accounted4 is intended to make it easy for developers to add third-party OAuth2^! support to their Node.js applications. This project is still in its infancy; more features and providers will be added in the future. Supported OAuth2 providers are detailed below.

For more information on OAuth2, the folks at FusionAuth wrote a fantastic, easy-to-understand OAuth2 guide that I highly recommend. Additionally, the OAuth2 specification is a great resource for all other information about OAuth2.

Usage

Install the @tycrek/accounted4 package:

npm i @tycrek/accounted4

# You'll also need express-session and a session store. Optimally you'll use something other than MemoryStore in production.
npm i express-session memorystore

Preparing the code

accounted4 is intended for use with Express. It requires the use of express-session and a compatible session store. The easiest way to get started is by using the memorystore module. In a production environment, it is recommended to use a proper database with the corresponding module for a session store.

For tutorial purposes, this README will use memorystore, but feel free to use another if you prefer.

import { Accounted4 } from '@tycrek/accounted4';
import express from 'express';
import session from 'express-session';
import MemoryStore from 'memorystore';

const app = express();
const sessionStore = MemoryStore(session);

The next block attaches the session middleware to Express. You are recommended to adjust these settings as you see fit.

const DAY = 86400000;
app.use(session({
    name: 'accounted4',
    resave: true,
    saveUninitialized: false,
    cookie: { maxAge: DAY, secure: false /* set to true if using HTTPS*/ },
    secret: (Math.random() * 100).toString(),
    store: new sessionStore({ checkPeriod: DAY }) as any,
}));

This will initialize a session for each visitor to your app, which is accessible through req.session.

Configure a provider

For any provider you choose, you'll have to set up an "app" on the corresponding developer dashboard. See below for details on how to set this up for each provider.

Redirect URI's

Pretty much every provider requires a redirect URI. This is the URL that the provider will redirect to after the user has authenticated. To save some bytes, I'll just describe the redirect URI here, then you'll use it for all providers. If any providers use a different format, I'll note those differences in their subsection.

• For local development: http://localhost:8080/accounted4/<provider-name>
• For production: https://<your-domain.com>/accounted4/<provider-name>

Replace <provider-name> with the name of the provider, as listed below, in lowercase. You do not need a trailing slash. For example: https://awesome-website.com/accounted4/github or http://localhost:8080/accounted4/microsoft.

Providers

Configure accounted4

Finally, we create an instance of Accounted4. Passing the app is required as accounted4 needs to create routes for the OAuth2 provider to call upon for redirects. Support for more than one provider is planned for the future.

You can choose to apply the middleware to specific paths, or to the entire app.

const ac4 = new Accounted4(app, {
    hostname: 'localhost',
    port: 8080,
    defaultProvider: 'Microsoft',
    optionalProviders: ['GitHub'], // ! optionalProviders not yet implemented
    providerOptions: {
        Microsoft: {
            // Required by every provider
            clientId: secrets.MICROSOFT_CLIENT_ID,
            clientSecret: secrets.MICROSOFT_CLIENT_SECRET,

            // Optional for every provider (some have defaults)
            scopes: ['user.read', 'offline_access'], // You can add additional scopes

            // Optional for Microsoft (other providers may have other optional properties)
            tenant: 'consumers',
        },
        GitHub: {
            clientId: secrets.GITHUB_CLIENT_ID,
            clientSecret: secrets.GITHUB_CLIENT_SECRET,
        }
    }
});

app.use(ac4.auth());
// or
app.use('/my-private-zone', ac4.auth());

Now add the rest of your routes and start the app. Visiting any of your routes will redirect the user to the OAuth2 provider. Once they sign in, they'll be redirected back to your app.

Using the providers' API

After successful authentication, accounted4 stores the provider name and access token in the session. You can access these values through the req.session.accounted4 object. This access token can be used with the API of your chosen provider (make sure you include any necessary scopes when configuring the provider).

Next steps

At the moment, that's all there is to it! As development continues, I'll add more docs on usage.

List of providers

• Discord (with refresh)
• GitHub
• Google
• Microsoft
• Spotify (with refresh)
• Twitch (with refresh)
• Yahoo
• Amazon
• Facebook
• Twitter
• Reddit
• Shutterstock
• LinkedIn
• Intuit
• Adobe
• PayPal?
• Eventbrite
• Dropbox
• Slack
• Bitly
• Box
• GitLab
• Imgur
• Instagram
• Stripe?
• Stack Exchange
• Strava
• Vimeo
• VK (it's in russian) (more docs from @d1snin)
• Yandex
• Zoho
• SoundCloud
• Flickr?
• Pocket
• Pinterest
• Tumblr
• TikTok
• Apple (annoyingly complex guidelines)

To-do

• Add providers
• Add documentation/tests/examples
• Add support for multiple providers
• Implement logout
• Implement refreshing tokens
• Automatic State checking

Disclaimer

accounted4 is set up for OAuth2 Authorization Code Grants. If your project requires a different grant, then this library may not be the right choice. Word of advice: never use implicit grant.