Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More
Socket
Sign inDemoInstall
Socket

oauth4webapi

Package Overview
Dependencies
Maintainers
1
Versions
52
Alerts
File Explorer

Advanced tools

Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

oauth4webapi - npm Package Versions

23
6

3.1.3

Diff

Changelog

Source

3.1.3 (2024-11-15)

Refactor

  • more descriptive "not a conform" message (0295887)
panva
published 3.1.2 •

Changelog

Source

3.1.2 (2024-10-24)

Refactor

  • shake the supported function when not needed (c390093)
  • types: update indexable on MTLSEndpointAliases to be a string (a405c89)
panva
published 3.1.1 •

Changelog

Source

3.1.1 (2024-10-14)

Refactor

  • simpler consume of Request bodies (bcf0b86)
panva
published 3.1.0 •

Changelog

Source

3.1.0 (2024-10-14)

Features

  • add support for form_post Request instance in hybrid response mode validate response functions (5e22d9d)
panva
published 3.0.1 •

Changelog

Source

3.0.1 (2024-10-13)

Refactor

panva
published 3.0.0 •

Changelog

Source

3.0.0 (2024-10-07)

⚠ BREAKING CHANGES

  • build target is now ES2022
  • jweDecrypt is no longer an allowed symbol on the Client interface, it is instead an option passed to functions that may encounter encrypted assertions
  • specifying Ed448 curve for EdDSA is no longer supported, EdDSA is now just an alias for the fully-specified Ed25519 JWS algorithm
  • assertions signed with an Ed25519 CryptoKey will now use the Ed25519 JWS alg value instead of EdDSA. This can be reverted using the modifyAssertion symbol export
  • the audience of a Private Key JWT and Client Secret JWT client assertions is now just the issuer identifier
  • remove modifyAssertion from the PrivateKey interface
  • optional (non-repudiation) signature validation of ID Token JWS Signatures is now done the same way as JWT UserInfo and JWT Introspection is done, with a Response instance rather than a TokenEndpointResponse object
  • validateJwtIntrospectionSignature is now validateApplicationLevelSignature
  • validateJwtUserInfoSignature is now validateApplicationLevelSignature
  • validateIdTokenSignature is now validateApplicationLevelSignature
  • DPoP request options are now obtained by calling the DPoP() exported function. This returns a handle that also maintains its own LRU nonce caches
  • client authentication is now an explicit argument to authenticated functions
  • processAuthorizationCodeOpenIDResponse() method was removed in favour of processAuthorizationCodeResponse()
  • processAuthorizationCodeOAuth2Response() method was removed in favour of processAuthorizationCodeResponse()
  • All grant functions that execute against the Token Endpoint will now validate ID Token when there is one in the response. This has already been the behaviour of functions such as processRefreshTokenResponse() or processDeviceCodeResponse()
  • Presence of auth_time is now required in all ID Tokens if client.default_auth_time is set
  • encode client_secret_basic - _ . ! ~ * ' ( ) characters
  • remove all deprecated options
  • remove the useMtlsAlias symbol and options
  • all functions now reject interacting with non-TLS HTTP endpoints. You can use the allowInsecureRequests in the HttpRequestOptions interface to revert this behaviour.
  • removed the isOAuth2Error() helper, all functions that used to possibly return an OAuth2Error now reject with ResponseBodyError or AuthorizationResponseError instead
  • removed parseWwwAuthenticateChallenges(), all functions verify process Response now reject with WWWAuthenticateChallengeError instead
  • removed protectedResourceRequest() now rejects with WWWAuthenticateChallengeError when the Response has one

Features

  • add a counterpart process method to genericTokenEndpointRequest (848f3f6)
  • add a helper function for DPoP retry management (06493e3)
  • add support for client_secret_jwt (cf85fd6)
  • add support for code id_token response without FAPI 1.0 s_hash (eebb4f1)
  • add unified authorization code method (07d4ff9)
  • allow setting expected JWT algorithms in validateJwtAccessToken (8f20f91)

Fixes

  • encode client_secret_basic - _ . ! ~ * ' ( ) characters (cd5bbc1)
  • types: infer CryptoKey type for @types/node types' sake (d126f1f)

Documentation

  • add more examples (dcaf056)
  • export and document error codes (364cbd8)
  • hide the error constructors (a1cb7f8)
  • minor touch ups (fee6790)
  • re-generate API reference docs (c4a7f64)
  • update client auth method docs (ef8fe9f)
  • update examples due to changes (f24b39d)
  • update examples due to changes (fcd3c3e)
  • update groups, properties (329876a)
  • update inline examples (33ee2b0)
  • update README.md (0bd2e56)
  • update several examples and add descriptions to DAG (dd99b9a)

Refactor

  • add a source map, update pkg exports (0232cf2)
  • add causes and codes to "is not a conform" errors (a0b19c5)
  • add claim/attribute names to error reasons (fe11bdc)
  • add more error messages and update codes (038b44a)
  • add OperationProcessingError code and cause when wrong callback method is used (9d4c546)
  • added codes and reasons to as many errors as possible (bce81b4)
  • allow and document tls client auth methods (f0e7919)
  • better type for oauth.customFetch implementations, updated examples (a06efb5)
  • build target is now ES2022 (8af3e9f)
  • changed the default client authentication (4fe3f2c)
  • client authentication is now an explicit argument to authenticated functions (cefcf32)
  • future proof Ed25519 (ac0550d)
  • improve tree-shaking of JWT claims verification (60b7dcf)
  • jweDecrypt is now an option on the functions that support it (d7e8482)
  • keep all OAuthError properties (fce528e)
  • make DPoP implementation tree-shakeable (1fca2a3)
  • private_key_jwt audience is now only the issuer identifier (f388ba8)
  • push id token required claims straight to jwt validation (ec45b61)
  • reject requests to non-HTTPS endpoints by default (4829da6)
  • remove all deprecated options (137a547)
  • remove modifyAssertion from the PrivateKey interface (4d8b9e8)
  • remove the useMtlsAlias symbol and options (cd5ed0d)
  • remove the weird use of JWSAlgorithm type (970e3b6)
  • removed the parseWwwAuthenticateChallenges export (5fa774d)
  • resolve only successful responses (0f8bcc3)
  • unify validating endpoints and checking their protocols (e16254f)
  • update the CryptoKey workarounds without affecting docs (0d3b05a)
  • userInfoRequest should not reject www-authenticate (e373ec3)
  • validating ID Token signatures is now done with a Response (d71bc2c)
panva
published 2.17.0 •

Changelog

Source

2.17.0 (2024-09-22)

Features

  • support client use_mtls_endpoint_aliases metadata (60c9df4)

Documentation

  • fix calculatePKCECodeChallenge description (ac014f2)

Refactor

  • deprecate the useMtlsAlias symbol and options (d2b7cb0)
  • use as Type for type assertions instead of <Type> (a0ccf56)
panva
published 2.16.0 •

Changelog

Source

2.16.0 (2024-09-16)

Features

  • add a hook for decrypting JWE assertions (62795a6)
  • allow to modify issued JWT headers and payloads before signing (30931ba)

Documentation

  • update docs on useMtlsAlias (006db55)
panva
published 2.15.0 •

Changelog

Source

2.15.0 (2024-09-15)

Features

  • support generic token endpoint grant requests (2f454b5)
panva
published 2.14.0 •

Changelog

Source

2.14.0 (2024-09-15)

Features

  • add non-repudiation signature validation methods (0916de2)

Documentation

  • update JSDoc to use more link syntax (d78f090)
  • update various comments and documentation (9c3f1ed)
23
6
SocketSocket SOC 2 Logo

Product

  • Package Alerts
  • Integrations
  • Docs
  • Pricing
  • FAQ
  • Roadmap
  • Changelog

Packages

npm

Stay in touch

Get open source security insights delivered straight into your inbox.


  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc