Pull request overview
Adds a new CLI command to assess a FusionAuth instance against key OAuth 2.1 (draft-ietf-oauth-v2-1-15) recommendations, with both human-readable and JSON output modes.
Changes:
- Introduces `check:oauth-2-1` command to validate tenant-, instance-, and application-level settings relevant to OAuth 2.1 guidance.
- Updates documentation to describe the new command, its options, and what is checked.
- Upgrades `@fusionauth/typescript-client` to support the new checks and updates lockfile accordingly.
Reviewed changes
Copilot reviewed 4 out of 5 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| src/commands/index.ts | Exports the new check:oauth-2-1 command for auto-registration by the CLI. |
| src/commands/check-oauth-2-1.ts | Implements the OAuth 2.1 compliance checking logic and output formatting. |
| package.json | Bumps @fusionauth/typescript-client dependency version/range. |
| package-lock.json | Updates lockfile for new dependency versions and bumps package version. |
| README.md | Documents the new OAuth 2.1 compliance command and its behavior. |
| if (appsToCheck.length === 0 && !applicationId) { | ||
| if (!jsonOutput) { | ||
| console.log(chalk.yellow('No applications found using both authorization_code and refresh_token grants.')); | ||
| console.log(chalk.yellow('Nothing to check for OAuth 2.1 compliance.')); | ||
| } |
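Review bot: In the `jsonOutput` branch this guard emits nothing at all, and the visible lines show no return or non-zero exit after the warning, so a consumer of the JSON output gets no signal that zero applications were checked before the command falls through to the summary. Consider emitting a summary object with an explicit `checked: 0` (or a skipped indicator) in JSON mode and returning from the command here, so "nothing checked" is distinguishable from "all checks passed" in both output modes.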
When --application-id is provided and the selected app doesn’t meet shouldCheckApplication (e.g., it’s built-in or doesn’t have both authorization_code + refresh_token grants), appsToCheck.length becomes 0 and this guard won’t run due to && !applicationId. The command then continues and later prints 0/0 “success” summaries, which is misleading because the requested application was effectively skipped. Consider explicitly detecting this case (applicationId provided but not eligible) and either (a) emit a clear message and exit non-zero, or (b) include it in the skipped count/output and avoid reporting compliance based on 0 checked apps.
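As an added example (not code from the PR under review), the following TypeScript models the eligibility guard the comment describes and the behaviour it asks for: an explicitly requested application that is not eligible becomes an error with a non-zero exit, zero checked applications never produce a "compliant" verdict, and JSON mode always emits a summary object. All names (Application, Selection, Summary, shouldCheckApplication, selectApplicationsToCheck, summarize, render) and the sample applications are assumptions, not the CLI's actual code.

```typescript
// Added example, not code from the PR under review. Every name below and the
// sample data are assumptions chosen to illustrate the eligibility guard.

interface Application {
  id: string;
  name: string;
  builtIn?: boolean;       // e.g. the FusionAuth default application
  enabledGrants: string[]; // OAuth grant types enabled on the application
}

interface Selection {
  toCheck: Application[];
  skipped: Application[];
  // Present only when an explicit --application-id was given but is not eligible.
  error?: string;
}

type Verdict = 'compliant' | 'non-compliant' | 'nothing-checked' | 'error';

interface Summary {
  verdict: Verdict;
  checked: number;
  failed: number;
  skipped: number;
  exitCode: number;
  message: string;
}

// Same intent as the PR's shouldCheckApplication: only non-built-in apps using
// both authorization_code and refresh_token are in scope for OAuth 2.1 checks.
function shouldCheckApplication(app: Application): boolean {
  return !app.builtIn
    && app.enabledGrants.includes('authorization_code')
    && app.enabledGrants.includes('refresh_token');
}

// An explicitly requested application that is not eligible is reported as an
// error instead of silently shrinking the list to zero.
function selectApplicationsToCheck(apps: Application[], applicationId?: string): Selection {
  if (applicationId !== undefined) {
    const app = apps.find(a => a.id === applicationId);
    if (!app) {
      return { toCheck: [], skipped: [], error: `Application ${applicationId} not found.` };
    }
    if (!shouldCheckApplication(app)) {
      return {
        toCheck: [],
        skipped: [app],
        error: `Application ${applicationId} (${app.name}) is not eligible: `
          + 'it is built-in or does not use both authorization_code and refresh_token.',
      };
    }
    return { toCheck: [app], skipped: [] };
  }
  return {
    toCheck: apps.filter(shouldCheckApplication),
    skipped: apps.filter(a => !shouldCheckApplication(a)),
  };
}

// Zero checked applications never yields "compliant", and an ineligible explicit
// application exits non-zero, so a CI job cannot mistake "skipped" for "passed".
function summarize(sel: Selection, failedChecks: number): Summary {
  const base = { checked: sel.toCheck.length, failed: failedChecks, skipped: sel.skipped.length };
  if (sel.error) {
    return { ...base, verdict: 'error', exitCode: 2, message: sel.error };
  }
  if (sel.toCheck.length === 0) {
    return { ...base, verdict: 'nothing-checked', exitCode: 0,
      message: 'No applications found using both authorization_code and refresh_token grants; nothing checked.' };
  }
  if (failedChecks > 0) {
    return { ...base, verdict: 'non-compliant', exitCode: 1, message: `${failedChecks} check(s) failed.` };
  }
  return { ...base, verdict: 'compliant', exitCode: 0, message: `${base.checked} application(s) checked, all passed.` };
}

// JSON mode always emits an object, including the nothing-checked and error
// cases, so machine consumers see them too.
function render(summary: Summary, jsonOutput: boolean): string {
  if (jsonOutput) {
    return JSON.stringify(summary);
  }
  return `${summary.message} (checked=${summary.checked}, skipped=${summary.skipped}, exit=${summary.exitCode})`;
}

// Constructed sample data for a stand-alone run.
const sampleApps: Application[] = [
  { id: 'app-default', name: 'FusionAuth', builtIn: true, enabledGrants: ['authorization_code', 'refresh_token'] },
  { id: 'app-web', name: 'Web Portal', enabledGrants: ['authorization_code', 'refresh_token'] },
  { id: 'app-svc', name: 'Service', enabledGrants: ['client_credentials'] },
];

console.log(render(summarize(selectApplicationsToCheck(sampleApps, 'app-default'), 0), false));
console.log(render(summarize(selectApplicationsToCheck(sampleApps), 0), true));
```

The exit code 2 for an ineligible explicit application is a choice made here to keep it distinct from the exit 1 that the README reserves for failed checks.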
| - Tenant issuer properly configured — not default "acme.com" | ||
|
|
||
| **WARNINGS (informational, does not cause exit 1):** | ||
| - DPoP (sender-constrained tokens) enabled on applications (§1.4.3) |
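Review bot: The line 'Tenant issuer properly configured — not default "acme.com"' should state the actual condition the command tests. As written a reader cannot tell whether the check only verifies that the placeholder was changed or also that the issuer is an HTTPS URL that clients can validate; a tenant that replaced acme.com with any other string would pass a placeholder-only check, so document the precise rule next to the bullet.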
The warning bullet says “DPoP … enabled on applications”, but the implementation checks only whether the instance has an Enterprise license/feature active (DPoP has no per-application toggle). This doc line should be reworded to match the actual behavior (e.g., “DPoP available on this instance (Enterprise license)” or similar).
| - DPoP (sender-constrained tokens) enabled on applications (§1.4.3) | |
| - DPoP (sender-constrained tokens) available on this instance (Enterprise license) (§1.4.3) |
| "@commander-js/extra-typings": "11.0.0", | ||
| "@faker-js/faker": "^8.4.1", | ||
| "@fusionauth/typescript-client": "1.47.0", | ||
| "@fusionauth/typescript-client": "^1.64.0", |
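Review bot: The jump from 1.47.0 to 1.64.0 spans many client releases, and nothing in the PR says which client APIs the new checks need; state the minimum version the command actually requires so the bump is justified. With a caret range the resolved version in package-lock.json alone decides what gets installed, so confirm the lockfile entry matches the version the new command was tested against.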
This switches @fusionauth/typescript-client to a caret range (^1.64.0). Given the codebase imports an internal module path from that package (src/utils.ts imports @fusionauth/typescript-client/build/src/ClientResponse.js), allowing automatic minor updates increases the risk of future installs breaking due to internal file layout changes. Consider pinning an exact version here, or (preferably) updating the code to rely only on public exports so semver ranges are safe.
| "@fusionauth/typescript-client": "^1.64.0", | |
| "@fusionauth/typescript-client": "1.64.0", |
This checks against the OAuth 2.1 recommendations for a given FusionAuth installation.