const test = require('tape');
const JWT = require('jsonwebtoken');
const secret = 'NeverShareYourSecret';
const server = require('./basic_server.cjs');
// Baseline deny: a request to the protected route that carries no
// credentials at all must be answered with 401 and never reach the handler.
test("Attempt to access restricted content (without auth token)", async (t) => {
  // server.inject runs the full hapi request lifecycle in-process (no sockets)
  const response = await server.inject({
    method: "POST",
    url: "/privado",
  });
  t.equal(response.statusCode, 401, "No Token supplied > fails (as expected)");
  t.end();
});
// A query-string token that is not even a parseable JWT must be refused with
// 401; the scheme should fail closed rather than throw or fall through.
test("Attempt to access restricted content (with an INVALID URL Token)", async (t) => {
  const query = "?token=my.invalid.token";
  // server.inject runs the full hapi request lifecycle in-process (no sockets)
  const response = await server.inject({
    method: "POST",
    url: `/privado${query}`,
  });
  t.equal(response.statusCode, 401, "INVALID Token should fail");
  t.end();
});
// Signature check: a structurally valid JWT signed with a key other than the
// server's secret must be rejected. This is the control that stops forged
// tokens, so it is asserted independently of the payload/validate step.
test("Try using an incorrect secret to sign the JWT", async (t) => {
  const forged = JWT.sign({ id: 123, name: "Charlie" }, 'incorrectSecret');
  // the token travels in the query string (?token=...), not in a header
  const response = await server.inject({
    method: "POST",
    url: `/privado?token=${forged}`,
  });
  t.equal(response.statusCode, 401, "URL Token signed with incorrect key fails");
  t.end();
});
// Authorization after authentication: the signature is genuine, but the
// app-level validate step is expected to reject this user (id 321), so the
// route must still answer 401. NOTE(review): the allow/deny decision lives in
// basic_server.cjs, which is not visible here — confirm id 321 is the denied fixture.
test("URL Token is well formed but is allowed=false so should be denied", async (t) => {
  const deniedUser = JWT.sign({ id: 321, name: "Old Gregg" }, secret);
  // the token travels in the query string (?token=...), not in a header
  const response = await server.inject({
    method: "POST",
    url: `/privado?token=${deniedUser}`,
  });
  t.equal(response.statusCode, 401, "User is Denied");
  t.end();
});
// Happy path: a token signed with the server's secret for a user the validate
// step accepts reaches the handler and gets 200. The token is signed without
// an expiry, which is fine for a fixture but not representative of production use.
test("Access restricted content (with VALID Token)", async (t) => {
  const genuine = JWT.sign({ id: 123, name: "Charlie" }, secret);
  // the token travels in the query string (?token=...), not in a header
  const response = await server.inject({
    method: "POST",
    url: `/privado?token=${genuine}`,
  });
  t.equal(response.statusCode, 200, "VALID Token should succeed!");
  t.end();
});
// Routes that do not opt in to query-string tokens (urlKey=false) must ignore
// a ?token=... parameter even when the token itself is valid. Tokens in URLs
// end up in access logs, proxy logs, Referer headers and browser history, so
// the default-deny behaviour is the safe one.
test("Using route with urlKey=false should be denied", async (t) => {
  const genuine = JWT.sign({ id: 123, name: "Charlie" }, secret);
  // server.inject runs the full hapi request lifecycle in-process (no sockets)
  const response = await server.inject({
    method: "POST",
    url: `/privadonourl?token=${genuine}`,
  });
  t.equal(response.statusCode, 401, "No urlKey configured so URL-Tokens should be denied");
  t.end();
});
// Edge case of the opt-out: with urlKey='' the query parameter name is empty,
// and a request of the form "?=<token>" must not be treated as a credential.
test("Using route with urlKey='' should be denied", async (t) => {
  const genuine = JWT.sign({ id: 123, name: "Charlie" }, secret);
  // deliberately send the token under an empty query key ("?=...")
  const response = await server.inject({
    method: "POST",
    url: `/privadonourl2?=${genuine}`,
  });
  t.equal(response.statusCode, 401, "No urlKey configured so URL-Tokens should be denied");
  t.end();
});