atlassian-oauth2
Comparing version 0.2.3 to 0.3.0
@@ -13,11 +13,13 @@ var request = require('request'), | ||
/** | ||
* Creates a JWT claimset for authenticating the add-on to the OAuth2 service | ||
* Creates a JWT claimset for authenticating the add-on to the OAuth2 service. | ||
* | ||
* This is the generic base used to generate payloads for both accountId and userKey. | ||
* | ||
* @param {String} hostBaseUrl - The fully qualified instance name, for example `https://instance.atlassian.net` | ||
* @param {String} oauthClientId - The OAuth client id which corresponds to the `hostBaseUrl` which was provided to the add-on during installation | ||
* @param {String} userKey - The user key (not username) of the user to retrieve an access token for | ||
* @param {String=} audience - The user key (not username) of the user to retrieve an access token for | ||
* @param {String} subClaim - The sub claim to use when making the request to the server. | ||
* @param {String=} audience - The authorization server to use (only intended to be changed for internal Atlassian use). | ||
* @returns {Object} A claimset to be encoded and sent with the token request | ||
*/ | ||
function _createAssertionPayload (hostBaseUrl, oauthClientId, userKey, audience) { | ||
function _createGenericAssertionPayload (hostBaseUrl, oauthClientId, subClaim, audience) { | ||
var now = Math.floor(Date.now() / 1000); | ||
@@ -28,4 +30,4 @@ var exp = now + EXPIRE_IN_SECONDS; | ||
"iss": JWT_CLAIM_PREFIX + ":clientid:" + oauthClientId, | ||
"sub": JWT_CLAIM_PREFIX + ":userkey:" + userKey, | ||
"tnt": hostBaseUrl, | ||
"sub": subClaim, | ||
"aud": audience || AUTHORIZATION_SERVER_URL, | ||
@@ -37,2 +39,12 @@ "iat": now, | ||
function _createUserKeyAssertionPayload(hostBaseUrl, oauthClientId, userKey, audience) { | ||
var subClaim = JWT_CLAIM_PREFIX + ":userkey:" + userKey; | ||
return _createGenericAssertionPayload(hostBaseUrl, oauthClientId, subClaim, audience); | ||
} | ||
function _createAAIDAssertingPayload(hostBaseUrl, oauthClientId, aAID, audience) { | ||
var subClaim = JWT_CLAIM_PREFIX + ":useraccountid:" + aAID; | ||
return _createGenericAssertionPayload(hostBaseUrl, oauthClientId, subClaim, audience); | ||
} | ||
/** | ||
@@ -46,3 +58,4 @@ * Retrieves an OAuth 2 access token for a given user and instance by creating a JWT token | ||
* @param {String} opts.sharedSecret - The shared secret which corresponds to the `hostBaseUrl` which was provided to the add-on during installation | ||
* @param {String} opts.userKey - The user key (not username) of the user to retrieve an access token for | ||
* @param {String} opts.userAccountId - The account id of the user to retrieve an access token for | ||
* @param {String} opts.userKey - The user key (not username) of the user to retrieve an access token for (if userAccountId not provided) | ||
* @param {String} opts.scopes - An array of scopes to request for when creating the access token | ||
@@ -56,3 +69,12 @@ * @param {String=} opts.authorizationServerBaseUrl - An alternative authorization server to use (intended for internal use by Atlassian only) | ||
return new RSVP.Promise(function (resolve, reject) { | ||
var jwtClaims = _createAssertionPayload(opts.hostBaseUrl, opts.oauthClientId, opts.userKey, opts.authorizationServerBaseUrl); | ||
var jwtClaims; | ||
if(opts.userAccountId) { | ||
jwtClaims = _createAAIDAssertingPayload(opts.hostBaseUrl, opts.oauthClientId, opts.userAccountId, opts.authorizationServerBaseUrl); | ||
} else if(opts.userKey) { | ||
jwtClaims = _createUserKeyAssertionPayload(opts.hostBaseUrl, opts.oauthClientId, opts.userAccountId, opts.authorizationServerBaseUrl); | ||
} else { | ||
reject('No user identifier (userKey or userAccountId) provided'); | ||
} | ||
var assertion = jwt.encode(jwtClaims, opts.sharedSecret); | ||
@@ -91,4 +113,6 @@ | ||
module.exports = { | ||
_createAssertionPayload: _createAssertionPayload, | ||
_createUserKeyAssertionPayload: _createUserKeyAssertionPayload, | ||
_createAAIDAssertingPayload: _createAAIDAssertingPayload, | ||
_createAssertionPayload: _createUserKeyAssertionPayload, // Don't change the default export in case something else is using it | ||
getAccessToken: getAccessToken | ||
}; |
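Review bot: The userKey branch at `} else if(opts.userKey) {` builds the claimset from `opts.userAccountId`, which is null or undefined in that branch, so the JWT `sub` becomes `urn:atlassian:connect:userkey:undefined` (or `:null`) rather than the caller's user key and the token is requested for the wrong subject; the call should read `jwtClaims = _createUserKeyAssertionPayload(opts.hostBaseUrl, opts.oauthClientId, opts.userKey, opts.authorizationServerBaseUrl);`. The `else` branch calls `reject(...)` without returning, so execution falls through to `jwt.encode(jwtClaims, opts.sharedSecret)` with an undefined claimset; `return reject(new Error('No user identifier (userKey or userAccountId) provided'));` stops the executor and gives callers an Error with a stack instead of a bare string. The `@returns` line of the generic payload doc still says "to be encoded and sent with the token request", which holds, but the doc for `subClaim` could note that callers are expected to pass a fully prefixed `urn:atlassian:connect:...` value, as the two wrappers do. The enclosing getAccessToken function starts and ends outside this hunk.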
{ | ||
"name": "atlassian-oauth2", | ||
"description": "Atlassian Connect OAuth2 library", | ||
"version": "0.2.3", | ||
"version": "0.3.0", | ||
"author": "Seb Ruiz <sruiz@atlassian.com>", | ||
@@ -6,0 +6,0 @@ "repository": { |
@@ -66,2 +66,9 @@ var should = require('should'), | ||
}); | ||
it('Claimset should have aaid if supplied', function(done) { | ||
var aaid = "21d6059f-cdfe-4db7-85c7-4a250c94667a"; | ||
var token = oauth2._createAAIDAssertingPayload(hostBaseUrl, oauthClientId, aaid); | ||
token.sub.should.be.eql('urn:atlassian:connect:useraccountid:' + aaid); | ||
done(); | ||
}) | ||
}); | ||
@@ -170,2 +177,17 @@ | ||
it('Request should work when only accountId provided', function(done) { | ||
interceptRequest(done, 200, { | ||
userKey: null, // this should remove the 'admin' default. | ||
userAccountId: '21d6059f-cdfe-4db7-85c7-4a250c94667a' | ||
}) | ||
}); | ||
it('Request should work when both accountId and userKey supplied', function(done) { | ||
// It should use accountId if both provided | ||
interceptRequest(done, 200, { | ||
userKey: 'admin', | ||
userAccountId: '21d6059f-cdfe-4db7-85c7-4a250c94667a' | ||
}); | ||
}); | ||
describe('scopes', function () { | ||
@@ -172,0 +194,0 @@ it('no scopes', function (done) { |
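Review bot: Neither new request test checks which identifier actually ended up in the JWT `sub` claim; `interceptRequest(done, 200, ...)` is defined outside the hunk and from its use here appears to assert only the HTTP status, so a getAccessToken that builds the userKey claimset from the wrong option would still pass both tests and the comment `// It should use accountId if both provided` asserts nothing. Consider having the interceptor capture the posted assertion, decode it, and compare `sub` against the expected `urn:atlassian:connect:useraccountid:` or `urn:atlassian:connect:userkey:` value, and add a userKey-only request case alongside 'Request should work when only accountId provided'. Minor style point: the new `it('Claimset should have aaid if supplied', ...)` block closes with `})` rather than `});` unlike the surrounding tests.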
License Policy Violation
License: This package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
New author
Supply chain risk: A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but they do indicate a change to the security surface area of a package.
Found 1 instance in 1 package