socketio-jwt/test/authorizer.test.js

const Q = require('q');
const fixture = require('./fixture');
const request = require('request');
const io = require('socket.io-client');

describe('authorizer', function() {
  //start and stop the server
  before(function(done) { fixture.start({ }, done) });
  after(fixture.stop);

  describe('when the user is not logged in', function () {
    it('should emit error with unauthorized handshake', function (done) {
      const socket = io.connect('http://localhost:9000?token=boooooo', {
        forceNew: true
      });

      socket.on('error', function(err) {
        err.message.should.eql("jwt malformed");
        err.code.should.eql("invalid_token");
        socket.close();
        done();
      });
    });
  });

  describe('when the user is logged in', function() {
    before(function (done) {
      request.post({
        url: 'http://localhost:9000/login',
        form: { username: 'jose', password: 'Pa123' },
        json: true
      }, function (err, resp, body) {
        this.token = body.token;
        done();
      }.bind(this));
    });

    describe('authorizer disallows query string token when specified in startup options', function() {
      before(function(done) {
        Q.ninvoke(fixture, 'stop')
          .then(function() { return Q.ninvoke(fixture, 'start', { auth_header_required: true })})
          .done(done);
      });

      after(function(done) {
        Q.ninvoke(fixture, 'stop')
          .then(function() { return Q.ninvoke(fixture, 'start', { })})
          .done(done);
      });

      it('auth headers are supported', function (done) {
        const socket = io.connect('http://localhost:9000', {
          forceNew: true,
          extraHeaders: { Authorization: 'Bearer ' + this.token}
        });

        socket
          .on('connect', function() {
            socket.close();
            done();
          })
          .on('error', done);
      });

      it('auth token in query string is disallowed', function (done) {
        const socket = io.connect('http://localhost:9000', {
          forceNew: true,
          query: 'token=' + this.token
        });

        socket.on('error', function(err) {
          err.message.should.eql("Server requires Authorization Header");
          err.code.should.eql("missing_authorization_header");
          socket.close();
          done();
        });
      });
    })

    describe('authorizer all auth types allowed', function() {
      before(function(done) {
        Q.ninvoke(fixture, 'stop')
          .then(function() { return Q.ninvoke(fixture, 'start', {})})
          .done(done);
      })

      it('auth headers are supported', function (done) {
        const socket = io.connect('http://localhost:9000', {
          forceNew: true,
          extraHeaders: { Authorization: 'Bearer ' + this.token }
        });

        socket
          .on('connect', function() {
            socket.close();
            done();
          })
          .on('error', done);
      });

      it('should do the handshake and connect', function (done) {
        const socket = io.connect('http://localhost:9000', {
          forceNew: true,
          query: 'token=' + this.token
        });

        socket
          .on('connect', function() {
            socket.close();
            done();
          })
          .on('error', done);
      });

    });
  });

  describe('unsigned token', function() {
    beforeEach(function () {
      this.token = 'eyJhbGciOiJub25lIiwiY3R5IjoiSldUIn0.eyJuYW1lIjoiSm9obiBGb28ifQ.';
    });

    it('should not do the handshake and connect', function (done) {
      const socket = io.connect('http://localhost:9000', {
        forceNew: true,
        query: 'token=' + this.token
      });

      socket
        .on('connect', function () {
          socket.close();
          done(new Error('this shouldnt happen'));
        })
        .on('error', function (err) {
          socket.close();
          err.message.should.eql("jwt signature is required");
          done();
        });
    });
  });
});
Fixed auth.required Misc: - Resolved conflicts - Added test case, to fail if server grants prohibited admin access - Simplified test logic - Prevented usage of "var" (used const / let instead) - Formatting - Cleanup - Typos 2019-10-13 15:52:14 +02:00			`const Q = require('q');`
			`const fixture = require('./fixture');`
			`const request = require('request');`
			`const io = require('socket.io-client');`
add basic integration tests 2012-11-16 16:43:12 +01:00
changed tests to Node 0.10 style - DK/MW 2016-10-20 18:48:52 +02:00			`describe('authorizer', function() {`
added ability to enforce only header authorization versus query string authorization - DK/MW 2016-10-20 18:13:23 +02:00			`//start and stop the server`
changed tests to Node 0.10 style - DK/MW 2016-10-20 18:48:52 +02:00			`before(function(done) { fixture.start({ }, done) });`
added ability to enforce only header authorization versus query string authorization - DK/MW 2016-10-20 18:13:23 +02:00			`after(fixture.stop);`
add basic integration tests 2012-11-16 16:43:12 +01:00
added ability to enforce only header authorization versus query string authorization - DK/MW 2016-10-20 18:13:23 +02:00			`describe('when the user is not logged in', function () {`
Fixed auth.required Misc: - Resolved conflicts - Added test case, to fail if server grants prohibited admin access - Simplified test logic - Prevented usage of "var" (used const / let instead) - Formatting - Cleanup - Typos 2019-10-13 15:52:14 +02:00			`it('should emit error with unauthorized handshake', function (done) {`
			`const socket = io.connect('http://localhost:9000?token=boooooo', {`
			`forceNew: true`
added ability to enforce only header authorization versus query string authorization - DK/MW 2016-10-20 18:13:23 +02:00			`});`

Fixed auth.required Misc: - Resolved conflicts - Added test case, to fail if server grants prohibited admin access - Simplified test logic - Prevented usage of "var" (used const / let instead) - Formatting - Cleanup - Typos 2019-10-13 15:52:14 +02:00			`socket.on('error', function(err) {`
added ability to enforce only header authorization versus query string authorization - DK/MW 2016-10-20 18:13:23 +02:00			`err.message.should.eql("jwt malformed");`
			`err.code.should.eql("invalid_token");`
			`socket.close();`
			`done();`
			`});`
			`});`
			`});`
initial commit after fork of passport-socketio 2014-01-13 20:00:21 +01:00
added ability to enforce only header authorization versus query string authorization - DK/MW 2016-10-20 18:13:23 +02:00			`describe('when the user is logged in', function() {`
			`before(function (done) {`
			`request.post({`
			`url: 'http://localhost:9000/login',`
			`form: { username: 'jose', password: 'Pa123' },`
			`json: true`
			`}, function (err, resp, body) {`
			`this.token = body.token;`
			`done();`
			`}.bind(this));`
add basic integration tests 2012-11-16 16:43:12 +01:00			`});`

changed tests to Node 0.10 style - DK/MW 2016-10-20 18:48:52 +02:00			`describe('authorizer disallows query string token when specified in startup options', function() {`
			`before(function(done) {`
added ability to enforce only header authorization versus query string authorization - DK/MW 2016-10-20 18:13:23 +02:00			`Q.ninvoke(fixture, 'stop')`
changed tests to Node 0.10 style - DK/MW 2016-10-20 18:48:52 +02:00			`.then(function() { return Q.ninvoke(fixture, 'start', { auth_header_required: true })})`
added ability to enforce only header authorization versus query string authorization - DK/MW 2016-10-20 18:13:23 +02:00			`.done(done);`
initial commit after fork of passport-socketio 2014-01-13 20:00:21 +01:00			`});`
Fixed auth.required Misc: - Resolved conflicts - Added test case, to fail if server grants prohibited admin access - Simplified test logic - Prevented usage of "var" (used const / let instead) - Formatting - Cleanup - Typos 2019-10-13 15:52:14 +02:00
changed tests to Node 0.10 style - DK/MW 2016-10-20 18:48:52 +02:00			`after(function(done) {`
added ability to enforce only header authorization versus query string authorization - DK/MW 2016-10-20 18:13:23 +02:00			`Q.ninvoke(fixture, 'stop')`
changed tests to Node 0.10 style - DK/MW 2016-10-20 18:48:52 +02:00			`.then(function() { return Q.ninvoke(fixture, 'start', { })})`
added ability to enforce only header authorization versus query string authorization - DK/MW 2016-10-20 18:13:23 +02:00			`.done(done);`
Fixed auth.required Misc: - Resolved conflicts - Added test case, to fail if server grants prohibited admin access - Simplified test logic - Prevented usage of "var" (used const / let instead) - Formatting - Cleanup - Typos 2019-10-13 15:52:14 +02:00			`});`
add basic integration tests 2012-11-16 16:43:12 +01:00
Fixed auth.required Misc: - Resolved conflicts - Added test case, to fail if server grants prohibited admin access - Simplified test logic - Prevented usage of "var" (used const / let instead) - Formatting - Cleanup - Typos 2019-10-13 15:52:14 +02:00			`it('auth headers are supported', function (done) {`
			`const socket = io.connect('http://localhost:9000', {`
			`forceNew: true,`
			`extraHeaders: { Authorization: 'Bearer ' + this.token}`
going to be adding new options but want it within the same general authorizer test suite - DK/MW 2016-10-20 17:38:43 +02:00			`});`
Fixed auth.required Misc: - Resolved conflicts - Added test case, to fail if server grants prohibited admin access - Simplified test logic - Prevented usage of "var" (used const / let instead) - Formatting - Cleanup - Typos 2019-10-13 15:52:14 +02:00
			`socket`
			`.on('connect', function() {`
			`socket.close();`
			`done();`
			`})`
			`.on('error', done);`
added ability to enforce only header authorization versus query string authorization - DK/MW 2016-10-20 18:13:23 +02:00			`});`
going to be adding new options but want it within the same general authorizer test suite - DK/MW 2016-10-20 17:38:43 +02:00
Fixed auth.required Misc: - Resolved conflicts - Added test case, to fail if server grants prohibited admin access - Simplified test logic - Prevented usage of "var" (used const / let instead) - Formatting - Cleanup - Typos 2019-10-13 15:52:14 +02:00			`it('auth token in query string is disallowed', function (done) {`
			`const socket = io.connect('http://localhost:9000', {`
			`forceNew: true,`
			`query: 'token=' + this.token`
added ability to enforce only header authorization versus query string authorization - DK/MW 2016-10-20 18:13:23 +02:00			`});`
Fixed auth.required Misc: - Resolved conflicts - Added test case, to fail if server grants prohibited admin access - Simplified test logic - Prevented usage of "var" (used const / let instead) - Formatting - Cleanup - Typos 2019-10-13 15:52:14 +02:00
			`socket.on('error', function(err) {`
added ability to enforce only header authorization versus query string authorization - DK/MW 2016-10-20 18:13:23 +02:00			`err.message.should.eql("Server requires Authorization Header");`
			`err.code.should.eql("missing_authorization_header");`
going to be adding new options but want it within the same general authorizer test suite - DK/MW 2016-10-20 17:38:43 +02:00			`socket.close();`
			`done();`
			`});`
			`});`
added ability to enforce only header authorization versus query string authorization - DK/MW 2016-10-20 18:13:23 +02:00			`})`
add basic integration tests 2012-11-16 16:43:12 +01:00
changed tests to Node 0.10 style - DK/MW 2016-10-20 18:48:52 +02:00			`describe('authorizer all auth types allowed', function() {`
			`before(function(done) {`
added ability to enforce only header authorization versus query string authorization - DK/MW 2016-10-20 18:13:23 +02:00			`Q.ninvoke(fixture, 'stop')`
changed tests to Node 0.10 style - DK/MW 2016-10-20 18:48:52 +02:00			`.then(function() { return Q.ninvoke(fixture, 'start', {})})`
added ability to enforce only header authorization versus query string authorization - DK/MW 2016-10-20 18:13:23 +02:00			`.done(done);`
			`})`
testing lines of code that are not documented...and documenting them - DK/MW 2016-10-20 17:22:11 +02:00
Fixed auth.required Misc: - Resolved conflicts - Added test case, to fail if server grants prohibited admin access - Simplified test logic - Prevented usage of "var" (used const / let instead) - Formatting - Cleanup - Typos 2019-10-13 15:52:14 +02:00			`it('auth headers are supported', function (done) {`
			`const socket = io.connect('http://localhost:9000', {`
			`forceNew: true,`
			`extraHeaders: { Authorization: 'Bearer ' + this.token }`
going to be adding new options but want it within the same general authorizer test suite - DK/MW 2016-10-20 17:38:43 +02:00			`});`
Fixed auth.required Misc: - Resolved conflicts - Added test case, to fail if server grants prohibited admin access - Simplified test logic - Prevented usage of "var" (used const / let instead) - Formatting - Cleanup - Typos 2019-10-13 15:52:14 +02:00
			`socket`
			`.on('connect', function() {`
			`socket.close();`
			`done();`
			`})`
			`.on('error', done);`
initial commit after fork of passport-socketio 2014-01-13 20:00:21 +01:00			`});`

Fixed auth.required Misc: - Resolved conflicts - Added test case, to fail if server grants prohibited admin access - Simplified test logic - Prevented usage of "var" (used const / let instead) - Formatting - Cleanup - Typos 2019-10-13 15:52:14 +02:00			`it('should do the handshake and connect', function (done) {`
			`const socket = io.connect('http://localhost:9000', {`
			`forceNew: true,`
			`query: 'token=' + this.token`
going to be adding new options but want it within the same general authorizer test suite - DK/MW 2016-10-20 17:38:43 +02:00			`});`
Fixed auth.required Misc: - Resolved conflicts - Added test case, to fail if server grants prohibited admin access - Simplified test logic - Prevented usage of "var" (used const / let instead) - Formatting - Cleanup - Typos 2019-10-13 15:52:14 +02:00
			`socket`
			`.on('connect', function() {`
			`socket.close();`
			`done();`
			`})`
			`.on('error', done);`
going to be adding new options but want it within the same general authorizer test suite - DK/MW 2016-10-20 17:38:43 +02:00			`});`
Fixed auth.required Misc: - Resolved conflicts - Added test case, to fail if server grants prohibited admin access - Simplified test logic - Prevented usage of "var" (used const / let instead) - Formatting - Cleanup - Typos 2019-10-13 15:52:14 +02:00
update jsonwebtoken module to fix security issue 2014-07-17 01:29:39 +02:00			`});`
added ability to enforce only header authorization versus query string authorization - DK/MW 2016-10-20 18:13:23 +02:00			`});`
update jsonwebtoken module to fix security issue 2014-07-17 01:29:39 +02:00
Fixed auth.required Misc: - Resolved conflicts - Added test case, to fail if server grants prohibited admin access - Simplified test logic - Prevented usage of "var" (used const / let instead) - Formatting - Cleanup - Typos 2019-10-13 15:52:14 +02:00			`describe('unsigned token', function() {`
added ability to enforce only header authorization versus query string authorization - DK/MW 2016-10-20 18:13:23 +02:00			`beforeEach(function () {`
			`this.token = 'eyJhbGciOiJub25lIiwiY3R5IjoiSldUIn0.eyJuYW1lIjoiSm9obiBGb28ifQ.';`
			`});`
going to be adding new options but want it within the same general authorizer test suite - DK/MW 2016-10-20 17:38:43 +02:00
Fixed auth.required Misc: - Resolved conflicts - Added test case, to fail if server grants prohibited admin access - Simplified test logic - Prevented usage of "var" (used const / let instead) - Formatting - Cleanup - Typos 2019-10-13 15:52:14 +02:00			`it('should not do the handshake and connect', function (done) {`
			`const socket = io.connect('http://localhost:9000', {`
			`forceNew: true,`
			`query: 'token=' + this.token`
update jsonwebtoken module to fix security issue 2014-07-17 01:29:39 +02:00			`});`
Fixed auth.required Misc: - Resolved conflicts - Added test case, to fail if server grants prohibited admin access - Simplified test logic - Prevented usage of "var" (used const / let instead) - Formatting - Cleanup - Typos 2019-10-13 15:52:14 +02:00
			`socket`
			`.on('connect', function () {`
			`socket.close();`
			`done(new Error('this shouldnt happen'));`
			`})`
			`.on('error', function (err) {`
			`socket.close();`
			`err.message.should.eql("jwt signature is required");`
			`done();`
			`});`
update jsonwebtoken module to fix security issue 2014-07-17 01:29:39 +02:00			`});`
going to be adding new options but want it within the same general authorizer test suite - DK/MW 2016-10-20 17:38:43 +02:00			`});`
test fixes 2014-07-17 03:14:07 +02:00			`});`