fix(oauth): correct OAuth implementation to match bunq documentation
This commit is contained in:
18
changelog.md
18
changelog.md
@@ -1,5 +1,23 @@
|
|||||||
# Changelog
|
# Changelog
|
||||||
|
|
||||||
|
## 2025-07-22 - 3.0.8 - fix(oauth)
|
||||||
|
Correct OAuth implementation to match bunq documentation
|
||||||
|
|
||||||
|
- Removed OAuth mode from HTTP client - OAuth tokens use normal request signing
|
||||||
|
- OAuth tokens now work exactly like regular API keys (per bunq docs)
|
||||||
|
- Fixed test comments to reflect correct OAuth behavior
|
||||||
|
- Simplified OAuth handling by removing unnecessary special cases
|
||||||
|
- OAuth tokens properly go through full auth flow with request signing
|
||||||
|
|
||||||
|
## 2025-07-22 - 3.0.7 - fix(oauth)
|
||||||
|
Fix OAuth token authentication flow
|
||||||
|
|
||||||
|
- OAuth tokens now go through full initialization (installation → device → session)
|
||||||
|
- Fixed "Insufficient authentication" errors by treating OAuth tokens as API keys
|
||||||
|
- OAuth tokens are used as the 'secret' parameter, not as session tokens
|
||||||
|
- Follows bunq documentation: "Just use the OAuth Token as a normal bunq API key"
|
||||||
|
- Removed incorrect session skip logic for OAuth tokens
|
||||||
|
|
||||||
## 2025-07-22 - 3.0.6 - fix(oauth)
|
## 2025-07-22 - 3.0.6 - fix(oauth)
|
||||||
Fix OAuth token private key error
|
Fix OAuth token private key error
|
||||||
|
|
||||||
|
@@ -1,6 +1,6 @@
|
|||||||
{
|
{
|
||||||
"name": "@apiclient.xyz/bunq",
|
"name": "@apiclient.xyz/bunq",
|
||||||
"version": "3.0.6",
|
"version": "3.0.8",
|
||||||
"private": false,
|
"private": false,
|
||||||
"description": "A full-featured TypeScript/JavaScript client for the bunq API",
|
"description": "A full-featured TypeScript/JavaScript client for the bunq API",
|
||||||
"type": "module",
|
"type": "module",
|
||||||
|
12
readme.md
12
readme.md
@@ -436,17 +436,19 @@ const bunq = new BunqAccount({
|
|||||||
apiKey: 'your-oauth-access-token', // OAuth token from bunq OAuth flow
|
apiKey: 'your-oauth-access-token', // OAuth token from bunq OAuth flow
|
||||||
deviceName: 'OAuth App',
|
deviceName: 'OAuth App',
|
||||||
environment: 'PRODUCTION',
|
environment: 'PRODUCTION',
|
||||||
isOAuthToken: true // Important: Set this flag for OAuth tokens
|
isOAuthToken: true // Optional: Set for OAuth-specific handling
|
||||||
});
|
});
|
||||||
|
|
||||||
await bunq.init();
|
await bunq.init();
|
||||||
|
|
||||||
// OAuth tokens already have an associated session from the OAuth flow,
|
// OAuth tokens work just like regular API keys:
|
||||||
// so the library will skip session creation and use the token directly
|
// 1. They go through installation → device → session creation
|
||||||
|
// 2. The OAuth token is used as the 'secret' during authentication
|
||||||
|
// 3. A session token is created and used for all API calls
|
||||||
const accounts = await bunq.getAccounts();
|
const accounts = await bunq.getAccounts();
|
||||||
|
|
||||||
// Note: OAuth tokens have their own expiry mechanism managed by bunq's OAuth server
|
// According to bunq documentation:
|
||||||
// The library will not attempt to refresh OAuth tokens
|
// "Just use the OAuth Token (access_token) as a normal bunq API key"
|
||||||
```
|
```
|
||||||
|
|
||||||
### Error Handling
|
### Error Handling
|
||||||
|
@@ -15,7 +15,8 @@ tap.test('should handle OAuth token initialization', async () => {
|
|||||||
|
|
||||||
// Mock test - in reality this would connect to bunq
|
// Mock test - in reality this would connect to bunq
|
||||||
try {
|
try {
|
||||||
// The init should skip session creation for OAuth tokens
|
// OAuth tokens should go through full initialization flow
|
||||||
|
// (installation → device → session)
|
||||||
await oauthBunq.init();
|
await oauthBunq.init();
|
||||||
console.log('OAuth token initialization successful (mock)');
|
console.log('OAuth token initialization successful (mock)');
|
||||||
} catch (error) {
|
} catch (error) {
|
||||||
@@ -24,7 +25,7 @@ tap.test('should handle OAuth token initialization', async () => {
|
|||||||
}
|
}
|
||||||
});
|
});
|
||||||
|
|
||||||
tap.test('should not attempt session refresh for OAuth tokens', async () => {
|
tap.test('should handle OAuth token session management', async () => {
|
||||||
const oauthBunq = new bunq.BunqAccount({
|
const oauthBunq = new bunq.BunqAccount({
|
||||||
apiKey: 'test-oauth-token',
|
apiKey: 'test-oauth-token',
|
||||||
deviceName: 'OAuth Test App',
|
deviceName: 'OAuth Test App',
|
||||||
@@ -32,7 +33,8 @@ tap.test('should not attempt session refresh for OAuth tokens', async () => {
|
|||||||
isOAuthToken: true
|
isOAuthToken: true
|
||||||
});
|
});
|
||||||
|
|
||||||
// Test that ensureValidSession doesn't try to refresh OAuth tokens
|
// OAuth tokens now behave the same as regular API keys
|
||||||
|
// They go through normal session management
|
||||||
try {
|
try {
|
||||||
await oauthBunq.apiContext.ensureValidSession();
|
await oauthBunq.apiContext.ensureValidSession();
|
||||||
console.log('OAuth session management test passed');
|
console.log('OAuth session management test passed');
|
||||||
@@ -41,7 +43,7 @@ tap.test('should not attempt session refresh for OAuth tokens', async () => {
|
|||||||
}
|
}
|
||||||
});
|
});
|
||||||
|
|
||||||
tap.test('should handle OAuth tokens without private key errors', async () => {
|
tap.test('should handle OAuth tokens through full initialization', async () => {
|
||||||
const oauthBunq = new bunq.BunqAccount({
|
const oauthBunq = new bunq.BunqAccount({
|
||||||
apiKey: 'test-oauth-token',
|
apiKey: 'test-oauth-token',
|
||||||
deviceName: 'OAuth Test App',
|
deviceName: 'OAuth Test App',
|
||||||
@@ -50,21 +52,17 @@ tap.test('should handle OAuth tokens without private key errors', async () => {
|
|||||||
});
|
});
|
||||||
|
|
||||||
try {
|
try {
|
||||||
// Initialize (should skip session creation)
|
// OAuth tokens go through full initialization flow
|
||||||
|
// The OAuth token is used as the API key/secret
|
||||||
await oauthBunq.init();
|
await oauthBunq.init();
|
||||||
|
|
||||||
// Try to make a request (should skip signing)
|
// The HTTP client works normally with OAuth tokens (including request signing)
|
||||||
// This would have thrown "Private key not generated yet" before the fix
|
|
||||||
const httpClient = oauthBunq.apiContext.getHttpClient();
|
const httpClient = oauthBunq.apiContext.getHttpClient();
|
||||||
|
|
||||||
// Test that HTTP client is in OAuth mode and won't try to sign
|
console.log('OAuth initialization test passed - full flow completed');
|
||||||
console.log('OAuth HTTP client test passed - no private key errors');
|
|
||||||
} catch (error) {
|
} catch (error) {
|
||||||
// Expected to fail with network/auth error, not private key error
|
// Expected to fail with invalid token error, not initialization skip
|
||||||
if (error.message && error.message.includes('Private key not generated')) {
|
console.log('OAuth initialization test completed (expected auth failure with mock token)');
|
||||||
throw new Error('OAuth mode should not require private keys');
|
|
||||||
}
|
|
||||||
console.log('OAuth private key test completed (expected network failure)');
|
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
|
|
||||||
|
@@ -44,15 +44,6 @@ export class BunqApiContext {
|
|||||||
* Initialize the API context (installation, device, session)
|
* Initialize the API context (installation, device, session)
|
||||||
*/
|
*/
|
||||||
public async init(): Promise<void> {
|
public async init(): Promise<void> {
|
||||||
// If using OAuth token, skip session creation
|
|
||||||
if (this.options.isOAuthToken) {
|
|
||||||
// OAuth tokens already have an associated session
|
|
||||||
this.context.sessionToken = this.options.apiKey;
|
|
||||||
this.session = new BunqSession(this.crypto, this.context);
|
|
||||||
this.session.setOAuthMode(true);
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
// Try to load existing context
|
// Try to load existing context
|
||||||
const existingContext = await this.loadContext();
|
const existingContext = await this.loadContext();
|
||||||
|
|
||||||
@@ -78,6 +69,11 @@ export class BunqApiContext {
|
|||||||
this.options.deviceDescription,
|
this.options.deviceDescription,
|
||||||
this.options.permittedIps || []
|
this.options.permittedIps || []
|
||||||
);
|
);
|
||||||
|
|
||||||
|
// Set OAuth mode if applicable (for session expiry handling)
|
||||||
|
if (this.options.isOAuthToken) {
|
||||||
|
this.session.setOAuthMode(true);
|
||||||
|
}
|
||||||
|
|
||||||
// Save context
|
// Save context
|
||||||
await this.saveContext();
|
await this.saveContext();
|
||||||
@@ -135,11 +131,6 @@ export class BunqApiContext {
|
|||||||
* Refresh session if needed
|
* Refresh session if needed
|
||||||
*/
|
*/
|
||||||
public async ensureValidSession(): Promise<void> {
|
public async ensureValidSession(): Promise<void> {
|
||||||
// OAuth tokens don't need session refresh
|
|
||||||
if (this.options.isOAuthToken) {
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
await this.session.refreshSession();
|
await this.session.refreshSession();
|
||||||
await this.saveContext();
|
await this.saveContext();
|
||||||
}
|
}
|
||||||
|
@@ -10,20 +10,12 @@ export class BunqHttpClient {
|
|||||||
private crypto: BunqCrypto;
|
private crypto: BunqCrypto;
|
||||||
private context: IBunqApiContext;
|
private context: IBunqApiContext;
|
||||||
private requestCounter: number = 0;
|
private requestCounter: number = 0;
|
||||||
private isOAuthMode: boolean = false;
|
|
||||||
|
|
||||||
constructor(crypto: BunqCrypto, context: IBunqApiContext) {
|
constructor(crypto: BunqCrypto, context: IBunqApiContext) {
|
||||||
this.crypto = crypto;
|
this.crypto = crypto;
|
||||||
this.context = context;
|
this.context = context;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
|
||||||
* Set OAuth mode
|
|
||||||
*/
|
|
||||||
public setOAuthMode(isOAuth: boolean): void {
|
|
||||||
this.isOAuthMode = isOAuth;
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Update the API context (used after getting session token)
|
* Update the API context (used after getting session token)
|
||||||
*/
|
*/
|
||||||
@@ -44,20 +36,13 @@ export class BunqHttpClient {
|
|||||||
const body = options.body ? JSON.stringify(options.body) : undefined;
|
const body = options.body ? JSON.stringify(options.body) : undefined;
|
||||||
|
|
||||||
// Add signature if required
|
// Add signature if required
|
||||||
// Skip signing for OAuth tokens or if explicitly disabled
|
if (options.useSigning !== false && this.crypto.getPrivateKey()) {
|
||||||
if (options.useSigning !== false && !this.isOAuthMode) {
|
headers['X-Bunq-Client-Signature'] = this.crypto.createSignatureHeader(
|
||||||
try {
|
options.method,
|
||||||
const privateKey = this.crypto.getPrivateKey();
|
options.endpoint,
|
||||||
headers['X-Bunq-Client-Signature'] = this.crypto.createSignatureHeader(
|
headers,
|
||||||
options.method,
|
body || ''
|
||||||
options.endpoint,
|
);
|
||||||
headers,
|
|
||||||
body || ''
|
|
||||||
);
|
|
||||||
} catch (error) {
|
|
||||||
// If no private key is available (e.g., OAuth mode), skip signing
|
|
||||||
// This is expected for OAuth tokens
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// Make the request
|
// Make the request
|
||||||
@@ -81,8 +66,7 @@ export class BunqHttpClient {
|
|||||||
const response = await plugins.smartrequest.request(url, requestOptions);
|
const response = await plugins.smartrequest.request(url, requestOptions);
|
||||||
|
|
||||||
// Verify response signature if we have server public key
|
// Verify response signature if we have server public key
|
||||||
// Skip verification for OAuth tokens as they don't have installation keys
|
if (this.context.serverPublicKey) {
|
||||||
if (this.context.serverPublicKey && !this.isOAuthMode) {
|
|
||||||
// Convert headers to string-only format
|
// Convert headers to string-only format
|
||||||
const stringHeaders: { [key: string]: string } = {};
|
const stringHeaders: { [key: string]: string } = {};
|
||||||
for (const [key, value] of Object.entries(response.headers)) {
|
for (const [key, value] of Object.entries(response.headers)) {
|
||||||
|
@@ -149,8 +149,6 @@ export class BunqSession {
|
|||||||
// OAuth tokens don't expire in the same way as regular sessions
|
// OAuth tokens don't expire in the same way as regular sessions
|
||||||
// Set a far future expiry time
|
// Set a far future expiry time
|
||||||
this.sessionExpiryTime = plugins.smarttime.TimeStamp.fromMilliSeconds(Date.now() + 365 * 24 * 60 * 60 * 1000);
|
this.sessionExpiryTime = plugins.smarttime.TimeStamp.fromMilliSeconds(Date.now() + 365 * 24 * 60 * 60 * 1000);
|
||||||
// Also set OAuth mode on HTTP client
|
|
||||||
this.httpClient.setOAuthMode(true);
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -158,11 +156,6 @@ export class BunqSession {
|
|||||||
* Check if session is still valid
|
* Check if session is still valid
|
||||||
*/
|
*/
|
||||||
public isSessionValid(): boolean {
|
public isSessionValid(): boolean {
|
||||||
// OAuth tokens are always considered valid (they have their own expiry mechanism)
|
|
||||||
if (this.isOAuthMode) {
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (!this.sessionExpiryTime) {
|
if (!this.sessionExpiryTime) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
@@ -175,11 +168,6 @@ export class BunqSession {
|
|||||||
* Refresh the session if needed
|
* Refresh the session if needed
|
||||||
*/
|
*/
|
||||||
public async refreshSession(): Promise<void> {
|
public async refreshSession(): Promise<void> {
|
||||||
// OAuth tokens don't need session refresh
|
|
||||||
if (this.isOAuthMode) {
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (!this.isSessionValid()) {
|
if (!this.isSessionValid()) {
|
||||||
await this.createSession();
|
await this.createSession();
|
||||||
}
|
}
|
||||||
|
Reference in New Issue
Block a user