passport-oauth2-refresh
A passport.js add-on to provide automatic OAuth 2.0 token refreshing.
An add-on to the Passport authentication library to provide a simple way to refresh your OAuth 2.0 access tokens.
    npm install passport-oauth2-refresh
When setting up your passport strategies, add a call to refresh.use() after passport.use().
An example, using the Facebook strategy:
    const passport = require('passport');
    const refresh = require('passport-oauth2-refresh');
    const FacebookStrategy = require('passport-facebook').Strategy;

    const strategy = new FacebookStrategy({
        clientID: FACEBOOK_APP_ID,
        clientSecret: FACEBOOK_APP_SECRET,
        callbackURL: "http://www.example.com/auth/facebook/callback"
      },
      function(accessToken, refreshToken, profile, done) {
        // Make sure you store the refreshToken somewhere!
        User.findOrCreate(..., function(err, user) {
          if (err) { return done(err); }
          done(null, user);
        });
      });

    passport.use(strategy);
    refresh.use(strategy);
When you need to refresh the access token, call requestNewAccessToken():
    const refresh = require('passport-oauth2-refresh');

    refresh.requestNewAccessToken(
      'facebook',
      'some_refresh_token',
      function (err, accessToken, refreshToken) {
        // You have a new access token, store it in the user object,
        // or use it to make a new request.
        // `refreshToken` may or may not exist, depending on the strategy you are using.
        // You probably don't need it anyway, as according to the OAuth 2.0 spec,
        // it should be the same as the initial refresh token.
      },
    );
Instead of using the default strategy.name, you can set up passport-oauth2-refresh to use a specific name instead.
    // Setup
    passport.use('gmail', googleStrategy);

    // To refresh
    refresh.requestNewAccessToken('gmail', 'some_refresh_token', done);
This can be useful if you'd like to reuse strategy objects but under a different name.
Most passport strategies that use OAuth 2.0 should work without any additional configuration. Some strategies, however, require custom OAuth configuration, or do not expose an oauth2 adapter for internal use. In these cases, a callback can be specified by calling the use function with an extra options parameter:
    const { OAuth2 } = require('oauth');

    refresh.use(strategy, {
      setRefreshOAuth2() {
        return new OAuth2(/* custom oauth config */);
      },
    });
The setRefreshOAuth2 callback should return an instance of the node-oauth OAuth2 class.
The callback is called with two named parameters, which can be used to further customise the OAuth2 adapter:
    // Any http.Agent works here; https-proxy-agent is assumed for the proxy example,
    // and `agentUrl` is the proxy URL you supply.
    const { HttpsProxyAgent } = require('https-proxy-agent');

    refresh.use(strategy, {
      setRefreshOAuth2({ strategyOAuth2, refreshOAuth2 }) {
        // These named parameters are set for most strategies.
        // The `refreshOAuth2` instance is a clone of the one supplied by the strategy, inheriting most of its config.
        // Customise it here and return if necessary.
        // For example, to set a proxy:
        refreshOAuth2.setAgent(new HttpsProxyAgent(agentUrl));
        return refreshOAuth2;
      },
    });
Some endpoints require additional parameters to be sent when requesting a new access token. To send these parameters, specify the parameters when calling requestNewAccessToken as follows:
    const extraParams = { some: 'extra_param' };
    refresh.requestNewAccessToken('gmail', 'some_refresh_token', extraParams, done);
Projects that need multiple instances of Passport can construct them using the Passport constructor available on the passport module. Similarly, this module provides an AuthTokenRefresh constructor that can be used instead of the single instance provided by default.
    const { Passport } = require('passport');
    const { AuthTokenRefresh } = require('passport-oauth2-refresh');

    const passport = new Passport();
    const refresh = new AuthTokenRefresh();
    // Additional, distinct instances of these modules can also be created
Passport is a library which doesn't deal in implementation-specific details. From the author:
Passport is a library for authenticating requests, and only that. It is not going to get involved in anything that is specific to OAuth, or any other authorization protocol.
Fair enough. Hence, this add-on was born as a way to help deal with refreshing OAuth 2.0 tokens.
It is particularly useful when dealing with Google's OAuth 2.0 implementation, which expires access tokens after 1 hour.
License: MIT