Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
54 commits
Select commit Hold shift + click to select a range
b4b7ff6
added oauth 2.1 check
mooreds Mar 27, 2026
706534a
added readme for oauth 2.1 check
mooreds Mar 27, 2026
ce233bd
upgrade typescript client version to grab new features
mooreds Mar 27, 2026
7b6a8ca
accurate handling of dpop
mooreds Mar 27, 2026
3412438
upgrade typescript client version to grab new features
mooreds Mar 27, 2026
07ef7f3
fixing audit warnings
mooreds Mar 27, 2026
476aa70
Merge branch 'main' into mooreds/add-oauth-2-1-check
mooreds Mar 27, 2026
b2fe23c
updated to 1.64 for realz
mooreds Mar 27, 2026
0ddd263
handle single application better
mooreds Apr 7, 2026
baea395
remove internal import
mooreds Apr 7, 2026
d07520a
more doco
mooreds Apr 7, 2026
318259b
Apply suggestions from code review
mooreds Apr 7, 2026
18d2609
make sure that an application belongs to a tenant
mooreds Apr 7, 2026
3f405fd
Merge branch 'main' into mooreds/add-oauth-2-1-check
mooreds Apr 17, 2026
f249ced
Apply suggestion from @Copilot
mooreds Apr 17, 2026
3d03abf
Merge branch 'mooreds/add-oauth-2-1-check' of github.com:FusionAuth/f…
mooreds Apr 17, 2026
6fc7dca
updated dpop reference
mooreds Apr 17, 2026
ee24980
updated the limitations to reflect reality
mooreds Apr 17, 2026
afd9a53
limit checks to the containing tenant if the application id is provided
mooreds Apr 17, 2026
41508fc
merge in main
mooreds May 8, 2026
46a3460
updated to include telemetry
mooreds May 8, 2026
5fc5e0c
updated version
mooreds May 8, 2026
6950512
import telemetry method
mooreds May 8, 2026
d3081b6
chore(release): First general setup for conventional commits
brob Jun 12, 2026
932a247
Gets rid of husky due to commit bug
brob Jun 12, 2026
b4538f8
Adds this testing branch to the prelease ability
brob Jun 12, 2026
a700481
Adds next-release to action for testing
brob Jun 12, 2026
6f69924
Adds pull_request check
brob Jun 12, 2026
ac51e58
fix(release): fixes commitlint issues
brob Jun 12, 2026
5a1059a
fix(release): removes PR action and corrects branch for testing push
brob Jun 12, 2026
32a3a77
test(release): only fires on next-setup branch for now
brob Jun 12, 2026
a19efc5
test(release): tests the build without tests and linting
brob Jun 12, 2026
ccefcad
fix(release): makes release config common js
brob Jun 12, 2026
d66921b
fix(release): adds permissions to action
brob Jun 15, 2026
fdac965
fix(release): adds defaults
brob Jun 15, 2026
cd34c52
fix(release): adds back github token
brob Jun 16, 2026
1dcd70b
test: update actions versions
johnjeffers Jul 8, 2026
56ca579
test: package updates, workflow updates
johnjeffers Jul 8, 2026
25ee039
chore(release): set `package.json` to 1.8.3-next-setup.1 [skip ci]
semantic-release-bot Jul 8, 2026
d64ac2c
fix(release): stop committing build output and drop unused deps
johnjeffers Jul 8, 2026
0dda575
chore(release): set `package.json` to 1.8.3-next-setup.2 [skip ci]
semantic-release-bot Jul 8, 2026
af7ac13
Merge branch 'main' into next-setup
johnjeffers Jul 8, 2026
1b7939c
test: remove ts-node in favor of tsx, switch enums to const
johnjeffers Jul 8, 2026
8a8e05d
test: update node version for publish
johnjeffers Jul 8, 2026
725d29c
fix(release): updates branches for workflow for main and next
brob Jul 9, 2026
687bbd6
fix(release): removes extraneous test that was causing failure in bui…
brob Jul 9, 2026
d5b77b7
fix(release): replaces inline testing with test workflow chaining
brob Jul 9, 2026
53d1443
fix(release): fixes typo in workflow
brob Jul 9, 2026
c6dbd1a
fix(release): updates workflow away from quotations as per the github…
brob Jul 9, 2026
94551bd
fix(release): brings testing job into release action
brob Jul 9, 2026
1b9d271
chore(release): set `package.json` to 1.9.1-next-setup.1 [skip ci]
semantic-release-bot Jul 9, 2026
3cd41cf
fix(release): adds dependency of test job
brob Jul 9, 2026
272f218
chore(release): set `package.json` to 1.9.1-next-setup.2 [skip ci]
semantic-release-bot Jul 9, 2026
58fd424
fix: merges current into old branch
brob Jul 13, 2026
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 4 additions & 4 deletions .github/workflows/publish.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ name: Publish to NPM
on:
push:
tags:
- 'v[0-9]+.[0-9]+.[0-9]+'
- "v[0-9]+.[0-9]+.[0-9]+"

permissions:
contents: read
Expand All @@ -20,7 +20,7 @@ jobs:
- name: checkout
uses: actions/checkout@v6
with:
fetch-depth: 0 # Fetch full history for branch verification
fetch-depth: 0 # Fetch full history for branch verification

- name: verify tag is on main branch
run: |
Expand All @@ -33,8 +33,8 @@ jobs:
- name: setup node
uses: actions/setup-node@v6
with:
node-version: '20'
registry-url: 'https://registry.npmjs.org'
node-version: 22.x
registry-url: "https://registry.npmjs.org"

- name: build and publish
run: |
Expand Down
80 changes: 80 additions & 0 deletions .github/workflows/release.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,80 @@
name: Release

on:
push:
branches: [main, next, next-setup]
permissions:
id-token: write
contents: write

jobs:
test:
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
node-version: ["22.x", "24.x", "26.x"]

name: Test on Node ${{ matrix.node-version }}
steps:
- name: Checkout
uses: actions/checkout@v7

- name: Set up Docker
uses: docker/setup-buildx-action@v4

- name: Setup Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v6
with:
node-version: ${{ matrix.node-version }}

- name: Install dependencies
run: npm ci

- name: Build
run: npm run build

- name: Run integration tests
env:
SKIP_TEARDOWN: false
REUSE_CONTAINER: false
NODE_ENV: test
FUSIONAUTH_TELEMETRY: false
run: npm test
timeout-minutes: 15

release:
name: Release
needs: test
runs-on: ubuntu-latest
defaults:
run:
shell: /usr/bin/bash -l -e -o pipefail {0}
steps:
- name: Checkout
uses: actions/checkout@v7
with:
fetch-depth: 0

- name: Setup Node.js
uses: actions/setup-node@v6
with:
node-version: 22.x
registry-url: "https://registry.npmjs.org"

- name: Install dependencies
run: npm ci

- name: Install semantic-release extra plugins
run: npm install --save-dev @semantic-release/changelog @semantic-release/git

# - name: Lint
# run: npm run lint-fix

- name: Build
run: npm run build

- name: Release
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: npx semantic-release
Original file line number Diff line number Diff line change
@@ -1,34 +1,42 @@
name: Integration Tests
name: Tests

on:
push:
pull_request:
workflow_dispatch:

jobs:
integration-tests:
test:
runs-on: ubuntu-latest

strategy:
fail-fast: false
matrix:
node-version: ["22.x", "24.x", "26.x"]

name: Test on Node ${{ matrix.node-version }}
steps:
- uses: actions/checkout@v6

- name: Checkout
uses: actions/checkout@v7

- name: Set up Docker
uses: docker/setup-buildx-action@v4
- name: Setup Node.js

- name: Setup Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v6
with:
node-version: '22'
node-version: ${{ matrix.node-version }}

- name: Install dependencies
run: npm install
run: npm ci

- name: Build
run: npm run build

- name: Run integration tests
env:
SKIP_TEARDOWN: false
REUSE_CONTAINER: false
NODE_ENV: test
FUSIONAUTH_TELEMETRY: false
run: npm run test
run: npm test
timeout-minutes: 15
1 change: 1 addition & 0 deletions .husky/commit-msg
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
npx --no-install commitlint --edit "$1"
Empty file added .husky/pre-commit
Empty file.
1 change: 0 additions & 1 deletion .npmrc
Original file line number Diff line number Diff line change
@@ -1,2 +1 @@
tag-version-prefix=""
min-release-age=7
44 changes: 44 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
## [1.9.1-next-setup.2](https://github.com/FusionAuth/fusionauth-node-cli/compare/v1.9.1-next-setup.1...v1.9.1-next-setup.2) (2026-07-09)


### Bug Fixes

* **release:** adds dependency of test job ([3cd41cf](https://github.com/FusionAuth/fusionauth-node-cli/commit/3cd41cf2465965658abb6d07ce5e116da402fedd))

## [1.9.1-next-setup.1](https://github.com/FusionAuth/fusionauth-node-cli/compare/v1.9.0...v1.9.1-next-setup.1) (2026-07-09)


### Bug Fixes

* **release:** adds back github token ([cd34c52](https://github.com/FusionAuth/fusionauth-node-cli/commit/cd34c52382950ebea18dc6a6e07f68fb8b5e0697))
* **release:** adds defaults ([fdac965](https://github.com/FusionAuth/fusionauth-node-cli/commit/fdac965d591b21a657fb105285b6c0898322c387))
* **release:** adds permissions to action ([d66921b](https://github.com/FusionAuth/fusionauth-node-cli/commit/d66921ba6c2289bdeacb9388c2d1b48ec474845d))
* **release:** brings testing job into release action ([94551bd](https://github.com/FusionAuth/fusionauth-node-cli/commit/94551bdce7c7baafaae59c615b8e375329b122f5))
* **release:** fixes commitlint issues ([ac51e58](https://github.com/FusionAuth/fusionauth-node-cli/commit/ac51e588f5c879c2580f1fa0ade6c7ccfed20884))
* **release:** fixes typo in workflow ([53d1443](https://github.com/FusionAuth/fusionauth-node-cli/commit/53d1443b34cd24e177f9fd8964741519a6352de8))
* **release:** makes release config common js ([ccefcad](https://github.com/FusionAuth/fusionauth-node-cli/commit/ccefcad70568436994732baedbb21d4c4fabeb5d))
* **release:** removes extraneous test that was causing failure in build not local ([687bbd6](https://github.com/FusionAuth/fusionauth-node-cli/commit/687bbd6e766909aae65f5f50a550449c514f0c58))
* **release:** removes PR action and corrects branch for testing push ([5a1059a](https://github.com/FusionAuth/fusionauth-node-cli/commit/5a1059a0c36313b2ba5c713288735f89973faee6))
* **release:** replaces inline testing with test workflow chaining ([d5b77b7](https://github.com/FusionAuth/fusionauth-node-cli/commit/d5b77b7326925295e50ac3606194033c27e70e76))
* **release:** stop committing build output and drop unused deps ([d64ac2c](https://github.com/FusionAuth/fusionauth-node-cli/commit/d64ac2c3b37c3a260e3f9e5f31464a2b873a8bfd)), closes [#45](https://github.com/FusionAuth/fusionauth-node-cli/issues/45)
* **release:** updates branches for workflow for main and next ([725d29c](https://github.com/FusionAuth/fusionauth-node-cli/commit/725d29c4216a3729c0d010cdcebf3b73aae508b9))
* **release:** updates workflow away from quotations as per the github docs ([c6dbd1a](https://github.com/FusionAuth/fusionauth-node-cli/commit/c6dbd1a53ac9ad1d22cd11256446c9893a8ea132))

## [1.8.3-next-setup.2](https://github.com/FusionAuth/fusionauth-node-cli/compare/v1.8.3-next-setup.1...v1.8.3-next-setup.2) (2026-07-08)


### Bug Fixes

* **release:** stop committing build output and drop unused deps ([d64ac2c](https://github.com/FusionAuth/fusionauth-node-cli/commit/d64ac2c3b37c3a260e3f9e5f31464a2b873a8bfd)), closes [#45](https://github.com/FusionAuth/fusionauth-node-cli/issues/45)

## [1.8.3-next-setup.1](https://github.com/FusionAuth/fusionauth-node-cli/compare/v1.8.2...v1.8.3-next-setup.1) (2026-07-08)


### Bug Fixes

* **release:** adds back github token ([cd34c52](https://github.com/FusionAuth/fusionauth-node-cli/commit/cd34c52382950ebea18dc6a6e07f68fb8b5e0697))
* **release:** adds defaults ([fdac965](https://github.com/FusionAuth/fusionauth-node-cli/commit/fdac965d591b21a657fb105285b6c0898322c387))
* **release:** adds permissions to action ([d66921b](https://github.com/FusionAuth/fusionauth-node-cli/commit/d66921ba6c2289bdeacb9388c2d1b48ec474845d))
* **release:** fixes commitlint issues ([ac51e58](https://github.com/FusionAuth/fusionauth-node-cli/commit/ac51e588f5c879c2580f1fa0ade6c7ccfed20884))
* **release:** makes release config common js ([ccefcad](https://github.com/FusionAuth/fusionauth-node-cli/commit/ccefcad70568436994732baedbb21d4c4fabeb5d))
* **release:** removes PR action and corrects branch for testing push ([5a1059a](https://github.com/FusionAuth/fusionauth-node-cli/commit/5a1059a0c36313b2ba5c713288735f89973faee6))
67 changes: 64 additions & 3 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ The FusionAuth CLI is a command line tool for interacting with FusionAuth. It is

## Requirements

* A modern version of node (tested on 19, 20 and 22)
* A supported LTS version of Node.js — 22.22.0 or newer (tested in CI on 22, 24 and 26)
* A FusionAuth instance (download it here: https://fusionauth.io/download)

## Installation & usage
Expand All @@ -24,6 +24,8 @@ fusionauth --help;
Currently, the CLI supports the following commands:
- Common config check
- `fusionauth check:common-config` - Checks to make sure common configuration settings are set.
- OAuth 2.1 compliance check
- `fusionauth check:oauth-2-1` - Checks FusionAuth configuration for OAuth 2.1 compliance.
- Emails
- `fusionauth email:download` - Download a specific template or all email templates from a FusionAuth server.
- `fusionauth email:duplicate` - Duplicate an email template locally.
Expand Down Expand Up @@ -123,12 +125,71 @@ npm run build;
npx fusionauth -h;
```

To run commands directly from source during development (without installing globally):
```bash
npm run build && node dist/index.js <command> [options]

# Example:
node dist/index.js check:oauth-2-1 --key <api-key> --host http://localhost:9011
```

To see examples of use: https://fusionauth.io/docs/extend/code/lambdas/testing

## Troubleshooting

If you run this multiple times in a row against a local instance, the number of admin users may be incorrect until you re-index. See [this issue for more](https://github.com/FusionAuth/fusionauth-issues/issues/3271).

## License
## OAuth 2.1 Compliance

The `check:oauth-2-1` command validates your FusionAuth instance against OAuth 2.1 specification requirements ([draft-ietf-oauth-v2-1-15](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-15)).

### Usage

```bash
# Check all applications across all tenants
fusionauth check:oauth-2-1 --key <api-key> --host <url>

# Check a specific application
fusionauth check:oauth-2-1 --key <api-key> --host <url> --application-id <app-id>

# Check all applications in a specific tenant
fusionauth check:oauth-2-1 --key <api-key> --host <url> --tenant-id <tenant-id>

# Enforce strict mode (fail on deprecated grants)
fusionauth check:oauth-2-1 --key <api-key> --host <url> --strict

# Output as JSON
fusionauth check:oauth-2-1 --key <api-key> --host <url> --json

# Show verbose per-application breakdown
fusionauth check:oauth-2-1 --key <api-key> --host <url> --verbose
```

### What It Checks

Only applications with both the `authorization_code` and `refresh_token` grants enabled are checked.

**REQUIRED (causes exit 1 if failed):**
- PKCE enforcement set to "Required" on all applications (§7.5)
- Redirect URI validation set to "ExactMatch" — no wildcards (§4.1.3)
- HTTPS enforcement for all redirect URIs except localhost (§1.5)
- Refresh token rotation enabled via "OneTimeUse" usage policy (§4.3)
- Refresh token revocation on one-time token reuse enabled at the tenant level (§4.3)
- Tenant issuer properly configured — not default "acme.com"

**WARNINGS (informational, does not cause exit 1):**
- DPoP (sender-constrained tokens) available for applications (§1.4.3)
- Authorization code lifetime ≤ 600 seconds (§7.5)
- No deprecated grants enabled — Implicit, Password (§10); use `--strict` to make this a failure

### Known FusionAuth OAuth 2.1 Limitations

FusionAuth does not fully implement all OAuth 2.1 security requirements. The following gaps exist:

1. **Missing `iss` authorization response parameter** ([§7.14](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-15#section-7.14))
The `iss` authorization response parameter for mix-up mitigation doesn't appear to be supported — use distinct redirect URIs per authorization server as a workaround (§7.14.2). See [fusionauth-issues#1383](https://github.com/FusionAuth/fusionauth-issues/issues/1383).

This code is available as open source under the terms of the [Apache v2.0 License](https://opensource.org/licenses/Apache-2.0).
For more information:
- [OAuth 2.1 Specification (draft-ietf-oauth-v2-1-15)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-15)
- [FusionAuth OAuth Configuration](https://fusionauth.io/docs/apis/applications)
- [FusionAuth Tenant Configuration](https://fusionauth.io/docs/apis/tenants)
4 changes: 2 additions & 2 deletions __tests__/telemetry/index.js
Original file line number Diff line number Diff line change
Expand Up @@ -11,12 +11,12 @@ import nock from 'nock'

export function telemetry() {
const mockedTrueConfig = {
id: '8c0a77f2-27e4-4284-b5d3-5618ec2a56eb',
id: '8c0a77f2-27e4-4284-b5d3-5618ec2a56eb',
telemetry: true,
version: '1.0'
}
const mockedFalseConfig = {
id: '8c0a77f2-27e4-4284-b5d3-5618ec2a56eb',
id: '8c0a77f2-27e4-4284-b5d3-5618ec2a56eb',
telemetry: false,
version: '1.0'
}
Expand Down
14 changes: 0 additions & 14 deletions __tests__/telemetry/telemetry.test.js
Original file line number Diff line number Diff line change
Expand Up @@ -100,20 +100,6 @@ describe('telemetry runs properly', () => {
delete process.env.FUSIONAUTH_TELEMETRY
}
})

test("If FUSIONAUTH_TELEMETRY === true DO run", async () => {
process.env.FUSIONAUTH_TELEMETRY = 'true'
nock('https://us.i.posthog.com')
.post('/batch/')
.reply(200)
try {
const response = await logEvent('test event')
assert.equal(response, true, "logEvent didn't fire")
} finally {
nock.cleanAll()
delete process.env.FUSIONAUTH_TELEMETRY
}
})
test("If no .env, event submits", async () => {
nock('https://us.i.posthog.com')
.post('/batch/')
Expand Down
Loading