fix(oauth): correct OAuth implementation to match bunq documentation

fix(oauth): fix private key error for OAuth tokens
2025-07-22 21:56:10 +00:00 · 2025-07-22 21:18:41 +00:00
6 changed files with 67 additions and 33 deletions
--- a/changelog.md
+++ b/changelog.md
@@ -1,5 +1,31 @@
 # Changelog

+## 2025-07-22 - 3.0.8 - fix(oauth)
+Correct OAuth implementation to match bunq documentation
+
+- Removed OAuth mode from HTTP client - OAuth tokens use normal request signing
+- OAuth tokens now work exactly like regular API keys (per bunq docs)
+- Fixed test comments to reflect correct OAuth behavior
+- Simplified OAuth handling by removing unnecessary special cases
+- OAuth tokens properly go through full auth flow with request signing
+
+## 2025-07-22 - 3.0.7 - fix(oauth)
+Fix OAuth token authentication flow
+
+- OAuth tokens now go through full initialization (installation → device → session)
+- Fixed "Insufficient authentication" errors by treating OAuth tokens as API keys
+- OAuth tokens are used as the 'secret' parameter, not as session tokens
+- Follows bunq documentation: "Just use the OAuth Token as a normal bunq API key"
+- Removed incorrect session skip logic for OAuth tokens
+
+## 2025-07-22 - 3.0.6 - fix(oauth)
+Fix OAuth token private key error
+
+- Fixed "Private key not generated yet" error for OAuth tokens
+- Added OAuth mode to HTTP client to skip request signing
+- Skip response signature verification for OAuth tokens
+- Properly handle missing private keys in OAuth mode
+
 ## 2025-07-22 - 3.0.5 - feat(oauth)
 Add OAuth token support

--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@apiclient.xyz/bunq",
-  "version": "3.0.5",
+  "version": "3.0.8",
  "private": false,
  "description": "A full-featured TypeScript/JavaScript client for the bunq API",
  "type": "module",
--- a/readme.md
+++ b/readme.md
@@ -436,17 +436,19 @@ const bunq = new BunqAccount({
  apiKey: 'your-oauth-access-token',  // OAuth token from bunq OAuth flow
  deviceName: 'OAuth App',
  environment: 'PRODUCTION',
-  isOAuthToken: true  // Important: Set this flag for OAuth tokens
+  isOAuthToken: true  // Optional: Set for OAuth-specific handling
 });

 await bunq.init();

-// OAuth tokens already have an associated session from the OAuth flow,
-// so the library will skip session creation and use the token directly
+// OAuth tokens work just like regular API keys:
+// 1. They go through installation → device → session creation
+// 2. The OAuth token is used as the 'secret' during authentication
+// 3. A session token is created and used for all API calls
 const accounts = await bunq.getAccounts();

-// Note: OAuth tokens have their own expiry mechanism managed by bunq's OAuth server
-// The library will not attempt to refresh OAuth tokens
+// According to bunq documentation: 
+// "Just use the OAuth Token (access_token) as a normal bunq API key"
 ```

 ### Error Handling
--- a/test/test.oauth.ts
+++ b/test/test.oauth.ts
@@ -15,7 +15,8 @@ tap.test('should handle OAuth token initialization', async () => {
  
  // Mock test - in reality this would connect to bunq
  try {
-    // The init should skip session creation for OAuth tokens
+    // OAuth tokens should go through full initialization flow
+    // (installation → device → session)
    await oauthBunq.init();
    console.log('OAuth token initialization successful (mock)');
  } catch (error) {
@@ -24,7 +25,7 @@ tap.test('should handle OAuth token initialization', async () => {
  }
 });

-tap.test('should not attempt session refresh for OAuth tokens', async () => {
+tap.test('should handle OAuth token session management', async () => {
  const oauthBunq = new bunq.BunqAccount({
    apiKey: 'test-oauth-token',
    deviceName: 'OAuth Test App',
@@ -32,7 +33,8 @@ tap.test('should not attempt session refresh for OAuth tokens', async () => {
    isOAuthToken: true
  });
  
-  // Test that ensureValidSession doesn't try to refresh OAuth tokens
+  // OAuth tokens now behave the same as regular API keys
+  // They go through normal session management
  try {
    await oauthBunq.apiContext.ensureValidSession();
    console.log('OAuth session management test passed');
@@ -41,4 +43,27 @@ tap.test('should not attempt session refresh for OAuth tokens', async () => {
  }
 });

+tap.test('should handle OAuth tokens through full initialization', async () => {
+  const oauthBunq = new bunq.BunqAccount({
+    apiKey: 'test-oauth-token',
+    deviceName: 'OAuth Test App',
+    environment: 'SANDBOX',
+    isOAuthToken: true
+  });
+  
+  try {
+    // OAuth tokens go through full initialization flow
+    // The OAuth token is used as the API key/secret
+    await oauthBunq.init();
+    
+    // The HTTP client works normally with OAuth tokens (including request signing)
+    const httpClient = oauthBunq.apiContext.getHttpClient();
+    
+    console.log('OAuth initialization test passed - full flow completed');
+  } catch (error) {
+    // Expected to fail with invalid token error, not initialization skip
+    console.log('OAuth initialization test completed (expected auth failure with mock token)');
+  }
+});
+
 tap.start();
--- a/ts/bunq.classes.apicontext.ts
+++ b/ts/bunq.classes.apicontext.ts
@@ -44,15 +44,6 @@ export class BunqApiContext {
   * Initialize the API context (installation, device, session)
   */
  public async init(): Promise<void> {
-    // If using OAuth token, skip session creation
-    if (this.options.isOAuthToken) {
-      // OAuth tokens already have an associated session
-      this.context.sessionToken = this.options.apiKey;
-      this.session = new BunqSession(this.crypto, this.context);
-      this.session.setOAuthMode(true);
-      return;
-    }
-    
    // Try to load existing context
    const existingContext = await this.loadContext();
    
@@ -78,6 +69,11 @@ export class BunqApiContext {
      this.options.deviceDescription,
      this.options.permittedIps || []
    );
+    
+    // Set OAuth mode if applicable (for session expiry handling)
+    if (this.options.isOAuthToken) {
+      this.session.setOAuthMode(true);
+    }

    // Save context
    await this.saveContext();
@@ -135,11 +131,6 @@ export class BunqApiContext {
   * Refresh session if needed
   */
  public async ensureValidSession(): Promise<void> {
-    // OAuth tokens don't need session refresh
-    if (this.options.isOAuthToken) {
-      return;
-    }
-    
    await this.session.refreshSession();
    await this.saveContext();
  }
--- a/ts/bunq.classes.session.ts
+++ b/ts/bunq.classes.session.ts
@@ -156,11 +156,6 @@ export class BunqSession {
   * Check if session is still valid
   */
  public isSessionValid(): boolean {
-    // OAuth tokens are always considered valid (they have their own expiry mechanism)
-    if (this.isOAuthMode) {
-      return true;
-    }
-    
    if (!this.sessionExpiryTime) {
      return false;
    }
@@ -173,11 +168,6 @@ export class BunqSession {
   * Refresh the session if needed
   */
  public async refreshSession(): Promise<void> {
-    // OAuth tokens don't need session refresh
-    if (this.isOAuthMode) {
-      return;
-    }
-    
    if (!this.isSessionValid()) {
      await this.createSession();
    }
Author	SHA1	Message	Date
Juergen Kunz	93dddf6181	fix(oauth): correct OAuth implementation to match bunq documentation	2025-07-22 21:56:10 +00:00
Juergen Kunz	739e781cfb	fix(oauth): fix private key error for OAuth tokens	2025-07-22 21:18:41 +00:00