@jackdbd/fastify-authorization-endpoint
Advanced tools
Fastify plugin that adds an [IndieAuth Authorization Endpoint](https://indieauth.spec.indieweb.org/#authorization-endpoint) to a Fastify server.
Fastify plugin that adds an IndieAuth Authorization Endpoint to a Fastify server.
An IndieAuth Authorization Endpoint is responsible for obtaining authentication or authorization consent from the end user and generating and verifying authorization codes.
npm install @jackdbd/fastify-authorization-endpoint
Options for the Fastify authorization-endpoint plugin
Properties
| Name | Type | Description | Required |
|---|---|---|---|
| ajv | Instance of Ajv | no | |
| authorizationCodeExpiration | string | Default: "10 minutes"Minimal Length: 1 | no |
| components | object | Filepaths to WebC components | no |
| redirectPathOnSubmit | string | Default: "/consent"Minimal Length: 1 | no |
| includeErrorDescription | boolean | Whether to include an error_description property in all error responses. This is meant to assist the client developer in understanding the error. This is NOT meant to be shown to the end user.Default: false | no |
| issuer | string | The authorization server's issuer identifier. It's a URL that uses the "https" scheme and has no query or fragment components. It MUST also be a prefix of the indieauth-metadata URL. Format: "uri" | no |
| logPrefix | string | Default: "authorization-endpoint " | no |
| onAuthorizationCodeVerified | Function | Handler that runs after the authorization code has been verified. You should use this handler to inform your storage backend that the authorization code has been used. | yes |
| onUserApprovedRequest | Function | Handler executed after the user approves the authorization request on the consent screen. You should use it to persist the authorization code generated by the authorization code generated by the authorization endpoint into your storage backend. | yes |
| reportAllAjvErrors (report all AJV errors) | boolean | Whether to report all AJV validation errors. Default: false | no |
| retrieveAuthorizationCode | Function | Function that retrieves an authorization code from a storage backend. | yes |
| templates | string[] | Filepaths to WebC templates | no |
Example
{
"authorizationCodeExpiration": "10 minutes",
"components": {},
"redirectPathOnSubmit": "/consent",
"includeErrorDescription": false,
"logPrefix": "authorization-endpoint ",
"reportAllAjvErrors": false
}
Filepaths to WebC components
Properties
| Name | Type | Description | Required |
|---|---|---|---|
| consent-form | string | Minimal Length: 1 | |
| scope-list | string | Minimal Length: 1 | |
| the-footer | string | Minimal Length: 1 | |
| the-header | string | Minimal Length: 1 |
Filepaths to WebC templates
Items
Item Type: string
Item Minimal Length: 1
Minimum Items: 1
When the end user accesses the authorization endpoint, they are presented with a consent screen. The details displayed on the consent screen are populated based on the information provided in the query string of the request.
Properties
| Name | Type | Description | Required |
|---|---|---|---|
| client_id | string | The ID of the application that asks for authorization. An IndieAuth client ID is a URL. Format: "uri" | yes |
| code_challenge (PKCE code challenge) | string | The PKCE code challenge. See Client Creates the Code Challenge. Minimal Length: 43Maximal Length: 128 | yes |
| code_challenge_method (PKCE code challenge method) | The hashing method used to calculate the code challenge in the PKCE OAuth 2.0 flow. See Client Creates the Code Challenge. | yes | |
| me | yes | ||
| redirect_uri | string | Holds a URL. A successful response from this endpoint results in a redirect to this URL. Format: "uri" | yes |
| response_type (OAuth 2.0 response_type) | Tells the authorization server which grant to execute. Default: "code" | yes | |
| scope (OAuth 2.0 scope (scopes) claim) | string | Scope values. See RFC8693 scope claim Minimal Length: 1 | no |
| state (OAuth 2.0 state parameter (CSRF token)) | string | An opaque value used by the client to maintain state between the request and callback. The parameter SHOULD be used for preventing cross-site request forgery. See OAuth 2.0 Authorization Request. Minimal Length: 1 | yes |
Example
{
"response_type": "code"
}
To verify that the authorization code is valid, the token endpoint of the authorization server makes a POST request to the authorization endpoint.
Properties
| Name | Type | Description | Required |
|---|---|---|---|
| client_id | string | The ID of the application that asks for authorization. An IndieAuth client ID is a URL. Format: "uri" | yes |
| code | string | The authorization code generated by the authorization endpoint. The code MUST expire shortly after it is issued to mitigate the risk of leaks, and MUST be valid for only one use. A maximum lifetime of 10 minutes is recommended. See Authorization Response. Minimal Length: 1 | yes |
| code_verifier | string | PKCE code verifier. A high-entropy cryptographic random string. See Client Creates a Code Verifier. Minimal Length: 43Maximal Length: 128 | yes |
| grant_type | string | Constant Value: "authorization_code" | yes |
| redirect_uri | string | Holds a URL. A successful response from this endpoint results in a redirect to this URL. Format: "uri" | yes |
| Package | Version |
|---|---|
| @fastify/formbody | ^8.0.2 |
| @fastify/response-validation | ^3.0.3 |
| @hapi/hoek | ^11.0.7 |
| @jackdbd/canonical-url | ^0.0.0-canary.1 |
| @jackdbd/fastify-webc | ^0.0.0-canary.1 |
| @jackdbd/indieauth | ^0.0.0-canary.1 |
| @jackdbd/oauth2 | ^0.0.0-canary.1 |
| @jackdbd/oauth2-error-responses | ^0.0.0-canary.1 |
| @jackdbd/pkce | ^0.0.0-canary.1 |
| @jackdbd/schema-validators | ^0.0.0-canary.1 |
| @sinclair/typebox | ^0.34.14 |
| ajv | ^8.17.1 |
| ajv-formats | ^3.0.1 |
| dayjs | ^1.11.13 |
| dayjs-plugin-utc | ^0.1.2 |
| fastify-plugin | ^5.0.1 |
| ms | 3.0.0-canary.1 |
⚠️ Peer Dependencies
This package defines 1 peer dependency.
| Peer | Version range |
|---|---|
fastify | >=5.0.0 |
The authorization codes issued by the authorization endpoint implemented by this plugin are Nano IDs generated with nanoid.
email, profilecreate, update, delete, undelete, draft, media© 2024 - 2025 Giacomo Debidda // MIT License
FAQs
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Socket uncovered npm malware campaign mimicking popular Node.js libraries and packages from other ecosystems; packages steal data and execute remote code.
Research
Socket's research uncovers three dangerous Go modules that contain obfuscated disk-wiping malware, threatening complete data loss.
Research
Socket uncovers malicious packages on PyPI using Gmail's SMTP protocol for command and control (C2) to exfiltrate data and execute commands.