Docs: Replace code.code with code.authorizationCode

.mocharc.yml

@@ -1,6 +1,6 @@
 recursive: true
 reporter: "spec"
-retries: 1
+retries: 0
 slow: 20
 timeout: 2000
 ui: "bdd"

CHANGELOG.md

@@ -1,5 +1,13 @@
 ## Changelog
 
+## 5.0.0
+
+- removed `bluebird` and `promisify-any`
+- uses native Promises and `async/await` everywhere
+- drop support for Node 14 (EOL), setting Node 16 as `engine` in `package.json`
+- this is a breaking change, because **it removes callback support** for
+  `OAuthServer` and your model implementation.
+
 ## 4.2.0
 ### Fixed
 - fix(core): Bearer regular expression matching in authenticate handler #105

README.md

@@ -45,6 +45,13 @@ Most users should refer to our [Express (active)](https://github.com/node-oauth/
 
 More examples can be found here: https://github.com/14gasher/oauth-example
 
+## Version 5 notes
+
+Beginning with version `5.x` we removed dual support for callbacks and promises.
+With this version there is only support for Promises / async/await.
+
+With this version we also bumped the `engine` to Node 16 as 14 is now deprecated.
+
 ## Migrating from OAuthJs and 3.x
 
 Version 4.x should not be hard-breaking, however, there were many improvements and fixes that may

SECURITY.md

@@ -5,11 +5,12 @@
 Use this section to tell people about which versions of your project are
 currently being supported with security updates.
 
-| Version | Supported          |
-| ------- | ------------------ |
-| 4.x.x   | :white_check_mark: |
-| 3.x.x   | :white_check_mark: but only very critical security issues |
-| < 3 | :x: |
+| Version | Supported                                        |
+|---------|--------------------------------------------------|
+| 5.x.x   | :white_check_mark:                               |
+| 4.x.x   | :white_check_mark: but only high severity issues |
+| 3.x.x   | :x:                                              |
+| < 3     | :x:                                              |
 
 ## Reporting a Vulnerability
 

docs/model/spec.rst

@@ -326,25 +326,25 @@ This model function is **required** if the ``authorization_code`` grant is used.
 
 An ``Object`` representing the authorization code and associated data.
 
-+--------------------+--------+--------------------------------------------------------------+
-| Name               | Type   | Description                                                  |
-+====================+========+==============================================================+
-| code               | Object | The return value.                                            |
-+--------------------+--------+--------------------------------------------------------------+
-| code.code          | String | The authorization code passed to ``getAuthorizationCode()``. |
-+--------------------+--------+--------------------------------------------------------------+
-| code.expiresAt     | Date   | The expiry time of the authorization code.                   |
-+--------------------+--------+--------------------------------------------------------------+
-| [code.redirectUri] | String | The redirect URI of the authorization code.                  |
-+--------------------+--------+--------------------------------------------------------------+
-| [code.scope]       | String | The authorized scope of the authorization code.              |
-+--------------------+--------+--------------------------------------------------------------+
-| code.client        | Object | The client associated with the authorization code.           |
-+--------------------+--------+--------------------------------------------------------------+
-| code.client.id     | String | A unique string identifying the client.                      |
-+--------------------+--------+--------------------------------------------------------------+
-| code.user          | Object | The user associated with the authorization code.             |
-+--------------------+--------+--------------------------------------------------------------+
++--------------------+--------+------------------------------------------------------------------+
+| Name                   | Type   | Description                                                  |
++====================+========+==================================================================+
+| code                   | Object | The return value.                                            |
++--------------------+--------+------------------------------------------------------------------+
+| code.authorizationCode | String | The authorization code passed to ``getAuthorizationCode()``. |
++--------------------+--------+------------------------------------------------------------------+
+| code.expiresAt         | Date   | The expiry time of the authorization code.                   |
++--------------------+--------+------------------------------------------------------------------+
+| [code.redirectUri]     | String | The redirect URI of the authorization code.                  |
++--------------------+--------+------------------------------------------------------------------+
+| [code.scope]           | String | The authorized scope of the authorization code.              |
++--------------------+--------+------------------------------------------------------------------+
+| code.client            | Object | The client associated with the authorization code.           |
++--------------------+--------+------------------------------------------------------------------+
+| code.client.id         | String | A unique string identifying the client.                      |
++--------------------+--------+------------------------------------------------------------------+
+| code.user              | Object | The user associated with the authorization code.             |
++--------------------+--------+------------------------------------------------------------------+
 
 ``code.client`` and ``code.user`` can carry additional properties that will be ignored by *oauth2-server*.
 
@@ -364,7 +364,7 @@ An ``Object`` representing the authorization code and associated data.
       })
       .spread(function(code, client, user) {
         return {
-          code: code.authorization_code,
+          authorizationCode: code.authorization_code,
           expiresAt: code.expires_at,
           redirectUri: code.redirect_uri,
           scope: code.scope,
@@ -792,25 +792,27 @@ This model function is **required** if the ``authorization_code`` grant is used.
 
 **Arguments:**
 
-+--------------------+----------+---------------------------------------------------------------------+
-| Name               | Type     | Description                                                         |
-+====================+==========+=====================================================================+
-| code               | Object   | The return value.                                                   |
-+--------------------+----------+---------------------------------------------------------------------+
-| code.code          | String   | The authorization code.                                             |
-+--------------------+----------+---------------------------------------------------------------------+
-| code.expiresAt     | Date     | The expiry time of the authorization code.                          |
-+--------------------+----------+---------------------------------------------------------------------+
-| [code.redirectUri] | String   | The redirect URI of the authorization code.                         |
-+--------------------+----------+---------------------------------------------------------------------+
-| [code.scope]       | String   | The authorized scope of the authorization code.                     |
-+--------------------+----------+---------------------------------------------------------------------+
-| code.client        | Object   | The client associated with the authorization code.                  |
-+--------------------+----------+---------------------------------------------------------------------+
-| code.client.id     | String   | A unique string identifying the client.                             |
-+--------------------+----------+---------------------------------------------------------------------+
-| code.user          | Object   | The user associated with the authorization code.                    |
-+--------------------+----------+---------------------------------------------------------------------+
++--------------------+----------+-------------------------------------------------------------------------+
+| Name                   | Type     | Description                                                         |
++====================+==========+=========================================================================+
+| code                   | Object   | The code to be revoked.                                             |
++--------------------+----------+-------------------------------------------------------------------------+
+| code.authorizationCode | String   | The authorization code.                                             |
++--------------------+----------+-------------------------------------------------------------------------+
+| code.expiresAt         | Date     | The expiry time of the authorization code.                          |
++--------------------+----------+-------------------------------------------------------------------------+
+| [code.redirectUri]     | String   | The redirect URI of the authorization code.                         |
++--------------------+----------+-------------------------------------------------------------------------+
+| [code.scope]           | String   | The authorized scope of the authorization code.                     |
++--------------------+----------+-------------------------------------------------------------------------+
+| code.client            | Object   | The client associated with the authorization code.                  |
++--------------------+----------+-------------------------------------------------------------------------+
+| code.client.id         | String   | A unique string identifying the client.                             |
++--------------------+----------+-------------------------------------------------------------------------+
+| code.user              | Object   | The user associated with the authorization code.                    |
++--------------------+----------+-------------------------------------------------------------------------+
+| [callback]             | Function | Node-style callback to be used instead of the returned ``Promise``. |
++--------------------+----------+-------------------------------------------------------------------------+
 
 **Return value:**
 

index.d.ts

@@ -277,9 +277,10 @@ declare namespace OAuth2Server {
 
         /**
          * Invoked during request authentication to check if the provided access token was authorized the requested scopes.
+         * Optional, if a custom authenticateHandler is used or if there is no scope part of the request.
          *
          */
-        verifyScope(token: Token, scope: string | string[], callback?: Callback<boolean>): Promise<boolean>;
+        verifyScope?(token: Token, scope: string | string[], callback?: Callback<boolean>): Promise<boolean>;
     }
 
     interface AuthorizationCodeModel extends BaseModel, RequestAuthenticationModel {

lib/errors/access-denied-error.js

@@ -5,7 +5,6 @@
  */
 
 const OAuthError = require('./oauth-error');
-const util = require('util');
 
 /**
  * Constructor.
@@ -15,21 +14,18 @@ const util = require('util');
  * @see https://tools.ietf.org/html/rfc6749#section-4.1.2.1
  */
 
-function AccessDeniedError(message, properties) {
-  properties = Object.assign({
-    code: 400,
-    name: 'access_denied'
-  }, properties);
+class AccessDeniedError extends OAuthError {
+  constructor(message, properties) {
+    properties = {
+      code: 400,
+      name: 'access_denied',
+      ...properties
+    };
 
-  OAuthError.call(this, message, properties);
+    super(message, properties);
+  }
 }
 
-/**
- * Inherit prototype.
- */
-
-util.inherits(AccessDeniedError, OAuthError);
-
 /**
  * Export constructor.
  */

lib/errors/insufficient-scope-error.js

@@ -5,7 +5,6 @@
  */
 
 const OAuthError = require('./oauth-error');
-const util = require('util');
 
 /**
  * Constructor.
@@ -15,21 +14,18 @@ const util = require('util');
  * @see https://tools.ietf.org/html/rfc6750.html#section-3.1
  */
 
-function InsufficientScopeError(message, properties) {
-  properties = Object.assign({
-    code: 403,
-    name: 'insufficient_scope'
-  }, properties);
+class InsufficientScopeError extends OAuthError {
+  constructor(message, properties) {
+    properties = {
+      code: 403,
+      name: 'insufficient_scope',
+      ...properties
+    };
 
-  OAuthError.call(this, message, properties);
+    super(message, properties);
+  }
 }
 
-/**
- * Inherit prototype.
- */
-
-util.inherits(InsufficientScopeError, OAuthError);
-
 /**
  * Export constructor.
  */

lib/errors/invalid-argument-error.js

@@ -5,27 +5,23 @@
  */
 
 const OAuthError = require('./oauth-error');
-const util = require('util');
 
 /**
  * Constructor.
  */
 
-function InvalidArgumentError(message, properties) {
-  properties = Object.assign({
-    code: 500,
-    name: 'invalid_argument'
-  }, properties);
+class InvalidArgumentError extends OAuthError {
+  constructor(message, properties) {
+    properties = {
+      code: 500,
+      name: 'invalid_argument',
+      ...properties
+    };
 
-  OAuthError.call(this, message, properties);
+    super(message, properties);
+  }
 }
 
-/**
- * Inherit prototype.
- */
-
-util.inherits(InvalidArgumentError, OAuthError);
-
 /**
  * Export constructor.
  */

lib/errors/invalid-client-error.js

@@ -5,7 +5,6 @@
  */
 
 const OAuthError = require('./oauth-error');
-const util = require('util');
 
 /**
  * Constructor.
@@ -16,21 +15,18 @@ const util = require('util');
  * @see https://tools.ietf.org/html/rfc6749#section-5.2
  */
 
-function InvalidClientError(message, properties) {
-  properties = Object.assign({
-    code: 400,
-    name: 'invalid_client'
-  }, properties);
+class InvalidClientError extends OAuthError {
+  constructor(message, properties) {
+    properties = {
+      code: 400,
+      name: 'invalid_client',
+      ...properties
+    };
 
-  OAuthError.call(this, message, properties);
+    super(message, properties);
+  }
 }
 
-/**
- * Inherit prototype.
- */
-
-util.inherits(InvalidClientError, OAuthError);
-
 /**
  * Export constructor.
  */

lib/errors/invalid-grant-error.js

@@ -5,7 +5,6 @@
  */
 
 const OAuthError = require('./oauth-error');
-const util = require('util');
 
 /**
  * Constructor.
@@ -17,21 +16,18 @@ const util = require('util');
  * @see https://tools.ietf.org/html/rfc6749#section-5.2
  */
 
-function InvalidGrantError(message, properties) {
-  properties = Object.assign({
-    code: 400,
-    name: 'invalid_grant'
-  }, properties);
+class InvalidGrantError extends OAuthError {
+  constructor(message, properties) {
+    properties = {
+      code: 400,
+      name: 'invalid_grant',
+      ...properties
+    };
 
-  OAuthError.call(this, message, properties);
+    super(message, properties);
+  }
 }
 
-/**
- * Inherit prototype.
- */
-
-util.inherits(InvalidGrantError, OAuthError);
-
 /**
  * Export constructor.
  */

lib/errors/invalid-request-error.js

@@ -5,7 +5,6 @@
  */
 
 const OAuthError = require('./oauth-error');
-const util = require('util');
 
 /**
  * Constructor.
@@ -16,21 +15,18 @@ const util = require('util');
  * @see https://tools.ietf.org/html/rfc6749#section-4.2.2.1
  */
 
-function InvalidRequest(message, properties) {
-  properties = Object.assign({
-    code: 400,
-    name: 'invalid_request'
-  }, properties);
+class InvalidRequest extends OAuthError {
+  constructor(message, properties) {
+    properties = {
+      code: 400,
+      name: 'invalid_request',
+      ...properties
+    };
 
-  OAuthError.call(this, message, properties);
+    super(message, properties);
+  }
 }
 
-/**
- * Inherit prototype.
- */
-
-util.inherits(InvalidRequest, OAuthError);
-
 /**
  * Export constructor.
  */