node-oauth2-server
Complete, compliant and well tested module for implementing an OAuth2 Server/Provider with express in node.js
npm install oauth2-server
The module provides two middlewares, one for authorisation and routing and another for error handling; use them as you would any other middleware:
var express = require('express'),
    bodyParser = require('body-parser'),
    oauthserver = require('oauth2-server');

var app = express();

app.use(bodyParser.urlencoded({ extended: true }));
app.use(bodyParser.json());

app.oauth = oauthserver({
  model: {}, // See below for specification
  grants: ['password'],
  debug: true
});

app.all('/oauth/token', app.oauth.grant());

app.get('/', app.oauth.authorise(), function (req, res) {
  res.send('Secret area');
});

app.use(app.oauth.errorHandler());

app.listen(3000);
After running with node, visiting http://127.0.0.1:3000 should present you with a JSON response saying your access token could not be found.

Note: as no model was actually implemented here, delving any deeper, i.e. passing an access token, will just cause a server error. See below for the specification of what's required from the model.
Options:

- grants: array of the grant types you wish to support; currently the module supports password and refresh_token. Default: []
- debug: true/false or function; if true, errors will be logged to console. You may also pass a custom function, in which case that function will be called with the error as its first argument. Default: false
- accessTokenLifetime: life of access tokens in seconds; if null, tokens will be considered to never expire. Default: 3600
- refreshTokenLifetime: life of refresh tokens in seconds; if null, tokens will be considered to never expire. Default: 1209600
- authCodeLifetime: life of auth codes in seconds. Default: 30
- clientIdRegex: regex to sanity check client ids against before checking the model; the default just matches common client_id structures, change as needed. Default: /^[a-z0-9-_]{3,40}$/i
- continueAfterResponse: if true, next will be called even if a response has been sent (you probably don't want this).

The module requires a model object through which some aspects of storage, retrieval and custom validation are abstracted. The last parameter of all methods is a callback of which the first parameter is always used to indicate an error.
Note: see https://github.com/thomseddon/node-oauth2-server/tree/master/examples/postgresql for a full model example using postgres.
Model methods:

Always required
- getAccessToken: look up the provided bearer token and return the stored access token, or a falsy value for an invalid token. Its expires value may be null to indicate the token never expires. If a user key exists, this is saved as req.user; otherwise a userId key must exist, which is saved in req.user.id.
- getClient: look up the client by id and secret and return it, or a falsy value for an invalid client; it is saved as req.client and must carry the client id and, for the authorization_code grant type only, the redirect URI.
- grantTypeAllowed: report whether the client is allowed to use the requested grant type.
- saveAccessToken: persist a newly issued access token together with its client, expiry and user.

Required for the authorization_code grant type
- getAuthCode: look up an auth code and return it with its client, expiry and user.
- saveAuthCode: persist an auth code; the user argument is the user passed to the codeGrant function (see example).

Required for the password grant type
- getUser: look up the user by username and password and return it, or a falsy value for bad credentials; it is saved as req.user.

Required for the refresh_token grant type
- saveRefreshToken: persist a newly issued refresh token with its client, expiry and user.
- getRefreshToken: look up a refresh token and return it; its expires value may be null to indicate the token never expires.
- revokeRefreshToken: the spec does not actually require that you revoke the old token, hence this is optional (last paragraph: http://tools.ietf.org/html/rfc6749#section-6).

Required for the client_credentials grant type
- getUserFromClient: look up the user associated with the client credentials; it is saved as req.user.

Required for extension grants
- extendedGrant: handle a custom grant type (see below); the user it returns is saved as req.user.

Optional
- generateToken: supply your own token value; the first argument is the token type, accessToken or refreshToken.
You can support extension/custom grants by implementing the extendedGrant method as outlined above. Any grant type that is a valid URI will be passed to it for you to handle (as defined in the spec). You can access the grant type via the first argument, and you should pass back supported as false if you do not support it, to ensure a consistent (and compliant) response.
Example: password grant type

First you must insert a client id/secret and a user into storage; this is out of the scope of this example.

To obtain a token you should POST to /oauth/token. You should include your client credentials in the Authorization header ("Basic " + client_id:client_secret base64'd), and then grant_type ("password"), username and password in the request body, for example:
POST /oauth/token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=password&username=johndoe&password=A3ddj3w
This will then call the following on your model (in this order):
Provided there weren't any errors, this will return the following (excluding the refresh_token if you've not enabled the refresh_token grant type):
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
  "access_token":"2YotnFZFEjr1zCsicMWpAA",
  "token_type":"bearer",
  "expires_in":3600,
  "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA"
}
See: https://github.com/thomseddon/node-oauth2-server/blob/master/Changelog.md
Copyright (c) 2013 Thom Seddon
2.4.0
- Set Cache-Control and Pragma headers
- Allow any valid URI for extension grants
- Expose client to extendedGrant and after via req.oauth.client
- Fix express deprecation warning for res.send()
- Expose user to generateToken and after via req.user
- Fix lockdown pattern for express 3
- Add redis example
- Fix docs to use new express bodyParser module
- Fix docs for redirect_uri
- Clarify docs for clientIdRegex
- Fix docs for missing req argument in generateToken
- Fix docs for user/userId in getAccessToken
- Fix docs for argument order in getRefreshToken