UNPKG

@types/passport-google-oauth20

Version:

TypeScript definitions for passport-google-oauth20

github.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/passport-google-oauth20

DefinitelyTyped/DefinitelyTyped

295 lines (284 loc) 10.8 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
import * as express from "express"; import * as passport from "passport"; import * as oauth2 from "passport-oauth2"; export type OAuth2StrategyOptionsWithoutRequiredURLs = Pick< oauth2._StrategyOptionsBase, Exclude<keyof oauth2._StrategyOptionsBase, "authorizationURL" | "tokenURL"> >; export interface _StrategyOptionsBase extends OAuth2StrategyOptionsWithoutRequiredURLs { authorizationURL?: string | undefined; callbackURL?: string | undefined; clientID: string; clientSecret: string; /** * Scopes (permissions) you might need to request to access Google APIs, * depending on the level of access you need. Sensitive scopes require * review by Google and have a _sensitive_ indicator on the Google Cloud * Platform (GCP) Console OAuth consent screen configuration page. * * One or many of these [Google * Scopes](https://developers.google.com/identity/protocols/oauth2/scopes) * * For a basic auth scenario, this is typically `['email', 'profile']` which * is an accepted abbreviation for `['https://www.googleapis.com/auth/userinfo.email', * 'https://www.googleapis.com/auth/userinfo.profile']`. */ scope?: string | string[] | undefined; tokenURL?: string | undefined; userProfileURL?: string | undefined; } export interface StrategyOptions extends _StrategyOptionsBase { passReqToCallback?: false | undefined; } export interface StrategyOptionsWithRequest extends _StrategyOptionsBase { passReqToCallback: true; } export interface Profile extends passport.Profile { profileUrl: string; provider: "google"; /** * An identifier for the user, unique among all Google accounts and * never reused. A Google account can have multiple email addresses at * different points in time, but the sub value is never changed. Use sub * within your application as the unique-identifier key for the user. * Maximum length of 255 case-sensitive ASCII characters. * * Ex: `"10769150350006150715113082367"` */ id: string; emails?: Array<{ value: string; verified: boolean }>; _raw: string; /** * ID Token payload, adhering to Google's implementation of the OpenID * Connect standard See * [documentation](https://developers.google.com/identity/protocols/oauth2/openid-connect#an-id-tokens-payload) * * An ID token is a JSON object containing a set of name/value pairs. Here's an example, formatted for readability: * ```json * { * "iss": "https://accounts.google.com", * "azp": "1234987819200.apps.googleusercontent.com", * "aud": "1234987819200.apps.googleusercontent.com", * "sub": "10769150350006150715113082367", * "at_hash": "HK6E_P6Dh8Y93mRNtsDB1Q", * "hd": "example.com", * "email": "jsmith@example.com", * "email_verified": true, * "iat": 1353601026, * "exp": 1353604926, * "nonce": "0394852-3190485-2490358" * } * ``` */ _json: { /** * The Issuer Identifier for the Issuer of the response. Always * https://accounts.google.com or accounts.google.com for Google ID * tokens. * * Ex: `"https://accounts.google.com"` */ iss: string; /** * The client_id of the authorized presenter. This claim is only needed when the * party requesting the ID token is not the same as the audience of the ID * token. This may be the case at Google for hybrid apps where a web application * and Android app have a different OAuth 2.0 client_id but share the same * Google APIs project. * * Ex: `"1234987819200.apps.googleusercontent.com"` */ azp?: string; /** * The audience that this ID token is intended for. It must be one of * the OAuth 2.0 client IDs of your application. * * Ex: `"1234987819200.apps.googleusercontent.com"` */ aud: string; /** * An identifier for the user, unique among all Google accounts and * never reused. A Google account can have multiple email addresses at * different points in time, but the sub value is never changed. Use sub * within your application as the unique-identifier key for the user. * Maximum length of 255 case-sensitive ASCII characters. * * Ex: `"10769150350006150715113082367"` */ sub: string; /** * Access token hash. Provides validation that the access token is tied to the * identity token. If the ID token is issued with an access_token value in the * server flow, this claim is always included. This claim can be used as an * alternate mechanism to protect against cross-site request forgery attacks, * but if you follow Step 1 and Step 3 it is not necessary to verify the access * token. * * Ex: `"HK6E_P6Dh8Y93mRNtsDB1Q"` */ at_hash?: string; /** * The time the ID token was issued. Represented in Unix time (integer * seconds). * * Ex: `1353601026` */ iat: number; /** * Expiration time on or after which the ID token must not be accepted. * Represented in Unix time (integer seconds). * * Ex: `1353604926` */ exp: number; /** * The user's email address. This value may not be unique to this user and is * not suitable for use as a primary key. Provided only if your scope included * the email scope value. * * Ex: `"jsmith@example.com"` */ email?: string; /** * True if the user's e-mail address has been verified; otherwise false. */ email_verified?: boolean; /** * The user's given name(s) or first name(s). Might be provided when a name * claim is present. */ given_name?: string; /** * The user's surname(s) or last name(s). Might be provided when a name claim is * present. */ family_name?: string; /** * The user's full name, in a displayable form. Might be provided when: * * - The request scope included the string "profile" * - The ID token is returned from a token refresh * * When name claims are present, you can use them to update your app's user records. Note that this claim is never guaranteed to be present. */ name?: string; /** * The hosted G Suite domain of the user. Provided only if the user belongs to a * hosted domain. * * Ex: `"example.com"` */ hd?: string; /** * The user's locale, represented by a [BCP 47](https://www.rfc-editor.org/info/bcp47) language tag. Might be provided * when a name claim is present. * * Ex: `"en"` */ locale?: string; /** * The value of the nonce supplied by your app in the authentication * request. You should enforce protection against replay attacks by ensuring * it is presented only once. * * Ex: `"0394852-3190485-2490358"` */ nonce?: string; /** * The URL of the user's profile picture. Might be provided when: * - The request scope included the string "profile" * - The ID token is returned from a token refresh When picture claims * are present, you can use them to update your app's user records. * Note that this claim is never guaranteed to be present. * * Ex: `"https://lh4.googleusercontent.com/-aBcDeFG/ABCDEFGHI/JSKLMNO/pQRstuv/s99-c/photo.jpg"` */ picture?: string; /** * The URL of the user's profile page. Might be provided when: * - The request scope included the string "profile" * - The ID token is returned from a token refresh When profile claims * are present, you can use them to update your app's user records. * Note that this claim is never guaranteed to be present. */ profile?: string; }; } export type VerifyCallback = oauth2.VerifyCallback; export class Strategy extends oauth2.Strategy { constructor( options: StrategyOptions, verify: (accessToken: string, refreshToken: string, profile: Profile, done: VerifyCallback) => void, ); constructor( options: StrategyOptions, verify: ( accessToken: string, refreshToken: string, params: GoogleCallbackParameters, profile: Profile, done: VerifyCallback, ) => void, ); constructor( options: StrategyOptionsWithRequest, verify: ( req: express.Request, accessToken: string, refreshToken: string, profile: Profile, done: VerifyCallback, ) => void, ); constructor( options: StrategyOptionsWithRequest, verify: ( req: express.Request, accessToken: string, refreshToken: string, params: GoogleCallbackParameters, profile: Profile, done: VerifyCallback, ) => void, ); } // additional Google-specific options export interface AuthenticateOptionsGoogle extends passport.AuthenticateOptions { accessType?: "offline" | "online" | undefined; prompt?: string | undefined; loginHint?: string | undefined; includeGrantedScopes?: boolean | undefined; display?: string | undefined; hostedDomain?: string | undefined; hd?: string | undefined; requestVisibleActions?: any; openIDRealm?: any; } export interface GoogleCallbackParameters { access_token: string; refresh_token?: string | undefined; id_token?: string | undefined; expires_in: number; scope: string; token_type: string; } // allow Google-specific options when using "google" strategy declare module "passport" { interface Authenticator< InitializeRet = express.Handler, AuthenticateRet = any, AuthorizeRet = AuthenticateRet, AuthorizeOptions = passport.AuthenticateOptions, > { authenticate( strategy: "google", options: AuthenticateOptionsGoogle, callback?: (...args: any[]) => any, ): AuthenticateRet; authorize( strategy: "google", options: AuthenticateOptionsGoogle, callback?: (...args: any[]) => any, ): AuthorizeRet; } }