Passport HTTP OAuth 1.0 Strategy
This package provides an HTTP OAuth 1.0 authentication strategy for Passport.js, enabling authentication of requests that use the `Authorization: OAuth ...` scheme defined by the OAuth 1.0 protocol (RFC 5849). It ships with two strategies: `ConsumerStrategy`, which authenticates a consumer (client) by its key and secret and is used on the request-token and access-token endpoints, and `TokenStrategy`, which authenticates subsequent API requests signed with a previously issued access token. Both strategies parse the header and verify the `oauth_signature` themselves; the application supplies callbacks that look up the consumer secret, the token secret and the user, and that validate the timestamp and nonce.

Last published in February 2013 (current version 0.1.3), the module is unmaintained. Its `engines.node` entry of `>= 0.4.0` is a floor, not evidence of compatibility: it has never been tested against any Node.js line released since, so it may still load but nobody will fix it when it breaks. OAuth 1.0 has largely been superseded by OAuth 2.0 for new development, which replaces per-request HMAC signatures with bearer tokens carried over TLS and accommodates more client types than traditional web applications. This module should not be used in new projects or integrated into contemporary systems.
Common errors
- Error: Cannot find module 'passport'
  cause: The core `passport` library is not installed in the project's `node_modules`; the strategies plug into it and the application must `require('passport')` itself.
  fix: `npm install passport`
- Error: Cannot find module 'passport-http-oauth'
  cause: The `passport-http-oauth` package itself has not been installed.
  fix: `npm install passport-http-oauth`
- TypeError: Strategy is not a constructor
  cause: The binding passed to `new` is `undefined`. `Strategy` is not a name this package documents; its documented constructors are `ConsumerStrategy` and `TokenStrategy`, so destructuring `Strategy` yields `undefined`. A typo in the name, or a mismatch between ES module `import` interop and the module's CommonJS exports, produces the same error.
  fix: `const { ConsumerStrategy, TokenStrategy } = require('passport-http-oauth');`. When in doubt, print the export object (`console.log(Object.keys(require('passport-http-oauth')))`) and use only the names it lists.
- ERR_OSSL_EVP_UNSUPPORTED: Unsupported cipher algorithm
  cause: Node.js 17+ links OpenSSL 3, whose default provider no longer enables MD4, RC4 and the other algorithms relegated to the legacy provider. OAuth 1.0's HMAC-SHA1 goes through `crypto.createHmac('sha1', ...)`, which OpenSSL 3 still supports, so this error comes from another module in the dependency tree rather than from the signature check.
  fix: Identify the module requesting the legacy algorithm from the stack trace and replace or update it. Avoid the two tempting workarounds, downgrading to an end-of-life Node.js release or starting Node with `--openssl-legacy-provider`, since both re-enable weak primitives process-wide. Because this package is unmaintained, the durable fix is migrating to an actively maintained authentication strategy.
Warnings
- breaking This package is effectively abandoned: its last release (0.1.3) dates from February 2013 and it has not been tested against any Node.js line released since. It may still load on current Node.js, but any runtime error, dependency conflict or security flaw you hit will stay unfixed.
- breaking The `engines.node` entry specifies '>= 0.4.0'. That is a floor, not a verified range: no one has confirmed the package against modern Node.js, so expect deprecation warnings for APIs it uses and untested interactions with current `passport` releases. Pin the version and test thoroughly if you must run it at all.
- gotcha OAuth 1.0 signs every request with HMAC-SHA1 over a canonical base string (HTTP method, base URL, and the sorted, percent-encoded request parameters, RFC 5849 section 3.4.1). Client and server must canonicalize identically or valid requests are rejected as "invalid signature"; conversely, a server that compares signatures with `===`, skips nonce and timestamp tracking, or accepts the PLAINTEXT method over cleartext HTTP gives up most of what the signatures were meant to provide. These strategies verify `oauth_signature` themselves but delegate timestamp and nonce validation to your third callback; a callback that unconditionally returns `done(null, true)` leaves every signed request replayable. OAuth 2.0's bearer tokens shift that burden onto TLS, which is one reason it displaced OAuth 1.0.
- gotcha As an abandoned package, `passport-http-oauth` will not receive security patches for newly discovered vulnerabilities in its own code or its transitive dependencies. Using it in production is a supply-chain risk: audit tooling will flag it and there is no upstream to take a fix.
Install
- npm install passport-http-oauth
- yarn add passport-http-oauth
- pnpm add passport-http-oauth
Imports
- ConsumerStrategy
  const { ConsumerStrategy } = require('passport-http-oauth');
  import { ConsumerStrategy } from 'passport-http-oauth';
- TokenStrategy
  const { TokenStrategy } = require('passport-http-oauth');
  import { TokenStrategy } from 'passport-http-oauth';

The package is CommonJS and its documentation uses `require()`; `ConsumerStrategy` and `TokenStrategy` are the documented exports. The `import` forms rely on Node's named-export detection for CommonJS modules; if a name comes back `undefined`, fall back to `require()`.
Quickstart
const express = require('express');
const passport = require('passport');
const { ConsumerStrategy, TokenStrategy } = require('passport-http-oauth');

const app = express();
// Stateless API: no sessions, every request carries its own OAuth signature.
app.use(passport.initialize());

// Placeholder stores. Replace with database lookups in a real application.
const consumers = { myConsumerKey: { id: 'myConsumer', secret: 'myConsumerSecret' } };
const accessTokens = { myAccessToken: { secret: 'myAccessTokenSecret', userId: 'userId123' } };
const users = { userId123: { id: 'userId123', name: 'Test User' } };

// Replay protection. The strategies verify oauth_signature themselves but delegate
// timestamp and nonce checking to this callback, so it must reject stale timestamps
// and any (timestamp, nonce) pair seen before. An in-memory Set is fine for a demo;
// production needs a shared store whose TTL matches the accepted clock skew.
const seenNonces = new Set();
const MAX_SKEW_SECONDS = 300;
function validateTimestampAndNonce(timestamp, nonce, done) {
  const skew = Math.abs(Date.now() / 1000 - Number(timestamp));
  if (!Number.isFinite(skew) || skew > MAX_SKEW_SECONDS) { return done(null, false); }
  const key = `${timestamp}:${nonce}`;
  if (seenNonces.has(key)) { return done(null, false); }
  seenNonces.add(key);
  return done(null, true);
}

// Shared by both strategies: look up the consumer and pass its secret as the third
// argument so the strategy can compute the expected HMAC-SHA1 signature.
function findConsumer(consumerKey, done) {
  const consumer = consumers[consumerKey];
  if (!consumer) { return done(null, false); }
  return done(null, consumer, consumer.secret);
}

// --- Consumer Strategy (request token / access token endpoints) ---
passport.use('consumer', new ConsumerStrategy(
  findConsumer,
  // Called only when the request carries an oauth_token, i.e. a temporary request
  // token presented to the access-token endpoint. Return that token's secret.
  // The initial request-token call has no oauth_token, so this is skipped there.
  function(requestToken, done) {
    // Replace with a lookup of request tokens this server has issued.
    return done(null, false);
  },
  validateTimestampAndNonce
));

// --- Token Strategy (protected API endpoints) ---
passport.use('token', new TokenStrategy(
  findConsumer,
  // Look up the access token, resolve the user it was issued to, and return the
  // token secret so the strategy can verify the signature.
  function(accessToken, done) {
    const token = accessTokens[accessToken];
    if (!token) { return done(null, false); }
    const user = users[token.userId];
    if (!user) { return done(null, false); }
    return done(null, user, token.secret);
  },
  validateTimestampAndNonce
));

// Request token endpoint, authenticated by ConsumerStrategy.
app.get('/oauth/request_token', passport.authenticate('consumer', { session: false }), (req, res) => {
  // Generate a request token and secret here, persist them, and return them
  // form-encoded as oauth_token, oauth_token_secret and oauth_callback_confirmed=true.
  res.json({ message: 'Request token endpoint reached via Consumer Strategy!' });
});

// Protected API endpoint, authenticated by TokenStrategy. req.user is the object
// returned by the access-token callback above.
app.get('/api/resource', passport.authenticate('token', { session: false }), (req, res) => {
  res.json({ message: `Hello, ${req.user.name}! Access granted via Token Strategy.` });
});

const PORT = 3000;
app.listen(PORT, () => {
  console.log(`Server running on http://localhost:${PORT}`);
  console.log('Send requests with an OAuth 1.0 Authorization header, e.g.');
  console.log('GET /api/resource with Authorization: OAuth oauth_consumer_key="myConsumerKey", oauth_token="myAccessToken", oauth_signature_method="HMAC-SHA1", oauth_timestamp="...", oauth_nonce="...", oauth_version="1.0", oauth_signature="..."');
});