5.3.0

Attention! This release fixes a reported vulnerability in the PKCE workflow!

Read more here: GHSA-jhm7-29pj-4xvf

This affects all versions below 5.3.0.

What's Changed

PKCE fixes

• proper enforcement of parameter ABNF
• failed PKCE challenge revokes authorization code to prevent brute force
• challenge comparison using timing safe comparison
• plain challenges need explicit option enablePlainPKCE to be true when creating a new server instance

Other improvements

• Expose options property on OAuth2Server class types by @wille in #378
• ci: bump node versions to minimum 20 by @jankapunkt in #383
• fix: pass proper arguments to createHash by @jankapunkt in #387
• Docs: vitepress by @jankapunkt in #388

Dependencies

• build(deps): bump actions/checkout from 4 to 5 by @dependabot[bot] in #364
• build(deps-dev): bump mocha from 11.7.1 to 11.7.2 by @dependabot[bot] in #366
• build(deps): bump actions/setup-node from 4 to 5 by @dependabot[bot] in #369
• build(deps-dev): bump mocha from 11.7.2 to 11.7.3 by @dependabot[bot] in #371
• build(deps-dev): bump mocha from 11.7.3 to 11.7.4 by @dependabot[bot] in #372
• build(deps): bump github/codeql-action from 3 to 4 by @dependabot[bot] in #373
• build(deps): bump actions/setup-node from 5 to 6 by @dependabot[bot] in #374
• build(deps-dev): bump mocha from 11.7.4 to 11.7.5 by @dependabot[bot] in #375
• build(deps-dev): bump js-yaml from 3.14.1 to 3.14.2 by @dependabot[bot] in #380
• build(deps): bump glob from 10.4.5 to 10.5.0 by @dependabot[bot] in #381
• build(deps): bump actions/checkout from 5 to 6 by @dependabot[bot] in #382
• build(deps-dev): bump sinon from 21.0.0 to 21.0.1 by @dependabot[bot] in #385
• build(deps-dev): bump chai from 4.5.0 to 6.2.2 by @dependabot[bot] in #386
• build(deps): bump actions/upload-pages-artifact from 3 to 4 by @dependabot[bot] in #392
• build(deps): bump actions/setup-node from 4 to 6 by @dependabot[bot] in #393
• build(deps): bump actions/configure-pages from 4 to 5 by @dependabot[bot] in #394
• build(deps): bump actions/checkout from 4 to 6 by @dependabot[bot] in #395
• build(deps-dev): bump lodash from 4.17.21 to 4.17.23 by @dependabot[bot] in #396
• build(deps-dev): bump vitepress from 2.0.0-alpha.15 to 2.0.0-alpha.16 by @dependabot[bot] in #401
• build(deps): bump minimatch by @dependabot[bot] in #407
• build(deps-dev): bump rollup from 4.54.0 to 4.59.0 by @dependabot[bot] in #408
• build(deps-dev): bump sinon from 21.0.1 to 21.0.3 by @dependabot[bot] in #413
• build(deps-dev): bump nyc from 17.1.0 to 18.0.0 by @dependabot[bot] in #406
• build(deps): bump actions/configure-pages from 5 to 6 by @dependabot[bot] in #420
• build(deps-dev): bump handlebars from 4.7.8 to 4.7.9 by @dependabot[bot] in #419

Full Changelog: v5.2.1...v5.3.0

5.2.2-rc.0

What's Changed

• build(deps): bump actions/checkout from 4 to 5 by @dependabot[bot] in #364
• build(deps-dev): bump mocha from 11.7.1 to 11.7.2 by @dependabot[bot] in #366
• build(deps): bump actions/setup-node from 4 to 5 by @dependabot[bot] in #369
• build(deps-dev): bump mocha from 11.7.2 to 11.7.3 by @dependabot[bot] in #371
• build(deps-dev): bump mocha from 11.7.3 to 11.7.4 by @dependabot[bot] in #372
• build(deps): bump github/codeql-action from 3 to 4 by @dependabot[bot] in #373
• build(deps): bump actions/setup-node from 5 to 6 by @dependabot[bot] in #374
• build(deps-dev): bump mocha from 11.7.4 to 11.7.5 by @dependabot[bot] in #375
• Expose options property on OAuth2Server class types by @wille in #378
• build(deps-dev): bump js-yaml from 3.14.1 to 3.14.2 by @dependabot[bot] in #380
• build(deps): bump glob from 10.4.5 to 10.5.0 by @dependabot[bot] in #381
• build(deps): bump actions/checkout from 5 to 6 by @dependabot[bot] in #382
• ci: bump node versions to minimum 20 by @jankapunkt in #383
• build(deps-dev): bump sinon from 21.0.0 to 21.0.1 by @dependabot[bot] in #385
• build(deps-dev): bump chai from 4.5.0 to 6.2.2 by @dependabot[bot] in #386
• fix: pass proper arguments to createHash by @jankapunkt in #387
• #389 by @runeb

New Contributors

• @wille made their first contribution in #378

Full Changelog: v5.2.1...v5.2.2-rc.0

v5.2.1

What's Changed

• build(deps-dev): bump eslint from 8.57.0 to 8.57.1 by @dependabot[bot] in #320
• build(deps-dev): bump sinon from 18.0.0 to 19.0.2 by @dependabot[bot] in #319
• build(deps-dev): bump mocha from 10.7.0 to 10.7.3 by @dependabot[bot] in #317
• build(deps-dev): bump nyc from 17.0.0 to 17.1.0 by @dependabot[bot] in #321
• build(deps-dev): bump mocha from 10.7.3 to 10.8.0 by @dependabot[bot] in #325
• build(deps-dev): bump mocha from 10.8.0 to 11.0.1 by @dependabot[bot] in #328
• build(deps-dev): bump mocha from 11.0.1 to 11.1.0 by @dependabot[bot] in #330
• Remove unnecessary whitespace by @brianhelba in #332
• build(deps-dev): bump sinon from 19.0.2 to 20.0.0 by @dependabot[bot] in #338
• build(deps): bump type-is from 1.6.18 to 2.0.1 by @dependabot[bot] in #339
• build(deps-dev): bump mocha from 11.1.0 to 11.2.2 by @dependabot[bot] in #340
• build(deps-dev): bump mocha from 11.2.2 to 11.3.0 by @dependabot[bot] in #345
• build(deps-dev): bump mocha from 11.3.0 to 11.4.0 by @dependabot[bot] in #346
• build(deps-dev): bump sinon from 20.0.0 to 21.0.0 by @dependabot[bot] in #357
• build(deps-dev): bump mocha from 11.4.0 to 11.7.1 by @dependabot[bot] in #359
• added proper typing to requireClientAuthentication in TokenOptions by @FlorianB-DE in #355
• fix(dev-deps): npm audit fix by @jankapunkt in #348
• fixed typing for Request constructor by @FlorianB-DE in #362

New Contributors

• @brianhelba made their first contribution in #332
• @FlorianB-DE made their first contribution in #355

Full Changelog: v5.2.0...v5.2.1

v5.2.0

Installation 🚀

NPM Link: https://www.npmjs.com/package/@node-oauth/oauth2-server/v/5.2.0

$ npm install @node-oauth/oauth2-server@5.2.0

What's Changed

Fixes and improvements 🔧

• docs: fixed verifyCode example by @kristofferjansson in #302
• fix(types): type declaration for AuthenticateOptions.scope by @Lordfirespeed in #305
• fix: explicitly support array of strings for AuthenticateHandler.options by @dhensby in #309
• ci: add dependabot integration for github actions by @dhensby in #311
• ci: add node 22 to test matrix by @dhensby in #312
• perf: random tokens do not need to be hashed by @dhensby in #313
• refactor(types): update types to be more concise by @dhensby in #314

Dependencies 📦

• build(deps-dev): bump mocha from 10.2.0 to 10.3.0 by @dependabot in #277
• build(deps-dev): bump mocha from 10.3.0 to 10.4.0 by @dependabot in #282
• build(deps-dev): bump sinon from 15.2.0 to 17.0.2 by @dependabot in #287
• build(deps-dev): bump sinon from 17.0.2 to 18.0.0 by @dependabot in #289
• build(deps): bump readthedocs-sphinx-search from 0.1.1 to 0.3.2 in /docs by @dependabot in #275
• build(deps-dev): bump nyc from 15.1.0 to 17.0.0 by @dependabot in #292
• build(deps-dev): bump mocha from 10.4.0 to 10.6.0 by @dependabot in #299
• build(deps-dev): bump mocha from 10.6.0 to 10.7.0 by @dependabot in #304
• build(deps-dev): bump chai from 4.3.7 to 4.5.0 by @dependabot in #315
• build(deps): bump github/codeql-action from 1 to 3 by @dependabot in #316

New Contributors 👏

• @kristofferjansson made their first contribution in #302
• @Lordfirespeed made their first contribution in #305

Full Changelog: v5.1.0...v5.2.0

v5.1.0

Installation

NPM Link: https://www.npmjs.com/package/@node-oauth/oauth2-server/v/5.1.0

$ npm install @node-oauth/oauth2-server@5.1.0

What's Changed

Fixes

• fix: update typing for validateScope making scope an optional parameter by @dhensby in #265
• Compliance/fix scope by @jankapunkt in #267

Dependencies

• build(deps-dev): bump eslint from 8.46.0 to 8.54.0 by @dependabot in #266
• build(deps-dev): bump eslint from 8.54.0 to 8.56.0 by @dependabot in #273
• build(deps-dev): bump eslint from 8.56.0 to 8.57.0 by @dependabot in #278

New Contributors

• @dhensby made their first contribution in #265

Full Changelog: v5.0.0...v5.1.0

v5.1.0-rc.0

Installation / NPM Link

$ npm install @node-oauth/oauth2-server@5.1.0-rc.0

https://www.npmjs.com/package/@node-oauth/oauth2-server/v/5.1.0-rc.0

What's Changed

• fix: update typing for validateScope making scope an optional parameter by @dhensby in #265
• Compliance/fix scope by @jankapunkt in #267

New Contributors

• @dhensby made their first contribution in #265

Full Changelog: v5.0.0...v5.1.0-rc.0

v5.0.0

This is a major release, including breaking changes!

Install this release

Npm link: https://www.npmjs.com/package/@node-oauth/oauth2-server/v/5.0.0

Install via

$ npm install  @node-oauth/oauth2-server@5.0.0

What's Changed

• refactor: Remove util.inherits #70 by @dsschiramm in #109
• Use native promises and async/await, drop bluebird and promisify-any by @jankapunkt in #190
• PKCE: get code_challenge and _method from query if not present in body by @jankapunkt in #197
• build(deps-dev): bump eslint from 8.42.0 to 8.44.0 by @dependabot in #195
• Fix generateAuthorizationCode not being awaited by @MaximilianGaedig in #203
• Fix ci for release-tests by @jankapunkt in #205
• build(deps-dev): bump eslint from 8.42.0 to 8.46.0 by @dependabot in #201
• build(deps-dev): bump sinon from 15.1.0 to 15.2.0 by @dependabot in #193
• Marked verifyScope function as optional in model types. by @shrihari-prakash in #209
• Removed callback support in typings file. by @shrihari-prakash in #211
• build(deps-dev): bump sinon from 15.1.0 to 15.2.0 by @dependabot in #206
• Fixed getUserFromClient not being awaited in client credentials grant. by @shrihari-prakash in #218
• Convert TokenModel to an ES6 class and extract utils function for calculating lifetime by @menewman in #223
• tests: add deep integration tests by @jankapunkt in #224
• Fix critical scope validation bug by @jorenvandeweyer in #228
• Convert Request, Response, CodeResponseType, TokenResponseType to ES6 classes by @menewman in #225
• Feature/refactor to es6 by @jorenvandeweyer in #227
• revoke code before validating redirect uri by @jorenvandeweyer in #231
• made badges clickable by @jorenvandeweyer in #236
• Fixes ignoring scope on refresh token call by @jorenvandeweyer in #238
• Improve bearer validation by @jorenvandeweyer in #234
• remove invalid bearer token that was used in test by @jorenvandeweyer in #243
• fix typing of revokeToken by @jorenvandeweyer in #247
• chore(docs): fix typo in lib/pkce/pkce.js wird -> weird by @ttacon in #250
• Support for retrieving user based on client by @jorenvandeweyer in #256
• Release 5.0.0 by @jankapunkt in #194
• Development by @jankapunkt in #260

New Contributors

• @dsschiramm made their first contribution in #109
• @MaximilianGaedig made their first contribution in #203
• @shrihari-prakash made their first contribution in #209
• @ttacon made their first contribution in #250

Full Changelog: v4.3.2...v5.0.0

v4.3.3

• fixed pkce retrieve code challenge and method in body and query

Full Changelog: v4.3.2...v4.3.3

v5.0.0-rc.5

Installation / NPM Link

$ npm install @node-oauth/oauth2-server@5.0.0-rc.5

https://www.npmjs.com/package/@node-oauth/oauth2-server/v/5.0.0-rc.5

What's Changed

• docs: fix links and cover missing topics by @jankapunkt in #208
• Add docs to comply with community standards by @jankapunkt in #199
• Docs: Replace code.code with code.authorizationCode (attempt 2) by @menewman in #222
• hotfix: fixed critical scope validation bug for 4.x by @jorenvandeweyer in #229
• revoke code before validating redirect uri 4.x by @jorenvandeweyer in #232
• chore(docs): fix typo in lib/pkce/pkce.js wird -> weird by @ttacon in #250

New Contributors

• @ttacon made their first contribution in #250

Full Changelog: v5.0.0-rc.4...v5.0.0-rc.5

v5.0.0-rc.4

Installation / NPM Link

$ npm install @node-oauth/oauth2-server@next

https://www.npmjs.com/package/@node-oauth/oauth2-server/v/5.0.0-rc.4

What's Changed

• made badges clickable by @jorenvandeweyer in #236
• Fixes ignoring scope on refresh token call by @jorenvandeweyer in #238
• Improve bearer validation by @jorenvandeweyer in #234
• remove invalid bearer token that was used in test by @jorenvandeweyer in #243

Full Changelog: v5.0.0-rc.3...v5.0.0-rc.4