Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
oauth2orize
Advanced tools
OAuth2orize is an authorization server toolkit for Node.js. It provides a suite of middleware that, combined with Passport authentication strategies and application-specific route handlers, can be used to assemble a server that implements the OAuth 2.0 protocol.
Advertisement
Node.js API Masterclass With Express & MongoDB
Create a real world backend for a bootcamp directory app
$ npm install oauth2orize
OAuth 2.0 defines an authorization framework, allowing an extensible set of authorization grants to be exchanged for access tokens. Implementations are free to choose what grant types to support, by using bundled middleware to support common types or plugins to support extension types.
Call createServer()
to create a new OAuth 2.0 server. This instance exposes
middleware that will be mounted in routes, as well as configuration options.
var server = oauth2orize.createServer();
A client must obtain permission from a user before it is issued an access token. This permission is known as a grant, the most common type of which is an authorization code.
server.grant(oauth2orize.grant.code(function(client, redirectURI, user, ares, done) {
var code = utils.uid(16);
var ac = new AuthorizationCode(code, client.id, redirectURI, user.id, ares.scope);
ac.save(function(err) {
if (err) { return done(err); }
return done(null, code);
});
}));
OAuth2orize also bundles support for implicit token grants.
After a client has obtained an authorization grant from the user, that grant can be exchanged for an access token.
server.exchange(oauth2orize.exchange.code(function(client, code, redirectURI, done) {
AuthorizationCode.findOne(code, function(err, code) {
if (err) { return done(err); }
if (client.id !== code.clientId) { return done(null, false); }
if (redirectURI !== code.redirectUri) { return done(null, false); }
var token = utils.uid(256);
var at = new AccessToken(token, code.userId, code.clientId, code.scope);
at.save(function(err) {
if (err) { return done(err); }
return done(null, token);
});
});
}));
OAuth2orize also bundles support for password and client credential grants. Additionally, bundled refresh token support allows expired access tokens to be renewed.
When a client requests authorization, it will redirect the user to an authorization endpoint. The server must authenticate the user and obtain their permission.
app.get('/dialog/authorize',
login.ensureLoggedIn(),
server.authorize(function(clientID, redirectURI, done) {
Clients.findOne(clientID, function(err, client) {
if (err) { return done(err); }
if (!client) { return done(null, false); }
if (client.redirectUri != redirectURI) { return done(null, false); }
return done(null, client, client.redirectURI);
});
}),
function(req, res) {
res.render('dialog', { transactionID: req.oauth2.transactionID,
user: req.user, client: req.oauth2.client });
});
In this example, connect-ensure-login
middleware is being used to make sure a user is authenticated before
authorization proceeds. At that point, the application renders a dialog
asking the user to grant access. The resulting form submission is processed
using decision
middleware.
app.post('/dialog/authorize/decision',
login.ensureLoggedIn(),
server.decision());
Based on the grant type requested by the client, the appropriate grant module registered above will be invoked to issue an authorization code.
Obtaining the user's authorization involves multiple request/response pairs. During this time, an OAuth 2.0 transaction will be serialized to the session. Client serialization functions are registered to customize this process, which will typically be as simple as serializing the client ID, and finding the client by ID when deserializing.
server.serializeClient(function(client, done) {
return done(null, client.id);
});
server.deserializeClient(function(id, done) {
Clients.findOne(id, function(err, client) {
if (err) { return done(err); }
return done(null, client);
});
});
Once a user has approved access, the authorization grant can be exchanged by the client for an access token.
app.post('/token',
passport.authenticate(['basic', 'oauth2-client-password'], { session: false }),
server.token(),
server.errorHandler());
Passport strategies are used to authenticate the client, in this case using either an HTTP Basic authentication header (as provided by passport-http) or client credentials in the request body (as provided by passport-oauth2-client-password).
Based on the grant type issued to the client, the appropriate exchange module
registered above will be invoked to issue an access token. If an error occurs,
errorHandler
middleware will format an error response.
Once an access token has been issued, a client will use it to make API requests on behalf of the user.
app.get('/api/userinfo',
passport.authenticate('bearer', { session: false }),
function(req, res) {
res.json(req.user);
});
In this example, bearer tokens are issued, which are then authenticated using an HTTP Bearer authentication header (as provided by passport-http-bearer)
This example demonstrates how to implement an OAuth service provider, complete with protected API access.
oauth2orize uses the debug module. You can enable debugging messages on the console by doing export DEBUG=oauth2orize
before running your application.
Copyright (c) 2012-2021 Jared Hanson <https://www.jaredhanson.me/>
[1.12.0] - 2023-10-13
extend
callback to grant.code
setup function, used to extend the
authorization response. Needed to support extensions such as OpenID Connect
Session Management 1.0.FAQs
OAuth 2.0 authorization server toolkit for Node.js.
The npm package oauth2orize receives a total of 106,129 weekly downloads. As such, oauth2orize popularity was classified as popular.
We found that oauth2orize demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.