This package has been deprecated

Author message:

no longer maintained

oauth-provider

1.0.7 • Public • Published

A very simple OAuth server built on top of express that uses MongoDB for data storage. The module is designed to work with minimal setup and configuration. It is mostly used for quickly setting up APIs for mobile applications and CMS web apps.

app.js

var express = require('express');
var mongoose = require('mongoose');
var oauthServer = require('oauth-provider');
var config = require('./config'); // assumed to export dbConnectionString

var app = express();

// the database connection must exist before oauthServer is called
var mongoConnection = mongoose.connect(config.dbConnectionString);

var oauth = oauthServer({
    mongoConnection: mongoConnection,
    tokenExpirationMinutes: 10, // defaults to 60
    cors: true, // defaults to true
    clients: [{
        type: 'simple_client',
        client_credentials: {
            scopes: ['app_scope', function(app){
                if(app.data.special) // data: application property free to edit
                    return 'special_scope';
            }]
        },
        password: {
            scopes: ['app_scope', 'user_scope', function(user){
                if(user.roles.indexOf('admin') !== -1)
                    return 'admin_scope';
            }]
        }
    }]
});

// define the token endpoint; it is registered before the authorization
// middleware so a client can obtain a token without already holding one
app.post('/api/token', oauth.token());
// what routes to authorize
app.use('/api/*', oauth.authorization());

// mount the router from api_route.js (mount path chosen for this example)
app.use('/api/items', require('./api_route'));

app.listen(3000);

api_route.js

var express = require('express');
var oauth = require('oauth-provider'); // not 'oauth', which is a different npm package
var router = express.Router();

// oauth.authorize is a static property of the module: it checks the scopes of
// the token that oauth.authorization() already validated for /api/*
router.post('/', oauth.authorize(['app_scope']), function(req, res, next){
    var token = res.locals.access_token; // the access token with all associated data

    // only set in case the password grant_type was used
    var user = res.locals.user; // user data for the current token user

    res.json({ authorized: true, password_grant: !!user });
});

module.exports = router;

Documentation

mongoConnection The connection object from mongoose.connect

tokenExpirationMinutes Sets the token expiration interval. Default value is 60 minutes.

cors Allows the api to be called cross domain

clients Defines what types of clients will consume the API.

type - string Can contain any value as long as it matches the documents inside the mongodb under the applications collection

client_credentials - object Tells the API the application type supports client_credentials grant type.

  • scopes - array Accepts string and function items.
    • string - the scope that will be used for filtering requests to certain endpoints like in the api_route.js example. Can take any value.
    • function - takes the application database document as a parameter and should return a string representing a scope. This is for creating custom scopes depending on whatever variables you define on the application document.

password - object Tells the API the application type supports password grant type.

  • scopes - array Accepts string and function items.
    • string - the scope that will be used for filtering requests to certain endpoints like in the api_route.js example. Can take any value.
    • function - takes the user database document as a parameter and should return a string representing a scope. This is for creating custom scopes depending on whatever variables you define on the user document.

return - object

The oauthServer call returns an object with the following methods:

  • authorization function

    • Express middleware used to secure access to certain routes. In the app.js example above it secures all the /api routes.
  • token function

    • Express middleware used to obtain tokens.
  • createUser function

    • Registers a new user. Handles the salt and hash. The data object can take any custom properties. You can benefit from them inside the config in your app file by having a function call instead of a string scope.
    • function (user: String, pass: String, roles: Array, data: Object, callback: function(err, data) )
  • registerClient function

    • Registers a new client app to consume the API. The data object can take any custom properties. You can benefit from them inside the config in your app file by having a function call instead of a string scope.
    • function (name: String, key: String, secret: String, type: String, platform: String, data: Object, dev_token: Object{scopes: Array}, callback: function(err, data))

static properties - object

  • authorize function
    • Express middleware for further authorizing requests by scopes.
    • function (scopes: Array)
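An added example (not the module's own code, whose internals are not shown on this page) that models the scope behaviour documented above: string entries are kept as they are, function entries are called with the application or user document, and authorize then requires every listed scope on an unexpired token. resolveScopes, issueToken and checkAccess are hypothetical names.

```javascript
// Added example, not code from the oauth-provider module: a model of how the
// documented client config is turned into token scopes and how
// oauth.authorize([...]) gates a route on them. Function names are hypothetical.

// Scope list from the README config: strings are fixed scopes, functions are
// called with the application or user document and may return a scope or nothing.
function resolveScopes(scopeDefs, doc) {
  var scopes = [];
  scopeDefs.forEach(function (def) {
    var scope = typeof def === 'function' ? def(doc) : def;
    if (typeof scope === 'string' && scopes.indexOf(scope) === -1) {
      scopes.push(scope);
    }
  });
  return scopes;
}

// Build a token record with the fields the accessTokens collection is said to
// hold (scope, grant_type, expiration); nowMs is the issue time in milliseconds.
function issueToken(clientCfg, grantType, doc, nowMs, expirationMinutes) {
  return {
    grant_type: grantType,
    scopes: resolveScopes(clientCfg[grantType].scopes, doc),
    expires: nowMs + expirationMinutes * 60 * 1000
  };
}

// The check oauth.authorize(required) has to make: the token must be present,
// unexpired, and carry every required scope. Returns null when allowed.
function checkAccess(token, required, nowMs) {
  if (!token || token.expires <= nowMs) return 'invalid_token';
  for (var i = 0; i < required.length; i++) {
    if (token.scopes.indexOf(required[i]) === -1) return 'insufficient_scope';
  }
  return null;
}

// Constructed config mirroring the README's simple_client entry.
var simpleClient = {
  client_credentials: {
    scopes: ['app_scope', function (app) { if (app.data.special) return 'special_scope'; }]
  },
  password: {
    scopes: ['app_scope', 'user_scope', function (user) {
      if (user.roles.indexOf('admin') !== -1) return 'admin_scope';
    }]
  }
};
```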

Database schema

The actual database connection should exist before the call to the oauthServer module. The mongoose collection schemas are self-contained inside the module:

  • logs - saves all data from requests coming through the authorized routes
  • ipAttempts - keeps a history of token obtaining attempts with an invalid authorization header and blocks the ip after 10 unsuccessful attempts
  • accessTokens - saves all the successfully generated access tokens with data regarding the client app that requested it, scope, grant_type, user and expiration
  • users - the users allowed with password grant type
  • applications - client applications with key and secret that are allowed to obtain tokens.

You can check the defined schema in models.js

Example server

I have included an example server using the module if you want to check it out here. Open it up in a browser and test it with apidoc. The important files are app.js, /api/* folder and the gulpfile.js. The rest is just express-generator.

Future version

  • Will improve the docs and expose the ip and user blocking mechanism inside the config.
  • Will review the oauth2 specs and try to stick to them.
  • Will write tests.

Install

npm i oauth-provider

License

none

Collaborators

  • adrianvlupu