Installations

npm install passport-oauth2-refresh

Developer Guide

BETA

Typescript

No

Module System

CommonJS

Min. Node Version

>=10

Node Version

16.17.0

NPM Version

8.15.0 Score

93.7

Supply Chain

100

Quality

76

Maintenance

100

Vulnerability

100

License

Pull Requests

Open

5

Total

170

Closed

160

Merged

5

Issues

Open

3

Total

16

Closed

13

Releases

7

v2.2.0

Published on 15 Apr 2023

v2.1.0

Published on 29 Jun 2021

v2.0.2

Published on 11 May 2021

v2.0.1

Published on 02 Dec 2020

v2.0.0

Published on 25 Mar 2020

v1.1.0

Published on 06 Jun 2018

View all 7 releases

Contributors

5

Unable to fetch Contributors

View all 5 contributors

Languages

1

JavaScript

JavaScript (100%)

Developer

fiznool

Download Statistics

Total Downloads

4,054,496

Last Day

461

Last Week

10,319

Last Month

70,741

Last Year

943,904

GitHub Statistics

190 Stars

60 Commits

16 Forks

3 Watching

8 Branches

5 Contributors

Bundle Size

1.29 kB

Minified

639.00 B

Minified + Gzipped

Bundlephobia

Maintainers

1

Package Meta Information

Latest Version

2.2.0

Package Id

passport-oauth2-refresh@2.2.0

Unpacked Size

25.43 kB

Size

7.43 kB

File Count

10

NPM Version

8.15.0

Node Version

16.17.0

Publised On

15 Apr 2023

Total Downloads

Cumulative downloads

Total Downloads

4,054,496

Last day

-86.4%

461

Compared to previous day

Last week

-40.6%

10,319

Compared to previous week

Last month

-9.6%

70,741

Compared to previous month

Last year

16.1%

943,904

Compared to previous year

Daily Downloads

Weekly Downloads

Monthly Downloads

Yearly Downloads

Dev Dependencies

6

chai eslint mocha prettier sinon sinon-chai

Versions

Passport OAuth 2.0 Refresh

An add-on to the Passport authentication library to provide a simple way to refresh your OAuth 2.0 access tokens.

Dependency Status

Installation

npm install passport-oauth2-refresh

Usage

When setting up your passport strategies, add a call to refresh.use() after passport.use().

An example, using the Facebook strategy:

1const passport = require('passport');
2const refresh = require('passport-oauth2-refresh');
3const FacebookStrategy = require('passport-facebook').Strategy;
4
5const strategy = new FacebookStrategy({
6  clientID: FACEBOOK_APP_ID,
7  clientSecret: FACEBOOK_APP_SECRET,
8  callbackURL: "http://www.example.com/auth/facebook/callback"
9},
10function(accessToken, refreshToken, profile, done) {
11  // Make sure you store the refreshToken somewhere!
12  User.findOrCreate(..., function(err, user) {
13    if (err) { return done(err); }
14    done(null, user);
15  });
16});
17
18passport.use(strategy);
19refresh.use(strategy);

When you need to refresh the access token, call requestNewAccessToken():

1const refresh = require('passport-oauth2-refresh');
2refresh.requestNewAccessToken(
3  'facebook',
4  'some_refresh_token',
5  function (err, accessToken, refreshToken) {
6    // You have a new access token, store it in the user object,
7    // or use it to make a new request.
8    // `refreshToken` may or may not exist, depending on the strategy you are using.
9    // You probably don't need it anyway, as according to the OAuth 2.0 spec,
10    // it should be the same as the initial refresh token.
11  },
12);

Specific name

Instead of using the default strategy.name, you can setup passport-oauth2-refresh to use an specific name instead.

1// Setup
2passport.use('gmail', googleStrategy);
3
4// To refresh
5refresh.requestNewAccessToken('gmail', 'some_refresh_token', done);

This can be useful if you'd like to reuse strategy objects but under a different name.

Custom OAuth2 behaviour

Most passport strategies that use OAuth 2.0 should work without any additional configuration. Some strategies, however require custom OAuth configuration, or do not expose an oauth2 adapter for internal use. In these cases, a callback can be specified by calling the use function with an extra options parameter:

1const { OAuth2 } = require('oauth');
2
3refresh.use(strategy, {
4  setRefreshOAuth2() {
5    return new OAuth2(/* custom oauth config */);
6  },
7});

The setRefreshOAuth2 callback should return an instance of the node-oauth OAuth2 class.

The callback is called with two named parameters, which can be used to further customise the OAuth2 adapter:

1refresh.use(strategy, {
2  setRefreshOAuth2({ strategyOAuth2, refreshOAuth2 }) {
3    // These named parameters are set for most strategies.
4    // The `refreshOAuth2` instance is a clone of the one supplied by the strategy, inheriting most of its config.
5    // Customise it here and return if necessary.
6    // For example, to set a proxy:
7    refreshOAuth2.setAgent(new HttpsProxyAgent(agentUrl));
8    return refreshOAuth2;
9  },
10});

Additional parameters

Some endpoints require additional parameters to be sent when requesting a new access token. To send these parameters, specify the parameters when calling requestNewAccessToken as follows:

1const extraParams = { some: 'extra_param' };
2refresh.requestNewAccessToken('gmail', 'some_refresh_token', extraParams, done);

Multiple instances

Projects that need multiple instances of Passport can construct them using the Passport constructor available on the passport module. Similarly, this module provides an AuthTokenRefresh constructor that can be used instead of the single instance provided by default.

1const { Passport } = require('passport');
2const { AuthTokenRefresh } = require('passport-oauth2-refresh');
3
4const passport = new Passport();
5const refresh = new AuthTokenRefresh();
6
7// Additional, distinct instances of these modules can also be created

Examples

See issue #1 for an example of how to refresh a token when requesting data from the Google APIs.

Why?

Passport is a library which doesn't deal in implementation-specific details. From the author:

Passport is a library for authenticating requests, and only that. It is not going to get involved in anything that is specific to OAuth, or any other authorization protocol.

Fair enough. Hence, this add-on was born as a way to help deal with refreshing OAuth 2.0 tokens.

It is particularly useful when dealing with Google's OAuth 2.0 implementation, which expires access tokens after 1 hour.

License

MIT

No vulnerabilities found.

10

Dangerous-Workflow

Determines if the project's GitHub Action workflows avoid dangerous patterns.

10

Binary-Artifacts

Determines if the project has generated executable (binary) artifacts in the source repository.

10

License

Determines if the project has defined a license.

3

Pinned-Dependencies

Determines if the project has declared and pinned the dependencies of its build process.

0

Code-Review

Determines if the project requires human code review before pull requests (aka merge requests) are merged.

0

Maintained

Determines if the project is "actively maintained".

0

Token-Permissions

Determines if the project's workflows follow the principle of least privilege.

0

CII-Best-Practices

Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.

0

Security-Policy

Determines if the project has published a security policy.

0

Fuzzing

Determines if the project uses fuzzing.

0

Branch-Protection

Determines if the default and release branches are protected with GitHub's branch protection settings.

0

SAST

Determines if the project uses static code analysis.

0

Vulnerabilities

Determines if the project has open, known unfixed vulnerabilities.

Score

2.7

/10

Last Scanned on 2024-12-23

The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.

Learn More