express-authenticators
Third party authenticators in nodejs. Support various providers. Almost zero dependencies.
Modern OAuth/OAuth2 authenticator.

Dependencies: r3986 and jws (jws is required for the Google and Apple token checks).

Installation
yarn: yarn add express-authenticators
npm: npm install --save express-authenticators

Requirements: the runtime must provide a global fetch (polyfill it if yours does not) and crypto.randomUUID().

Exports:
export {
getGoogleConsentUrl, getGoogleAccessToken, fetchGoogleProfile, refreshGoogleAccessToken, verifyGoogleIdToken,
getFacebookConsentUrl, getFacebookAccessToken, fetchFacebookProfile,
getAppleConsentUrl, getAppleToken, generateAppleClientSecret, verifyAppleIdToken, revokeAppleToken,
getGithubConsentUrl, getGithubAccessToken, fetchGithubProfile,
getFoursquareConsentUrl, getFoursquareAccessToken, fetchFoursquareProfile,
getInstagramConsentUrl, getInstagramAccessToken, fetchInstagramProfile,
getLineConsentUrl, getLineAccessToken, fetchLineProfile, refreshLineAccessToken,
getLinkedInConsentUrl, getLinkedInAccessToken, fetchLinkedInProfile,
getTwitterConsentUrl, getTwitterAccessToken, fetchTwitterProfile,
getTumblrConsentUrl, getTumblrAccessToken, fetchTumblrProfile,
getZaloConsentUrl, getZaloAccessToken, fetchZaloProfile, refreshZaloAccessToken,
getPinterestConsentUrl, getPinterestAccessToken, fetchPinterestProfile,
getConsentUrl, getAccessToken,
getOauth1ConsentUrl, getOAuth1AccessToken, oauth1SignAndFetch,
}
    import {
      getGoogleConsentUrl, getGoogleAccessToken, fetchGoogleProfile, refreshGoogleAccessToken, verifyGoogleIdToken,
    } from 'express-authenticators'
    import express from 'express'
    import session from 'express-session'

    const app = express()
    // express-session refuses to start without a secret; keep it long, random and out of source control
    // (SESSION_SECRET is a placeholder environment variable name for this example)
    app.use(session({
      secret: process.env.SESSION_SECRET,
      resave: false,
      saveUninitialized: false,
    }))

    app.get(
      '/auth/google',
      async (req, res, next) => {
        req.session.someInfo = 'my info' // anything you want to pick up again in the callback
        try {
          const {url, state} = await getGoogleConsentUrl({
            clientID: 'your client id',
            redirectUri: 'https://your-host.com/auth/google/callback',
          })
          // the state is checked again in the callback, so it must live in the server-side session
          req.session.oauthGoogle = JSON.stringify(state)
          res.redirect(302, url)
        } catch (e) {
          next(e)
        }
      }
    )

    app.get( // for AppleAuthenticator, must use POST method instead
      '/auth/google/callback',
      async (req, res, next) => {
        try {
          if (!req.session.oauthGoogle) throw new Error('no pending Google login in this session')
          const {access_token} = await getGoogleAccessToken(
            {
              clientID: 'your client id',
              clientSecret: 'your client secret',
              redirectUri: 'https://your-host.com/auth/google/callback',
            },
            JSON.parse(req.session.oauthGoogle),
            Object.fromEntries(new URLSearchParams(new URL(`https://example.com${req.url}`).search)) // for AppleAuthenticator, use req.body instead
          )
          delete req.session.oauthGoogle // one-shot: a consumed state must not be replayable
          const profile = await fetchGoogleProfile(access_token)
          console.log('got profile', profile)
          res.json(profile)
        } catch (e) {
          next(e)
        }
      }
    )
All fetch profile APIs return the same interface:
    interface OAuthProfile {
      id?: string
      email?: string
      emailVerified?: boolean
      first?: string
      last?: string
      avatar?: string
      raw: any
    }
Where raw is the JSON-parsed response body exactly as the provider returned it. The other fields are derived per provider from that data and are optional because not every provider supplies them. Treat emailVerified as the only evidence that the address in email belongs to the user: without it, email is a self-asserted value and must not be used on its own to link the login to an existing account.