UNPKG

express-jwt

Version:

JWT authentication middleware.

github.com/auth0/express-jwt

auth0/express-jwt

151 lines (125 loc) 4.58 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
var jwt = require('jsonwebtoken'); var assert = require('assert'); var expressjwt = require('../lib'); describe('failure tests', function () { var req = {}; var res = {}; it('should throw if options not sent', function() { try { expressjwt(); } catch(e) { assert.ok(e); assert.equal(e.message, 'secret should be set'); } }); it('should throw if no authorization header and credentials are required', function() { expressjwt({secret: 'shhhh', credentialsRequired: true})(req, res, function(err) { assert.ok(err); assert.equal(err.code, 'credentials_required'); }); }); it('support unless skip', function() { req.originalUrl = '/index.html'; expressjwt({secret: 'shhhh'}).unless({path: '/index.html'})(req, res, function(err) { assert.ok(!err); }); }); it('should skip on CORS preflight', function() { var corsReq = {}; corsReq.method = 'OPTIONS'; corsReq.headers = { 'access-control-request-headers': 'sasa, sras, authorization' }; expressjwt({secret: 'shhhh'})(corsReq, res, function(err) { assert.ok(!err); }); }); it('should throw if authorization header is malformed', function() { req.headers = {}; req.headers.authorization = 'wrong'; expressjwt({secret: 'shhhh'})(req, res, function(err) { assert.ok(err); assert.equal(err.code, 'credentials_bad_format'); }); }); it('should throw if authorization header is not well-formatted jwt', function() { req.headers = {}; req.headers.authorization = 'Bearer wrongjwt'; expressjwt({secret: 'shhhh'})(req, res, function(err) { assert.ok(err); assert.equal(err.code, 'invalid_token'); }); }); it('should throw if authorization header is not valid jwt', function() { var secret = 'shhhhhh'; var token = jwt.sign({foo: 'bar'}, secret); req.headers = {}; req.headers.authorization = 'Bearer ' + token; expressjwt({secret: 'different-shhhh'})(req, res, function(err) { assert.ok(err); assert.equal(err.code, 'invalid_token'); assert.equal(err.message, 'invalid signature'); }); }); it('should throw if audience is not expected', function() { var secret = 'shhhhhh'; var token = jwt.sign({foo: 'bar', aud: 'expected-audience'}, secret); req.headers = {}; req.headers.authorization = 'Bearer ' + token; expressjwt({secret: 'shhhhhh', audience: 'not-expected-audience'})(req, res, function(err) { assert.ok(err); assert.equal(err.code, 'invalid_token'); assert.equal(err.message, 'jwt audience invalid. expected: expected-audience'); }); }); it('should throw if token is expired', function() { var secret = 'shhhhhh'; var token = jwt.sign({foo: 'bar', exp: 1382412921 }, secret); req.headers = {}; req.headers.authorization = 'Bearer ' + token; expressjwt({secret: 'shhhhhh'})(req, res, function(err) { assert.ok(err); assert.equal(err.code, 'invalid_token'); assert.equal(err.message, 'jwt expired'); }); }); it('should throw if token issuer is wrong', function() { var secret = 'shhhhhh'; var token = jwt.sign({foo: 'bar', iss: 'http://foo' }, secret); req.headers = {}; req.headers.authorization = 'Bearer ' + token; expressjwt({secret: 'shhhhhh', issuer: 'http://wrong'})(req, res, function(err) { assert.ok(err); assert.equal(err.code, 'invalid_token'); assert.equal(err.message, 'jwt issuer invalid. expected: http://foo'); }); }); }); describe('work tests', function () { var req = {}; var res = {}; it('should work if authorization header is valid jwt', function() { var secret = 'shhhhhh'; var token = jwt.sign({foo: 'bar'}, secret); req.headers = {}; req.headers.authorization = 'Bearer ' + token; expressjwt({secret: secret})(req, res, function() { assert.equal('bar', req.user.foo); }); }); it('should set userProperty if option provided', function() { var secret = 'shhhhhh'; var token = jwt.sign({foo: 'bar'}, secret); req.headers = {}; req.headers.authorization = 'Bearer ' + token; expressjwt({secret: secret, userProperty: 'auth'})(req, res, function() { assert.equal('bar', req.auth.foo); }); }); it('should work if no authorization header and credentials are not required', function() { req = {}; expressjwt({secret: 'shhhh', credentialsRequired: false})(req, res, function(err) { assert(typeof err === 'undefined'); }); }); });