oauth-provider
A very simple OAuth server on top of Express that uses MongoDB for data storage. The module is designed to work with minimal setup and configuration. It is mostly used for quickly setting up APIs for mobile applications and CMS web apps.
app.js
var express = require('express');
var mongoose = require('mongoose');
var oauthServer = require('oauth-provider');
var app = express();
// The database connection must exist before the module is called
// (the connection string is a placeholder: replace it with your own).
var mongoConnection = mongoose.connect('mongodb://localhost/oauth-example');
var oauth = oauthServer({
  mongoConnection: mongoConnection,
  tokenExpirationMinutes: 60,   // default value
  cors: true,                   // allow cross-domain calls (boolean assumed)
  // client types and scopes below are illustrative; see Documentation
  clients: [{
    type: 'mobile',
    client_credentials: { scopes: ['public'] },
    password: { scopes: ['user', function (user) { return user.roles[0]; }] }
  }]
});
// define token endpoint (path is illustrative)
app.post('/token', oauth.token);
// what routes to authorize
app.use('/api', oauth.authorization);
api_route.js
var express = require('express');
var oauth = require('oauth-provider');
var router = express.Router();
// only tokens carrying the 'admin' scope reach this handler (route path and scope are illustrative)
router.get('/admin', oauth.authorize(['admin']), function (req, res) {
  res.json({ ok: true });
});
module.exports = router;
Documentation
mongoConnection - The connection object returned by mongoose.connect.
tokenExpirationMinutes - Sets the token expiration interval. Default value is 60 minutes.
cors - Allows the API to be called cross domain.
clients - Defines what types of clients will consume the API.
type - string. Can contain any value as long as it matches the type stored on the documents in the applications collection of the MongoDB database.
client_credentials - object. Tells the API that the application type supports the client_credentials grant type.
- scopes - array. Accepts string and function items.
- string - the scope that will be used for filtering requests to certain endpoints, as in the api_route.js example. Can take any value.
- function - takes the application database document as a parameter and should return a string representing a scope. This is for creating custom scopes depending on whatever variables you define on the application document.
password - object. Tells the API that the application type supports the password grant type.
- scopes - array. Accepts string and function items.
- string - the scope that will be used for filtering requests to certain endpoints, as in the api_route.js example. Can take any value.
- function - takes the user database document as a parameter and should return a string representing a scope. This is for creating custom scopes depending on whatever variables you define on that document.
return - object
The oauth call returns an object with the following methods:
- authorization - function. Express middleware used to secure access to certain routes. In the app.js example it secures all the /api routes.
- token - function. Express middleware used to obtain tokens.
- createUser - function (user: String, pass: String, roles: Array, data: Object, callback: function(err, data)). Registers a new user and handles the salt and hash. The data object can take any custom properties; you can use them from the config in your app file by supplying a function instead of a string scope.
- registerClient - function (name: String, key: String, secret: String, type: String, platform: String, data: Object, dev_token: Object{scopes: Array}, callback: function(err, data)). Registers a new client app to consume the API. The data object can take any custom properties; you can use them from the config in your app file by supplying a function instead of a string scope.
static properties - object
- authorize - function (scopes: Array). Express middleware for further restricting requests by scope.
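The scope model described under clients and authorize above, as an added example that is not code from the oauth-provider module: a clients configuration mixing string and function scope items is resolved against a user or application document into the scope list a token would carry, and a route guard in the spirit of authorize(scopes) then compares that list with what an endpoint requires. The client type, scope names, document fields (roles, data.premium) and the any-match rule for the guard are assumptions.

```javascript
// Added example, not part of the oauth-provider module. Client types, scope
// names and the document fields used here (roles, data.premium) are assumed.
const clients = [
  {
    type: 'mobile', // must match the type stored on the application document
    client_credentials: { scopes: ['public'] },
    password: {
      scopes: [
        'user', // static scope: every password-grant token gets it
        // function scopes are computed from the user document at token time
        (user) => (user.roles.includes('admin') ? 'admin' : ''),
        (user) => (user.data && user.data.premium ? 'premium' : ''),
      ],
    },
  },
];

// Resolve the scope list for one client type and grant type against a
// document. String items are taken as-is; function items receive the
// document, and an empty return value grants nothing.
function resolveScopes(clientsConfig, clientType, grantType, doc) {
  const client = clientsConfig.find((c) => c.type === clientType);
  if (!client || !client[grantType]) {
    return []; // unknown client type, or grant type not enabled for it
  }
  const scopes = [];
  for (const item of client[grantType].scopes) {
    const scope = typeof item === 'function' ? item(doc) : item;
    if (typeof scope === 'string' && scope !== '' && !scopes.includes(scope)) {
      scopes.push(scope);
    }
  }
  return scopes;
}

// Route guard check in the spirit of authorize(scopes): the request passes
// when the token carries at least one of the required scopes (assumed rule).
function hasRequiredScope(tokenScopes, requiredScopes) {
  return requiredScopes.some((s) => tokenScopes.includes(s));
}

// Constructed sample user documents.
const adminUser = { username: 'alice', roles: ['admin'], data: { premium: false } };
const basicUser = { username: 'bob', roles: [], data: { premium: true } };

console.log(resolveScopes(clients, 'mobile', 'password', adminUser)); // [ 'user', 'admin' ]
console.log(resolveScopes(clients, 'mobile', 'password', basicUser)); // [ 'user', 'premium' ]
console.log(hasRequiredScope(resolveScopes(clients, 'mobile', 'client_credentials', {}), ['admin'])); // false
```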
Database schema
The database connection must exist before the call to the oauthServer module. The mongoose collection schemas are self-contained inside the module:
- logs - saves all data from requests coming through the authorized routes
- ipAttempts - keeps a history of token requests made with an invalid authorization header and blocks the IP after 10 unsuccessful attempts
- accessTokens - saves all the successfully generated access tokens with data regarding the client app that requested it, scope, grant_type, user and expiration
- users - the users allowed with password grant type
- applications - client applications with key and secret that are allowed to obtain tokens.
You can check the defined schemas in models.js.
Example server
I have included an example server using the module if you want to check it out here. Open it up in a browser and test it with apidoc. The important files are app.js, the /api/* folder and gulpfile.js. The rest is just express-generator output.
Future version
- Will improve the docs and expose the IP and user blocking mechanism inside the config.
- Will review the OAuth 2 specs and try to stick to them.
- Will write tests.