OAuth2 authorization server & middleware for Lux API framework.
Lux OAuth2 is an OAuth2 authorization server & middleware for Lux API framework.
$ npm install --save lux-oauth2
Lux OAuth2 has been built with extension in mind. More grant types will soon be available out-of-the-box, along with details of how to define your own custom grant types.
Currently, Lux OAuth2 only supports a password with refresh_token grant type flow.
Ready your database with the required models listed below. Check out the example app for more guidance.
useroauth-access-tokenoauth-clientoauth-refresh-tokenInitialize a new OAuth2 server instance. Ensure to add all the required models and any grant types you wish to use.
// app/middleware/oauth2.jsimport { OAuth2BaseServer, OAuth2PasswordGrantType } from 'lux-oauth2';import OAuthAccessToken from 'app/models/oauth-access-token';import OAuthClient from 'app/models/oauth-client';import OAuthRefreshToken from 'app/models/oauth-refresh-token';import User from 'app/models/user';class OAuth2Server extends OAuth2BaseServer {static models = {accessToken: OAuthAccessToken,client: OAuthClient,refreshToken: OAuthRefreshToken,user: User};static grantTypes = [OAuth2PasswordGrantType];}export default new OAuth2Server();
The token endpoint will require a POST action. OAuth2 recommends using the /oauth/token route.
// app/routes.jsthis.resource('oauth', {only: []}, function(){this.post('/token', 'token');});
The payload sent to the server must be wrapped in a data attribute. The following controller setup allows the parameters through to the controller, where the requestToken function is then called.
// app/controllers/oauth.jsimport { Controller } from 'lux-framework';import OAuth2Server from 'app/middleware/oauth2';class OauthController extends Controller {params = ['grantType','username','password']query = ['data']token(request, response) {return OAuth2Server.requestToken(request, response);}}export default OauthController;
Add the authenticate action to the application controller’s beforeAction array to ensure the OAuth2 server attempts to authenticate a user for each request.
import { Controller } from 'lux-framework';import OAuth2Server from 'app/middleware/oauth2';class ApplicationController extends Controller {beforeAction = [OAuth2Server.authenticate];}export default ApplicationController;
This adds an oauth2 object to the request, containing an isAuthenticated boolean value and the currentUser.
console.log(request.oauth2);// => { isAuthenticated: true, currentUser: User }
Add the authenticatedRoute action to any resource you wish to protect.
// app/controllers/user.jsimport { Controller } from 'lux-framework';import OAuth2Server from 'app/middleware/oauth2';class UsersController extends Controller {beforeAction = [OAuth2Server.authenticatedRoute];}export default UsersController;
Keep certain endpoints from requiring authentication using lux-unless.
beforeAction = [unless({ path: ['/users/stats'] }, OAuth2Server.authenticatedRoute)];
The following additional options can be set on the OAuth2 server.
class OAuth2Server extends OAuth2BaseServer {accessTokenLifetime = 3600;refreshTokenLifetime = 1209600;}
If you need to override one of the OAuth2Server’s core methods, simply redefine the method in the OAuth2Server.
class OAuth2Server extends OAuth2BaseServer {getUser = async (email, password, done) => {// add your custom method of retrieving the user...}}
Coming soon™…
$ cd /examples/lux-oauth2-example$ npm install$ lux db:create && lux db:migrate && lux db:seed$ lux serve
Use the Lux OAuth2 Example Postman Collection to check the following:
email & password sent to the token endpoint to check credentials errors.refresh_token value to auth via refresh token./users to find it requires authentication.Bearer <YOUR_ACCESS_TOKEN> to the Authorization header to access the /users data.
$ npm install$ npm test
This project is licensed under the MIT license. See the LICENSE file for more info.