Release 5.0.0

.github/workflows/tests-release.yml

@@ -113,7 +113,7 @@ jobs:
  - run: |
  cd github/testing/express
  npm i
- npm install ../../../
+ npm install https://github.com/node-oauth/node-oauth2-server.git#${{ github.ref_name }}
  npm run test
 
  # todo repeat with other adapters

CHANGELOG.md

@@ -7,6 +7,7 @@
 - drop support for Node 14 (EOL), setting Node 16 as `engine` in `package.json`
 - this is a breaking change, because **it removes callback support** for
  `OAuthServer` and your model implementation.
+- fixed missing await in calling generateAuthorizationCode in AuthorizeHandler
 
 ## 4.2.0
 ### Fixed

index.d.ts

@@ -1,4 +1,4 @@
-// Type definitions for Node OAuth2 Server 4.0
+// Type definitions for Node OAuth2 Server 5.0
 // Definitions by: Robbie Van Gorkom <https://github.com/vangorra>,
 // Charles Irick <https://github.com/cirick>,
 // Daniel Fischer <https://github.com/d-fischer>,
@@ -23,8 +23,7 @@ declare class OAuth2Server {
  authenticate(
  request: OAuth2Server.Request,
  response: OAuth2Server.Response,
- options?: OAuth2Server.AuthenticateOptions,
- callback?: OAuth2Server.Callback<OAuth2Server.Token>
+ options?: OAuth2Server.AuthenticateOptions
  ): Promise<OAuth2Server.Token>;
 
  /**
@@ -33,8 +32,7 @@ declare class OAuth2Server {
  authorize(
  request: OAuth2Server.Request,
  response: OAuth2Server.Response,
- options?: OAuth2Server.AuthorizeOptions,
- callback?: OAuth2Server.Callback<OAuth2Server.AuthorizationCode>
+ options?: OAuth2Server.AuthorizeOptions
  ): Promise<OAuth2Server.AuthorizationCode>;
 
  /**
@@ -43,8 +41,7 @@ declare class OAuth2Server {
  token(
  request: OAuth2Server.Request,
  response: OAuth2Server.Response,
- options?: OAuth2Server.TokenOptions,
- callback?: OAuth2Server.Callback<OAuth2Server.Token>
+ options?: OAuth2Server.TokenOptions
  ): Promise<OAuth2Server.Token>;
 }
 
@@ -238,11 +235,6 @@ declare namespace OAuth2Server {
  extendedGrantTypes?: { [key: string]: typeof AbstractGrantType } | undefined;
  }
 
- /**
- * Represents a generic callback structure for model callbacks
- */
- type Callback<T> = (err?: any, result?: T) => void;
-
  /**
  * For returning falsey parameters in cases of failure
  */
@@ -253,53 +245,53 @@ declare namespace OAuth2Server {
  * Invoked to generate a new access token.
  *
  */
- generateAccessToken?(client: Client, user: User, scope: string | string[], callback?: Callback<string>): Promise<string>;
+ generateAccessToken?(client: Client, user: User, scope: string | string[]): Promise<string>;
 
  /**
  * Invoked to retrieve a client using a client id or a client id/client secret combination, depending on the grant type.
  *
  */
- getClient(clientId: string, clientSecret: string, callback?: Callback<Client | Falsey>): Promise<Client | Falsey>;
+ getClient(clientId: string, clientSecret: string): Promise<Client | Falsey>;
 
  /**
  * Invoked to save an access token and optionally a refresh token, depending on the grant type.
  *
  */
- saveToken(token: Token, client: Client, user: User, callback?: Callback<Token>): Promise<Token | Falsey>;
+ saveToken(token: Token, client: Client, user: User): Promise<Token | Falsey>;
  }
 
  interface RequestAuthenticationModel {
  /**
  * Invoked to retrieve an existing access token previously saved through Model#saveToken().
  *
  */
- getAccessToken(accessToken: string, callback?: Callback<Token>): Promise<Token | Falsey>;
+ getAccessToken(accessToken: string): Promise<Token | Falsey>;
 
  /**
  * Invoked during request authentication to check if the provided access token was authorized the requested scopes.
  *
  */
- verifyScope(token: Token, scope: string | string[], callback?: Callback<boolean>): Promise<boolean>;
+ verifyScope(token: Token, scope: string | string[]): Promise<boolean>;
  }
 
  interface AuthorizationCodeModel extends BaseModel, RequestAuthenticationModel {
  /**
  * Invoked to generate a new refresh token.
  *
  */
- generateRefreshToken?(client: Client, user: User, scope: string | string[], callback?: Callback<string>): Promise<string>;
+ generateRefreshToken?(client: Client, user: User, scope: string | string[]): Promise<string>;
 
  /**
  * Invoked to generate a new authorization code.
  *
  */
- generateAuthorizationCode?(client: Client, user: User, scope: string | string[], callback?: Callback<string>): Promise<string>;
+ generateAuthorizationCode?(client: Client, user: User, scope: string | string[]): Promise<string>;
 
  /**
  * Invoked to retrieve an existing authorization code previously saved through Model#saveAuthorizationCode().
  *
  */
- getAuthorizationCode(authorizationCode: string, callback?: Callback<AuthorizationCode>): Promise<AuthorizationCode | Falsey>;
+ getAuthorizationCode(authorizationCode: string): Promise<AuthorizationCode | Falsey>;
 
  /**
  * Invoked to save an authorization code.
@@ -308,20 +300,20 @@ declare namespace OAuth2Server {
  saveAuthorizationCode(
  code: Pick<AuthorizationCode, 'authorizationCode' | 'expiresAt' | 'redirectUri' | 'scope' | 'codeChallenge' | 'codeChallengeMethod'>,
  client: Client,
- user: User,
-  callback?: Callback<AuthorizationCode>): Promise<AuthorizationCode | Falsey>;
+ user: User
+ ): Promise<AuthorizationCode | Falsey>;
 
  /**
  * Invoked to revoke an authorization code.
  *
  */
- revokeAuthorizationCode(code: AuthorizationCode, callback?: Callback<boolean>): Promise<boolean>;
+ revokeAuthorizationCode(code: AuthorizationCode): Promise<boolean>;
 
  /**
  * Invoked to check if the requested scope is valid for a particular client/user combination.
  *
  */
- validateScope?(user: User, client: Client, scope: string | string[], callback?: Callback<string | Falsey>): Promise<string | string[] | Falsey>;
+ validateScope?(user: User, client: Client, scope: string | string[]): Promise<string | string[] | Falsey>;
 
  /**
  * Invoked to check if the provided `redirectUri` is valid for a particular `client`.
@@ -335,53 +327,53 @@ declare namespace OAuth2Server {
  * Invoked to generate a new refresh token.
  *
  */
- generateRefreshToken?(client: Client, user: User, scope: string | string[], callback?: Callback<string>): Promise<string>;
+ generateRefreshToken?(client: Client, user: User, scope: string | string[]): Promise<string>;
 
  /**
  * Invoked to retrieve a user using a username/password combination.
  *
  */
- getUser(username: string, password: string, callback?: Callback<User | Falsey>): Promise<User | Falsey>;
+ getUser(username: string, password: string): Promise<User | Falsey>;
 
  /**
  * Invoked to check if the requested scope is valid for a particular client/user combination.
  *
  */
- validateScope?(user: User, client: Client, scope: string | string[], callback?: Callback<string | Falsey>): Promise<string | string[] | Falsey>;
+ validateScope?(user: User, client: Client, scope: string | string[]): Promise<string | string[] | Falsey>;
  }
 
  interface RefreshTokenModel extends BaseModel, RequestAuthenticationModel {
  /**
  * Invoked to generate a new refresh token.
  *
  */
- generateRefreshToken?(client: Client, user: User, scope: string | string[], callback?: Callback<string>): Promise<string>;
+ generateRefreshToken?(client: Client, user: User, scope: string | string[]): Promise<string>;
 
  /**
  * Invoked to retrieve an existing refresh token previously saved through Model#saveToken().
  *
  */
- getRefreshToken(refreshToken: string, callback?: Callback<RefreshToken>): Promise<RefreshToken | Falsey>;
+ getRefreshToken(refreshToken: string): Promise<RefreshToken | Falsey>;
 
  /**
  * Invoked to revoke a refresh token.
  *
  */
- revokeToken(token: RefreshToken | Token, callback?: Callback<boolean>): Promise<boolean>;
+ revokeToken(token: RefreshToken | Token): Promise<boolean>;
  }
 
  interface ClientCredentialsModel extends BaseModel, RequestAuthenticationModel {
  /**
  * Invoked to retrieve the user associated with the specified client.
  *
  */
- getUserFromClient(client: Client, callback?: Callback<User | Falsey>): Promise<User | Falsey>;
+ getUserFromClient(client: Client): Promise<User | Falsey>;
 
  /**
  * Invoked to check if the requested scope is valid for a particular client/user combination.
  *
  */
- validateScope?(user: User, client: Client, scope: string | string[], callback?: Callback<string | Falsey>): Promise<string | string[] | Falsey>;
+ validateScope?(user: User, client: Client, scope: string | string[]): Promise<string | string[] | Falsey>;
  }
 
  interface ExtensionModel extends BaseModel, RequestAuthenticationModel {}

lib/handlers/authorize-handler.js

@@ -93,7 +93,7 @@ AuthorizeHandler.prototype.handle = async function(request, response) {
 
  const requestedScope = this.getScope(request);
  const validScope = await this.validateScope(user, client, requestedScope);
- const authorizationCode = this.generateAuthorizationCode(client, user, validScope);
+ const authorizationCode = await this.generateAuthorizationCode(client, user, validScope);
 
  const ResponseType = this.getResponseType(request);
  const codeChallenge = this.getCodeChallenge(request);
@@ -369,7 +369,7 @@ AuthorizeHandler.prototype.updateResponse = function(response, redirectUri, stat
 };
 
 AuthorizeHandler.prototype.getCodeChallenge = function(request) {
- return request.body.code_challenge;
+ return request.body.code_challenge || request.query.code_challenge;
 };
 
 /**
@@ -380,7 +380,7 @@ AuthorizeHandler.prototype.getCodeChallenge = function(request) {
  * (see https://www.rfc-editor.org/rfc/rfc7636#section-4.4)
  */
 AuthorizeHandler.prototype.getCodeChallengeMethod = function(request) {
- const algorithm = request.body.code_challenge_method;
+ const algorithm = request.body.code_challenge_method || request.query.code_challenge_method;
 
  if (algorithm && !pkce.isValidMethod(algorithm)) {
  throw new InvalidRequestError(`Invalid request: transform algorithm '${algorithm}' not supported`);

package.json

@@ -1,7 +1,7 @@
 {
  "name": "@node-oauth/oauth2-server",
  "description": "Complete, framework-agnostic, compliant and well tested module for implementing an OAuth2 Server in node.js",
- "version": "4.3.0",
+ "version": "5.0.0-rc.1",
  "keywords": [
  "oauth",
  "oauth2"

test/integration/handlers/authorize-handler_test.js

@@ -563,8 +563,9 @@ describe('AuthorizeHandler integration', function() {
  getClient: function() {
  return client;
  },
- saveAuthorizationCode: function() {
- return { authorizationCode: 12345, client: client };
+ generateAuthorizationCode: async () => 'some-code',
+ saveAuthorizationCode: async function(code) {
+ return { authorizationCode: code.authorizationCode, client: client };
  }
  };
  const handler = new AuthorizeHandler({ authorizationCodeLifetime: 120, model: model });
@@ -586,7 +587,7 @@ describe('AuthorizeHandler integration', function() {
  return handler.handle(request, response)
  .then(function(data) {
  data.should.eql({
- authorizationCode: 12345,
+ authorizationCode: 'some-code',
  client: client
  });
  })