node-oauth / express-oauth-server

This project forked from oauthjs/express-oauth-server

🔒 Complete, compliant and well tested module for implementing an OAuth2 Server/Provider with express in node.js

Home Page: https://www.npmjs.com/package/@node-oauth/express-oauth-server

License: MIT License

JavaScript 100.00%
authorization-code-grant client-credentials-grant express express-js express-middleware node nodejs npm-package oauth oauth2 password-grant token-grant

express-oauth-server's People

Contributors

ancamcheachta, daannijkamp, dependabot[bot], dirkcuys, dylantmarsh, euskadi31, fabianfett, happyzombies, jankapunkt, maxtruxa, mjsalinger, nunofgs, shrihari-prakash, typingduck, wilcobakker

express-oauth-server's Issues

Remove express as a dependency

I must've just missed this, but there's no reason to include express as a dependency. Sure people will use it for express, but by removing express we reduce our dependency map on our side

Create CI

We need GitHub actions to run our CI on push/pr

Examples are out of date

Hi,

I'm in the process of trying to use the in-memory model in the examples folder to get going but in my TypeScript project I have several errors relating to missing functions. I suspect that this also may apply to the other examples too.

e.g. verifyScope()

Can you confirm?

John

Update dependencies

We need to update the deps of this one and release a version that passes npm audit

getClient always leading to HTTP-401

Hi all,

to be honest: I don't know if I am missing something from the big picture, if I do something wrong or if something is broken. Currently we have a home-brewed single-sign-on solution running which works fine but is not an industrial standard. That's why we plan moving to OAuth2. I am currently in a very early prototyping phase to find my way into OAuth2 and see what could be done and how.

I started a small plain JS prototype project using express-oauth-server and followed the Documentation, the examples (also the additional example at https://github.com/14gasher/oauth-example as well as the original documentation at https://node-oauthoauth2-server.readthedocs.io/en/latest/model/spec.htm

Testing is done by a quickly setup Grafana-Docker-Container which has been configured to authorize via OAuth2.

[auth.generic_oauth]
enabled = true
name = OAuth
client_id = GrafanaDemo
client_secret = some_secret
scopes = user:email,read:org
auth_url = http://dev-vm:3001/login/oauth/authorize
token_url = http://dev-vm:3001/login/oauth/access_token
api_url = http://dev-vm:3001/user

Now when logging in my small prototype gets invoked. Specifically the model-function getClient(). That function is implemented with no real logic:

getClient : (clientId, clientSecret) => {
    console.log(`getClient(${clientId}, ${clientSecret})`);
    return new Promise((resolve, reject) => {
        let client = {
            id: clientId,
            clientId: clientId,
            clientSecret: clientSecret,
            grants: [
                "authorization_code",
                "refresh_token"
            ],
            redirectUris: [
                "http://dev-vm:3000/login/generic_oauth" // Grafana redirect
            ]
        };
        resolve(client);
    });
}

However, this renders an empty, dead page in the browser. Examining the call by using curl I get a HTTP-401 and no further redirect etc:

*   Trying 127.0.1.1:3001...
* Connected to dev-vm (127.0.1.1) port 3001 (#0)
> GET /login/oauth/authorize?client_id=GrafanaDemo&redirect_uri=http%3A%2F%2Fdev-vm%3A3000%2Flogin%2Fgeneric_oauth&response_type=code&scope=user%3Aemail+read%3Aorg&state=zUFDlXkJUTCSaeqipcRm9HlviQ_iZ9075WjlAIFZ2ws%3D HTTP/1.1
> Host: dev-vm:3001
> User-Agent: curl/7.81.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 401 Unauthorized
< X-Powered-By: Express
< www-authenticate: Bearer realm="Service"
< Date: Tue, 10 Oct 2023 08:24:14 GMT
< Connection: keep-alive
< Keep-Alive: timeout=5
< Content-Length: 0
< 
* Connection #0 to host dev-vm left intact

What am I doing wrong or am I missing something?

Additional Info:
I implemented

  • getClient()
  • saveAuthorizationCode()
  • getAccessToken()
  • getAuthorizationCode()
  • generateAuthorizationCode()
  • verifyScope()
  • getUser()
  • getUserFromClient()
  • generateAccessToken()
    just to see if any other functions would be called (they don't). Also I debugged in @node-oauth/express-oauth-server and its dependency @node-oauth/oauth2-server to see what causes this error. I do not see anything fail inside.

Additional Info 2 (oh dear, it's been a long time since I filed a bug report):
Node: 18.17.1
Direct Dependencies:

  • @node-oauth/express-oauth-server 3.0.1
  • body-parser 1.20.2
  • express 4.18.2

Errors problems with @node-oauth/express-oauth-server and @node-oauth/oauth2-server version 5

After the recent update to the @node-oauth/oauth2-server package to version 5.0.x, there is a bug related to error evaluation.

The main issue arises when an error is thrown from @node-oauth/express-oauth-server, which still uses @node-oauth/oauth2-server version 4.3.0. Due to this version discrepancy, the error instances from the older version do not match those from the new version 5.0.x, leading to compatibility issues.

Just pointing out the issue as there is already a PR which updates the version of @node-oauth/oauth2-server to the latest one.
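
The mismatch reported above, as an added example that is not part of the original report or the project's code. It assumes the error handler classifies errors by class identity (`instanceof`); `loadErrorClasses`, `statusByInstanceof` and `statusByShape` are hypothetical names, and the two "copies" are constructed stand-ins for the same package installed at two versions.

```javascript
// Constructed stand-in: each call models one installed copy of the package,
// loaded from its own node_modules path and therefore defining its own classes.
function loadErrorClasses(version) {
  class OAuthError extends Error {
    constructor(message, code) {
      super(message);
      this.name = this.constructor.name;
      this.code = code;
    }
  }
  class UnauthorizedRequestError extends OAuthError {
    constructor(message) { super(message, 401); }
  }
  return { version, OAuthError, UnauthorizedRequestError };
}

const wrapperCopy = loadErrorClasses('4.3.0'); // copy resolved by the express wrapper
const appCopy = loadErrorClasses('5.0.x');     // copy resolved by the application

// Hypothetical handler that maps errors to HTTP status by class identity.
function statusByInstanceof(err, lib) {
  if (err instanceof lib.UnauthorizedRequestError) return 401;
  if (err instanceof lib.OAuthError) return err.code;
  return 500; // not recognised: reported as an internal error
}

// Hypothetical handler that reads the error's own fields instead, so the
// result does not depend on which copy constructed the object.
function statusByShape(err) {
  const httpCode = Number.isInteger(err.code) && err.code >= 400 && err.code < 600;
  if (err instanceof Error && /Error$/.test(String(err.name)) && httpCode) return err.code;
  return 500;
}

function demo() {
  const err = new wrapperCopy.UnauthorizedRequestError('no authentication given');
  return {
    sameCopy: statusByInstanceof(err, wrapperCopy), // class from the same copy
    crossCopy: statusByInstanceof(err, appCopy),    // class from the other copy
    byShape: statusByShape(err),
  };
}

console.log(demo());
```

Running `npm ls @node-oauth/oauth2-server` in the application shows whether two copies are installed; resolving both packages to a single copy removes the mismatch without changing any handler.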

Include types for the package

For the express-oauth-server counterpart from oauthjs, there are types specified in DefinitelyTyped: https://github.com/DefinitelyTyped/DefinitelyTyped/blob/master/types/express-oauth-server/index.d.ts

However for this project, there is nothing of that sort. It would be good to include the typings file from DefinitelyTyped and point to it in package.json. Right now, when I import the package on TypeScript projects, it would complain that there are no types associated:
