refactor: upgrade got from v9.x to v11.x

BREAKING CHANGE: upgraded got http request library dependency from
`v9.x` to `v11.x`. If you override some of the http request options
you will most certainly have to accomodate them.

.github/workflows/test.yml

@@ -43,7 +43,7 @@ jobs:
     strategy:
       matrix:
         node-version:
-          - 10.13.0
+          - 10.19.0
           - 10
           - 12.0.0
           - 12

README.md

@@ -81,7 +81,7 @@ or koa middlewares. Those can however be built using the exposed API.
 
 ## Install
 
-Node.js version **>=12.0.0** is recommended, but **^10.13.0** lts/dubnium is also supported.
+Node.js version **>=12.0.0** is recommended, but **^10.19.0** lts/dubnium is also supported.
 
 ```console
 npm install openid-client
@@ -260,7 +260,7 @@ private API and is subject to change between any versions.
 
 #### How do I use it outside of Node.js
 
-It is **only built for ^10.13.0 || >=12.0.0 Node.js** environment - including openid-client in
+It is **only built for ^10.19.0 || >=12.0.0 Node.js** environment - including openid-client in
 browser-environment targeted projects is not supported and may result in unexpected results.
 
 #### What's new in 3.x?

docs/README.md

@@ -360,7 +360,7 @@ Fetches an arbitrary resource with the provided Access Token in an Authorization
   - `method`: `<string>` The HTTP verb to use for the request. **Default:** 'GET'
   - `tokenType`: `<string>` The token type as the Authorization Header scheme. **Default:** 'Bearer'
     or the `token_type` property from a passed in TokenSet.
-- Returns: `Promise<Response>` Response is a [Got Response](https://github.com/sindresorhus/got/tree/v9.6.0#response)
+- Returns: `Promise<Response>` Response is a [Got Response](https://github.com/sindresorhus/got/tree/v11.5.2#response)
   with the `body` property being a `<Buffer>`
 
 
@@ -523,7 +523,7 @@ Performs Dynamic Client Read Request to retrieve a Client instance.
 #### Customizing HTTP requests
 
 The following are default [`got`][got-library] request
-[options](https://github.com/sindresorhus/got/tree/v9.6.0#options) that openid-client sets for all
+[options](https://github.com/sindresorhus/got/tree/v11.5.2#options) that openid-client sets for all
 requests.
 
 ```js
@@ -552,7 +552,7 @@ This is meant to change global request options such as `timeout` or the default
   <summary><em><strong>Example</strong></em> (Click to expand) debugging HTTP requests and responses</summary>
 
 You can use the [`got`][got-library] request
-[options.hooks](https://github.com/sindresorhus/got/tree/v9.6.0#options) to log outgoing requests and their responses.
+[options.hooks](https://github.com/sindresorhus/got/tree/v11.5.2#options) to log outgoing requests and their responses.
 
 ```js
 const { custom } = require('openid-client')
@@ -622,15 +622,15 @@ you need to work around, e.g. adding custom headers or body payload parameters.
 ```js
 const { custom } = require('openid-client');
 client[custom.http_options] = function (options) {
-  // see https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options
-  // key, cert, ca, rejectUnauthorized
-  options.cert = cert; // <string> | <string[]> | <Buffer> | <Buffer[]>
-  options.key = key; // <string> | <string[]> | <Buffer> | <Buffer[]> | <Object[]>
+  // see https://github.com/sindresorhus/got/tree/v11.5.2#advanced-https-api
+  options.https = options.https || {};
+  options.https.cert = cert; // <string> | <string[]> | <Buffer> | <Buffer[]>
+  options.https.key = key; // <string> | <string[]> | <Buffer> | <Buffer[]> | <Object[]>
   // custom CA
-  // options.ca = ca; // <string> | <string[]> | <Buffer> | <Buffer[]>
+  // options.https.ca = ca; // <string> | <string[]> | <Buffer> | <Buffer[]>
 
   // use HTTP(S)_PROXY
-  // https://github.com/sindresorhus/got/tree/v9.6.0#agent
+  // https://github.com/sindresorhus/got/tree/v11.5.2#agent
   // options.agent = agent;
 
   return options;
@@ -644,20 +644,20 @@ client[custom.http_options] = function (options) {
 ```js
 const { custom } = require('openid-client');
 client[custom.http_options] = function (options) {
-  // https://github.com/sindresorhus/got/tree/v9.6.0#headers
+  // https://github.com/sindresorhus/got/tree/v11.5.2#headers
   // options.headers = Object.assign(options.headers, { 'custom': 'foo' });
 
-  // https://github.com/sindresorhus/got/tree/v9.6.0#timeout
+  // https://github.com/sindresorhus/got/tree/v11.5.2#timeout
   // options.timeout = timeout;
 
-  // https://github.com/sindresorhus/got/tree/v9.6.0#retry
+  // https://github.com/sindresorhus/got/tree/v11.5.2#retry
   // options.retry = retry;
 
-  // https://github.com/sindresorhus/got/tree/v9.6.0#followredirect
+  // https://github.com/sindresorhus/got/tree/v11.5.2#followredirect
   // options.followRedirect = false;
 
   // use HTTP(S)_PROXY
-  // https://github.com/sindresorhus/got/tree/v9.6.0#agent
+  // https://github.com/sindresorhus/got/tree/v11.5.2#agent
   // options.agent = agent;
 
   return options;
@@ -987,5 +987,5 @@ request instance.
 [support-sponsor]: https://github.com/sponsors/panva
 [jose]: https://github.com/panva/jose
 [webfinger-discovery]: https://openid.net/specs/openid-connect-discovery-1_0.html#IssuerDiscovery
-[got-library]: https://github.com/sindresorhus/got/tree/v9.6.0
+[got-library]: https://github.com/sindresorhus/got/tree/v11.5.2
 [client-authentication]: https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication

lib/client.js

@@ -1042,7 +1042,7 @@ module.exports = (issuer, aadIssValidation = false) => class Client extends Base
 
     return request.call(this, {
       ...requestOpts,
-      encoding: null,
+      responseType: 'buffer',
       method,
       url: resourceUrl,
     }, { mTLS });
@@ -1071,8 +1071,7 @@ module.exports = (issuer, aadIssValidation = false) => class Client extends Base
       throw new TypeError('can only send body on POST');
     }
 
-    const jwt = !!(this.userinfo_signed_response_alg
-      || this.userinfo_encrypted_response_alg);
+    const jwt = !!(this.userinfo_signed_response_alg || this.userinfo_encrypted_response_alg);
 
     if (jwt) {
       options.headers = { Accept: 'application/jwt' };
@@ -1155,11 +1154,7 @@ module.exports = (issuer, aadIssValidation = false) => class Client extends Base
       try {
         parsed = JSON.parse(response.body);
       } catch (error) {
-        const parseError = new ParseError(
-          error, response.statusCode, response.request.gotOptions, response.body,
-        );
-        Object.defineProperty(parseError, 'response', { value: response });
-        throw parseError;
+        throw new ParseError(error, response);
       }
     }
 
@@ -1239,9 +1234,8 @@ module.exports = (issuer, aadIssValidation = false) => class Client extends Base
       this,
       'token',
       {
-        form: true,
-        body,
-        json: true,
+        form: body,
+        responseType: 'json',
       },
       { clientAssertionPayload },
     );
@@ -1269,9 +1263,8 @@ module.exports = (issuer, aadIssValidation = false) => class Client extends Base
       this,
       'device_authorization',
       {
-        form: true,
-        body,
-        json: true,
+        responseType: 'json',
+        form: body,
       },
       { clientAssertionPayload, endpointAuthMethod: 'token' },
     );
@@ -1296,17 +1289,16 @@ module.exports = (issuer, aadIssValidation = false) => class Client extends Base
       throw new TypeError('hint must be a string');
     }
 
-    const body = { ...revokeBody, token };
+    const form = { ...revokeBody, token };
 
     if (hint) {
-      body.token_type_hint = hint;
+      form.token_type_hint = hint;
     }
 
     const response = await authenticatedPost.call(
       this,
       'revocation', {
-        body,
-        form: true,
+        form,
       }, { clientAssertionPayload },
     );
     processResponse(response, { body: false });
@@ -1322,15 +1314,15 @@ module.exports = (issuer, aadIssValidation = false) => class Client extends Base
       throw new TypeError('hint must be a string');
     }
 
-    const body = { ...introspectBody, token };
+    const form = { ...introspectBody, token };
     if (hint) {
-      body.token_type_hint = hint;
+      form.token_type_hint = hint;
     }
 
     const response = await authenticatedPost.call(
       this,
       'introspection',
-      { body, form: true, json: true },
+      { form, responseType: 'json' },
       { clientAssertionPayload },
     );
 
@@ -1443,8 +1435,8 @@ module.exports = (issuer, aadIssValidation = false) => class Client extends Base
       headers: initialAccessToken ? {
         Authorization: authorizationHeaderValue(initialAccessToken),
       } : undefined,
-      json: true,
-      body: metadata,
+      responseType: 'json',
+      json: metadata,
       url: this.issuer.registration_endpoint,
       method: 'POST',
     });
@@ -1473,7 +1465,7 @@ module.exports = (issuer, aadIssValidation = false) => class Client extends Base
     const response = await request.call(this, {
       method: 'GET',
       url: registrationClientUri,
-      json: true,
+      responseType: 'json',
       headers: { Authorization: authorizationHeaderValue(registrationAccessToken) },
     });
     const responseBody = processResponse(response, { bearer: true });

lib/device_flow_handle.js

@@ -42,13 +42,12 @@ class DeviceFlowHandle {
       instance(this).client,
       'token',
       {
-        form: true,
-        body: {
+        form: {
           ...instance(this).exchangeBody,
           grant_type: 'urn:ietf:params:oauth:grant-type:device_code',
           device_code: this.device_code,
         },
-        json: true,
+        responseType: 'json',
       },
       { clientAssertionPayload: instance(this).clientAssertionPayload },
     );

lib/helpers/client.js

@@ -56,12 +56,12 @@ async function authFor(endpoint, { clientAssertionPayload } = {}) {
     case 'self_signed_tls_client_auth':
     case 'tls_client_auth':
     case 'none':
-      return { body: { client_id: this.client_id } };
+      return { form: { client_id: this.client_id } };
     case 'client_secret_post':
       if (!this.client_secret) {
         throw new TypeError('client_secret_post client authentication method requires a client_secret');
       }
-      return { body: { client_id: this.client_id, client_secret: this.client_secret } };
+      return { form: { client_id: this.client_id, client_secret: this.client_secret } };
     case 'private_key_jwt':
     case 'client_secret_jwt': {
       const timestamp = now();
@@ -76,7 +76,7 @@ async function authFor(endpoint, { clientAssertionPayload } = {}) {
       });
 
       return {
-        body: {
+        form: {
           client_id: this.client_id,
           client_assertion: assertion,
           client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
@@ -125,7 +125,7 @@ async function authenticatedPost(endpoint, opts, {
   clientAssertionPayload, endpointAuthMethod = endpoint,
 } = {}) {
   const auth = await authFor.call(this, endpointAuthMethod, { clientAssertionPayload });
-  const requestOpts = merge(opts, auth, { form: true });
+  const requestOpts = merge(opts, auth);
 
   const mTLS = this[`${endpointAuthMethod}_endpoint_auth_method`].includes('tls_client_auth')
     || (endpoint === 'token' && this.tls_client_certificate_bound_access_tokens);
@@ -137,10 +137,10 @@ async function authenticatedPost(endpoint, opts, {
 
   targetUrl = targetUrl || this.issuer[`${endpoint}_endpoint`];
 
-  if ('body' in requestOpts) {
-    for (const [key, value] of Object.entries(requestOpts.body)) { // eslint-disable-line no-restricted-syntax, max-len
+  if ('form' in requestOpts) {
+    for (const [key, value] of Object.entries(requestOpts.form)) { // eslint-disable-line no-restricted-syntax, max-len
       if (typeof value === 'undefined') {
-        delete requestOpts.body[key];
+        delete requestOpts.form[key];
       }
     }
   }

lib/helpers/request.js

@@ -33,7 +33,13 @@ module.exports = function request(options, { mTLS = false } = {}) {
     opts = options;
   }
 
-  if (mTLS && (!opts.key || !opts.cert)) {
+  if (
+    mTLS
+    && (
+      (!opts.key || !opts.cert)
+      && (!opts.https || !opts.https.key || !opts.https.certificate)
+    )
+  ) {
     throw new TypeError('mutual-TLS certificate and key not set');
   }
   return got(opts);

lib/issuer.js

@@ -85,7 +85,7 @@ class Issuer {
       cache.reset();
       const response = await request.call(this, {
         method: 'GET',
-        json: true,
+        responseType: 'json',
         url: this.jwks_uri,
       });
       const jwks = processResponse(response);
@@ -168,8 +168,8 @@ class Issuer {
     const response = await request.call(this, {
       method: 'GET',
       url: webfingerUrl,
-      json: true,
-      query: { resource, rel: REL },
+      responseType: 'json',
+      searchParams: { resource, rel: REL },
       followRedirect: true,
     });
     const body = processResponse(response);
@@ -214,7 +214,7 @@ class Issuer {
     if (parsed.pathname.includes('/.well-known/')) {
       const response = await request.call(this, {
         method: 'GET',
-        json: true,
+        responseType: 'json',
         url: uri,
       });
       const body = processResponse(response);
@@ -243,7 +243,7 @@ class Issuer {
       const wellKnownUri = url.format({ ...parsed, pathname });
       const response = await request.call(this, {
         method: 'GET',
-        json: true,
+        responseType: 'json',
         url: wellKnownUri,
       });
       const body = processResponse(response);

package.json

@@ -43,9 +43,8 @@
     "test": "mocha test/**/*.test.js"
   },
   "dependencies": {
-    "@types/got": "^9.6.9",
     "base64url": "^3.0.1",
-    "got": "^9.6.0",
+    "got": "^11.5.2",
     "jose": "^1.27.1",
     "lru-cache": "^6.0.0",
     "make-error": "^1.3.6",
@@ -70,7 +69,7 @@
     "timekeeper": "^2.2.0"
   },
   "engines": {
-    "node": "^10.13.0 || >=12.0.0"
+    "node": "^10.19.0 || >=12.0.0"
   },
   "commitlint": {
     "extends": [