oauthinaction / oauth-in-action-code
Source code for OAuth 2 in Action
Home Page: https://www.manning.com/books/oauth-2-in-action
License: Other
if (__.contains(['client_secret_basic', 'client_secret_post']), reg.token_endpoint_auth_method) {
has the ")" in the wrong position; also, "client_secret_basic" in the example is sometimes referred to as "secret_basic".
The Express middleware sets headers automatically, so code like this gets overwritten:
var headers = {
'Content-Type': 'application/x-www-form-urlencoded',
'Authorization': 'Basic ' + encodeClientCredentials(client.client_id, client.client_secret)
};
var tokRes = request('POST', authServer.tokenEndpoint, {
body: form_data,
headers: headers
});
If you check what's actually in the headers of tokRes you'll see something like:
Headers: { 'x-powered-by': 'Express',
'content-type': 'application/json; charset=utf-8',
'content-length': '33',
etag: 'W/"21-occYTPXPStEvVz6I6gFNf+WJ+pg"',
date: 'Thu, 21 Jun 2018 23:43:03 GMT',
connection: 'close' }
This basically makes it impossible to pass client_id and client_secret in headers.
Hey guys, would you mind telling Manning that it's currently impossible to buy the book because clicking "add to cart" on the book page [1] does nothing? I've read excerpts and they were great, so I'd really like to purchase the entire eBook. Or is there a way to purchase it off of Manning's site?
[1] https://www.manning.com/books/oauth-2-in-action/
I have to introduce a time gap between nosql.clear() and nosql.insert(), like below:
// clear the database on startup
nosql.clear();
// inject our pre-baked refresh token
setTimeout(() => nosql.insert({ refresh_token: 'j2r3oj32r23rmasd98uhjrk2o3i', client_id: 'oauth-client-1', scope: 'foo bar' }), 5000)
Does anybody know why? Is there any better way to fix this?
"3.3.2 Processing the authorization response"
...
"Our final function for this part of the OAuth client looks like this:"
...
Missing comma in the code example for the headers
Hello and thank you so much for your very helpful book and useful examples!
I'm trying to learn about OAuth to use in a split-stack Ruby on Rails/React client application (i.e., front and back end deployed separately). In order to further my learning, I'm re-implementing your exercises in Rails and React. (Auth servers and protected resources are Rails monoliths and clients have a separate front and back end.)
I was going to push my work to a private repo so as to avoid stepping on your toes or creating copyright issues, but it occurred to me that maybe you/your readers would find it valuable to have these examples available publicly, especially since having a fully separate front and back end for the client application is a really common pattern that does introduce additional complexity.
Maybe you don't care but I just wanted to check if you/your publisher would prefer this stuff be private or if your readers might find it valuable.
To anybody going through the exercises after node v10.0.0,
nosql v3.0.3, used in the code exercises, has a bug in FileReader.prototype.open in index.js line 2388. The callback in the fs signature has not been optional since v7.0.0 and throws an error since node v10.0.0.
However, newer versions of nosql have a different API than the one used in the exercises code. A quick fix, just to follow the exercises: in node_modules/nosql/index.js, at line 2388, change
fs.close(fd);
to
fs.close(fd, err=>{console.log(err)});
Cheers
When running the exercises with the complete client code (client.js), fetching the token works, but when trying to request the protected resources, an error is thrown on the protectedResources server:
$ node protectedResource.js
OAuth Resource Server is listening at http://127.0.0.1:9002
Incoming token: 4ZYxN6lwg71yGIDb5UoOIlqdcNEqL8To
fs.js:144
throw new ERR_INVALID_CALLBACK();
^
TypeError [ERR_INVALID_CALLBACK]: Callback must be a function
at makeCallback (fs.js:144:11)
at Object.close (fs.js:399:20)
at next (/home/myuser/Projects/oauth-in-action-code/exercises/ch-3-ex-2/node_modules/nosql/index.js:2388:8)
at /home/myuser/Projects/oauth-in-action-code/exercises/ch-3-ex-2/node_modules/nosql/index.js:2413:4
at FSReqCallback.wrapper [as oncomplete] (fs.js:478:5)
causing the client to throw:
Error: socket hang up
at doRequest (/home/myuser/Projects/oauth-in-action-code/exercises/ch-3-ex-2/node_modules/sync-request/index.js:31:11)
at /home/myuser/Projects/oauth-in-action-code/exercises/ch-3-ex-2/client.js:127:17
at Layer.handle [as handle_request] (/home/myuser/Projects/oauth-in-action-code/exercises/ch-3-ex-2/node_modules/express/lib/router/layer.js:95:5)
at next (/home/myuser/Projects/oauth-in-action-code/exercises/ch-3-ex-2/node_modules/express/lib/router/route.js:137:13)
at Route.dispatch (/home/myuser/Projects/oauth-in-action-code/exercises/ch-3-ex-2/node_modules/express/lib/router/route.js:112:3)
at Layer.handle [as handle_request] (/home/myuser/Projects/oauth-in-action-code/exercises/ch-3-ex-2/node_modules/express/lib/router/layer.js:95:5)
at /home/myuser/Projects/oauth-in-action-code/exercises/ch-3-ex-2/node_modules/express/lib/router/index.js:281:22
at Function.process_params (/home/myuser/Projects/oauth-in-action-code/exercises/ch-3-ex-2/node_modules/express/lib/router/index.js:335:12)
at next (/home/myuser/Projects/oauth-in-action-code/exercises/ch-3-ex-2/node_modules/express/lib/router/index.js:275:10)
at expressInit (/home/myuser/Projects/oauth-in-action-code/exercises/ch-3-ex-2/node_modules/express/lib/middleware/init.js:40:5)
at Layer.handle [as handle_request] (/home/myuser/Projects/oauth-in-action-code/exercises/ch-3-ex-2/node_modules/express/lib/router/layer.js:95:5)
at trim_prefix (/home/myuser/Projects/oauth-in-action-code/exercises/ch-3-ex-2/node_modules/express/lib/router/index.js:317:13)
at /home/myuser/Projects/oauth-in-action-code/exercises/ch-3-ex-2/node_modules/express/lib/router/index.js:284:7
at Function.process_params (/home/myuser/Projects/oauth-in-action-code/exercises/ch-3-ex-2/node_modules/express/lib/router/index.js:335:12)
at next (/home/myuser/Projects/oauth-in-action-code/exercises/ch-3-ex-2/node_modules/express/lib/router/index.js:275:10)
at query (/home/myuser/Projects/oauth-in-action-code/exercises/ch-3-ex-2/node_modules/express/lib/middleware/query.js:45:5)
Using:
node 11.1.0
npm 6.4.1
I cannot obtain the protected resource based on the current setup.
Following app.get("/fetch resource") router I get back the console.log message: Making request with access token OzH6eSierpbDo7YaeFcp861YmvHKBTPf, but I get the error view with a code of 401
The resource object resulting from the post request to app.post("/resource") router is as follows:
Response {
statusCode: 401,
headers:
{ 'x-powered-by': 'Express',
'access-control-allow-origin': '*',
date: 'Mon, 01 Jul 2019 20:19:43 GMT',
connection: 'close',
'content-length': '0' },
body: <Buffer >,
url: undefined }
It seems that the nosql.one function does not find the token in the database (as the incoming token message shows the value of the token), although if I inspect the nosql file the token is written to the file.
The docs for nosql seem very thin; I can't find any help in them for solving the problem.
The following code has a syntax error
The correct code should be var checkClientMetadata = function(req, res) {
In line 44 of exercises/ch-6-ex-2/client.js, the code accesses refresh_token, which is not declared or used.
The following
app.get('/', function (req, res) {
res.render('index', {access_token: access_token, refresh_token: refresh_token, scope: scope});
});
should become
app.get('/', function (req, res) {
res.render('index', {access_token: access_token, scope: scope});
});
I will be happy to put in a PR for this
If a client fails to send the text 'Basic' at the beginning of the auth header, the auth server code isn't smart enough to treat that as a bad request and tries to look up the client anyway.
The index template in 3-1 requires 'scope', but the exercise doesn't use it.
Page 96 of the book shows:
nosql.insert({ access_token: access_token, client_id: clientId, scope: rscope });
Should be:
nosql.insert({ access_token: access_token, client_id: client.client_id, scope: rscope });
I've started the tour through "OAuth 2.0 in Action" and begun the exercises in chapter 3. At the end of chapter 3.3 and at the start of chapter 3.4, I've tried to get a protected resource from the server in 'protectedResource.js'. The server crashes when it tries to call 'nosql.one(..., ...)', with the following error message:
OAuth Resource Server is listening at http://127.0.0.1:9002
Incoming token: 987tghjkiu6trfghjuytrghj
fs.js:156
throw new ERR_INVALID_CALLBACK(cb);
^
TypeError [ERR_INVALID_CALLBACK]: Callback must be a function. Received undefined
Please remove this ticket; I just saw that I was in the wrong subdirectory of the project, not in "native-client".
On new Node.js versions, new Buffer() is deprecated. Buffer.from seems like a better option for the cases where new Buffer was used in this book. I get the following error in authorizationServer.js and client.js:
(node:15865) [DEP0005] DeprecationWarning: Buffer() is deprecated due to security and usability issues. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead.
I used Buffer.from in both places and it seems to work just fine.
Hi,
I've noticed that there's no "How to Install and Run the Project" section in README.md for readers who might not be proficient with JavaScript or the Node environment. I've added such a section, but since English is not my native language you might want to proofread it first. You can look it up here:
#57
Best Regards,
Tomasz Mróz
I tried working through Chapter 3 Exercise 1. I copy and pasted the code for the client from the appendix. I notice the code for the authorization server and protected resource appears to be completely filled in already, so I didn't make any changes to that code. However, at the end of the exercise when I get a token and then click Get Protected Resource, I get the following error message in the terminal for my protected resource server:
node .\protectedResource.js
OAuth Resource Server is listening at http://127.0.0.1:9002
Incoming token: xmFD2F9vg6AF4tQGLIzX19Vm27gI426K
fs.js:142
throw new ERR_INVALID_CALLBACK();
^
TypeError [ERR_INVALID_CALLBACK]: Callback must be a function
at makeCallback (fs.js:142:11)
at Object.close (fs.js:400:20)
at next (C:\Users\mattw\repos\oauth-in-action-code\exercises\ch-3-ex-1\node_modules\nosql\index.js:2388:8)
at C:\Users\mattw\repos\oauth-in-action-code\exercises\ch-3-ex-1\node_modules\nosql\index.js:2413:4
at FSReqCallback.wrapper [as oncomplete] (fs.js:479:5)
Throughout this process, the following appears in the terminal for the client server. It appears to have no problem getting the authorization code and then the access token. The logs say it begins to make the request for the protected resource with an access code:
node .\client.js
OAuth Client is listening at http://127.0.0.1:9000
redirect http://localhost:9001/authorize?response_type=code&client_id=oauth-client-1&redirect_uri=http%3A%2F%2Flocalhost%3A9000%2Fcallback&state=uaupQrqmFN8xKZzps0WT8YgSxdGeNJQR
Requesting access token for code 7ZsNkiot
Got access token: 11zLkASTHepVKxWQ7lClBAEX8iWYcFRs
(node:8588) [DEP0005] DeprecationWarning: Buffer() is deprecated due to security and usability issues. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead.
Making request with access token 11zLkASTHepVKxWQ7lClBAEX8iWYcFRs
Error: read ECONNRESET
at doRequest (C:\Users\mattw\repos\oauth-in-action-code\exercises\ch-3-ex-1\node_modules\sync-request\index.js:31:11)
at C:\Users\mattw\repos\oauth-in-action-code\exercises\ch-3-ex-1\client.js:120:17
at Layer.handle [as handle_request] (C:\Users\mattw\repos\oauth-in-action-code\exercises\ch-3-ex-1\node_modules\express\lib\router\layer.js:95:5)
at next (C:\Users\mattw\repos\oauth-in-action-code\exercises\ch-3-ex-1\node_modules\express\lib\router\route.js:137:13)
at Route.dispatch (C:\Users\mattw\repos\oauth-in-action-code\exercises\ch-3-ex-1\node_modules\express\lib\router\route.js:112:3)
at Layer.handle [as handle_request] (C:\Users\mattw\repos\oauth-in-action-code\exercises\ch-3-ex-1\node_modules\express\lib\router\layer.js:95:5)
at C:\Users\mattw\repos\oauth-in-action-code\exercises\ch-3-ex-1\node_modules\express\lib\router\index.js:281:22
at Function.process_params (C:\Users\mattw\repos\oauth-in-action-code\exercises\ch-3-ex-1\node_modules\express\lib\router\index.js:335:12)
at next (C:\Users\mattw\repos\oauth-in-action-code\exercises\ch-3-ex-1\node_modules\express\lib\router\index.js:275:10)
at expressInit (C:\Users\mattw\repos\oauth-in-action-code\exercises\ch-3-ex-1\node_modules\express\lib\middleware\init.js:40:5)
at Layer.handle [as handle_request] (C:\Users\mattw\repos\oauth-in-action-code\exercises\ch-3-ex-1\node_modules\express\lib\router\layer.js:95:5)
at trim_prefix (C:\Users\mattw\repos\oauth-in-action-code\exercises\ch-3-ex-1\node_modules\express\lib\router\index.js:317:13)
at C:\Users\mattw\repos\oauth-in-action-code\exercises\ch-3-ex-1\node_modules\express\lib\router\index.js:284:7
at Function.process_params (C:\Users\mattw\repos\oauth-in-action-code\exercises\ch-3-ex-1\node_modules\express\lib\router\index.js:335:12)
at next (C:\Users\mattw\repos\oauth-in-action-code\exercises\ch-3-ex-1\node_modules\express\lib\router\index.js:275:10)
at query (C:\Users\mattw\repos\oauth-in-action-code\exercises\ch-3-ex-1\node_modules\express\lib\middleware\query.js:45:5)
A portion of this error appears in my web browser too, the part that begins with Error: read ECONNRESET.
A return statement should be added after
https://github.com/oauthinaction/oauth-in-action-code/blob/master/exercises/ch-3-ex-1/completed/client.js#L114
to prevent subsequent code from rerendering the page.
Otherwise, an error will occur:
Error: Can't set headers after they are sent.
In example 4-1 you cannot receive a token, because there is no username passed to the authorization server.
Just as a proof of concept:
It works if you just add a hard-coded user name to the approve.html:
<input type="hidden" name="user" value="bob">
Best
Fabian
In the exercise I was getting the token but getting a failure when accessing the protected resource, e.g. checking the token in client.js I could see I got B7agg1tSi7TpDyZiz9SgXhE2cRheu5i3, but the log for protectedResource had
Incoming token: 7agg1tSi7TpDyZiz9SgXhE2cRheu5i3
No matching token was found.
I'm new to node and not sure of the details of this slice function, but when I removed the space, i.e., changed to
inToken = auth.slice('bearer'.length);
it worked for me.
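Three of the reports above concern the same two headers: the token endpoint that looks up a client without first checking that the Authorization header actually carries the Basic scheme, the deprecated new Buffer() used to base64-encode the client credentials, and the 'bearer' prefix sliced off by one character so the resource server searches for a token that does not exist. The block below is an added example written for this page, not code from the book or the oauth-in-action-code repository. It shows one defensive way to build and parse both headers in plain Node.js (no Express), with the scheme matched case-insensitively as RFC 7235 allows and with Buffer.from replacing new Buffer(). The function names parseBasicClientCredentials and extractBearerToken, and the sample secret, are assumptions chosen for illustration; encodeClientCredentials reuses the name from the exercise code but the body here is mine.

```javascript
// Added example (not from the book or repository): building and parsing
// OAuth 2 Authorization headers defensively.

// Client side: HTTP Basic credentials for the token endpoint.
// Buffer.from() replaces the deprecated new Buffer() constructor.
// RFC 6749 section 2.3.1 form-urlencodes client_id and client_secret
// before joining them with ':' and base64-encoding the result.
function encodeClientCredentials(clientId, clientSecret) {
  const pair = encodeURIComponent(clientId) + ':' + encodeURIComponent(clientSecret);
  return Buffer.from(pair, 'utf8').toString('base64');
}

// Authorization server side: parse the header at the token endpoint.
// Returns { clientId, clientSecret } or null when the header is absent,
// uses a scheme other than Basic, or does not decode to 'id:secret'.
// A null result lets the caller answer 400/401 instead of looking up
// whatever string happened to be in the header.
function parseBasicClientCredentials(header) {
  if (typeof header !== 'string') return null;
  const m = /^Basic\s+([A-Za-z0-9+\/]+=*)$/i.exec(header.trim());
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const sep = decoded.indexOf(':');
  if (sep <= 0) return null; // no separator, or empty client_id
  try {
    return {
      clientId: decodeURIComponent(decoded.slice(0, sep)),
      clientSecret: decodeURIComponent(decoded.slice(sep + 1)),
    };
  } catch (e) {
    return null; // malformed percent-encoding
  }
}

// Resource server side: pull the token out of 'Bearer <token>'.
// The token is everything after the whitespace that follows the scheme,
// so the first character of the token is never lost and the comparison
// against the token store is made on the full value.
function extractBearerToken(header) {
  if (typeof header !== 'string') return null;
  const m = /^Bearer\s+(\S+)$/i.exec(header.trim());
  return m ? m[1] : null;
}

// Constructed sample values for a stand-alone run (the secret is made up).
const sampleClientId = 'oauth-client-1';
const sampleClientSecret = 'oauth-client-secret-1';
const sampleBasicHeader = 'Basic ' + encodeClientCredentials(sampleClientId, sampleClientSecret);
const sampleBearerHeader = 'Bearer B7agg1tSi7TpDyZiz9SgXhE2cRheu5i3';

console.log(parseBasicClientCredentials(sampleBasicHeader)); // { clientId: 'oauth-client-1', clientSecret: 'oauth-client-secret-1' }
console.log(parseBasicClientCredentials('Bearer abc'));      // null: wrong scheme, do not look up a client
console.log(extractBearerToken(sampleBearerHeader));         // 'B7agg1tSi7TpDyZiz9SgXhE2cRheu5i3'
```

Because the parser returns null for a missing or non-Basic scheme, the token endpoint handler can reject the request before touching the client store, and because the bearer extractor is anchored on whitespace rather than a fixed offset, a header written as 'bearer', 'Bearer' or with extra spaces all yield the same token value.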
nosql will cause an exception in FileReader.prototype.open: line 2388 will cause an exception in Node.js > v10.0.0. The callback parameter is no longer optional for fs.close. Not passing it will throw a TypeError at runtime. There has been a deprecation warning since Node.js v7.0.0. My workaround for now is to change fs.close to fs.closeSync in line 2388 of the index.js file in node_modules/nosql. The author has indicated that he will be making changes to the module soon. Refer to petersirka/nosql#46