NodeJS OAuth 2.0 app
caution
If you are developing a single-page, mobile or native application, make sure you are able to keep the Client Secret private.
See OAuth documentation for more details.
tip
This page contains only an OAuth client code sample. For more details about OAuth authorization, see the related article.
const cors = require('cors');
const crypto = require('crypto');
const express = require('express');
const simpleOAuth = require('simple-oauth2');
const app = express();
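// Client credentials and authorization-server endpoints handed to simple-oauth2.
// `id` and `secret` must be filled with the same values as entered at https://devs.inviabroker.com/myapps.
// This sample lets both be supplied through the environment (INVIA_CLIENT_ID / INVIA_CLIENT_SECRET)
// so the secret does not have to be committed with the source; an unset or empty variable falls
// back to the literal placeholder below.
const credentialsInvia = {
  client: {
    // Client ID. Must be treated as public information
    id: process.env.INVIA_CLIENT_ID || 'd8d...ce7',
    // Client secret. Must be treated as private information
    secret: process.env.INVIA_CLIENT_SECRET || '4s7...40=',
  },
  auth: {
    // Address of the production environment auth server. Test env server is available at https://oauthdev.inviabroker.com
    tokenHost: 'https://oauth.inviabroker.com',
    // Resource to which the client application will direct the user to enter their credentials
    authorizePath: '/authorize',
    // Resource which the client application calls to generate tokens after successful user authorization
    tokenPath: '/token',
  },
};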
// Allow cross-origin requests from every domain. Delete or customize as necessary
app.use(cors());
// OAuth 2.0 client built from the credentials and endpoints declared above
const OAuth2 = simpleOAuth.create(credentialsInvia);
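// Name of the cookie that carries the pending OAuth `state` from GET / to GET /callback.
const STATE_COOKIE = 'invia_oauth_state';
// Page the auth server redirects the user back to after authorization. It must be identical to the
// redirect URI registered at https://devs.inviabroker.com/myapps and is sent both when building the
// authorization URL and when exchanging the code.
// NOTE(review): the sample listens on plain HTTP (see app.listen below) while this URI is https;
// either TLS is terminated in front of the app or the URI needs adjusting — confirm which is intended.
const REDIRECT_URI = 'https://localhost:3001/callback';
// Scopes requested by default; the user can narrow the scopes actually granted on the authorization page.
// NOTE(review): 'trades' is listed twice in the original; presumably harmless — confirm against the scope list.
const DEFAULT_SCOPE = 'ordersread trades personal trades';

/**
 * Produces an unguessable `state` value for the authorization request.
 * The original drew 15 characters from Math.random(), which is not a CSPRNG; crypto.randomBytes is used instead.
 * @param {number} [bytes=16] - number of random bytes (the hex result is twice as long)
 * @returns {string} hex-encoded random string
 */
function generateState(bytes = 16) {
  return crypto.randomBytes(bytes).toString('hex');
}

/**
 * Constant-time comparison of the `state` echoed by the auth server with the one this app issued.
 * @param {unknown} expected - value read back from this app's own cookie
 * @param {unknown} received - value from the callback query string (untrusted)
 * @returns {boolean} true only when both are non-empty strings with identical bytes
 */
function statesMatch(expected, received) {
  if (typeof expected !== 'string' || typeof received !== 'string') return false;
  const a = Buffer.from(expected);
  const b = Buffer.from(received);
  // timingSafeEqual throws on differing byte lengths, so compare lengths on the buffers, not the strings
  return a.length !== 0 && a.length === b.length && crypto.timingSafeEqual(a, b);
}

/**
 * Escapes text for safe interpolation into HTML (element content and quoted attribute values).
 * @param {unknown} value - converted with String() first
 * @returns {string}
 */
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

/**
 * Minimal `Cookie` request-header parser; the sample avoids pulling in cookie-parser.
 * Values are not URL-decoded, which is enough here because the state cookie is plain hex.
 * @param {string | undefined} header - raw value of req.headers.cookie
 * @returns {Object} cookie name -> value; prototype-less so names cannot collide with Object.prototype
 */
function parseCookies(header) {
  const cookies = Object.create(null);
  for (const pair of (header || '').split(';')) {
    const eq = pair.indexOf('=');
    if (eq === -1) continue;
    const name = pair.slice(0, eq).trim();
    if (name !== '') cookies[name] = pair.slice(eq + 1).trim();
  }
  return cookies;
}

/**
 * Wraps a body fragment in the sample's HTML page. Callers must escape dynamic values themselves.
 * @param {string} body - already-escaped HTML
 * @returns {string}
 */
function page(body) {
  return `
<html>
<body>
<h4>Ouath client app example</h4>
${body}
</body>
</html>
`;
}

// Step 1: hand the user a link to the authorization page and remember the `state` that was sent.
app.get('/', function (req, res) {
  const state = generateState();
  // `const` here: the original assigned an implicit global, shared (and clobbered) across concurrent requests.
  const authorizationUri = OAuth2.authorizationCode.authorizeURL({
    redirect_uri: REDIRECT_URI,
    scope: DEFAULT_SCOPE,
    // Lets /callback verify that the response belongs to a flow this browser started (CSRF protection).
    state,
  });
  res.cookie(STATE_COOKIE, state, {
    httpOnly: true,
    // 'lax' cookies are still sent on the top-level GET redirect from the auth server back to /callback.
    sameSite: 'lax',
    // Only mark the cookie Secure when this request itself arrived over TLS; otherwise the browser would drop it.
    secure: req.secure,
    maxAge: 10 * 60 * 1000,
  });
  res.type('html').send(page(`<a href="${escapeHtml(authorizationUri)}">Connect to Invia</a>`));
});

// Step 2: the auth server redirects here; verify `state`, then exchange the authorization code for tokens.
app.get('/callback', async function (req, res) {
  const { error, code, state } = req.query;
  const expectedState = parseCookies(req.headers.cookie)[STATE_COOKIE];
  // Single use: whatever happens next, this state must not be accepted a second time.
  res.clearCookie(STATE_COOKIE);
  if (!statesMatch(expectedState, state)) {
    res.status(400).type('text/plain').send('Invalid or missing OAuth state');
    return;
  }
  if (error !== undefined && error !== '') {
    // The original echoed this query parameter via res.send(), which serves a string as text/html:
    // a reflected XSS. Plain text keeps it inert; String() covers the array/object shapes req.query can yield.
    res.status(400).type('text/plain').send(String(error));
    return;
  }
  if (typeof code !== 'string' || code === '') {
    res.status(400).type('text/plain').send('Missing authorization code');
    return;
  }
  const tokenConfig = {
    code,
    redirect_uri: REDIRECT_URI,
    client_id: credentialsInvia.client.id,
    client_secret: credentialsInvia.client.secret,
  };
  try {
    const result = await OAuth2.authorizationCode.getToken(tokenConfig);
    const tokenResp = OAuth2.accessToken.create(result);
    // Sample only: a real client keeps tokens server-side rather than rendering them into a page.
    res.type('html').send(page(`
<div><b>Success</b></div>
<div>Acess Token: ${escapeHtml(tokenResp.token.access_token)}</div>
<div>Refresh Token: ${escapeHtml(tokenResp.token.refresh_token)}</div>`));
  } catch (err) {
    // The original's res.send('Access Token Error', error.message) matched Express 4's deprecated
    // (status, body) two-argument form and set the status to a string. Keep the detail server-side
    // and return a generic failure to the browser.
    console.error('Access Token Error', err);
    res.status(502).type('text/plain').send('Access Token Error');
  }
});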
// Listening port; it must match the port in the registered redirect URI
const port = 3001;
app.listen(port);
console.log(`OAuth Client started on port ${port}`);