Updated PayPal endpoints and UserInfo

.github/workflows/semgrep.yml

@@ -0,0 +1,15 @@
+name: Semgrep
+on:
+  pull_request_target: {}
+  push:
+    branches: ["master"] 
+jobs:
+  semgrep:
+    name: Scan
+    runs-on: ubuntu-latest
+    if: (github.actor != 'dependabot[bot]' && github.actor != 'snyk-bot')
+    steps:
+      - uses: actions/checkout@v2
+      - uses: returntocorp/semgrep-action@v1
+        with:
+          publishToken: ${{ secrets.SEMGREP_APP_TOKEN }}

README.md

@@ -15,6 +15,10 @@ unobtrusively integrated into any application or framework that supports
 
 ## Usage
 
+#### Register your app with PayPal
+
+Login to the [Developer Portal](https://devportal.x.com/sdm/myprofile) and register your application.
+
 #### Configure Strategy
 
 The PayPal authentication strategy authenticates users using a PayPal
@@ -34,6 +38,10 @@ accepts these credentials and calls `done` providing a user, as well as
       }
     ));
 
+You can provide an extra option when creating the `PaypalStrategy` which is `paypalEnvironment`, this
+option defines the environment where the client is located in Paypal, it can be `sandbox` or `live`, when
+no provided it will default to `live` environment. It just configures the default urls internally.
+
 #### Authenticate Requests
 
 Use `passport.authenticate()`, specifying the `'paypal'` strategy, to
@@ -45,7 +53,7 @@ application:
     app.get('/auth/paypal',
       passport.authenticate('paypal'));
 
-    app.get('/auth/paypal/callback', 
+    app.get('/auth/paypal/callback',
       passport.authenticate('paypal', { failureRedirect: '/login' }),
       function(req, res) {
         // Successful authentication, redirect home.

examples/login/app.js

@@ -3,10 +3,11 @@ var express = require('express')
   , util = require('util')
   , PayPalStrategy = require('passport-paypal-oauth').Strategy;
 
+
+// Register your app here: https://devportal.x.com
 var PAYPAL_APP_ID = "--insert-paypal-app-id-here--"
 var PAYPAL_APP_SECRET = "--insert-paypal-app-secret-here--";
 
-
 // Passport session setup.
 //   To support persistent login sessions, Passport needs to be able to
 //   serialize users into and deserialize users out of the session.  Typically,
@@ -85,8 +86,9 @@ app.get('/login', function(req, res){
 //   request.  The first step in PayPal authentication will involve
 //   redirecting the user to paypal.com.  After authorization, PayPal will
 //   redirect the user back to this application at /auth/paypal/callback
+// Supported scopes: openid profile email address phone
 app.get('/auth/paypal',
-  passport.authenticate('paypal', { scope: 'https://identity.x.com/xidentity/resources/profile/me' }),
+  passport.authenticate('paypal', { scope: 'openid profile' }),
   function(req, res){
     // The request will be redirected to PayPal for authentication, so this
     // function will not be called.

lib/passport-paypal-oauth/strategy.js

@@ -5,6 +5,18 @@ var util = require('util')
   , OAuth2Strategy = require('passport-oauth').OAuth2Strategy
   , InternalOAuthError = require('passport-oauth').InternalOAuthError;
 
+var ENVIRONMENTS = {
+  live: {
+    authorizationURL: 'https://www.paypal.com/signin/authorize',
+    tokenURL: 'https://api.paypal.com/v1/identity/openidconnect/tokenservice',
+    userProfile: 'https://api.paypal.com/v1/identity/openidconnect/userinfo/'
+  },
+  sandbox: {
+    authorizationURL: 'https://www.sandbox.paypal.com/signin/authorize',
+    tokenURL: 'https://api.sandbox.paypal.com/v1/identity/openidconnect/tokenservice',
+    userProfile: 'https://api.sandbox.paypal.com/v1/identity/openidconnect/userinfo/'
+  }
+}
 
 /**
  * `Strategy` constructor.
@@ -18,9 +30,10 @@ var util = require('util')
  * credentials are not valid.  If an exception occured, `err` should be set.
  *
  * Options:
- *   - `clientID`      your application's App ID
- *   - `clientSecret`  your application's App Secret
- *   - `callbackURL`   URL to which PayPal will redirect the user after granting authorization
+ *   - `clientID`           your application's App ID
+ *   - `clientSecret`       your application's App Secret
+ *   - `callbackURL`        URL to which PayPal will redirect the user after granting authorization
+ *   - `paypalEnvironment`  Optional. "sandbox" or "live" to define where the client is located, it defaults to "live"
  *
  * Examples:
  *
@@ -42,20 +55,32 @@ var util = require('util')
  */
 function Strategy(options, verify) {
   options = options || {};
-  options.authorizationURL = options.authorizationURL || 'https://identity.x.com/xidentity/resources/authorize';
-  options.tokenURL = options.tokenURL || 'https://identity.x.com/xidentity/oauthtokenservice';
-
+  this._paypalEnv = options.paypalEnvironment ? ENVIRONMENTS[options.paypalEnvironment] : ENVIRONMENTS.live;
+  if (!this._paypalEnv) { throw new TypeError('paypalEnvironment option must be "sandbox", "live" or not set at all (default to "live")')}
+
+  options.authorizationURL = options.authorizationURL || this._paypalEnv.authorizationURL;
+  options.tokenURL = options.tokenURL || this._paypalEnv.tokenURL;
+
   OAuth2Strategy.call(this, options, verify);
   this.name = 'paypal';
-  
+
   this._oauth2.setAccessTokenName("oauth_token");
+  this._oauth2.useAuthorizationHeaderforGET(true);
 }
 
 /**
  * Inherit from `OAuth2Strategy`.
  */
 util.inherits(Strategy, OAuth2Strategy);
 
+/**
+ * Paypal user_id has the following prefix https://www.paypal.com/webapps/auth/identity/user
+ * At auth0 we don't want that prefix as it has redundant information
+ * and also prevents user_id(s) to be included in URLs
+ * We will remove this prefix.
+ */
+
+var USER_IR_PREFIX = 'https://www.paypal.com/webapps/auth/identity/user/';
 
 /**
  * Retrieve user profile from PayPal.
@@ -71,26 +96,23 @@ util.inherits(Strategy, OAuth2Strategy);
  * @api protected
  */
 Strategy.prototype.userProfile = function(accessToken, done) {
-  this._oauth2.getProtectedResource('https://identity.x.com/xidentity/resources/profile/me', accessToken, function (err, body, res) {
+  this._oauth2.get(this._paypalEnv.userProfile + '?schema=openid', accessToken, function (err, body, res) {
     if (err) { return done(new InternalOAuthError('failed to fetch user profile', err)); }
-    
+
     try {
       var json = JSON.parse(body);
-      
+
       var profile = { provider: 'paypal' };
-      profile.id = json.identity.userId;
-      profile.displayName = json.identity.firstName + " " + json.identity.lastName;
-      profile.name = { familyName: json.identity.lastName,
-                       givenName: json.identity.firstName,
-                       formatted: json.identity.fullName };
-      profile.emails = [];
-      json.identity.emails.forEach(function(email) {
-        profile.emails.push({ value: email });
-      });
-
+      profile.id = json.user_id ? json.user_id.replace(USER_IR_PREFIX, '') : '';
+      profile.displayName = json.name;
+      profile.name = { familyName: json.family_name,
+                       givenName: json.given_name,
+                       formatted: json.name };
+      profile.emails = [ json.email ];
+
       profile._raw = body;
       profile._json = json;
-      
+
       done(null, profile);
     } catch(e) {
       done(e);

opslevel.yml

@@ -0,0 +1,5 @@
+---
+version: 1
+repository:
+  owner: iam_login
+  tags:

package.json

@@ -1,8 +1,15 @@
 {
   "name": "passport-paypal-oauth",
-  "version": "0.1.0",
+  "version": "0.3.0",
   "description": "PayPal (OAuth) authentication strategy for Passport.",
-  "keywords": ["passport", "paypal", "auth", "authn", "authentication", "identity"],
+  "keywords": [
+    "passport",
+    "paypal",
+    "auth",
+    "authn",
+    "authentication",
+    "identity"
+  ],
   "repository": {
     "type": "git",
     "url": "git://github.com/jaredhanson/passport-paypal-oauth.git"
@@ -15,20 +22,24 @@
     "email": "[email protected]",
     "url": "http://www.jaredhanson.net/"
   },
-  "licenses": [ {
-    "type": "MIT",
-    "url": "http://www.opensource.org/licenses/MIT" 
-  } ],
+  "licenses": [
+    {
+      "type": "MIT",
+      "url": "http://www.opensource.org/licenses/MIT"
+    }
+  ],
   "main": "./lib/passport-paypal-oauth",
   "dependencies": {
     "pkginfo": "0.2.x",
-    "passport-oauth": "~0.1.2"
+    "passport-oauth": "1.x.x"
   },
   "devDependencies": {
-    "vows": "0.6.x"
+    "vows": "^0.8.1"
   },
   "scripts": {
     "test": "NODE_PATH=lib node_modules/.bin/vows test/*-test.js"
   },
-  "engines": { "node": ">= 0.4.0" }
+  "engines": {
+    "node": ">= 0.4.0"
+  }
 }