npm package discovery and stats viewer.


© 2026 – Pkg Stats / Ryan Hefner

@drstrain/oauth2

v0.1.0

Published

OAuth2 client for DrStrain SSO

Readme

@drstrain/oauth2

OAuth2 client for DrStrain SSO. Works in Node.js (≥20) and modern browsers.

Install

npm install @drstrain/oauth2

Quickstart

Confidential client (server-side)

import { randomBytes } from 'node:crypto';
import { OAuth2Client } from '@drstrain/oauth2';

const client = new OAuth2Client({
  issuer: 'https://sso.drstra.in',
  clientId: 'YOUR_CLIENT_ID',
  clientSecret: 'YOUR_CLIENT_SECRET',   // load from the environment or a secret store; never ship it to a browser
  redirectUri: 'https://yourapp.com/oauth2/callback',
});

// 1. Send the user to the authorize URL. `state` must be unguessable and bound to
//    this user's session so the callback can reject forged (CSRF) redirects.
//    Assumes a cookie-backed server session such as express-session on `req.session`.
const state = randomBytes(16).toString('base64url');
req.session.oauthState = state;
res.redirect(client.authorizeUrl({
  scope: ['profile:read', 'offline_access'],
  state,
}));

// 2. In your callback handler, verify `state` before exchanging the code
if (!req.query.state || req.query.state !== req.session.oauthState) {
  return res.status(400).send('invalid state');
}
delete req.session.oauthState;   // one-time use
const tokens = await client.exchangeCode({ code: req.query.code });
// tokens: { access_token, token_type, expires_in, scope, refresh_token? }

// 3. Call scope-protected endpoints with the access token
const me = await client.getProfile(tokens.access_token);

Public client (browser SPA, with PKCE)

import { OAuth2Client } from '@drstrain/oauth2';

const client = new OAuth2Client({
  issuer: 'https://sso.drstra.in',
  clientId: 'YOUR_CLIENT_ID',
  redirectUri: 'https://yourapp.com/oauth2/callback',
  // no clientSecret: public clients use PKCE instead
});

// Before redirect: generate verifier + challenge, stash verifier and state.
// A fresh verifier and state are needed for every authorization request.
const { verifier, challenge } = await OAuth2Client.generatePkce();
const state = crypto.randomUUID();
sessionStorage.setItem('pkce_verifier', verifier);
sessionStorage.setItem('oauth_state', state);

window.location.href = client.authorizeUrl({
  scope: ['profile:read'],
  state,
  codeChallenge: challenge,
});

// In your callback page: check state first, then exchange code + verifier
const params = new URL(location.href).searchParams;
if (!params.get('state') || params.get('state') !== sessionStorage.getItem('oauth_state')) {
  throw new Error('state mismatch: possible CSRF, aborting login');
}
const tokens = await client.exchangeCode({
  code: params.get('code')!,
  codeVerifier: sessionStorage.getItem('pkce_verifier')!,
});
sessionStorage.removeItem('pkce_verifier');
sessionStorage.removeItem('oauth_state');

API

new OAuth2Client(config)

{
  issuer: string;          // SSO base URL, e.g. 'https://sso.drstra.in'
  clientId: string;
  clientSecret?: string;   // confidential clients only
  redirectUri: string;
}

client.authorizeUrl(opts) → string

Build the URL to redirect the user to.

{
  scope: Scope[];                       // ['profile:read', 'offline_access', ...]
  state?: string;
  codeChallenge?: string;               // for PKCE
  codeChallengeMethod?: 'S256';         // default 'S256'
}

client.exchangeCode(opts) → Promise<Tokens>

{
  code: string;
  codeVerifier?: string;   // required for PKCE flows
}

client.refreshToken(refreshToken) → Promise<Tokens>

Returns a fresh access token together with a rotated refresh token. The refresh token you presented is replaced by the one in the response, so always persist the new refresh_token; a session that keeps presenting the old one will fail with an OAuthError whose code is 'invalid_grant', and at that point the user has to sign in again.
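How a client should consume rotated refresh tokens, as an added example that is not code from the package or from DrStrain: a small per-session token store that refreshes 30 seconds before expiry, shares one in-flight refresh between concurrent callers so a rotated token is never presented twice, and discards the refresh token on invalid_grant. The FakeRotatingClient is a constructed stand-in for client.refreshToken() with the rotation semantics described above (each token usable once), not the real client; the store, the token strings and the injectable clock are mine.

```javascript
// Constructed stand-in for OAuth2Client.refreshToken(): every call rotates the
// refresh token, and a token that has already been used is rejected with
// invalid_grant, which is how a rotating server behaves. Not the real client.
class FakeRotatingClient {
  constructor() { this.live = new Set(['rt-0']); this.n = 0; this.calls = 0; }
  async refreshToken(rt) {
    this.calls += 1;
    if (!this.live.delete(rt)) {
      const err = new Error('invalid_grant');
      err.code = 'invalid_grant'; err.status = 400;   // same shape as OAuthError
      throw err;
    }
    const next = `rt-${++this.n}`;
    this.live.add(next);
    return { access_token: `at-${this.n}`, token_type: 'Bearer', expires_in: 3600,
             scope: 'profile:read offline_access', refresh_token: next };
  }
}

// One store per user session. Callers never see the refresh token; concurrent
// callers share a single in-flight refresh so a rotated token is presented once.
// `now` is injectable so the demo below can move the clock.
class TokenStore {
  constructor(client, tokens, now = () => Date.now()) {
    this.client = client; this.now = now; this.inflight = null;
    this.set(tokens);
  }
  set(t) {
    this.accessToken = t.access_token;
    this.expiresAt = this.now() + (t.expires_in - 30) * 1000;   // refresh 30 s early
    if (t.refresh_token) this.rt = t.refresh_token;             // always keep the rotated one
  }
  async getAccessToken() {
    if (this.now() < this.expiresAt) return this.accessToken;
    if (!this.rt) throw new Error('no refresh token: user must sign in again');
    if (!this.inflight) {
      this.inflight = this.client.refreshToken(this.rt)
        .then((t) => { this.set(t); return t.access_token; })
        .catch((e) => {
          // Revoked, expired or already-used refresh token: drop it so callers
          // fall back to a full authorization instead of retrying forever.
          if (e.code === 'invalid_grant') { this.rt = null; this.accessToken = null; }
          throw e;
        })
        .finally(() => { this.inflight = null; });
    }
    return this.inflight;
  }
}

// Constructed initial token set, as exchangeCode() would return it.
const initial = { access_token: 'at-0', token_type: 'Bearer', expires_in: 3600,
                  scope: 'profile:read offline_access', refresh_token: 'rt-0' };

async function demo() {
  const client = new FakeRotatingClient();
  let clock = 1_000_000;
  const store = new TokenStore(client, initial, () => clock);
  const stale = new TokenStore(client, initial, () => clock);   // second copy of the same session, never updated
  const fresh = await store.getAccessToken();                   // still valid: no network call
  clock += 3600 * 1000;                                          // now expired
  const [a, b, c] = await Promise.all([
    store.getAccessToken(), store.getAccessToken(), store.getAccessToken(),
  ]);
  const callsAfterConcurrent = client.calls;                    // one refresh for three callers
  let staleError = null;
  try { await stale.getAccessToken(); } catch (e) { staleError = e.code; }   // rt-0 was already rotated
  return { fresh, a, b, c, callsAfterConcurrent, storedRt: store.rt, staleError, staleRt: stale.rt };
}

demo().then((r) => console.log(r));
```

The single-flight guard matters more with rotation than without it: two tabs or two request handlers that each refresh with the same token will have the second one rejected, and if that second caller then overwrites the store with nothing, the session is lost.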

Scope-protected endpoints

Each call requires an access token that carries the listed scope. A call made with a token that lacks it throws OAuthError with status 403 (typically with code 'insufficient_scope'). Because the server may grant fewer scopes than you asked for, check the space-separated scope string in the token response rather than assuming the requested set was granted.

| Method | Required scope | Returns |
| --- | --- | --- |
| client.getProfile(token) | profile:read | { sub, email, name, picture } |
| client.updateProfile(token, patch) | profile:write | updated profile |
| client.getTeams(token) | team:read | { memberOf, leaderOf } |
| client.manageTeamMember(token, opts) | team:write | { ok: true } |

updateProfile accepts { name?: string, avatar?: Blob } (multipart form). manageTeamMember accepts { teamId: number, userId: string, action: 'add' | 'remove' }.

OAuth2Client.generatePkce() → Promise<{ verifier, challenge }>

Generate a cryptographically random PKCE code verifier and its S256 code challenge (the base64url-encoded SHA-256 of the verifier, as specified in RFC 7636). Generate a fresh pair for every authorization request, send only the challenge in the authorize URL, and keep the verifier client-side until exchangeCode.

OAuthError

Thrown on any non-2xx response.

class OAuthError extends Error {
  readonly code: string | undefined;     // e.g. 'invalid_grant', 'insufficient_scope'
  readonly status: number;               // HTTP status
  readonly body: { error?: string; error_description?: string; [k: string]: unknown };
}

Scopes

| Scope | Purpose |
| --- | --- |
| profile:read | Read the user's identity (sub, email, name, picture). |
| profile:write | Update the user's name and avatar. |
| team:read | List teams the user belongs to or leads. |
| team:write | Add/remove members from teams the user leads. |
| offline_access | Issue a refresh token alongside the access token. |

Tests

Tests live at the repo root in /tests and run end-to-end against a real wrangler dev worker — no mocks. See the root README for instructions.

License

MIT