
Refactor project #1

Open: wants to merge 41 commits into base: master

Conversation

@nunofgs nunofgs commented Apr 24, 2015

OAuth2-Server

Introduces a new OAuth server implementation with the following changes:

  • Added a promise-based API which supports both promises and node-style callbacks.
  • Added support for scopes for all grant types.
  • Added syntax-checking to all user input as defined in the spec.
  • Added OAuth client validation to authorization requests which fixes an edge-case where an auth code would be generated even if the OAuth client did not support authorization codes.
  • Fixed: authorization requests now defer to the authentication middleware in order to verify that the request is authenticated (in the process, multiple bugs were fixed since the original library was doing this in place and consequently skipping many important checks).
  • Fixed incorrect (non-spec compliant) validation of the redirectUri in the authorization_code grant.
  • Fixed incorrect handling of custom grant types (the spec requires that extended grants be specified in the form of a uri).
  • Fixed non-spec compliant behavior when validating unsupported grant types.
  • Fixed non-spec compliant errors being returned to the response.
  • Fixed: objects retrieved from the model are no longer injected into the current execution context and are instead returned in the original promise.
  • Fixed: parameters given to model calls are now objects previously fetched from the model, which reduces the number of database queries per OAuth request.
  • Fixed: tokens are no longer allowed to be passed by GET parameter, as recommended by the OAuth spec, for security reasons.
  • Improved authorization_code grant by allowing the redirect_uri parameter to be omitted (as required by the spec).
  • Improved authorization_code grant type by revoking the authorization code immediately upon issuing an access token (as required by the spec).
  • Improved refresh_token grant type by revoking the previous refresh_token immediately upon issuing an access token (as required by the spec).
  • Improved architecture by separating the grant-types, response-types and token-types into strongly typed classes.
  • Improved error handling by throwing strongly-typed errors so they can be caught in our backend.
  • Improved error handling by wrapping model errors in a server_error, as required by the spec.
  • Improved validation of all objects retrieved from the model (no validation was being done on expiry dates, for example).
  • Removed dependency on the express framework.
  • Removed injection of response body and headers in favor of strongly-typed Request and Response classes.
  • Renamed authorise, grant and authCodeGrant middlewares to more OAuth spec-friendly authenticate, token and authorize, respectively.

@@ -0,0 +1,29 @@
{
"bitwise": true,
"browser": true,
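Review bot: `"browser": true` on the third line of the hunk tells JSHint to predefine browser globals such as `window` and `document`, which is the wrong environment for a server-side Node library (the description above calls this a Node OAuth server and drops the express dependency) and would let an accidental reference to one of those globals pass lint; remove the option or set it to `false`, and use `"node": true` for the Node globals if it is not already among the lines not shown. Only three of the 29 added lines are visible here, so the remaining options cannot be checked.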

This should be removed or set to false.

@nunofgs nunofgs force-pushed the enhancement/refactor-project branch from 8f51b6a to 82973a5 on February 4, 2016 at 23:49
6 participants