Security News
GitHub Removes Malicious Pull Requests Targeting Open Source Repositories
GitHub removed 27 malicious pull requests attempting to inject harmful code across multiple open source repositories, in another round of low-effort attacks.
@digicatapult/tsoa-oauth-express
Advanced tools
This library enables easy implementation of OAuth2 authentication for tsoa on express. To use this library first add it as an npm
dependency to your existing tsoa
application.
npm i @digicatapult/tsoa-oauth-express
Your authentication file (see tsoa's documentation on authentication setup here) will then need to contain something like:
import type express from 'express'
import type * as jwt from 'jsonwebtoken'
import mkExpressAuthentication, { AuthOptions } from '@digicatapult/tsoa-oauth-express'
// module options
const options: AuthOptions = {
...
}
export const expressAuthentication = mkExpressAuthentication(options)
where the options
value is an object with the following type and properties:
interface AuthOptions {
securityName?: string
verifyOptions?: jwt.VerifyOptions & { complete?: false }
jwksUri: () => Promise<string>
getAccessToken: (req: express.Request) => Promise<string | undefined>
getScopesFromToken: (decoded: string | jwt.JwtPayload) => Promise<string[]>
tryRefreshTokens: (req: express.Request) => Promise<boolean>
}
property | required | description |
---|---|---|
jwksUri | true | Resolves to the uri for your identity providers jwks configuration |
getAccessToken | true | Resolves a JWT from the Request . For example this may come from an authorization header or a cookie based on requirements |
getScopesFromToken | true | Resolves to an array of OAuth scopes that the provided token supports |
securityName | false | OpenAPI Security scheme name to be secured |
verifyOptions | false | jsonwebtoken verification options. See the jsonwebtoken documentation for details |
tryRefreshTokens | false | Performs a token refresh. Resolves to true if the refressh succeeded otherwise false . By default this always resolves to false |
An example implementation of using the OAuth client-credential flow to authenticate a machine-to-machine (m2m) API is included in the package repository. This consists of two parts, a pre-configured Keycloak
instance which can be instantiated with docker compose
to act as our identity provider and an example application under ./example which implements to tsoa
server. For further information please see the tsoa authentication documentation and our authentication handler example at ./example/authentication.ts.
To get started first bring up the Keycloak
instance by executing from the repository root:
docker compose up -d
This will automatically pre-configure a client called example
with client secret example
. We can then fetch a m2m token by executing:
curl --request POST \
--url 'http://localhost:3080/realms/example/protocol/openid-connect/token' \
--header 'content-type: application/x-www-form-urlencoded' \
--data grant_type=client_credentials \
--data client_id=example \
--data client_secret=example
This will return a JSON object with a JWT auth token in the access_token
property that takes the form like eyJhbGci...r8TIOfRQ
.
The example server can then be run with:
npm run example
This server listens on port 3000 and exposes two routes /authenticated
and /unauthenticated
where only the first route requires an auth token. So we can for example call
curl http://localhost:3000/unauthenticated
which should return something like
{ "message": "This route is unauthenticated", "authenticated": false }
But calling the authenticated route (curl http://localhost:3000/authenticated
) in the same was will return an error
{ "message": "unauthenticated" }
Providing the JWT auth token as part of an authentication header:
curl http://localhost:3000/authenticated --header 'authorization: bearer eyJhbGci...r8TIOfRQ'
causes the call to succeed:
{ "message": "This route is authenticated", "authenticated": true }
FAQs
Authentication handler for TSOA using OAuth2 JWT tokens
The npm package @digicatapult/tsoa-oauth-express receives a total of 232 weekly downloads. As such, @digicatapult/tsoa-oauth-express popularity was classified as not popular.
We found that @digicatapult/tsoa-oauth-express demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
GitHub removed 27 malicious pull requests attempting to inject harmful code across multiple open source repositories, in another round of low-effort attacks.
Security News
RubyGems.org has added a new "maintainer" role that allows for publishing new versions of gems. This new permission type is aimed at improving security for gem owners and the service overall.
Security News
Node.js will be enforcing stricter semver-major PR policies a month before major releases to enhance stability and ensure reliable release candidates.