zalando-incubator / authmosphere
A library to support OAuth2 workflows in JavaScript projects
License: MIT License
...or default to an empty array.
Decide on what type of documentation we want to use:
Explain how to use the tooling to protect endpoints with oAuth scopes.
For example update node-uuid to uuid to get rid of the warning on npm install.
The indexer defined on the token type currently lacks type information, as in #81 the return type was explicitly set to any.
In sum, there are two problems present with the current solution:
any
instead of is-a req: express.Request
Currently, there is no way to add query parameters to a server request.
However, there are multiple use-cases:
REALM parameter). Therefore, the OAuth config object (used in https://github.com/zalando-incubator/lib-oauth-tooling/blob/d222a021d20b2440d3662f0249dd1057fb50c23e/src/oauth-tooling.ts#L155) should be extended by a property queryParameters which accepts a HashMap of key value pairs which will be added to server requests.
Linting is currently not working correctly due to wrong glob expansion.
to show License tab
For example, if the authorization header is not set we do not even have to try to call an endpoint, instead fail early (see oauth-tooling.ts).
Furthermore, validation of config in getAccessToken should not just throw but reject the returned promise (see oauth-tooling.ts).
Do some cleanup and increase code coverage
For example the Token type can be improved, instead of:
    interface Token {
      access_token: string;
      expires_in: number;
      scope: string;
      token_type: string;
    }
we should use something like:
    interface Token {
      access_token: string
      expires_in?: number
      scope?: string
      token_type?: string
      [key: string]: {}
    }
since we do not know what properties are exactly set on the tokens in different implementations. Furthermore, the Token type should be exported by the library. For the types Token and Tokeninfo we should check again whether it is necessary to have two types or if one (which is then more generic) is enough.
Currently we depend on [email protected]:graviton/graviton-typings.git, we should change this...
Planned offline meeting about merge topic in CW 26.
See https://tools.ietf.org/html/rfc6749#section-1.5 and https://tools.ietf.org/html/rfc6749#section-6
Example request:
    curl -X POST \
      -d scope="uid cn" \
      -d grant_type=refresh_token \
      -d refresh_token=2165465e-XXXXXX \
      -u 'stups_greendale-auth-demo_2ff5c86e-a8a2-4f54-84a1-077d73dbe1b4' \
      https://auth.zalando.com/z/oauth2/access_token?realm=employees
Response:
    {
      "scope": "uid cn",
      "expires_in": 3599,
      "token_type": "Bearer",
      "access_token": "cb56610f-XXXXX"
    }
In the documentation under oauthConfig, the config values should be entered using strings, for example 'PASSWORD_CREDENTIALS_GRANT' for grant type. Expected from the lib are not strings but constants, like PASSWORD_CREDENTIALS_GRANT = 'password'. So in order to enter a working configuration, the constants have to be entered, or a 'password' string. There should be a description on how to import and use the constants.
Add
    "publishConfig": {
      "registry": "https://registry.npmjs.org/"
    },
to package.json to make sure that the public registry is used when publishing the package.
We consume different services and access_tokens via the 'tokenCache' implementation.
Therefore we used this construct in different places and several times:
    function getAccessToken() {
      return tokenCache.get("specific_key")
        .then(tokeninfo => tokeninfo.access_token);
    }
Our solution is to provide a factory which can be consumed to access a specific key:
    function accessTokenFactory(key: string): () => Promise<string> {
      return function () {
        return tokenCache
          .get(key)
          .then(tokenInfo => tokenInfo.access_token);
      };
    }
Maybe this function could be handy in the library as well.
Instead add mocha, ts-node, typings and typescript to the devDependencies.
In projects having [email protected] and this lib (which uses [email protected]) as dependency a npm bug (npm/npm#10727) causes problems when running npm install twice.
https://github.com/zalando-incubator/lib-oauth-tooling/blob/master/src/express-tooling.ts#L40
    precedenceFunction(req, res, next)
      .then(result => {
        if (result) {
          next();
        } else {
          validateScopes(req, res, next, scopes);
        }
      });
If precedenceFunction throws an error this is not handled well.
There should be a catch clause that executes an error handler that is passed in from the calling function.
This handler would allow the application to answer with a 500 or 403 or whatever is intended.
I suggest to change the API:
    interface IPrecedenceFunction {
      (req: any, res: any, next: Function): Promise<boolean>;
    }
    interface IPrecedenceOptions {
      precedenceFunction: IPrecedenceFunction,
      precedenceErrorHandler: Function
    }
    function requireScopesMiddleware(scopes: string[],
                                     precedenceOptions?: IPrecedenceOptions) {
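The behaviour the issue asks for, as an added example that is not authmosphere's own code: a requireScopesMiddleware whose precedence step is wrapped so that a rejected promise, or a synchronous throw inside the precedence function, is routed to a caller-supplied precedenceErrorHandler. Without that catch the request neither passes nor reaches the scope check and simply hangs; with it the application decides the response (here a 500, failing closed). The Request, Response and NextFunction interfaces are minimal stand-ins for the Express types, and validateScopes, the scopes array on req, fakeResponse and runRequest are assumptions made for this example.

```typescript
// Added example (not authmosphere's code). Minimal stand-ins for Express types:
type NextFunction = (err?: unknown) => void;
interface Request {
  scopes?: string[];                             // assumption: scopes granted to the caller
  headers: Record<string, string | undefined>;
  [key: string]: any;
}
interface Response {
  statusCode: number;
  body?: unknown;
  status(code: number): Response;
  send(body?: unknown): Response;
}

interface IPrecedenceFunction {
  (req: Request, res: Response, next: NextFunction): Promise<boolean>;
}
interface IPrecedenceErrorHandler {
  (err: unknown, req: Request, res: Response, next: NextFunction): void;
}
interface IPrecedenceOptions {
  precedenceFunction: IPrecedenceFunction;
  precedenceErrorHandler: IPrecedenceErrorHandler;
}

// Plain scope check: every required scope must be present on the request.
function validateScopes(req: Request, res: Response, next: NextFunction, scopes: string[]): void {
  const granted = req.scopes ?? [];
  const missing = scopes.filter((s) => granted.indexOf(s) === -1);
  if (missing.length === 0) {
    next();
  } else {
    res.status(403).send({ error: 'insufficient_scope', missing });
  }
}

function requireScopesMiddleware(scopes: string[], precedenceOptions?: IPrecedenceOptions) {
  return function (req: Request, res: Response, next: NextFunction): Promise<void> {
    if (!precedenceOptions) {
      validateScopes(req, res, next, scopes);
      return Promise.resolve();
    }
    const { precedenceFunction, precedenceErrorHandler } = precedenceOptions;
    // Starting from Promise.resolve() turns a synchronous throw inside
    // precedenceFunction into a rejection, so one catch covers both cases.
    return Promise.resolve()
      .then(() => precedenceFunction(req, res, next))
      .then((result) => {
        if (result) {
          next();                                  // precedence rule satisfied: skip scope check
        } else {
          validateScopes(req, res, next, scopes);  // fall back to the normal scope check
        }
      })
      .catch((err) => precedenceErrorHandler(err, req, res, next));
  };
}

// Constructed fake response so the example runs without Express.
function fakeResponse(): Response {
  const res: Response = {
    statusCode: 200,
    status(code) { res.statusCode = code; return res; },
    send(body) { res.body = body; return res; },
  };
  return res;
}

// Runs the middleware once and reports which path it took.
async function runRequest(
  scopes: string[],
  req: Request,
  options?: IPrecedenceOptions
): Promise<{ nextCalled: boolean; status: number }> {
  let nextCalled = false;
  const res = fakeResponse();
  await requireScopesMiddleware(scopes, options)(req, res, () => { nextCalled = true; });
  return { nextCalled, status: res.statusCode };
}

// Example error handler: fail closed with a 500 rather than letting the request hang.
const failClosed: IPrecedenceErrorHandler = (err, _req, res) => {
  res.status(500).send({ error: 'precedence_check_failed', detail: String(err) });
};
```

A precedence function that looks something up (a user record, a feature flag) can fail for reasons unrelated to the caller's permissions; the handler is where the application chooses between 500 (internal failure) and 403 (treat an unanswerable check as denied), and in either case the scope check is never silently skipped.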
Use
    interface Token {
      access_token: string;
      expires_in?: number;
      scope?: string[];
      token_type?: string;
      local_expiry?: number;
      [key: string]: any; // <= instead of [key: string]: {};
    }
to fix type errors with strict typescript configurations.
In the TokenCache we currently refresh tokens based on a hardcoded threshold: https://github.com/zalando-incubator/lib-oauth-tooling/blob/master/src/TokenCache.ts#L8, used in https://github.com/zalando-incubator/lib-oauth-tooling/blob/master/src/TokenCache.ts#L96
To be more resilient we should refresh tokens based on the percentage of their lifetime, for example when 50% of the expiration time is met. We should default this value to 50% and provide an option to be able to parameterise this value.
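The percentage-based refresh rule from this issue worked through as an added example (not authmosphere's TokenCache): the refresh deadline is computed from expires_in and the time the token was received, a token without a usable expires_in is treated as already stale, and the percentage is an option defaulting to 50. The Token interface is the one proposed above; PercentageTokenCache, the fetcher callback, the injectable clock and the fetched_at field it stores on the token are assumptions of this example.

```typescript
// Added example (not authmosphere's code).
interface Token {
  access_token: string;
  expires_in?: number;        // seconds, as returned by the token endpoint
  scope?: string[];
  token_type?: string;
  local_expiry?: number;      // absolute ms timestamp computed locally
  [key: string]: any;         // providers add fields we do not model
}

// Absolute time (ms) after which the token should be refreshed: once
// refreshPercent of its lifetime has elapsed since we received it.
function refreshDeadline(token: Token, fetchedAtMs: number, refreshPercent: number): number {
  if (refreshPercent <= 0 || refreshPercent > 100) {
    throw new Error(`refreshPercent must be in (0, 100], got ${refreshPercent}`);
  }
  // No usable expires_in: treat the token as stale immediately rather than
  // keep using something whose remaining lifetime we cannot reason about.
  if (typeof token.expires_in !== 'number' || token.expires_in <= 0) {
    return fetchedAtMs;
  }
  const lifetimeMs = token.expires_in * 1000;
  return fetchedAtMs + Math.floor(lifetimeMs * (refreshPercent / 100));
}

function needsRefresh(token: Token, fetchedAtMs: number, nowMs: number, refreshPercent: number): boolean {
  return nowMs >= refreshDeadline(token, fetchedAtMs, refreshPercent);
}

type TokenFetcher = (key: string) => Promise<Token>;   // assumption: does the actual token request

class PercentageTokenCache {
  private readonly tokens: Record<string, Token> = {};
  private readonly fetcher: TokenFetcher;
  private readonly clock: () => number;
  private readonly refreshPercent: number;

  constructor(fetcher: TokenFetcher, options: { refreshPercent?: number } = {}, clock: () => number = Date.now) {
    this.fetcher = fetcher;
    this.clock = clock;
    this.refreshPercent = options.refreshPercent ?? 50;   // default proposed in the issue
  }

  async get(key: string): Promise<Token> {
    const cached = this.tokens[key];
    if (cached && !needsRefresh(cached, cached.fetched_at, this.clock(), this.refreshPercent)) {
      return cached;
    }
    const fresh = await this.fetcher(key);
    const fetchedAt = this.clock();
    const stored: Token = {
      ...fresh,
      fetched_at: fetchedAt,                                            // assumption: stored for later checks
      local_expiry: refreshDeadline(fresh, fetchedAt, this.refreshPercent),
    };
    this.tokens[key] = stored;
    return stored;
  }
}
```

Refreshing at a fraction of the lifetime scales with whatever the server hands out: a fixed number of seconds is too aggressive for short-lived tokens and leaves long-lived ones to be used almost until the last moment, when clock drift between client and server can turn a "valid" token into a 401 on the next call.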
Type definitions serve multiple purposes. On one side, they help the compiler to determine choices depending on context and enrich the development workflow.
On the other side, they provide documentation for possible consumers and readers.
In terms of #15 and #30, I would like to suggest to enrich the project with valuable type information to promote the usage of this library.
Something like
    requireScopesMiddleware(scopes: string[], precedenceFunction: Function) {
where precedenceFunction, when returning true, will overwrite the normal scope check.
--> This would allow to check for optional scopes that are only allowed when another condition is met.
PR will follow.
...to test, lint, publish to npm and create a tag in git.
Currently, this lib can only be used with the Zalando OAuth server since a REALM is accepted in the OAuth config (used in https://github.com/zalando-incubator/lib-oauth-tooling/blob/d222a021d20b2440d3662f0249dd1057fb50c23e/src/oauth-tooling.ts#L155 and https://github.com/zalando-incubator/lib-oauth-tooling/blob/d222a021d20b2440d3662f0249dd1057fb50c23e/src/TokenCache.ts#L44).
It should be removed from the config. For Zalando internal use one should use the queryParameter option proposed in #39
@graviton/... packages cannot be consumed outside Zalando, get rid of them.
Currently you can only pass (user or client) credentials implicitly via the credentialsDir option in the OAuthConfig type. However it may be necessary sometimes to pass such information explicitly via a string. Furthermore, not for all grant types are both pieces of information mandatory.
This ticket may be related to #110 depending on the concrete solution.
See the current validation of OAuthConfig: https://github.com/zalando-incubator/authmosphere/blob/master/src/oauth-tooling.ts#L185 resp. https://github.com/zalando-incubator/authmosphere/blob/master/src/utils.ts#L143
See the current solution of reading in the credentials: https://github.com/zalando-incubator/authmosphere/blob/master/src/oauth-tooling.ts#L187
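An added example (not authmosphere's code) covering this issue together with the earlier point that validation in getAccessToken should reject the returned promise instead of throwing: an OAuthConfig that accepts credentials either through credentialsDir or explicitly, a per-grant-type table of what is mandatory, a validator that returns the list of problems, and a getAccessToken that turns a non-empty list into a rejected promise before any network call. The OAuthConfig shape, the three grant-type constants, REQUIREMENTS and the injected fetchToken callback (standing in for the HTTP request) are assumptions of this example.

```typescript
// Added example (not authmosphere's code).
const PASSWORD_CREDENTIALS_GRANT = 'password';
const CLIENT_CREDENTIALS_GRANT = 'client_credentials';
const REFRESH_TOKEN_GRANT = 'refresh_token';
type GrantType = 'password' | 'client_credentials' | 'refresh_token';

interface ClientCredentials { client_id: string; client_secret: string }
interface UserCredentials { application_username: string; application_password: string }

interface OAuthConfig {
  grantType: GrantType;
  accessTokenEndpoint: string;
  scopes?: string[];
  credentialsDir?: string;                  // existing implicit way: files in a directory
  clientCredentials?: ClientCredentials;    // proposed explicit alternative (assumption)
  userCredentials?: UserCredentials;        // proposed explicit alternative (assumption)
  refreshToken?: string;
  queryParameters?: Record<string, string>; // e.g. { realm: 'employees' }
}

// Which pieces of information each grant type needs from the caller (assumption
// for this example; mirrors RFC 6749 sections 4.3, 4.4 and 6).
const REQUIREMENTS: Record<GrantType, { client: boolean; user: boolean; refresh: boolean }> = {
  password:           { client: true, user: true,  refresh: false },
  client_credentials: { client: true, user: false, refresh: false },
  refresh_token:      { client: true, user: false, refresh: true },
};

// Returns every problem found; an empty list means the config is usable.
function validateOAuthConfig(config: OAuthConfig): string[] {
  const errors: string[] = [];
  const required = REQUIREMENTS[config.grantType];
  if (!required) {
    errors.push(`unknown grantType '${config.grantType}'`);
    return errors;
  }
  if (!config.accessTokenEndpoint) {
    errors.push('accessTokenEndpoint is required');
  }
  const hasDir = typeof config.credentialsDir === 'string' && config.credentialsDir.length > 0;
  if (required.client && !hasDir && !config.clientCredentials) {
    errors.push('client credentials required: set credentialsDir or clientCredentials');
  }
  if (required.user && !hasDir && !config.userCredentials) {
    errors.push('user credentials required: set credentialsDir or userCredentials');
  }
  if (required.refresh && !config.refreshToken) {
    errors.push('refreshToken is required for the refresh_token grant');
  }
  return errors;
}

// Fail early, but as a rejection: callers then handle configuration errors and
// transport errors through the same .catch / try-await path.
function getAccessToken(
  config: OAuthConfig,
  fetchToken: (c: OAuthConfig) => Promise<string>   // assumption: performs the token request
): Promise<string> {
  const errors = validateOAuthConfig(config);
  if (errors.length > 0) {
    return Promise.reject(new Error(`invalid OAuthConfig: ${errors.join('; ')}`));
  }
  return fetchToken(config);
}
```

Returning the full list of problems rather than stopping at the first one keeps misconfiguration diagnosable in one round, and because nothing is sent before validation passes, a half-configured client never reaches the token endpoint with partial credentials.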