UNPKG

hapi-auth-jwt2

Version:

Hapi.js Authentication Plugin/Scheme using JSON Web Tokens (JWT)

github.com/dwyl/hapi-auth-jwt2

dwyl/hapi-auth-jwt2

92 lines (83 loc) 3.2 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
const test = require('tape'); const JWT = require('jsonwebtoken'); const secret = 'NeverShareYourSecret'; const server = require('./payload_auth_server.cjs'); test("Attempt to access restricted content using inVALID Payload Token", async function(t) { const token = JWT.sign({ id: 123, "name": "Charlie" }, 'badsecret'); const options = { method: "POST", url: "/privado", payload: { token: token }, }; // console.log(options); const response = await server.inject(options); t.equal(response.statusCode, 401, "Invalid token should error!"); t.end(); }); test("Attempt to access restricted content with VALID Token but malformed Payload", async function(t) { const token = JWT.sign({ id: 123, "name": "Charlie" }, secret); const options = { method: "POST", url: "/privado", payload: { notTheRightTokenKey: token }, }; // server.inject lets us simulate an http request const response = await server.inject(options); t.equal(response.statusCode, 401, "Valid Token but inVALID PAYLOAD should fail!"); t.end(); }); test("Access restricted content with VALID Token Payload", async function(t) { const token = JWT.sign({ id: 123, "name": "Charlie" }, secret); const options = { method: "POST", url: "/privado", payload: { token: token }, }; // server.inject lets us simulate an http request const response = await server.inject(options); t.equal(response.statusCode, 200, "VALID PAYLOAD Token should succeed!"); t.end(); }); /** Regressions Tests for https://github.com/dwyl/hapi-auth-jwt2/issues/65 **/ // supply valid Token Auth Header but invalid Payload // should succeed because Auth Header is first test("Authorization Header should take precedence over any payload", async function(t) { const token = JWT.sign({ id: 123, "name": "Charlie" }, secret); const options = { method: "POST", url: "/privado", headers: { authorization: "Bearer " + token }, payload: { token: "malformed.token" }, }; const response = await server.inject(options); // console.log(' - - - - - - - - - - - - - - - response:') // console.log(response); t.equal(response.statusCode, 200, "Ignores payload when Auth Header is set"); t.end(); }); test("Attempt to access restricted content with payloadKey=false", async function(t) { const token = JWT.sign({ id: 123, "name": "Charlie" }, secret); const options = { method: "POST", url: "/privadonopayload", payload: { token: token }, }; // server.inject lets us simulate an http request const response = await server.inject(options); t.equal(response.statusCode, 401, "Disabled payload auth shouldn't accept valid token!"); t.end(); }); test("Attempt to access restricted content with payloadKey=''", async function(t) { const token = JWT.sign({ id: 123, "name": "Charlie" }, secret); const options = { method: "POST", url: "/privadonopayload2", payload: { token: token }, }; // server.inject lets us simulate an http request const response = await server.inject(options); t.equal(response.statusCode, 401, "Disabled payload auth shouldn't accept valid token!"); t.end(); });