fixed Unresolvable cycle detected

Changelog.md

@@ -1,5 +1,22 @@
 ## Changelog
 
+### 2.4.0
+
+- Set Cache-Control and Pragma headers
+- Allow any valid URI for extension grants
+- Expose `client` to `extendedGrant` and after via `req.oauth.client`
+- Fix express depreciation warning for `res.send()`
+- Expose `user` to `generateToken` and after via `req.user`
+- Fix lockdown pattern for express 3
+
+- Add redis example
+- Fix docs to use new express bodyParser module
+- Fix docs for `redirect_uri`
+- Clarify docs for `clientIdRegex`
+- Fix docs for missing `req` argument in `generateToken`
+- Fix docs for `user`/`userId` `getAccessToken`
+- Fix docs for argument order in `getRefreshToken`
+
 ### 2.3.0
 
  - Support "state" param for auth_code grant type

Readme.md

@@ -55,7 +55,7 @@ Note: As no model was actually implemented here, delving any deeper, i.e. passin
  - grant types you wish to support, currently the module supports `password` and `refresh_token`
   - Default: `[]`
 - *function|boolean* **debug**
- - If `true` errors will be  logged to console. You may also pass a custom function, in which case that function will be called with the error as it's first argument
+ - If `true` errors will be  logged to console. You may also pass a custom function, in which case that function will be called with the error as its first argument
   - Default: `false`
 - *number* **accessTokenLifetime**
  - Life of access tokens in seconds
@@ -69,8 +69,8 @@ Note: As no model was actually implemented here, delving any deeper, i.e. passin
  - Life of auth codes in seconds
   - Default: `30`
 - *regexp* **clientIdRegex**
- - Regex to match auth codes against before checking model
- - Default: `/^[a-z0-9-_]{3,40}$/i`
+ - Regex to sanity check client id against before checking model. Note: the default just matches common `client_id` structures, change as needed 
+  - Default: `/^[a-z0-9-_]{3,40}$/i`
 - *boolean* **passthroughErrors**
  - If true, **non grant** errors will not be handled internally (so you can ensure a consistent format with the rest of your api)
 - *boolean* **continueAfterResponse**
@@ -97,8 +97,9 @@ Note: see https://github.com/thomseddon/node-oauth2-server/tree/master/examples/
          - *date* **expires**
              - The date when it expires
              - `null` to indicate the token **never expires**
-         - *string|number* **userId**
-             - The user id (saved in req.user.id)
+         - *mixed* **user** *or* *string|number* **userId**
+             - If a `user` key exists, this is saved as `req.user`
+             - Otherwise a `userId` key must exist, which is saved in `req.user.id`
 
 #### getClient (clientId, clientSecret, callback)
 - *string* **clientId**
@@ -112,6 +113,7 @@ Note: see https://github.com/thomseddon/node-oauth2-server/tree/master/examples/
      - Saved in `req.client`
      - Must contain the following keys:
          - *string* **clientId**
+         - *string* **redirectUri** (`authorization_code` grant type only)
 
 #### grantTypeAllowed (clientId, grantType, callback)
 - *string* **clientId**
@@ -247,9 +249,11 @@ The spec does not actually require that you revoke the old token - hence this is
 
 ### Optional
 
-#### generateToken (type, callback)
+#### generateToken (type, req, callback)
 - *string* **type**
  - `accessToken` or `refreshToken`
+- *object* **req**
+ - The current express request
 - *function* **callback (error, token)**
  - *mixed* **error**
      - Truthy to indicate an error
@@ -262,7 +266,7 @@ The spec does not actually require that you revoke the old token - hence this is
 
 ## Extension Grants
 You can support extension/custom grants by implementing the extendedGrant method as outlined above.
-Any requests that begin with http(s):// (as [defined in the spec](http://tools.ietf.org/html/rfc6749#section-4.5)) will be passed to it for you to handle.
+Any grant type that is a valid URI will be passed to it for you to handle (as [defined in the spec](http://tools.ietf.org/html/rfc6749#section-4.5)).
 You can access the grant type via the first argument and you should pass back supported as `false` if you do not support it to ensure a consistent (and compliant) response.
 
 ## Example using the `password` grant type

examples/dynamodb/index.js

@@ -4,7 +4,9 @@ var express = require('express'),
 
 var app = express();
 
-app.use(bodyParser());
+app.use(bodyParser.urlencoded({ extended: true }));
+
+app.use(bodyParser.json());
 
 app.oauth = oauthserver({
   model: require('./model'),

examples/postgresql/index.js

@@ -4,7 +4,9 @@ var express = require('express'),
 
 var app = express();
 
-app.use(bodyParser());
+app.use(bodyParser.urlencoded({ extended: true }));
+
+app.use(bodyParser.json());
 
 app.oauth = oauthserver({
   model: require('./model'),

examples/redis/README.md

@@ -0,0 +1,19 @@
+# Redis Example
+
+A simple example with support for `password` and `refresh_token` grants using [Redis](http://redis.io/). You'll need [node-redis](https://github.com/mranney/node_redis) installed.
+
+## Usage
+
+```js
+app.oauth = oauthserver({
+  model: require('./model'),
+  grants: ['password', 'refresh_token'],
+  debug: true
+});
+```
+
+## Data model
+
+The example makes use of a simple data model where clients, tokens, refresh tokens and users are stored as [hashes](http://redis.io/topics/data-types#hashes). The allowed grants for each client are stored in a [set](http://redis.io/topics/data-types#sets) `clients:{id}:grant_types`. This allows grants to be added or removed dynamically. To simplify the user lookup users are identified by their username and not by a separate ID. Passwords are stored in the clear for simplicity, but in practice these should be hashed using a library like [bcrypt](https://github.com/ncb000gt/node.bcrypt.js).
+
+To inject some test data you can run the `testData.js` script in this directory. This will create a client with the ID `client` and secret `secret` and create a single user with the username `username` and password `password`.

examples/redis/index.js

@@ -0,0 +1,33 @@
+var express = require('express'),
+  bodyParser = require('body-parser'),
+  oauthserver = require('../../'); // Would be: 'oauth2-server'
+
+var app = express();
+
+app.use(bodyParser.urlencoded({ extended: true }));
+
+app.use(bodyParser.json());
+
+app.oauth = oauthserver({
+  model: require('./model'),
+  grants: ['password', 'refresh_token'],
+  debug: true
+});
+
+// Handle token grant requests
+app.all('/oauth/token', app.oauth.grant());
+
+app.get('/secret', app.oauth.authorise(), function (req, res) {
+  // Will require a valid access_token
+  res.send('Secret area');
+});
+
+app.get('/public', function (req, res) {
+  // Does not require an access_token
+  res.send('Public area');
+});
+
+// Error handling
+app.use(app.oauth.errorHandler());
+
+app.listen(3000);

examples/redis/model.js

@@ -0,0 +1,90 @@
+var model = module.exports,
+  util = require('util'),
+  redis = require('redis');
+
+var db = redis.createClient();
+
+var keys = {
+  token: 'tokens:%s',
+  client: 'clients:%s',
+  refreshToken: 'refresh_tokens:%s',
+  grantTypes: 'clients:%s:grant_types',
+  user: 'users:%s'
+};
+
+model.getAccessToken = function (bearerToken, callback) {
+  db.hgetall(util.format(keys.token, bearerToken), function (err, token) {
+    if (err) return callback(err);
+
+    if (!token) return callback();
+
+    callback(null, {
+      accessToken: token.accessToken,
+      clientId: token.clientId,
+      expires: token.expires ? new Date(token.expires) : null,
+      userId: token.userId
+    });
+  });
+};
+
+model.getClient = function (clientId, clientSecret, callback) {
+  db.hgetall(util.format(keys.client, clientId), function (err, client) {
+    if (err) return callback(err);
+
+    if (!client || client.clientSecret !== clientSecret) return callback();
+
+    callback(null, {
+      clientId: client.clientId,
+      clientSecret: client.clientSecret
+    });
+  });
+};
+
+model.getRefreshToken = function (bearerToken, callback) {
+  db.hgetall(util.format(keys.refreshToken, bearerToken), function (err, token) {
+    if (err) return callback(err);
+
+    if (!token) return callback();
+
+    callback(null, {
+      refreshToken: token.accessToken,
+      clientId: token.clientId,
+      expires: token.expires ? new Date(token.expires) : null,
+      userId: token.userId
+    });
+  });
+};
+
+model.grantTypeAllowed = function (clientId, grantType, callback) {
+  db.sismember(util.format(keys.grantTypes, clientId), grantType, callback);
+};
+
+model.saveAccessToken = function (accessToken, clientId, expires, user, callback) {
+  db.hmset(util.format(keys.token, accessToken), {
+    accessToken: accessToken,
+    clientId: clientId,
+    expires: expires ? expires.toISOString() : null,
+    userId: user.id
+  }, callback);
+};
+
+model.saveRefreshToken = function (refreshToken, clientId, expires, user, callback) {
+  db.hmset(util.format(keys.refreshToken, refreshToken), {
+    refreshToken: refreshToken,
+    clientId: clientId,
+    expires: expires ? expires.toISOString() : null,
+    userId: user.id
+  }, callback);
+};
+
+model.getUser = function (username, password, callback) {
+  db.hgetall(util.format(keys.user, username), function (err, user) {
+    if (err) return callback(err);
+
+    if (!user || password !== user.password) return callback();
+
+    callback(null, {
+      id: username
+    });
+  });
+};

examples/redis/testData.js

@@ -0,0 +1,27 @@
+#! /usr/bin/env node
+
+var db = require('redis').createClient();
+
+db.multi()
+  .hmset('users:username', {
+    id: 'username',
+    username: 'username',
+    password: 'password'
+  })
+  .hmset('clients:client', {
+    clientId: 'client',
+    clientSecret: 'secret'
+  })
+  .sadd('clients:client:grant_types', [
+    'password',
+    'refresh_token'
+  ])
+  .exec(function (errs) {
+    if (errs) {
+      console.error(errs[0].message);
+      return process.exit(1);
+    }
+
+    console.log('Client and user added successfully');
+    process.exit();
+  });