'foobar' }; const model = { - getAuthorizationCode: function() { return authorizationCode; }, - revokeAuthorizationCode: function() {}, - saveToken: function() {} + getAuthorizationCode: async function(_code) { + _code.should.equal(12345); + return authorizationCode; + }, + revokeAuthorizationCode: () => should.fail(), + saveToken: () => should.fail() }; const grantType = new AuthorizationCodeGrantType({ accessTokenLifetime: 123, model: model }); const request = new Request({ body: { code: 12345 }, headers: {}, method: {}, query: {} }); - return grantType.getAuthorizationCode(request, client) - .then(function(data) { - data.should.equal(authorizationCode); - }) - .catch(should.fail); + const code = await grantType.getAuthorizationCode(request, client); + code.should.deep.equal(authorizationCode); }); it('should support promises', function() { @@ -427,85 +490,113 @@ describe('AuthorizationCodeGrantType integration', function() { e.message.should.equal('Invalid request: `redirect_uri` is invalid'); } }); - }); - - describe('revokeAuthorizationCode()', function() { - it('should revoke the auth code', function() { - const authorizationCode = { authorizationCode: 12345, client: {}, expiresAt: new Date(new Date() / 2), user: {} }; + it('returns undefined and does not throw if `redirectUri` is valid', async function () { + const authorizationCode = { authorizationCode: 12345, client: {}, expiresAt: new Date(new Date() / 2), redirectUri: 'http://foo.bar', user: {} }; const model = { getAuthorizationCode: function() {}, revokeAuthorizationCode: function() { return true; }, saveToken: function() {} }; const grantType = new AuthorizationCodeGrantType({ accessTokenLifetime: 123, model: model }); - - return grantType.revokeAuthorizationCode(authorizationCode) - .then(function(data) { - data.should.equal(authorizationCode); - }) - .catch(should.fail); + const request = new Request({ body: { code: 12345, redirect_uri: 'http://foo.bar' }, headers: {}, method: {}, query: {} }); + const value = grantType.validateRedirectUri(request, authorizationCode); + const isUndefined = value === undefined; + isUndefined.should.equal(true); }); + }); - it('should throw an error when the auth code is invalid', function() { + describe('revokeAuthorizationCode()', function() { + it('should revoke the auth code', async function() { const authorizationCode = { authorizationCode: 12345, client: {}, expiresAt: new Date(new Date() / 2), user: {} }; const model = { - getAuthorizationCode: function() {}, - revokeAuthorizationCode: function() { return false; }, - saveToken: function() {} + getAuthorizationCode: () => should.fail(), + revokeAuthorizationCode: async function(_code) { + _code.should.equal(authorizationCode); + return true; + }, + saveToken: () => should.fail() }; const grantType = new AuthorizationCodeGrantType({ accessTokenLifetime: 123, model: model }); - return grantType.revokeAuthorizationCode(authorizationCode) - .then(function(data) { - data.should.equal(authorizationCode); - }) - .catch(function(e) { + const data = await grantType.revokeAuthorizationCode(authorizationCode); + data.should.deep.equal(authorizationCode); + }); + + it('should throw an error when the auth code is invalid', async function() { + const authorizationCode = { authorizationCode: 12345, client: {}, expiresAt: new Date(new Date() / 2), user: {} }; + const returnTypes = [false, null, undefined, 0, '']; + + for (const type of returnTypes) { + const model = { + getAuthorizationCode: () => should.fail(), + revokeAuthorizationCode: async function(_code) { + _code.should.equal(authorizationCode); + return type; + }, + saveToken: () => should.fail() + }; + const grantType = new AuthorizationCodeGrantType({ accessTokenLifetime: 123, model: model }); + + try { + await grantType.revokeAuthorizationCode(authorizationCode); + should.fail(); + } catch (e) { e.should.be.an.instanceOf(InvalidGrantError); e.message.should.equal('Invalid grant: authorization code is invalid'); - }); + } + } }); it('should support promises', function() { const authorizationCode = { authorizationCode: 12345, client: {}, expiresAt: new Date(new Date() / 2), user: {} }; const model = { - getAuthorizationCode: function() {}, + getAuthorizationCode: () => should.fail(), revokeAuthorizationCode: async function() { return true; }, - saveToken: function() {} + saveToken: () => should.fail() }; const grantType = new AuthorizationCodeGrantType({ accessTokenLifetime: 123, model: model }); - grantType.revokeAuthorizationCode(authorizationCode).should.be.an.instanceOf(Promise); }); it('should support non-promises', function() { const authorizationCode = { authorizationCode: 12345, client: {}, expiresAt: new Date(new Date() / 2), user: {} }; const model = { - getAuthorizationCode: function() {}, + getAuthorizationCode: () => should.fail(), revokeAuthorizationCode: function() { return authorizationCode; }, - saveToken: function() {} + saveToken: () => should.fail() }; const grantType = new AuthorizationCodeGrantType({ accessTokenLifetime: 123, model: model }); - grantType.revokeAuthorizationCode(authorizationCode).should.be.an.instanceOf(Promise); }); }); describe('saveToken()', function() { - it('should save the token', function() { - const token = {}; + it('should save the token', async function() { + const token = { foo: 'bar' }; const model = { - getAuthorizationCode: function() {}, - revokeAuthorizationCode: function() {}, - saveToken: function() { return token; }, - validateScope: function() { return 'foo'; } + getAuthorizationCode: () => should.fail(), + revokeAuthorizationCode: () => should.fail(), + saveToken: function(_token, _client= 'fallback', _user= 'fallback') { + _token.accessToken.should.be.a.sha256(); + _token.accessTokenExpiresAt.should.be.instanceOf(Date); + _token.refreshTokenExpiresAt.should.be.instanceOf(Date); + _token.refreshToken.should.be.a.sha256(); + _token.scope.should.equal('foo'); + (_token.authorizationCode === undefined).should.equal(true); + _user.should.equal('fallback'); + _client.should.equal('fallback'); + return token; + }, + validateScope: function(_user= 'fallback', _client= 'fallback', _scope = 'fallback') { + _user.should.equal('fallback'); + _client.should.equal('fallback'); + _scope.should.equal('fallback'); + return 'foo'; + } }; const grantType = new AuthorizationCodeGrantType({ accessTokenLifetime: 123, model: model }); - - return grantType.saveToken(token) - .then(function(data) { - data.should.equal(token); - }) - .catch(should.fail); + const data = await grantType.saveToken(); + data.should.equal(token); }); it('should support promises', function() { diff --git a/test/integration/grant-types/client-credentials-grant-type_test.js b/test/integration/grant-types/client-credentials-grant-type_test.js index 1a70874e..a21b1a13 100644 --- a/test/integration/grant-types/client-credentials-grant-type_test.js +++ b/test/integration/grant-types/client-credentials-grant-type_test.js @@ -90,35 +90,50 @@ describe('ClientCredentialsGrantType integration', function() { } }); - it('should return a token', function() { + it('should return a token', async function() { const token = {}; + const client = { foo: 'bar' }; + const user = { name: 'foo' }; + const scope = 'fooscope'; + const model = { - getUserFromClient: async function(client) { - client.foo.should.equal('bar'); - return { id: '123'}; + getUserFromClient: async function(_client) { + _client.should.deep.equal(client); + return { ...user }; }, - saveToken: async function(_token, client, user) { - client.foo.should.equal('bar'); - user.id.should.equal('123'); + saveToken: async function(_token, _client, _user) { + _client.should.deep.equal(client); + _user.should.deep.equal(user); + _token.accessToken.should.equal('long-access-token-hash'); + _token.accessTokenExpiresAt.should.be.instanceOf(Date); + _token.scope.should.equal(scope); return token; }, - validateScope: function() { return 'foo'; } + validateScope: async function (_user, _client, _scope) { + _user.should.deep.equal(user); + _client.should.deep.equal(client); + _scope.should.equal(scope); + return scope; + }, + generateAccessToken: async function (_client, _user, _scope) { + _user.should.deep.equal(user); + _client.should.deep.equal(client); + _scope.should.equal(scope); + return 'long-access-token-hash'; + } }; const grantType = new ClientCredentialsGrantType({ accessTokenLifetime: 120, model: model }); - const request = new Request({ body: {}, headers: {}, method: {}, query: {} }); + const request = new Request({ body: { scope }, headers: {}, method: {}, query: {} }); - return grantType.handle(request, { foo: 'bar' }) - .then(function(data) { - data.should.equal(token); - }) - .catch(should.fail); + const data = await grantType.handle(request, client); + data.should.equal(token); }); it('should support promises', function() { const token = {}; const model = { - getUserFromClient: function() { return {}; }, - saveToken: function() { return token; } + getUserFromClient: async function() { return {}; }, + saveToken: async function() { return token; } }; const grantType = new ClientCredentialsGrantType({ accessTokenLifetime: 120, model: model }); const request = new Request({ body: {}, headers: {}, method: {}, query: {} }); @@ -143,7 +158,7 @@ describe('ClientCredentialsGrantType integration', function() { it('should throw an error if `user` is missing', function() { const model = { getUserFromClient: function() {}, - saveToken: function() {} + saveToken: () => should.fail() }; const grantType = new ClientCredentialsGrantType({ accessTokenLifetime: 120, model: model }); const request = new Request({ body: {}, headers: {}, method: {}, query: {} }); @@ -160,7 +175,7 @@ describe('ClientCredentialsGrantType integration', function() { const user = { email: 'foo@bar.com' }; const model = { getUserFromClient: function() { return user; }, - saveToken: function() {} + saveToken: () => should.fail() }; const grantType = new ClientCredentialsGrantType({ accessTokenLifetime: 120, model: model }); const request = new Request({ body: {}, headers: {}, method: {}, query: {} }); @@ -176,7 +191,7 @@ describe('ClientCredentialsGrantType integration', function() { const user = { email: 'foo@bar.com' }; const model = { getUserFromClient: async function() { return user; }, - saveToken: function() {} + saveToken: () => should.fail() }; const grantType = new ClientCredentialsGrantType({ accessTokenLifetime: 120, model: model }); const request = new Request({ body: {}, headers: {}, method: {}, query: {} }); @@ -188,7 +203,7 @@ describe('ClientCredentialsGrantType integration', function() { const user = { email: 'foo@bar.com' }; const model = { getUserFromClient: function() {return user; }, - saveToken: function() {} + saveToken: () => should.fail() }; const grantType = new ClientCredentialsGrantType({ accessTokenLifetime: 120, model: model }); const request = new Request({ body: {}, headers: {}, method: {}, query: {} }); @@ -198,26 +213,22 @@ describe('ClientCredentialsGrantType integration', function() { }); describe('saveToken()', function() { - it('should save the token', function() { + it('should save the token', async function() { const token = {}; const model = { - getUserFromClient: function() {}, + getUserFromClient: () => should.fail(), saveToken: function() { return token; }, validateScope: function() { return 'foo'; } }; const grantType = new ClientCredentialsGrantType({ accessTokenLifetime: 123, model: model }); - - return grantType.saveToken(token) - .then(function(data) { - data.should.equal(token); - }) - .catch(should.fail); + const data = await grantType.saveToken(token); + data.should.equal(token); }); it('should support promises', function() { const token = {}; const model = { - getUserFromClient: function() {}, + getUserFromClient:() => should.fail(), saveToken: async function() { return token; } }; const grantType = new ClientCredentialsGrantType({ accessTokenLifetime: 123, model: model }); @@ -228,7 +239,7 @@ describe('ClientCredentialsGrantType integration', function() { it('should support non-promises', function() { const token = {}; const model = { - getUserFromClient: function() {}, + getUserFromClient: () => should.fail(), saveToken: function() { return token; } }; const grantType = new ClientCredentialsGrantType({ accessTokenLifetime: 123, model: model }); diff --git a/test/integration/grant-types/password-grant-type_test.js b/test/integration/grant-types/password-grant-type_test.js index 04452ee0..df1db899 100644 --- a/test/integration/grant-types/password-grant-type_test.js +++ b/test/integration/grant-types/password-grant-type_test.js @@ -45,7 +45,7 @@ describe('PasswordGrantType integration', function() { getUser: function() {} }; - new PasswordGrantType({ model: model }); + new PasswordGrantType({ model }); should.fail(); } catch (e) { @@ -58,10 +58,10 @@ describe('PasswordGrantType integration', function() { describe('handle()', function() { it('should throw an error if `request` is missing', async function() { const model = { - getUser: function() {}, - saveToken: function() {} + getUser: () => should.fail(), + saveToken: () => should.fail() }; - const grantType = new PasswordGrantType({ accessTokenLifetime: 123, model: model }); + const grantType = new PasswordGrantType({ accessTokenLifetime: 123, model }); try { await grantType.handle(); @@ -75,10 +75,10 @@ describe('PasswordGrantType integration', function() { it('should throw an error if `client` is missing', async function() { const model = { - getUser: function() {}, - saveToken: function() {} + getUser: () => should.fail(), + saveToken: () => should.fail() }; - const grantType = new PasswordGrantType({ accessTokenLifetime: 123, model: model }); + const grantType = new PasswordGrantType({ accessTokenLifetime: 123, model }); try { await grantType.handle({}); @@ -90,32 +90,66 @@ describe('PasswordGrantType integration', function() { } }); - it('should return a token', function() { + it('should return a token', async function() { const client = { id: 'foobar' }; + const scope = 'baz'; const token = {}; + const user = { + id: 123456, + username: 'foo', + email: 'foo@example.com' + }; + const model = { - getUser: function() { return {}; }, - saveToken: function() { return token; }, - validateScope: function() { return 'baz'; } + getUser: async function(username, password) { + username.should.equal('foo'); + password.should.equal('bar'); + return user; + }, + validateScope: async function(_user, _client, _scope) { + _client.should.equal(client); + _user.should.equal(user); + _scope.should.equal(scope); + return scope; + }, + generateAccessToken: async function (_client, _user, _scope) { + _client.should.equal(client); + _user.should.equal(user); + _scope.should.equal(scope); + return 'long-access-token-hash'; + }, + generateRefreshToken: async function (_client, _user, _scope) { + _client.should.equal(client); + _user.should.equal(user); + _scope.should.equal(scope); + return 'long-refresh-token-hash'; + }, + saveToken: async function(_token, _client, _user) { + _client.should.equal(client); + _user.should.equal(user); + _token.accessToken.should.equal('long-access-token-hash'); + _token.refreshToken.should.equal('long-refresh-token-hash'); + _token.accessTokenExpiresAt.should.be.instanceOf(Date); + _token.refreshTokenExpiresAt.should.be.instanceOf(Date); + return token; + } }; - const grantType = new PasswordGrantType({ accessTokenLifetime: 123, model: model }); + + const grantType = new PasswordGrantType({ accessTokenLifetime: 123, model }); const request = new Request({ body: { username: 'foo', password: 'bar', scope: 'baz' }, headers: {}, method: {}, query: {} }); - return grantType.handle(request, client) - .then(function(data) { - data.should.equal(token); - }) - .catch(should.fail); + const data = await grantType.handle(request, client); + data.should.equal(token); }); it('should support promises', async function() { const client = { id: 'foobar' }; const token = {}; const model = { - getUser: function() { return {}; }, + getUser: async function() { return {}; }, saveToken: async function() { return token; } }; - const grantType = new PasswordGrantType({ accessTokenLifetime: 123, model: model }); + const grantType = new PasswordGrantType({ accessTokenLifetime: 123, model }); const request = new Request({ body: { username: 'foo', password: 'bar' }, headers: {}, method: {}, query: {} }); const result = await grantType.handle(request, client); @@ -129,7 +163,7 @@ describe('PasswordGrantType integration', function() { getUser: function() { return {}; }, saveToken: function() { return token; } }; - const grantType = new PasswordGrantType({ accessTokenLifetime: 123, model: model }); + const grantType = new PasswordGrantType({ accessTokenLifetime: 123, model }); const request = new Request({ body: { username: 'foo', password: 'bar' }, headers: {}, method: {}, query: {} }); const result = await grantType.handle(request, client); @@ -140,10 +174,10 @@ describe('PasswordGrantType integration', function() { describe('getUser()', function() { it('should throw an error if the request body does not contain `username`', async function() { const model = { - getUser: function() {}, - saveToken: function() {} + getUser: () => should.fail(), + saveToken: () => should.fail() }; - const grantType = new PasswordGrantType({ accessTokenLifetime: 123, model: model }); + const grantType = new PasswordGrantType({ accessTokenLifetime: 123, model }); const request = new Request({ body: {}, headers: {}, method: {}, query: {} }); try { @@ -158,10 +192,10 @@ describe('PasswordGrantType integration', function() { it('should throw an error if the request body does not contain `password`', async function() { const model = { - getUser: function() {}, - saveToken: function() {} + getUser: () => should.fail(), + saveToken: () => should.fail() }; - const grantType = new PasswordGrantType({ accessTokenLifetime: 123, model: model }); + const grantType = new PasswordGrantType({ accessTokenLifetime: 123, model }); const request = new Request({ body: { username: 'foo' }, headers: {}, method: {}, query: {} }); try { @@ -176,10 +210,10 @@ describe('PasswordGrantType integration', function() { it('should throw an error if `username` is invalid', async function() { const model = { - getUser: function() {}, - saveToken: function() {} + getUser: () => should.fail(), + saveToken: () => should.fail() }; - const grantType = new PasswordGrantType({ accessTokenLifetime: 123, model: model }); + const grantType = new PasswordGrantType({ accessTokenLifetime: 123, model }); const request = new Request({ body: { username: '\r\n', password: 'foobar' }, headers: {}, method: {}, query: {} }); try { @@ -194,10 +228,10 @@ describe('PasswordGrantType integration', function() { it('should throw an error if `password` is invalid', async function() { const model = { - getUser: function() {}, - saveToken: function() {} + getUser: () => should.fail(), + saveToken: () => should.fail() }; - const grantType = new PasswordGrantType({ accessTokenLifetime: 123, model: model }); + const grantType = new PasswordGrantType({ accessTokenLifetime: 123, model }); const request = new Request({ body: { username: 'foobar', password: '\r\n' }, headers: {}, method: {}, query: {} }); try { @@ -210,45 +244,47 @@ describe('PasswordGrantType integration', function() { } }); - it('should throw an error if `user` is missing', function() { + it('should throw an error if `user` is missing', async function() { const model = { - getUser: function() {}, - saveToken: function() {} + getUser: async () => undefined, + saveToken: () => should.fail() }; - const grantType = new PasswordGrantType({ accessTokenLifetime: 123, model: model }); + const grantType = new PasswordGrantType({ accessTokenLifetime: 123, model }); const request = new Request({ body: { username: 'foo', password: 'bar' }, headers: {}, method: {}, query: {} }); - return grantType.getUser(request) - .then(should.fail) - .catch(function(e) { - e.should.be.an.instanceOf(InvalidGrantError); - e.message.should.equal('Invalid grant: user credentials are invalid'); - }); + try { + await grantType.getUser(request); + should.fail(); + } catch (e) { + e.should.be.an.instanceOf(InvalidGrantError); + e.message.should.equal('Invalid grant: user credentials are invalid'); + } }); - it('should return a user', function() { + it('should return a user', async function() { const user = { email: 'foo@bar.com' }; const model = { - getUser: function() { return user; }, - saveToken: function() {} + getUser: function(username, password) { + username.should.equal('foo'); + password.should.equal('bar'); + return user; + }, + saveToken: () => should.fail() }; - const grantType = new PasswordGrantType({ accessTokenLifetime: 123, model: model }); + const grantType = new PasswordGrantType({ accessTokenLifetime: 123, model }); const request = new Request({ body: { username: 'foo', password: 'bar' }, headers: {}, method: {}, query: {} }); - return grantType.getUser(request) - .then(function(data) { - data.should.equal(user); - }) - .catch(should.fail); + const data = await grantType.getUser(request); + data.should.equal(user); }); it('should support promises', function() { const user = { email: 'foo@bar.com' }; const model = { getUser: async function() { return user; }, - saveToken: function() {} + saveToken: () => should.fail() }; - const grantType = new PasswordGrantType({ accessTokenLifetime: 123, model: model }); + const grantType = new PasswordGrantType({ accessTokenLifetime: 123, model }); const request = new Request({ body: { username: 'foo', password: 'bar' }, headers: {}, method: {}, query: {} }); grantType.getUser(request).should.be.an.instanceOf(Promise); @@ -258,9 +294,9 @@ describe('PasswordGrantType integration', function() { const user = { email: 'foo@bar.com' }; const model = { getUser: function() { return user; }, - saveToken: function() {} + saveToken: () => should.fail() }; - const grantType = new PasswordGrantType({ accessTokenLifetime: 123, model: model }); + const grantType = new PasswordGrantType({ accessTokenLifetime: 123, model }); const request = new Request({ body: { username: 'foo', password: 'bar' }, headers: {}, method: {}, query: {} }); grantType.getUser(request).should.be.an.instanceOf(Promise); @@ -268,29 +304,38 @@ describe('PasswordGrantType integration', function() { }); describe('saveToken()', function() { - it('should save the token', function() { + it('should save the token', async function() { const token = {}; const model = { - getUser: function() {}, - saveToken: function() { return token; }, - validateScope: function() { return 'foo'; } + getUser: () => should.fail(), + saveToken: async function(_token, _client = 'fallback', _user = 'fallback') { + _token.accessToken.should.be.a.sha256(); + _token.accessTokenExpiresAt.should.be.instanceOf(Date); + _token.refreshTokenExpiresAt.should.be.instanceOf(Date); + _token.refreshToken.should.be.a.sha256(); + _token.scope.should.equal('foo'); + _client.should.equal('fallback'); + _user.should.equal('fallback'); + return token; + }, + validateScope: async function(_scope = 'fallback') { + _scope.should.equal('fallback'); + return 'foo'; + } }; - const grantType = new PasswordGrantType({ accessTokenLifetime: 123, model: model }); + const grantType = new PasswordGrantType({ accessTokenLifetime: 123, model }); - return grantType.saveToken(token) - .then(function(data) { - data.should.equal(token); - }) - .catch(should.fail); + const data = await grantType.saveToken(); + data.should.equal(token); }); it('should support promises', function() { const token = {}; const model = { - getUser: function() {}, + getUser: () => should.fail(), saveToken: async function() { return token; } }; - const grantType = new PasswordGrantType({ accessTokenLifetime: 123, model: model }); + const grantType = new PasswordGrantType({ accessTokenLifetime: 123, model }); grantType.saveToken(token).should.be.an.instanceOf(Promise); }); @@ -298,10 +343,10 @@ describe('PasswordGrantType integration', function() { it('should support non-promises', function() { const token = {}; const model = { - getUser: function() {}, + getUser: () => should.fail(), saveToken: function() { return token; } }; - const grantType = new PasswordGrantType({ accessTokenLifetime: 123, model: model }); + const grantType = new PasswordGrantType({ accessTokenLifetime: 123, model }); grantType.saveToken(token).should.be.an.instanceOf(Promise); }); diff --git a/test/integration/server_test.js b/test/integration/server_test.js index cb717c76..aad03356 100644 --- a/test/integration/server_test.js +++ b/test/integration/server_test.js @@ -17,14 +17,16 @@ const should = require('chai').should(); describe('Server integration', function() { describe('constructor()', function() { it('should throw an error if `model` is missing', function() { - try { - new Server({}); - - should.fail(); - } catch (e) { - e.should.be.an.instanceOf(InvalidArgumentError); - e.message.should.equal('Missing parameter: `model`'); - } + [null, undefined, {}].forEach(options => { + try { + new Server(options); + + should.fail(); + } catch (e) { + e.should.be.an.instanceOf(InvalidArgumentError); + e.message.should.equal('Missing parameter: `model`'); + } + }); }); it('should set the `model`', function() { diff --git a/test/unit/errors/oauth-error_test.js b/test/unit/errors/oauth-error_test.js index bad86f65..6d68a299 100644 --- a/test/unit/errors/oauth-error_test.js +++ b/test/unit/errors/oauth-error_test.js @@ -16,7 +16,7 @@ describe('OAuthError', function() { describe('constructor()', function() { it('should get `captureStackTrace`', function() { - const errorFn = function () { throw new OAuthError('test', {name: 'test_error'}); }; + const errorFn = function () { throw new OAuthError('test', {name: 'test_error', foo: 'bar'}); }; try { errorFn(); @@ -25,6 +25,8 @@ describe('OAuthError', function() { } catch (e) { e.should.be.an.instanceOf(OAuthError); + e.name.should.equal('test_error'); + e.foo.should.equal('bar'); e.message.should.equal('test'); e.code.should.equal(500); e.stack.should.not.be.null; @@ -34,4 +36,23 @@ describe('OAuthError', function() { } }); }); + it('supports undefined properties', function () { + const errorFn = function () { throw new OAuthError('test'); }; + + try { + errorFn(); + + should.fail(); + } catch (e) { + + e.should.be.an.instanceOf(OAuthError); + e.name.should.equal('Error'); + e.message.should.equal('test'); + e.code.should.equal(500); + e.stack.should.not.be.null; + e.stack.should.not.be.undefined; + e.stack.should.include('oauth-error_test.js'); + e.stack.should.include('40'); //error lineNUmber + } + }); }); diff --git a/test/unit/request_test.js b/test/unit/request_test.js index f292e2b4..0e23a419 100644 --- a/test/unit/request_test.js +++ b/test/unit/request_test.js @@ -5,6 +5,7 @@ */ const Request = require('../../lib/request'); +const InvalidArgumentError = require('../../lib/errors/invalid-argument-error'); const should = require('chai').should(); /** @@ -27,6 +28,24 @@ function generateBaseRequest() { } describe('Request', function() { + it('should throw on missing args', function () { + const args = [ + [undefined, InvalidArgumentError, 'Missing parameter: `headers`'], + [null, InvalidArgumentError, 'Missing parameter: `headers`'], + [{}, InvalidArgumentError, 'Missing parameter: `headers`'], + [{ headers: { }}, InvalidArgumentError, 'Missing parameter: `method`'], + [{ headers: {}, method: 'GET' }, InvalidArgumentError, 'Missing parameter: `query`'], + ]; + + args.forEach(([value, error, message]) => { + try { + new Request(value); + } catch (e) { + e.should.be.instanceOf(error); + e.message.should.equal(message); + } + }); + }); it('should instantiate with a basic request', function() { const originalRequest = generateBaseRequest(); From 9bf64c4b7d62541b6b1eac9baaf71c4d0c0bd889 Mon Sep 17 00:00:00 2001 From: jankapunkt Date: Tue, 22 Aug 2023 09:00:02 +0200 Subject: [PATCH 15/47] tests(integration): deep cover refresh-token grant type --- lib/grant-types/refresh-token-grant-type.js | 4 +- .../refresh-token-grant-type_test.js | 427 ++++++++++-------- 2 files changed, 249 insertions(+), 182 deletions(-) diff --git a/lib/grant-types/refresh-token-grant-type.js b/lib/grant-types/refresh-token-grant-type.js index b9e89a27..5b5b6fd2 100644 --- a/lib/grant-types/refresh-token-grant-type.js +++ b/lib/grant-types/refresh-token-grant-type.js @@ -130,8 +130,8 @@ class RefreshTokenGrantType extends AbstractGrantType { const accessTokenExpiresAt = await this.getAccessTokenExpiresAt(); const refreshTokenExpiresAt = await this.getRefreshTokenExpiresAt(); const token = { - accessToken: accessToken, - accessTokenExpiresAt: accessTokenExpiresAt, + accessToken, + accessTokenExpiresAt, scope: scope, }; diff --git a/test/integration/grant-types/refresh-token-grant-type_test.js b/test/integration/grant-types/refresh-token-grant-type_test.js index fede3776..316b8064 100644 --- a/test/integration/grant-types/refresh-token-grant-type_test.js +++ b/test/integration/grant-types/refresh-token-grant-type_test.js @@ -43,10 +43,10 @@ describe('RefreshTokenGrantType integration', function() { it('should throw an error if the model does not implement `revokeToken()`', function() { try { const model = { - getRefreshToken: function() {} + getRefreshToken: () => should.fail() }; - new RefreshTokenGrantType({ model: model }); + new RefreshTokenGrantType({ model }); should.fail(); } catch (e) { @@ -58,11 +58,11 @@ describe('RefreshTokenGrantType integration', function() { it('should throw an error if the model does not implement `saveToken()`', function() { try { const model = { - getRefreshToken: function() {}, - revokeToken: function() {} + getRefreshToken: () => should.fail(), + revokeToken: () => should.fail() }; - new RefreshTokenGrantType({ model: model }); + new RefreshTokenGrantType({ model }); should.fail(); } catch (e) { @@ -75,11 +75,11 @@ describe('RefreshTokenGrantType integration', function() { describe('handle()', function() { it('should throw an error if `request` is missing', async function() { const model = { - getRefreshToken: function() {}, - revokeToken: function() {}, - saveToken: function() {} + getRefreshToken: () => should.fail(), + revokeToken: () => should.fail(), + saveToken: () => should.fail() }; - const grantType = new RefreshTokenGrantType({ accessTokenLifetime: 120, model: model }); + const grantType = new RefreshTokenGrantType({ accessTokenLifetime: 120, model }); try { await grantType.handle(); @@ -93,11 +93,11 @@ describe('RefreshTokenGrantType integration', function() { it('should throw an error if `client` is missing', async function() { const model = { - getRefreshToken: function() {}, - revokeToken: function() {}, - saveToken: function() {} + getRefreshToken: () => should.fail(), + revokeToken: () => should.fail(), + saveToken: () => should.fail() }; - const grantType = new RefreshTokenGrantType({ accessTokenLifetime: 120, model: model }); + const grantType = new RefreshTokenGrantType({ accessTokenLifetime: 120, model }); const request = new Request({ body: {}, headers: {}, method: {}, query: {} }); try { @@ -110,22 +110,51 @@ describe('RefreshTokenGrantType integration', function() { } }); - it('should return a token', function() { + it('should return a token', async function() { const client = { id: 123 }; - const token = { accessToken: 'foo', client: { id: 123 }, user: {} }; + const token = { + accessToken: 'foo', + client: { id: 123 }, + user: { name: 'foo' }, + scope: 'read write', + refreshTokenExpiresAt: new Date( new Date() * 2) + }; const model = { - getRefreshToken: function() { return token; }, - revokeToken: function() { return { accessToken: 'foo', client: { id: 123 }, refreshTokenExpiresAt: new Date(new Date() / 2), user: {} }; }, - saveToken: function() { return token; } + getRefreshToken: async function(_refreshToken) { + _refreshToken.should.equal('foobar_refresh'); + return token; + }, + revokeToken: async function(_token) { + _token.should.deep.equal(token); + return true; + }, + generateAccessToken: async function (_client, _user, _scope) { + _user.should.deep.equal({ name: 'foo' }); + _client.should.deep.equal({ id: 123 }); + _scope.should.equal('read write'); + return 'new-access-token'; + }, + generateRefreshToken: async function (_client, _user, _scope) { + _user.should.deep.equal({ name: 'foo' }); + _client.should.deep.equal({ id: 123 }); + _scope.should.equal('read write'); + return 'new-refresh-token'; + }, + saveToken: async function(_token, _client, _user) { + _user.should.deep.equal({ name: 'foo' }); + _client.should.deep.equal({ id: 123 }); + _token.accessToken.should.equal('new-access-token'); + _token.refreshToken.should.equal('new-refresh-token'); + _token.accessTokenExpiresAt.should.be.instanceOf(Date); + _token.refreshTokenExpiresAt.should.be.instanceOf(Date); + return token; + } }; - const grantType = new RefreshTokenGrantType({ accessTokenLifetime: 123, model: model }); - const request = new Request({ body: { refresh_token: 'foobar' }, headers: {}, method: {}, query: {} }); - return grantType.handle(request, client) - .then(function(data) { - data.should.equal(token); - }) - .catch(should.fail); + const grantType = new RefreshTokenGrantType({ accessTokenLifetime: 123, model }); + const request = new Request({ body: { refresh_token: 'foobar_refresh' }, headers: {}, method: {}, query: {} }); + const data = await grantType.handle(request, client); + data.should.equal(token); }); it('should support promises', function() { @@ -135,7 +164,7 @@ describe('RefreshTokenGrantType integration', function() { revokeToken: async function() { return { accessToken: 'foo', client: {}, refreshTokenExpiresAt: new Date(new Date() / 2), user: {} }; }, saveToken: async function() { return { accessToken: 'foo', client: {}, user: {} }; } }; - const grantType = new RefreshTokenGrantType({ accessTokenLifetime: 123, model: model }); + const grantType = new RefreshTokenGrantType({ accessTokenLifetime: 123, model }); const request = new Request({ body: { refresh_token: 'foobar' }, headers: {}, method: {}, query: {} }); grantType.handle(request, client).should.be.an.instanceOf(Promise); @@ -144,11 +173,11 @@ describe('RefreshTokenGrantType integration', function() { it('should support non-promises', function() { const client = { id: 123 }; const model = { - getRefreshToken: function() { return { accessToken: 'foo', client: { id: 123 }, user: {} }; }, - revokeToken: function() { return { accessToken: 'foo', client: {}, refreshTokenExpiresAt: new Date(new Date() / 2), user: {} }; }, - saveToken: function() { return { accessToken: 'foo', client: {}, user: {} }; } + getRefreshToken: async function() { return { accessToken: 'foo', client: { id: 123 }, user: {} }; }, + revokeToken: async function() { return { accessToken: 'foo', client: {}, refreshTokenExpiresAt: new Date(new Date() / 2), user: {} }; }, + saveToken: async function() { return { accessToken: 'foo', client: {}, user: {} }; } }; - const grantType = new RefreshTokenGrantType({ accessTokenLifetime: 123, model: model }); + const grantType = new RefreshTokenGrantType({ accessTokenLifetime: 123, model }); const request = new Request({ body: { refresh_token: 'foobar' }, headers: {}, method: {}, query: {} }); grantType.handle(request, client).should.be.an.instanceOf(Promise); @@ -159,11 +188,11 @@ describe('RefreshTokenGrantType integration', function() { it('should throw an error if the `refreshToken` parameter is missing from the request body', async function() { const client = {}; const model = { - getRefreshToken: function() {}, - revokeToken: function() {}, - saveToken: function() {} + getRefreshToken: () => should.fail(), + revokeToken: () => should.fail(), + saveToken: () => should.fail() }; - const grantType = new RefreshTokenGrantType({ accessTokenLifetime: 120, model: model }); + const grantType = new RefreshTokenGrantType({ accessTokenLifetime: 120, model }); const request = new Request({ body: {}, headers: {}, method: {}, query: {} }); try { @@ -176,92 +205,100 @@ describe('RefreshTokenGrantType integration', function() { } }); - it('should throw an error if `refreshToken` is not found', function() { + it('should throw an error if `refreshToken` is not found', async function() { const client = { id: 123 }; const model = { - getRefreshToken: function() { return; }, - revokeToken: function() {}, - saveToken: function() {} + getRefreshToken: async function() {} , + revokeToken: () => should.fail(), + saveToken: () => should.fail() }; - const grantType = new RefreshTokenGrantType({ accessTokenLifetime: 120, model: model }); + const grantType = new RefreshTokenGrantType({ accessTokenLifetime: 120, model }); const request = new Request({ body: { refresh_token: '12345' }, headers: {}, method: {}, query: {} }); - return grantType.getRefreshToken(request, client) - .then(should.fail) - .catch(function(e) { - e.should.be.an.instanceOf(InvalidGrantError); - e.message.should.equal('Invalid grant: refresh token is invalid'); - }); + try { + await grantType.getRefreshToken(request, client); + + should.fail(); + } catch (e) { + e.should.be.an.instanceOf(InvalidGrantError); + e.message.should.equal('Invalid grant: refresh token is invalid'); + } }); - it('should throw an error if `refreshToken.client` is missing', function() { + it('should throw an error if `refreshToken.client` is missing', async function() { const client = {}; const model = { - getRefreshToken: function() { return {}; }, - revokeToken: function() {}, - saveToken: function() {} + getRefreshToken: async function() { return {}; }, + revokeToken: () => should.fail(), + saveToken: () => should.fail() }; - const grantType = new RefreshTokenGrantType({ accessTokenLifetime: 120, model: model }); + const grantType = new RefreshTokenGrantType({ accessTokenLifetime: 120, model }); const request = new Request({ body: { refresh_token: 12345 }, headers: {}, method: {}, query: {} }); - return grantType.getRefreshToken(request, client) - .then(should.fail) - .catch(function(e) { - e.should.be.an.instanceOf(ServerError); - e.message.should.equal('Server error: `getRefreshToken()` did not return a `client` object'); - }); + try { + await grantType.getRefreshToken(request, client); + + should.fail(); + } catch (e) { + e.should.be.an.instanceOf(ServerError); + e.message.should.equal('Server error: `getRefreshToken()` did not return a `client` object'); + } }); - it('should throw an error if `refreshToken.user` is missing', function() { + it('should throw an error if `refreshToken.user` is missing', async function() { const client = {}; const model = { - getRefreshToken: function() { + getRefreshToken: async function() { return { accessToken: 'foo', client: {} }; }, - revokeToken: function() {}, - saveToken: function() {} + revokeToken: () => should.fail(), + saveToken: () => should.fail() }; - const grantType = new RefreshTokenGrantType({ accessTokenLifetime: 120, model: model }); + const grantType = new RefreshTokenGrantType({ accessTokenLifetime: 120, model }); const request = new Request({ body: { refresh_token: 12345 }, headers: {}, method: {}, query: {} }); - return grantType.getRefreshToken(request, client) - .then(should.fail) - .catch(function(e) { - e.should.be.an.instanceOf(ServerError); - e.message.should.equal('Server error: `getRefreshToken()` did not return a `user` object'); - }); + try { + await grantType.getRefreshToken(request, client); + + should.fail(); + } catch (e) { + e.should.be.an.instanceOf(ServerError); + e.message.should.equal('Server error: `getRefreshToken()` did not return a `user` object'); + } }); - it('should throw an error if the client id does not match', function() { + it('should throw an error if the client id does not match', async function() { const client = { id: 123 }; const model = { - getRefreshToken: function() { + getRefreshToken: async function() { return { accessToken: 'foo', client: { id: 456 }, user: {} }; }, - revokeToken: function() {}, - saveToken: function() {} + revokeToken: () => should.fail(), + saveToken: () => should.fail() }; - const grantType = new RefreshTokenGrantType({ accessTokenLifetime: 120, model: model }); + const grantType = new RefreshTokenGrantType({ accessTokenLifetime: 120, model }); const request = new Request({ body: { refresh_token: 12345 }, headers: {}, method: {}, query: {} }); - return grantType.getRefreshToken(request, client) - .then(should.fail) - .catch(function(e) { - e.should.be.an.instanceOf(InvalidGrantError); - e.message.should.equal('Invalid grant: refresh token was issued to another client'); - }); + try { + await grantType.getRefreshToken(request, client); + + should.fail(); + } catch (e) { + e.should.be.an.instanceOf(InvalidGrantError); + e.message.should.equal('Invalid grant: refresh token was issued to another client'); + } }); it('should throw an error if `refresh_token` contains invalid characters', async function() { const client = {}; const model = { - getRefreshToken: function() { + getRefreshToken: async function() { return { client: { id: 456 }, user: {} }; }, - revokeToken: function() {}, - saveToken: function() {} + revokeToken: () => should.fail(), + saveToken: () => should.fail() }; - const grantType = new RefreshTokenGrantType({ accessTokenLifetime: 120, model: model }); + const grantType = new RefreshTokenGrantType({ accessTokenLifetime: 120, model }); const request = new Request({ body: { refresh_token: 'ø倣‰' }, headers: {}, method: {}, query: {} }); try { @@ -274,83 +311,100 @@ describe('RefreshTokenGrantType integration', function() { } }); - it('should throw an error if `refresh_token` is missing', function() { + it('should throw an error if `refresh_token` is missing', async function() { const client = {}; const model = { - getRefreshToken: function() { + getRefreshToken: async function() { return { accessToken: 'foo', client: { id: 456 }, user: {} }; }, - revokeToken: function() {}, - saveToken: function() {} + revokeToken: () => should.fail(), + saveToken: () => should.fail() }; - const grantType = new RefreshTokenGrantType({ accessTokenLifetime: 120, model: model }); + const grantType = new RefreshTokenGrantType({ accessTokenLifetime: 120, model }); const request = new Request({ body: { refresh_token: 12345 }, headers: {}, method: {}, query: {} }); - return grantType.getRefreshToken(request, client) - .then(should.fail) - .catch(function(e) { - e.should.be.an.instanceOf(InvalidGrantError); - e.message.should.equal('Invalid grant: refresh token was issued to another client'); - }); + try { + await grantType.getRefreshToken(request, client); + + should.fail(); + } catch (e) { + e.should.be.an.instanceOf(InvalidGrantError); + e.message.should.equal('Invalid grant: refresh token was issued to another client'); + } }); - it('should throw an error if `refresh_token` is expired', function() { + it('should throw an error if `refresh_token` is expired', async function() { const client = { id: 123 }; const date = new Date(new Date() / 2); const model = { - getRefreshToken: function() { + getRefreshToken: async function() { return { accessToken: 'foo', client: { id: 123 }, refreshTokenExpiresAt: date, user: {} }; }, - revokeToken: function() {}, - saveToken: function() {} + revokeToken: () => should.fail(), + saveToken: () => should.fail() }; - const grantType = new RefreshTokenGrantType({ accessTokenLifetime: 120, model: model }); + const grantType = new RefreshTokenGrantType({ accessTokenLifetime: 120, model }); const request = new Request({ body: { refresh_token: 12345 }, headers: {}, method: {}, query: {} }); - return grantType.getRefreshToken(request, client) - .then(should.fail) - .catch(function(e) { - e.should.be.an.instanceOf(InvalidGrantError); - e.message.should.equal('Invalid grant: refresh token has expired'); - }); + try { + await grantType.getRefreshToken(request, client); + + should.fail(); + } catch (e) { + e.should.be.an.instanceOf(InvalidGrantError); + e.message.should.equal('Invalid grant: refresh token has expired'); + } }); - it('should throw an error if `refreshTokenExpiresAt` is not a date value', function() { + it('should throw an error if `refreshTokenExpiresAt` is not a date value', async function() { const client = { id: 123 }; const model = { - getRefreshToken: function() { + getRefreshToken: async function() { return { accessToken: 'foo', client: { id: 123 }, refreshTokenExpiresAt: 'stringvalue', user: {} }; }, - revokeToken: function() {}, - saveToken: function() {} + revokeToken: () => should.fail(), + saveToken: () => should.fail() }; - const grantType = new RefreshTokenGrantType({ accessTokenLifetime: 120, model: model }); + const grantType = new RefreshTokenGrantType({ accessTokenLifetime: 120, model }); const request = new Request({ body: { refresh_token: 12345 }, headers: {}, method: {}, query: {} }); - return grantType.getRefreshToken(request, client) - .then(should.fail) - .catch(function(e) { - e.should.be.an.instanceOf(ServerError); - e.message.should.equal('Server error: `refreshTokenExpiresAt` must be a Date instance'); - }); + try { + await grantType.getRefreshToken(request, client); + + should.fail(); + } catch (e) { + e.should.be.an.instanceOf(ServerError); + e.message.should.equal('Server error: `refreshTokenExpiresAt` must be a Date instance'); + } }); - it('should return a token', function() { + it('should return a token', async function() { const client = { id: 123 }; - const token = { accessToken: 'foo', client: { id: 123 }, user: {} }; + const token = { accessToken: 'foo', client: { id: 123 }, user: { name: 'foobar' } }; const model = { - getRefreshToken: function() { return token; }, - revokeToken: function() {}, - saveToken: function() {} + getRefreshToken: async function(_refreshToken) { + _refreshToken.should.equal('foobar_refresh'); + return token; + }, + revokeToken: async function(_token) { + _token.should.deep.equal(token); + return true; + }, + saveToken: async function(_token, _client, _user) { + _user.should.deep.equal(token.user); + _client.should.deep.equal(client); + _token.accessToken.should.be.a.sha256(); + _token.refreshToken.should.be.a.sha256(); + _token.accessTokenExpiresAt.should.be.instanceOf(Date); + _token.refreshTokenExpiresAt.should.be.instanceOf(Date); + return token; + } }; - const grantType = new RefreshTokenGrantType({ accessTokenLifetime: 123, model: model }); - const request = new Request({ body: { refresh_token: 'foobar' }, headers: {}, method: {}, query: {} }); + const grantType = new RefreshTokenGrantType({ accessTokenLifetime: 123, model }); + const request = new Request({ body: { refresh_token: 'foobar_refresh' }, headers: {}, method: {}, query: {} }); - return grantType.getRefreshToken(request, client) - .then(function(data) { - data.should.equal(token); - }) - .catch(should.fail); + const data = await grantType.getRefreshToken(request, client); + data.should.equal(token); }); it('should support promises', function() { @@ -358,10 +412,10 @@ describe('RefreshTokenGrantType integration', function() { const token = { accessToken: 'foo', client: { id: 123 }, user: {} }; const model = { getRefreshToken: async function() { return token; }, - revokeToken: function() {}, - saveToken: function() {} + revokeToken: async function() {}, + saveToken: async function() {} }; - const grantType = new RefreshTokenGrantType({ accessTokenLifetime: 123, model: model }); + const grantType = new RefreshTokenGrantType({ accessTokenLifetime: 123, model }); const request = new Request({ body: { refresh_token: 'foobar' }, headers: {}, method: {}, query: {} }); grantType.getRefreshToken(request, client).should.be.an.instanceOf(Promise); @@ -371,11 +425,11 @@ describe('RefreshTokenGrantType integration', function() { const client = { id: 123 }; const token = { accessToken: 'foo', client: { id: 123 }, user: {} }; const model = { - getRefreshToken: function() { return token; }, - revokeToken: function() {}, - saveToken: function() {} + getRefreshToken: async function() { return token; }, + revokeToken: async function() {}, + saveToken: async function() {} }; - const grantType = new RefreshTokenGrantType({ accessTokenLifetime: 123, model: model }); + const grantType = new RefreshTokenGrantType({ accessTokenLifetime: 123, model }); const request = new Request({ body: { refresh_token: 'foobar' }, headers: {}, method: {}, query: {} }); grantType.getRefreshToken(request, client).should.be.an.instanceOf(Promise); @@ -383,46 +437,47 @@ describe('RefreshTokenGrantType integration', function() { }); describe('revokeToken()', function() { - it('should throw an error if the `token` is invalid', function() { + it('should throw an error if the `token` is invalid', async function() { const model = { - getRefreshToken: function() {}, - revokeToken: function() {}, - saveToken: function() {} + getRefreshToken: () => should.fail(), + revokeToken: async () => {}, + saveToken: () => should.fail() }; - const grantType = new RefreshTokenGrantType({ accessTokenLifetime: 120, model: model }); - - grantType.revokeToken({}) - .then(should.fail) - .catch(function (e) { - e.should.be.an.instanceOf(InvalidGrantError); - e.message.should.equal('Invalid grant: refresh token is invalid'); - }); + const grantType = new RefreshTokenGrantType({ accessTokenLifetime: 120, model }); + + try { + await grantType.revokeToken({}); + should.fail(); + } catch (e) { + e.should.be.an.instanceOf(InvalidGrantError); + e.message.should.equal('Invalid grant: refresh token is invalid or could not be revoked'); + } }); - it('should revoke the token', function() { + it('should revoke the token', async function() { const token = { accessToken: 'foo', client: {}, refreshTokenExpiresAt: new Date(new Date() / 2), user: {} }; const model = { - getRefreshToken: function() {}, - revokeToken: function() { return token; }, - saveToken: function() {} + getRefreshToken: () => should.fail(), + revokeToken: async function(_token) { + _token.should.deep.equal(token); + return token; + }, + saveToken: () => should.fail() }; - const grantType = new RefreshTokenGrantType({ accessTokenLifetime: 123, model: model }); + const grantType = new RefreshTokenGrantType({ accessTokenLifetime: 123, model }); - return grantType.revokeToken(token) - .then(function(data) { - data.should.equal(token); - }) - .catch(should.fail); + const data = await grantType.revokeToken(token); + data.should.equal(token); }); it('should support promises', function() { const token = { accessToken: 'foo', client: {}, refreshTokenExpiresAt: new Date(new Date() / 2), user: {} }; const model = { - getRefreshToken: function() {}, + getRefreshToken: () => should.fail(), revokeToken: async function() { return token; }, - saveToken: function() {} + saveToken: () => should.fail() }; - const grantType = new RefreshTokenGrantType({ accessTokenLifetime: 123, model: model }); + const grantType = new RefreshTokenGrantType({ accessTokenLifetime: 123, model }); grantType.revokeToken(token).should.be.an.instanceOf(Promise); }); @@ -430,41 +485,53 @@ describe('RefreshTokenGrantType integration', function() { it('should support non-promises', function() { const token = { accessToken: 'foo', client: {}, refreshTokenExpiresAt: new Date(new Date() / 2), user: {} }; const model = { - getRefreshToken: function() {}, + getRefreshToken: () => should.fail(), revokeToken: function() { return token; }, - saveToken: function() {} + saveToken: () => should.fail() }; - const grantType = new RefreshTokenGrantType({ accessTokenLifetime: 123, model: model }); + const grantType = new RefreshTokenGrantType({ accessTokenLifetime: 123, model }); grantType.revokeToken(token).should.be.an.instanceOf(Promise); }); }); describe('saveToken()', function() { - it('should save the token', function() { - const token = {}; + it('should save the token', async function() { + const user = { name: 'foo' }; + const client = { id: 123465 }; + const scope = ['foo', 'bar']; const model = { - getRefreshToken: function() {}, - revokeToken: function() {}, - saveToken: function() { return token; } + getRefreshToken: () => should.fail(), + revokeToken: () => should.fail(), + saveToken: async function(_token, _client, _user) { + _user.should.deep.equal(user); + _client.should.deep.equal(client); + _token.scope.should.deep.equal(scope); + _token.accessToken.should.be.a.sha256(); + _token.refreshToken.should.be.a.sha256(); + _token.accessTokenExpiresAt.should.be.instanceOf(Date); + _token.refreshTokenExpiresAt.should.be.instanceOf(Date); + return { ..._token }; + } }; - const grantType = new RefreshTokenGrantType({ accessTokenLifetime: 123, model: model }); - - return grantType.saveToken(token) - .then(function(data) { - data.should.equal(token); - }) - .catch(should.fail); + const grantType = new RefreshTokenGrantType({ accessTokenLifetime: 123, model }); + + const data = await grantType.saveToken(user, client, scope); + data.accessToken.should.be.a.sha256(); + data.refreshToken.should.be.a.sha256(); + data.accessTokenExpiresAt.should.be.instanceOf(Date); + data.refreshTokenExpiresAt.should.be.instanceOf(Date); + data.scope.should.deep.equal(scope); }); it('should support promises', function() { const token = {}; const model = { - getRefreshToken: function() {}, - revokeToken: function() {}, + getRefreshToken: () => should.fail(), + revokeToken: () => should.fail(), saveToken: async function() { return token; } }; - const grantType = new RefreshTokenGrantType({ accessTokenLifetime: 123, model: model }); + const grantType = new RefreshTokenGrantType({ accessTokenLifetime: 123, model }); grantType.saveToken(token).should.be.an.instanceOf(Promise); }); @@ -472,11 +539,11 @@ describe('RefreshTokenGrantType integration', function() { it('should support non-promises', function() { const token = {}; const model = { - getRefreshToken: function() {}, - revokeToken: function() {}, + getRefreshToken: () => should.fail(), + revokeToken: () => should.fail(), saveToken: function() { return token; } }; - const grantType = new RefreshTokenGrantType({ accessTokenLifetime: 123, model: model }); + const grantType = new RefreshTokenGrantType({ accessTokenLifetime: 123, model }); grantType.saveToken(token).should.be.an.instanceOf(Promise); }); From 92cc613a7c5a6e73b63d4e11461aeb58f1044dac Mon Sep 17 00:00:00 2001 From: jankapunkt Date: Tue, 22 Aug 2023 09:02:18 +0200 Subject: [PATCH 16/47] tests(integration): deep cover authenticte handler --- .../handlers/authenticate-handler_test.js | 38 +++++++++++++++---- 1 file changed, 30 insertions(+), 8 deletions(-) diff --git a/test/integration/handlers/authenticate-handler_test.js b/test/integration/handlers/authenticate-handler_test.js index c069ed9f..712dd7cd 100644 --- a/test/integration/handlers/authenticate-handler_test.js +++ b/test/integration/handlers/authenticate-handler_test.js @@ -101,16 +101,38 @@ describe('AuthenticateHandler integration', function() { }); describe('handle()', function() { - it('should throw an error if `request` is missing', async function() { - const handler = new AuthenticateHandler({ model: { getAccessToken: function() {} } }); + it('should throw an error if `request` is missing or not a Request instance', async function() { + class Request {} // intentionally fake + const values = [undefined, null, {}, [], new Date(), new Request()]; + for (const request of values) { + const handler = new AuthenticateHandler({ model: { getAccessToken: function() {} } }); + + try { + await handler.handle(request); + + should.fail(); + } catch (e) { + e.should.be.an.instanceOf(InvalidArgumentError); + e.message.should.equal('Invalid argument: `request` must be an instance of Request'); + } + } + }); - try { - await handler.handle(); + it('should throw an error if `response` is missing or not a Response instance', async function() { + class Response {} // intentionally fake + const values = [undefined, null, {}, [], new Date(), new Response()]; + const request = new Request({ body: {}, headers: { 'Authorization': 'Bearer foo' }, method: {}, query: {} }); - should.fail(); - } catch (e) { - e.should.be.an.instanceOf(InvalidArgumentError); - e.message.should.equal('Invalid argument: `request` must be an instance of Request'); + for (const response of values) { + const handler = new AuthenticateHandler({ model: { getAccessToken: function() {} } }); + try { + await handler.handle(request, response); + + should.fail(); + } catch (e) { + e.should.be.an.instanceOf(InvalidArgumentError); + e.message.should.equal('Invalid argument: `response` must be an instance of Response'); + } } }); From 323c91b03a8ebce4593b753173ae0441d4c2b9cf Mon Sep 17 00:00:00 2001 From: jankapunkt Date: Tue, 22 Aug 2023 09:02:40 +0200 Subject: [PATCH 17/47] tests(unit): improve coverage for TokenModel --- test/unit/models/token-model_test.js | 96 ++++++++++++++++++++++++++++ 1 file changed, 96 insertions(+) diff --git a/test/unit/models/token-model_test.js b/test/unit/models/token-model_test.js index 7dcac615..e9039386 100644 --- a/test/unit/models/token-model_test.js +++ b/test/unit/models/token-model_test.js @@ -1,4 +1,5 @@ const TokenModel = require('../../../lib/models/token-model'); +const InvalidArgumentError = require('../../../lib/errors/invalid-argument-error'); const should = require('chai').should(); /** * Test `Server`. @@ -6,6 +7,101 @@ const should = require('chai').should(); describe('Model', function() { describe('constructor()', function() { + it('throws, if data is empty', function () { + try { + new TokenModel(); + should.fail(); + } catch (e) { + e.should.be.an.instanceOf(InvalidArgumentError); + e.message.should.equal('Missing parameter: `accessToken`'); + } + }); + it('throws, if `accessToken` is missing', function () { + const atExpiresAt = new Date(); + atExpiresAt.setHours(new Date().getHours() + 1); + + const data = { + client: 'bar', + user: 'tar', + accessTokenExpiresAt: atExpiresAt + }; + + try { + new TokenModel(data); + should.fail(); + } catch (e) { + e.should.be.an.instanceOf(InvalidArgumentError); + e.message.should.equal('Missing parameter: `accessToken`'); + } + }); + it('throws, if `client` is missing', function () { + const atExpiresAt = new Date(); + atExpiresAt.setHours(new Date().getHours() + 1); + + const data = { + accessToken: 'foo', + user: 'tar', + accessTokenExpiresAt: atExpiresAt + }; + + try { + new TokenModel(data); + should.fail(); + } catch (e) { + e.should.be.an.instanceOf(InvalidArgumentError); + e.message.should.equal('Missing parameter: `client`'); + } + }); + it('throws, if `user` is missing', function () { + const atExpiresAt = new Date(); + atExpiresAt.setHours(new Date().getHours() + 1); + + const data = { + accessToken: 'foo', + client: 'bar', + accessTokenExpiresAt: atExpiresAt + }; + + try { + new TokenModel(data); + should.fail(); + } catch (e) { + e.should.be.an.instanceOf(InvalidArgumentError); + e.message.should.equal('Missing parameter: `user`'); + } + }); + it('throws, if `accessTokenExpiresAt` is not a Date', function () { + const data = { + accessToken: 'foo', + client: 'bar', + user: 'tar', + accessTokenExpiresAt: '11/10/2023' + }; + + try { + new TokenModel(data); + should.fail(); + } catch (e) { + e.should.be.an.instanceOf(InvalidArgumentError); + e.message.should.equal('Invalid parameter: `accessTokenExpiresAt`'); + } + }); + it('throws, if `refreshTokenExpiresAt` is not a Date', function () { + const data = { + accessToken: 'foo', + client: 'bar', + user: 'tar', + refreshTokenExpiresAt: '11/10/2023' + }; + + try { + new TokenModel(data); + should.fail(); + } catch (e) { + e.should.be.an.instanceOf(InvalidArgumentError); + e.message.should.equal('Invalid parameter: `refreshTokenExpiresAt`'); + } + }); it('should calculate `accessTokenLifetime` if `accessTokenExpiresAt` is set', function() { const atExpiresAt = new Date(); atExpiresAt.setHours(new Date().getHours() + 1); From fde0915bdef4f30955a566dbd19f6950c946c69b Mon Sep 17 00:00:00 2001 From: jankapunkt Date: Tue, 22 Aug 2023 15:55:14 +0200 Subject: [PATCH 18/47] tests(unit): improve coverage for crypto util --- test/unit/utils/crypto-util_test.js | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 test/unit/utils/crypto-util_test.js diff --git a/test/unit/utils/crypto-util_test.js b/test/unit/utils/crypto-util_test.js new file mode 100644 index 00000000..7c3057e0 --- /dev/null +++ b/test/unit/utils/crypto-util_test.js @@ -0,0 +1,18 @@ +const cryptoUtil = require('../../../lib/utils/crypto-util'); +require('chai').should(); + +describe(cryptoUtil.createHash.name, function () { + it('creates a hash by given algorithm', function () { + const data = 'client-credentials-grant'; + const hash = cryptoUtil.createHash({ data, encoding: 'hex' }); + hash.should.equal('072726830f0aadd2d91f86f53e3a7ef40018c2626438152dd576e272bf2b8e60'); + }); + it('should throw if data is missing', function () { + try { + cryptoUtil.createHash({}); + } catch (e) { + e.should.be.instanceOf(TypeError); + e.message.should.include('he "data" argument must be of type string or an instance of Buffer, TypedArray, or DataView.'); + } + }); +}); From c0593ef7d53874130317e9538296973cb2646ad6 Mon Sep 17 00:00:00 2001 From: jankapunkt Date: Tue, 22 Aug 2023 15:55:47 +0200 Subject: [PATCH 19/47] tests(integration): deep-cover model integration in AuthorizeHandler tests --- lib/handlers/authorize-handler.js | 1 + .../handlers/authorize-handler_test.js | 634 +++++++++++------- 2 files changed, 398 insertions(+), 237 deletions(-) diff --git a/lib/handlers/authorize-handler.js b/lib/handlers/authorize-handler.js index 65168324..19922ed5 100644 --- a/lib/handlers/authorize-handler.js +++ b/lib/handlers/authorize-handler.js @@ -347,6 +347,7 @@ AuthorizeHandler.prototype.buildErrorRedirectUri = function(redirectUri, error) error: error.name }; + if (error.message) { uri.query.error_description = error.message; } diff --git a/test/integration/handlers/authorize-handler_test.js b/test/integration/handlers/authorize-handler_test.js index 17df3160..1e4a515d 100644 --- a/test/integration/handlers/authorize-handler_test.js +++ b/test/integration/handlers/authorize-handler_test.js @@ -20,6 +20,15 @@ const UnauthorizedClientError = require('../../../lib/errors/unauthorized-client const should = require('chai').should(); const url = require('url'); +const createModel = (model = {}) => { + return { + getAccessToken: () => should.fail(), + getClient: () => should.fail(), + saveAuthorizationCode: () => should.fail(), + ...model + }; +}; + /** * Test `AuthorizeHandler` integration. */ @@ -29,7 +38,6 @@ describe('AuthorizeHandler integration', function() { it('should throw an error if `options.authorizationCodeLifetime` is missing', function() { try { new AuthorizeHandler(); - should.fail(); } catch (e) { e.should.be.an.instanceOf(InvalidArgumentError); @@ -40,7 +48,6 @@ describe('AuthorizeHandler integration', function() { it('should throw an error if `options.model` is missing', function() { try { new AuthorizeHandler({ authorizationCodeLifetime: 120 }); - should.fail(); } catch (e) { e.should.be.an.instanceOf(InvalidArgumentError); @@ -51,7 +58,6 @@ describe('AuthorizeHandler integration', function() { it('should throw an error if the model does not implement `getClient()`', function() { try { new AuthorizeHandler({ authorizationCodeLifetime: 120, model: {} }); - should.fail(); } catch (e) { e.should.be.an.instanceOf(InvalidArgumentError); @@ -61,8 +67,7 @@ describe('AuthorizeHandler integration', function() { it('should throw an error if the model does not implement `saveAuthorizationCode()`', function() { try { - new AuthorizeHandler({ authorizationCodeLifetime: 120, model: { getClient: function() {} } }); - + new AuthorizeHandler({ authorizationCodeLifetime: 120, model: { getClient: () => should.fail() } }); should.fail(); } catch (e) { e.should.be.an.instanceOf(InvalidArgumentError); @@ -72,12 +77,12 @@ describe('AuthorizeHandler integration', function() { it('should throw an error if the model does not implement `getAccessToken()`', function() { const model = { - getClient: function() {}, - saveAuthorizationCode: function() {} + getClient: () => should.fail(), + saveAuthorizationCode: () => should.fail() }; try { - new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model }); + new AuthorizeHandler({ authorizationCodeLifetime: 120, model }); should.fail(); } catch (e) { @@ -87,51 +92,58 @@ describe('AuthorizeHandler integration', function() { }); it('should set the `authorizationCodeLifetime`', function() { - const model = { - getAccessToken: function() {}, - getClient: function() {}, - saveAuthorizationCode: function() {} - }; - const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model }); + const model = createModel(); + const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model }); handler.authorizationCodeLifetime.should.equal(120); }); - it('should set the `authenticateHandler`', function() { - const model = { - getAccessToken: function() {}, - getClient: function() {}, - saveAuthorizationCode: function() {} - }; - const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model }); + it('should throw if the custom `authenticateHandler` does not implement a `handle` method', function () { + const model = createModel(); + const authenticateHandler = {}; // misses handle() method + + try { + new AuthorizeHandler({ authenticateHandler, authorizationCodeLifetime: 120, model }); + should.fail(); + } catch (e) { + e.should.be.an.instanceOf(InvalidArgumentError); + e.message.should.equal('Invalid argument: authenticateHandler does not implement `handle()`'); + } + }); + it('should set the default `authenticateHandler`, if no custom one is passed', function() { + const model = createModel(); + const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model }); handler.authenticateHandler.should.be.an.instanceOf(AuthenticateHandler); }); - it('should set the `model`', function() { - const model = { - getAccessToken: function() {}, - getClient: function() {}, - saveAuthorizationCode: function() {} - }; - const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model }); + it('should set the custom `authenticateHandler`, if valid', function () { + const model = createModel(); + + class CustomAuthenticateHandler { + async handle () {} + } + + const authenticateHandler = new CustomAuthenticateHandler(); + const handler = new AuthorizeHandler({ authenticateHandler, authorizationCodeLifetime: 120, model }); + handler.authenticateHandler.should.be.an.instanceOf(CustomAuthenticateHandler); + handler.authenticateHandler.should.not.be.an.instanceOf(AuthenticateHandler); + }); + it('should set the `model`', function() { + const model = createModel(); + const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model }); handler.model.should.equal(model); }); }); describe('handle()', function() { it('should throw an error if `request` is missing', async function() { - const model = { - getAccessToken: function() {}, - getClient: function() {}, - saveAuthorizationCode: function() {} - }; - const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model }); + const model = createModel(); + const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model }); try { await handler.handle(); - should.fail(); } catch (e) { e.should.be.an.instanceOf(InvalidArgumentError); @@ -140,17 +152,12 @@ describe('AuthorizeHandler integration', function() { }); it('should throw an error if `response` is missing', async function() { - const model = { - getAccessToken: function() {}, - getClient: function() {}, - saveAuthorizationCode: function() {} - }; - const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model }); + const model = createModel(); + const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model }); const request = new Request({ body: {}, headers: {}, method: {}, query: {} }); try { await handler.handle(request); - should.fail(); } catch (e) { e.should.be.an.instanceOf(InvalidArgumentError); @@ -158,28 +165,35 @@ describe('AuthorizeHandler integration', function() { } }); - it('should redirect to an error response if user denied access', function() { - const model = { - getAccessToken: function() { + it('should redirect to an error response if user denied access', async function() { + const client = { + id: 'client-12345', + grants: ['authorization_code'], + redirectUris: ['http://example.com/cb'] + }; + const model = createModel({ + getAccessToken: async function(_token) { + _token.should.equal('foobarbazmootoken'); return { user: {}, accessTokenExpiresAt: new Date(new Date().getTime() + 10000) }; }, - getClient: function() { - return { grants: ['authorization_code'], redirectUris: ['http://example.com/cb'] }; - }, - saveAuthorizationCode: function() {} - }; - const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model }); + getClient: async function(clientId, clientSecret) { + clientId.should.equal(client.id); + (clientSecret === null).should.equal(true); + return { ...client }; + } + }); + const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model }); const request = new Request({ body: { - client_id: 12345, + client_id: client.id, response_type: 'code' }, method: {}, headers: { - 'Authorization': 'Bearer foo' + 'Authorization': 'Bearer foobarbazmootoken' }, query: { state: 'foobar', @@ -188,29 +202,39 @@ describe('AuthorizeHandler integration', function() { }); const response = new Response({ body: {}, headers: {} }); - return handler.handle(request, response) - .then(should.fail) - .catch(function() { - response.get('location').should.equal('http://example.com/cb?error=access_denied&error_description=Access%20denied%3A%20user%20denied%20access%20to%20application&state=foobar'); - }); + try { + await handler.handle(request, response); + should.fail(); + } catch (e) { + e.should.be.an.instanceOf(AccessDeniedError); + e.message.should.equal('Access denied: user denied access to application'); + response + .get('location') + .should + .equal('http://example.com/cb?error=access_denied&error_description=Access%20denied%3A%20user%20denied%20access%20to%20application&state=foobar'); + } }); - it('should redirect to an error response if a non-oauth error is thrown', function() { - const model = { - getAccessToken: function() { + it('should redirect to an error response if a non-oauth error is thrown', async function() { + const model = createModel({ + getAccessToken: async function() { return { user: {}, accessTokenExpiresAt: new Date(new Date().getTime() + 10000) }; }, - getClient: function() { - return { grants: ['authorization_code'], redirectUris: ['http://example.com/cb'] }; + getClient: async function() { + return { + grants: ['authorization_code'], + redirectUris: ['http://example.com/cb'] + }; }, - saveAuthorizationCode: function() { - throw new Error('Unhandled exception'); + saveAuthorizationCode: async function() { + throw new CustomError('Unhandled exception'); } - }; - const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model }); + }); + class CustomError extends Error {} + const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model }); const request = new Request({ body: { client_id: 12345, @@ -226,29 +250,35 @@ describe('AuthorizeHandler integration', function() { }); const response = new Response({ body: {}, headers: {} }); - return handler.handle(request, response) - .then(should.fail) - .catch(function() { - response.get('location').should.equal('http://example.com/cb?error=server_error&error_description=Unhandled%20exception&state=foobar'); - }); + try { + await handler.handle(request, response); + should.fail(); + } catch (e) { + e.should.be.an.instanceOf(ServerError); // non-oauth-errors are converted to ServerError + e.message.should.equal('Unhandled exception'); + response + .get('location') + .should + .equal('http://example.com/cb?error=server_error&error_description=Unhandled%20exception&state=foobar'); + } }); - it('should redirect to an error response if an oauth error is thrown', function() { - const model = { - getAccessToken: function() { + it('should redirect to an error response if an oauth error is thrown', async function() { + const model = createModel({ + getAccessToken: async function() { return { user: {}, accessTokenExpiresAt: new Date(new Date().getTime() + 10000) }; }, - getClient: function() { + getClient: async function() { return { grants: ['authorization_code'], redirectUris: ['http://example.com/cb'] }; }, - saveAuthorizationCode: function() { + saveAuthorizationCode: async function() { throw new AccessDeniedError('Cannot request this auth code'); } - }; - const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model }); + }); + const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model }); const request = new Request({ body: { client_id: 12345, @@ -264,69 +294,87 @@ describe('AuthorizeHandler integration', function() { }); const response = new Response({ body: {}, headers: {} }); - return handler.handle(request, response) - .then(should.fail) - .catch(function() { - response.get('location').should.equal('http://example.com/cb?error=access_denied&error_description=Cannot%20request%20this%20auth%20code&state=foobar'); - }); + try { + await handler.handle(request, response); + should.fail(); + } catch (e) { + e.should.be.an.instanceOf(AccessDeniedError); + e.message.should.equal('Cannot request this auth code'); + response + .get('location') + .should + .equal('http://example.com/cb?error=access_denied&error_description=Cannot%20request%20this%20auth%20code&state=foobar'); + } }); - it('should redirect to a successful response with `code` and `state` if successful', function() { - const client = { grants: ['authorization_code'], redirectUris: ['http://example.com/cb'] }; - const model = { - getAccessToken: function() { + it('should redirect to a successful response with `code` and `state` if successful', async function() { + const client = { + id: 'client-12343434', + grants: ['authorization_code'], + redirectUris: ['http://example.com/cb'] + }; + const model = createModel({ + getAccessToken: async function(_token) { + _token.should.equal('foobarbaztokenmoo'); return { - client: client, + client, user: {}, accessTokenExpiresAt: new Date(new Date().getTime() + 10000) }; }, - getClient: function() { - return client; + getClient: async function(clientId, clientSecret) { + clientId.should.equal(client.id); + (clientSecret === null).should.equal(true); + return { ...client }; }, - saveAuthorizationCode: function() { - return { authorizationCode: 12345, client: client }; + saveAuthorizationCode: async function() { + return { + authorizationCode: 'fooobar-long-authzcode-?', + client + }; } - }; - const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model }); + }); + const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model }); const request = new Request({ body: { - client_id: 12345, + client_id: client.id, response_type: 'code' }, headers: { - 'Authorization': 'Bearer foo' + 'Authorization': 'Bearer foobarbaztokenmoo' }, method: {}, query: { - state: 'foobar' + state: 'foobarbazstatemoo' } }); const response = new Response({ body: {}, headers: {} }); - - return handler.handle(request, response) - .then(function() { - response.get('location').should.equal('http://example.com/cb?code=12345&state=foobar'); - }) - .catch(should.fail); - }); - - it('should redirect to an error response if `scope` is invalid', function() { - const model = { - getAccessToken: function() { + const data = await handler.handle(request, response); + data.authorizationCode.should.equal('fooobar-long-authzcode-?'); + data.client.should.deep.equal(client); + response.status.should.equal(302); + response + .get('location') + .should + .equal('http://example.com/cb?code=fooobar-long-authzcode-%3F&state=foobarbazstatemoo'); + }); + + it('should redirect to an error response if `scope` is invalid', async function() { + const model = createModel({ + getAccessToken: async function() { return { user: {}, accessTokenExpiresAt: new Date(new Date().getTime() + 10000) }; }, - getClient: function() { + getClient: async function() { return { grants: ['authorization_code'], redirectUris: ['http://example.com/cb'] }; }, - saveAuthorizationCode: function() { + saveAuthorizationCode: async function() { return {}; } - }; - const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model }); + }); + const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model }); const request = new Request({ body: { client_id: 12345, @@ -343,14 +391,18 @@ describe('AuthorizeHandler integration', function() { }); const response = new Response({ body: {}, headers: {} }); - return handler.handle(request, response) - .then(should.fail) - .catch(function() { - response.get('location').should.equal('http://example.com/cb?error=invalid_scope&error_description=Invalid%20parameter%3A%20%60scope%60&state=foobar'); - }); + try { + await handler.handle(request, response); + should.fail(); + } catch (e) { + e.should.be.an.instanceOf(InvalidScopeError); + e.message.should.equal('Invalid parameter: `scope`'); + response.status.should.equal(302); + response.get('location').should.equal('http://example.com/cb?error=invalid_scope&error_description=Invalid%20parameter%3A%20%60scope%60&state=foobar'); + } }); - it('should redirect to a successful response if `model.validateScope` is not defined', function() { + it('should redirect to a successful response if `model.validateScope` is not defined', async function() { const client = { grants: ['authorization_code'], redirectUris: ['http://example.com/cb'] }; const model = { getAccessToken: function() { @@ -364,10 +416,10 @@ describe('AuthorizeHandler integration', function() { return client; }, saveAuthorizationCode: function() { - return { authorizationCode: 12345, client: client }; + return { authorizationCode: 'fooobar-long-authzcode-?', client }; } }; - const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model }); + const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model }); const request = new Request({ body: { client_id: 12345, @@ -379,42 +431,44 @@ describe('AuthorizeHandler integration', function() { method: {}, query: { scope: 'read', - state: 'foobar' + state: 'foobarbazstatemoo' } }); const response = new Response({ body: {}, headers: {} }); - - return handler.handle(request, response) - .then(function(data) { - data.should.eql({ - authorizationCode: 12345, - client: client - }); - }) - .catch(should.fail); + const data = await handler.handle(request, response); + data.should.deep.equal({ + authorizationCode: 'fooobar-long-authzcode-?', + client: client + }); + response.status.should.equal(302); + response + .get('location') + .should + .equal('http://example.com/cb?code=fooobar-long-authzcode-%3F&state=foobarbazstatemoo'); }); - it('should redirect to an error response if `scope` is insufficient', function() { - const client = { grants: ['authorization_code'], redirectUris: ['http://example.com/cb'] }; + it('should redirect to an error response if `scope` is insufficient (validateScope)', async function() { + const client = { id: 12345, grants: ['authorization_code'], redirectUris: ['http://example.com/cb'] }; const model = { - getAccessToken: function() { + getAccessToken: async function() { return { client: client, - user: {}, + user: { name: 'foouser' }, accessTokenExpiresAt: new Date(new Date().getTime() + 10000) }; }, - getClient: function() { + getClient: async function() { return client; }, - saveAuthorizationCode: function() { - return { authorizationCode: 12345, client: client }; + saveAuthorizationCode: async function() { + return { authorizationCode: 12345, client }; }, - validateScope: function() { + validateScope: async function(_user, _client, _scope) { + _scope.should.equal('read'); return false; } }; - const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model }); + const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model }); const request = new Request({ body: { client_id: 12345, @@ -431,29 +485,36 @@ describe('AuthorizeHandler integration', function() { }); const response = new Response({ body: {}, headers: {} }); - return handler.handle(request, response) - .then(should.fail) - .catch(function() { - response.get('location').should.equal('http://example.com/cb?error=invalid_scope&error_description=Invalid%20scope%3A%20Requested%20scope%20is%20invalid&state=foobar'); - }); + try { + await handler.handle(request, response); + should.fail(); + } catch(e) { + e.should.be.an.instanceOf(InvalidScopeError); + e.message.should.equal('Invalid scope: Requested scope is invalid'); + response.status.should.equal(302); + response + .get('location') + .should + .equal('http://example.com/cb?error=invalid_scope&error_description=Invalid%20scope%3A%20Requested%20scope%20is%20invalid&state=foobar'); + } }); - it('should redirect to an error response if `state` is missing', function() { - const model = { - getAccessToken: function() { + it('should redirect to an error response if `state` is missing', async function() { + const model = createModel({ + getAccessToken: async function() { return { user: {}, accessTokenExpiresAt: new Date(new Date().getTime() + 10000) }; }, - getClient: function() { + getClient: async function() { return { grants: ['authorization_code'], redirectUris: ['http://example.com/cb'] }; }, - saveAuthorizationCode: function() { + saveAuthorizationCode: async function() { throw new AccessDeniedError('Cannot request this auth code'); } - }; - const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model }); + }); + const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model }); const request = new Request({ body: { client_id: 12345, @@ -467,29 +528,34 @@ describe('AuthorizeHandler integration', function() { }); const response = new Response({ body: {}, headers: {} }); - return handler.handle(request, response) - .then(should.fail) - .catch(function() { - response.get('location').should.equal('http://example.com/cb?error=invalid_request&error_description=Missing%20parameter%3A%20%60state%60'); - }); + try { + await handler.handle(request, response); + should.fail(); + } catch (e) { + e.should.be.an.instanceOf(InvalidRequestError); + e.message.should.equal('Missing parameter: `state`'); + response.status.should.equal(302); + response + .get('location') + .should + .equal('http://example.com/cb?error=invalid_request&error_description=Missing%20parameter%3A%20%60state%60'); + } }); - it('should redirect to an error response if `response_type` is invalid', function() { + it('should redirect to an error response if `response_type` is invalid', async function() { const model = { - getAccessToken: function() { + getAccessToken: async function() { return { user: {}, accessTokenExpiresAt: new Date(new Date().getTime() + 10000) }; }, - getClient: function() { + getClient: async function() { return { grants: ['authorization_code'], redirectUris: ['http://example.com/cb'] }; }, - saveAuthorizationCode: function() { - return { authorizationCode: 12345, client: {} }; - } + saveAuthorizationCode: () => should.fail() // should fail before call }; - const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model }); + const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model }); const request = new Request({ body: { client_id: 12345, @@ -505,33 +571,43 @@ describe('AuthorizeHandler integration', function() { }); const response = new Response({ body: {}, headers: {} }); - return handler.handle(request, response) - .then(should.fail) - .catch(function() { - response.get('location').should.equal('http://example.com/cb?error=unsupported_response_type&error_description=Unsupported%20response%20type%3A%20%60response_type%60%20is%20not%20supported&state=foobar'); - }); + try { + await handler.handle(request, response); + should.fail(); + } catch (e) { + e.should.be.an.instanceOf(UnsupportedResponseTypeError); + e.message.should.equal('Unsupported response type: `response_type` is not supported'); + response.status.should.equal(302); + response + .get('location') + .should + .equal('http://example.com/cb?error=unsupported_response_type&error_description=Unsupported%20response%20type%3A%20%60response_type%60%20is%20not%20supported&state=foobar'); + } }); - it('should fail on invalid `response_type` before calling model.saveAuthorizationCode()', function() { + it('should return the `code` if successful', async function() { + const client = { grants: ['authorization_code'], redirectUris: ['http://example.com/cb'] }; const model = { - getAccessToken: function() { + getAccessToken: async function() { return { + client: client, user: {}, accessTokenExpiresAt: new Date(new Date().getTime() + 10000) }; }, - getClient: function() { - return { grants: ['authorization_code'], redirectUris: ['http://example.com/cb'] }; + getClient: async function() { + return client; }, - saveAuthorizationCode: function() { - throw new Error('must not be reached'); + generateAuthorizationCode: async () => 'some-code', + saveAuthorizationCode: async function(code) { + return { authorizationCode: code.authorizationCode, client: client }; } }; - const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model }); + const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model }); const request = new Request({ body: { client_id: 12345, - response_type: 'test' + response_type: 'code' }, headers: { 'Authorization': 'Bearer foo' @@ -543,24 +619,111 @@ describe('AuthorizeHandler integration', function() { }); const response = new Response({ body: {}, headers: {} }); - return handler.handle(request, response) - .then(should.fail) - .catch(function() { - response.get('location').should.equal('http://example.com/cb?error=unsupported_response_type&error_description=Unsupported%20response%20type%3A%20%60response_type%60%20is%20not%20supported&state=foobar'); - }); + const data = await handler.handle(request, response); + data.should.eql({ + authorizationCode: 'some-code', + client: client + }); }); - it('should return the `code` if successful', function() { + it('should return the `code` if successful (full model implementation)', async function () { + const user = { name: 'fooUser' }; + const state = 'fooobarstatebaz'; + const scope = 'read'; + const client = { + id: 'client-1322132131', + grants: ['authorization_code'], + redirectUris: ['http://example.com/cb'] + }; + const authorizationCode = 'long-authz-code-?'; + const accessTokenDoc = { + accessToken: 'some-access-token-code-?', + client, + user, + scope, + accessTokenExpiresAt: new Date(new Date().getTime() + 10000) + }; + const model = { + getClient: async function (clientId, clientSecret) { + clientId.should.equal(client.id); + (clientSecret === null).should.equal(true); + return { ...client }; + }, + getAccessToken: async function (_token) { + _token.should.equal(accessTokenDoc.accessToken); + return { ...accessTokenDoc }; + }, + verifyScope: async function (_tokenDoc, _scope) { + _tokenDoc.should.equal(accessTokenDoc); + _scope.should.equal(accessTokenDoc.scope); + return true; + }, + validateScope: async function (_user, _client, _scope) { + _user.should.deep.equal(user); + _client.should.deep.equal(client); + _scope.should.equal(scope); + return _scope; + }, + generateAuthorizationCode: async function (_client, _user, _scope) { + _user.should.deep.equal(user); + _client.should.deep.equal(client); + _scope.should.equal(scope); + return authorizationCode; + }, + saveAuthorizationCode: async function (code, _client, _user) { + code.authorizationCode.should.equal(authorizationCode); + code.expiresAt.should.be.instanceOf(Date); + _user.should.deep.equal(user); + _client.should.deep.equal(client); + return { ...code, client, user }; + } + }; + + const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model }); + const request = new Request({ + body: { + client_id: client.id, + response_type: 'code' + }, + headers: { + 'Authorization': `Bearer ${accessTokenDoc.accessToken}` + }, + method: {}, + query: { state, scope } + }); + + const response = new Response({ body: {}, headers: {} }); + const data = await handler.handle(request, response); + data.scope.should.equal(scope); + data.client.should.deep.equal(client); + data.user.should.deep.equal(user); + data.expiresAt.should.be.instanceOf(Date); + data.redirectUri.should.equal(client.redirectUris[0]); + response.status.should.equal(302); + response + .get('location') + .should + .equal('http://example.com/cb?code=long-authz-code-%3F&state=fooobarstatebaz'); + }); + + it('should support a custom `authenticateHandler`', async function () { + const user = { name: 'user1' }; + const authenticateHandler = { + handle: async function () { + // all good + return { ...user }; + } + }; const client = { grants: ['authorization_code'], redirectUris: ['http://example.com/cb'] }; const model = { - getAccessToken: function() { + getAccessToken: async function() { return { client: client, user: {}, accessTokenExpiresAt: new Date(new Date().getTime() + 10000) }; }, - getClient: function() { + getClient: async function() { return client; }, generateAuthorizationCode: async () => 'some-code', @@ -568,7 +731,7 @@ describe('AuthorizeHandler integration', function() { return { authorizationCode: code.authorizationCode, client: client }; } }; - const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model }); + const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model, authenticateHandler }); const request = new Request({ body: { client_id: 12345, @@ -584,14 +747,11 @@ describe('AuthorizeHandler integration', function() { }); const response = new Response({ body: {}, headers: {} }); - return handler.handle(request, response) - .then(function(data) { - data.should.eql({ - authorizationCode: 'some-code', - client: client - }); - }) - .catch(should.fail); + const data = await handler.handle(request, response); + data.should.eql({ + authorizationCode: 'some-code', + client: client + }); }); }); @@ -602,7 +762,7 @@ describe('AuthorizeHandler integration', function() { getClient: function() {}, saveAuthorizationCode: function() {} }; - const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model }); + const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model }); return handler.generateAuthorizationCode() .then(function(data) { @@ -620,7 +780,7 @@ describe('AuthorizeHandler integration', function() { getClient: function() {}, saveAuthorizationCode: function() {} }; - const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model }); + const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model }); handler.generateAuthorizationCode().should.be.an.instanceOf(Promise); }); @@ -634,7 +794,7 @@ describe('AuthorizeHandler integration', function() { getClient: function() {}, saveAuthorizationCode: function() {} }; - const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model }); + const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model }); handler.generateAuthorizationCode().should.be.an.instanceOf(Promise); }); @@ -647,7 +807,7 @@ describe('AuthorizeHandler integration', function() { getClient: function() {}, saveAuthorizationCode: function() {} }; - const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model }); + const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model }); handler.getAuthorizationCodeLifetime().should.be.an.instanceOf(Date); }); @@ -661,7 +821,7 @@ describe('AuthorizeHandler integration', function() { saveAuthorizationCode: function() {} }; - const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model }); + const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model }); handler.validateRedirectUri('http://example.com/a', { redirectUris: ['http://example.com/a'] }).should.be.an.instanceOf(Promise); }); @@ -676,7 +836,7 @@ describe('AuthorizeHandler integration', function() { } }; - const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model }); + const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model }); handler.validateRedirectUri('http://example.com/a', { }).should.be.an.instanceOf(Promise); }); @@ -691,7 +851,7 @@ describe('AuthorizeHandler integration', function() { } }; - const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model }); + const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model }); handler.validateRedirectUri('http://example.com/a', { }).should.be.an.instanceOf(Promise); }); @@ -704,7 +864,7 @@ describe('AuthorizeHandler integration', function() { getClient: function() {}, saveAuthorizationCode: function() {} }; - const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model }); + const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model }); const request = new Request({ body: { response_type: 'code' }, headers: {}, method: {}, query: {} }); try { @@ -723,7 +883,7 @@ describe('AuthorizeHandler integration', function() { getClient: function() {}, saveAuthorizationCode: function() {} }; - const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model }); + const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model }); const request = new Request({ body: { client_id: 'ø倣‰', response_type: 'code' }, headers: {}, method: {}, query: {} }); try { @@ -742,7 +902,7 @@ describe('AuthorizeHandler integration', function() { getClient: function() {}, saveAuthorizationCode: function() {} }; - const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model }); + const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model }); const request = new Request({ body: { client_id: 12345, response_type: 'code', redirect_uri: 'foobar' }, headers: {}, method: {}, query: {} }); try { @@ -761,7 +921,7 @@ describe('AuthorizeHandler integration', function() { getClient: function() {}, saveAuthorizationCode: function() {} }; - const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model }); + const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model }); const request = new Request({ body: { client_id: 12345, response_type: 'code' }, headers: {}, method: {}, query: {} }); return handler.getClient(request) @@ -780,7 +940,7 @@ describe('AuthorizeHandler integration', function() { }, saveAuthorizationCode: function() {} }; - const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model }); + const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model }); const request = new Request({ body: { client_id: 12345, response_type: 'code' }, headers: {}, method: {}, query: {} }); return handler.getClient(request) @@ -799,7 +959,7 @@ describe('AuthorizeHandler integration', function() { }, saveAuthorizationCode: function() {} }; - const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model }); + const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model }); const request = new Request({ body: { client_id: 12345, response_type: 'code' }, headers: {}, method: {}, query: {} }); return handler.getClient(request) @@ -816,7 +976,7 @@ describe('AuthorizeHandler integration', function() { getClient: function() { return { grants: ['authorization_code'] }; }, saveAuthorizationCode: function() {} }; - const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model }); + const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model }); const request = new Request({ body: { client_id: 12345, response_type: 'code' }, headers: {}, method: {}, query: {} }); return handler.getClient(request) @@ -835,7 +995,7 @@ describe('AuthorizeHandler integration', function() { }, saveAuthorizationCode: function() {} }; - const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model }); + const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model }); const request = new Request({ body: { client_id: 12345, response_type: 'code', redirect_uri: 'https://foobar.com' }, headers: {}, method: {}, query: {} }); return handler.getClient(request) @@ -854,7 +1014,7 @@ describe('AuthorizeHandler integration', function() { }, saveAuthorizationCode: function() {} }; - const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model }); + const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model }); const request = new Request({ body: { client_id: 12345 }, headers: {}, @@ -873,7 +1033,7 @@ describe('AuthorizeHandler integration', function() { }, saveAuthorizationCode: function() {} }; - const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model }); + const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model }); const request = new Request({ body: { client_id: 12345 }, headers: {}, @@ -894,7 +1054,7 @@ describe('AuthorizeHandler integration', function() { }, saveAuthorizationCode: function() {} }; - const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model }); + const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model }); const request = new Request({ body: { response_type: 'code' }, headers: {}, method: {}, query: { client_id: 12345 } }); return handler.getClient(request) @@ -913,7 +1073,7 @@ describe('AuthorizeHandler integration', function() { getClient: function() {}, saveAuthorizationCode: function() {} }; - const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model }); + const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model }); const request = new Request({ body: { scope: 'ø倣‰' }, headers: {}, method: {}, query: {} }); try { @@ -933,7 +1093,7 @@ describe('AuthorizeHandler integration', function() { getClient: function() {}, saveAuthorizationCode: function() {} }; - const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model }); + const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model }); const request = new Request({ body: { scope: 'foo' }, headers: {}, method: {}, query: {} }); handler.getScope(request).should.equal('foo'); @@ -947,7 +1107,7 @@ describe('AuthorizeHandler integration', function() { getClient: function() {}, saveAuthorizationCode: function() {} }; - const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model }); + const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model }); const request = new Request({ body: {}, headers: {}, method: {}, query: { scope: 'foo' } }); handler.getScope(request).should.equal('foo'); @@ -962,7 +1122,7 @@ describe('AuthorizeHandler integration', function() { getClient: function() {}, saveAuthorizationCode: function() {} }; - const handler = new AuthorizeHandler({ allowEmptyState: false, authorizationCodeLifetime: 120, model: model }); + const handler = new AuthorizeHandler({ allowEmptyState: false, authorizationCodeLifetime: 120, model }); const request = new Request({ body: {}, headers: {}, method: {}, query: {} }); try { @@ -981,7 +1141,7 @@ describe('AuthorizeHandler integration', function() { getClient: function() {}, saveAuthorizationCode: function() {} }; - const handler = new AuthorizeHandler({ allowEmptyState: true, authorizationCodeLifetime: 120, model: model }); + const handler = new AuthorizeHandler({ allowEmptyState: true, authorizationCodeLifetime: 120, model }); const request = new Request({ body: {}, headers: {}, method: {}, query: {} }); const state = handler.getState(request); should.equal(state, undefined); @@ -993,7 +1153,7 @@ describe('AuthorizeHandler integration', function() { getClient: function() {}, saveAuthorizationCode: function() {} }; - const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model }); + const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model }); const request = new Request({ body: {}, headers: {}, method: {}, query: { state: 'ø倣‰' } }); try { @@ -1013,7 +1173,7 @@ describe('AuthorizeHandler integration', function() { getClient: function() {}, saveAuthorizationCode: function() {} }; - const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model }); + const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model }); const request = new Request({ body: { state: 'foobar' }, headers: {}, method: {}, query: {} }); handler.getState(request).should.equal('foobar'); @@ -1027,7 +1187,7 @@ describe('AuthorizeHandler integration', function() { getClient: function() {}, saveAuthorizationCode: function() {} }; - const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model }); + const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model }); const request = new Request({ body: {}, headers: {}, method: {}, query: { state: 'foobar' } }); handler.getState(request).should.equal('foobar'); @@ -1042,7 +1202,7 @@ describe('AuthorizeHandler integration', function() { getClient: function() {}, saveAuthorizationCode: function() {} }; - const handler = new AuthorizeHandler({ authenticateHandler: authenticateHandler, authorizationCodeLifetime: 120, model: model }); + const handler = new AuthorizeHandler({ authenticateHandler: authenticateHandler, authorizationCodeLifetime: 120, model }); const request = new Request({ body: {}, headers: {}, method: {}, query: {} }); const response = new Response(); @@ -1066,7 +1226,7 @@ describe('AuthorizeHandler integration', function() { getClient: function() {}, saveAuthorizationCode: function() {} }; - const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model }); + const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model }); const request = new Request({ body: {}, headers: { 'Authorization': 'Bearer foo' }, method: {}, query: {} }); const response = new Response({ body: {}, headers: {} }); @@ -1088,7 +1248,7 @@ describe('AuthorizeHandler integration', function() { return authorizationCode; } }; - const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model }); + const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model }); return handler.saveAuthorizationCode('foo', 'bar', 'biz', 'baz') .then(function(data) { @@ -1105,7 +1265,7 @@ describe('AuthorizeHandler integration', function() { return {}; } }; - const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model }); + const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model }); handler.saveAuthorizationCode('foo', 'bar', 'biz', 'baz').should.be.an.instanceOf(Promise); }); @@ -1118,7 +1278,7 @@ describe('AuthorizeHandler integration', function() { return {}; } }; - const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model }); + const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model }); handler.saveAuthorizationCode('foo', 'bar', 'biz', 'baz').should.be.an.instanceOf(Promise); }); @@ -1131,7 +1291,7 @@ describe('AuthorizeHandler integration', function() { getClient: function() {}, saveAuthorizationCode: function() {} }; - const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model }); + const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model }); const request = new Request({ body: {}, headers: {}, method: {}, query: {} }); try { @@ -1150,7 +1310,7 @@ describe('AuthorizeHandler integration', function() { getClient: function() {}, saveAuthorizationCode: function() {} }; - const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model }); + const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model }); const request = new Request({ body: { response_type: 'foobar' }, headers: {}, method: {}, query: {} }); try { @@ -1170,7 +1330,7 @@ describe('AuthorizeHandler integration', function() { getClient: function() {}, saveAuthorizationCode: function() {} }; - const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model }); + const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model }); const request = new Request({ body: { response_type: 'code' }, headers: {}, method: {}, query: {} }); const ResponseType = handler.getResponseType(request); @@ -1185,7 +1345,7 @@ describe('AuthorizeHandler integration', function() { getClient: function() {}, saveAuthorizationCode: function() {} }; - const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model }); + const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model }); const request = new Request({ body: {}, headers: {}, method: {}, query: { response_type: 'code' } }); const ResponseType = handler.getResponseType(request); @@ -1201,7 +1361,7 @@ describe('AuthorizeHandler integration', function() { getClient: function() {}, saveAuthorizationCode: function() {} }; - const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model }); + const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model }); const responseType = new CodeResponseType(12345); const redirectUri = handler.buildSuccessRedirectUri('http://example.com/cb', responseType); @@ -1217,7 +1377,7 @@ describe('AuthorizeHandler integration', function() { getClient: function() {}, saveAuthorizationCode: function() {} }; - const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model }); + const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model }); const redirectUri = handler.buildErrorRedirectUri('http://example.com/cb', error); url.format(redirectUri).should.equal('http://example.com/cb?error=invalid_client&error_description=foo%20bar'); @@ -1230,7 +1390,7 @@ describe('AuthorizeHandler integration', function() { getClient: function() {}, saveAuthorizationCode: function() {} }; - const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model }); + const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model }); const redirectUri = handler.buildErrorRedirectUri('http://example.com/cb', error); url.format(redirectUri).should.equal('http://example.com/cb?error=invalid_client&error_description=Bad%20Request'); @@ -1244,7 +1404,7 @@ describe('AuthorizeHandler integration', function() { getClient: function() {}, saveAuthorizationCode: function() {} }; - const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model }); + const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model }); const response = new Response({ body: {}, headers: {} }); const uri = url.parse('http://example.com/cb'); @@ -1261,7 +1421,7 @@ describe('AuthorizeHandler integration', function() { getClient: function() {}, saveAuthorizationCode: function() {} }; - const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model }); + const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model }); const request = new Request({ body: {code_challenge_method: 'S256'}, headers: {}, method: {}, query: {} }); const codeChallengeMethod = handler.getCodeChallengeMethod(request); @@ -1274,7 +1434,7 @@ describe('AuthorizeHandler integration', function() { getClient: function() {}, saveAuthorizationCode: function() {} }; - const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model }); + const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model }); const request = new Request({ body: {code_challenge_method: 'foo'}, headers: {}, method: {}, query: {} }); try { @@ -1294,7 +1454,7 @@ describe('AuthorizeHandler integration', function() { getClient: function() {}, saveAuthorizationCode: function() {} }; - const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model }); + const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model }); const request = new Request({ body: {}, headers: {}, method: {}, query: {} }); const codeChallengeMethod = handler.getCodeChallengeMethod(request); @@ -1309,7 +1469,7 @@ describe('AuthorizeHandler integration', function() { getClient: function() {}, saveAuthorizationCode: function() {} }; - const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model }); + const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model }); const request = new Request({ body: {code_challenge: 'challenge'}, headers: {}, method: {}, query: {} }); const codeChallengeMethod = handler.getCodeChallenge(request); From 028e020558395263a83160db0d3a642d444069db Mon Sep 17 00:00:00 2001 From: Joren Vandeweyer Date: Tue, 29 Aug 2023 09:29:51 +0200 Subject: [PATCH 20/47] update minimum nodejs version in release test workflow --- .github/workflows/tests-release.yml | 157 ++++++++++++++-------------- 1 file changed, 78 insertions(+), 79 deletions(-) diff --git a/.github/workflows/tests-release.yml b/.github/workflows/tests-release.yml index 31db09b2..2bd4e253 100644 --- a/.github/workflows/tests-release.yml +++ b/.github/workflows/tests-release.yml @@ -10,7 +10,6 @@ on: branches: - release-* # all release- branches - jobs: # STEP 1 - NPM Audit @@ -23,13 +22,13 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 - - uses: actions/setup-node@v3 - with: - node-version: 20 - # install to create local package-lock.json but don't cache the files - # also: no audit for dev dependencies - - run: npm i --package-lock-only && npm audit --production + - uses: actions/checkout@v3 + - uses: actions/setup-node@v3 + with: + node-version: 20 + # install to create local package-lock.json but don't cache the files + # also: no audit for dev dependencies + - run: npm i --package-lock-only && npm audit --production # STEP 2 - basic unit tests @@ -40,34 +39,34 @@ jobs: needs: [audit] strategy: matrix: - node: [14, 16, 18] + node: [16, 18, 20] steps: - - name: Checkout ${{ matrix.node }} - uses: actions/checkout@v3 - - - name: Setup node ${{ matrix.node }} - uses: actions/setup-node@v3 - with: - node-version: ${{ matrix.node }} - - - name: Cache dependencies ${{ matrix.node }} - uses: actions/cache@v3 - with: - path: ~/.npm - key: ${{ runner.os }}-node-${{ matrix.node }}-${{ hashFiles('**/package-lock.json') }} - restore-keys: | - ${{ runner.os }}-node-${{ matrix.node }} - # for this workflow we also require npm audit to pass - - run: npm i - - run: npm run test:coverage - - # with the following action we enforce PRs to have a high coverage - # and ensure, changes are tested well enough so that coverage won't fail - - name: check coverage - uses: VeryGoodOpenSource/very_good_coverage@v1.2.0 - with: - path: './coverage/lcov.info' - min_coverage: 95 + - name: Checkout ${{ matrix.node }} + uses: actions/checkout@v3 + + - name: Setup node ${{ matrix.node }} + uses: actions/setup-node@v3 + with: + node-version: ${{ matrix.node }} + + - name: Cache dependencies ${{ matrix.node }} + uses: actions/cache@v3 + with: + path: ~/.npm + key: ${{ runner.os }}-node-${{ matrix.node }}-${{ hashFiles('**/package-lock.json') }} + restore-keys: | + ${{ runner.os }}-node-${{ matrix.node }} + # for this workflow we also require npm audit to pass + - run: npm i + - run: npm run test:coverage + + # with the following action we enforce PRs to have a high coverage + # and ensure, changes are tested well enough so that coverage won't fail + - name: check coverage + uses: VeryGoodOpenSource/very_good_coverage@v1.2.0 + with: + path: './coverage/lcov.info' + min_coverage: 95 # STEP 3 - Integration tests @@ -80,41 +79,41 @@ jobs: needs: [unittest] strategy: matrix: - node: [14, 16, 18] # TODO get running for node 16+ + node: [16, 18, 20] # TODO get running for node 16+ steps: - # checkout this repo - - name: Checkout ${{ matrix.node }} - uses: actions/checkout@v3 - - # checkout express-adapter repo - - name: Checkout express-adapter ${{ matrix.node }} - uses: actions/checkout@v3 - with: - repository: node-oauth/express-oauth-server - path: github/testing/express - - - name: Setup node ${{ matrix.node }} - uses: actions/setup-node@v3 - with: - node-version: ${{ matrix.node }} - - - name: Cache dependencies ${{ matrix.node }} - uses: actions/cache@v3 - with: - path: ~/.npm - key: ${{ runner.os }}-node-${{ matrix.node }}-node-oauth/express-oauth-server-${{ hashFiles('github/testing/express/**/package-lock.json') }} - restore-keys: | - ${{ runner.os }}-node-${{ matrix.node }}-node-oauth/express-oauth-server - - # in order to test the adapter we need to use the current checkout - # and install it as local dependency - # we just cloned and install it as local dependency - # xxx: added bluebird as explicit dependency - - run: | - cd github/testing/express - npm i - npm install https://github.com/node-oauth/node-oauth2-server.git#${{ github.ref_name }} - npm run test + # checkout this repo + - name: Checkout ${{ matrix.node }} + uses: actions/checkout@v3 + + # checkout express-adapter repo + - name: Checkout express-adapter ${{ matrix.node }} + uses: actions/checkout@v3 + with: + repository: node-oauth/express-oauth-server + path: github/testing/express + + - name: Setup node ${{ matrix.node }} + uses: actions/setup-node@v3 + with: + node-version: ${{ matrix.node }} + + - name: Cache dependencies ${{ matrix.node }} + uses: actions/cache@v3 + with: + path: ~/.npm + key: ${{ runner.os }}-node-${{ matrix.node }}-node-oauth/express-oauth-server-${{ hashFiles('github/testing/express/**/package-lock.json') }} + restore-keys: | + ${{ runner.os }}-node-${{ matrix.node }}-node-oauth/express-oauth-server + + # in order to test the adapter we need to use the current checkout + # and install it as local dependency + # we just cloned and install it as local dependency + # xxx: added bluebird as explicit dependency + - run: | + cd github/testing/express + npm i + npm install https://github.com/node-oauth/node-oauth2-server.git#${{ github.ref_name }} + npm run test # todo repeat with other adapters @@ -139,13 +138,13 @@ jobs: contents: read packages: write steps: - - uses: actions/checkout@v3 - - uses: actions/setup-node@v3 - with: - # we always publish targeting the lowest supported node version - node-version: 16 - registry-url: $registry-url(npm) - - run: npm i - - run: npm publish --dry-run - env: - NODE_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}} \ No newline at end of file + - uses: actions/checkout@v3 + - uses: actions/setup-node@v3 + with: + # we always publish targeting the lowest supported node version + node-version: 16 + registry-url: $registry-url(npm) + - run: npm i + - run: npm publish --dry-run + env: + NODE_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}} From a42dc06578447624c34650e3eb2eeb8f2f208bf0 Mon Sep 17 00:00:00 2001 From: Joren Vandeweyer Date: Sat, 9 Sep 2023 23:24:49 +0200 Subject: [PATCH 21/47] rewrote the scope validation --- CHANGELOG.md | 3 +- docs/api/oauth2-server.rst | 2 +- docs/model/spec.rst | 226 +++++++++--------- index.d.ts | 36 +-- lib/grant-types/abstract-grant-type.js | 8 +- lib/grant-types/refresh-token-grant-type.js | 32 ++- lib/handlers/authenticate-handler.js | 10 +- lib/handlers/authorize-handler.js | 7 +- lib/server.js | 4 - lib/utils/scope-util.js | 16 ++ .../client-credential-workflow_test.js | 8 +- test/compliance/password-grant-type_test.js | 6 +- .../refresh-token-grant-type_test.js | 74 ++++-- test/helpers/model.js | 6 +- .../grant-types/abstract-grant-type_test.js | 14 +- .../authorization-code-grant-type_test.js | 18 +- .../client-credentials-grant-type_test.js | 12 +- .../grant-types/password-grant-type_test.js | 16 +- .../refresh-token-grant-type_test.js | 8 +- .../handlers/authenticate-handler_test.js | 36 +-- .../handlers/authorize-handler_test.js | 24 +- .../handlers/token-handler_test.js | 34 +-- test/integration/server_test.js | 2 +- .../authorization-code-grant-type_test.js | 6 +- .../client-credentials-grant-type_test.js | 6 +- .../grant-types/password-grant-type_test.js | 6 +- .../refresh-token-grant-type_test.js | 12 +- .../handlers/authenticate-handler_test.js | 6 +- test/unit/handlers/authorize-handler_test.js | 8 +- test/unit/server_test.js | 18 -- 30 files changed, 355 insertions(+), 309 deletions(-) create mode 100644 lib/utils/scope-util.js diff --git a/CHANGELOG.md b/CHANGELOG.md index 81b82f07..b7faf9f8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,7 @@ - this is a breaking change, because **it removes callback support** for `OAuthServer` and your model implementation. - fixed missing await in calling generateAuthorizationCode in AuthorizeHandler +- validate scope as an array of strings ## 4.2.0 ### Fixed @@ -52,7 +53,7 @@ - Upgrades all code from ES5 to ES6, where possible. ## 4.1.0 -### Changed +### Changed * Bump dev dependencies to resolve vulnerabilities * Replaced jshint with eslint along with should and chai * Use sha256 when generating tokens diff --git a/docs/api/oauth2-server.rst b/docs/api/oauth2-server.rst index 48acf538..9fcf8123 100644 --- a/docs/api/oauth2-server.rst +++ b/docs/api/oauth2-server.rst @@ -73,7 +73,7 @@ Authenticates a request. +------------------------------------------------+-----------------+-----------------------------------------------------------------------+ | [options={}] | Object | Handler options. | +------------------------------------------------+-----------------+-----------------------------------------------------------------------+ -| [options.scope=undefined] | String | The scope(s) to authenticate. | +| [options.scope=undefined] | String[] | The scope(s) to authenticate. | +------------------------------------------------+-----------------+-----------------------------------------------------------------------+ | [options.addAcceptedScopesHeader=true] | Boolean | Set the ``X-Accepted-OAuth-Scopes`` HTTP header on response objects. | +------------------------------------------------+-----------------+-----------------------------------------------------------------------+ diff --git a/docs/model/spec.rst b/docs/model/spec.rst index 953c2811..5b1695f3 100644 --- a/docs/model/spec.rst +++ b/docs/model/spec.rst @@ -41,7 +41,7 @@ Code examples on this page use *promises*. .. _Model#generateAccessToken: -``generateAccessToken(client, user, scope, [callback])`` +``generateAccessToken(client, user, scope)`` ======================================================== Invoked to generate a new access token. @@ -64,7 +64,7 @@ This model function is **optional**. If not implemented, a default handler is us +------------+----------+---------------------------------------------------------------------+ | user | Object | The user the access token is generated for. | +------------+----------+---------------------------------------------------------------------+ -| scope | String | The scopes associated with the access token. Can be ``null``. | +| scope | String[] | The scopes associated with the access token. Can be ``null``. | +------------+----------+---------------------------------------------------------------------+ | [callback] | Function | Node-style callback to be used instead of the returned ``Promise``. | +------------+----------+---------------------------------------------------------------------+ @@ -85,7 +85,7 @@ A ``String`` to be used as access token. .. _Model#generateRefreshToken: -``generateRefreshToken(client, user, scope, [callback])`` +``generateRefreshToken(client, user, scope)`` ========================================================= Invoked to generate a new refresh token. @@ -107,7 +107,7 @@ This model function is **optional**. If not implemented, a default handler is us +------------+----------+---------------------------------------------------------------------+ | user | Object | The user the refresh token is generated for. | +------------+----------+---------------------------------------------------------------------+ -| scope | String | The scopes associated with the refresh token. Can be ``null``. | +| scope | String[] | The scopes associated with the refresh token. Can be ``null``. | +------------+----------+---------------------------------------------------------------------+ | [callback] | Function | Node-style callback to be used instead of the returned ``Promise``. | +------------+----------+---------------------------------------------------------------------+ @@ -148,7 +148,7 @@ This model function is **optional**. If not implemented, a default handler is us +------------+----------+---------------------------------------------------------------------+ | user | Object | The user the authorization code is generated for. | +------------+----------+---------------------------------------------------------------------+ -| scope | String | The scopes associated with the authorization code. Can be ``null``. | +| scope | String[] | The scopes associated with the authorization code. Can be ``null``. | +------------+----------+---------------------------------------------------------------------+ | [callback] | Function | Node-style callback to be used instead of the returned ``Promise``. | +------------+----------+---------------------------------------------------------------------+ @@ -188,23 +188,23 @@ This model function is **required** if :ref:`OAuth2Server#authenticate() VALID_SCOPES.indexOf(s) >= 0)) { + if (!scope.every(s => VALID_SCOPES.indexOf(s) >= 0)) { return false; } return scope; @@ -917,14 +917,9 @@ To accept partially valid scopes: const VALID_SCOPES = ['read', 'write']; function validateScope(user, client, scope) { - return scope - .split(' ') - .filter(s => VALID_SCOPES.indexOf(s) >= 0) - .join(' '); + return scope.filter(s => VALID_SCOPES.indexOf(s) >= 0); } -Note that the example above will still reject completely invalid scopes, since ``validateScope`` returns an empty string if all scopes are filtered out. - -------- .. _Model#verifyScope: @@ -951,7 +946,7 @@ This model function is **required** if scopes are used with :ref:`OAuth2Server#a +------------------------------+----------+---------------------------------------------------------------------+ | [token.accessTokenExpiresAt] | Date | The expiry time of the access token. | +------------------------------+----------+---------------------------------------------------------------------+ -| [token.scope] | String | The authorized scope of the access token. | +| [token.scope] | String[] | The authorized scope of the access token. | +------------------------------+----------+---------------------------------------------------------------------+ | token.client | Object | The client associated with the access token. | +------------------------------+----------+---------------------------------------------------------------------+ @@ -959,7 +954,7 @@ This model function is **required** if scopes are used with :ref:`OAuth2Server#a +------------------------------+----------+---------------------------------------------------------------------+ | token.user | Object | The user associated with the access token. | +------------------------------+----------+---------------------------------------------------------------------+ -| scope | String | The required scopes. | +| scope | String[] | The required scopes. | +------------------------------+----------+---------------------------------------------------------------------+ | [callback] | Function | Node-style callback to be used instead of the returned ``Promise``. | +------------------------------+----------+---------------------------------------------------------------------+ @@ -976,13 +971,12 @@ Returns ``true`` if the access token passes, ``false`` otherwise. :: - function verifyScope(token, scope) { + function verifyScope(token, requestedScopes) { if (!token.scope) { return false; } - let requestedScopes = scope.split(' '); - let authorizedScopes = token.scope.split(' '); - return requestedScopes.every(s => authorizedScopes.indexOf(s) >= 0); + let authorizedScopes = token.scope; + return requestedScopes.every(s => token.scope.includes(scope)); } -------- diff --git a/index.d.ts b/index.d.ts index 4c253606..d48f6c0d 100644 --- a/index.d.ts +++ b/index.d.ts @@ -118,13 +118,13 @@ declare namespace OAuth2Server { * Generate access token. Calls Model#generateAccessToken() if implemented. * */ - generateAccessToken(client: Client, user: User, scope: string | string[]): Promise; + generateAccessToken(client: Client, user: User, scope: string[]): Promise; /** * Generate refresh token. Calls Model#generateRefreshToken() if implemented. * */ - generateRefreshToken(client: Client, user: User, scope: string | string[]): Promise; + generateRefreshToken(client: Client, user: User, scope: string[]): Promise; /** * Get access token expiration date. @@ -142,13 +142,13 @@ declare namespace OAuth2Server { * Get scope from the request body. * */ - getScope(request: Request): string; + getScope(request: Request): string[]; /** * Validate requested scope. Calls Model#validateScope() if implemented. * */ - validateScope(user: User, client: Client, scope: string | string[]): Promise; + validateScope(user: User, client: Client, scope: string[]): Promise; /** * Retrieve info from the request and client and return token @@ -168,7 +168,7 @@ declare namespace OAuth2Server { /** * The scope(s) to authenticate. */ - scope?: string | string[] | undefined; + scope?: string[] | undefined; /** * Set the X-Accepted-OAuth-Scopes HTTP header on response objects. @@ -245,7 +245,7 @@ declare namespace OAuth2Server { * Invoked to generate a new access token. * */ - generateAccessToken?(client: Client, user: User, scope: string | string[]): Promise; + generateAccessToken?(client: Client, user: User, scope: string[]): Promise; /** * Invoked to retrieve a client using a client id or a client id/client secret combination, depending on the grant type. @@ -272,7 +272,7 @@ declare namespace OAuth2Server { * Optional, if a custom authenticateHandler is used or if there is no scope part of the request. * */ - verifyScope(token: Token, scope: string | string[]): Promise; + verifyScope?(token: Token, scope: string[]): Promise; } interface AuthorizationCodeModel extends BaseModel, RequestAuthenticationModel { @@ -280,13 +280,13 @@ declare namespace OAuth2Server { * Invoked to generate a new refresh token. * */ - generateRefreshToken?(client: Client, user: User, scope: string | string[]): Promise; + generateRefreshToken?(client: Client, user: User, scope: string[]): Promise; /** * Invoked to generate a new authorization code. * */ - generateAuthorizationCode?(client: Client, user: User, scope: string | string[]): Promise; + generateAuthorizationCode?(client: Client, user: User, scope: string[]): Promise; /** * Invoked to retrieve an existing authorization code previously saved through Model#saveAuthorizationCode(). @@ -314,8 +314,8 @@ declare namespace OAuth2Server { * Invoked to check if the requested scope is valid for a particular client/user combination. * */ - validateScope?(user: User, client: Client, scope: string | string[]): Promise; - + validateScope?(user: User, client: Client, scope: string[]): Promise; + /** * Invoked to check if the provided `redirectUri` is valid for a particular `client`. * @@ -328,7 +328,7 @@ declare namespace OAuth2Server { * Invoked to generate a new refresh token. * */ - generateRefreshToken?(client: Client, user: User, scope: string | string[]): Promise; + generateRefreshToken?(client: Client, user: User, scope: string[]): Promise; /** * Invoked to retrieve a user using a username/password combination. @@ -340,7 +340,7 @@ declare namespace OAuth2Server { * Invoked to check if the requested scope is valid for a particular client/user combination. * */ - validateScope?(user: User, client: Client, scope: string | string[]): Promise; + validateScope?(user: User, client: Client, scope: string[]): Promise; } interface RefreshTokenModel extends BaseModel, RequestAuthenticationModel { @@ -348,7 +348,7 @@ declare namespace OAuth2Server { * Invoked to generate a new refresh token. * */ - generateRefreshToken?(client: Client, user: User, scope: string | string[]): Promise; + generateRefreshToken?(client: Client, user: User, scope: string[]): Promise; /** * Invoked to retrieve an existing refresh token previously saved through Model#saveToken(). @@ -374,7 +374,7 @@ declare namespace OAuth2Server { * Invoked to check if the requested scope is valid for a particular client/user combination. * */ - validateScope?(user: User, client: Client, scope: string | string[]): Promise; + validateScope?(user: User, client: Client, scope: string[]): Promise; } interface ExtensionModel extends BaseModel, RequestAuthenticationModel {} @@ -406,7 +406,7 @@ declare namespace OAuth2Server { authorizationCode: string; expiresAt: Date; redirectUri: string; - scope?: string | string[] | undefined; + scope?: string[] | undefined; client: Client; user: User; codeChallenge?: string; @@ -422,7 +422,7 @@ declare namespace OAuth2Server { accessTokenExpiresAt?: Date | undefined; refreshToken?: string | undefined; refreshTokenExpiresAt?: Date | undefined; - scope?: string | string[] | undefined; + scope?: string[] | undefined; client: Client; user: User; [key: string]: any; @@ -434,7 +434,7 @@ declare namespace OAuth2Server { interface RefreshToken { refreshToken: string; refreshTokenExpiresAt?: Date | undefined; - scope?: string | string[] | undefined; + scope?: string[] | undefined; client: Client; user: User; [key: string]: any; diff --git a/lib/grant-types/abstract-grant-type.js b/lib/grant-types/abstract-grant-type.js index 72fcc837..bce24ed8 100644 --- a/lib/grant-types/abstract-grant-type.js +++ b/lib/grant-types/abstract-grant-type.js @@ -6,8 +6,8 @@ const InvalidArgumentError = require('../errors/invalid-argument-error'); const InvalidScopeError = require('../errors/invalid-scope-error'); -const isFormat = require('@node-oauth/formats'); const tokenUtil = require('../utils/token-util'); +const { parseScope } = require('../utils/scope-util'); class AbstractGrantType { constructor (options) { @@ -73,11 +73,7 @@ class AbstractGrantType { * Get scope from the request body. */ getScope (request) { - if (!isFormat.nqschar(request.body.scope)) { - throw new InvalidArgumentError('Invalid parameter: `scope`'); - } - - return request.body.scope; + return parseScope(request.body.scope); } /** diff --git a/lib/grant-types/refresh-token-grant-type.js b/lib/grant-types/refresh-token-grant-type.js index dd6f7e25..45237dbc 100644 --- a/lib/grant-types/refresh-token-grant-type.js +++ b/lib/grant-types/refresh-token-grant-type.js @@ -10,6 +10,7 @@ const InvalidGrantError = require('../errors/invalid-grant-error'); const InvalidRequestError = require('../errors/invalid-request-error'); const ServerError = require('../errors/server-error'); const isFormat = require('@node-oauth/formats'); +const InvalidScopeError = require('../errors/invalid-scope-error'); /** * Constructor. @@ -55,7 +56,9 @@ class RefreshTokenGrantType extends AbstractGrantType { token = await this.getRefreshToken(request, client); token = await this.revokeToken(token); - return this.saveToken(token.user, client, token.scope); + const scope = this.getScope(request, token); + + return this.saveToken(token.user, client, scope); } /** @@ -142,6 +145,33 @@ class RefreshTokenGrantType extends AbstractGrantType { return this.model.saveToken(token, client, user); } + + getScope (request, token) { + const requestedScope = super.getScope(request); + const originalScope = token.scope; + + if (!originalScope && !requestedScope) { + return; + } + + if (!originalScope && requestedScope) { + throw new InvalidScopeError('Invalid scope: Unable to add extra scopes'); + } + + if (!requestedScope) { + return originalScope; + } + + const valid = requestedScope.every(scope => { + return originalScope.includes(scope); + }); + + if (!valid) { + throw new InvalidScopeError('Invalid scope: Unable to add extra scopes'); + } + + return requestedScope; + } } /** diff --git a/lib/handlers/authenticate-handler.js b/lib/handlers/authenticate-handler.js index 54945285..019b284d 100644 --- a/lib/handlers/authenticate-handler.js +++ b/lib/handlers/authenticate-handler.js @@ -235,8 +235,6 @@ class AuthenticateHandler { if (!scope) { throw new InsufficientScopeError('Insufficient scope: authorized scope is insufficient'); } - - return scope; } /** @@ -244,12 +242,16 @@ class AuthenticateHandler { */ updateResponse (response, accessToken) { + if (accessToken.scope == null) { + return; + } + if (this.scope && this.addAcceptedScopesHeader) { - response.set('X-Accepted-OAuth-Scopes', this.scope); + response.set('X-Accepted-OAuth-Scopes', this.scope.join(' ')); } if (this.scope && this.addAuthorizedScopesHeader) { - response.set('X-OAuth-Scopes', accessToken.scope); + response.set('X-OAuth-Scopes', accessToken.scope.join(' ')); } } } diff --git a/lib/handlers/authorize-handler.js b/lib/handlers/authorize-handler.js index a854eaf0..a02a5b9d 100644 --- a/lib/handlers/authorize-handler.js +++ b/lib/handlers/authorize-handler.js @@ -20,6 +20,7 @@ const isFormat = require('@node-oauth/formats'); const tokenUtil = require('../utils/token-util'); const url = require('url'); const pkce = require('../pkce/pkce'); +const { parseScope } = require('../utils/scope-util'); /** * Response types. @@ -226,11 +227,7 @@ class AuthorizeHandler { getScope (request) { const scope = request.body.scope || request.query.scope; - if (!isFormat.nqschar(scope)) { - throw new InvalidScopeError('Invalid parameter: `scope`'); - } - - return scope; + return parseScope(scope); } /** diff --git a/lib/server.js b/lib/server.js index a73acd63..656ad306 100644 --- a/lib/server.js +++ b/lib/server.js @@ -30,10 +30,6 @@ class OAuth2Server { */ authenticate (request, response, options) { - if (typeof options === 'string') { - options = {scope: options}; - } - options = Object.assign({ addAcceptedScopesHeader: true, addAuthorizedScopesHeader: true, diff --git a/lib/utils/scope-util.js b/lib/utils/scope-util.js new file mode 100644 index 00000000..61278587 --- /dev/null +++ b/lib/utils/scope-util.js @@ -0,0 +1,16 @@ +const isFormat = require('@node-oauth/formats'); +const InvalidScopeError = require('../errors/invalid-scope-error'); + +module.exports = { + parseScope: function (requestedScope) { + if (!isFormat.nqschar(requestedScope)) { + throw new InvalidScopeError('Invalid parameter: `scope`'); + } + + if (requestedScope == null) { + return undefined; + } + + return requestedScope.split(' '); + } +}; diff --git a/test/compliance/client-credential-workflow_test.js b/test/compliance/client-credential-workflow_test.js index 6b7a2898..5e71d4ab 100644 --- a/test/compliance/client-credential-workflow_test.js +++ b/test/compliance/client-credential-workflow_test.js @@ -90,14 +90,14 @@ describe('ClientCredentials Workflow Compliance (4.4)', function () { response.body.token_type.should.equal('Bearer'); response.body.access_token.should.equal(token.accessToken); response.body.expires_in.should.be.a('number'); - response.body.scope.should.equal(enabledScope); + response.body.scope.should.eql(['read', 'write']); ('refresh_token' in response.body).should.equal(false); token.accessToken.should.be.a('string'); token.accessTokenExpiresAt.should.be.a('date'); ('refreshToken' in token).should.equal(false); ('refreshTokenExpiresAt' in token).should.equal(false); - token.scope.should.equal(enabledScope); + token.scope.should.eql(['read', 'write']); db.accessTokens.has(token.accessToken).should.equal(true); db.refreshTokens.has(token.refreshToken).should.equal(false); @@ -130,7 +130,7 @@ describe('ClientCredentials Workflow Compliance (4.4)', function () { token.accessToken.should.equal(accessToken); token.user.should.deep.equal(userDoc); token.client.should.deep.equal(clientDoc); - token.scope.should.equal(enabledScope); + token.scope.should.eql(['read', 'write']); response.status.should.equal(200); // there should be no information in the response as it @@ -139,4 +139,4 @@ describe('ClientCredentials Workflow Compliance (4.4)', function () { response.headers.should.deep.equal({}); }); }); -}); \ No newline at end of file +}); diff --git a/test/compliance/password-grant-type_test.js b/test/compliance/password-grant-type_test.js index 7941d54f..c30e440d 100644 --- a/test/compliance/password-grant-type_test.js +++ b/test/compliance/password-grant-type_test.js @@ -101,13 +101,13 @@ describe('PasswordGrantType Compliance', function () { response.body.access_token.should.equal(token.accessToken); response.body.refresh_token.should.equal(token.refreshToken); response.body.expires_in.should.be.a('number'); - response.body.scope.should.equal(scope); + response.body.scope.should.eql(['read', 'write']); token.accessToken.should.be.a('string'); token.refreshToken.should.be.a('string'); token.accessTokenExpiresAt.should.be.a('date'); token.refreshTokenExpiresAt.should.be.a('date'); - token.scope.should.equal(scope); + token.scope.should.eql(['read', 'write']); db.accessTokens.has(token.accessToken).should.equal(true); db.refreshTokens.has(token.refreshToken).should.equal(true); @@ -134,7 +134,7 @@ describe('PasswordGrantType Compliance', function () { authenticationResponse, {}); - authenticated.scope.should.equal(scope); + authenticated.scope.should.eql(['read', 'write']); authenticated.user.should.be.an('object'); authenticated.client.should.be.an('object'); }); diff --git a/test/compliance/refresh-token-grant-type_test.js b/test/compliance/refresh-token-grant-type_test.js index b01fef3d..8c0e4982 100644 --- a/test/compliance/refresh-token-grant-type_test.js +++ b/test/compliance/refresh-token-grant-type_test.js @@ -62,6 +62,7 @@ const DB = require('../helpers/db'); const createModel = require('../helpers/model'); const createRequest = require('../helpers/request'); const Response = require('../../lib/response'); +const should = require('chai').should(); require('chai').should(); @@ -123,13 +124,13 @@ describe('RefreshTokenGrantType Compliance', function () { refreshResponse.body.access_token.should.equal(token.accessToken); refreshResponse.body.refresh_token.should.equal(token.refreshToken); refreshResponse.body.expires_in.should.be.a('number'); - refreshResponse.body.scope.should.equal(scope); + refreshResponse.body.scope.should.eql(['read', 'write']); token.accessToken.should.be.a('string'); token.refreshToken.should.be.a('string'); token.accessTokenExpiresAt.should.be.a('date'); token.refreshTokenExpiresAt.should.be.a('date'); - token.scope.should.equal(scope); + token.scope.should.eql(['read', 'write']); db.accessTokens.has(token.accessToken).should.equal(true); db.refreshTokens.has(token.refreshToken).should.equal(true); @@ -147,27 +148,62 @@ describe('RefreshTokenGrantType Compliance', function () { }); }); - // TODO: test refresh token with different scopes - // https://github.com/node-oauth/node-oauth2-server/issues/104 + it('Should throw invalid_scope error', async function () { + const request = createLoginRequest(); + const response = new Response({}); + + const credentials = await auth.token(request, response, {}); + + const refreshRequest = createRefreshRequest(credentials.refreshToken); + const refreshResponse = new Response({}); + + refreshRequest.body.scope = 'invalid'; + + await auth.token(refreshRequest, refreshResponse, {}) + .then(should.fail) + .catch(err => { + err.name.should.equal('invalid_scope'); + }); + }); + + it('Should throw error if requested scope is greater than original scope', async function () { + const request = createLoginRequest(); + const response = new Response({}); + + request.body.scope = 'read'; + + const credentials = await auth.token(request, response, {}); + + const refreshRequest = createRefreshRequest(credentials.refreshToken); + const refreshResponse = new Response({}); + + refreshRequest.scope = 'read write'; + + await auth.token(refreshRequest, refreshResponse, {}) + .then(should.fail) + .catch(err => { + err.name.should.equal('invalid_scope'); + }); + }); + + it('Should create refresh token with smaller scope', async function () { + const request = createLoginRequest(); + const response = new Response({}); - // it('Should throw invalid_scope error', async function () { - // const request = createLoginRequest(); - // const response = new Response({}); + const credentials = await auth.token(request, response, {}); - // const credentials = await auth.token(request, response, {}); + const refreshRequest = createRefreshRequest(credentials.refreshToken); + const refreshResponse = new Response({}); - // const refreshRequest = createRefreshRequest(credentials.refreshToken); - // const refreshResponse = new Response({}); + refreshRequest.body.scope = 'read'; - // refreshRequest.scope = 'invalid'; + const token = await auth.token(refreshRequest, refreshResponse, {}); - // await auth.token(refreshRequest, refreshResponse, {}) - // .then(() => { - // throw Error('Should not reach this'); - // }) - // .catch(err => { - // err.name.should.equal('invalid_scope'); - // }); - // }); + refreshResponse.body.token_type.should.equal('Bearer'); + refreshResponse.body.access_token.should.equal(token.accessToken); + refreshResponse.body.refresh_token.should.equal(token.refreshToken); + refreshResponse.body.expires_in.should.be.a('number'); + refreshResponse.body.scope.should.eql(['read']); + }); }); }); diff --git a/test/helpers/model.js b/test/helpers/model.js index 7a1893b1..6566f0cd 100644 --- a/test/helpers/model.js +++ b/test/helpers/model.js @@ -71,11 +71,7 @@ function createModel (db) { } async function verifyScope (token, scope) { - if (typeof scope === 'string') { - return scopes.includes(scope); - } else { - return scope.every(s => scopes.includes(s)); - } + return scope.every(s => scopes.includes(s)); } return { diff --git a/test/integration/grant-types/abstract-grant-type_test.js b/test/integration/grant-types/abstract-grant-type_test.js index 22247d7a..4d3e6d19 100644 --- a/test/integration/grant-types/abstract-grant-type_test.js +++ b/test/integration/grant-types/abstract-grant-type_test.js @@ -144,7 +144,7 @@ describe('AbstractGrantType integration', function() { should.fail(); } catch (e) { - e.should.be.an.instanceOf(InvalidArgumentError); + e.should.be.an.instanceOf(InvalidScopeError); e.message.should.equal('Invalid parameter: `scope`'); } }); @@ -160,22 +160,22 @@ describe('AbstractGrantType integration', function() { const handler = new AbstractGrantType({ accessTokenLifetime: 123, model: {}, refreshTokenLifetime: 456 }); const request = new Request({ body: { scope: 'foo' }, headers: {}, method: {}, query: {} }); - handler.getScope(request).should.equal('foo'); + handler.getScope(request).should.eql(['foo']); }); }); describe('validateScope()', function () { it('accepts the scope, if the model does not implement it', async function () { - const scope = 'some,scope,this,that'; + const scope = ['some,scope,this,that']; const user = { id: 123 }; const client = { id: 456 }; const handler = new AbstractGrantType({ accessTokenLifetime: 123, model: {}, refreshTokenLifetime: 456 }); const validated = await handler.validateScope(user, client, scope); - validated.should.equal(scope); + validated.should.eql(scope); }); it('accepts the scope, if the model accepts it', async function () { - const scope = 'some,scope,this,that'; + const scope = ['some,scope,this,that']; const user = { id: 123 }; const client = { id: 456 }; @@ -184,14 +184,14 @@ describe('AbstractGrantType integration', function() { // make sure the model received the correct args _user.should.deep.equal(user); _client.should.deep.equal(_client); - _scope.should.equal(scope); + _scope.should.eql(scope); return scope; } }; const handler = new AbstractGrantType({ accessTokenLifetime: 123, model, refreshTokenLifetime: 456 }); const validated = await handler.validateScope(user, client, scope); - validated.should.equal(scope); + validated.should.eql(scope); }); it('throws if the model rejects the scope', async function () { diff --git a/test/integration/grant-types/authorization-code-grant-type_test.js b/test/integration/grant-types/authorization-code-grant-type_test.js index f4598bde..d705f397 100644 --- a/test/integration/grant-types/authorization-code-grant-type_test.js +++ b/test/integration/grant-types/authorization-code-grant-type_test.js @@ -88,7 +88,7 @@ describe('AuthorizationCodeGrantType integration', function() { e.message.should.equal('Missing parameter: `request`'); } }); - + it('should throw an error if `client` is invalid (not in code)', async function() { const client = { id: 1234 }; const model = { @@ -131,7 +131,7 @@ describe('AuthorizationCodeGrantType integration', function() { it('should return a token', async function() { const client = { id: 'foobar' }; - const scope = 'fooscope'; + const scope = ['fooscope']; const user = { name: 'foouser' }; const codeDoc = { authorizationCode: 12345, @@ -153,19 +153,19 @@ describe('AuthorizationCodeGrantType integration', function() { validateScope: async function (_user, _client, _scope) { _user.should.deep.equal(user); _client.should.deep.equal(client); - _scope.should.equal(scope); + _scope.should.eql(scope); return scope; }, generateAccessToken: async function (_client, _user, _scope) { _user.should.deep.equal(user); _client.should.deep.equal(client); - _scope.should.equal(scope); + _scope.should.eql(scope); return 'long-access-token-hash'; }, generateRefreshToken: async function (_client, _user, _scope) { _user.should.deep.equal(user); _client.should.deep.equal(client); - _scope.should.equal(scope); + _scope.should.eql(scope); return 'long-refresh-token-hash'; }, saveToken: async function (_token, _client, _user) { @@ -581,17 +581,17 @@ describe('AuthorizationCodeGrantType integration', function() { _token.accessTokenExpiresAt.should.be.instanceOf(Date); _token.refreshTokenExpiresAt.should.be.instanceOf(Date); _token.refreshToken.should.be.a.sha256(); - _token.scope.should.equal('foo'); + _token.scope.should.eql(['foo']); (_token.authorizationCode === undefined).should.equal(true); _user.should.equal('fallback'); _client.should.equal('fallback'); return token; }, - validateScope: function(_user= 'fallback', _client= 'fallback', _scope = 'fallback') { + validateScope: function(_user= 'fallback', _client= 'fallback', _scope = ['fallback']) { _user.should.equal('fallback'); _client.should.equal('fallback'); - _scope.should.equal('fallback'); - return 'foo'; + _scope.should.eql(['fallback']); + return ['foo']; } }; const grantType = new AuthorizationCodeGrantType({ accessTokenLifetime: 123, model: model }); diff --git a/test/integration/grant-types/client-credentials-grant-type_test.js b/test/integration/grant-types/client-credentials-grant-type_test.js index a21b1a13..97d10055 100644 --- a/test/integration/grant-types/client-credentials-grant-type_test.js +++ b/test/integration/grant-types/client-credentials-grant-type_test.js @@ -94,7 +94,7 @@ describe('ClientCredentialsGrantType integration', function() { const token = {}; const client = { foo: 'bar' }; const user = { name: 'foo' }; - const scope = 'fooscope'; + const scope = ['fooscope']; const model = { getUserFromClient: async function(_client) { @@ -106,24 +106,24 @@ describe('ClientCredentialsGrantType integration', function() { _user.should.deep.equal(user); _token.accessToken.should.equal('long-access-token-hash'); _token.accessTokenExpiresAt.should.be.instanceOf(Date); - _token.scope.should.equal(scope); + _token.scope.should.eql(scope); return token; }, validateScope: async function (_user, _client, _scope) { _user.should.deep.equal(user); _client.should.deep.equal(client); - _scope.should.equal(scope); + _scope.should.eql(scope); return scope; }, generateAccessToken: async function (_client, _user, _scope) { _user.should.deep.equal(user); _client.should.deep.equal(client); - _scope.should.equal(scope); + _scope.should.eql(scope); return 'long-access-token-hash'; } }; const grantType = new ClientCredentialsGrantType({ accessTokenLifetime: 120, model: model }); - const request = new Request({ body: { scope }, headers: {}, method: {}, query: {} }); + const request = new Request({ body: { scope: scope.join(' ') }, headers: {}, method: {}, query: {} }); const data = await grantType.handle(request, client); data.should.equal(token); @@ -218,7 +218,7 @@ describe('ClientCredentialsGrantType integration', function() { const model = { getUserFromClient: () => should.fail(), saveToken: function() { return token; }, - validateScope: function() { return 'foo'; } + validateScope: function() { return ['foo']; } }; const grantType = new ClientCredentialsGrantType({ accessTokenLifetime: 123, model: model }); const data = await grantType.saveToken(token); diff --git a/test/integration/grant-types/password-grant-type_test.js b/test/integration/grant-types/password-grant-type_test.js index df1db899..20d2ac4f 100644 --- a/test/integration/grant-types/password-grant-type_test.js +++ b/test/integration/grant-types/password-grant-type_test.js @@ -92,7 +92,7 @@ describe('PasswordGrantType integration', function() { it('should return a token', async function() { const client = { id: 'foobar' }; - const scope = 'baz'; + const scope = ['baz']; const token = {}; const user = { id: 123456, @@ -109,19 +109,19 @@ describe('PasswordGrantType integration', function() { validateScope: async function(_user, _client, _scope) { _client.should.equal(client); _user.should.equal(user); - _scope.should.equal(scope); + _scope.should.eql(scope); return scope; }, generateAccessToken: async function (_client, _user, _scope) { _client.should.equal(client); _user.should.equal(user); - _scope.should.equal(scope); + _scope.should.eql(scope); return 'long-access-token-hash'; }, generateRefreshToken: async function (_client, _user, _scope) { _client.should.equal(client); _user.should.equal(user); - _scope.should.equal(scope); + _scope.should.eql(scope); return 'long-refresh-token-hash'; }, saveToken: async function(_token, _client, _user) { @@ -313,14 +313,14 @@ describe('PasswordGrantType integration', function() { _token.accessTokenExpiresAt.should.be.instanceOf(Date); _token.refreshTokenExpiresAt.should.be.instanceOf(Date); _token.refreshToken.should.be.a.sha256(); - _token.scope.should.equal('foo'); + _token.scope.should.eql(['foo']); _client.should.equal('fallback'); _user.should.equal('fallback'); return token; }, - validateScope: async function(_scope = 'fallback') { - _scope.should.equal('fallback'); - return 'foo'; + validateScope: async function(_scope = ['fallback']) { + _scope.should.eql(['fallback']); + return ['foo']; } }; const grantType = new PasswordGrantType({ accessTokenLifetime: 123, model }); diff --git a/test/integration/grant-types/refresh-token-grant-type_test.js b/test/integration/grant-types/refresh-token-grant-type_test.js index 316b8064..0619fefd 100644 --- a/test/integration/grant-types/refresh-token-grant-type_test.js +++ b/test/integration/grant-types/refresh-token-grant-type_test.js @@ -116,7 +116,7 @@ describe('RefreshTokenGrantType integration', function() { accessToken: 'foo', client: { id: 123 }, user: { name: 'foo' }, - scope: 'read write', + scope: ['read', 'write'], refreshTokenExpiresAt: new Date( new Date() * 2) }; const model = { @@ -131,13 +131,13 @@ describe('RefreshTokenGrantType integration', function() { generateAccessToken: async function (_client, _user, _scope) { _user.should.deep.equal({ name: 'foo' }); _client.should.deep.equal({ id: 123 }); - _scope.should.equal('read write'); + _scope.should.eql(['read', 'write']); return 'new-access-token'; }, generateRefreshToken: async function (_client, _user, _scope) { _user.should.deep.equal({ name: 'foo' }); _client.should.deep.equal({ id: 123 }); - _scope.should.equal('read write'); + _scope.should.eql(['read', 'write']); return 'new-refresh-token'; }, saveToken: async function(_token, _client, _user) { @@ -506,7 +506,7 @@ describe('RefreshTokenGrantType integration', function() { saveToken: async function(_token, _client, _user) { _user.should.deep.equal(user); _client.should.deep.equal(client); - _token.scope.should.deep.equal(scope); + _token.scope.should.deep.eql(scope); _token.accessToken.should.be.a.sha256(); _token.refreshToken.should.be.a.sha256(); _token.accessTokenExpiresAt.should.be.instanceOf(Date); diff --git a/test/integration/handlers/authenticate-handler_test.js b/test/integration/handlers/authenticate-handler_test.js index 712dd7cd..52355550 100644 --- a/test/integration/handlers/authenticate-handler_test.js +++ b/test/integration/handlers/authenticate-handler_test.js @@ -46,7 +46,7 @@ describe('AuthenticateHandler integration', function() { it('should throw an error if `scope` was given and `addAcceptedScopesHeader()` is missing', function() { try { - new AuthenticateHandler({ model: { getAccessToken: function() {} }, scope: 'foobar' }); + new AuthenticateHandler({ model: { getAccessToken: function() {} }, scope: ['foobar'] }); should.fail(); } catch (e) { @@ -57,7 +57,7 @@ describe('AuthenticateHandler integration', function() { it('should throw an error if `scope` was given and `addAuthorizedScopesHeader()` is missing', function() { try { - new AuthenticateHandler({ addAcceptedScopesHeader: true, model: { getAccessToken: function() {} }, scope: 'foobar' }); + new AuthenticateHandler({ addAcceptedScopesHeader: true, model: { getAccessToken: function() {} }, scope: ['foobar'] }); should.fail(); } catch (e) { @@ -68,7 +68,7 @@ describe('AuthenticateHandler integration', function() { it('should throw an error if `scope` was given and the model does not implement `verifyScope()`', function() { try { - new AuthenticateHandler({ addAcceptedScopesHeader: true, addAuthorizedScopesHeader: true, model: { getAccessToken: function() {} }, scope: 'foobar' }); + new AuthenticateHandler({ addAcceptedScopesHeader: true, addAuthorizedScopesHeader: true, model: { getAccessToken: function() {} }, scope: ['foobar'] }); should.fail(); } catch (e) { @@ -93,10 +93,10 @@ describe('AuthenticateHandler integration', function() { addAcceptedScopesHeader: true, addAuthorizedScopesHeader: true, model: model, - scope: 'foobar' + scope: ['foobar'] }); - grantType.scope.should.equal('foobar'); + grantType.scope.should.eql(['foobar']); }); }); @@ -254,7 +254,7 @@ describe('AuthenticateHandler integration', function() { return true; } }; - const handler = new AuthenticateHandler({ addAcceptedScopesHeader: true, addAuthorizedScopesHeader: true, model: model, scope: 'foo' }); + const handler = new AuthenticateHandler({ addAcceptedScopesHeader: true, addAuthorizedScopesHeader: true, model: model, scope: ['foo'] }); const request = new Request({ body: {}, headers: { 'Authorization': 'Bearer foo' }, @@ -522,9 +522,9 @@ describe('AuthenticateHandler integration', function() { return false; } }; - const handler = new AuthenticateHandler({ addAcceptedScopesHeader: true, addAuthorizedScopesHeader: true, model: model, scope: 'foo' }); + const handler = new AuthenticateHandler({ addAcceptedScopesHeader: true, addAuthorizedScopesHeader: true, model: model, scope: ['foo'] }); - return handler.verifyScope('foo') + return handler.verifyScope(['foo']) .then(should.fail) .catch(function(e) { e.should.be.an.instanceOf(InsufficientScopeError); @@ -539,9 +539,9 @@ describe('AuthenticateHandler integration', function() { return true; } }; - const handler = new AuthenticateHandler({ addAcceptedScopesHeader: true, addAuthorizedScopesHeader: true, model: model, scope: 'foo' }); + const handler = new AuthenticateHandler({ addAcceptedScopesHeader: true, addAuthorizedScopesHeader: true, model: model, scope: ['foo'] }); - handler.verifyScope('foo').should.be.an.instanceOf(Promise); + handler.verifyScope(['foo']).should.be.an.instanceOf(Promise); }); it('should support non-promises', function() { @@ -551,9 +551,9 @@ describe('AuthenticateHandler integration', function() { return true; } }; - const handler = new AuthenticateHandler({ addAcceptedScopesHeader: true, addAuthorizedScopesHeader: true, model: model, scope: 'foo' }); + const handler = new AuthenticateHandler({ addAcceptedScopesHeader: true, addAuthorizedScopesHeader: true, model: model, scope: ['foo'] }); - handler.verifyScope('foo').should.be.an.instanceOf(Promise); + handler.verifyScope(['foo']).should.be.an.instanceOf(Promise); }); }); @@ -566,7 +566,7 @@ describe('AuthenticateHandler integration', function() { const handler = new AuthenticateHandler({ addAcceptedScopesHeader: true, addAuthorizedScopesHeader: false, model: model }); const response = new Response({ body: {}, headers: {} }); - handler.updateResponse(response, { scope: 'foo biz' }); + handler.updateResponse(response, { scope: ['foo', 'biz'] }); response.headers.should.not.have.property('x-accepted-oauth-scopes'); }); @@ -576,10 +576,10 @@ describe('AuthenticateHandler integration', function() { getAccessToken: function() {}, verifyScope: function() {} }; - const handler = new AuthenticateHandler({ addAcceptedScopesHeader: true, addAuthorizedScopesHeader: false, model: model, scope: 'foo bar' }); + const handler = new AuthenticateHandler({ addAcceptedScopesHeader: true, addAuthorizedScopesHeader: false, model: model, scope: ['foo', 'bar'] }); const response = new Response({ body: {}, headers: {} }); - handler.updateResponse(response, { scope: 'foo biz' }); + handler.updateResponse(response, { scope: ['foo', 'biz'] }); response.get('X-Accepted-OAuth-Scopes').should.equal('foo bar'); }); @@ -592,7 +592,7 @@ describe('AuthenticateHandler integration', function() { const handler = new AuthenticateHandler({ addAcceptedScopesHeader: false, addAuthorizedScopesHeader: true, model: model }); const response = new Response({ body: {}, headers: {} }); - handler.updateResponse(response, { scope: 'foo biz' }); + handler.updateResponse(response, { scope: ['foo', 'biz'] }); response.headers.should.not.have.property('x-oauth-scopes'); }); @@ -602,10 +602,10 @@ describe('AuthenticateHandler integration', function() { getAccessToken: function() {}, verifyScope: function() {} }; - const handler = new AuthenticateHandler({ addAcceptedScopesHeader: false, addAuthorizedScopesHeader: true, model: model, scope: 'foo bar' }); + const handler = new AuthenticateHandler({ addAcceptedScopesHeader: false, addAuthorizedScopesHeader: true, model: model, scope: ['foo', 'bar'] }); const response = new Response({ body: {}, headers: {} }); - handler.updateResponse(response, { scope: 'foo biz' }); + handler.updateResponse(response, { scope: ['foo', 'biz'] }); response.get('X-OAuth-Scopes').should.equal('foo biz'); }); diff --git a/test/integration/handlers/authorize-handler_test.js b/test/integration/handlers/authorize-handler_test.js index 1e4a515d..fbc3a9c4 100644 --- a/test/integration/handlers/authorize-handler_test.js +++ b/test/integration/handlers/authorize-handler_test.js @@ -464,7 +464,7 @@ describe('AuthorizeHandler integration', function() { return { authorizationCode: 12345, client }; }, validateScope: async function(_user, _client, _scope) { - _scope.should.equal('read'); + _scope.should.eql(['read']); return false; } }; @@ -629,7 +629,7 @@ describe('AuthorizeHandler integration', function() { it('should return the `code` if successful (full model implementation)', async function () { const user = { name: 'fooUser' }; const state = 'fooobarstatebaz'; - const scope = 'read'; + const scope = ['read']; const client = { id: 'client-1322132131', grants: ['authorization_code'], @@ -655,19 +655,19 @@ describe('AuthorizeHandler integration', function() { }, verifyScope: async function (_tokenDoc, _scope) { _tokenDoc.should.equal(accessTokenDoc); - _scope.should.equal(accessTokenDoc.scope); + _scope.should.eql(accessTokenDoc.scope); return true; }, validateScope: async function (_user, _client, _scope) { _user.should.deep.equal(user); _client.should.deep.equal(client); - _scope.should.equal(scope); + _scope.should.eql(scope); return _scope; }, generateAuthorizationCode: async function (_client, _user, _scope) { _user.should.deep.equal(user); _client.should.deep.equal(client); - _scope.should.equal(scope); + _scope.should.eql(scope); return authorizationCode; }, saveAuthorizationCode: async function (code, _client, _user) { @@ -689,12 +689,12 @@ describe('AuthorizeHandler integration', function() { 'Authorization': `Bearer ${accessTokenDoc.accessToken}` }, method: {}, - query: { state, scope } + query: { state, scope: scope.join(' ') } }); const response = new Response({ body: {}, headers: {} }); const data = await handler.handle(request, response); - data.scope.should.equal(scope); + data.scope.should.eql(scope); data.client.should.deep.equal(client); data.user.should.deep.equal(user); data.expiresAt.should.be.instanceOf(Date); @@ -1096,7 +1096,7 @@ describe('AuthorizeHandler integration', function() { const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model }); const request = new Request({ body: { scope: 'foo' }, headers: {}, method: {}, query: {} }); - handler.getScope(request).should.equal('foo'); + handler.getScope(request).should.eql(['foo']); }); }); @@ -1110,7 +1110,7 @@ describe('AuthorizeHandler integration', function() { const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model }); const request = new Request({ body: {}, headers: {}, method: {}, query: { scope: 'foo' } }); - handler.getScope(request).should.equal('foo'); + handler.getScope(request).should.eql(['foo']); }); }); }); @@ -1421,7 +1421,7 @@ describe('AuthorizeHandler integration', function() { getClient: function() {}, saveAuthorizationCode: function() {} }; - const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model }); + const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model }); const request = new Request({ body: {code_challenge_method: 'S256'}, headers: {}, method: {}, query: {} }); const codeChallengeMethod = handler.getCodeChallengeMethod(request); @@ -1454,7 +1454,7 @@ describe('AuthorizeHandler integration', function() { getClient: function() {}, saveAuthorizationCode: function() {} }; - const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model }); + const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model }); const request = new Request({ body: {}, headers: {}, method: {}, query: {} }); const codeChallengeMethod = handler.getCodeChallengeMethod(request); @@ -1469,7 +1469,7 @@ describe('AuthorizeHandler integration', function() { getClient: function() {}, saveAuthorizationCode: function() {} }; - const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model }); + const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model }); const request = new Request({ body: {code_challenge: 'challenge'}, headers: {}, method: {}, query: {} }); const codeChallengeMethod = handler.getCodeChallenge(request); diff --git a/test/integration/handlers/token-handler_test.js b/test/integration/handlers/token-handler_test.js index 4477c7b8..1c2db3b4 100644 --- a/test/integration/handlers/token-handler_test.js +++ b/test/integration/handlers/token-handler_test.js @@ -298,12 +298,12 @@ describe('TokenHandler integration', function() { }); it('should return a bearer token if successful', function() { - const token = { accessToken: 'foo', client: {}, refreshToken: 'bar', scope: 'foobar', user: {} }; + const token = { accessToken: 'foo', client: {}, refreshToken: 'bar', scope: ['foobar'], user: {} }; const model = { getClient: function() { return { grants: ['password'] }; }, getUser: function() { return {}; }, saveToken: function() { return token; }, - validateScope: function() { return 'baz'; } + validateScope: function() { return ['baz']; } }; const handler = new TokenHandler({ accessTokenLifetime: 120, model: model, refreshTokenLifetime: 120 }); const request = new Request({ @@ -329,12 +329,12 @@ describe('TokenHandler integration', function() { }); it('should not return custom attributes in a bearer token if the allowExtendedTokenAttributes is not set', function() { - const token = { accessToken: 'foo', client: {}, refreshToken: 'bar', scope: 'foobar', user: {}, foo: 'bar' }; + const token = { accessToken: 'foo', client: {}, refreshToken: 'bar', scope: ['foobar'], user: {}, foo: 'bar' }; const model = { getClient: function() { return { grants: ['password'] }; }, getUser: function() { return {}; }, saveToken: function() { return token; }, - validateScope: function() { return 'baz'; } + validateScope: function() { return ['baz']; } }; const handler = new TokenHandler({ accessTokenLifetime: 120, model: model, refreshTokenLifetime: 120 }); const request = new Request({ @@ -364,12 +364,12 @@ describe('TokenHandler integration', function() { }); it('should return custom attributes in a bearer token if the allowExtendedTokenAttributes is set', function() { - const token = { accessToken: 'foo', client: {}, refreshToken: 'bar', scope: 'foobar', user: {}, foo: 'bar' }; + const token = { accessToken: 'foo', client: {}, refreshToken: 'bar', scope: ['foobar'], user: {}, foo: 'bar' }; const model = { getClient: function() { return { grants: ['password'] }; }, getUser: function() { return {}; }, saveToken: function() { return token; }, - validateScope: function() { return 'baz'; } + validateScope: function() { return ['baz']; } }; const handler = new TokenHandler({ accessTokenLifetime: 120, model: model, refreshTokenLifetime: 120, allowExtendedTokenAttributes: true }); const request = new Request({ @@ -795,7 +795,7 @@ describe('TokenHandler integration', function() { getAuthorizationCode: function() { return { authorizationCode: 12345, client: { id: 'foobar' }, expiresAt: new Date(new Date() * 2), user: {} }; }, getClient: function() {}, saveToken: function() { return token; }, - validateScope: function() { return 'foo'; }, + validateScope: function() { return ['foo']; }, revokeAuthorizationCode: function() { return { authorizationCode: 12345, client: { id: 'foobar' }, expiresAt: new Date(new Date() / 2), user: {} }; } }; const handler = new TokenHandler({ accessTokenLifetime: 120, model: model, refreshTokenLifetime: 120 }); @@ -834,7 +834,7 @@ describe('TokenHandler integration', function() { getAuthorizationCode: function() { return authorizationCode; }, getClient: function() {}, saveToken: function() { return token; }, - validateScope: function() { return 'foo'; }, + validateScope: function() { return ['foo']; }, revokeAuthorizationCode: function() { return authorizationCode; } }; const handler = new TokenHandler({ accessTokenLifetime: 120, model: model, refreshTokenLifetime: 120 }); @@ -872,7 +872,7 @@ describe('TokenHandler integration', function() { getAuthorizationCode: function() { return authorizationCode; }, getClient: function() {}, saveToken: function() { return token; }, - validateScope: function() { return 'foo'; }, + validateScope: function() { return ['foo']; }, revokeAuthorizationCode: function() { return authorizationCode; } }; const handler = new TokenHandler({ accessTokenLifetime: 120, model: model, refreshTokenLifetime: 120 }); @@ -910,7 +910,7 @@ describe('TokenHandler integration', function() { getAuthorizationCode: function() { return authorizationCode; }, getClient: function() {}, saveToken: function() { return token; }, - validateScope: function() { return 'foo'; }, + validateScope: function() { return ['foo']; }, revokeAuthorizationCode: function() { return authorizationCode; } }; const handler = new TokenHandler({ accessTokenLifetime: 120, model: model, refreshTokenLifetime: 120 }); @@ -949,7 +949,7 @@ describe('TokenHandler integration', function() { getAuthorizationCode: function() { return authorizationCode; }, getClient: function() {}, saveToken: function() { return token; }, - validateScope: function() { return 'foo'; }, + validateScope: function() { return ['foo']; }, revokeAuthorizationCode: function() { return authorizationCode; } }; const handler = new TokenHandler({ accessTokenLifetime: 120, model: model, refreshTokenLifetime: 120 }); @@ -984,7 +984,7 @@ describe('TokenHandler integration', function() { getAuthorizationCode: function() { return authorizationCode; }, getClient: function() {}, saveToken: function() { return token; }, - validateScope: function() { return 'foo'; }, + validateScope: function() { return ['foo']; }, revokeAuthorizationCode: function() { return authorizationCode; } }; const handler = new TokenHandler({ accessTokenLifetime: 120, model: model, refreshTokenLifetime: 120 }); @@ -1016,7 +1016,7 @@ describe('TokenHandler integration', function() { getClient: function() {}, getUserFromClient: function() { return {}; }, saveToken: function() { return token; }, - validateScope: function() { return 'foo'; } + validateScope: function() { return ['foo']; } }; const handler = new TokenHandler({ accessTokenLifetime: 120, model: model, refreshTokenLifetime: 120 }); const request = new Request({ @@ -1045,7 +1045,7 @@ describe('TokenHandler integration', function() { getClient: function() {}, getUser: function() { return {}; }, saveToken: function() { return token; }, - validateScope: function() { return 'baz'; } + validateScope: function() { return ['baz']; } }; const handler = new TokenHandler({ accessTokenLifetime: 120, model: model, refreshTokenLifetime: 120 }); const request = new Request({ @@ -1107,7 +1107,7 @@ describe('TokenHandler integration', function() { getClient: function() {}, getUser: function() { return {}; }, saveToken: function() { return token; }, - validateScope: function() { return 'foo'; } + validateScope: function() { return ['foo']; } }; const handler = new TokenHandler({ accessTokenLifetime: 120, model: model, refreshTokenLifetime: 120, extendedGrantTypes: { 'urn:ietf:params:oauth:grant-type:saml2-bearer': PasswordGrantType } }); const request = new Request({ body: { grant_type: 'urn:ietf:params:oauth:grant-type:saml2-bearer', username: 'foo', password: 'bar' }, headers: {}, method: {}, query: {} }); @@ -1176,8 +1176,8 @@ describe('TokenHandler integration', function() { saveToken: function() {} }; const handler = new TokenHandler({ accessTokenLifetime: 120, model: model, refreshTokenLifetime: 120 }); - const tokenType = handler.getTokenType({ accessToken: 'foo', refreshToken: 'bar', scope: 'foobar' }); - tokenType.should.deep.include({ accessToken: 'foo', accessTokenLifetime: undefined, refreshToken: 'bar', scope: 'foobar' }); + const tokenType = handler.getTokenType({ accessToken: 'foo', refreshToken: 'bar', scope: ['foobar'] }); + tokenType.should.deep.include({ accessToken: 'foo', accessTokenLifetime: undefined, refreshToken: 'bar', scope: ['foobar'] }); }); }); diff --git a/test/integration/server_test.js b/test/integration/server_test.js index aad03356..7732bdc2 100644 --- a/test/integration/server_test.js +++ b/test/integration/server_test.js @@ -144,7 +144,7 @@ describe('Server integration', function() { saveToken: function() { return { accessToken: 1234, client: {}, user: {} }; }, - validateScope: function() { return 'foo'; } + validateScope: function() { return ['foo']; } }; const server = new Server({ model: model }); const request = new Request({ body: { client_id: 1234, client_secret: 'secret', grant_type: 'password', username: 'foo', password: 'pass', scope: 'foo' }, headers: { 'content-type': 'application/x-www-form-urlencoded', 'transfer-encoding': 'chunked' }, method: 'POST', query: {} }); diff --git a/test/unit/grant-types/authorization-code-grant-type_test.js b/test/unit/grant-types/authorization-code-grant-type_test.js index c3502bee..3ffe46ad 100644 --- a/test/unit/grant-types/authorization-code-grant-type_test.js +++ b/test/unit/grant-types/authorization-code-grant-type_test.js @@ -72,17 +72,17 @@ describe('AuthorizationCodeGrantType', function() { }; const handler = new AuthorizationCodeGrantType({ accessTokenLifetime: 120, model: model }); - sinon.stub(handler, 'validateScope').returns('foobiz'); + sinon.stub(handler, 'validateScope').returns(['foobiz']); sinon.stub(handler, 'generateAccessToken').returns(Promise.resolve('foo')); sinon.stub(handler, 'generateRefreshToken').returns(Promise.resolve('bar')); sinon.stub(handler, 'getAccessTokenExpiresAt').returns(Promise.resolve('biz')); sinon.stub(handler, 'getRefreshTokenExpiresAt').returns(Promise.resolve('baz')); - return handler.saveToken(user, client, 'foobar', 'foobiz') + return handler.saveToken(user, client, 'foobar', ['foobiz']) .then(function() { model.saveToken.callCount.should.equal(1); model.saveToken.firstCall.args.should.have.length(3); - model.saveToken.firstCall.args[0].should.eql({ accessToken: 'foo', authorizationCode: 'foobar', accessTokenExpiresAt: 'biz', refreshToken: 'bar', refreshTokenExpiresAt: 'baz', scope: 'foobiz' }); + model.saveToken.firstCall.args[0].should.eql({ accessToken: 'foo', authorizationCode: 'foobar', accessTokenExpiresAt: 'biz', refreshToken: 'bar', refreshTokenExpiresAt: 'baz', scope: ['foobiz'] }); model.saveToken.firstCall.args[1].should.equal(client); model.saveToken.firstCall.args[2].should.equal(user); model.saveToken.firstCall.thisValue.should.equal(model); diff --git a/test/unit/grant-types/client-credentials-grant-type_test.js b/test/unit/grant-types/client-credentials-grant-type_test.js index 3997823b..5e012b43 100644 --- a/test/unit/grant-types/client-credentials-grant-type_test.js +++ b/test/unit/grant-types/client-credentials-grant-type_test.js @@ -43,15 +43,15 @@ describe('ClientCredentialsGrantType', function() { }; const handler = new ClientCredentialsGrantType({ accessTokenLifetime: 120, model: model }); - sinon.stub(handler, 'validateScope').returns('foobar'); + sinon.stub(handler, 'validateScope').returns(['foobar']); sinon.stub(handler, 'generateAccessToken').returns('foo'); sinon.stub(handler, 'getAccessTokenExpiresAt').returns('biz'); - return handler.saveToken(user, client, 'foobar') + return handler.saveToken(user, client, ['foobar']) .then(function() { model.saveToken.callCount.should.equal(1); model.saveToken.firstCall.args.should.have.length(3); - model.saveToken.firstCall.args[0].should.eql({ accessToken: 'foo', accessTokenExpiresAt: 'biz', scope: 'foobar' }); + model.saveToken.firstCall.args[0].should.eql({ accessToken: 'foo', accessTokenExpiresAt: 'biz', scope: ['foobar'] }); model.saveToken.firstCall.args[1].should.equal(client); model.saveToken.firstCall.args[2].should.equal(user); model.saveToken.firstCall.thisValue.should.equal(model); diff --git a/test/unit/grant-types/password-grant-type_test.js b/test/unit/grant-types/password-grant-type_test.js index ceb2ad9d..f2411765 100644 --- a/test/unit/grant-types/password-grant-type_test.js +++ b/test/unit/grant-types/password-grant-type_test.js @@ -45,17 +45,17 @@ describe('PasswordGrantType', function() { }; const handler = new PasswordGrantType({ accessTokenLifetime: 120, model: model }); - sinon.stub(handler, 'validateScope').returns('foobar'); + sinon.stub(handler, 'validateScope').returns(['foobar']); sinon.stub(handler, 'generateAccessToken').returns('foo'); sinon.stub(handler, 'generateRefreshToken').returns('bar'); sinon.stub(handler, 'getAccessTokenExpiresAt').returns('biz'); sinon.stub(handler, 'getRefreshTokenExpiresAt').returns('baz'); - return handler.saveToken(user, client, 'foobar') + return handler.saveToken(user, client, ['foobar']) .then(function() { model.saveToken.callCount.should.equal(1); model.saveToken.firstCall.args.should.have.length(3); - model.saveToken.firstCall.args[0].should.eql({ accessToken: 'foo', accessTokenExpiresAt: 'biz', refreshToken: 'bar', refreshTokenExpiresAt: 'baz', scope: 'foobar' }); + model.saveToken.firstCall.args[0].should.eql({ accessToken: 'foo', accessTokenExpiresAt: 'biz', refreshToken: 'bar', refreshTokenExpiresAt: 'baz', scope: ['foobar'] }); model.saveToken.firstCall.args[1].should.equal(client); model.saveToken.firstCall.args[2].should.equal(user); model.saveToken.firstCall.thisValue.should.equal(model); diff --git a/test/unit/grant-types/refresh-token-grant-type_test.js b/test/unit/grant-types/refresh-token-grant-type_test.js index c91a37ed..8d2faee6 100644 --- a/test/unit/grant-types/refresh-token-grant-type_test.js +++ b/test/unit/grant-types/refresh-token-grant-type_test.js @@ -131,11 +131,11 @@ describe('RefreshTokenGrantType', function() { sinon.stub(handler, 'getAccessTokenExpiresAt').returns('biz'); sinon.stub(handler, 'getRefreshTokenExpiresAt').returns('baz'); - return handler.saveToken(user, client, 'foobar') + return handler.saveToken(user, client, ['foobar']) .then(function() { model.saveToken.callCount.should.equal(1); model.saveToken.firstCall.args.should.have.length(3); - model.saveToken.firstCall.args[0].should.eql({ accessToken: 'foo', accessTokenExpiresAt: 'biz', refreshToken: 'bar', refreshTokenExpiresAt: 'baz', scope: 'foobar' }); + model.saveToken.firstCall.args[0].should.eql({ accessToken: 'foo', accessTokenExpiresAt: 'biz', refreshToken: 'bar', refreshTokenExpiresAt: 'baz', scope: ['foobar'] }); model.saveToken.firstCall.args[1].should.equal(client); model.saveToken.firstCall.args[2].should.equal(user); model.saveToken.firstCall.thisValue.should.equal(model); @@ -158,11 +158,11 @@ describe('RefreshTokenGrantType', function() { sinon.stub(handler, 'getAccessTokenExpiresAt').returns('biz'); sinon.stub(handler, 'getRefreshTokenExpiresAt').returns('baz'); - return handler.saveToken(user, client, 'foobar') + return handler.saveToken(user, client, ['foobar']) .then(function() { model.saveToken.callCount.should.equal(1); model.saveToken.firstCall.args.should.have.length(3); - model.saveToken.firstCall.args[0].should.eql({ accessToken: 'foo', accessTokenExpiresAt: 'biz', scope: 'foobar' }); + model.saveToken.firstCall.args[0].should.eql({ accessToken: 'foo', accessTokenExpiresAt: 'biz', scope: ['foobar'] }); model.saveToken.firstCall.args[1].should.equal(client); model.saveToken.firstCall.args[2].should.equal(user); model.saveToken.firstCall.thisValue.should.equal(model); @@ -185,11 +185,11 @@ describe('RefreshTokenGrantType', function() { sinon.stub(handler, 'getAccessTokenExpiresAt').returns('biz'); sinon.stub(handler, 'getRefreshTokenExpiresAt').returns('baz'); - return handler.saveToken(user, client, 'foobar') + return handler.saveToken(user, client, ['foobar']) .then(function() { model.saveToken.callCount.should.equal(1); model.saveToken.firstCall.args.should.have.length(3); - model.saveToken.firstCall.args[0].should.eql({ accessToken: 'foo', accessTokenExpiresAt: 'biz', refreshToken: 'bar', refreshTokenExpiresAt: 'baz', scope: 'foobar' }); + model.saveToken.firstCall.args[0].should.eql({ accessToken: 'foo', accessTokenExpiresAt: 'biz', refreshToken: 'bar', refreshTokenExpiresAt: 'baz', scope: ['foobar'] }); model.saveToken.firstCall.args[1].should.equal(client); model.saveToken.firstCall.args[2].should.equal(user); model.saveToken.firstCall.thisValue.should.equal(model); diff --git a/test/unit/handlers/authenticate-handler_test.js b/test/unit/handlers/authenticate-handler_test.js index ff0a924d..c8433057 100644 --- a/test/unit/handlers/authenticate-handler_test.js +++ b/test/unit/handlers/authenticate-handler_test.js @@ -166,13 +166,13 @@ describe('AuthenticateHandler', function() { getAccessToken: function() {}, verifyScope: sinon.stub().returns(true) }; - const handler = new AuthenticateHandler({ addAcceptedScopesHeader: true, addAuthorizedScopesHeader: true, model: model, scope: 'bar' }); + const handler = new AuthenticateHandler({ addAcceptedScopesHeader: true, addAuthorizedScopesHeader: true, model: model, scope: ['bar'] }); - return handler.verifyScope('foo') + return handler.verifyScope(['foo']) .then(function() { model.verifyScope.callCount.should.equal(1); model.verifyScope.firstCall.args.should.have.length(2); - model.verifyScope.firstCall.args[0].should.equal('foo', 'bar'); + model.verifyScope.firstCall.args[0].should.eql(['foo'], ['bar']); model.verifyScope.firstCall.thisValue.should.equal(model); }) .catch(should.fail); diff --git a/test/unit/handlers/authorize-handler_test.js b/test/unit/handlers/authorize-handler_test.js index 91ab651e..078f82f8 100644 --- a/test/unit/handlers/authorize-handler_test.js +++ b/test/unit/handlers/authorize-handler_test.js @@ -86,11 +86,11 @@ describe('AuthorizeHandler', function() { }; const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model }); - return handler.saveAuthorizationCode('foo', 'bar', 'qux', 'biz', 'baz', 'boz') + return handler.saveAuthorizationCode('foo', 'bar', ['qux'], 'biz', 'baz', 'boz') .then(function() { model.saveAuthorizationCode.callCount.should.equal(1); model.saveAuthorizationCode.firstCall.args.should.have.length(3); - model.saveAuthorizationCode.firstCall.args[0].should.eql({ authorizationCode: 'foo', expiresAt: 'bar', redirectUri: 'baz', scope: 'qux' }); + model.saveAuthorizationCode.firstCall.args[0].should.eql({ authorizationCode: 'foo', expiresAt: 'bar', redirectUri: 'baz', scope: ['qux'] }); model.saveAuthorizationCode.firstCall.args[1].should.equal('biz'); model.saveAuthorizationCode.firstCall.args[2].should.equal('boz'); model.saveAuthorizationCode.firstCall.thisValue.should.equal(model); @@ -106,11 +106,11 @@ describe('AuthorizeHandler', function() { }; const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model }); - return handler.saveAuthorizationCode('foo', 'bar', 'qux', 'biz', 'baz', 'boz', 'codeChallenge', 'codeChallengeMethod') + return handler.saveAuthorizationCode('foo', 'bar', ['qux'], 'biz', 'baz', 'boz', 'codeChallenge', 'codeChallengeMethod') .then(function() { model.saveAuthorizationCode.callCount.should.equal(1); model.saveAuthorizationCode.firstCall.args.should.have.length(3); - model.saveAuthorizationCode.firstCall.args[0].should.eql({ authorizationCode: 'foo', expiresAt: 'bar', redirectUri: 'baz', scope: 'qux', codeChallenge: 'codeChallenge', codeChallengeMethod: 'codeChallengeMethod' }); + model.saveAuthorizationCode.firstCall.args[0].should.eql({ authorizationCode: 'foo', expiresAt: 'bar', redirectUri: 'baz', scope: ['qux'], codeChallenge: 'codeChallenge', codeChallengeMethod: 'codeChallengeMethod' }); model.saveAuthorizationCode.firstCall.args[1].should.equal('biz'); model.saveAuthorizationCode.firstCall.args[2].should.equal('boz'); model.saveAuthorizationCode.firstCall.thisValue.should.equal(model); diff --git a/test/unit/server_test.js b/test/unit/server_test.js index df685213..fd7bd391 100644 --- a/test/unit/server_test.js +++ b/test/unit/server_test.js @@ -30,24 +30,6 @@ describe('Server', function() { AuthenticateHandler.prototype.handle.firstCall.args[0].should.equal('foo'); AuthenticateHandler.prototype.handle.restore(); }); - - it('should map string passed as `options` to `options.scope`', function() { - const model = { - getAccessToken: function() {}, - verifyScope: function() {} - }; - const server = new Server({ model: model }); - - sinon.stub(AuthenticateHandler.prototype, 'handle').returns(Promise.resolve()); - - server.authenticate('foo', 'bar', 'test'); - - AuthenticateHandler.prototype.handle.callCount.should.equal(1); - AuthenticateHandler.prototype.handle.firstCall.args[0].should.equal('foo'); - AuthenticateHandler.prototype.handle.firstCall.args[1].should.equal('bar'); - AuthenticateHandler.prototype.handle.firstCall.thisValue.should.have.property('scope', 'test'); - AuthenticateHandler.prototype.handle.restore(); - }); }); describe('authorize()', function() { From 22217513b24e52faebe75b315484d339e49b9428 Mon Sep 17 00:00:00 2001 From: Joren Vandeweyer Date: Sat, 9 Sep 2023 23:29:53 +0200 Subject: [PATCH 22/47] removed callbacks from docs --- README.md | 4 +-- docs/api/oauth2-server.rst | 18 ++-------- docs/docs/getting-started.rst | 2 +- docs/model/spec.rst | 65 ++++++++--------------------------- lib/server.js | 1 - 5 files changed, 21 insertions(+), 69 deletions(-) diff --git a/README.md b/README.md index b60607f8..d4e0cb2d 100644 --- a/README.md +++ b/README.md @@ -27,7 +27,7 @@ If you're using one of those frameworks it is strongly recommended to use the re ## Features - Supports `authorization_code`, `client_credentials`, `refresh_token` and `password` grant, as well as *extension grants*, with scopes. -- Can be used with *promises*, *Node-style callbacks*, *ES6 generators* and *async*/*await* (using [Babel](https://babeljs.io)). +- Can be used with *promises*, *ES6 generators* and *async*/*await* (using [Babel](https://babeljs.io)). - Fully [RFC 6749](https://tools.ietf.org/html/rfc6749.html) and [RFC 6750](https://tools.ietf.org/html/rfc6750.html) compliant. - Implicitly supports any form of storage, e.g. *PostgreSQL*, *MySQL*, *MongoDB*, *Redis*, etc. - Support for PKCE @@ -40,7 +40,7 @@ Please leave an issue if something is confusing or missing in the docs. ## Examples -Most users should refer to our [Express (active)](https://github.com/node-oauth/express-oauth-server) or +Most users should refer to our [Express (active)](https://github.com/node-oauth/express-oauth-server) or [Koa (not maintained by us)](https://github.com/oauthjs/koa-oauth-server/tree/master/examples) examples. More examples can be found here: https://github.com/14gasher/oauth-example diff --git a/docs/api/oauth2-server.rst b/docs/api/oauth2-server.rst index 9fcf8123..bdcf4ae6 100644 --- a/docs/api/oauth2-server.rst +++ b/docs/api/oauth2-server.rst @@ -57,7 +57,7 @@ Advanced example with additional options: .. _OAuth2Server#authenticate: -``authenticate(request, response, [options], [callback])`` +``authenticate(request, response, [options])`` ========================================================== Authenticates a request. @@ -81,8 +81,6 @@ Authenticates a request. +------------------------------------------------+-----------------+-----------------------------------------------------------------------+ | [options.allowBearerTokensInQueryString=false] | Boolean | Allow clients to pass bearer tokens in the query string of a request. | +------------------------------------------------+-----------------+-----------------------------------------------------------------------+ -| [callback=undefined] | Function | Node-style callback to be used instead of the returned ``Promise``. | -+------------------------------------------------+-----------------+-----------------------------------------------------------------------+ **Return value:** @@ -94,8 +92,6 @@ Possible errors include but are not limited to: :doc:`/api/errors/unauthorized-request-error`: The protected resource request failed authentication. -The returned ``Promise`` **must** be ignored if ``callback`` is used. - **Remarks:** :: @@ -121,7 +117,7 @@ The returned ``Promise`` **must** be ignored if ``callback`` is used. .. _OAuth2Server#authorize: -``authorize(request, response, [options], [callback])`` +``authorize(request, response, [options])`` ======================================================= Authorizes a token request. @@ -145,8 +141,6 @@ Authorizes a token request. +-----------------------------------------+-----------------+-----------------------------------------------------------------------------+ | [options.authorizationCodeLifetime=300] | Number | Lifetime of generated authorization codes in seconds (default = 5 minutes). | +-----------------------------------------+-----------------+-----------------------------------------------------------------------------+ -| [callback=undefined] | Function | Node-style callback to be used instead of the returned ``Promise``. | -+-----------------------------------------+-----------------+-----------------------------------------------------------------------------+ **Return value:** @@ -158,8 +152,6 @@ Possible errors include but are not limited to: :doc:`/api/errors/access-denied-error` The resource owner denied the access request (i.e. ``request.query.allow`` was ``'false'``). -The returned ``Promise`` **must** be ignored if ``callback`` is used. - **Remarks:** If ``request.query.allowed`` equals the string ``'false'`` the access request is denied and the returned promise is rejected with an :doc:`/api/errors/access-denied-error`. @@ -211,7 +203,7 @@ When working with a session-based login mechanism, the handler can simply look l .. _OAuth2Server#token: -``token(request, response, [options], [callback])`` +``token(request, response, [options])`` =================================================== Retrieves a new token for an authorized token request. @@ -239,8 +231,6 @@ Retrieves a new token for an authorized token request. +----------------------------------------------+-----------------+-------------------------------------------------------------------------------------------+ | [options.extendedGrantTypes={}] | Object | Additional supported grant types. | +----------------------------------------------+-----------------+-------------------------------------------------------------------------------------------+ -| [callback=undefined] | Function | Node-style callback to be used instead of the returned ``Promise``. | -+----------------------------------------------+-----------------+-------------------------------------------------------------------------------------------+ **Return value:** @@ -252,8 +242,6 @@ Possible errors include but are not limited to: :doc:`/api/errors/invalid-grant-error`: The access token request was invalid or not authorized. -The returned ``Promise`` **must** be ignored if ``callback`` is used. - **Remarks:** If ``options.allowExtendedTokenAttributes`` is ``true`` any additional properties set on the object returned from :ref:`Model#saveToken() ` are copied to the token response sent to the client. diff --git a/docs/docs/getting-started.rst b/docs/docs/getting-started.rst index ff2c1156..85bfd6e1 100644 --- a/docs/docs/getting-started.rst +++ b/docs/docs/getting-started.rst @@ -28,7 +28,7 @@ Features ======== - Supports :ref:`authorization code `, :ref:`client credentials `, :ref:`refresh token ` and :ref:`password ` grant, as well as :ref:`extension grants `, with scopes. -- Can be used with *promises*, *Node-style callbacks*, *ES6 generators* and *async*/*await* (using Babel_). +- Can be used with *promises*, *ES6 generators* and *async*/*await* (using Babel_). - Fully :rfc:`6749` and :rfc:`6750` compliant. - Implicitly supports any form of storage, e.g. *PostgreSQL*, *MySQL*, *MongoDB*, *Redis*, etc. - Complete `test suite`_. diff --git a/docs/model/spec.rst b/docs/model/spec.rst index 5b1695f3..c4f0dc11 100644 --- a/docs/model/spec.rst +++ b/docs/model/spec.rst @@ -2,7 +2,7 @@ Model Specification ===================== -Each model function supports *promises*, *Node-style callbacks*, *ES6 generators* and *async*/*await* (using Babel_). Note that promise support implies support for returning plain values where asynchronism is not required. +Each model function supports *promises*, *ES6 generators* and *async*/*await* (using Babel_). Note that promise support implies support for returning plain values where asynchronism is not required. .. _Babel: https://babeljs.io @@ -14,11 +14,6 @@ Each model function supports *promises*, *Node-style callbacks*, *ES6 generators return new Promise('works!'); }, - // Or, calling a Node-style callback. - getAuthorizationCode: function(done) { - done(null, 'works!'); - }, - // Or, using generators. getClient: function*() { yield somethingAsync(); @@ -66,8 +61,6 @@ This model function is **optional**. If not implemented, a default handler is us +------------+----------+---------------------------------------------------------------------+ | scope | String[] | The scopes associated with the access token. Can be ``null``. | +------------+----------+---------------------------------------------------------------------+ -| [callback] | Function | Node-style callback to be used instead of the returned ``Promise``. | -+------------+----------+---------------------------------------------------------------------+ **Return value:** @@ -109,8 +102,6 @@ This model function is **optional**. If not implemented, a default handler is us +------------+----------+---------------------------------------------------------------------+ | scope | String[] | The scopes associated with the refresh token. Can be ``null``. | +------------+----------+---------------------------------------------------------------------+ -| [callback] | Function | Node-style callback to be used instead of the returned ``Promise``. | -+------------+----------+---------------------------------------------------------------------+ **Return value:** @@ -128,7 +119,7 @@ A ``String`` to be used as refresh token. .. _Model#generateAuthorizationCode: -``generateAuthorizationCode(client, user, scope, [callback])`` +``generateAuthorizationCode(client, user, scope)`` ========================================= Invoked to generate a new authorization code. @@ -150,8 +141,6 @@ This model function is **optional**. If not implemented, a default handler is us +------------+----------+---------------------------------------------------------------------+ | scope | String[] | The scopes associated with the authorization code. Can be ``null``. | +------------+----------+---------------------------------------------------------------------+ -| [callback] | Function | Node-style callback to be used instead of the returned ``Promise``. | -+------------+----------+---------------------------------------------------------------------+ **Return value:** @@ -163,7 +152,7 @@ A ``String`` to be used as authorization code. .. _Model#getAccessToken: -``getAccessToken(accessToken, [callback])`` +``getAccessToken(accessToken)`` =========================================== Invoked to retrieve an existing access token previously saved through :ref:`Model#saveToken() `. @@ -181,8 +170,6 @@ This model function is **required** if :ref:`OAuth2Server#authenticate() `. @@ -255,8 +242,6 @@ This model function is **required** if the ``refresh_token`` grant is used. +==============+==========+=====================================================================+ | refreshToken | String | The access token to retrieve. | +--------------+----------+---------------------------------------------------------------------+ -| [callback] | Function | Node-style callback to be used instead of the returned ``Promise``. | -+--------------+----------+---------------------------------------------------------------------+ **Return value:** @@ -311,7 +296,7 @@ An ``Object`` representing the refresh token and associated data. .. _Model#getAuthorizationCode: -``getAuthorizationCode(authorizationCode, [callback])`` +``getAuthorizationCode(authorizationCode)`` ======================================================= Invoked to retrieve an existing authorization code previously saved through :ref:`Model#saveAuthorizationCode() `. @@ -329,8 +314,6 @@ This model function is **required** if the ``authorization_code`` grant is used. +===================+==========+=====================================================================+ | authorizationCode | String | The authorization code to retrieve. | +-------------------+----------+---------------------------------------------------------------------+ -| [callback] | Function | Node-style callback to be used instead of the returned ``Promise``. | -+-------------------+----------+---------------------------------------------------------------------+ **Return value:** @@ -388,7 +371,7 @@ An ``Object`` representing the authorization code and associated data. .. _Model#getClient: -``getClient(clientId, clientSecret, [callback])`` +``getClient(clientId, clientSecret)`` ================================================= Invoked to retrieve a client using a client id or a client id/client secret combination, depending on the grant type. @@ -411,8 +394,6 @@ This model function is **required** for all grant types. +--------------+----------+---------------------------------------------------------------------+ | clientSecret | String | The client secret of the client to retrieve. Can be ``null``. | +--------------+----------+---------------------------------------------------------------------+ -| [callback] | Function | Node-style callback to be used instead of the returned ``Promise``. | -+--------------+----------+---------------------------------------------------------------------+ **Return value:** @@ -460,7 +441,7 @@ The return value (``client``) can carry additional properties that will be ignor .. _Model#getUser: -``getUser(username, password, [callback])`` +``getUser(username, password)`` =========================================== Invoked to retrieve a user using a username/password combination. @@ -480,8 +461,6 @@ This model function is **required** if the ``password`` grant is used. +------------+----------+---------------------------------------------------------------------+ | password | String | The user's password. | +------------+----------+---------------------------------------------------------------------+ -| [callback] | Function | Node-style callback to be used instead of the returned ``Promise``. | -+------------+----------+---------------------------------------------------------------------+ **Return value:** @@ -500,7 +479,7 @@ An ``Object`` representing the user, or a falsy value if no such user could be f .. _Model#getUserFromClient: -``getUserFromClient(client, [callback])`` +``getUserFromClient(client)`` ========================================= Invoked to retrieve the user associated with the specified client. @@ -520,8 +499,6 @@ This model function is **required** if the ``client_credentials`` grant is used. +------------+----------+---------------------------------------------------------------------+ | client.id | String | A unique string identifying the client. | +------------+----------+---------------------------------------------------------------------+ -| [callback] | Function | Node-style callback to be used instead of the returned ``Promise``. | -+------------+----------+---------------------------------------------------------------------+ **Return value:** @@ -542,7 +519,7 @@ An ``Object`` representing the user, or a falsy value if the client does not hav .. _Model#saveToken: -``saveToken(token, client, user, [callback])`` +``saveToken(token, client, user)`` ============================================== Invoked to save an access token and optionally a refresh token, depending on the grant type. @@ -577,8 +554,6 @@ This model function is **required** for all grant types. +-------------------------------+----------+---------------------------------------------------------------------+ | user | Object | The user associated with the token(s). | +-------------------------------+----------+---------------------------------------------------------------------+ -| [callback] | Function | Node-style callback to be used instead of the returned ``Promise``. | -+-------------------------------+----------+---------------------------------------------------------------------+ **Return value:** @@ -650,7 +625,7 @@ If the ``allowExtendedTokenAttributes`` server option is enabled (see :ref:`OAut .. _Model#saveAuthorizationCode: -``saveAuthorizationCode(code, client, user, [callback])`` +``saveAuthorizationCode(code, client, user)`` ========================================================= Invoked to save an authorization code. @@ -680,8 +655,6 @@ This model function is **required** if the ``authorization_code`` grant is used. +------------------------+----------+---------------------------------------------------------------------+ | user | Object | The user associated with the authorization code. | +------------------------+----------+---------------------------------------------------------------------+ -| [callback] | Function | Node-style callback to be used instead of the returned ``Promise``. | -+------------------------+----------+---------------------------------------------------------------------+ .. todo:: Is ``code.scope`` really optional? @@ -742,7 +715,7 @@ An ``Object`` representing the authorization code and associated data. .. _Model#revokeToken: -``revokeToken(token, [callback])`` +``revokeToken(token)`` ================================== Invoked to revoke a refresh token. @@ -772,8 +745,6 @@ This model function is **required** if the ``refresh_token`` grant is used. +-------------------------------+----------+---------------------------------------------------------------------+ | token.user | Object | The user associated with the refresh token. | +-------------------------------+----------+---------------------------------------------------------------------+ -| [callback] | Function | Node-style callback to be used instead of the returned ``Promise``. | -+-------------------------------+----------+---------------------------------------------------------------------+ **Return value:** @@ -797,7 +768,7 @@ Return ``true`` if the revocation was successful or ``false`` if the refresh tok .. _Model#revokeAuthorizationCode: -``revokeAuthorizationCode(code, [callback])`` +``revokeAuthorizationCode(code)`` ============================================= Invoked to revoke an authorization code. @@ -829,8 +800,6 @@ This model function is **required** if the ``authorization_code`` grant is used. +--------------------+----------+---------------------------------------------------------------------+ | code.user | Object | The user associated with the authorization code. | +--------------------+----------+---------------------------------------------------------------------+ -| [callback] | Function | Node-style callback to be used instead of the returned ``Promise``. | -+--------------------+----------+---------------------------------------------------------------------+ **Return value:** @@ -854,7 +823,7 @@ Return ``true`` if the revocation was successful or ``false`` if the authorizati .. _Model#validateScope: -``validateScope(user, client, scope, [callback])`` +``validateScope(user, client, scope)`` ================================================== Invoked to check if the requested ``scope`` is valid for a particular ``client``/``user`` combination. @@ -880,8 +849,6 @@ This model function is **optional**. If not implemented, any scope is accepted. +------------+----------+---------------------------------------------------------------------+ | scope | String[] | The scopes to validate. | +------------+----------+---------------------------------------------------------------------+ -| [callback] | Function | Node-style callback to be used instead of the returned ``Promise``. | -+------------+----------+---------------------------------------------------------------------+ **Return value:** @@ -924,7 +891,7 @@ To accept partially valid scopes: .. _Model#verifyScope: -``verifyScope(accessToken, scope, [callback])`` +``verifyScope(accessToken, scope)`` =============================================== Invoked during request authentication to check if the provided access token was authorized the requested scopes. @@ -956,8 +923,6 @@ This model function is **required** if scopes are used with :ref:`OAuth2Server#a +------------------------------+----------+---------------------------------------------------------------------+ | scope | String[] | The required scopes. | +------------------------------+----------+---------------------------------------------------------------------+ -| [callback] | Function | Node-style callback to be used instead of the returned ``Promise``. | -+------------------------------+----------+---------------------------------------------------------------------+ **Return value:** @@ -983,7 +948,7 @@ Returns ``true`` if the access token passes, ``false`` otherwise. .. _Model#validateRedirectUri: -``validateRedirectUri(redirectUri, client, [callback])`` +``validateRedirectUri(redirectUri, client)`` ================================================================ Invoked to check if the provided ``redirectUri`` is valid for a particular ``client``. diff --git a/lib/server.js b/lib/server.js index 656ad306..a2e31878 100644 --- a/lib/server.js +++ b/lib/server.js @@ -26,7 +26,6 @@ class OAuth2Server { /** * Authenticate a token. - * Note, that callback will soon be deprecated! */ authenticate (request, response, options) { From 716b52e7d7751e03366af4b318dd7fec8065bf46 Mon Sep 17 00:00:00 2001 From: Joren Vandeweyer Date: Sun, 10 Sep 2023 08:40:17 +0200 Subject: [PATCH 23/47] forgot a single scope --- test/integration/grant-types/abstract-grant-type_test.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/test/integration/grant-types/abstract-grant-type_test.js b/test/integration/grant-types/abstract-grant-type_test.js index 4d3e6d19..d48c1ee0 100644 --- a/test/integration/grant-types/abstract-grant-type_test.js +++ b/test/integration/grant-types/abstract-grant-type_test.js @@ -195,7 +195,7 @@ describe('AbstractGrantType integration', function() { }); it('throws if the model rejects the scope', async function () { - const scope = 'some,scope,this,that'; + const scope = ['some,scope,this,that']; const user = { id: 123 }; const client = { id: 456 }; const returnTypes = [undefined, null, false, 0, '']; @@ -206,7 +206,7 @@ describe('AbstractGrantType integration', function() { // make sure the model received the correct args _user.should.deep.equal(user); _client.should.deep.equal(_client); - _scope.should.equal(scope); + _scope.should.eql(scope); return type; } From 3e3010785c9f494f549ad3b7f9aaa6d7bdc4b51c Mon Sep 17 00:00:00 2001 From: jankapunkt Date: Mon, 18 Sep 2023 16:27:41 +0200 Subject: [PATCH 24/47] release 5.0.0-rc,3 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 10a65c08..e167c96c 100644 --- a/package.json +++ b/package.json @@ -1,7 +1,7 @@ { "name": "@node-oauth/oauth2-server", "description": "Complete, framework-agnostic, compliant and well tested module for implementing an OAuth2 Server in node.js", - "version": "5.0.0-rc.2", + "version": "5.0.0-rc.3", "keywords": [ "oauth", "oauth2" From 0d4e5f36c62714fbee277c0314cc3f0c81f33308 Mon Sep 17 00:00:00 2001 From: Joren Vandeweyer Date: Wed, 27 Sep 2023 22:34:04 +0200 Subject: [PATCH 25/47] added extra test for coverage --- .../refresh-token-grant-type_test.js | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/test/compliance/refresh-token-grant-type_test.js b/test/compliance/refresh-token-grant-type_test.js index 8c0e4982..09427855 100644 --- a/test/compliance/refresh-token-grant-type_test.js +++ b/test/compliance/refresh-token-grant-type_test.js @@ -186,6 +186,26 @@ describe('RefreshTokenGrantType Compliance', function () { }); }); + it('Should throw error if a scope is requested without a previous scope', async function () { + const request = createLoginRequest(); + const response = new Response({}); + + delete request.body.scope; + + const credentials = await auth.token(request, response, {}); + + const refreshRequest = createRefreshRequest(credentials.refreshToken); + const refreshResponse = new Response({}); + + refreshRequest.scope = 'read write'; + + await auth.token(refreshRequest, refreshResponse, {}) + .then(should.fail) + .catch(err => { + err.name.should.equal('invalid_scope'); + }); + }); + it('Should create refresh token with smaller scope', async function () { const request = createLoginRequest(); const response = new Response({}); From 6d7a990c907dff4794fc5c6e0cd34c8eb01d762b Mon Sep 17 00:00:00 2001 From: Joren Vandeweyer Date: Thu, 28 Sep 2023 09:57:44 +0200 Subject: [PATCH 26/47] remove invalid bearer token that was used in test --- test/integration/handlers/authorize-handler_test.js | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/test/integration/handlers/authorize-handler_test.js b/test/integration/handlers/authorize-handler_test.js index fbc3a9c4..8bc3ae09 100644 --- a/test/integration/handlers/authorize-handler_test.js +++ b/test/integration/handlers/authorize-handler_test.js @@ -635,9 +635,9 @@ describe('AuthorizeHandler integration', function() { grants: ['authorization_code'], redirectUris: ['http://example.com/cb'] }; - const authorizationCode = 'long-authz-code-?'; + const authorizationCode = 'long-authz-code'; const accessTokenDoc = { - accessToken: 'some-access-token-code-?', + accessToken: 'some-access-token-code', client, user, scope, @@ -703,7 +703,7 @@ describe('AuthorizeHandler integration', function() { response .get('location') .should - .equal('http://example.com/cb?code=long-authz-code-%3F&state=fooobarstatebaz'); + .equal('http://example.com/cb?code=long-authz-code&state=fooobarstatebaz'); }); it('should support a custom `authenticateHandler`', async function () { From 1c409269c71e70449b7f79c45cb77a9687bfe15b Mon Sep 17 00:00:00 2001 From: jankapunkt Date: Fri, 29 Sep 2023 08:54:34 +0200 Subject: [PATCH 27/47] publish 5.0.0-rc.4 --- package.json | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/package.json b/package.json index e167c96c..8e8364e5 100644 --- a/package.json +++ b/package.json @@ -1,7 +1,7 @@ { "name": "@node-oauth/oauth2-server", "description": "Complete, framework-agnostic, compliant and well tested module for implementing an OAuth2 Server in node.js", - "version": "5.0.0-rc.3", + "version": "5.0.0-rc.4", "keywords": [ "oauth", "oauth2" @@ -22,7 +22,8 @@ "files": [ "index.js", "index.d.ts", - "lib" + "lib", + "CHANGELOG.md" ], "dependencies": { "@node-oauth/formats": "1.0.0", From da3dc541211f75675bc34ae8fece79def6e82643 Mon Sep 17 00:00:00 2001 From: Joren Vandeweyer Date: Sat, 7 Oct 2023 13:29:10 +0200 Subject: [PATCH 28/47] fix typing of revokeToken --- index.d.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.d.ts b/index.d.ts index d48f6c0d..48d32426 100644 --- a/index.d.ts +++ b/index.d.ts @@ -360,7 +360,7 @@ declare namespace OAuth2Server { * Invoked to revoke a refresh token. * */ - revokeToken(token: RefreshToken | Token): Promise; + revokeToken(token: RefreshToken): Promise; } interface ClientCredentialsModel extends BaseModel, RequestAuthenticationModel { From d41585b1fd9aea5a3f5ee06713bcd2455ab8f51f Mon Sep 17 00:00:00 2001 From: Joren Vandeweyer Date: Wed, 25 Oct 2023 17:04:26 +0200 Subject: [PATCH 29/47] pass client to model function --- docs/model/spec.rst | 18 +++++++------- index.d.ts | 2 +- lib/grant-types/password-grant-type.js | 6 ++--- .../grant-types/password-grant-type_test.js | 24 ++++++++++++------- .../grant-types/password-grant-type_test.js | 5 ++-- 5 files changed, 33 insertions(+), 22 deletions(-) diff --git a/docs/model/spec.rst b/docs/model/spec.rst index c4f0dc11..87344641 100644 --- a/docs/model/spec.rst +++ b/docs/model/spec.rst @@ -441,7 +441,7 @@ The return value (``client``) can carry additional properties that will be ignor .. _Model#getUser: -``getUser(username, password)`` +``getUser(username, password, client)`` =========================================== Invoked to retrieve a user using a username/password combination. @@ -454,13 +454,15 @@ This model function is **required** if the ``password`` grant is used. **Arguments:** -+------------+----------+---------------------------------------------------------------------+ -| Name | Type | Description | -+============+==========+=====================================================================+ -| username | String | The username of the user to retrieve. | -+------------+----------+---------------------------------------------------------------------+ -| password | String | The user's password. | -+------------+----------+---------------------------------------------------------------------+ ++-------------------+----------+---------------------------------------------------------------------+ +| Name | Type | Description | ++===================+==========+=====================================================================+ +| username | String | The username of the user to retrieve. | ++-------------------+----------+---------------------------------------------------------------------+ +| password | String | The user's password. | ++-------------------+----------+---------------------------------------------------------------------+ +| client (optional) | Client | The user's password. | ++-------------------+----------+---------------------------------------------------------------------+ **Return value:** diff --git a/index.d.ts b/index.d.ts index 48d32426..5cd73d9c 100644 --- a/index.d.ts +++ b/index.d.ts @@ -334,7 +334,7 @@ declare namespace OAuth2Server { * Invoked to retrieve a user using a username/password combination. * */ - getUser(username: string, password: string): Promise; + getUser(username: string, password: string, client: Client): Promise; /** * Invoked to check if the requested scope is valid for a particular client/user combination. diff --git a/lib/grant-types/password-grant-type.js b/lib/grant-types/password-grant-type.js index d8c3f059..b09e4993 100644 --- a/lib/grant-types/password-grant-type.js +++ b/lib/grant-types/password-grant-type.js @@ -47,7 +47,7 @@ class PasswordGrantType extends AbstractGrantType { } const scope = this.getScope(request); - const user = await this.getUser(request); + const user = await this.getUser(request, client); return this.saveToken(user, client, scope); } @@ -56,7 +56,7 @@ class PasswordGrantType extends AbstractGrantType { * Get user using a username/password combination. */ - async getUser(request) { + async getUser(request, client) { if (!request.body.username) { throw new InvalidRequestError('Missing parameter: `username`'); } @@ -73,7 +73,7 @@ class PasswordGrantType extends AbstractGrantType { throw new InvalidRequestError('Invalid parameter: `password`'); } - const user = await this.model.getUser(request.body.username, request.body.password); + const user = await this.model.getUser(request.body.username, request.body.password, client); if (!user) { throw new InvalidGrantError('Invalid grant: user credentials are invalid'); diff --git a/test/integration/grant-types/password-grant-type_test.js b/test/integration/grant-types/password-grant-type_test.js index 20d2ac4f..ef9b2f16 100644 --- a/test/integration/grant-types/password-grant-type_test.js +++ b/test/integration/grant-types/password-grant-type_test.js @@ -177,11 +177,12 @@ describe('PasswordGrantType integration', function() { getUser: () => should.fail(), saveToken: () => should.fail() }; + const client = { id: 'foobar' }; const grantType = new PasswordGrantType({ accessTokenLifetime: 123, model }); const request = new Request({ body: {}, headers: {}, method: {}, query: {} }); try { - await grantType.getUser(request); + await grantType.getUser(request, client); should.fail(); } catch (e) { @@ -195,11 +196,12 @@ describe('PasswordGrantType integration', function() { getUser: () => should.fail(), saveToken: () => should.fail() }; + const client = { id: 'foobar' }; const grantType = new PasswordGrantType({ accessTokenLifetime: 123, model }); const request = new Request({ body: { username: 'foo' }, headers: {}, method: {}, query: {} }); try { - await grantType.getUser(request); + await grantType.getUser(request, client); should.fail(); } catch (e) { @@ -213,11 +215,12 @@ describe('PasswordGrantType integration', function() { getUser: () => should.fail(), saveToken: () => should.fail() }; + const client = { id: 'foobar' }; const grantType = new PasswordGrantType({ accessTokenLifetime: 123, model }); const request = new Request({ body: { username: '\r\n', password: 'foobar' }, headers: {}, method: {}, query: {} }); try { - await grantType.getUser(request); + await grantType.getUser(request, client); should.fail(); } catch (e) { @@ -231,11 +234,12 @@ describe('PasswordGrantType integration', function() { getUser: () => should.fail(), saveToken: () => should.fail() }; + const client = { id: 'foobar' }; const grantType = new PasswordGrantType({ accessTokenLifetime: 123, model }); const request = new Request({ body: { username: 'foobar', password: '\r\n' }, headers: {}, method: {}, query: {} }); try { - await grantType.getUser(request); + await grantType.getUser(request, client); should.fail(); } catch (e) { @@ -249,11 +253,12 @@ describe('PasswordGrantType integration', function() { getUser: async () => undefined, saveToken: () => should.fail() }; + const client = { id: 'foobar' }; const grantType = new PasswordGrantType({ accessTokenLifetime: 123, model }); const request = new Request({ body: { username: 'foo', password: 'bar' }, headers: {}, method: {}, query: {} }); try { - await grantType.getUser(request); + await grantType.getUser(request, client); should.fail(); } catch (e) { e.should.be.an.instanceOf(InvalidGrantError); @@ -263,6 +268,7 @@ describe('PasswordGrantType integration', function() { it('should return a user', async function() { const user = { email: 'foo@bar.com' }; + const client = { id: 'foobar' }; const model = { getUser: function(username, password) { username.should.equal('foo'); @@ -274,12 +280,13 @@ describe('PasswordGrantType integration', function() { const grantType = new PasswordGrantType({ accessTokenLifetime: 123, model }); const request = new Request({ body: { username: 'foo', password: 'bar' }, headers: {}, method: {}, query: {} }); - const data = await grantType.getUser(request); + const data = await grantType.getUser(request, client); data.should.equal(user); }); it('should support promises', function() { const user = { email: 'foo@bar.com' }; + const client = { id: 'foobar' }; const model = { getUser: async function() { return user; }, saveToken: () => should.fail() @@ -287,11 +294,12 @@ describe('PasswordGrantType integration', function() { const grantType = new PasswordGrantType({ accessTokenLifetime: 123, model }); const request = new Request({ body: { username: 'foo', password: 'bar' }, headers: {}, method: {}, query: {} }); - grantType.getUser(request).should.be.an.instanceOf(Promise); + grantType.getUser(request, client).should.be.an.instanceOf(Promise); }); it('should support non-promises', function() { const user = { email: 'foo@bar.com' }; + const client = { id: 'foobar' }; const model = { getUser: function() { return user; }, saveToken: () => should.fail() @@ -299,7 +307,7 @@ describe('PasswordGrantType integration', function() { const grantType = new PasswordGrantType({ accessTokenLifetime: 123, model }); const request = new Request({ body: { username: 'foo', password: 'bar' }, headers: {}, method: {}, query: {} }); - grantType.getUser(request).should.be.an.instanceOf(Promise); + grantType.getUser(request, client).should.be.an.instanceOf(Promise); }); }); diff --git a/test/unit/grant-types/password-grant-type_test.js b/test/unit/grant-types/password-grant-type_test.js index f2411765..63f43933 100644 --- a/test/unit/grant-types/password-grant-type_test.js +++ b/test/unit/grant-types/password-grant-type_test.js @@ -20,13 +20,14 @@ describe('PasswordGrantType', function() { getUser: sinon.stub().returns(true), saveToken: function() {} }; + const client = { id: 'foobar' }; const handler = new PasswordGrantType({ accessTokenLifetime: 120, model: model }); const request = new Request({ body: { username: 'foo', password: 'bar' }, headers: {}, method: {}, query: {} }); - return handler.getUser(request) + return handler.getUser(request, client) .then(function() { model.getUser.callCount.should.equal(1); - model.getUser.firstCall.args.should.have.length(2); + model.getUser.firstCall.args.should.have.length(3); model.getUser.firstCall.args[0].should.equal('foo'); model.getUser.firstCall.args[1].should.equal('bar'); model.getUser.firstCall.thisValue.should.equal(model); From d01219331c8d17c9154d76b897ad1c65ec932912 Mon Sep 17 00:00:00 2001 From: Joren Vandeweyer Date: Thu, 26 Oct 2023 10:00:36 +0200 Subject: [PATCH 30/47] fixed typo --- docs/model/spec.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/model/spec.rst b/docs/model/spec.rst index 87344641..665f4eee 100644 --- a/docs/model/spec.rst +++ b/docs/model/spec.rst @@ -461,7 +461,7 @@ This model function is **required** if the ``password`` grant is used. +-------------------+----------+---------------------------------------------------------------------+ | password | String | The user's password. | +-------------------+----------+---------------------------------------------------------------------+ -| client (optional) | Client | The user's password. | +| client (optional) | Client | The client. | +-------------------+----------+---------------------------------------------------------------------+ **Return value:** From ca43d4aa08c8eea0b3715442c0de7dc7278f79a6 Mon Sep 17 00:00:00 2001 From: jankapunkt Date: Wed, 1 Nov 2023 08:46:39 +0100 Subject: [PATCH 31/47] fix(pkce): get code challenge and method from either body or query (redo #197) --- lib/handlers/authorize-handler.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/handlers/authorize-handler.js b/lib/handlers/authorize-handler.js index a02a5b9d..12ca72cf 100644 --- a/lib/handlers/authorize-handler.js +++ b/lib/handlers/authorize-handler.js @@ -367,7 +367,7 @@ class AuthorizeHandler { } getCodeChallenge (request) { - return request.body.code_challenge; + return request.body.code_challenge || request.query.code_challenge; } /** @@ -378,7 +378,7 @@ class AuthorizeHandler { * (see https://www.rfc-editor.org/rfc/rfc7636#section-4.4) */ getCodeChallengeMethod (request) { - const algorithm = request.body.code_challenge_method; + const algorithm = request.body.code_challenge_method || request.query.code_challenge_method; if (algorithm && !pkce.isValidMethod(algorithm)) { throw new InvalidRequestError(`Invalid request: transform algorithm '${algorithm}' not supported`); From eb9f12348ef001cac0950f2ddaeb7f111d68d34b Mon Sep 17 00:00:00 2001 From: jankapunkt Date: Wed, 1 Nov 2023 08:54:20 +0100 Subject: [PATCH 32/47] build: publish release 5.0.0-rc.5 --- CHANGELOG.md | 10 +++++++++- package.json | 2 +- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b7faf9f8..79ef175d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,13 +2,21 @@ ## 5.0.0 +This release contains several breaking changes. +Please carefully consult the documentation while updating. + - removed `bluebird` and `promisify-any` - uses native Promises and `async/await` everywhere - drop support for Node 14 (EOL), setting Node 16 as `engine` in `package.json` - this is a breaking change, because **it removes callback support** for `OAuthServer` and your model implementation. - fixed missing await in calling generateAuthorizationCode in AuthorizeHandler -- validate scope as an array of strings +- fix scope validation bug +- revoke code before validating redirect URI +- improved Bearer token validation +- validate scope as an array of strings (breaking change) +- model support for retrieving user based on client +- more tests added; test coverage improved ## 4.2.0 ### Fixed diff --git a/package.json b/package.json index 8e8364e5..a4169b88 100644 --- a/package.json +++ b/package.json @@ -1,7 +1,7 @@ { "name": "@node-oauth/oauth2-server", "description": "Complete, framework-agnostic, compliant and well tested module for implementing an OAuth2 Server in node.js", - "version": "5.0.0-rc.4", + "version": "5.0.0-rc.5", "keywords": [ "oauth", "oauth2" From 7e2abeec689f8eadb6c28172704056649252ba2b Mon Sep 17 00:00:00 2001 From: jankapunkt Date: Mon, 6 Nov 2023 06:35:34 +0100 Subject: [PATCH 33/47] docs: add readthedocs v2 config file --- .readthedocs.yml | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 .readthedocs.yml diff --git a/.readthedocs.yml b/.readthedocs.yml new file mode 100644 index 00000000..d9ee7902 --- /dev/null +++ b/.readthedocs.yml @@ -0,0 +1,22 @@ +# .readthedocs.yaml +# Read the Docs configuration file +# See https://docs.readthedocs.io/en/stable/config-file/v2.html for details + +# Required +version: 2 + +# Set the version of Python and other tools you might need +build: + os: ubuntu-22.04 + tools: + python: "3.11" + +# Build documentation in the docs/ directory with Sphinx +sphinx: + configuration: docs/conf.py + +# We recommend specifying your dependencies to enable reproducible builds: +# https://docs.readthedocs.io/en/stable/guides/reproducible-builds.html +# python: +# install: +# - requirements: docs/requirements.txt \ No newline at end of file From f3e243894652f3d9cb7c7766ca5de02366c94b3e Mon Sep 17 00:00:00 2001 From: jankapunkt Date: Mon, 6 Nov 2023 06:56:47 +0100 Subject: [PATCH 34/47] docs: sphinx conf updated to v2 compatible --- docs/conf.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/conf.py b/docs/conf.py index d9aae790..a621e906 100644 --- a/docs/conf.py +++ b/docs/conf.py @@ -1,6 +1,6 @@ # -*- coding: utf-8 -*- # -# oauth2-server documentation build configuration file, created by +# @node-oauth/oauth2-server documentation build configuration file, created by # sphinx-quickstart on Thu Nov 17 16:47:05 2016. # # This file is execfile()d with the current directory set to its containing dir. @@ -272,5 +272,5 @@ highlight_language = 'js' def setup(app): - app.add_stylesheet('custom.css') + app.add_css_file('custom.css') From 6d27e3fb36bc00d6df13440c79654d9780c39e17 Mon Sep 17 00:00:00 2001 From: jankapunkt Date: Mon, 6 Nov 2023 08:25:55 +0100 Subject: [PATCH 35/47] docs: merged master docs into 5.0.0 --- docs/api/errors/access-denied-error.rst | 2 +- docs/api/errors/insufficient-scope-error.rst | 2 +- docs/api/errors/invalid-argument-error.rst | 2 +- docs/api/errors/invalid-client-error.rst | 2 +- docs/api/errors/invalid-grant-error.rst | 2 +- docs/api/errors/invalid-request-error.rst | 2 +- docs/api/errors/invalid-scope-error.rst | 2 +- docs/api/errors/invalid-token-error.rst | 2 +- docs/api/errors/oauth-error.rst | 2 +- docs/api/errors/server-error.rst | 2 +- docs/api/errors/unauthorized-client-error.rst | 2 +- .../api/errors/unauthorized-request-error.rst | 2 +- .../errors/unsupported-grant-type-error.rst | 2 +- .../unsupported-response-type-error.rst | 2 +- docs/api/oauth2-server.rst | 2 +- docs/api/request.rst | 4 +- docs/api/response.rst | 4 +- docs/index.rst | 17 ++- docs/misc/extension-grants.rst | 2 +- docs/misc/migrating-v2-to-v3.rst | 2 +- docs/misc/pkce.rst | 141 ++++++++++++++++++ docs/model/spec.rst | 16 +- docs/npm_conf.py | 6 +- 23 files changed, 186 insertions(+), 36 deletions(-) create mode 100644 docs/misc/pkce.rst diff --git a/docs/api/errors/access-denied-error.rst b/docs/api/errors/access-denied-error.rst index e561c5b0..11e61ec9 100644 --- a/docs/api/errors/access-denied-error.rst +++ b/docs/api/errors/access-denied-error.rst @@ -6,7 +6,7 @@ The resource owner or authorization server denied the request. See :rfc:`Section :: - const AccessDeniedError = require('oauth2-server/lib/errors/access-denied-error'); + const AccessDeniedError = require('@node-oauth/oauth2-server/lib/errors/access-denied-error'); -------- diff --git a/docs/api/errors/insufficient-scope-error.rst b/docs/api/errors/insufficient-scope-error.rst index be3539de..b19e2acb 100644 --- a/docs/api/errors/insufficient-scope-error.rst +++ b/docs/api/errors/insufficient-scope-error.rst @@ -6,7 +6,7 @@ The request requires higher privileges than provided by the access token. See :r :: - const InsufficientScopeError = require('oauth2-server/lib/errors/insufficient-scope-error'); + const InsufficientScopeError = require('@node-oauth/oauth2-server/lib/errors/insufficient-scope-error'); -------- diff --git a/docs/api/errors/invalid-argument-error.rst b/docs/api/errors/invalid-argument-error.rst index 650e1d9f..11b554eb 100644 --- a/docs/api/errors/invalid-argument-error.rst +++ b/docs/api/errors/invalid-argument-error.rst @@ -6,7 +6,7 @@ An invalid argument was encountered. :: - const InvalidArgumentError = require('oauth2-server/lib/errors/invalid-argument-error'); + const InvalidArgumentError = require('@node-oauth/oauth2-server/lib/errors/invalid-argument-error'); .. note:: This error indicates that the module is used incorrectly (i.e., there is a programming error) and should never be seen because of external errors (like invalid data sent by a client). diff --git a/docs/api/errors/invalid-client-error.rst b/docs/api/errors/invalid-client-error.rst index d25a4934..5ddd0a40 100644 --- a/docs/api/errors/invalid-client-error.rst +++ b/docs/api/errors/invalid-client-error.rst @@ -6,7 +6,7 @@ Client authentication failed (e.g., unknown client, no client authentication inc :: - const InvalidClientError = require('oauth2-server/lib/errors/invalid-client-error'); + const InvalidClientError = require('@node-oauth/oauth2-server/lib/errors/invalid-client-error'); -------- diff --git a/docs/api/errors/invalid-grant-error.rst b/docs/api/errors/invalid-grant-error.rst index 8f2a9ba2..79317149 100644 --- a/docs/api/errors/invalid-grant-error.rst +++ b/docs/api/errors/invalid-grant-error.rst @@ -6,7 +6,7 @@ The provided authorization grant (e.g., authorization code, resource owner crede :: - const InvalidGrantError = require('oauth2-server/lib/errors/invalid-grant-error'); + const InvalidGrantError = require('@node-oauth/oauth2-server/lib/errors/invalid-grant-error'); -------- diff --git a/docs/api/errors/invalid-request-error.rst b/docs/api/errors/invalid-request-error.rst index 119ab40e..bbb38c44 100644 --- a/docs/api/errors/invalid-request-error.rst +++ b/docs/api/errors/invalid-request-error.rst @@ -6,7 +6,7 @@ The request is missing a required parameter, includes an invalid parameter value :: - const InvalidRequestError = require('oauth2-server/lib/errors/invalid-request-error'); + const InvalidRequestError = require('@node-oauth/oauth2-server/lib/errors/invalid-request-error'); -------- diff --git a/docs/api/errors/invalid-scope-error.rst b/docs/api/errors/invalid-scope-error.rst index 801930f9..01c70d26 100644 --- a/docs/api/errors/invalid-scope-error.rst +++ b/docs/api/errors/invalid-scope-error.rst @@ -6,7 +6,7 @@ The requested scope is invalid, unknown, or malformed. See :rfc:`Section 4.1.2.1 :: - const InvalidScopeError = require('oauth2-server/lib/errors/invalid-scope-error'); + const InvalidScopeError = require('@node-oauth/oauth2-server/lib/errors/invalid-scope-error'); -------- diff --git a/docs/api/errors/invalid-token-error.rst b/docs/api/errors/invalid-token-error.rst index 21ffad8f..fc0da035 100644 --- a/docs/api/errors/invalid-token-error.rst +++ b/docs/api/errors/invalid-token-error.rst @@ -6,7 +6,7 @@ The access token provided is expired, revoked, malformed, or invalid for other r :: - const InvalidTokenError = require('oauth2-server/lib/errors/invalid-token-error'); + const InvalidTokenError = require('@node-oauth/oauth2-server/lib/errors/invalid-token-error'); -------- diff --git a/docs/api/errors/oauth-error.rst b/docs/api/errors/oauth-error.rst index c7f1d861..83be4659 100644 --- a/docs/api/errors/oauth-error.rst +++ b/docs/api/errors/oauth-error.rst @@ -6,7 +6,7 @@ Base class for all errors returned by this module. :: - const OAuthError = require('oauth2-server/lib/errors/oauth-error'); + const OAuthError = require('@node-oauth/oauth2-server/lib/errors/oauth-error'); -------- diff --git a/docs/api/errors/server-error.rst b/docs/api/errors/server-error.rst index 13f436ed..7a2dcf90 100644 --- a/docs/api/errors/server-error.rst +++ b/docs/api/errors/server-error.rst @@ -6,7 +6,7 @@ The authorization server encountered an unexpected condition that prevented it f :: - const ServerError = require('oauth2-server/lib/errors/server-error'); + const ServerError = require('@node-oauth/oauth2-server/lib/errors/server-error'); ``ServerError`` is used to wrap unknown exceptions encountered during request processing. diff --git a/docs/api/errors/unauthorized-client-error.rst b/docs/api/errors/unauthorized-client-error.rst index d04cb080..9d104cac 100644 --- a/docs/api/errors/unauthorized-client-error.rst +++ b/docs/api/errors/unauthorized-client-error.rst @@ -6,7 +6,7 @@ The authenticated client is not authorized to use this authorization grant type. :: - const UnauthorizedClientError = require('oauth2-server/lib/errors/unauthorized-client-error'); + const UnauthorizedClientError = require('@node-oauth/oauth2-server/lib/errors/unauthorized-client-error'); -------- diff --git a/docs/api/errors/unauthorized-request-error.rst b/docs/api/errors/unauthorized-request-error.rst index 495f5f8c..9ed24675 100644 --- a/docs/api/errors/unauthorized-request-error.rst +++ b/docs/api/errors/unauthorized-request-error.rst @@ -6,7 +6,7 @@ The request lacked any authentication information or the client attempted to use :: - const UnauthorizedRequestError = require('oauth2-server/lib/errors/unauthorized-request-error'); + const UnauthorizedRequestError = require('@node-oauth/oauth2-server/lib/errors/unauthorized-request-error'); According to :rfc:`Section 3.1 of RFC 6750 <6750#section-3.1>` you should just fail the request with ``401 Unauthorized`` and not send any error information in the body if this error occurs: diff --git a/docs/api/errors/unsupported-grant-type-error.rst b/docs/api/errors/unsupported-grant-type-error.rst index d2fe49f7..1e812ed7 100644 --- a/docs/api/errors/unsupported-grant-type-error.rst +++ b/docs/api/errors/unsupported-grant-type-error.rst @@ -6,7 +6,7 @@ The authorization grant type is not supported by the authorization server. See : :: - const UnsupportedGrantTypeError = require('oauth2-server/lib/errors/unsupported-grant-type-error'); + const UnsupportedGrantTypeError = require('@node-oauth/oauth2-server/lib/errors/unsupported-grant-type-error'); -------- diff --git a/docs/api/errors/unsupported-response-type-error.rst b/docs/api/errors/unsupported-response-type-error.rst index 28974eba..c9ee0fd3 100644 --- a/docs/api/errors/unsupported-response-type-error.rst +++ b/docs/api/errors/unsupported-response-type-error.rst @@ -6,7 +6,7 @@ The authorization server does not supported obtaining an authorization code usin :: - const UnsupportedResponseTypeError = require('oauth2-server/lib/errors/unsupported-response-type-error'); + const UnsupportedResponseTypeError = require('@node-oauth/oauth2-server/lib/errors/unsupported-response-type-error'); -------- diff --git a/docs/api/oauth2-server.rst b/docs/api/oauth2-server.rst index bdcf4ae6..2cb6cda4 100644 --- a/docs/api/oauth2-server.rst +++ b/docs/api/oauth2-server.rst @@ -6,7 +6,7 @@ Represents an OAuth2 server instance. :: - const OAuth2Server = require('oauth2-server'); + const OAuth2Server = require('@node-oauth/oauth2-server'); -------- diff --git a/docs/api/request.rst b/docs/api/request.rst index b8f8963a..7d5f4cad 100644 --- a/docs/api/request.rst +++ b/docs/api/request.rst @@ -6,7 +6,7 @@ Represents an incoming HTTP request. :: - const Request = require('oauth2-server').Request; + const Request = require('@node-oauth/oauth2-server').Request; -------- @@ -50,7 +50,7 @@ To convert `Express' request`_ to a ``Request`` simply pass ``req`` as ``options :: function(req, res, next) { - var request = new Request(req); + let request = new Request(req); // ... } diff --git a/docs/api/response.rst b/docs/api/response.rst index 48cc36dc..2c5d3326 100644 --- a/docs/api/response.rst +++ b/docs/api/response.rst @@ -6,7 +6,7 @@ Represents an outgoing HTTP response. :: - const Response = require('oauth2-server').Response; + const Response = require('@node-oauth/oauth2-server').Response; -------- @@ -46,7 +46,7 @@ To convert `Express' response`_ to a ``Response`` simply pass ``res`` as ``optio :: function(req, res, next) { - var response = new Response(res); + let response = new Response(res); // ... } diff --git a/docs/index.rst b/docs/index.rst index 4a7c3415..f88c4b47 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -1,13 +1,13 @@ -=============== - oauth2-server -=============== +========================== + @node-oauth/oauth2-server +========================== -oauth2-server_ is a complete, compliant and well tested module for implementing an OAuth2 server in Node.js_. The project is `hosted on GitHub`_ and the included test suite is automatically `run on Travis CI`_. +oauth2-server_ is a complete, compliant and well tested module for implementing an OAuth2 server in Node.js_. The project is `hosted on GitHub`_ and the included test suite is automatically `run on GitHub CI`_. -.. _oauth2-server: https://npmjs.org/package/oauth2-server +.. _oauth2-server: https://www.npmjs.com/package/@node-oauth/oauth2-server .. _Node.js: https://nodejs.org -.. _hosted on GitHub: https://github.com/oauthjs/node-oauth2-server -.. _run on Travis CI: https://travis-ci.org/oauthjs/node-oauth2-server +.. _hosted on GitHub: https://github.com/node-oauth/node-oauth2-server +.. _run on GitHub CI: https://github.com/node-oauth/node-oauth2-server/actions :ref:`installation` @@ -17,7 +17,7 @@ Example Usage :: - const OAuth2Server = require('oauth2-server'); + const OAuth2Server = require('@node-oauth/oauth2-server'); const Request = OAuth2Server.Request; const Response = OAuth2Server.Response; @@ -84,5 +84,6 @@ See the :doc:`/model/spec` of what is required from the model passed to :doc:`/a :hidden: misc/extension-grants + misc/pkce misc/migrating-v2-to-v3 diff --git a/docs/misc/extension-grants.rst b/docs/misc/extension-grants.rst index 1fbe55a2..4ce22bfd 100644 --- a/docs/misc/extension-grants.rst +++ b/docs/misc/extension-grants.rst @@ -6,7 +6,7 @@ Create a subclass of ``AbstractGrantType`` and create methods `handle` and `save .. code-block:: js - const OAuth2Server = require('oauth2-server'); + const OAuth2Server = require('@node-oauth/oauth2-server'); const AbstractGrantType = OAuth2Server.AbstractGrantType; const InvalidArgumentError = OAuth2Server.InvalidArgumentError; const InvalidRequestError = OAuth2Server.InvalidRequestError; diff --git a/docs/misc/migrating-v2-to-v3.rst b/docs/misc/migrating-v2-to-v3.rst index 9d03c8f2..8d1290c0 100644 --- a/docs/misc/migrating-v2-to-v3.rst +++ b/docs/misc/migrating-v2-to-v3.rst @@ -11,7 +11,7 @@ Middlewares The naming of the exposed middlewares has changed to match the OAuth2 _RFC_ more closely. Please refer to the table below: +-------------------+------------------------------------------------+ -| oauth2-server 2.x | oauth2-server 3.x | +| oauth2-server 2.x | @node-oauth/oauth2-server 3.x | +===================+================================================+ | authorise | authenticate | +-------------------+------------------------------------------------+ diff --git a/docs/misc/pkce.rst b/docs/misc/pkce.rst new file mode 100644 index 00000000..cb52f1e7 --- /dev/null +++ b/docs/misc/pkce.rst @@ -0,0 +1,141 @@ +================ + PKCE Support +================ + +Starting with release 4.3.0_ this library supports PKCE (Proof Key for Code Exchange by OAuth Public Clients) as +defined in :rfc:`7636`. + +.. _4.3.0: https://github.com/node-oauth/node-oauth2-server/releases/tag/v4.3.0 + +The PKCE integrates only with the :ref:`authorization code `. The abstract workflow looks like +the following: + +:: + + +-------------------+ + | Authz Server | + +--------+ | +---------------+ | + | |--(A)- Authorization Request ---->| | | + | | + t(code_verifier), t_m | | Authorization | | + | | | | Endpoint | | + | |<-(B)---- Authorization Code -----| | | + | | | +---------------+ | + | Client | | | + | | | +---------------+ | + | |--(C)-- Access Token Request ---->| | | + | | + code_verifier | | Token | | + | | | | Endpoint | | + | |<-(D)------ Access Token ---------| | | + +--------+ | +---------------+ | + +-------------------+ + + Figure 2: Abstract Protocol Flow + +See :rfc:`Section 1 of RFC 7636 <7636#section-1.1>`. + +1. Authorization request +======================== + +.. _PKCE#authorizationRequest: + + A. The client creates and records a secret named the "code_verifier" and derives a transformed version "t(code_verifier)" (referred to as the "code_challenge"), which is sent in the OAuth 2.0 Authorization Request along with the transformation method "t_m". + +The following shows an example of how a client could generate a `code_challenge`` and +``code_challenge_method`` for the authorizazion request. + +:: + + const base64URLEncode = str => str.toString('base64') + .replace(/\+/g, '-') + .replace(/\//g, '_') + .replace(/=/g, '') + + // This is the code_verifier, which is INITIALLY KEPT SECRET on the client + // and which is later passed as request param to the token endpoint. + // DO NOT SEND this with the authorization request! + const codeVerifier = base64URLEncode(crypto.randomBytes(32)) + + // This is the hashed version of the verifier, which is sent to the authorization endpoint. + // This is named t(code_verifier) in the above workflow + // Send this with the authorization request! + const codeChallenge = base64URLEncode(crypto.createHash('sha256').update(codeVerifier).digest()) + + // This is the name of the code challenge method + // This is named t_m in the above workflow + // Send this with the authorization request! + const codeChallengeMethod = 'S256' + + // add these to the request that is fired from the client + +In this project the authorize endpoint calls OAuth2Server.prototype.authorize which itself uses AuthorizeHandler. +If your Request body contains code_challenge and code_challenge_method then PKCE is active. + +:: + + const server = new OAuth2Server({ model }) + + // this could be added to express or other middleware + const authorizeEndpoint = function (req, res, next) { + const request = new Request(req) + req.query.code_challenge // the codeChallenge value + req.query.code_challenge_method // 'S256' + + server.authorize(request, response, options) + .then(function (code) { + // add code to response, code should not contain + // code_challenge or code_challenge_method + }) + .catch(function (err) { + // handle error condition + }) + } + +2. Authorization response +========================= + +.. _PKCE#authorizationResponse: + + B. The Authorization Endpoint responds as usual but records "t(code_verifier)" and the transformation method. + +The ``AuthorizeHandler.handle`` saves code challenge and code challenge method automatically via ``model.saveAuthorizationCode``. +Note that this calls your model with additional properties ``code.codeChallenge`` and ``code.codeChallengeMethod``. + + +3. Access Token Request +======================= + +.. _PKCE#accessTokenRequest: + + C. The client then sends the authorization code in the Access Token Request as usual but includes the "code_verifier" secret generated at (A). + +This is usually done in your token endpoint, that uses ``OAuth2Server.token``. + +:: + + const server = new OAuth2Server({ model }) + + // ...authorizeEndpoint + + // this could be added to express or other middleware + const tokenEndpoint = function (req, res, next) { + const request = new Request(req) + request.body.code_verifier // the non-hashed code verifier + server.token(request, response, options) + .then(function (code) { + // add code to response, code should contain + }) + .catch(function (err) { + // handle error condition + }) + } + +Note that your client should have kept ``code_verifier`` a secret until this step and now includes it as param for the token endpoint call. + + + D. The authorization server transforms "code_verifier" and compares it to "t(code_verifier)" from (B). Access is denied if they are not equal. + +This will call ``model.getAuthorizationCode`` to load the code. +The loaded code has to contain ``codeChallenge`` and ``codeChallengeMethod``. +If ``model.saveAuthorizationCode`` did not cover these values when saving the code then this step will deny the request. + +See :ref:`Model#saveAuthorizationCode` and :ref:`Model#getAuthorizationCode` diff --git a/docs/model/spec.rst b/docs/model/spec.rst index 665f4eee..f18923f8 100644 --- a/docs/model/spec.rst +++ b/docs/model/spec.rst @@ -2,7 +2,9 @@ Model Specification ===================== -Each model function supports *promises*, *ES6 generators* and *async*/*await* (using Babel_). Note that promise support implies support for returning plain values where asynchronism is not required. +**Version >=5.x:** Callback support has been removed! Each model function supports either sync or async (``Promise`` or ``async function``) return values. + +**Version <=4.x:** Each model function supports *promises*, *Node-style callbacks*, *ES6 generators* and *async*/*await* (using Babel_). Note that promise support implies support for returning plain values where asynchronism is not required. .. _Babel: https://babeljs.io @@ -14,6 +16,11 @@ Each model function supports *promises*, *ES6 generators* and *async*/*await* (u return new Promise('works!'); }, + // Or sync-style values + getAuthorizationCode: function() { + return 'works!' + }, + // Or, using generators. getClient: function*() { yield somethingAsync(); @@ -27,7 +34,7 @@ Each model function supports *promises*, *ES6 generators* and *async*/*await* (u } }; - const OAuth2Server = require('oauth2-server'); + const OAuth2Server = require('@node-oauth/oauth2-server'); let oauth = new OAuth2Server({model: model}); Code examples on this page use *promises*. @@ -357,7 +364,7 @@ An ``Object`` representing the authorization code and associated data. }) .spread(function(code, client, user) { return { - code: code.authorization_code, + authorizationCode: code.authorization_code, expiresAt: code.expires_at, redirectUri: code.redirect_uri, scope: code.scope, @@ -898,7 +905,8 @@ To accept partially valid scopes: Invoked during request authentication to check if the provided access token was authorized the requested scopes. -This model function is **required** if scopes are used with :ref:`OAuth2Server#authenticate() `. +This model function is **required** if scopes are used with :ref:`OAuth2Server#authenticate() ` +but it's never called, if you provide your own ``authenticateHandler`` to the options. **Invoked during:** diff --git a/docs/npm_conf.py b/docs/npm_conf.py index f86915f5..41b03819 100644 --- a/docs/npm_conf.py +++ b/docs/npm_conf.py @@ -40,10 +40,10 @@ def get_config(): 'name': package['name'], 'version': package['version'], 'short_version': get_short_version(package['version']), - 'organization': 'oauthjs', + 'organization': '@node-oauth', 'copyright_year': get_copyright_year(2016), # TODO: Get authors from package. - 'docs_author': 'Max Truxa', - 'docs_author_email': 'dev@maxtruxa.com' + 'docs_author': 'Node-OAuth Authors', + 'docs_author_email': '' } From 1da98373380d196769e50e0bdd88f4d58082989f Mon Sep 17 00:00:00 2001 From: jankapunkt Date: Mon, 6 Nov 2023 08:51:04 +0100 Subject: [PATCH 36/47] docs: add migrating to v5 topic --- docs/index.rst | 1 + docs/misc/migrating-to-v5.rst | 44 +++++++++++++++++++++++++++++++++++ 2 files changed, 45 insertions(+) create mode 100644 docs/misc/migrating-to-v5.rst diff --git a/docs/index.rst b/docs/index.rst index f88c4b47..9f83b10a 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -85,5 +85,6 @@ See the :doc:`/model/spec` of what is required from the model passed to :doc:`/a misc/extension-grants misc/pkce + misc/migrating-v5 misc/migrating-v2-to-v3 diff --git a/docs/misc/migrating-to-v5.rst b/docs/misc/migrating-to-v5.rst new file mode 100644 index 00000000..279c343b --- /dev/null +++ b/docs/misc/migrating-to-v5.rst @@ -0,0 +1,44 @@ +=========================== + Migrating to 5.x +=========================== + +This guide covers the most breaking changes, in case you updated from an earlier version. + +------------------- +Requires Node >= 16 +------------------- + +Due to Node 14 reaching end of life (EOL; which implies no security updates) this version requires at least Node 16. +Future versions of the 5.x major releases will update to a newer Node LTS, once the current one reaches EOL. + +Note, that we also won't regard any security patches to problems that are a direct consequence of +using a Node version that reached EOL. + +------------------------ +Removed callback support +------------------------ + +With beginning of release 5.0.0 this module dropped all callback support and uses `async/await` +for all asynchronous operations. + +This implies you either need to have a more recent Node.js environment that natively supports `async/await` +or your project uses tools to support at least Promises. + +----------------- +Update your model +----------------- + +The model functions is now expected to return a Promise (or being declared as `async function`), +since callback support is dropped. + +Note: Synchronous model functions are still supported. However, we recommend to use Promise or async, +if database operations (or other heavy operations) are part of a specific model function implementation. + +------------------ +Scope is now Array +------------------ + +In earlier versions we allowed `scope` to be strings with words, separated by empty space. +With beginning of 5.0.0 the scope parameter needs to be an Array of strings. + +This implies to requests, responses and model implementations where scope is included. From ff8cdadb592304bca616a8e8a2ef6c259bf2c276 Mon Sep 17 00:00:00 2001 From: jankapunkt Date: Mon, 6 Nov 2023 09:23:38 +0100 Subject: [PATCH 37/47] docs: add missing adapters and getting started guide --- docs/docs/adapters.rst | 8 ++++---- docs/docs/getting-started.rst | 17 ++++++++--------- 2 files changed, 12 insertions(+), 13 deletions(-) diff --git a/docs/docs/adapters.rst b/docs/docs/adapters.rst index c302d34e..139995ee 100644 --- a/docs/docs/adapters.rst +++ b/docs/docs/adapters.rst @@ -2,14 +2,14 @@ Adapters ========== -The *oauth2-server* module is typically not used directly but through one of the available adapters, converting the interface to a suitable one for the HTTP server framework in use. +The *@node-oauth/oauth2-server* module is typically not used directly but through one of the available adapters, converting the interface to a suitable one for the HTTP server framework in use. -.. framework-agnostic but there are several officially supported adapters available for popular HTTP server frameworks such as Express_ and Koa_. +.. framework-agnostic but there are several officially supported adapters available for popular HTTP server frameworks such as Express_ and Koa_ (not maintained by us). - express-oauth-server_ for Express_ - koa-oauth-server_ for Koa_ -.. _express-oauth-server: https://npmjs.org/package/express-oauth-server +.. _express-oauth-server: https://www.npmjs.com/package/@node-oauth/express-oauth-server .. _Express: https://npmjs.org/package/express .. _koa-oauth-server: https://npmjs.org/package/koa-oauth-server .. _Koa: https://npmjs.org/package/koa @@ -32,5 +32,5 @@ Adapters typically do the following: - Copy all fields from the :doc:`Response ` back to the framework-specific request object and send it. -Adapters should preserve functionality provided by *oauth2-server* but are free to add additional features that make sense for the respective HTTP server framework. +Adapters should preserve functionality provided by *@node-oauth/oauth2-server* but are free to add additional features that make sense for the respective HTTP server framework. diff --git a/docs/docs/getting-started.rst b/docs/docs/getting-started.rst index 85bfd6e1..9d86c15b 100644 --- a/docs/docs/getting-started.rst +++ b/docs/docs/getting-started.rst @@ -9,16 +9,16 @@ Installation oauth2-server_ is available via npm_. -.. _oauth2-server: https://npmjs.org/package/oauth2-server +.. _oauth2-server: https://www.npmjs.com/package/@node-oauth/oauth2-server .. _npm: https://npmjs.org .. code-block:: sh - $ npm install oauth2-server + $ npm install @node-oauth/oauth2-server -.. note:: The *oauth2-server* module is framework-agnostic but there are several officially supported adapters available for popular HTTP server frameworks such as Express_ and Koa_. If you're using one of those frameworks it is strongly recommended to use the respective adapter module instead of rolling your own. +.. note:: The *@node-oauth/oauth2-server* module is framework-agnostic but there are several officially supported adapters available for popular HTTP server frameworks such as Express_ and Koa_. If you're using one of those frameworks it is strongly recommended to use the respective adapter module instead of rolling your own. -.. _Express: https://npmjs.org/package/express-oauth-server +.. _Express: https://www.npmjs.com/package/@node-oauth/express-oauth-server .. _Koa: https://npmjs.org/package/koa-oauth-server @@ -28,13 +28,12 @@ Features ======== - Supports :ref:`authorization code `, :ref:`client credentials `, :ref:`refresh token ` and :ref:`password ` grant, as well as :ref:`extension grants `, with scopes. -- Can be used with *promises*, *ES6 generators* and *async*/*await* (using Babel_). +- Can be used with *promises*, *ES6 generators* and *async*/*await*. - Fully :rfc:`6749` and :rfc:`6750` compliant. - Implicitly supports any form of storage, e.g. *PostgreSQL*, *MySQL*, *MongoDB*, *Redis*, etc. - Complete `test suite`_. -.. _Babel: https://babeljs.io -.. _test suite: https://github.com/oauthjs/node-oauth2-server/tree/master/test +.. _test suite: https://github.com/node-oauth/node-oauth2-server/tree/master/test .. _quick-start: @@ -46,7 +45,7 @@ Quick Start :: - const OAuth2Server = require('oauth2-server'); + const OAuth2Server = require('@node-oauth/oauth2-server'); const oauth = new OAuth2Server({ model: require('./model') @@ -78,7 +77,7 @@ Quick Start :: - const AccessDeniedError = require('oauth2-server/lib/errors/access-denied-error'); + const AccessDeniedError = require('@node-oauth/oauth2-server/lib/errors/access-denied-error'); oauth.authorize(request, response) .then((code) => { From f06f2fdf8582a32ff6a87995c27861595394c779 Mon Sep 17 00:00:00 2001 From: jankapunkt Date: Mon, 6 Nov 2023 12:50:40 +0100 Subject: [PATCH 38/47] docs: update sphinx conf and index toc --- docs/conf.py | 8 ++++++-- docs/index.rst | 8 ++------ 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/docs/conf.py b/docs/conf.py index a621e906..bf40262a 100644 --- a/docs/conf.py +++ b/docs/conf.py @@ -94,7 +94,7 @@ # The theme to use for HTML and HTML Help pages. See the documentation for # a list of builtin themes. -html_theme = 'default' +html_theme = 'sphinx_rtd_theme' # Theme options are theme-specific and customize the look and feel of a theme # further. For a list of options available for each theme, see the @@ -246,7 +246,11 @@ # Example configuration for intersphinx: refer to the Python standard library. -intersphinx_mapping = {'http://docs.python.org/': None} +intersphinx_mapping = { + "rtd": ("https://docs.readthedocs.io/en/stable/", None), + "python": ("https://docs.python.org/3/", None), + "sphinx": ("https://www.sphinx-doc.org/en/master/", None), +} todo_include_todos = True diff --git a/docs/index.rst b/docs/index.rst index 9f83b10a..31956216 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -45,16 +45,15 @@ Example Usage See the :doc:`/model/spec` of what is required from the model passed to :doc:`/api/oauth2-server`. +Contents +-------- .. toctree:: - :hidden: - Home .. toctree:: :maxdepth: 2 :caption: User Documentation - :hidden: docs/getting-started docs/adapters @@ -63,7 +62,6 @@ See the :doc:`/model/spec` of what is required from the model passed to :doc:`/a :maxdepth: 2 :caption: API :includehidden: - :hidden: api/oauth2-server api/request @@ -73,7 +71,6 @@ See the :doc:`/model/spec` of what is required from the model passed to :doc:`/a .. toctree:: :maxdepth: 3 :caption: Model - :hidden: model/overview model/spec @@ -81,7 +78,6 @@ See the :doc:`/model/spec` of what is required from the model passed to :doc:`/a .. toctree:: :maxdepth: 2 :caption: Miscellaneous - :hidden: misc/extension-grants misc/pkce From 7f18e08a196b1f46071f7a2498a1e68291261da6 Mon Sep 17 00:00:00 2001 From: jankapunkt Date: Mon, 6 Nov 2023 12:55:26 +0100 Subject: [PATCH 39/47] docs: use requirements files to install themes and plugins --- docs/conf.py | 10 +++++++- docs/requirements.in | 2 ++ docs/requirements.txt | 58 +++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 69 insertions(+), 1 deletion(-) create mode 100644 docs/requirements.in create mode 100644 docs/requirements.txt diff --git a/docs/conf.py b/docs/conf.py index bf40262a..0f210e33 100644 --- a/docs/conf.py +++ b/docs/conf.py @@ -28,7 +28,15 @@ # Add any Sphinx extension module names here, as strings. They can be extensions # coming with Sphinx (named 'sphinx.ext.*') or your custom ones. -extensions = ['sphinx.ext.intersphinx', 'sphinx.ext.ifconfig', 'sphinx.ext.todo'] +extensions = [ + "sphinx.ext.duration", + "sphinx.ext.doctest", + "sphinx.ext.autodoc", + "sphinx.ext.ifconfig", + "sphinx.ext.autosummary", + "sphinx.ext.todo", + "sphinx.ext.intersphinx", +] # Add any paths that contain templates here, relative to this directory. templates_path = ['_templates'] diff --git a/docs/requirements.in b/docs/requirements.in new file mode 100644 index 00000000..8b29f019 --- /dev/null +++ b/docs/requirements.in @@ -0,0 +1,2 @@ +Sphinx>=5,<6 +sphinx_rtd_theme \ No newline at end of file diff --git a/docs/requirements.txt b/docs/requirements.txt new file mode 100644 index 00000000..35ca70fb --- /dev/null +++ b/docs/requirements.txt @@ -0,0 +1,58 @@ +# +# This file is autogenerated by pip-compile with python 3.10 +# To update, run: +# +# pip-compile docs/requirements.in +# +alabaster==0.7.12 + # via sphinx +babel==2.10.3 + # via sphinx +certifi==2022.6.15 + # via requests +charset-normalizer==2.1.0 + # via requests +docutils==0.17.1 + # via + # sphinx + # sphinx-rtd-theme +idna==3.3 + # via requests +imagesize==1.4.1 + # via sphinx +jinja2==3.1.2 + # via sphinx +markupsafe==2.1.1 + # via jinja2 +packaging==21.3 + # via sphinx +pygments==2.12.0 + # via sphinx +pyparsing==3.0.9 + # via packaging +pytz==2022.1 + # via babel +requests==2.28.1 + # via sphinx +snowballstemmer==2.2.0 + # via sphinx +sphinx==5.0.2 + # via + # -r docs/requirements.in + # sphinx-rtd-theme +sphinx-rtd-theme==1.0.0 + # via -r docs/requirements.in +sphinxcontrib-applehelp==1.0.2 + # via sphinx +sphinxcontrib-devhelp==1.0.2 + # via sphinx +sphinxcontrib-htmlhelp==2.0.0 + # via sphinx +sphinxcontrib-jsmath==1.0.1 + # via sphinx +sphinxcontrib-qthelp==1.0.3 + # via sphinx +sphinxcontrib-serializinghtml==1.1.5 + # via sphinx +urllib3==1.26.9 + # via requests \ No newline at end of file From da9ce1a53837d4b57b68abe610c500e8cce4d893 Mon Sep 17 00:00:00 2001 From: jankapunkt Date: Mon, 6 Nov 2023 12:57:00 +0100 Subject: [PATCH 40/47] docs: update rtd config --- .readthedocs.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/.readthedocs.yml b/.readthedocs.yml index d9ee7902..bf2b013d 100644 --- a/.readthedocs.yml +++ b/.readthedocs.yml @@ -17,6 +17,8 @@ sphinx: # We recommend specifying your dependencies to enable reproducible builds: # https://docs.readthedocs.io/en/stable/guides/reproducible-builds.html -# python: -# install: -# - requirements: docs/requirements.txt \ No newline at end of file +python: + install: + - requirements: docs/requirements.txt + - method: pip + path: . \ No newline at end of file From 3991a8c777b79faa1eaabbd525ffc46a8bffb5cb Mon Sep 17 00:00:00 2001 From: jankapunkt Date: Mon, 6 Nov 2023 12:58:42 +0100 Subject: [PATCH 41/47] docs: remove requirements --- docs/conf.py | 18 +++----------- docs/requirements.in | 2 -- docs/requirements.txt | 58 ------------------------------------------- 3 files changed, 3 insertions(+), 75 deletions(-) delete mode 100644 docs/requirements.in delete mode 100644 docs/requirements.txt diff --git a/docs/conf.py b/docs/conf.py index 0f210e33..a621e906 100644 --- a/docs/conf.py +++ b/docs/conf.py @@ -28,15 +28,7 @@ # Add any Sphinx extension module names here, as strings. They can be extensions # coming with Sphinx (named 'sphinx.ext.*') or your custom ones. -extensions = [ - "sphinx.ext.duration", - "sphinx.ext.doctest", - "sphinx.ext.autodoc", - "sphinx.ext.ifconfig", - "sphinx.ext.autosummary", - "sphinx.ext.todo", - "sphinx.ext.intersphinx", -] +extensions = ['sphinx.ext.intersphinx', 'sphinx.ext.ifconfig', 'sphinx.ext.todo'] # Add any paths that contain templates here, relative to this directory. templates_path = ['_templates'] @@ -102,7 +94,7 @@ # The theme to use for HTML and HTML Help pages. See the documentation for # a list of builtin themes. -html_theme = 'sphinx_rtd_theme' +html_theme = 'default' # Theme options are theme-specific and customize the look and feel of a theme # further. For a list of options available for each theme, see the @@ -254,11 +246,7 @@ # Example configuration for intersphinx: refer to the Python standard library. -intersphinx_mapping = { - "rtd": ("https://docs.readthedocs.io/en/stable/", None), - "python": ("https://docs.python.org/3/", None), - "sphinx": ("https://www.sphinx-doc.org/en/master/", None), -} +intersphinx_mapping = {'http://docs.python.org/': None} todo_include_todos = True diff --git a/docs/requirements.in b/docs/requirements.in deleted file mode 100644 index 8b29f019..00000000 --- a/docs/requirements.in +++ /dev/null @@ -1,2 +0,0 @@ -Sphinx>=5,<6 -sphinx_rtd_theme \ No newline at end of file diff --git a/docs/requirements.txt b/docs/requirements.txt deleted file mode 100644 index 35ca70fb..00000000 --- a/docs/requirements.txt +++ /dev/null @@ -1,58 +0,0 @@ -# -# This file is autogenerated by pip-compile with python 3.10 -# To update, run: -# -# pip-compile docs/requirements.in -# -alabaster==0.7.12 - # via sphinx -babel==2.10.3 - # via sphinx -certifi==2022.6.15 - # via requests -charset-normalizer==2.1.0 - # via requests -docutils==0.17.1 - # via - # sphinx - # sphinx-rtd-theme -idna==3.3 - # via requests -imagesize==1.4.1 - # via sphinx -jinja2==3.1.2 - # via sphinx -markupsafe==2.1.1 - # via jinja2 -packaging==21.3 - # via sphinx -pygments==2.12.0 - # via sphinx -pyparsing==3.0.9 - # via packaging -pytz==2022.1 - # via babel -requests==2.28.1 - # via sphinx -snowballstemmer==2.2.0 - # via sphinx -sphinx==5.0.2 - # via - # -r docs/requirements.in - # sphinx-rtd-theme -sphinx-rtd-theme==1.0.0 - # via -r docs/requirements.in -sphinxcontrib-applehelp==1.0.2 - # via sphinx -sphinxcontrib-devhelp==1.0.2 - # via sphinx -sphinxcontrib-htmlhelp==2.0.0 - # via sphinx -sphinxcontrib-jsmath==1.0.1 - # via sphinx -sphinxcontrib-qthelp==1.0.3 - # via sphinx -sphinxcontrib-serializinghtml==1.1.5 - # via sphinx -urllib3==1.26.9 - # via requests \ No newline at end of file From 72f3675323228965b1d411b3eda8dbfadd4aa03a Mon Sep 17 00:00:00 2001 From: jankapunkt Date: Mon, 6 Nov 2023 13:01:05 +0100 Subject: [PATCH 42/47] docs: remove build using requirements files --- .readthedocs.yml | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/.readthedocs.yml b/.readthedocs.yml index bf2b013d..d9ee7902 100644 --- a/.readthedocs.yml +++ b/.readthedocs.yml @@ -17,8 +17,6 @@ sphinx: # We recommend specifying your dependencies to enable reproducible builds: # https://docs.readthedocs.io/en/stable/guides/reproducible-builds.html -python: - install: - - requirements: docs/requirements.txt - - method: pip - path: . \ No newline at end of file +# python: +# install: +# - requirements: docs/requirements.txt \ No newline at end of file From fb59e308a4b389ca00aa1d8aff1bbc5228471b0a Mon Sep 17 00:00:00 2001 From: jankapunkt Date: Mon, 6 Nov 2023 13:15:13 +0100 Subject: [PATCH 43/47] docs: add multiple documentation links --- README.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index c0b665af..5f01c4af 100644 --- a/README.md +++ b/README.md @@ -35,7 +35,11 @@ If you're using one of those frameworks it is strongly recommended to use the re ## Documentation -[Documentation](https://node-oauthoauth2-server.readthedocs.io/en/latest/) is hosted on Read the Docs. +Documentation is hosted on Read the Docs. We have multiple versions of the docs available: + +- [stable](https://node-oauthoauth2-server.readthedocs.io/en/master/) (master branch) +- [development](https://node-oauthoauth2-server.readthedocs.io/en/development/) (development branch) + Please leave an issue if something is confusing or missing in the docs. ## Examples From 937d9a711da0c0f17b82fb430f7dcf895be7f735 Mon Sep 17 00:00:00 2001 From: jankapunkt Date: Mon, 6 Nov 2023 13:17:46 +0100 Subject: [PATCH 44/47] docs: fix table of contents --- docs/index.rst | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/index.rst b/docs/index.rst index 31956216..7c1ea417 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -52,14 +52,14 @@ Contents Home .. toctree:: - :maxdepth: 2 + :maxdepth: 1 :caption: User Documentation docs/getting-started docs/adapters .. toctree:: - :maxdepth: 2 + :maxdepth: 1 :caption: API :includehidden: @@ -69,18 +69,18 @@ Contents api/errors/index .. toctree:: - :maxdepth: 3 + :maxdepth: 1 :caption: Model model/overview model/spec .. toctree:: - :maxdepth: 2 + :maxdepth: 1 :caption: Miscellaneous misc/extension-grants misc/pkce - misc/migrating-v5 + misc/migrating-to-v5 misc/migrating-v2-to-v3 From a4f214573fcaa6cdbf787217927883f9abc56ad7 Mon Sep 17 00:00:00 2001 From: jankapunkt Date: Mon, 6 Nov 2023 13:26:29 +0100 Subject: [PATCH 45/47] docs: add sphinx rtd theme --- docs/conf.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/conf.py b/docs/conf.py index a621e906..2abf9c3f 100644 --- a/docs/conf.py +++ b/docs/conf.py @@ -28,7 +28,7 @@ # Add any Sphinx extension module names here, as strings. They can be extensions # coming with Sphinx (named 'sphinx.ext.*') or your custom ones. -extensions = ['sphinx.ext.intersphinx', 'sphinx.ext.ifconfig', 'sphinx.ext.todo'] +extensions = ['sphinx.ext.intersphinx', 'sphinx.ext.ifconfig', 'sphinx.ext.todo', 'sphinx_rtd_theme'] # Add any paths that contain templates here, relative to this directory. templates_path = ['_templates'] @@ -94,7 +94,7 @@ # The theme to use for HTML and HTML Help pages. See the documentation for # a list of builtin themes. -html_theme = 'default' +html_theme = "sphinx_rtd_theme" # Theme options are theme-specific and customize the look and feel of a theme # further. For a list of options available for each theme, see the From 185866900f8bae49771bfdbd12e2c38c91e2487e Mon Sep 17 00:00:00 2001 From: jankapunkt Date: Mon, 6 Nov 2023 13:29:28 +0100 Subject: [PATCH 46/47] docs: install sphinx theme with python --- .readthedocs.yml | 6 +++--- docs/requirements.txt | 4 ++++ 2 files changed, 7 insertions(+), 3 deletions(-) create mode 100644 docs/requirements.txt diff --git a/.readthedocs.yml b/.readthedocs.yml index d9ee7902..bc2b3c65 100644 --- a/.readthedocs.yml +++ b/.readthedocs.yml @@ -17,6 +17,6 @@ sphinx: # We recommend specifying your dependencies to enable reproducible builds: # https://docs.readthedocs.io/en/stable/guides/reproducible-builds.html -# python: -# install: -# - requirements: docs/requirements.txt \ No newline at end of file +python: + install: + - requirements: docs/requirements.txt \ No newline at end of file diff --git a/docs/requirements.txt b/docs/requirements.txt new file mode 100644 index 00000000..1ee13a2b --- /dev/null +++ b/docs/requirements.txt @@ -0,0 +1,4 @@ +# Defining the exact version will make sure things don't break +sphinx==5.3.0 +sphinx_rtd_theme==1.1.1 +readthedocs-sphinx-search==0.1.1 \ No newline at end of file From a7a1b25a1f698da106c7280ac2de6f033c8ff59a Mon Sep 17 00:00:00 2001 From: jankapunkt Date: Mon, 6 Nov 2023 14:58:47 +0100 Subject: [PATCH 47/47] published release 5.0.0 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index a4169b88..437c2476 100644 --- a/package.json +++ b/package.json @@ -1,7 +1,7 @@ { "name": "@node-oauth/oauth2-server", "description": "Complete, framework-agnostic, compliant and well tested module for implementing an OAuth2 Server in node.js", - "version": "5.0.0-rc.5", + "version": "5.0.0", "keywords": [ "oauth", "oauth2"