leaonline
diff --git a/‎.versions
Lines changed: 64 additions & 69 deletions b/‎.versions
Lines changed: 64 additions & 69 deletions
diff --git a/‎API.md
Lines changed: 57 additions & 43 deletions b/‎API.md
Lines changed: 57 additions & 43 deletions
diff --git a/‎HISTORY.md
Lines changed: 10 additions & 0 deletions b/‎HISTORY.md
Lines changed: 10 additions & 0 deletions
diff --git a/‎lib/middleware/getDebugMiddleware.js
Lines changed: 22 additions & 5 deletions b/‎lib/middleware/getDebugMiddleware.js
Lines changed: 22 additions & 5 deletions
diff --git a/‎lib/middleware/secureHandler.js
Lines changed: 2 additions & 3 deletions b/‎lib/middleware/secureHandler.js
Lines changed: 2 additions & 3 deletions
@@ -1,70 +1,65 @@
-accounts-base@2.2.10
-accounts-password@2.4.0
-allow-deny@1.1.1
-babel-compiler@7.10.5
-babel-runtime@1.5.1
-base64@1.0.12
-binary-heap@1.0.11
-boilerplate-generator@1.7.2
-caching-compiler@1.2.2
-callback-hook@1.5.1
-check@1.3.2
-coffeescript@1.0.17
-dburles:mongo-collection-instances@0.1.3
-ddp@1.4.1
-ddp-client@2.6.1
-ddp-common@1.4.0
-ddp-rate-limiter@1.2.1
-ddp-server@2.7.0
-diff-sequence@1.1.2
-dynamic-import@0.7.3
-ecmascript@0.16.8
-ecmascript-runtime@0.8.1
-ecmascript-runtime-client@0.12.1
-ecmascript-runtime-server@0.11.0
-ejson@1.1.3
-email@2.2.5
-fetch@0.1.4
-geojson-utils@1.0.11
-http@1.4.4
-id-map@1.1.1
-inter-process-messaging@0.1.1
+accounts-base@3.0.4
+accounts-password@3.0.3
+allow-deny@2.1.0
+babel-compiler@7.11.3
+babel-runtime@1.5.2
+base64@1.0.13
+binary-heap@1.0.12
+boilerplate-generator@2.0.0
+callback-hook@1.6.0
+check@1.4.4
+core-runtime@1.0.0
+dburles:mongo-collection-instances@1.0.0
+ddp@1.4.2
+ddp-client@3.1.0
+ddp-common@1.4.4
+ddp-rate-limiter@1.2.2
+ddp-server@3.1.0
+diff-sequence@1.1.3
+dynamic-import@0.7.4
+ecmascript@0.16.10
+ecmascript-runtime@0.8.3
+ecmascript-runtime-client@0.12.2
+ecmascript-runtime-server@0.11.1
+ejson@1.1.4
+email@3.1.2
+facts-base@1.0.2
+fetch@0.1.5
+geojson-utils@1.0.12
+id-map@1.2.0
+inter-process-messaging@0.1.2
 jkuester:http@2.1.0
-leaonline:oauth2-server@5.1.0
-lmieulet:meteor-coverage@3.2.0
-lmieulet:meteor-legacy-coverage@0.1.0
-lmieulet:meteor-packages-coverage@0.1.0
-local-test:leaonline:oauth2-server@5.1.0
-localstorage@1.2.0
-logging@1.3.3
-meteor@1.11.5
-meteortesting:browser-tests@1.3.5
-meteortesting:mocha@2.0.3
-meteortesting:mocha-core@8.0.1
-minimongo@1.9.3
-modern-browsers@0.1.10
-modules@0.20.0
-modules-runtime@0.13.1
-mongo@1.16.8
-mongo-decimal@0.1.3
-mongo-dev-server@1.1.0
-mongo-id@1.0.8
-npm-mongo@4.17.2
-ordered-dict@1.1.0
-practicalmeteor:chai@1.9.2_3
-promise@0.12.2
-random@1.2.1
-rate-limit@1.1.1
-react-fast-refresh@0.2.8
-reactive-var@1.0.12
-reload@1.3.1
-retry@1.1.0
-routepolicy@1.1.1
-sha@1.0.9
-socket-stream-client@0.5.2
-tracker@1.3.3
-typescript@4.9.5
-underscore@1.6.0
-url@1.3.2
-webapp@1.13.8
-webapp-hashing@1.1.1
+lai:collection-extensions@1.0.0
+leaonline:oauth2-server@6.0.0
+local-test:leaonline:oauth2-server@6.0.0
+localstorage@1.2.1
+logging@1.3.5
+meteor@2.1.0
+meteortesting:browser-tests@1.7.0
+meteortesting:mocha@3.2.0
+meteortesting:mocha-core@8.2.0
+minimongo@2.0.2
+modern-browsers@0.2.0
+modules@0.20.3
+modules-runtime@0.13.2
+mongo@2.1.0
+mongo-decimal@0.2.0
+mongo-dev-server@1.1.1
+mongo-id@1.0.9
+npm-mongo@6.10.2
+ordered-dict@1.2.0
+promise@1.0.0
+random@1.2.2
+rate-limit@1.1.2
+react-fast-refresh@0.2.9
+reactive-var@1.0.13
+reload@1.3.2
+retry@1.1.1
+routepolicy@1.1.2
+sha@1.0.10
+socket-stream-client@0.6.0
+tracker@1.3.4
+typescript@5.6.3
+url@1.3.5
+webapp@2.0.5
+webapp-hashing@1.1.2
@@ -46,12 +46,16 @@ Uses the following values to check:</p>
 <li>&#39;saveRefreshToken&#39;,</li>
 <li>&#39;saveToken&#39;,</li>
 <li>&#39;getAccessToken&#39;</li>
+<li>&#39;revokeToken&#39;</li>
 </ul>
 </dd>
 <dt><a href="#UserValidation">UserValidation</a></dt>
 <dd><p>Used to register handlers for different instances that validate users.
 This allows you to validate user access on a client-based level.</p>
 </dd>
+<dt><a href="#validateParams">validateParams</a> ⇒ <code>boolean</code></dt>
+<dd><p>Abstraction that checks given query/body params against a given schema</p>
+</dd>
 <dt><a href="#app">app</a> : <code>Object</code></dt>
 <dd><p>Wrapped <code>WebApp</code> with express-style get/post and default use routes.</p>
 </dd>
@@ -76,6 +80,8 @@ Implements the OAuth2Server model with Meteor-Mongo bindings.
     * [.saveRefreshToken(token, clientId, expires, user)](#OAuthMeteorModel+saveRefreshToken) ⇒ <code>Promise.&lt;\*&gt;</code>
     * [.getRefreshToken()](#OAuthMeteorModel+getRefreshToken)
     * [.grantTypeAllowed(clientId, grantType)](#OAuthMeteorModel+grantTypeAllowed) ⇒ <code>boolean</code>
+    * [.verifyScope(accessToken, scope)](#OAuthMeteorModel+verifyScope) ⇒ <code>Promise.&lt;boolean&gt;</code>
+    * [.revokeToken()](#OAuthMeteorModel+revokeToken)
 
 <a name="OAuthMeteorModel+log"></a>
 
@@ -199,6 +205,24 @@ getRefreshToken(token) should return an object with:
 | clientId | 
 | grantType | 
 
+<a name="OAuthMeteorModel+verifyScope"></a>
+
+### oAuthMeteorModel.verifyScope(accessToken, scope) ⇒ <code>Promise.&lt;boolean&gt;</code>
+Compares expected scope from token with actual scope from request
+
+**Kind**: instance method of [<code>OAuthMeteorModel</code>](#OAuthMeteorModel)  
+
+| Param |
+| --- |
+| accessToken | 
+| scope | 
+
+<a name="OAuthMeteorModel+revokeToken"></a>
+
+### oAuthMeteorModel.revokeToken()
+revokeToken(refreshToken) is required and should return true
+
+**Kind**: instance method of [<code>OAuthMeteorModel</code>](#OAuthMeteorModel)  
 <a name="OAuth2ServerDefaults"></a>
 
 ## OAuth2ServerDefaults : <code>Object</code>
@@ -250,6 +274,7 @@ Defaults to a 500 response, unless further details were added.
 | res |  |  |
 | options | <code>Object</code> | options with error information |
 | options.error | <code>String</code> | Error name |
+| options.logError | <code>boolean</code> | optional flag to log the erroe to the console |
 | options.description | <code>String</code> | Error description |
 | options.uri | <code>String</code> | Optional uri to redirect to when error occurs |
 | options.status | <code>Number</code> | Optional statuscode, defaults to 500 |
@@ -274,6 +299,7 @@ Uses the following values to check:
 - 'saveRefreshToken',
 - 'saveToken',
 - 'getAccessToken'
+- 'revokeToken'
 
 **Kind**: global constant  
 **Returns**: <code>boolean</code> - true if valid, otherwise false  
@@ -289,6 +315,24 @@ Used to register handlers for different instances that validate users.
 This allows you to validate user access on a client-based level.
 
 **Kind**: global constant  
+
+* [UserValidation](#UserValidation)
+    * [.register(instance, validationHandler)](#UserValidation.register)
+    * [.isValid(instance, handlerArgs)](#UserValidation.isValid) ⇒ <code>\*</code>
+
+<a name="UserValidation.register"></a>
+
+### UserValidation.register(instance, validationHandler)
+Registers a validation method that allows
+to validate users on custom logic.
+
+**Kind**: static method of [<code>UserValidation</code>](#UserValidation)  
+
+| Param | Type | Description |
+| --- | --- | --- |
+| instance | [<code>OAuth2Server</code>](#OAuth2Server) |  |
+| validationHandler | <code>function</code> | sync or async function that performs the validation |
+
 <a name="UserValidation.isValid"></a>
 
 ### UserValidation.isValid(instance, handlerArgs) ⇒ <code>\*</code>
@@ -302,53 +346,23 @@ Delegates `handlerArgs` to the registered validation handler.
 | instance | [<code>OAuth2Server</code>](#OAuth2Server) | 
 | handlerArgs | <code>\*</code> | 
 
-<a name="app"></a>
+<a name="validateParams"></a>
 
-## app : <code>Object</code>
-Wrapped `WebApp` with express-style get/post and default use routes.
+## validateParams ⇒ <code>boolean</code>
+Abstraction that checks given query/body params against a given schema
 
 **Kind**: global constant  
-**See**: https://docs.meteor.com/packages/webapp.html  
-
-* [app](#app) : <code>Object</code>
-    * [.get(url, handler)](#app.get)
-    * [.post(url, handler)](#app.post)
-    * [.use(args)](#app.use)
-
-<a name="app.get"></a>
-
-### app.get(url, handler)
-Creates a get route for a given handler
-
-**Kind**: static method of [<code>app</code>](#app)  
-
-| Param | Type |
-| --- | --- |
-| url | <code>string</code> | 
-| handler | <code>function</code> | 
-
-<a name="app.post"></a>
-
-### app.post(url, handler)
-Creates a post route for a given handler.
-If headers' content-type does not equal to `application/x-www-form-urlencoded`
-then it will be transformed accordingly.
-
-**Kind**: static method of [<code>app</code>](#app)  
-
-| Param | Type |
-| --- | --- |
-| url | <code>string</code> | 
-| handler | <code>function</code> | 
-
-<a name="app.use"></a>
-
-### app.use(args)
-Default wrapper around `WebApp.use`
-
-**Kind**: static method of [<code>app</code>](#app)  
 
 | Param |
 | --- |
-| args | 
+| actualParams | 
+| requiredParams | 
+| debug | 
+
+<a name="app"></a>
 
+## app : <code>Object</code>
+Wrapped `WebApp` with express-style get/post and default use routes.
+
+**Kind**: global constant  
+**See**: https://docs.meteor.com/packages/webapp.html  
@@ -1,5 +1,15 @@
 # History
 
+### 6.0.0
+- Meteor 3 / Express compatibility
+- added scope verification in authenticated routes
+- improved internal logging
+- fix bug in validation for custom models
+- fix support for explicit `client.id` field
+
+## 5.0.0
+- sync support for @node-oauth/oauth2-server 5.x by
+
 ## 4.2.1
 - this is a patch release, fixing a syntax error 
   (that never got picked up, due to wrong linter config)
 
@@ -4,12 +4,29 @@ import { debug } from '../utils/console'
  * Creates a middleware to debug routes on an instance level
  * @private
  * @param instance
- * @return {function(*, *, *): *}
+ * @param options {object?} optional options
+ * @param options.description {string?} optional way to descrive the next handler
+ * @param options.data {boolean?} optional flag to log body/query
  */
-export const getDebugMiddleWare = instance => (req, res, next) => {
-  if (instance.debug === true) {
+export const getDebugMiddleWare = (instance, options = {}) => {
+  if (!instance.debug) {
+    return function (req, res, next) { next() }
+  }
+
+  return function (req, res, next) {
     const baseUrl = req.originalUrl.split('?')[0]
-    debug(req.method, baseUrl, req.query || req.body)
+    let message = `${req.method} ${baseUrl}`
+
+    if (options.description) {
+      message = `${message} (${options.description})`
+    }
+
+    if (options.data) {
+      const data = { query: req.query, body: req.body }
+      message = `${message} data: ${data}`
+    }
+
+    debug(message)
+    next()
   }
-  return next()
 }
@@ -8,11 +8,10 @@ import { bind } from '../utils/bind'
  * @param handler
  * @return {Function}
  */
-export const secureHandler = (self, handler) => bind(function (req, res, next) {
+export const secureHandler = (self, handler) => bind(async function (req, res, next) {
   const that = this
-
   try {
-    handler.call(that, req, res, next)
+    return handler.call(that, req, res, next)
   } catch (anyError) {
     // to avoid server-crashes we wrap all request handlers and
     // catch the error here, creating a default 500 response