ricokahler / oauth2-popup-flow Goto Github PK

Right now on bundlephobia, oauth2-popup-flow has a bundle size of 1.6kB. This is okay but it could be much smaller. I attribute this to the use of the classes and static methods that a minifier doesn't have the ability to minifiy.

For v2, we'll remove the class and that will probably give us a much smaller bundle size.

Self-explanatory. This issue exists as a work item for me to implement this.

In README.md you have "React + React Router" pointing to a broken link.

On many modern browsers, window.open doesn't actually use a popup. Instead, it opens a new tab. Being able to customize the windowFeatures passed to window.open (e.g. as part of a "popupOptions` dictionary) would allow developers to customize the size and behavior of the login window, including whether it opens as a popup and, if so, where on the page it opens.

Here's a simple usage example i'm envisioning:

const tumblr = new OAuth2PopupFlow({
  authorizationUri: 'https://example.com/oauth2/authorize',
  clientId: 'YOUR_CLIENT_ID',
  redirectUri: "http:​//localhost:8000/redirect.html",
  scope: 'basic',
  popupOptions: {
    popup: true,
    width: 500,
    height: 800,
  }
});

and the corresponding window.open call would be:

window.open("https://example.com/oauth2/authorize?...", "oauth_login_window", "popup=true,width=500,height=800");

Some authentication services return a "code" as part of the OAuth flow and that eventually needs to be converted into a full token. It'd be great to be able to use afterResponse to perform an API request to convert the temporary code into the token?

As another chore item to myself, this repo has some dev deps that have some security vulnerabilities. This doesn't matter for end-users because this library has zero dependencies as a feature but it'd be nice to get up to date. While I'm at it, might as well update the docs to work.

• update dev deps
• update docs

Rollup is known to produce smaller and more readable bundles so as a chore item to myself, this repo will switch to using rollup.

I may also start creating ESM ES6 bundles just to have it (however, this isn't very useful because there's not really anything to tree shake).

The docs for token and tokenPayload say

If the user is loggedIn(), the token will be returned immediate, else it will open a popup and wait until the user is loggedIn() (i.e. a new token has been added)."

However, this is incorrect. token() and tokenPayload() do not open a popup on their own, they have to be used in combination .

IMO, this is pretty inconvenient for an implementor. It would be better if token() and tokenPayload() matched the documented behavior, and just "did the right thing" automatically depending on whether the user was logged in or not.

Quite a bit has chanced since this lib has been released so this issue represents what features should go into v2.

• #41
• #132
• #134
• repo overhaul — most of my other repos have a lot more CI and updated builds so this one will follow that work. This will include renovatebot, semantic release, updated rollup configs

Some OAuth 2 implementations, when using implicit flow, will pass back a hash that looks something like this:

localhost:8080/redirect.html#access_token=redacted&expires_in=2520&token_type=bearer&scope=basic&state=whatever#_=_

This is to defend against open redirects in clients that don't strictly specify their redirect URLs. It's a very common legacy OAuth behavior. However, decodeUriToObject doesn't handle this case correctly. Instead, the trailing #_ is added to the last string property, as follows:

{
    "access_token": "redacted",
    "expires_in": "2520",
    "token_type": "bearer",
    "scope": "basic",
    "state": "whatever#_"
}

Note that although the "state" property comes from additionalAuthorizationParameters, it's not special here. The server can choose to pass back the authorization response properties in whatever order it chooses to, and #_ would always be included with whatever value comes last in the URL, including the access_token or the expires_in value, among others.

I've been using renovate bot for dependencies and it's way more convenient over dependabot. This is chore item for me.

Also:

• switch to microbundle
• use semantic release for publishing
• renovate bot

The examples I wrote for this repo are over a year old. If someone would be willing, I'm accepting PRs for updated examples or even new ones.

Additionally, it would be nice to move them to CodeSandbox.

Let me know!