node-oauth2-server

This project is back under active development and maintenance!

Open thomseddon opened this issue 4 years ago • 80 comments

Hello!

After a hiatus following the 3.0.0 release, I'm very happy to say that I am planning to pick up the maintenance and development of this project. The point of this issue is to outline the plan.

History

3.0.0 was released in August 2017, when the project was already 4 years old, and was the result of a great amount of effort from a number of people in iterating towards a much improved codebase and documentation. Unfortunately, following this all of us who were involved in the release became rather busy with projects elsewhere and were not able to continue to work on the project. As such, we've been stuck on 3.0.0 since then!

I put out a request for maintainers in 2019; although I did receive a few responses, I didn't find anyone who was able to start in earnest. The action that drew the most traction was a complete rewrite of the project in TypeScript in #564. This was great to see, as was the amount of attention it got, which showed there were still a good number of people using or interested in the project. However, after observing the progress of that effort it's clear that maintenance is still one of the hardest parts of such a project, and I can understand why anyone would struggle to take that on. I realised that another big rewrite really wasn't what the project needed.

A change in my working situation has left me with a little more time to spare. I've mostly been using this on another open source project of mine (https://github.com/thomseddon/traefik-forward-auth), but I'd like to try and pick up this project too.

Plan

In summary:

  • v3 - backwards compatible bug fixes only
  • v4 - largely backwards compatible fixes and improvements (no code/model changes required)

A lot of people have been lingering on the 3.0.0 release for a long time, and it has certainly been battle tested. We've amassed over 100 issues and 22 PRs for this release, so I would like to make a big effort to give v3 the fixes it deserves. I have already started this by updating all dependencies and releasing 3.0.2 🎉 In honour of the backwards compatibility, I will also be maintaining support for node 4/6/8 in v3.

Due to the nature of the project, most changes do change the server behaviour and so can be considered "backwards incompatible". To help prevent any jarring changes, the plan is for a v4 release which is as backwards compatible as possible. My goal is to keep the integration entirely backwards compatible, so there should be no client code changes required at all for this entire release. We will drop support for the EOL node.js versions 4/6/8 and plough through as many fixes and improvements as possible.

Thanks for your patience over the years, I'm already enjoying getting stuck back in again!

thomseddon avatar May 27 '20 20:05 thomseddon

Will v4 be based on v5?

Uzlopak avatar May 28 '20 10:05 Uzlopak

No, it will be based on v3 and be mostly backwards compatible with existing code.

thomseddon avatar May 28 '20 10:05 thomseddon

Is it planned to implement those changes from v4 also in v5 or is v5 now dead?

Uzlopak avatar May 28 '20 11:05 Uzlopak

So are you planning to "throw away" all of the effort that went into v5? Isn't TypeScript meanwhile the de facto standard for writing larger JavaScript-based projects?

mayrbenjamin92 avatar May 28 '20 12:05 mayrbenjamin92

All code has bugs. With v3 we have a somewhat battle-hardened release, with over 100 issues/PRs raised in this repo outlining many real bugs, doc issues and proposed features.

Whereas v5 is a massive rewrite with significantly less review in comparison; it may address some existing bugs, but will undoubtedly introduce new bugs.

As mentioned above, in the interest of forward momentum I'd like to fix the bugs and make the project better 👍

thomseddon avatar May 29 '20 08:05 thomseddon

Thanks a lot for going this path. It's great to see that I can continue to rely on this package. Is there a way to send a small donation :moneybag: to show some :heart:?

jankapunkt avatar May 29 '20 19:05 jankapunkt

We are with you. Thank you so much for the support and the awesome work you are doing!

desaijay315 avatar Jun 13 '20 09:06 desaijay315

Is the v5-dev branch really dead? As I understand it, the TypeScript version is no longer on the roadmap.

It's true that it's important to be backward compatible, but it's also important to move forward and update the code to support the latest features of OAuth2.

Some of those features were implemented in v5-dev and we were waiting for them to be merged. Better typing and PKCE were among them. Can we expect to get them soon?

You talk about v4, but we haven't seen any branch related to it. Is this really planned?

We know it's important to get help. How can we help you to move forward? We just don't want to write code that is going to be "thrown away" like in v5-dev.

Rmannn avatar Jun 25 '20 14:06 Rmannn

I think it would be great to have a v4 branch and a v4 project that contains all the issues relevant for v4. By doing so we would know where to put our efforts.

@thomseddon what do you think?

jankapunkt avatar Jun 26 '20 08:06 jankapunkt

👍 3.1 will be released next week (3.1.0-rc1 is published on npm now)

The existing next branch was actually pegged for v4 and includes some necessary breaking changes. I'll create a new v4 branch shortly, which will be based on the existing next branch, rebased from master/v3-catchup (#629).

I'm hoping to merge the existing PKCE PR into v4 too.

For those who have asked about sponsorship: thank you so much. I'd really like to spend more time on this project (there's a lot of work to do :) and I've set up GitHub sponsorship, so for anyone who would like to help in that way, it would really allow me to put more time into this and would be greatly appreciated.

thomseddon avatar Jun 27 '20 14:06 thomseddon

Hi! Any news on PKCE implementation?

gabriprat avatar Dec 29 '20 08:12 gabriprat

This project is, imho, dead again.

Uzlopak avatar Dec 29 '20 14:12 Uzlopak

I think there should be someone getting sponsored to tackle the remaining issues, or at least to manage incoming PRs.

jankapunkt avatar Dec 29 '20 15:12 jankapunkt

@thomseddon honestly I'd say put v3 into maintenance mode (security fixes only), skip v4, and start pushing forward on v5 with TypeScript and breaking changes. It's daunting work to build out improvements for 3 separate versions. If you don't have much time then reducing the surface area will surely help, and the TypeScript branch seems much cleaner to work with and build upon.

night avatar Dec 30 '20 19:12 night

Is there a branch already for v4?

ukneeq avatar Jan 05 '21 21:01 ukneeq

I agree with @night that managing 3 versions is a huge effort, and maybe that is also the reason this repo is getting stuck again?

@ukneeq I think it's the dev branch

jankapunkt avatar Jan 06 '21 10:01 jankapunkt

I don't think that the complexity is the reason this project got stuck again. I suppose that when @thomseddon was claiming this project was under active development and maintenance, he was in a jobless situation, and that's why it was back under development. But soon after he was again busy with a job which supplies him with money, and so this project is stuck again. I mean, it is totally understandable; I would also be less productive in an open source project if I had a paid job.

What are you going to do? The issue is also that this is a security-relevant product. If you have an untrustworthy contributor/maintainer who puts malicious code into the product, then a lot of companies will be hackable. But on the other hand, we could have a critical community and make it necessary to have x approvals before the maintainers can actually merge into master. I would also agree that new maintainers need to disclose their identities and who their employers are, so that making them maintainers does not mean enabling a malicious anonymous person to taint the code.

I would be happy if I could support this project.

Uzlopak avatar Jan 06 '21 18:01 Uzlopak

I support the idea.

jankapunkt avatar Jan 06 '21 18:01 jankapunkt

If you are still in need of maintainers let me know, I really enjoy using this module and would be happy to contribute and improve it as much as I can!

HappyZombies avatar Jan 12 '21 16:01 HappyZombies

Maybe we should talk with another group like Auth0 and ask if they would fork it and maintain it with our community support.

Uzlopak avatar Jan 14 '21 10:01 Uzlopak

>This project is back under active development and maintenance!

Sooo that was a lie.

HappyZombies avatar Feb 12 '21 14:02 HappyZombies

Would be great to have at least some kind of election for maintainers so this can continue to stay alive.

jankapunkt avatar Feb 12 '21 15:02 jankapunkt

I think there would be a lot of people willing to maintain this project. The only thing that is missing is specific tasks or todos that people can assign to themselves.

Personally I think the TypeScript version (v5) should be picked up again.

jorenvandeweyer avatar Feb 12 '21 15:02 jorenvandeweyer

If we could define some reliable criteria for someone becoming a trusted maintainer, we could start elections and @thomseddon would only need to add them. I think from there we could work on fixes for 3.x and 5.0 as well.

The trusted maintainers can assign tasks, review and merge PRs.

jankapunkt avatar Feb 12 '21 15:02 jankapunkt

I think the minimal effort should be to at least merge in updated dependencies, e.g. https://github.com/oauthjs/node-oauth2-server/pull/677 and similar.

svrnwnsch avatar Mar 26 '21 13:03 svrnwnsch

I wrote this today to Auth0:

Hello Auth0 Dev Team,

I wanted to ask you if your developers could fork the node-oauth2-server project on github.

https://github.com/oauthjs/node-oauth2-server

A lot of products use this project, but the maintainer of the project abandoned it. We, the community, provided various PRs for this product, but to this day the maintainer does not merge anything. We discussed forking the project, but tbh. this product is too security sensitive to have it maintained by the community in a no-name GitHub repo.

I personally would prefer it if Auth0 were the trustworthy maintainer of the product. So you would fork the project and continue it as e.g. auth0/node-oauth2-server. We, the community, could then provide PRs and could have at least some progress.

I hope you will join us in the discussion on GitHub:

https://github.com/oauthjs/node-oauth2-server/issues/621

Thank you very much!!!

Best Regards Aras Abbasi

Uzlopak avatar Mar 26 '21 14:03 Uzlopak

I wrote an identical email to the CEO of Auth0.

Let's hope this project finally gets the love it needs. :)

Uzlopak avatar Mar 26 '21 14:03 Uzlopak

Hi Aras,

Thank you for thinking of Auth0 when considering trustworthy open source maintainers.

From a quick glance, the main project's aim appears to be implementing an OAuth2 authorization server in Node, so that developers can host that function themselves in their codebase.

While that is an approach that has its rightful place in a number of scenarios, we believe that in the more general cases developers are better served by offloading authentication to a service, where they can rely on experts and cloud infrastructure to bear the brunt of the security, availability, manageability, scalability, compliance, interop and change management that are typically very onerous and tricky to achieve in one's own code, unless identity and security are the core business of the implementer. You can find a summary of our thoughts on the matter here.

As such, I am sure you can see how it would be hard for us to pick up the mantle of maintainer for this project. I do hope you'll find a viable maintainer, and I look forward to helping in case you want to test interoperability with our services!

Best,

Vittorio

So... any other idea how to get this project under "control"?

Uzlopak avatar Mar 29 '21 12:03 Uzlopak

As I said 1 year ago, we started implementing our own version of an OAuth2 server with TypeScript. It's a draft at the moment and does not cover the entire project. However, if you want to have a look, you're welcome. It is built to work with Express and Fastify, and we are OK with opening the project to maintainers. https://github.com/Pop-Code/oauth2

Rmannn avatar Mar 29 '21 13:03 Rmannn

> It is built to work with Express and Fastify

We are using sencha/connect, so for us this would already be a no-go, since it would mean adding another library just for compatibility reasons.

jankapunkt avatar Mar 29 '21 13:03 jankapunkt