Development

.github/workflows/tests-release.yml

@@ -10,7 +10,6 @@ on:
     branches:
       - release-* # all release-<version> branches
 
-
 jobs:
   # STEP 1 - NPM Audit
 
@@ -23,13 +22,13 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v3
-    - uses: actions/setup-node@v3
-      with:
-        node-version: 20
-    # install to create local package-lock.json but don't cache the files
-    # also: no audit for dev dependencies
-    - run: npm i --package-lock-only  && npm audit --production
+      - uses: actions/checkout@v3
+      - uses: actions/setup-node@v3
+        with:
+          node-version: 20
+      # install to create local package-lock.json but don't cache the files
+      # also: no audit for dev dependencies
+      - run: npm i --package-lock-only  && npm audit --production
 
   # STEP 2 - basic unit tests
 
@@ -40,34 +39,34 @@ jobs:
     needs: [audit]
     strategy:
       matrix:
-        node: [14, 16, 18]
+        node: [16, 18, 20]
     steps:
-    - name: Checkout ${{ matrix.node }}
-      uses: actions/checkout@v3
-
-    - name: Setup node ${{ matrix.node }}
-      uses: actions/setup-node@v3
-      with:
-        node-version: ${{ matrix.node }}
-
-    - name: Cache dependencies ${{ matrix.node }}
-      uses: actions/cache@v3
-      with:
-        path: ~/.npm
-        key: ${{ runner.os }}-node-${{ matrix.node }}-${{ hashFiles('**/package-lock.json') }}
-        restore-keys: |
-          ${{ runner.os }}-node-${{ matrix.node }}
-    # for this workflow we also require npm audit to pass
-    - run: npm i
-    - run: npm run test:coverage
-
-    # with the following action we enforce PRs to have a high coverage
-    # and ensure, changes are tested well enough so that coverage won't fail
-    - name: check coverage
-      uses: VeryGoodOpenSource/[email protected]
-      with:
-        path: './coverage/lcov.info'
-        min_coverage: 95
+      - name: Checkout ${{ matrix.node }}
+        uses: actions/checkout@v3
+
+      - name: Setup node ${{ matrix.node }}
+        uses: actions/setup-node@v3
+        with:
+          node-version: ${{ matrix.node }}
+
+      - name: Cache dependencies ${{ matrix.node }}
+        uses: actions/cache@v3
+        with:
+          path: ~/.npm
+          key: ${{ runner.os }}-node-${{ matrix.node }}-${{ hashFiles('**/package-lock.json') }}
+          restore-keys: |
+            ${{ runner.os }}-node-${{ matrix.node }}
+      # for this workflow we also require npm audit to pass
+      - run: npm i
+      - run: npm run test:coverage
+
+      # with the following action we enforce PRs to have a high coverage
+      # and ensure, changes are tested well enough so that coverage won't fail
+      - name: check coverage
+        uses: VeryGoodOpenSource/[email protected]
+        with:
+          path: './coverage/lcov.info'
+          min_coverage: 95
 
   # STEP 3 - Integration tests
 
@@ -80,41 +79,41 @@ jobs:
     needs: [unittest]
     strategy:
       matrix:
-        node: [14, 16, 18] # TODO get running for node 16+
+        node: [16, 18, 20] # TODO get running for node 16+
     steps:
-    # checkout this repo
-    - name: Checkout ${{ matrix.node }}
-      uses: actions/checkout@v3
-
-    # checkout express-adapter repo
-    - name: Checkout express-adapter ${{ matrix.node }}
-      uses: actions/checkout@v3
-      with:
-        repository:  node-oauth/express-oauth-server
-        path: github/testing/express
-
-    - name: Setup node ${{ matrix.node }}
-      uses: actions/setup-node@v3
-      with:
-        node-version: ${{ matrix.node }}
-
-    - name: Cache dependencies ${{ matrix.node }}
-      uses: actions/cache@v3
-      with:
-        path: ~/.npm
-        key: ${{ runner.os }}-node-${{ matrix.node }}-node-oauth/express-oauth-server-${{ hashFiles('github/testing/express/**/package-lock.json') }}
-        restore-keys: |
-          ${{ runner.os }}-node-${{ matrix.node }}-node-oauth/express-oauth-server
-
-    # in order to test the adapter we need to use the current checkout
-    # and install it as local dependency
-    # we just cloned and install it as local dependency
-    # xxx: added bluebird as explicit dependency
-    - run: |
-        cd github/testing/express
-        npm i
-        npm install ../../../
-        npm run test
+      # checkout this repo
+      - name: Checkout ${{ matrix.node }}
+        uses: actions/checkout@v3
+
+      # checkout express-adapter repo
+      - name: Checkout express-adapter ${{ matrix.node }}
+        uses: actions/checkout@v3
+        with:
+          repository: node-oauth/express-oauth-server
+          path: github/testing/express
+
+      - name: Setup node ${{ matrix.node }}
+        uses: actions/setup-node@v3
+        with:
+          node-version: ${{ matrix.node }}
+
+      - name: Cache dependencies ${{ matrix.node }}
+        uses: actions/cache@v3
+        with:
+          path: ~/.npm
+          key: ${{ runner.os }}-node-${{ matrix.node }}-node-oauth/express-oauth-server-${{ hashFiles('github/testing/express/**/package-lock.json') }}
+          restore-keys: |
+            ${{ runner.os }}-node-${{ matrix.node }}-node-oauth/express-oauth-server
+
+      # in order to test the adapter we need to use the current checkout
+      # and install it as local dependency
+      # we just cloned and install it as local dependency
+      # xxx: added bluebird as explicit dependency
+      - run: |
+          cd github/testing/express
+          npm i
+          npm install https://github.com/node-oauth/node-oauth2-server.git#${{ github.ref_name }}
+          npm run test
 
     # todo repeat with other adapters
 
@@ -139,13 +138,13 @@ jobs:
       contents: read
       packages: write
     steps:
-    - uses: actions/checkout@v3
-    - uses: actions/setup-node@v3
-      with:
-        # we always publish targeting the lowest supported node version
-        node-version: 16
-        registry-url: $registry-url(npm)
-    - run: npm i
-    - run: npm publish --dry-run
-      env:
-        NODE_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}}
+      - uses: actions/checkout@v3
+      - uses: actions/setup-node@v3
+        with:
+          # we always publish targeting the lowest supported node version
+          node-version: 16
+          registry-url: $registry-url(npm)
+      - run: npm i
+      - run: npm publish --dry-run
+        env:
+          NODE_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}}

.mocharc.yml

@@ -1,6 +1,6 @@
 recursive: true
 reporter: "spec"
-retries: 1
+retries: 0
 slow: 20
 timeout: 2000
 ui: "bdd"

.readthedocs.yml

@@ -17,6 +17,6 @@ sphinx:
 
 # We recommend specifying your dependencies to enable reproducible builds:
 # https://docs.readthedocs.io/en/stable/guides/reproducible-builds.html
-# python:
-#   install:
-#   - requirements: docs/requirements.txt
+python:
+  install:
+    - requirements: docs/requirements.txt

CHANGELOG.md

@@ -1,5 +1,23 @@
 ## Changelog
 
+## 5.0.0
+
+This release contains several breaking changes.
+Please carefully consult the documentation while updating.
+
+- removed `bluebird` and `promisify-any`
+- uses native Promises and `async/await` everywhere
+- drop support for Node 14 (EOL), setting Node 16 as `engine` in `package.json`
+- this is a breaking change, because **it removes callback support** for
+  `OAuthServer` and your model implementation.
+- fixed missing await in calling generateAuthorizationCode in AuthorizeHandler
+- fix scope validation bug
+- revoke code before validating redirect URI
+- improved Bearer token validation
+- validate scope as an array of strings (breaking change)
+- model support for retrieving user based on client
+- more tests added; test coverage improved 
+
 ## 4.2.0
 ### Fixed
 - fix(core): Bearer regular expression matching in authenticate handler #105
@@ -43,7 +61,7 @@
 - Upgrades all code from ES5 to ES6, where possible.
 
 ## 4.1.0
-### Changed 
+### Changed
 * Bump dev dependencies to resolve vulnerabilities
 * Replaced jshint with eslint along with should and chai
 * Use sha256 when generating tokens

README.md

@@ -8,9 +8,9 @@ Complete, compliant and well tested module for implementing an OAuth2 server in
 [![Tests for Release](https://github.com/node-oauth/node-oauth2-server/actions/workflows/tests-release.yml/badge.svg)](https://github.com/node-oauth/node-oauth2-server/actions/workflows/tests-release.yml)
 [![Documentation Status](https://readthedocs.org/projects/node-oauthoauth2-server/badge/?version=latest)](https://node-oauthoauth2-server.readthedocs.io/en/latest/?badge=latest)
 [![Project Status: Active – The project has reached a stable, usable state and is being actively developed.](https://www.repostatus.org/badges/latest/active.svg)](https://www.repostatus.org/#active)
-![npm Version](https://img.shields.io/npm/v/@node-oauth/oauth2-server?label=version)
-![npm Downloads/Week](https://img.shields.io/npm/dw/@node-oauth/oauth2-server)
-![GitHub License](https://img.shields.io/github/license/node-oauth/node-oauth2-server)
+[![npm Version](https://img.shields.io/npm/v/@node-oauth/oauth2-server?label=version)](https://www.npmjs.com/package/@node-oauth/oauth2-server)
+[![npm Downloads/Week](https://img.shields.io/npm/dw/@node-oauth/oauth2-server)](https://www.npmjs.com/package/@node-oauth/oauth2-server)
+[![GitHub License](https://img.shields.io/github/license/node-oauth/node-oauth2-server)](https://github.com/node-oauth/node-oauth2-server/blob/master/LICENSE)
 
 NOTE: This project has been forked from [oauthjs/node-oauth2-server](https://github.com/oauthjs/node-oauth2-server) and is a continuation due to the project appearing to be abandoned. Please see [our issue board](https://github.com/node-oauth/node-oauth2-server/issues) to talk about next steps and the future of this project.
 
@@ -27,24 +27,35 @@ If you're using one of those frameworks it is strongly recommended to use the re
 ## Features
 
 - Supports `authorization_code`, `client_credentials`, `refresh_token` and `password` grant, as well as *extension grants*, with scopes.
-- Can be used with *promises*, *Node-style callbacks*, *ES6 generators* and *async*/*await* (using [Babel](https://babeljs.io)).
+- Can be used with *promises*, *ES6 generators* and *async*/*await* (using [Babel](https://babeljs.io)).
 - Fully [RFC 6749](https://tools.ietf.org/html/rfc6749.html) and [RFC 6750](https://tools.ietf.org/html/rfc6750.html) compliant.
 - Implicitly supports any form of storage, e.g. *PostgreSQL*, *MySQL*, *MongoDB*, *Redis*, etc.
 - Support for PKCE
 - Complete [test suite](https://github.com/node-oauth/node-oauth2-server/tree/master/test).
 
 ## Documentation
 
-[Documentation](https://node-oauthoauth2-server.readthedocs.io/en/latest/) is hosted on Read the Docs.
+Documentation is hosted on Read the Docs. We have multiple versions of the docs available:
+
+- [stable](https://node-oauthoauth2-server.readthedocs.io/en/master/) (master branch)
+- [development](https://node-oauthoauth2-server.readthedocs.io/en/development/) (development branch)
+
 Please leave an issue if something is confusing or missing in the docs.
 
 ## Examples
 
-Most users should refer to our [Express (active)](https://github.com/node-oauth/express-oauth-server) or 
+Most users should refer to our [Express (active)](https://github.com/node-oauth/express-oauth-server) or
 [Koa (not maintained by us)](https://github.com/oauthjs/koa-oauth-server/tree/master/examples) examples.
 
 More examples can be found here: https://github.com/14gasher/oauth-example
 
+## Version 5 notes
+
+Beginning with version `5.x` we removed dual support for callbacks and promises.
+With this version there is only support for Promises / async/await.
+
+With this version we also bumped the `engine` to Node 16 as 14 is now deprecated.
+
 ## Migrating from OAuthJs and 3.x
 
 Version 4.x should not be hard-breaking, however, there were many improvements and fixes that may

SECURITY.md

@@ -5,11 +5,12 @@
 Use this section to tell people about which versions of your project are
 currently being supported with security updates.
 
-| Version | Supported          |
-| ------- | ------------------ |
-| 4.x.x   | :white_check_mark: |
-| 3.x.x   | :white_check_mark: but only very critical security issues |
-| < 3 | :x: |
+| Version | Supported                                        |
+|---------|--------------------------------------------------|
+| 5.x.x   | :white_check_mark:                               |
+| 4.x.x   | :white_check_mark: but only high severity issues |
+| 3.x.x   | :x:                                              |
+| < 3     | :x:                                              |
 
 ## Reporting a Vulnerability