passport-http-2legged-oauth
Advanced tools
HTTP OAuth 2-legged (even called 0-legged) authentication strategy for Passport.
This oauth strategy is used for a 2-legged scenario (even called 0-legged). Its a consumer to server authentication where each request is signed as defined in oauth but an empty access_token is used. No user data is exposed, as it is the consumer that has access to the protected resource.
It works as https://github.com/jaredhanson/passport-http-oauth but skips the access_token verification step and accepts empty access_tokens.
The cose base is 98% https://github.com/jaredhanson/passport-http-oauth but adapted for the 2-legged scenario. So thanks jaredhanson for all work!.
To see how it works, you can run the example. Its quite easy to set up:
First install all needed dependecies for this example:
npm install express passport passport-http-2legged-oauth
Now create a file called server.js with the following:
var express = require('express');
var app = express();
var passport = require('passport');
var twoLeggedStrategy = require('passport-http-2legged-oauth').Strategy;
Initialize passport and start the http server
// This is standard passport
app.use(passport.initialize());
// And here we start the http server
app.listen(1337);
Now we add a public route and a private route
// We add a route that is open
app.get("/", function(req, res) {
res.setHeader("content-type", "text/html");
res.send("Hi. Try <a href='/private'>/private</a> for a private endpoint.");
});
// And we add a secure route. Add the security and that we arent using any sessions (no point in 2-legged)
app.get("/private", [passport.authenticate('oauth', {session: false}), function(req, res) {
res.send({secret: true});
}]);
Define a list of apps with keys and secrets. This would normaly be saved in a database, but for the sake of simplicity, we just have an object in this example
var appList = {
"111111": {
secret: "xxx"
}
};
Register our two legged strategy with passport with the two callbacks needed. One for checking if we can find the correct user/app by key The other to check if the timestamp is ok, ie the request isnt too old
passport.use(new twoLeggedStrategy(checkAppKey, checkTimestampAndNonce));
// A function to find the app by key. If we find it, we return the secret used to
// check if the request is valid
function findApp(key, next) {
var consumer = appList[key];
if (consumer) {
next(null, {secret: consumer.secret});
} else {
next(true);
}
}
// Check if the key is valid and get the secret
function checkAppKey(consumerKey, done) {
findApp(consumerKey, function(err, consumer) {
if (err) { return done(err); }
if (!consumer) { return done(null, false); }
console.log("Found an app with the suplied key '%s'", consumerKey);
return done(null, consumer, consumer.secret);
});
}
// Check if the timestamp is ok (and nonce, but we dont check nonce in this example)
function checkTimestampAndNonce(timestamp, nonce, app, req, done) {
var timeDelta = Math.round((new Date()).getTime() / 1000) - timestamp;
// Here we check if the request is too old.. If its too old, return false
if (timeDelta >= 10) {
done(null, false);
}
else {
done(null, true);
}
}
Install oauth first
npm install oauth
Then create a file called client.js
Get the required module for oauth
var oauth = require("oauth");
Define the key and secret for your app
var key = "111111";
var secret = "xxx";
Create the oauth client. Set null for the first two arguments since we dont have endpoints for getting tokens etc (for 3-legged)
var request = new oauth.OAuth(null, null, key, secret, '1.0', null, 'HMAC-SHA1');
And now do the actuall request to the private endpoint
request.get("http://localhost:1337/private", null, null, function(err, data, res) {
if (err) {
console.error("Err", err);
} else {
console.log("Success", data);
}
});
If everything goes well, you should get a success message! You can download the complete sourcecode for this example in the /example folder
FAQs
HTTP OAuth 2-legged (even called 0-legged) authentication strategy for Passport.
The npm package passport-http-2legged-oauth receives a total of 3 weekly downloads. As such, passport-http-2legged-oauth popularity was classified as not popular.
We found that passport-http-2legged-oauth demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Ransomware negotiators share how modern cybercriminals operate like corporations, using specialized teams, negotiation tactics, and reputation management.
Security News
PyPI confirms no security flaws were exploited in the Ultralytics supply chain attack and highlights improvements for safer package publishing.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.