passport-http-oauth
HTTP OAuth authentication strategy for Passport.
This module lets you authenticate HTTP requests using the authorization scheme defined by the OAuth 1.0 protocol. OAuth is typically used to protect API endpoints, including the endpoints defined by the OAuth protocol itself as well as other endpoints exposed by the server.
By plugging into Passport, OAuth API authentication can be easily and unobtrusively integrated into any application or framework that supports Connect-style middleware, including Express.
Note that this strategy provides support for implementing OAuth as a service provider. If your application is implementing OAuth as a client for delegated authentication (for example, using Facebook or Twitter), please see Passport-OAuth for the appropriate strategy.
```
$ npm install passport-http-oauth
```
The OAuth consumer authentication strategy authenticates consumers based on a consumer key and secret (and optionally a temporary request token and secret). The strategy requires a `consumer` callback, a `token` callback, and a `validate` callback. The secrets supplied by the `consumer` and `token` callbacks are used to compute a signature, and authentication fails if it does not match the request signature. The `consumer` supplied by the `consumer` callback is the authenticating entity of this strategy, and will be set by Passport at `req.user`.
```js
passport.use('consumer', new ConsumerStrategy(
  // consumer callback: look up the consumer by key and return its secret
  function(consumerKey, done) {
    Consumer.findByKey({ key: consumerKey }, function (err, consumer) {
      if (err) { return done(err); }
      if (!consumer) { return done(null, false); }
      return done(null, consumer, consumer.secret);
    });
  },
  // token callback: look up the temporary request token and return its secret
  function(requestToken, done) {
    RequestToken.findOne(requestToken, function (err, token) {
      if (err) { return done(err); }
      if (!token) { return done(null, false); }
      // third argument is optional info. typically used to pass
      // details needed to authorize the request (ex: `verifier`)
      return done(null, token.secret, { verifier: token.verifier });
    });
  },
  // validate callback: reject stale timestamps and replayed nonces
  function(timestamp, nonce, done) {
    // validate the timestamp and nonce as necessary
    done(null, true);
  }
));
```
Use `passport.authenticate()`, specifying the `'consumer'` strategy, to authenticate requests. This strategy is intended for use in the request token and access token API endpoints, so the `session` option can be set to `false`.
For example, as route middleware in an Express application:
```js
app.post('/access_token',
  passport.authenticate('consumer', { session: false }),
  oauthorize.accessToken(
    // ...
  ));
```
The OAuth token authentication strategy authenticates users based on an access token issued to a consumer. The strategy requires a `consumer` callback, a `verify` callback, and a `validate` callback. The secrets supplied by the `consumer` and `verify` callbacks are used to compute a signature, and authentication fails if it does not match the request signature. The `user` supplied by the `verify` callback is the authenticating entity of this strategy, and will be set by Passport at `req.user`.
```js
passport.use('token', new TokenStrategy(
  // consumer callback: look up the consumer by key and return its secret
  function(consumerKey, done) {
    Consumer.findByKey({ key: consumerKey }, function (err, consumer) {
      if (err) { return done(err); }
      if (!consumer) { return done(null, false); }
      return done(null, consumer, consumer.secret);
    });
  },
  // verify callback: resolve the access token to its user and return the token secret
  function(accessToken, done) {
    AccessToken.findOne(accessToken, function (err, token) {
      if (err) { return done(err); }
      if (!token) { return done(null, false); }
      Users.findOne(token.userId, function(err, user) {
        if (err) { return done(err); }
        if (!user) { return done(null, false); }
        // fourth argument is optional info. typically used to pass
        // details needed to authorize the request (ex: `scope`)
        return done(null, user, token.secret, { scope: token.scope });
      });
    });
  },
  // validate callback: reject stale timestamps and replayed nonces
  function(timestamp, nonce, done) {
    // validate the timestamp and nonce as necessary
    done(null, true);
  }
));
```
Use `passport.authenticate()`, specifying the `'token'` strategy, to authenticate requests. This strategy is intended for use in protected API endpoints, so the `session` option can be set to `false`.
For example, as route middleware in an Express application:
```js
app.get('/api/userinfo',
  passport.authenticate('token', { session: false }),
  function(req, res) {
    res.json(req.user);
  });
```
OAuthorize is a toolkit for implementing OAuth service providers. It bundles a suite of middleware implementing the request token, access token, and user authorization endpoints of the OAuth 1.0 protocol.

This middleware, combined with the `ConsumerStrategy` and a user authentication strategy, can be used to implement the complete OAuth flow, issuing access tokens to consumers. `TokenStrategy` can then be used to protect API endpoints using the access tokens issued.

The example included with OAuthorize demonstrates how to implement a complete OAuth service provider. `ConsumerStrategy` is used to authenticate clients as they request tokens from the request token and access token endpoints. `TokenStrategy` is used to authenticate users and clients making requests to API endpoints.
```
$ npm install --dev
$ make test
```
Copyright (c) 2012-2013 Jared Hanson <http://jaredhanson.net/>
FAQs
HTTP OAuth authentication strategy for Passport.
The npm package passport-http-oauth receives a total of 238 weekly downloads. As such, passport-http-oauth popularity was classified as not popular.
We found that passport-http-oauth demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.