Release 5.0.0

.github/workflows/tests-release.yml

@@ -113,7 +113,7 @@ jobs:
     - run: |
         cd github/testing/express
         npm i
-        npm install ../../../
+        npm install https://github.com/node-oauth/node-oauth2-server.git#${{ github.ref_name }}
         npm run test
 
     # todo repeat with other adapters

CHANGELOG.md

@@ -7,6 +7,7 @@
 - drop support for Node 14 (EOL), setting Node 16 as `engine` in `package.json`
 - this is a breaking change, because **it removes callback support** for
   `OAuthServer` and your model implementation.
+- fixed missing await in calling generateAuthorizationCode in AuthorizeHandler
 
 ## 4.2.0
 ### Fixed

index.d.ts

@@ -1,4 +1,4 @@
-// Type definitions for Node OAuth2 Server 4.0
+// Type definitions for Node OAuth2 Server 5.0
 // Definitions by:  Robbie Van Gorkom <https://github.com/vangorra>,
 //                  Charles Irick <https://github.com/cirick>,
 //                  Daniel Fischer <https://github.com/d-fischer>,
@@ -23,8 +23,7 @@ declare class OAuth2Server {
     authenticate(
         request: OAuth2Server.Request,
         response: OAuth2Server.Response,
-        options?: OAuth2Server.AuthenticateOptions,
-        callback?: OAuth2Server.Callback<OAuth2Server.Token>
+        options?: OAuth2Server.AuthenticateOptions
     ): Promise<OAuth2Server.Token>;
 
     /**
@@ -33,8 +32,7 @@ declare class OAuth2Server {
     authorize(
         request: OAuth2Server.Request,
         response: OAuth2Server.Response,
-        options?: OAuth2Server.AuthorizeOptions,
-        callback?: OAuth2Server.Callback<OAuth2Server.AuthorizationCode>
+        options?: OAuth2Server.AuthorizeOptions
     ): Promise<OAuth2Server.AuthorizationCode>;
 
     /**
@@ -43,8 +41,7 @@ declare class OAuth2Server {
     token(
         request: OAuth2Server.Request,
         response: OAuth2Server.Response,
-        options?: OAuth2Server.TokenOptions,
-        callback?: OAuth2Server.Callback<OAuth2Server.Token>
+        options?: OAuth2Server.TokenOptions
     ): Promise<OAuth2Server.Token>;
 }
 
@@ -238,11 +235,6 @@ declare namespace OAuth2Server {
         extendedGrantTypes?: { [key: string]: typeof AbstractGrantType } | undefined;
     }
 
-    /**
-     * Represents a generic callback structure for model callbacks
-     */
-    type Callback<T> = (err?: any, result?: T) => void;
-
     /**
      * For returning falsey parameters in cases of failure
      */
@@ -253,54 +245,54 @@ declare namespace OAuth2Server {
          * Invoked to generate a new access token.
          *
          */
-        generateAccessToken?(client: Client, user: User, scope: string | string[], callback?: Callback<string>): Promise<string>;
+        generateAccessToken?(client: Client, user: User, scope: string | string[]): Promise<string>;
 
         /**
          * Invoked to retrieve a client using a client id or a client id/client secret combination, depending on the grant type.
          *
          */
-        getClient(clientId: string, clientSecret: string, callback?: Callback<Client | Falsey>): Promise<Client | Falsey>;
+        getClient(clientId: string, clientSecret: string): Promise<Client | Falsey>;
 
         /**
          * Invoked to save an access token and optionally a refresh token, depending on the grant type.
          *
          */
-        saveToken(token: Token, client: Client, user: User, callback?: Callback<Token>): Promise<Token | Falsey>;
+        saveToken(token: Token, client: Client, user: User): Promise<Token | Falsey>;
     }
 
     interface RequestAuthenticationModel {
         /**
          * Invoked to retrieve an existing access token previously saved through Model#saveToken().
          *
          */
-        getAccessToken(accessToken: string, callback?: Callback<Token>): Promise<Token | Falsey>;
+        getAccessToken(accessToken: string): Promise<Token | Falsey>;
 
         /**
          * Invoked during request authentication to check if the provided access token was authorized the requested scopes.
          * Optional, if a custom authenticateHandler is used or if there is no scope part of the request.
          *
          */
-        verifyScope?(token: Token, scope: string | string[], callback?: Callback<boolean>): Promise<boolean>;
+        verifyScope(token: Token, scope: string | string[]): Promise<boolean>;
     }
 
     interface AuthorizationCodeModel extends BaseModel, RequestAuthenticationModel {
         /**
          * Invoked to generate a new refresh token.
          *
          */
-        generateRefreshToken?(client: Client, user: User, scope: string | string[], callback?: Callback<string>): Promise<string>;
+        generateRefreshToken?(client: Client, user: User, scope: string | string[]): Promise<string>;
 
         /**
          * Invoked to generate a new authorization code.
          *
          */
-        generateAuthorizationCode?(client: Client, user: User, scope: string | string[], callback?: Callback<string>): Promise<string>;
+        generateAuthorizationCode?(client: Client, user: User, scope: string | string[]): Promise<string>;
 
         /**
          * Invoked to retrieve an existing authorization code previously saved through Model#saveAuthorizationCode().
          *
          */
-        getAuthorizationCode(authorizationCode: string, callback?: Callback<AuthorizationCode>): Promise<AuthorizationCode | Falsey>;
+        getAuthorizationCode(authorizationCode: string): Promise<AuthorizationCode | Falsey>;
 
         /**
          * Invoked to save an authorization code.
@@ -309,20 +301,20 @@ declare namespace OAuth2Server {
         saveAuthorizationCode(
           code: Pick<AuthorizationCode, 'authorizationCode' | 'expiresAt' | 'redirectUri' | 'scope' | 'codeChallenge' | 'codeChallengeMethod'>,
           client: Client,
-          user: User,
-          callback?: Callback<AuthorizationCode>): Promise<AuthorizationCode | Falsey>;
+          user: User
+        ): Promise<AuthorizationCode | Falsey>;
 
         /**
          * Invoked to revoke an authorization code.
          *
          */
-        revokeAuthorizationCode(code: AuthorizationCode, callback?: Callback<boolean>): Promise<boolean>;
+        revokeAuthorizationCode(code: AuthorizationCode): Promise<boolean>;
 
         /**
          * Invoked to check if the requested scope is valid for a particular client/user combination.
          *
          */
-        validateScope?(user: User, client: Client, scope: string | string[], callback?: Callback<string | Falsey>): Promise<string | string[] | Falsey>;
+        validateScope?(user: User, client: Client, scope: string | string[]): Promise<string | string[] | Falsey>;
 
         /**
          * Invoked to check if the provided `redirectUri` is valid for a particular `client`.
@@ -336,53 +328,53 @@ declare namespace OAuth2Server {
          * Invoked to generate a new refresh token.
          *
          */
-        generateRefreshToken?(client: Client, user: User, scope: string | string[], callback?: Callback<string>): Promise<string>;
+        generateRefreshToken?(client: Client, user: User, scope: string | string[]): Promise<string>;
 
         /**
          * Invoked to retrieve a user using a username/password combination.
          *
          */
-        getUser(username: string, password: string, callback?: Callback<User | Falsey>): Promise<User | Falsey>;
+        getUser(username: string, password: string): Promise<User | Falsey>;
 
         /**
          * Invoked to check if the requested scope is valid for a particular client/user combination.
          *
          */
-        validateScope?(user: User, client: Client, scope: string | string[], callback?: Callback<string | Falsey>): Promise<string | string[] | Falsey>;
+        validateScope?(user: User, client: Client, scope: string | string[]): Promise<string | string[] | Falsey>;
     }
 
     interface RefreshTokenModel extends BaseModel, RequestAuthenticationModel {
         /**
          * Invoked to generate a new refresh token.
          *
          */
-        generateRefreshToken?(client: Client, user: User, scope: string | string[], callback?: Callback<string>): Promise<string>;
+        generateRefreshToken?(client: Client, user: User, scope: string | string[]): Promise<string>;
 
         /**
          * Invoked to retrieve an existing refresh token previously saved through Model#saveToken().
          *
          */
-        getRefreshToken(refreshToken: string, callback?: Callback<RefreshToken>): Promise<RefreshToken | Falsey>;
+        getRefreshToken(refreshToken: string): Promise<RefreshToken | Falsey>;
 
         /**
          * Invoked to revoke a refresh token.
          *
          */
-        revokeToken(token: RefreshToken | Token, callback?: Callback<boolean>): Promise<boolean>;
+        revokeToken(token: RefreshToken | Token): Promise<boolean>;
     }
 
     interface ClientCredentialsModel extends BaseModel, RequestAuthenticationModel {
         /**
          * Invoked to retrieve the user associated with the specified client.
          *
          */
-        getUserFromClient(client: Client, callback?: Callback<User | Falsey>): Promise<User | Falsey>;
+        getUserFromClient(client: Client): Promise<User | Falsey>;
 
         /**
          * Invoked to check if the requested scope is valid for a particular client/user combination.
          *
          */
-        validateScope?(user: User, client: Client, scope: string | string[], callback?: Callback<string | Falsey>): Promise<string | string[] | Falsey>;
+        validateScope?(user: User, client: Client, scope: string | string[]): Promise<string | string[] | Falsey>;
     }
 
     interface ExtensionModel extends BaseModel, RequestAuthenticationModel {}

lib/grant-types/abstract-grant-type.js

@@ -32,8 +32,9 @@ class AbstractGrantType {
    */
   async generateAccessToken (client, user, scope) {
     if (this.model.generateAccessToken) {
-      const accessToken = await this.model.generateAccessToken(client, user, scope);
-      return accessToken || tokenUtil.generateRandomToken();
+      // We should not fall back to a random accessToken, if the model did not
+      // return a token, in order to prevent unintended token-issuing.
+      return this.model.generateAccessToken(client, user, scope);
     }
 
     return tokenUtil.generateRandomToken();
@@ -44,8 +45,9 @@ class AbstractGrantType {
  */
   async generateRefreshToken (client, user, scope) {
     if (this.model.generateRefreshToken) {
-      const refreshToken = await this.model.generateRefreshToken(client, user, scope);
-      return refreshToken || tokenUtil.generateRandomToken();
+      // We should not fall back to a random refreshToken, if the model did not
+      // return a token, in order to prevent unintended token-issuing.
+      return this.model.generateRefreshToken(client, user, scope);
     }
 
     return tokenUtil.generateRandomToken();

lib/grant-types/authorization-code-grant-type.js

@@ -195,11 +195,11 @@ class AuthorizationCodeGrantType extends AbstractGrantType {
     const refreshTokenExpiresAt = await this.getRefreshTokenExpiresAt();
 
     const token = {
-      accessToken: accessToken,
-      authorizationCode: authorizationCode,
-      accessTokenExpiresAt: accessTokenExpiresAt,
-      refreshToken: refreshToken,
-      refreshTokenExpiresAt: refreshTokenExpiresAt,
+      accessToken,
+      authorizationCode,
+      accessTokenExpiresAt,
+      refreshToken,
+      refreshTokenExpiresAt,
       scope: validatedScope,
     };
 

lib/grant-types/client-credentials-grant-type.js

@@ -45,7 +45,7 @@ class ClientCredentialsGrantType extends AbstractGrantType {
     }
 
     const scope = this.getScope(request);
-    const user = this.getUserFromClient(client);
+    const user = await this.getUserFromClient(client);
 
     return this.saveToken(user, client, scope);
   }
@@ -73,8 +73,8 @@ class ClientCredentialsGrantType extends AbstractGrantType {
     const accessToken = await this.generateAccessToken(client, user, validatedScope);
     const accessTokenExpiresAt = await this.getAccessTokenExpiresAt(client, user, validatedScope);
     const token = {
-      accessToken: accessToken,
-      accessTokenExpiresAt: accessTokenExpiresAt,
+      accessToken,
+      accessTokenExpiresAt,
       scope: validatedScope,
     };
 

lib/grant-types/password-grant-type.js

@@ -94,10 +94,10 @@ class PasswordGrantType extends AbstractGrantType {
     const refreshTokenExpiresAt = await this.getRefreshTokenExpiresAt();
 
     const token = {
-      accessToken: accessToken,
-      accessTokenExpiresAt: accessTokenExpiresAt,
-      refreshToken: refreshToken,
-      refreshTokenExpiresAt: refreshTokenExpiresAt,
+      accessToken,
+      accessTokenExpiresAt,
+      refreshToken,
+      refreshTokenExpiresAt,
       scope: validatedScope,
     };
 

lib/grant-types/refresh-token-grant-type.js

@@ -130,9 +130,9 @@ class RefreshTokenGrantType extends AbstractGrantType {
     const accessTokenExpiresAt = await this.getAccessTokenExpiresAt();
     const refreshTokenExpiresAt = await this.getRefreshTokenExpiresAt();
     const token = {
-      accessToken: accessToken,
-      accessTokenExpiresAt: accessTokenExpiresAt,
-      scope: scope,
+      accessToken,
+      accessTokenExpiresAt,
+      scope,
     };
 
     if (this.alwaysIssueNewRefreshToken !== false) {

lib/handlers/authorize-handler.js

@@ -92,9 +92,9 @@ class  AuthorizeHandler {
         throw new AccessDeniedError('Access denied: user denied access to application');
       }
 
-      const requestedScope = this.getScope(request);
+      const requestedScope = await this.getScope(request);
       const validScope = await this.validateScope(user, client, requestedScope);
-      const authorizationCode = this.generateAuthorizationCode(client, user, validScope);
+      const authorizationCode = await this.generateAuthorizationCode(client, user, validScope);
 
       const ResponseType = this.getResponseType(request);
       const codeChallenge = this.getCodeChallenge(request);
@@ -390,6 +390,7 @@ class  AuthorizeHandler {
     return algorithm || 'plain';
   }
 }
+
 /**
  * Export constructor.
  */

package.json

@@ -1,7 +1,7 @@
 {
   "name": "@node-oauth/oauth2-server",
   "description": "Complete, framework-agnostic, compliant and well tested module for implementing an OAuth2 Server in node.js",
-  "version": "4.3.0",
+  "version": "5.0.0-rc.2",
   "keywords": [
     "oauth",
     "oauth2"