lib-oauth-tooling
A simple TypeScript based library for supporting OAuth2 flows. Currently the following flows are supported:

- Authorization Code Grant (AUTHORIZATION_CODE_GRANT)
- Resource Owner Password Credentials Grant (PASSWORD_CREDENTIALS_GRANT)
- Refresh Token Grant (REFRESH_TOKEN_GRANT)
- TokenCache service to manage access tokens in your application

See STUPS documentation and OAuth2 documentation for more information.
Migration to 2.0.0

If you depend on the realm property you now have to pass the value via the queryParams parameter in OAuthConfig:

```ts
// will NOT work anymore:
getAccessToken({
  // all the other config
  // ...
  realm: EMPLOYEES_REALM
})
.then((token: Token) => {
  // ...
});

// instead use this:
getAccessToken({
  // all the other config
  // ...
  queryParams: { realm: '/employees' }
})
.then((token: Token) => {
  // ...
});
```
See the changelog for more information.

Note: node >= 6.0.0 is required to consume this library.

Run npm install lib-oauth-tooling.
Import a member of this lib like so (of course ES5 syntax is working as well...):

```ts
import {
  TokenCache,
  handleOAuthRequestMiddleware,
  requireScopesMiddleware,
  // ...
} from 'lib-oauth-tooling';
```
TokenCache

Class to request and cache tokens on client-side.

```ts
const tokenCache = new TokenCache({
  'service-foo': ['foo.read', 'foo.write'],
  'service-bar': ['bar.read']
}, oAuthConfig);

tokenCache.get('service-foo')
.then((token: Token) => {
  console.log(token.access_token);
});
```
oauthConfig:

- credentialsDir: string
- grantType: string (AUTHORIZATION_CODE_GRANT | PASSWORD_CREDENTIALS_GRANT)
- accessTokenEndpoint: string
- tokenInfoEndpoint: string - mandatory for TokenCache
- scopes: string[] optional
- queryParams: {} optional
- redirect_uri: string optional (required with AUTHORIZATION_CODE_GRANT)
- code: string optional (required with AUTHORIZATION_CODE_GRANT)

handleOAuthRequestMiddleware

Express middleware to extract and validate an access token. It attaches the scopes matched by the token to the request (request.scopes) for further usage.

If the token is not valid the request is rejected (with 401 Unauthorized).
```ts
app.use(handleOAuthRequestMiddleware({
  publicEndpoints: ['/heartbeat', '/status'],
  tokenInfoEndpoint: 'auth.example.com/tokeninfo'
}));
```
options:

- publicEndpoints: string[]
- tokenInfoEndpoint: string

requireScopesMiddleware

Specifies the scopes needed to access an endpoint. Assumes that there is a request.scopes property (as attached by handleOAuthRequestMiddleware) to match the required scopes against.

If the requested scopes are not matched, the request is rejected (with 403 Forbidden).
```ts
app.get('/secured/route', requireScopesMiddleware(['scopeA', 'scopeB']), (request, response) => {
  // do your work...
});
```
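Both middlewares reduce to one decision per request: skip the check for public endpoints, answer 401 when the token cannot be validated, answer 403 when the token is valid but lacks a required scope. The following added example (not code from lib-oauth-tooling) implements that decision as pure functions over a constructed tokeninfo response, with a parser that treats a malformed tokeninfo body as an invalid token rather than a partially valid one; the function names, the TokenInfo type and the sample data are this example's own assumptions.

```typescript
// Added example, not part of lib-oauth-tooling: the access decision that
// handleOAuthRequestMiddleware and requireScopesMiddleware make, written as
// pure functions so it runs without Express or a live tokeninfo endpoint.

// Minimal stand-in for the tokeninfo response (the library's Token type has
// more fields; only the ones the decision needs are modelled here).
interface TokenInfo {
  access_token: string;
  scope: string[];
  expires_in?: number;
}

type Decision =
  | { status: 200; scopes: string[] }
  | { status: 401; reason: string }
  | { status: 403; reason: string };

// Parse the JSON body a tokeninfo endpoint returns. Anything that is not a
// well-formed token (missing access_token, scope not a string array, a
// non-positive expires_in) is reported as invalid rather than partially
// trusted; the middleware turns "invalid" into a 401.
function parseTokenInfo(body: string): TokenInfo | null {
  let data: unknown;
  try {
    data = JSON.parse(body);
  } catch {
    return null;
  }
  if (typeof data !== "object" || data === null || Array.isArray(data)) return null;
  const obj = data as Record<string, unknown>;

  const accessToken = obj.access_token;
  if (typeof accessToken !== "string" || accessToken.length === 0) return null;

  let scope: string[] = [];
  const rawScope = obj.scope;
  if (rawScope !== undefined) {
    if (!Array.isArray(rawScope) || !rawScope.every((s: unknown) => typeof s === "string")) return null;
    scope = rawScope as string[];
  }

  let expiresIn: number | undefined;
  const rawExpiry = obj.expires_in;
  if (rawExpiry !== undefined) {
    if (typeof rawExpiry !== "number" || !Number.isFinite(rawExpiry) || rawExpiry <= 0) return null;
    expiresIn = rawExpiry;
  }
  return { access_token: accessToken, scope, expires_in: expiresIn };
}

// The combined decision of both middlewares for one request.
function authorize(
  path: string,
  tokenInfoBody: string | null,
  publicEndpoints: string[],
  requiredScopes: string[]
): Decision {
  // Public endpoints are served without looking at the token at all.
  if (publicEndpoints.includes(path)) return { status: 200, scopes: [] };
  // null models a tokeninfo endpoint that rejected the token (or no token sent).
  const token = tokenInfoBody === null ? null : parseTokenInfo(tokenInfoBody);
  if (token === null) return { status: 401, reason: "invalid token" };
  // Every required scope must be present; report the missing ones for logging.
  const missing = requiredScopes.filter((s) => !token.scope.includes(s));
  if (missing.length > 0) return { status: 403, reason: `missing scopes: ${missing.join(", ")}` };
  return { status: 200, scopes: token.scope };
}

// Constructed tokeninfo response, shaped like the mockTokeninfoEndpoint example.
const SAMPLE_TOKENINFO = JSON.stringify({
  access_token: "someToken123",
  scope: ["uid", "something.read"],
  expires_in: 3600
});

const PUBLIC_ENDPOINTS = ["/heartbeat", "/status"];
console.log(authorize("/heartbeat", null, PUBLIC_ENDPOINTS, []));                              // status 200
console.log(authorize("/secured/route", null, PUBLIC_ENDPOINTS, ["something.read"]));           // status 401
console.log(authorize("/secured/route", SAMPLE_TOKENINFO, PUBLIC_ENDPOINTS, ["something.read"]));  // status 200
console.log(authorize("/secured/route", SAMPLE_TOKENINFO, PUBLIC_ENDPOINTS, ["something.write"])); // status 403
```

Keeping the decision separate from the transport makes the 401-versus-403 boundary easy to unit test: a request without a usable token never reaches the scope comparison, so a missing scope can never be reported for an unauthenticated caller.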
getTokenInfo

Makes a request to the tokenInfoEndpoint to validate the given accessToken.

```ts
getTokenInfo(tokenInfoEndpoint, accessToken)
.then((token: Token) => {
  console.log(token.access_token);
})
.catch((err) => {
  console.log(err);
});
```
Type Token is defined like:

```ts
interface Token {
  access_token: string;
  expires_in?: number;
  scope?: string[];
  token_type?: string;
  local_expiry?: number;
  [key: string]: {};
}
```
getAccessToken

Helper function to get an access token for the specified scopes.

```ts
getAccessToken(options)
.then((token: Token) => {
  console.log(token.access_token);
})
.catch((err) => {
  console.log(err);
});
```

options:

- credentialsDir: string
- grantType: string (AUTHORIZATION_CODE_GRANT | PASSWORD_CREDENTIALS_GRANT | REFRESH_TOKEN_GRANT)
- accessTokenEndpoint: string
- scopes: string optional
- queryParams: {} optional
- redirect_uri: string optional (required with AUTHORIZATION_CODE_GRANT)
- code: string optional (required with AUTHORIZATION_CODE_GRANT)
- refreshToken: string optional (required with REFRESH_TOKEN_GRANT)

AUTHORIZATION_CODE_GRANT

String constant specifying the Authorization Code Grant type.

PASSWORD_CREDENTIALS_GRANT

String constant specifying the Resource Owner Password Credentials Grant type.

REFRESH_TOKEN_GRANT

String constant specifying the Refresh Token Grant type.
Mock tooling

If you want to test OAuth locally without being able to actually call real endpoints this library provides some tooling.

mockTokeninfoEndpoint

Mocks a tokeninfo endpoint.

```ts
mockTokeninfoEndpoint({
  url: 'http://some.oauth.endpoint/tokeninfo',
  tokens: [{
    access_token: 'someToken123',
    scope: ['uid', 'something.read', 'something.write']
  }],
  times: 1
});
```

options:

- url: string (url of the tokeninfo endpoint)
- tokens: any optional (list of valid tokens)
- times: number optional (for how many times/calls the endpoint is mocked, default is Number.MAX_SAFE_INTEGER)

mockAccessTokenEndpoint

Mocks an access_token endpoint.
```ts
mockAccessTokenEndpoint({
  url: 'http://some.oauth.endpoint/access_token',
  times: 1
});
```

options:

- url: string (url of the access_token endpoint)
- times: number optional (for how many times/calls the endpoint is mocked, default is Number.MAX_SAFE_INTEGER)

cleanMock

Cleans all nock mocks (not only from this lib, really ALL) and given tokens. Helpful when having multiple tests in a test suite; you can call cleanMock() in the afterEach() callback, for example.

```ts
cleanMock();
```
Development

```sh
npm install
tsc
npm run tslint
```

Testing

- npm test - runs all tests
- npm run unit-test - runs unit tests
- npm run integration-test - runs integration tests

Changelog

2.0.0 - BREAKING

The (zalando-specific) realm property was removed from OAuthConfig. Also, the corresponding constants (SERVICES_REALM and EMPLOYEES_REALM) were removed. Instead, you can add the realm (and arbitrary other query parameters) via the queryParams property in OAuthConfig.

1.0.0 - BREAKING

The signature of requireScopesMiddleware is now incompatible with previous versions: precedenceFunction? is now part of precedenceOptions?.

License

MIT