Gathering detailed insights and metrics for @octokit/auth-oauth-user
Gathering detailed insights and metrics for @octokit/auth-oauth-user
Octokit authentication strategy for OAuth clients
Installations
npm install @octokit/auth-oauth-userScore
91.1
Supply Chain
99.5
Quality
85.5
Maintenance
100
Vulnerability
100
License
Developer
octokit
Developer Guide
BETA
Module System
ESM
Min. Node Version
>= 18
Typescript Support
Yes
Node Version
20.12.1
NPM Version
10.5.0
Statistics
17 Stars
318 Commits
7 Forks
6 Watching
6 Branches
14 Contributors
Updated on 05 Nov 2024
Languages
TypeScript (96.48%)
JavaScript (3.52%)
Total Downloads
Cumulative downloads
Total Downloads
106,947,922
Last day
-10.5%
199,790
Compared to previous day
Last week
0.9%
1,186,373
Compared to previous week
Last month
2.1%
5,151,950
Compared to previous month
Last year
58.5%
54,662,084
Compared to previous year
Daily Downloads
Weekly Downloads
Monthly Downloads
Yearly Downloads
Versions
auth-oauth-user.js
Octokit authentication strategy for OAuth user authentication
Important: @octokit/auth-oauth-user requires your app's client_secret, which must not be exposed. If you are looking for an OAuth user authentication strategy that can be used on a client (browser, IoT, CLI), check out @octokit/auth-oauth-user-client. Note that @octokit/auth-oauth-user-client requires a backend. The only exception is @octokit/auth-oauth-device which does not require the client_secret, but does not work in browsers due to CORS constraints.
Table of contents
Features
- Code for token exchange from GitHub's OAuth web flow
- GitHub's OAuth device flow
- Caches token for succesive calls
- Auto-refreshing for expiring user access tokens
- Applies the correct authentication strategy based on the request URL when using with
Octokit - Token verification
- Token reset
- Token invalidation
- Application grant revocation
Standalone usage
|
Browsers |
Load
|
|---|---|
|
Node |
Install with
|
Exchange code from OAuth web flow
1const auth = createOAuthUserAuth({ 2 clientId: "1234567890abcdef1234", 3 clientSecret: "1234567890abcdef1234567890abcdef12345678", 4 code: "code123", 5 // optional 6 state: "state123", 7 redirectUrl: "https://acme-inc.com/login", 8}); 9 10// Exchanges the code for the user access token authentication on first call 11// and caches the authentication for successive calls 12const { token } = await auth();
About GitHub's OAuth web flow
OAuth Device flow
1const auth = createOAuthUserAuth({ 2 clientId: "1234567890abcdef1234", 3 clientSecret: "1234567890abcdef1234567890abcdef12345678", 4 onVerification(verification) { 5 // verification example 6 // { 7 // device_code: "3584d83530557fdd1f46af8289938c8ef79f9dc5", 8 // user_code: "WDJB-MJHT", 9 // verification_uri: "https://github.com/login/device", 10 // expires_in: 900, 11 // interval: 5, 12 // }; 13 14 console.log("Open %s", verification.verification_uri); 15 console.log("Enter code: %s", verification.user_code); 16 }, 17}); 18 19// resolves once the user entered the `user_code` on `verification_uri` 20const { token } = await auth();
About GitHub's OAuth device flow
Use an existing authentication
1const auth = createOAuthUserAuth({ 2 clientId: "1234567890abcdef1234", 3 clientSecret: "1234567890abcdef1234567890abcdef12345678", 4 clientType: "oauth-app", 5 token: "token123", 6}); 7 8// will return the passed authentication 9const { token } = await auth();
Usage with Octokit
|
Browsers |
|
|---|---|
|
Node |
Install with
|
1const octokit = new Octokit({ 2 authStrategy: createOAuthUserAuth, 3 auth: { 4 clientId: "1234567890abcdef1234", 5 clientSecret: "1234567890abcdef1234567890abcdef12345678", 6 code: "code123", 7 }, 8}); 9 10// Exchanges the code for the user access token authentication on first request 11// and caches the authentication for successive requests 12const { 13 data: { login }, 14} = await octokit.request("GET /user"); 15console.log("Hello, %s!", login);
createOAuthUserAuth(options) or new Octokit({ auth })
The createOAuthUserAuth method accepts a single options object as argument. The same set of options can be passed as auth to the Octokit constructor when setting authStrategy: createOAuthUserAuth
When using GitHub's OAuth web flow
| name | type | description |
|---|---|---|
clientId
|
string
| Required. Client ID of your GitHub/OAuth App. Find it on your app's settings page. |
clientSecret
|
string
| Required. Client Secret for your GitHub/OAuth App. Create one on your app's settings page. |
clientType
|
string
|
Either "oauth-app" or "github-app". Defaults to "oauth-app".
|
code
|
string
|
Required. The authorization code which was passed as query parameter to the callback URL from GitHub's OAuth web application flow. |
state
|
string
|
The unguessable random string you provided in Step 1 of GitHub's OAuth web application flow. |
redirectUrl
|
string
|
The |
request
|
function
|
You can pass in your own @octokit/request instance. For usage with enterprise, set baseUrl to the API root endpoint. Example:
|
When using GitHub's OAuth device flow
| name | type | description |
|---|---|---|
clientId
|
string
| Required. Client ID of your GitHub/OAuth App. Find it on your app's settings page. |
clientSecret
|
string
|
Required. Client Secret for your GitHub/OAuth App. The clientSecret is not needed for the OAuth device flow itself, but it is required for resetting, refreshing, and invalidating a token. Find the Client Secret on your app's settings page.
|
clientType
|
string
|
Either "oauth-app" or "github-app". Defaults to "oauth-app".
|
onVerification
|
function
|
Required. A function that is called once the device and user codes were retrieved The
|
request
|
function
|
You can pass in your own @octokit/request instance. For usage with enterprise, set baseUrl to the API root endpoint. Example:
|
When passing an existing authentication object
| name | type | description |
|---|---|---|
clientType
|
string
|
Required. Either "oauth-app" or "github".
|
clientId
|
string
| Required. Client ID of your GitHub/OAuth App. Find it on your app's settings page. |
clientSecret
|
string
| Required. Client Secret for your GitHub/OAuth App. Create one on your app's settings page. |
token
|
string
| Required. The user access token |
scopes
|
array of strings
|
Required if clientType is set to "oauth-app". Array of OAuth scope names the token was granted
|
refreshToken
|
string
|
Only relevant if clientType is set to "github-app" and token expiration is enabled.
|
expiresAt
|
string
|
Only relevant if clientType is set to "github-app" and token expiration is enabled. Date timestamp in ISO 8601 standard. Example: 2022-01-01T08:00:0.000Z
|
refreshTokenExpiresAt
|
string
|
Only relevant if clientType is set to "github-app" and token expiration is enabled. Date timestamp in ISO 8601 standard. Example: 2021-07-01T00:00:0.000Z
|
request
|
function
|
You can pass in your own @octokit/request instance. For usage with enterprise, set baseUrl to the API root endpoint. Example:
|
[!IMPORTANT] As we use conditional exports, you will need to adapt your
tsconfig.jsonby setting"moduleResolution": "node16", "module": "node16".See the TypeScript docs on package.json "exports".
See this helpful guide on transitioning to ESM from @sindresorhus
auth(options) or octokit.auth(options)
The async auth() method is returned by createOAuthUserAuth(options) or set on the octokit instance when the Octokit constructor was called with authStrategy: createOAuthUserAuth.
Once auth() receives a valid authentication object it caches it in memory and uses it for subsequent calls. It also caches if the token is invalid and no longer tries to send any requests. If the authentication is using a refresh token, a new token will be requested as needed. Calling auth({ type: "reset" }) will replace the internally cached authentication.
Resolves with an authentication object.
| name | type | description |
|---|---|---|
type
|
string
|
Without setting Possible values for
|
Authentication object
There are three possible results
- OAuth APP authentication token
- GitHub APP user authentication token with expiring disabled
- GitHub APP user authentication token with expiring enabled
The differences are
scopesis only present for OAuth AppsrefreshToken,expiresAt,refreshTokenExpiresAtare only present for GitHub Apps, and only if token expiration is enabled
OAuth APP authentication token
| name | type | description |
|---|---|---|
type
|
string
|
"token"
|
tokenType
|
string
|
"oauth"
|
clientType
|
string
|
"oauth-app"
|
clientId
|
string
|
The clientId from the strategy options
|
clientSecret
|
string
|
The clientSecret from the strategy options
|
token
|
string
| The user access token |
scopes
|
array of strings
| array of scope names enabled for the token |
onTokenCreated
|
function
| callback invoked when a token is "reset" or "refreshed" |
invalid
|
boolean
|
Either |
GitHub APP user authentication token with expiring disabled
| name | type | description |
|---|---|---|
type
|
string
|
"token"
|
tokenType
|
string
|
"oauth"
|
clientType
|
string
|
"github-app"
|
clientId
|
string
|
The clientId from the strategy options
|
clientSecret
|
string
|
The clientSecret from the strategy options
|
token
|
string
| The user access token |
onTokenCreated
|
function
| callback invoked when a token is "reset" or "refreshed" |
invalid
|
boolean
|
Either |
GitHub APP user authentication token with expiring enabled
| name | type | description |
|---|---|---|
type
|
string
|
"token"
|
tokenType
|
string
|
"oauth"
|
clientType
|
string
|
"github-app"
|
clientId
|
string
|
The clientId from the strategy options
|
clientSecret
|
string
|
The clientSecret from the strategy options
|
token
|
string
| The user access token |
refreshToken
|
string
| The refresh token |
expiresAt
|
string
|
Date timestamp in ISO 8601 standard. Example: 2022-01-01T08:00:0.000Z
|
refreshTokenExpiresAt
|
string
|
Date timestamp in ISO 8601 standard. Example: 2021-07-01T00:00:0.000Z
|
invalid
|
boolean
|
Either |
auth.hook(request, route, parameters) or auth.hook(request, options)
auth.hook() hooks directly into the request life cycle. It amends the request to authenticate correctly based on the request URL.
The request option is an instance of @octokit/request. The route/options parameters are the same as for the request() method.
auth.hook() can be called directly to send an authenticated request
1const { data: user } = await auth.hook(request, "GET /user");
Or it can be passed as option to request().
1const requestWithAuth = request.defaults({ 2 request: { 3 hook: auth.hook, 4 }, 5}); 6 7const { data: user } = await requestWithAuth("GET /user");
Types
1import { 2 GitHubAppAuthentication, 3 GitHubAppAuthenticationWithExpiration, 4 GitHubAppAuthOptions, 5 GitHubAppStrategyOptions, 6 GitHubAppStrategyOptionsDeviceFlow, 7 GitHubAppStrategyOptionsExistingAuthentication, 8 GitHubAppStrategyOptionsExistingAuthenticationWithExpiration, 9 GitHubAppStrategyOptionsWebFlow, 10 OAuthAppAuthentication, 11 OAuthAppAuthOptions, 12 OAuthAppStrategyOptions, 13 OAuthAppStrategyOptionsDeviceFlow, 14 OAuthAppStrategyOptionsExistingAuthentication, 15 OAuthAppStrategyOptionsWebFlow, 16} from "@octokit/auth-oauth-user";
Contributing
See CONTRIBUTING.md
License
No vulnerabilities found.
Reason
no binaries found in the repo
Reason
no dangerous workflow patterns detected
Reason
15 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Reason
all changesets reviewed
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: MIT License: LICENSE:0
Reason
packaging workflow detected
Details
- Info: Project packages its releases by way of GitHub Actions.: .github/workflows/release.yml:17
Reason
SAST tool is run on all commits
Details
- Info: SAST configuration detected: CodeQL
- Info: all commits (30) are checked with a SAST tool
Reason
security policy file detected
Details
- Info: security policy file detected: SECURITY.md:1
- Info: Found linked content: SECURITY.md:1
- Warn: One or no descriptive hints of disclosure, vulnerability, and/or timelines in security policy
- Info: Found text in security policy: SECURITY.md:1
Reason
2 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275
- Warn: Project is vulnerable to: GHSA-9wv6-86v2-598j
Reason
dependency not pinned by hash detected -- score normalized to 6
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/add_to_octokit_project.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/octokit/auth-oauth-user.js/add_to_octokit_project.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:45: update your workflow using https://app.stepsecurity.io/secureworkflow/octokit/auth-oauth-user.js/codeql-analysis.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:59: update your workflow using https://app.stepsecurity.io/secureworkflow/octokit/auth-oauth-user.js/codeql-analysis.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:72: update your workflow using https://app.stepsecurity.io/secureworkflow/octokit/auth-oauth-user.js/codeql-analysis.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/immediate-response.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/octokit/auth-oauth-user.js/immediate-response.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/octokit/auth-oauth-user.js/release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/octokit/auth-oauth-user.js/test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:35: update your workflow using https://app.stepsecurity.io/secureworkflow/octokit/auth-oauth-user.js/test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/update-prettier.yml:12: update your workflow using https://app.stepsecurity.io/secureworkflow/octokit/auth-oauth-user.js/update-prettier.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/update-prettier.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/octokit/auth-oauth-user.js/update-prettier.yml/main?enable=pin
- Info: 5 out of 13 GitHub-owned GitHubAction dependencies pinned
- Info: 0 out of 2 third-party GitHubAction dependencies pinned
- Info: 4 out of 4 npmCommand dependencies pinned
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql-analysis.yml:28
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql-analysis.yml:29
- Warn: no topLevel permission defined: .github/workflows/add_to_octokit_project.yml:1
- Warn: no topLevel permission defined: .github/workflows/codeql-analysis.yml:1
- Warn: topLevel 'contents' permission set to 'write': .github/workflows/release.yml:11
- Warn: no topLevel permission defined: .github/workflows/test.yml:1
- Warn: no topLevel permission defined: .github/workflows/update-prettier.yml:1
- Info: no jobLevel write permissions found
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Score
7.5
/10
Last Scanned on 2024-11-18
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More