ci: update GitHub core actions to latest versions

Merge pull request #168 from node-oauth/ci-update-core-actions

Author: jankapunkt

.github/workflows/tests-release.yml

@@ -23,11 +23,13 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v2
-    - uses: actions/setup-node@v2
+    - uses: actions/checkout@v3
+    - uses: actions/setup-node@v3
       with:
-        node-version: '12'
-    - run: npm audit --production # no audit for dev dependencies
+        node-version: 16
+    # install to create local package-lock.json but don't cache the files
+    # also: no audit for dev dependencies
+    - run: npm i --package-lock-only  && npm audit --production
 
   # STEP 2 - basic unit tests
 
@@ -38,18 +40,18 @@ jobs:
     needs: [audit]
     strategy:
       matrix:
-        node: [12, 14, 16]
+        node: [14, 16, 18]
     steps:
     - name: Checkout ${{ matrix.node }}
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
 
     - name: Setup node ${{ matrix.node }}
-      uses: actions/setup-node@v2
+      uses: actions/setup-node@v3
       with:
         node-version: ${{ matrix.node }}
 
     - name: Cache dependencies ${{ matrix.node }}
-      uses: actions/cache@v1
+      uses: actions/cache@v3
       with:
         path: ~/.npm
         key: ${{ runner.os }}-node-${{ matrix.node }}-${{ hashFiles('**/package-lock.json') }}
@@ -79,26 +81,26 @@ jobs:
     needs: [unittest]
     strategy:
       matrix:
-        node: [12, 14] # TODO get running for node 16
+        node: [14, 16, 18] # TODO get running for node 16+
     steps:
     # checkout this repo
     - name: Checkout ${{ matrix.node }}
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
 
     # checkout express-adapter repo
     - name: Checkout express-adapter ${{ matrix.node }}
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
       with:
         repository:  node-oauth/express-oauth-server
         path: github/testing/express
 
     - name: Setup node ${{ matrix.node }}
-      uses: actions/setup-node@v2
+      uses: actions/setup-node@v3
       with:
         node-version: ${{ matrix.node }}
 
     - name: Cache dependencies ${{ matrix.node }}
-      uses: actions/cache@v1
+      uses: actions/cache@v3
       with:
         path: ~/.npm
         key: ${{ runner.os }}-node-${{ matrix.node }}-node-oauth/express-oauth-server-${{ hashFiles('github/testing/express/**/package-lock.json') }}
@@ -120,10 +122,10 @@ jobs:
     runs-on: ubuntu-latest
     needs: [integrationtests]
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-node@v2
+      - uses: actions/checkout@v3
+      - uses: actions/setup-node@v3
         with:
-          node-version: 12
+          node-version: 16
           registry-url: https://registry.npmjs.org/
       - run: npm i
       - run: npm publish --dry-run
@@ -137,11 +139,11 @@ jobs:
       contents: read
       packages: write
     steps:
-    - uses: actions/checkout@v2
-    - uses: actions/setup-node@v2
+    - uses: actions/checkout@v3
+    - uses: actions/setup-node@v3
       with:
         # we always publish targeting the lowest supported node version
-        node-version: 12
+        node-version: 16
         registry-url: $registry-url(npm)
     - run: npm i
     - run: npm publish --dry-run

.github/workflows/tests.yml

@@ -13,23 +13,46 @@ on:
       - release-* # on release we run an extended workflow so no need for this
 
 jobs:
+  lint:
+    name: Javascript standard lint
+    runs-on: ubuntu-latest
+    steps:
+      - name: checkout
+        uses: actions/checkout@v3
+
+      - name: setup node
+        uses: actions/setup-node@v3
+        with:
+          node-version: 16
+
+      - name: cache dependencies
+        uses: actions/cache@v3
+        with:
+          path: ~/.npm
+          key: ${{ runner.os }}-node-16-${{ hashFiles('**/package-lock.json') }}
+          restore-keys: |
+            ${{ runner.os }}-node-
+      - run: npm install
+      - run: npm run lint
+
   unittest:
     name: unit tests
     runs-on: ubuntu-latest
+    needs: [lint]
     strategy:
       matrix:
-        node: [12, 14, 16]
+        node: [14, 16, 18]
     steps:
     - name: Checkout ${{ matrix.node }}
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
 
     - name: Setup node ${{ matrix.node }}
-      uses: actions/setup-node@v1
+      uses: actions/setup-node@v3
       with:
         node-version: ${{ matrix.node }}
 
     - name: Cache dependencies ${{ matrix.node }}
-      uses: actions/cache@v1
+      uses: actions/cache@v3
       with:
         path: ~/.npm
         key: ${{ runner.os }}-node-${{ matrix.node }}-${{ hashFiles('**/package-lock.json') }}

CHANGELOG.md

@@ -1,5 +1,39 @@
 ## Changelog
 
+## 4.2.0
+### Fixed
+- fix(core): Bearer regular expression matching in authenticate handler #105
+- fix(request): set WWW-Authenticate header for invalid requests #96 oauthjs#646
+- fix(handler): deny access when body.allowed is 'false' (#94)
+- fix(handlers): skip varcheck for state when allowEmptyState #89 #93
+
+### Added
+- supported custom validateRedirectUri
+- feature: Supported state in case of denialMerge #99
+- Bearer regular expression matching in authenticate handler
+- docs: Update extension-grants.rst with example #92
+- feature(core): extract is.js into standalone package @node-oauth/formats #55
+- feature(authorize): allow custom implementations of validateRedirectUri via model #89 p.4
+  - support custom validateRedirectUri()
+  - allow to implement model.validateRedirectUri
+  - updated AuthorizeHandler
+  - default conforms with RFC 6819 Section-5.2.3.5
+
+### Tests
+- Integration test password grant (#100)
+    * test example
+    * created db & model factories
+    * added refresh_token grant type test
+    * removed failing test, not implemented feature
+    * add reference to issue
+    * client authentication test
+    * random client credentials in test
+    * replace math.random by crypto.randomBytes
+
+### CI
+- refactor(ci): remove unused ci workflow
+- fix(ci): use node-oauth/express-oauth-server for integration test
+
 ## 4.1.1
 
 ### Added

docs/misc/extension-grants.rst

@@ -2,7 +2,51 @@
  Extension Grants
 ==================
 
-.. todo:: Describe how to implement extension grants.
+Create a subclass of ``AbstractGrantType`` and create methods `handle` and `saveToken` along with other required methods according to your needs:
+
+.. code-block:: js
+
+  const OAuth2Server = require('oauth2-server');
+  const AbstractGrantType = OAuth2Server.AbstractGrantType;
+  const InvalidArgumentError = OAuth2Server.InvalidArgumentError;
+  const InvalidRequestError = OAuth2Server.InvalidRequestError;
+
+  class MyCustomGrantType extends AbstractGrantType {
+      constructor(opts) {
+          super(opts);
+      }
+
+      async handle(request, client) {
+          if (!request) throw new InvalidArgumentError('Missing `request`');
+          if (!client) throw new InvalidArgumentError('Missing `client`');
+
+          let scope = this.getScope(request);
+          let user = await this.getUserBySomething(request);
+
+          return this.saveToken(user, client, scope);
+      }
+
+      async saveToken(user, client, scope) {
+          this.validateScope(user, client, scope);
+
+          let token = {
+              accessToken: await this.generateAccessToken(client, user, scope),
+              accessTokenExpiresAt: this.getAccessTokenExpiresAt(),
+              refreshToken: await this.generateRefreshToken(client, user, scope),
+              refreshTokenExpiresAt: this.getRefreshTokenExpiresAt(),
+              scope: scope
+          };
+
+          return this.model.saveToken(token, client, user);
+      }
+
+      async getUserBySomething(request) {
+          //Get user's data by corresponding data (FB User ID, Google, etc.), etc.
+      }
+  }
+
+  module.exports = MyCustomGrantType;
 
 Extension grants are registered through :ref:`OAuth2Server#token() <OAuth2Server#token>` (``options.extendedGrantTypes``).
 
+This might require you to approve the new ``grant_type`` for a particular ``client`` if you do checks on valid grant types.

package.json

@@ -1,7 +1,7 @@
 {
   "name": "@node-oauth/oauth2-server",
   "description": "Complete, framework-agnostic, compliant and well tested module for implementing an OAuth2 Server in node.js",
-  "version": "4.1.1",
+  "version": "4.2.0",
   "keywords": [
     "oauth",
     "oauth2"
@@ -35,7 +35,7 @@
     "eslint": "8.4.1",
     "mocha": "9.2.2",
     "nyc": "15.1.0",
-    "sinon": "12.0.1"
+    "sinon": "13.0.1"
   },
   "license": "MIT",
   "engines": {