hapi-auth-jwt2 - npm Package Compare versions

Comparing version 10.1.0 to 10.2.0

example/server.js

@@ -37,3 +37,3 @@ const Hapi        = require('@hapi/hapi');
 const init = async() => {
-  const server = new Hapi.Server({ port: port });
+  const server = new Hapi.server({ port: port });
   await server.register(hapiAuthJWT);
@@ -40,0 +40,0 @@ // see: http://hapijs.com/api#serverauthschemename-scheme

example/simple_server.js

@@ -23,4 +23,4 @@ const Hapi = require('@hapi/hapi');
 const init = async () => {
-  const server = new Hapi.Server({ port: 8000 });
-  // include our module here ↓↓
+  const server = new Hapi.server({ port: 8000 });
+  // include our module here ↓↓, for example, require('hapi-auth-jwt2')
   await server.register(require('../lib'));
@@ -27,0 +27,0 @@ server.auth.strategy('jwt', 'jwt',

lib/index.js

@@ -131,2 +131,10 @@ 'use strict';
   } catch (e) {
+    // fix for https://github.com/dwyl/hapi-auth-jwt2/issues/328 -
+    // JWT.decode() can fail either by throwing an exception or by
+    // returning null, so here we just fall through to the following
+    // block that tests if decoded is not set, so that we can handle
+    // both failure types at once
+  }
+
+  if (!decoded) {
     return {
@@ -230,2 +238,7 @@ error: internals.raiseError(
   try {
+    // note: at this point, we know options.verify must be non-null,
+    // because options.validate or options.verify are required to have
+    // been provided, and if options.validate were non-null, then we
+    // would have hit the above block and already returned out of this
+    // function
     let { isValid, credentials } = await options.verify(decoded, request);
@@ -232,0 +245,0 @@ if (!isValid) {

package.json

 {
   "name": "hapi-auth-jwt2",
-  "version": "10.1.0",
+  "version": "10.2.0",
   "description": "Hapi.js Authentication Plugin/Scheme using JSON Web Tokens (JWT)",
@@ -5,0 +5,0 @@ "main": "lib/index.js",

README.md

@@ -71,4 +71,4 @@ # Hapi Auth using JSON Web Tokens (JWT)
 const init = async () => {
-  const server = new Hapi.Server({ port: 8000 });
-  // include our module here ↓↓
+  const server = new Hapi.server({ port: 8000 });
+  // include our module here ↓↓, for example, require('hapi-auth-jwt2')
   await server.register(require('../lib'));
@@ -75,0 +75,0 @@ server.auth.strategy('jwt', 'jwt',

test/basic_server.js

@@ -5,3 +5,3 @@ const Hapi   = require('@hapi/hapi');
 // for debug options see: http://hapijs.com/tutorials/logging
-const server = new Hapi.Server({ debug: false });
+const server = new Hapi.server({ debug: false });
 
@@ -8,0 +8,0 @@ const db = {

test/basic.test.js

@@ -44,3 +44,7 @@ const test   = require('tape');
   t.equal(response.statusCode, 401, "INVALID Token should fail");
-  // t.equal(JSON.parse(response.result).msg, 'Invalid Token', "INVALID Token should fail");
+
+  // assert on the response message, so we can ensure this case fails
+  // early (after decode()) with "Invalid token format" instead of too
+  // late (after verify) with "Invalid token"
+  t.equal(response.result.message, 'Invalid token format', 'Message should be "Invalid token format"');
   t.end();
@@ -47,0 +51,0 @@ });

test/complete_token.test.js

@@ -8,3 +8,3 @@ const test   = require('tape');
 
-const server = new Hapi.Server();
+const server = new Hapi.server();
 // server.connection();
@@ -11,0 +11,0 @@

test/custom_extraction_auth_server.js

@@ -5,3 +5,3 @@ const Hapi   = require('@hapi/hapi');
 // for debug options see: http://hapijs.com/tutorials/logging
-const server = new Hapi.Server({ debug: false });
+const server = new Hapi.server({ debug: false });
 
@@ -8,0 +8,0 @@ const db = {

test/custom_parameters_server.js

@@ -5,3 +5,3 @@ const Hapi   = require('@hapi/hapi');
 // for debug options see: http://hapijs.com/tutorials/logging
-const server = new Hapi.Server({ debug: false });
+const server = new Hapi.server({ debug: false });
 
@@ -8,0 +8,0 @@ const db = {

test/dynamic_header_key.test.js

@@ -10,3 +10,3 @@ const test   = require('tape');
 
-  const server = new Hapi.Server();
+  const server = new Hapi.server();
   try {
@@ -13,0 +13,0 @@ await server.register(require('../'));

test/dynamic_key_server.js

@@ -5,3 +5,3 @@ const Hapi = require('@hapi/hapi');
 // for debug options see: http://hapijs.com/tutorials/logging
-const server = new Hapi.Server({ debug: false });
+const server = new Hapi.server({ debug: false });
 
@@ -8,0 +8,0 @@ const multiTenantSecretKeys = {

test/error_func_server.js

@@ -8,3 +8,3 @@ const Hapi   = require('@hapi/hapi');
 debug = { debug: false };
-const server = new Hapi.Server(debug);
+const server = new Hapi.server(debug);
 
@@ -11,0 +11,0 @@ const sendToken = function(req, reply) {

test/multi_auth_server.js

@@ -5,3 +5,3 @@ const Hapi = require('@hapi/hapi');
 // for debug options see: http://hapijs.com/tutorials/logging
-const server = new Hapi.Server({ debug: false });
+const server = new Hapi.server({ debug: false });
 
@@ -8,0 +8,0 @@ const db = {

test/multiple_key_server.js

@@ -5,3 +5,3 @@ const Hapi = require('@hapi/hapi');
 // for debug options see: http://hapijs.com/tutorials/logging
-const server = new Hapi.Server({ debug: false });
+const server = new Hapi.server({ debug: false });
 
@@ -8,0 +8,0 @@ const multiTenantSecretKeys = {

test/options_payload_validation.js

@@ -42,3 +42,3 @@ var test = require('tape');
 
-var server = new Hapi.Server();
+var server = new Hapi.server();
 server.connection();
@@ -45,0 +45,0 @@

test/payload_auth_server.js

@@ -5,3 +5,3 @@ const Hapi   = require('@hapi/hapi');
 // for debug options see: http://hapijs.com/tutorials/logging
-const server = new Hapi.Server({ debug: false });
+const server = new Hapi.server({ debug: false });
 
@@ -8,0 +8,0 @@ const db = {

test/scheme-payload-server.js

@@ -6,3 +6,3 @@ const Hapi = require('@hapi/hapi');
 // for debug options see: http://hapijs.com/tutorials/logging
-const server = new Hapi.Server({ debug: false });
+const server = new Hapi.server({ debug: false });
 
@@ -9,0 +9,0 @@ // payload is not available to validate, so payloadFunc offers a chance use it for validation

test/scheme-response-server.js

@@ -5,3 +5,3 @@ const Hapi   = require('@hapi/hapi');
 // for debug options see: http://hapijs.com/tutorials/logging
-const server = new Hapi.Server({ debug: false });
+const server = new Hapi.server({ debug: false });
 
@@ -8,0 +8,0 @@ const db = {

test/scopes_server.js

@@ -5,3 +5,3 @@ const Hapi   = require('@hapi/hapi');
 // for debug options see: http://hapijs.com/tutorials/logging
-const server = new Hapi.Server({ debug: false });
+const server = new Hapi.server({ debug: false });
 
@@ -8,0 +8,0 @@ const db = {

test/try_and_optional_auth_mode.test.js

@@ -9,3 +9,3 @@ const test   = require('tape');
 
-  const server = new Hapi.Server({ debug: {"request": ["error", "uncaught"]} });
+  const server = new Hapi.server({ debug: {"request": ["error", "uncaught"]} });
   
@@ -54,3 +54,3 @@ try {
 
-  const server = new Hapi.Server();
+  const server = new Hapi.server();
 
@@ -57,0 +57,0 @@ try{

test/validate_func.test.js

@@ -8,3 +8,3 @@ const test   = require('tape');
 
-  const server = new Hapi.Server({ debug: false });
+  const server = new Hapi.server({ debug: false });
   try {
@@ -11,0 +11,0 @@ await server.register(require('../'));

test/verify_func_server.js

@@ -8,3 +8,3 @@ const Hapi   = require('@hapi/hapi');
 debug = { debug: false };
-const server = new Hapi.Server(debug);
+const server = new Hapi.server(debug);
 
@@ -11,0 +11,0 @@ const sendToken = function(req, h) {

test/verify_func.test.js

@@ -18,2 +18,23 @@ const test   = require('tape');
 
+test("customVerify malformed JWT", async function(t) {
+  // this test verifies the fix for
+  // https://github.com/dwyl/hapi-auth-jwt2/issues/328
+
+  const options = {
+    method: "GET",
+    url: "/required",
+    headers: { authorization: "Bearer my.invalid.token" }
+  };
+  // server.inject lets us simulate an http request
+  const response = await server.inject(options);
+  // console.log(response.result);
+  t.equal(response.statusCode, 401, "INVALID Token should fail");
+
+  // assert on the response message, so we can ensure this case fails
+  // early (after decode()) with "Invalid token format" before it ever
+  // even attempts to call our customVerify function
+  t.equal(response.result.message, 'Invalid token format', "INVALID Token should fail");
+  t.end();
+});
+
 test("customVerify simulate error condition", async function(t) {
@@ -44,2 +65,3 @@ const payload = { id: 123, "name": "Charlie", error: true }
     t.equal(response.statusCode, 401, "GET /required with customVerify rejected");
+    t.equal(response.result.message, 'Invalid credentials', "GET /required with customVerify rejected");
     t.end();
@@ -46,0 +68,0 @@ });

No alert changes

Improved metrics

Total package byte prevSize

170943

increased by1.05%

Lines of code

3453

increased by0.99%

No dependency changes