- Complete re-write, with Promises and callback support
- Dropped support for node v0.8, v0.10, v0.12
- Supports Node v4, v6, v7, and v8. Will continue support for node current and active LTS versions
- For migration guide, see https://oauth2-server.readthedocs.io/en/latest/misc/migrating-v2-to-v3.html
- Fix header setting syntax
- Fix docs for supported grant types
- Set Cache-Control and Pragma headers
- Allow any valid URI for extension grants
- Expose client to extendedGrant and after via req.oauth.client
- Fix express deprecation warning for res.send()
- Expose user to generateToken and after via req.user
- Fix lockdown pattern for express 3
- Add redis example
- Fix docs to use new express bodyParser module
- Fix docs for redirect_uri
- Clarify docs for clientIdRegex
- Fix docs for missing req argument in generateToken
- Fix docs for user/userId getAccessToken
- Fix docs for argument order in getRefreshToken
- Support "state" param for auth_code grant type
- Docs for client_credentials grant type
- Fix getRefreshToken in postgres model example
- Fix bug when client has multiple redirect_uri's (#84)
- Fix node 0.8.x (well npm 1.2.x) support
- Support custom loggers via debug param
- Make OAuth2Error inherit from Error for fun and profit
- Don't go crazy when body is null
- Update tests and examples to express 4
- Fix lockdown pattern for express 4
- Update dev dependencies (mocha, should and supertest)
- Allow client to return an array of multiple valid redirect URI's
- Fix continueAfterResponse when granting
- Add support for client_credentials grant type (@lucknerjb)
- Support Authorization grant via GET request (@mjsalinger)
- Fix continueAfterResponse option
- Add "WWW-Authenticate" header for invalid_client
- Huge internal refactor
- Switch from internal router ("allow" property) to exposing explicit authorisation middleware to be added to individual routes
- Expose grant middleware to be attached to a route of your choosing
- Switch all model variables to camelCasing
- Add support for authorization_code grant type (i.e. traditional "allow", "deny" with redirects etc.)
- Some, previously wrong, error codes fixed
- Fix tests for daylight saving
- Fix expiration token checking (previously expires was wrongly checked against boot time)
- Add repository field to package
- Add support for non-expiring tokens (set accessTokenLifetime/refreshTokenLifetime = null)
- Passthrough debug errors from custom generateToken
- Allow access token in body when not POST (only deny GET)
- Add support for refresh_token grant type
- Require application/x-www-form-urlencoded when access token in body
- Require authentication on both client id and secret
- Fix client credentials extraction from Authorization header
- Add passthroughErrors option
- Optimise oauth.handler() with regex caching
- Add PostgreSQL example
- Allow req.user to be set by setting token.user in getAccessToken
- Expose the token passed back from getAccessToken in req.token
- Pass through Bad Request errors from connect
- Fix generateToken override
- Allow extended grant to pass back custom error
- Fix reissuing
- Allow token reissuing (Model can return an object to indicate a reissue, plain string (as in previous implementation) or null to revert to the default token generator)
- Add optional generateToken method to model to allow custom token generation
- Fix expired token checking
- Add support for extension grants
- Use async crypto.randomBytes in token generation
- Refactor structure, break into more files