Merge branch 'v4.3.0-dev' into 89_11_565

Author: jankapunkt

.github/workflows/codeql-analysis.yml

@@ -14,6 +14,7 @@ name: "CodeQL Semantic Analysis"
 on:
   push: # all pushes
   pull_request: # all PR
+    types: [review_requested, ready_for_review] # only non-draft PR
   schedule:
     - cron: '0 2 * * *' # every night at 2am
 

.github/workflows/tests-release.yml

@@ -0,0 +1,151 @@
+name: Tests for Release
+
+on:
+  push:
+    branches:
+      - release-* # all release-<version> branches
+  pull_request:
+    # only non-draft PR and when there are "pushes" to the open PR
+    types: [review_requested, ready_for_review, synchronize]
+    branches:
+      - release-* # all release-<version> branches
+
+
+jobs:
+  # STEP 1 - NPM Audit
+
+  # Before we even test a thing we want to have a clean audit! Since this is
+  # sufficient to be done using the lowest node version, we can easily use
+  # a fixed one:
+
+  audit:
+    name: NPM Audit
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v2
+    - uses: actions/setup-node@v2
+      with:
+        node-version: '14'
+    # install to create local package-lock.json but don't cache the files
+    # also: no audit for dev dependencies
+    - run: npm i --package-lock-only  && npm audit --production
+
+  # STEP 2 - basic unit tests
+
+  # This is the standard unit tests as we do in the basic tests for every PR
+  unittest:
+    name: Basic unit tests
+    runs-on: ubuntu-latest
+    needs: [audit]
+    strategy:
+      matrix:
+        node: [14, 16, 18]
+    steps:
+    - name: Checkout ${{ matrix.node }}
+      uses: actions/checkout@v2
+
+    - name: Setup node ${{ matrix.node }}
+      uses: actions/setup-node@v2
+      with:
+        node-version: ${{ matrix.node }}
+
+    - name: Cache dependencies ${{ matrix.node }}
+      uses: actions/cache@v1
+      with:
+        path: ~/.npm
+        key: ${{ runner.os }}-node-${{ matrix.node }}-${{ hashFiles('**/package-lock.json') }}
+        restore-keys: |
+          ${{ runner.os }}-node-${{ matrix.node }}
+
+    # for this workflow we also require npm audit to pass
+    - run: npm i
+    - run: npm run test:coverage
+
+    # with the following action we enforce PRs to have a high coverage
+    # and ensure, changes are tested well enough so that coverage won't fail
+    - name: check coverage
+      uses: VeryGoodOpenSource/very_good_coverage@v1.2.0
+      with:
+        path: './coverage/lcov.info'
+        min_coverage: 95
+
+  # STEP 3 - Integration tests
+
+  # Since our release may affect several packages that depend on it we need to
+  # cover the closest ones, like adapters and examples.
+
+  integrationtests:
+    name: Extended integration tests
+    runs-on: ubuntu-latest
+    needs: [unittest]
+    strategy:
+      matrix:
+        node: [14, 16, 18] # TODO get running for node 16
+    steps:
+    # checkout this repo
+    - name: Checkout ${{ matrix.node }}
+      uses: actions/checkout@v2
+
+    # checkout express-adapter repo
+    - name: Checkout express-adapter ${{ matrix.node }}
+      uses: actions/checkout@v2
+      with:
+        repository:  node-oauth/express-oauth-server
+        path: github/testing/express
+
+    - name: Setup node ${{ matrix.node }}
+      uses: actions/setup-node@v2
+      with:
+        node-version: ${{ matrix.node }}
+
+    - name: Cache dependencies ${{ matrix.node }}
+      uses: actions/cache@v1
+      with:
+        path: ~/.npm
+        key: ${{ runner.os }}-node-${{ matrix.node }}-node-oauth/express-oauth-server-${{ hashFiles('github/testing/express/**/package-lock.json') }}
+        restore-keys: |
+          ${{ runner.os }}-node-${{ matrix.node }}-node-oauth/express-oauth-server
+
+    # in order to test the adapter we need to use the current checkout
+    # and install it as local dependency
+    # we just cloned and install it as local dependency
+    - run: |
+        cd github/testing/express
+        npm i
+        npm install ../../../
+        npm run test
+
+    # todo repeat with other adapters
+
+  publish-npm-dry:
+    runs-on: ubuntu-latest
+    needs: [integrationtests]
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-node@v2
+        with:
+          node-version: 14
+          registry-url: https://registry.npmjs.org/
+      - run: npm i
+      - run: npm publish --dry-run
+        env:
+          NODE_AUTH_TOKEN: ${{secrets.npm_token}}
+
+  publish-github-dry:
+    needs: [integrationtests]
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+    - uses: actions/checkout@v2
+    - uses: actions/setup-node@v2
+      with:
+        # we always publish targeting the lowest supported node version
+        node-version: 14
+        registry-url: $registry-url(npm)
+    - run: npm i
+    - run: npm publish --dry-run
+      env:
+        NODE_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}}

.github/workflows/tests.yml

@@ -1,47 +1,24 @@
-name: Test suite
+name: Tests
+
+# This workflow runs standard unit tests to ensure basic integrity and avoid
+# regressions on pull-requests (and pushes)
 
 on:
   push:
     branches:
-      - master # allthough  master is push protected we still keep it
+      - master    # allthough  master is push protected we still keep it
       - development
-  pull_request: # runs on all PR
+  pull_request:   # runs on all PR
+    branches-ignore:
+      - release-* # on release we run an extended workflow so no need for this
 
 jobs:
-  # ----------------------------------
-  # uncomment when a linter is added
-  # ----------------------------------
-  
-  # lintjs:
-  #   name: Javascript lint
-  #   runs-on: ubuntu-latest
-  #   steps:
-  #   - name: checkout
-  #     uses: actions/checkout@v2
-  # 
-  #   - name: setup node
-  #     uses: actions/setup-node@v1
-  #     with:
-  #       node-version: '12.x'
-  # 
-  #   - name: cache dependencies
-  #     uses: actions/cache@v1
-  #     with:
-  #       path: ~/.npm
-  #       key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
-  #       restore-keys: |
-  #         ${{ runner.os }}-node-
-  #   - run: npm ci
-  #   - run: npm run lint
-
   unittest:
     name: unit tests
     runs-on: ubuntu-latest
-    # uncomment when a linter is added
-    # needs: [lintjs]
     strategy:
       matrix:
-        node: [12, 14, 16]
+        node: [14, 16, 18]
     steps:
     - name: Checkout ${{ matrix.node }}
       uses: actions/checkout@v2
@@ -58,18 +35,13 @@ jobs:
         key: ${{ runner.os }}-node-${{ matrix.node }}-${{ hashFiles('**/package-lock.json') }}
         restore-keys: |
           ${{ runner.os }}-node-${{ matrix.node }}
-    - run: npm ci
+    - run: npm i
     - run: npm run test:coverage
 
-    # ----------------------------------
-    # uncomment when a linter is added
-    # ----------------------------------
-  
-    # - name: check coverage
-    #   uses: devmasx/coverage-check-action@v1.2.0
-    #   with:
-    #     type: lcov
-    #     result_path: coverage/lcov.info
-    #     min_coverage: 90
-    #     token: ${{github.token}}
-    
+    # with the following action we enforce PRs to have a high coverage
+    # and ensure, changes are tested well enough so that coverage won't fail
+    - name: check coverage
+      uses: VeryGoodOpenSource/very_good_coverage@v1.2.0
+      with:
+        path: './coverage/lcov.info'
+        min_coverage: 95

.gitignore

@@ -39,3 +39,6 @@ tramp
 # coverage
 coverage
 .nyc_output
+
+package-lock.json
+yarn.lock

.npmignore

@@ -1 +1,3 @@
 test/
+package-lock.json
+yarn.lock

.npmrc

@@ -0,0 +1 @@
+package-lock=false

CHANGELOG.md

@@ -1,5 +1,39 @@
 ## Changelog
 
+## 4.2.0
+### Fixed
+- fix(core): Bearer regular expression matching in authenticate handler #105
+- fix(request): set WWW-Authenticate header for invalid requests #96 oauthjs#646
+- fix(handler): deny access when body.allowed is 'false' (#94)
+- fix(handlers): skip varcheck for state when allowEmptyState #89 #93
+
+### Added
+- supported custom validateRedirectUri
+- feature: Supported state in case of denialMerge #99
+- Bearer regular expression matching in authenticate handler
+- docs: Update extension-grants.rst with example #92
+- feature(core): extract is.js into standalone package @node-oauth/formats #55
+- feature(authorize): allow custom implementations of validateRedirectUri via model #89 p.4
+  - support custom validateRedirectUri()
+  - allow to implement model.validateRedirectUri
+  - updated AuthorizeHandler
+  - default conforms with RFC 6819 Section-5.2.3.5
+
+### Tests
+- Integration test password grant (#100)
+    * test example
+    * created db & model factories
+    * added refresh_token grant type test
+    * removed failing test, not implemented feature
+    * add reference to issue
+    * client authentication test
+    * random client credentials in test
+    * replace math.random by crypto.randomBytes
+
+### CI
+- refactor(ci): remove unused ci workflow
+- fix(ci): use node-oauth/express-oauth-server for integration test
+
 ## 4.1.1
 
 ### Added

docs/misc/extension-grants.rst

@@ -2,7 +2,51 @@
  Extension Grants
 ==================
 
-.. todo:: Describe how to implement extension grants.
+Create a subclass of ``AbstractGrantType`` and create methods `handle` and `saveToken` along with other required methods according to your needs:
+
+.. code-block:: js
+
+  const OAuth2Server = require('oauth2-server');
+  const AbstractGrantType = OAuth2Server.AbstractGrantType;
+  const InvalidArgumentError = OAuth2Server.InvalidArgumentError;
+  const InvalidRequestError = OAuth2Server.InvalidRequestError;
+
+  class MyCustomGrantType extends AbstractGrantType {
+      constructor(opts) {
+          super(opts);
+      }
+
+      async handle(request, client) {
+          if (!request) throw new InvalidArgumentError('Missing `request`');
+          if (!client) throw new InvalidArgumentError('Missing `client`');
+
+          let scope = this.getScope(request);
+          let user = await this.getUserBySomething(request);
+
+          return this.saveToken(user, client, scope);
+      }
+
+      async saveToken(user, client, scope) {
+          this.validateScope(user, client, scope);
+
+          let token = {
+              accessToken: await this.generateAccessToken(client, user, scope),
+              accessTokenExpiresAt: this.getAccessTokenExpiresAt(),
+              refreshToken: await this.generateRefreshToken(client, user, scope),
+              refreshTokenExpiresAt: this.getRefreshTokenExpiresAt(),
+              scope: scope
+          };
+
+          return this.model.saveToken(token, client, user);
+      }
+
+      async getUserBySomething(request) {
+          //Get user's data by corresponding data (FB User ID, Google, etc.), etc.
+      }
+  }
+
+  module.exports = MyCustomGrantType;
 
 Extension grants are registered through :ref:`OAuth2Server#token() <OAuth2Server#token>` (``options.extendedGrantTypes``).
 
+This might require you to approve the new ``grant_type`` for a particular ``client`` if you do checks on valid grant types.

lib/grant-types/refresh-token-grant-type.js

@@ -101,7 +101,7 @@ RefreshTokenGrantType.prototype.getRefreshToken = function(request, client) {
       }
 
       if (token.client.id !== client.id) {
-        throw new InvalidGrantError('Invalid grant: refresh token is invalid');
+        throw new InvalidGrantError('Invalid grant: refresh token was issued to another client');
       }
 
       if (token.refreshTokenExpiresAt && !(token.refreshTokenExpiresAt instanceof Date)) {
@@ -130,7 +130,7 @@ RefreshTokenGrantType.prototype.revokeToken = function(token) {
   return promisify(this.model.revokeToken, 1).call(this.model, token)
     .then(function(status) {
       if (!status) {
-        throw new InvalidGrantError('Invalid grant: refresh token is invalid');
+        throw new InvalidGrantError('Invalid grant: refresh token is invalid or could not be revoked');
       }
 
       return token;

lib/handlers/authenticate-handler.js

@@ -90,6 +90,12 @@ AuthenticateHandler.prototype.handle = function(request, response) {
       // @see https://tools.ietf.org/html/rfc6750#section-3.1
       if (e instanceof UnauthorizedRequestError) {
         response.set('WWW-Authenticate', 'Bearer realm="Service"');
+      } else if (e instanceof InvalidRequestError) {
+        response.set('WWW-Authenticate', 'Bearer realm="Service",error="invalid_request"');
+      } else if (e instanceof InvalidTokenError) {
+        response.set('WWW-Authenticate', 'Bearer realm="Service",error="invalid_token"');
+      } else if (e instanceof InsufficientScopeError) {
+        response.set('WWW-Authenticate', 'Bearer realm="Service",error="insufficient_scope"');
       }
 
       if (!(e instanceof OAuthError)) {
@@ -140,7 +146,7 @@ AuthenticateHandler.prototype.getTokenFromRequest = function(request) {
 
 AuthenticateHandler.prototype.getTokenFromRequestHeader = function(request) {
   const token = request.get('Authorization');
-  const matches = token.match(/Bearer\s(\S+)/);
+  const matches = token.match(/^Bearer\s(\S+)/);
 
   if (!matches) {
     throw new InvalidRequestError('Invalid request: malformed authorization header');