Thank you for your interest in this project and your aims to improving it. This guide will give you the most important info on how to contribute properly in order to get your pull requests accepted.
First things first: This project has strong security implications, and we appreciate every help to improve security.
However, please read our security policy, before taking actions.
Before contributing to this project it is important to understand how this project and it's collaborators views itself regarding its scope and purpose.
This project aims full standard compliance. All improvements on functionality, as well as security implications, are done in a way that the standard remains as the highest reference of choice.
If you are not familiar with the OAuth2 standards, please consult at least the following documents:
Extended readings:
- RFC 6819 - OAuth 2.0 Threat Model and Security Considerations
- RFC 7636 - Proof Key for Code Exchange by OAuth Public Clients
- RFC 7591 - OAuth 2.0 Dynamic Client Registration Protocol
Design decisions and implementations are always done with keeping in mind, that there are multiple frameworks out there that use this project.
If you want to fix bugs or add new features, please read this chapter and it's sections carefully!
Please make sure your commitment will be appreciated by first opening an issue and discuss, whether this is a useful addition to the project.
First, clone and install this project from source via
git clone git@github.com:node-oauth/node-oauth2-server.git
cd node-oauth2-server
npm installNote: CI runs on Node 24 (npm 11). Use a matching version locally, and regenerate
package-lock.jsonwith npm 11 if you change dependencies. Older npm versions rewrite the lock file — dropping the cross-platform optional dependencies thatnpm cineeds — which breaks CI even when it installs fine on your machine.
From here you can run several scripts for development purposes:
npm run test # runs the linter, then the tests once
npm run test:coverage # runs the tests including coverage
npm run lint # runs the linter
npm run lint:fix # runs the linter and auto-fixes what it can
npm run docs:api # regenerates the API docs from JSDoc comments
npm run docs:dev # serves the documentation site locallyMake sure your master is up to date, then create a branch for your work:
git switch master && git pull
git switch -c feature-xyz # or fix-xyz- Unit-testing: all features or bug fixes must be tested by specs
- Documentation: all public API methods must be documented
We follow Conventional Commits. Every
commit is linted in CI against
@commitlint/config-conventional,
and releases are produced automatically from the commit history by
semantic-release — so the
format is required, not just a style preference. Non-conforming commits fail
CI.
<type>(<optional scope>): <short summary>
The summary is written in the imperative mood, lower-case, with no trailing
period. The <type> and <summary> are mandatory; the (<scope>) is optional.
Release-triggering types — these appear in the changelog and, on merge to
master, trigger a release:
fix:— patch releasefeat:— minor releasefeat!:(or any commit with aBREAKING CHANGE:footer) — major release
Non-release types: docs, test, refactor, perf, style, build,
ci, chore.
Do not reference issues or PRs in the commit summary or body — link them from the pull request description instead. References in commit messages get replayed (re-notifying the linked thread) every time history is rebased or squashed.
Please always make sure your code is passing linter and tests before committing. By doing so you help to make reviews much easier and don't pollute the history with commits, that are solely targeting lint fixes.
You can run the tests via
npm run testor
npm run test:coverageto see your coverage.
Once you have implemented your changes and tested them locally, please open a pull request.
Note: sometimes a pull request (PR) is also referred to as merge request (MR).
There are a few basic requirements for your pull request to become accepted:
- Open your pull request against the
masterbranch - Make sure you are working on a dedicated branch, not
master; usually you can name the branch after the feature or fix you want to provide - Resolve any merge conflicts by keeping your branch up to date with
master - Have a clear description on what the PR does, including any steps necessary for testing, reviewing, reproduction etc.
- Link to the existing issue
- Added functions or changed functions need to get documented in compliance with JSDoc
- Make sure all CI Tests are passing
Also make sure, to comply with the following list:
- Do not work on
masterdirectly - Do not implement multiple features in one pull request (this includes bumping versions of dependencies that are not related to the PR/issue)
- Do not bump the release version or edit
CHANGELOG.md— both are produced automatically by semantic-release when your PR is merged - Do not introduce tight dependencies to a certain package that has not been approved during the discussion in the issue
Finally, your PR needs to pass the review process:
- A certain amount of maintainers needs to review and accept your PR
- Please expect change requests! They will occur and are intended to improve the overall code quality.
- If your changes have been updated please re-assign the reviewer who asked for the changes
- Once all reviewers have approved your PR it will be merged by one of the maintainers 🎉
Please delete your branch after merge.
We use Vitepress+Markdown for our documentation. If you want to contribute to the docs, please get familiar with Vitepress: https://vitepress.dev
You need NPM to set up the docs using the following:
npm install
npm run docs:setupYou can then edit the guide section manually.
DO NOT edit the api section, as API docs are automatically
generated from our internal JSDoc comments.
Instead, update the comments directly within the code and run npm run docs:api
to generate the api docs.
Run npm run docs:build to build the docs.