{"id":17325,"library":"passport-http-oauth","title":"Passport HTTP OAuth 1.0 Strategy","description":"This package provides an HTTP OAuth 1.0 authentication strategy for Passport.js, enabling authentication of requests using the authorization scheme defined by the OAuth 1.0 protocol. It ships with two primary strategies: `ConsumerStrategy` for authenticating consumers (clients) based on their keys and secrets, typically used for request token and access token endpoints, and `TokenStrategy` for authenticating subsequent API requests using previously issued access tokens. Last published in February 2013, with its current stable version being 0.1.3, this module is severely outdated. It targets Node.js versions `>= 0.4.0`, rendering it incompatible with modern Node.js environments and best practices. While OAuth 1.0 was a significant advancement, it has largely been superseded by OAuth 2.0 for new application development due to OAuth 2.0's simplified implementation, its reliance on HTTPS for security, and its greater flexibility for various client types beyond traditional web applications. This module is considered abandoned and should not be used in new projects or integrated into contemporary systems.","status":"abandoned","version":"0.1.3","language":"javascript","source_language":"en","source_url":"git://github.com/jaredhanson/passport-http-oauth","tags":["javascript","passport","http","oauth","authn","authentication","authz","authorization","api"],"install":[{"cmd":"npm install passport-http-oauth","lang":"bash","label":"npm"},{"cmd":"yarn add passport-http-oauth","lang":"bash","label":"yarn"},{"cmd":"pnpm add passport-http-oauth","lang":"bash","label":"pnpm"}],"dependencies":[{"reason":"Core Passport.js library required for defining and using authentication strategies.","package":"passport","optional":false}],"imports":[{"note":"The package exclusively uses CommonJS modules. Attempting to use ES module syntax (import) will result in a runtime error. This module is often directly extended to create custom strategies.","wrong":"import { Strategy } from 'passport-http-oauth';","symbol":"Strategy","correct":"const { Strategy } = require('passport-http-oauth');"},{"note":"Used for authenticating OAuth 1.0 consumers (applications) at the request token and access token endpoints. It expects a consumer key and secret for signature verification.","wrong":"import { ConsumerStrategy } from 'passport-http-oauth';","symbol":"ConsumerStrategy","correct":"const { ConsumerStrategy } = require('passport-http-oauth');"},{"note":"Designed for protecting API endpoints by authenticating requests using issued OAuth 1.0 access tokens and their associated secrets.","wrong":"import { TokenStrategy } from 'passport-http-oauth';","symbol":"TokenStrategy","correct":"const { TokenStrategy } = require('passport-http-oauth');"}],"quickstart":{"code":"const express = require('express');\nconst passport = require('passport');\nconst { ConsumerStrategy, TokenStrategy } = require('passport-http-oauth');\n\nconst app = express();\n\n// Minimal Passport setup for an API\napp.use(passport.initialize());\n\n// --- Consumer Strategy (for Request Token/Access Token Endpoints) ---\npassport.use('consumer', new ConsumerStrategy(\n  function(consumerKey, done) {\n    // In a real app, look up consumerKey in your database\n    if (consumerKey === 'myConsumerKey') {\n      // Return consumer secret\n      return done(null, { id: 'myConsumer', secret: 'myConsumerSecret' });\n    } else {\n      return done(null, false);\n    }\n  },\n  function(consumer, done) {\n    // This is typically for validating a temporary token if one is supplied\n    // For initial request tokens, no token is present, so we just return the consumer.\n    return done(null, consumer);\n  },\n  function(consumer, token, signature, params, done) {\n    // In a real app, validate the request signature based on consumer, token, and parameters\n    // This is a placeholder for actual signature verification logic\n    const isValidSignature = true; // Replace with actual crypto-based validation\n    if (isValidSignature) {\n      return done(null, consumer);\n    } else {\n      return done(null, false, { message: 'Invalid signature.' });\n    }\n  }\n));\n\n// --- Token Strategy (for Protected API Endpoints) ---\npassport.use('token', new TokenStrategy(\n  function(consumerKey, done) {\n    // In a real app, look up consumerKey in your database\n    if (consumerKey === 'myConsumerKey') {\n      return done(null, { id: 'myConsumer', secret: 'myConsumerSecret' });\n    } else {\n      return done(null, false);\n    }\n  },\n  function(consumer, token, done) {\n    // In a real app, look up token and token secret in your database\n    if (token === 'myAccessToken') {\n      // Typically return the user associated with this token\n      return done(null, { id: 'userId123', name: 'Test User', tokenSecret: 'myAccessTokenSecret' });\n    } else {\n      return done(null, false);\n    }\n  },\n  function(consumer, token, profile, signature, params, done) {\n    // In a real app, validate the request signature\n    const isValidSignature = true; // Replace with actual crypto-based validation\n    if (isValidSignature) {\n      return done(null, profile);\n    } else {\n      return done(null, false, { message: 'Invalid signature.' });\n    }\n  }\n));\n\n// Example: Request token endpoint protected by ConsumerStrategy\napp.get('/oauth/request_token', passport.authenticate('consumer', { session: false }), (req, res) => {\n  // Generate and return a request token here\n  res.json({ message: 'Request token endpoint reached via Consumer Strategy!' });\n});\n\n// Example: Protected API endpoint using TokenStrategy\napp.get('/api/resource', passport.authenticate('token', { session: false }), (req, res) => {\n  res.json({ message: `Hello, ${req.user.name}! Access granted via Token Strategy.` });\n});\n\nconst PORT = 3000;\napp.listen(PORT, () => {\n  console.log(`Server running on http://localhost:${PORT}`);\n  console.log('Use tools like Postman to send requests with OAuth 1.0 Authorization header.');\n  console.log('e.g., GET /api/resource with Authorization: OAuth consumer_key=\"myConsumerKey\", oauth_token=\"myAccessToken\", oauth_signature_method=\"HMAC-SHA1\", oauth_timestamp=\"...\", oauth_nonce=\"...\", oauth_version=\"1.0\", oauth_signature=\"...\"');\n});","lang":"javascript","description":"This quickstart demonstrates how to configure and use `ConsumerStrategy` and `TokenStrategy` with Express and Passport.js for OAuth 1.0 authentication. It sets up mock consumer and token validation for illustrative purposes, emphasizing the distinct roles of each strategy for different OAuth 1.0 endpoints."},"warnings":[{"fix":"Migrate to a modern authentication solution, preferably using OAuth 2.0 (e.g., `passport-oauth2` or provider-specific OAuth 2.0 strategies like `passport-google-oauth20`) for new implementations. If OAuth 1.0 is strictly required, consider actively maintained alternatives or be prepared to fork and maintain the code yourself.","message":"This package is effectively abandoned, with its last release (0.1.3) dating back to February 2013. It is not maintained and is highly unlikely to be compatible with modern Node.js versions (e.g., Node.js 14+), which may lead to runtime errors, dependency conflicts, or critical security vulnerabilities.","severity":"breaking","affected_versions":"all"},{"fix":"This package is not compatible with modern Node.js runtimes. There is no direct fix for modern Node.js; a complete replacement or substantial refactoring is necessary.","message":"The `engines.node` entry specifies '>= 0.4.0', indicating compatibility with extremely old Node.js versions. Using this package with current Node.js versions will almost certainly result in compatibility issues, including deprecated APIs, incompatible buffer handling, and potentially missing native modules or crypto functions.","severity":"breaking","affected_versions":"all"},{"fix":"For new applications, prioritize OAuth 2.0, which is simpler to implement and generally considered more flexible and secure for a wider range of modern application architectures. Ensure all OAuth 2.0 communication occurs over HTTPS.","message":"OAuth 1.0, while robust for its time, relies on complex cryptographic signatures for every request. Compared to OAuth 2.0's simpler bearer token model (often secured via HTTPS), OAuth 1.0 implementation can be more challenging and error-prone. The complexity of handling secrets and signature generation increases the attack surface if not implemented perfectly.","severity":"gotcha","affected_versions":"all"},{"fix":"Do not use abandoned packages in production. Regularly audit your dependencies for known vulnerabilities using tools like `npm audit` or Snyk, and prioritize using actively maintained libraries. For authentication, always opt for well-supported and secure solutions.","message":"As an abandoned package, `passport-http-oauth` will not receive security patches for newly discovered vulnerabilities in its own code or its transitive dependencies. This poses a significant supply chain risk if used in production, potentially exposing your application to known exploits.","severity":"gotcha","affected_versions":"all"}],"env_vars":null,"last_verified":"2026-04-22T00:00:00.000Z","next_check":"2026-07-21T00:00:00.000Z","problems":[{"fix":"Ensure `passport` is installed: `npm install passport`","cause":"The core `passport` library is not installed or available in the project's `node_modules`.","error":"Error: Cannot find module 'passport'"},{"fix":"Install the package: `npm install passport-http-oauth`","cause":"The `passport-http-oauth` package itself has not been installed.","error":"Error: Cannot find module 'passport-http-oauth'"},{"fix":"Use CommonJS `require()` syntax as the package does not support ES modules: `const { Strategy } = require('passport-http-oauth');`","cause":"Attempting to import `Strategy` (or `ConsumerStrategy`, `TokenStrategy`) using ES module `import` syntax instead of CommonJS `require()`, or trying to access it incorrectly from the module export.","error":"TypeError: Strategy is not a constructor"},{"fix":"This package is incompatible with modern Node.js. It's impossible to fix this without rewriting the package's cryptographic parts to use modern Node.js crypto APIs. The only solution is to migrate to a modern, actively maintained authentication strategy or to run the application in an environment with an extremely old and insecure Node.js version, which is not recommended.","cause":"This error or similar OpenSSL-related errors often occur when running very old Node.js packages with modern Node.js versions (e.g., Node.js 17+). The underlying crypto algorithms or their default settings used by old libraries might be deprecated or removed in newer OpenSSL versions linked by Node.js.","error":"ERR_OSSL_EVP_UNSUPPORTED: Unsupported cipher algorithm"}],"ecosystem":"npm","meta_description":null}