feat: client_{id,_secret} are no longer passed as query, but basic authentication only (#41)

gr2m · web-flow · commit 85a04fad0aa5 · 2020-02-25T13:41:33.000-08:00
BREAKING CHANGE: `:client_id` and `:access_token` URL parameters are no longer set by default

BREAKING CHANGE: `client_id` and `client_secret` are now passed as basic authentication for any URL

BREAKING CHANGE: The `url` option has been removed for `auth({ type: "app" })`

BREAKING CHANGE: `auth({ type: "app" })` no longer returns a `.query` key
diff --git a/README.md b/README.md
@@ -16,8 +16,8 @@ It implements authentication using an OAuth app’s client ID and secret as well
 - [`createOAuthAppAuth(options)`](#createoauthappauthoptions)
 - [`auth()`](#auth)
 - [Authentication object](#authentication-object)
-  - [OAuth authentication](#oauth-authentication)
-  - [OAuth access token authentication](#oauth-access-token-authentication)
+    - [OAuth authentication](#oauth-authentication)
+    - [OAuth access token authentication](#oauth-access-token-authentication)
 - [`auth.hook(request, route, parameters)` or `auth.hook(request, options)`](#authhookrequest-route-parameters-or-authhookrequest-options)
 - [Implementation details](#implementation-details)
 - [License](#license)
@@ -62,20 +62,18 @@ const auth = createOAuthAppAuth({
   clientSecret: "secret"
 });
 
-// OAuth Apps authenticate using ?client_id=...&client_secret=... query parameters
-// or Basic auth, depending on the request URL (see implementation details below).
+// OAuth Apps authenticate using Basic auth, where
+// username is clientId and password is clientSecret
 const appAuthentication = await auth({
-  type: "oauth-app",
-  url: "/orgs/:org/repos"
+  type: "oauth-app"
 });
 // resolves with
 // {
 //   type: 'oauth-app',
 //   clientId: '123',
 //   clientSecret: 'secret',
-//   query: {
-//     client_id: '123',
-//     client_secret: 'secret'
+//   headers: {
+//     authorization: 'basic MTIzOnNlY3JldA=='
 //   }
 // }
 
@@ -222,22 +220,6 @@ The async `auth()` method returned by `createOAuthAppAuth(options)` accepts the
         <strong>Required.</strong> Either <code>"oauth-app"</code> or <code>"token"</code>.
       </td>
     </tr>
-    <tr>
-      <th>
-        <code>options.url</code>
-      </th>
-      <th>
-        <code>string</code>
-      </th>
-      <td>
-        <strong>Required if <code>options.type</code> set to <code>"oauth-app"</code>.</strong> An absolute URL or endpoint route path. Examples:
-        <ul>
-          <li><code>"https://enterprise.github.com/api/v3/applications/1234567890abcdef1234/tokens/secret123"</code></li>
-          <li><code>"/applications/1234567890abcdef1234/tokens/secret123"</code></li>
-          <li><code>"/applications/:client_id/tokens/:access_token"</code></li>
-        </ul>
-      </td>
-    </tr>
     <tr>
       <th>
         <code>options.code</code>
@@ -339,22 +321,7 @@ The async `auth(options)` method to one of two possible authentication objects
         <code>object</code>
       </th>
       <td>
-        <code>{}</code> if no <code>url</code> option was passed or the passed <code>url</code> option <em>does not</em> match <code>/applications/:client_id/tokens/:access_token</code>.<br>
-        <br>
-        <code>{ authorization }</code> if the passed <code>url</code> option <em>does</em> match <code>/applications/:client_id/tokens/:access_token</code>.
-      </td>
-    </tr>
-    <tr>
-      <th>
-        <code>query</code>
-      </th>
-      <th>
-        <code>object</code>
-      </th>
-      <td>
-        <code>{ client_id, client_secret }</code> if no <code>url</code> option was passed or the passed <code>url</code> option <em>does not</em> match <code>/applications/:client_id/tokens/:access_token</code>.<br>
-        <br>
-        <code>{}</code> if the passed <code>url</code> option <em>does</em> match <code>/applications/:client_id/tokens/:access_token</code>.
+        <code>{ authorization }</code>.
       </td>
     </tr>
   </tbody>
@@ -433,10 +400,7 @@ The `request` option is an instance of [`@octokit/request`](https://github.com/o
 `auth.hook()` can be called directly to send an authenticated request
 
 ```js
-const { data: authorizations } = await auth.hook(
-  request,
-  "GET /applications/:client_id/tokens/:access_token"
-);
+const { data: user } = await auth.hook(request, "GET /user");
 ```
 
 Or it can be passed as option to [`request()`](https://github.com/octokit/request.js#request).
@@ -448,27 +412,23 @@ const requestWithAuth = request.defaults({
   }
 });
 
-const { data: authorization } = await requestWithAuth(
-  "GET /applications/:client_id/tokens/:access_token"
-);
+const { data: user } = await requestWithAuth("GET /user");
 ```
 
 ## Implementation details
 
-Client ID and secret can be passed as URL query parameters (`?client_id=...&client_secret=...`) to get a higher rate limit compared to unauthenticated requests. This is meant for the use on servers only: never expose an OAuth client secret on a client such as a web application!
-
-The only exceptions are
+Client ID and secret can be passed as Basic auth in the `Authorization` header in order to get a higher rate limit compared to unauthenticated requests. This is meant for the use on servers only: never expose an OAuth client secret on a client such as a web application!
 
-- [`GET /applications/:client_id/tokens/:access_token`](https://developer.github.com/v3/oauth_authorizations/#check-an-authorization) - Check an authorization
-- [`POST /applications/:client_id/tokens/:access_token`](https://developer.github.com/v3/oauth_authorizations/#reset-an-authorization) - Reset an authorization
-- [`DELETE /applications/:client_id/tokens/:access_token`](https://developer.github.com/v3/oauth_authorizations/#revoke-an-authorization-for-an-application) - Revoke an authorization for an application
+`auth.hook` will set the correct authentication header automatically based on the request URL. For all [OAuth Application endpoints](https://developer.github.com/v3/apps/oauth_applications/), the `Authorization` header is set to basic auth. For all other endpoints and token is retrieved and used in the `Authorization` header. The token is cached and used for succeeding requsets.
 
-For these endpoints, client ID and secret need to be passed as basic authentication in the `Authorization` header. Because of these exception an `options.url` parameter must be passed to the async `auth()` function if `options.type` is set to `oauth-app`. Additionally, `:client_id` and `:access_token` are defaulted to `options.clientId` passed to `createOAuthAppAuth(options)` and the token which was created using `options.code`, if passed.
-
-To reset the current access token, you can do this
+To reset the cached access token, you can do this
 
 ```js
-await auth.hook(request, "POST /applications/:client_id/tokens/:access_token");
+const { token } = await auth({ type: "token" });
+await auth.hook(request, "POST /applications/:client_id/token", {
+  client_id: "123",
+  access_token: token
+});
 ```
 
 The internally cached token will be replaced and used for succeeding requests. See also ["the REST API documentation"](https://developer.github.com/v3/oauth_authorizations/).
diff --git a/src/auth.ts b/src/auth.ts
@@ -21,28 +21,12 @@ export async function auth(
     };
   }
 
-  const [headers, query] = requiresBasicAuth(authOptions.url)
-    ? [
-        {
-          authorization: `basic ${btoa(
-            `${state.clientId}:${state.clientSecret}`
-          )}`
-        },
-        {}
-      ]
-    : [
-        {},
-        {
-          client_id: state.clientId,
-          client_secret: state.clientSecret
-        }
-      ];
-
   return {
     type: "oauth-app",
     clientId: state.clientId,
     clientSecret: state.clientSecret,
-    headers,
-    query
+    headers: {
+      authorization: `basic ${btoa(`${state.clientId}:${state.clientSecret}`)}`
+    }
   };
 }
diff --git a/src/hook.ts b/src/hook.ts
@@ -10,53 +10,54 @@ import {
   Route,
   State
 } from "./types";
+import { EndpointDefaults } from "@octokit/types";
 
 export async function hook(
   state: State,
   request: RequestInterface,
   route: Route | EndpointOptions,
   parameters?: RequestParameters
 ): Promise<AnyResponse> {
-  let endpoint = request.endpoint.merge(route as string, parameters);
+  let endpoint = request.endpoint.merge(
+    route as string,
+    parameters
+  ) as EndpointDefaults & { url: string };
 
   // Do not intercept request to retrieve a new token
   if (/\/login\/oauth\/access_token$/.test(endpoint.url as string)) {
-    return request(endpoint as EndpointOptions);
+    return request(endpoint);
   }
 
-  const { token } = await getOAuthAccessToken(state, { request });
-
-  if (!requiresBasicAuth(endpoint.url)) {
-    endpoint.headers.authorization = `token ${token}`;
-
-    return request(endpoint as EndpointOptions);
-  }
-
-  const credentials = btoa(`${state.clientId}:${state.clientSecret}`);
-  endpoint.headers.authorization = `basic ${credentials}`;
-
-  // default `:client_id` & `:access_token` URL parameters
-  if (endpoint.url && /:client_id/.test(endpoint.url)) {
-    endpoint = Object.assign(
-      {
-        client_id: state.clientId,
-        access_token: token
-      },
-      endpoint
-    );
+  if (requiresBasicAuth(endpoint.url)) {
+    const credentials = btoa(`${state.clientId}:${state.clientSecret}`);
+    endpoint.headers.authorization = `basic ${credentials}`;
+
+    const response = await request(endpoint);
+
+    const parsedEndpoint = request.endpoint.parse(endpoint);
+    // `POST /applications/:client_id/tokens/:access_token` (legacy) or
+    // `PATCH /applications/:client_id/token` resets the passed token
+    // and returns a new one. If that’s the current request then update internal state.
+    const isLegacyTokenResetRequest =
+      endpoint.method === "POST" &&
+      /^\/applications\/:?[\w_]+\/tokens\/:?[\w_]+$/.test(endpoint.url);
+    const isTokenResetRequest =
+      endpoint.method === "PATCH" &&
+      /^\/applications\/:?[\w_]+\/token$/.test(endpoint.url);
+
+    if (isLegacyTokenResetRequest || isTokenResetRequest) {
+      state.token = {
+        token: response.data.token,
+        // @ts-ignore figure this out
+        scope: response.data.scopes
+      };
+    }
+
+    return response;
   }
 
-  const response = await request(endpoint as EndpointOptions);
-
-  // `POST /applications/:client_id/tokens/:access_token` resets the passed token
-  // and returns a new one. If that’s the current request then update internal state.
-  const parsedEndpoint = request.endpoint.parse(endpoint);
-  const isTokenResetRequest =
-    parsedEndpoint.method === "POST" &&
-    new RegExp(token).test(parsedEndpoint.url);
-  if (isTokenResetRequest && state.token) {
-    state.token.token = response.data.token;
-  }
+  const { token } = await getOAuthAccessToken(state, { request });
+  endpoint.headers.authorization = `token ${token}`;
 
-  return response;
+  return request(endpoint as EndpointOptions);
 }
diff --git a/src/requires-basic-auth.ts b/src/requires-basic-auth.ts
@@ -1,6 +1,5 @@
 /**
- * An OAuth app authenticates using ?client_id=...&client_secret=... query parameters, with the
- * exception of these three endpoints, which require the client ID/secret to be sent as basic auth
+ * The following endpoints require an OAuth App to authenticate using its client_id and client_secret.
  *
  * - [`POST /applications/:client_id/token`](https://developer.github.com/v3/apps/oauth_applications/#check-a-token) - Check a token
  * - [`PATCH /applications/:client_id/token`](https://developer.github.com/v3/apps/oauth_applications/#reset-a-token) - Reset a token
@@ -14,8 +13,8 @@
  * - [`DELETE /applications/:client_id/tokens/:access_token`](https://developer.github.com/v3/apps/oauth_applications/#revoke-an-authorization-for-an-application) - Revoke an authorization for an application
  * - [`DELETE /applications/:client_id/grants/:access_token`](https://developer.github.com/v3/apps/oauth_applications/#revoke-a-grant-for-an-application) - Revoke a grant for an application
  */
-const OAUTH_ROUTES_EXCEPTIONS = /\/applications\/:?[\w_]+\/(token|grant)(s\/:?[\w_]+)?($|\?)/;
+const ROUTES_REQUIRING_BASIC_AUTH = /\/applications\/:?[\w_]+\/(token|grant)(s\/:?[\w_]+)?($|\?)/;
 
 export function requiresBasicAuth(url: string | undefined) {
-  return url && OAUTH_ROUTES_EXCEPTIONS.test(url);
+  return url && ROUTES_REQUIRING_BASIC_AUTH.test(url);
 }
diff --git a/src/types.ts b/src/types.ts
@@ -22,7 +22,6 @@ export type StrategyOptions = {
 
 type AuthAppOptions = {
   type: "oauth-app";
-  url: string;
 };
 export type AuthTokenOptions = {
   type: "token";
@@ -46,11 +45,7 @@ export type appAuthentication = {
   clientId: string;
   clientSecret: string;
   headers: {
-    authorization?: string;
-  };
-  query: {
-    client_id?: string;
-    client_secret?: string;
+    authorization: string;
   };
 };
 export type Authentication = TokenAuthentication | appAuthentication;
diff --git a/test/index.test.ts b/test/index.test.ts

-Original file line number
+Diff line change
 import { createOAuthAppAuth } from "../src/index";
 -test("README example with `url`", async () => {
 +test("README example with type: 'oauth-app'", async () => {
   const auth = createOAuthAppAuth({
     clientId: "123",
     clientSecret: "secret",
   });
   const authentication = await auth({
 -    type: "oauth-app",
 -    url: "/orgs/:org/repos"
 +    type: "oauth-app"
   });
   expect(authentication).toEqual({
     type: "oauth-app",
     clientId: "123",
     clientSecret: "secret",
 -    headers: {},
 -    query: {
 -      client_id: "123",
 -      client_secret: "secret"
 +    headers: {
 +      authorization: "basic MTIzOnNlY3JldA==" // btoa('123:secret')
+    }
   });
 });
 -test("README example with `auth: 'token'`", async () => {
 +test("README example with `type: 'token'`", async () => {
   const mock = fetchMock.sandbox().postOnce(
     "https://github.com/login/oauth/access_token",
+    {
   });
 });
 -test('`url` is "/applications/:client_id/token"', async () => {
 -  const auth = createOAuthAppAuth({
 -    clientId: "123",
 -    clientSecret: "secret",
 -    code: "random123",
 -    state: "mystate123"
 -  });
+-
 -  const authentication = await auth({
 -    type: "oauth-app",
 -    url: "/applications/:client_id/token"
 -  });
+-
 -  expect(authentication).toEqual({
 -    type: "oauth-app",
 -    clientId: "123",
 -    clientSecret: "secret",
 -    headers: {
 -      authorization: "basic MTIzOnNlY3JldA==" // btoa('123:secret')
 -    },
 -    query: {}
 -  });
 -});
+-
 -test('`url` is "/applications/:client_id/grant"', async () => {
 -  const auth = createOAuthAppAuth({
 -    clientId: "123",
 -    clientSecret: "secret",
 -    code: "random123",
 -    state: "mystate123"
 -  });
+-
 -  const authentication = await auth({
 -    type: "oauth-app",
 -    url: "/applications/:client_id/grant"
 -  });
+-
 -  expect(authentication).toEqual({
 -    type: "oauth-app",
 -    clientId: "123",
 -    clientSecret: "secret",
 -    headers: {
 -      authorization: "basic MTIzOnNlY3JldA==" // btoa('123:secret')
 -    },
 -    query: {}
 -  });
 -});
+-
 -test('`url` is "/applications/:client_id/tokens/:access_token" (deprecated)', async () => {
 -  const auth = createOAuthAppAuth({
 -    clientId: "123",
 -    clientSecret: "secret",
 -    code: "random123",
 -    state: "mystate123"
 -  });
+-
 -  const authentication = await auth({
 -    type: "oauth-app",
 -    url: "/applications/:client_id/tokens/secret123"
 -  });
+-
 -  expect(authentication).toEqual({
 -    type: "oauth-app",
 -    clientId: "123",
 -    clientSecret: "secret",
 -    headers: {
 -      authorization: "basic MTIzOnNlY3JldA==" // btoa('123:secret')
 -    },
 -    query: {}
 -  });
 -});
+-
 test("`code`, `redirectUrl`, `state` set as strategyOptions", async () => {
   const matchCreateAccessToken: MockMatcherFunction = (
     url,
   expect(mock.done()).toBe(true);
 });
 -test("auth.hook defaults URL parameters for '/applications/:client_id/tokens/:access_token'", async () => {
 +test("auth.hook(request, 'POST https://github.com/login/oauth/access_token') does not send request twice (#35)", async () => {
 +  const mock = fetchMock
 +    .sandbox()
 +    .postOnce("https://github.com/login/oauth/access_token", {
 +      access_token: "secret123",
 +      scope: ""
 +    });
++
 +  const auth = createOAuthAppAuth({
 +    clientId: "123",
 +    clientSecret: "secret"
 +  });
++
 +  const requestWithAuth = request.defaults({
 +    request: {
 +      fetch: mock,
 +      hook: auth.hook
 +    }
 +  });
++
 +  await requestWithAuth("POST https://github.com/login/oauth/access_token", {
 +    headers: {
 +      accept: "application/json"
 +    },
 +    type: "token",
 +    code: "random123",
 +    state: "mystate123"
 +  });
 +});
++
 +test("auth.hook(request, 'POST /applications/:client_id/tokens/:access_token') resets the used token (legacy endpoint)", async () => {
   const mock = fetchMock
     .sandbox()
     .postOnce("https://github.com/login/oauth/access_token", {
       access_token: "secret123",
       scope: ""
     })
     .getOnce(
 -      "https://api.github.com/applications/123/tokens/secret123",
 +      "https://api.github.com/user",
       { id: 123 },
+      {
         headers: {
 -          authorization: "basic MTIzOnNlY3JldA==" // btoa('123:secret')
 -        }
 -      }
 -    )
 -    .getOnce(
 -      "https://api.github.com/applications/123/tokens/othersecret",
 -      { id: 456 },
 -      {
 -        headers: {
 -          authorization: "basic MTIzOnNlY3JldA==" // btoa('123:secret')
 +          authorization: "token secret123"
+        }
+      }
+    )
 +    .postOnce("https://api.github.com/applications/123/tokens/secret123", {
 +      token: "newsecret123"
 +    })
     .getOnce(
 -      "https://api.github.com/applications/123/tokens/yetanothersecret",
 -      { id: 789 },
 +      "https://api.github.com/user",
 +      { id: 123 },
+      {
         headers: {
 -          authorization: "basic MTIzOnNlY3JldA==" // btoa('123:secret')
 -        }
 +          authorization: "token newsecret123"
 +        },
 +        overwriteRoutes: false
+      }
     );
     state: "mystate123"
   });
 -  const requestWithMock = request.defaults({
 -    request: {
 -      fetch: mock
 -    }
 -  });
 -  const requestWithAuth = requestWithMock.defaults({
 +  const requestWithAuth = request.defaults({
     request: {
 +      fetch: mock,
       hook: auth.hook
+    }
   });
 -  const { data: data1 } = await requestWithAuth(
 -    "GET /applications/:client_id/tokens/:access_token"
 -  );
 -  const {
 -    data: data2
 -  } = await requestWithAuth(
 -    "GET /applications/:client_id/tokens/:access_token",
 -    { access_token: "othersecret" }
 -  );
 -  const { data: data3 } = await requestWithAuth(
 -    "GET /applications/123/tokens/yetanothersecret"
 -  );
 +  const response1 = await requestWithAuth("GET /user");
 +  expect(response1.data).toStrictEqual({ id: 123 });
 -  expect(mock.done()).toBe(true);
 -  expect(data1.id).toBe(123);
 -  expect(data2.id).toBe(456);
 -  expect(data3.id).toBe(789);
 +  await requestWithAuth("POST /applications/:client_id/tokens/:access_token", {
 +    client_id: "123",
 +    access_token: "secret123"
 +  });
++
 +  const response2 = await requestWithAuth("GET /user");
 +  expect(response2.data).toStrictEqual({ id: 123 });
 });
 -test("auth.hook(request, 'POST https://github.com/login/oauth/access_token') does not send request twice (#35)", async () => {
 +test("auth.hook(request, 'POST /applications/:client_id/token') checks token", async () => {
   const mock = fetchMock
     .sandbox()
     .postOnce("https://github.com/login/oauth/access_token", {
       access_token: "secret123",
       scope: ""
 -    });
 +    })
 +    .postOnce(
 +      "https://api.github.com/applications/123/token",
 +      {
 +        token: "secret123"
 +      },
 +      {
 +        body: {
 +          access_token: "secret123"
 +        }
 +      }
 +    );
   const auth = createOAuthAppAuth({
     clientId: "123",
 -    clientSecret: "secret"
 +    clientSecret: "secret",
 +    code: "random123",
 +    state: "mystate123"
   });
   const requestWithAuth = request.defaults({
+    }
   });
 -  await requestWithAuth("POST https://github.com/login/oauth/access_token", {
 -    headers: {
 -      accept: "application/json"
 -    },
 -    type: "token",
 -    code: "random123",
 -    state: "mystate123"
 +  const response = await requestWithAuth(
 +    "POST /applications/:client_id/token",
 +    {
 +      client_id: "123",
 +      access_token: "secret123"
 +    }
 +  );
++
 +  expect(response.data).toStrictEqual({
 +    token: "secret123"
   });
 });
 -test("auth.hook(request, 'POST /applications/:client_id/tokens/:access_token') resets the used token", async () => {
 +test("auth.hook(request, 'PATCH /applications/:client_id/token') resets the used token", async () => {
   const mock = fetchMock
     .sandbox()
     .postOnce("https://github.com/login/oauth/access_token", {
       { id: 123 },
+      {
         headers: {
 -          authorization: "token secret123" // btoa('123:secret')
 +          authorization: "token secret123"
 +        }
 +      }
 +    )
 +    .patchOnce(
 +      "https://api.github.com/applications/123/token",
 +      {
 +        token: "newsecret123"
 +      },
 +      {
 +        body: {
 +          access_token: "secret123"
+        }
+      }
+    )
 -    .postOnce("https://api.github.com/applications/123/tokens/secret123", {
 -      token: "newsecret123"
 -    })
     .getOnce(
       "https://api.github.com/user",
       { id: 123 },
+      {
         headers: {
 -          authorization: "token newsecret123" // btoa('123:secret')
 +          authorization: "token newsecret123"
         },
         overwriteRoutes: false
+      }
   const response1 = await requestWithAuth("GET /user");
   expect(response1.data).toStrictEqual({ id: 123 });
 -  await requestWithAuth("POST /applications/:client_id/tokens/:access_token");
 +  await requestWithAuth("PATCH /applications/:client_id/token", {
 +    client_id: "123",
 +    access_token: "secret123"
 +  });
++
   const response2 = await requestWithAuth("GET /user");
   expect(response2.data).toStrictEqual({ id: 123 });
 });