socketio-jwt/test/authorizer.test.js

const Q = require('q');
const fixture = require('./fixture');
const request = require('request');
const io = require('socket.io-client');

describe('authorizer', () => {
  //start and stop the server
  before((done) => { fixture.start({ }, done) });
  after(fixture.stop);

  describe('when the user is not logged in', () => {
    it('should emit error with unauthorized handshake', (done) => {
      const socket = io.connect('http://localhost:9000?token=boooooo', {
        forceNew: true
      });

      socket.on('error', (err) => {
        err.message.should.eql('jwt malformed');
        err.code.should.eql('invalid_token');
        socket.close();
        done();
      });
    });
  });

  describe('when the user is logged in', () => {
    before((done) => {
      request.post({
        url: 'http://localhost:9000/login',
        form: { username: 'jose', password: 'Pa123' },
        json: true
      }, (err, resp, body) => {
        this.token = body.token;
        done();
      });
    });

    describe('authorizer disallows query string token when specified in startup options', () => {
      before((done) => {
        Q.ninvoke(fixture, 'stop')
          .then(() => Q.ninvoke(fixture, 'start', { auth_header_required: true }))
          .done(done);
      });

      after((done) => {
        Q.ninvoke(fixture, 'stop')
          .then(() => Q.ninvoke(fixture, 'start', { }))
          .done(done);
      });

      it('auth headers are supported', (done) => {
        const socket = io.connect('http://localhost:9000', {
          forceNew: true,
          extraHeaders: { Authorization: 'Bearer ' + this.token}
        });

        socket
          .on('connect', () => {
            socket.close();
            done();
          })
          .on('error', done);
      });

      it('auth token in query string is disallowed', (done) => {
        const socket = io.connect('http://localhost:9000', {
          forceNew: true,
          query: 'token=' + this.token
        });

        socket.on('error', (err) => {
          err.message.should.eql('Server requires Authorization Header');
          err.code.should.eql('missing_authorization_header');
          socket.close();
          done();
        });
      });
    })

    describe('authorizer all auth types allowed', () => {
      before((done) => {
        Q.ninvoke(fixture, 'stop')
          .then(() => Q.ninvoke(fixture, 'start', {}))
          .done(done);
      })

      it('auth headers are supported', (done) => {
        const socket = io.connect('http://localhost:9000', {
          forceNew: true,
          extraHeaders: { Authorization: 'Bearer ' + this.token }
        });

        socket
          .on('connect', () => {
            socket.close();
            done();
          })
          .on('error', done);
      });

      it('should do the handshake and connect', (done) => {
        const socket = io.connect('http://localhost:9000', {
          forceNew: true,
          query: 'token=' + this.token
        });

        socket
          .on('connect', () => {
            socket.close();
            done();
          })
          .on('error', done);
      });

    });
  });

  describe('unsigned token', () => {
    beforeEach(() => {
      this.token = 'eyJhbGciOiJub25lIiwiY3R5IjoiSldUIn0.eyJuYW1lIjoiSm9obiBGb28ifQ.';
    });

    it('should not do the handshake and connect', (done) => {
      const socket = io.connect('http://localhost:9000', {
        forceNew: true,
        query: 'token=' + this.token
      });

      socket
        .on('connect', () => {
          socket.close();
          done(new Error('this shouldnt happen'));
        })
        .on('error', (err) => {
          socket.close();
          err.message.should.eql('jwt signature is required');
          done();
        });
    });
  });
});
Fixed auth.required Misc: - Resolved conflicts - Added test case, to fail if server grants prohibited admin access - Simplified test logic - Prevented usage of "var" (used const / let instead) - Formatting - Cleanup - Typos 2019-10-13 15:52:14 +02:00			`const Q = require('q');`
			`const fixture = require('./fixture');`
			`const request = require('request');`
			`const io = require('socket.io-client');`
add basic integration tests 2012-11-16 16:43:12 +01:00
Fixed travis - Tests against Node 4, 8, 10, 12 and newest Modernized: - Use arrow functions - Use string templates in examples and some code - Use single quote for strings 2019-10-14 01:46:30 +02:00			`describe('authorizer', () => {`
added ability to enforce only header authorization versus query string authorization - DK/MW 2016-10-20 18:13:23 +02:00			`//start and stop the server`
Fixed travis - Tests against Node 4, 8, 10, 12 and newest Modernized: - Use arrow functions - Use string templates in examples and some code - Use single quote for strings 2019-10-14 01:46:30 +02:00			`before((done) => { fixture.start({ }, done) });`
added ability to enforce only header authorization versus query string authorization - DK/MW 2016-10-20 18:13:23 +02:00			`after(fixture.stop);`
add basic integration tests 2012-11-16 16:43:12 +01:00
Fixed travis - Tests against Node 4, 8, 10, 12 and newest Modernized: - Use arrow functions - Use string templates in examples and some code - Use single quote for strings 2019-10-14 01:46:30 +02:00			`describe('when the user is not logged in', () => {`
			`it('should emit error with unauthorized handshake', (done) => {`
Fixed auth.required Misc: - Resolved conflicts - Added test case, to fail if server grants prohibited admin access - Simplified test logic - Prevented usage of "var" (used const / let instead) - Formatting - Cleanup - Typos 2019-10-13 15:52:14 +02:00			`const socket = io.connect('http://localhost:9000?token=boooooo', {`
			`forceNew: true`
added ability to enforce only header authorization versus query string authorization - DK/MW 2016-10-20 18:13:23 +02:00			`});`

Fixed travis - Tests against Node 4, 8, 10, 12 and newest Modernized: - Use arrow functions - Use string templates in examples and some code - Use single quote for strings 2019-10-14 01:46:30 +02:00			`socket.on('error', (err) => {`
			`err.message.should.eql('jwt malformed');`
			`err.code.should.eql('invalid_token');`
added ability to enforce only header authorization versus query string authorization - DK/MW 2016-10-20 18:13:23 +02:00			`socket.close();`
			`done();`
			`});`
			`});`
			`});`
initial commit after fork of passport-socketio 2014-01-13 20:00:21 +01:00
Fixed travis - Tests against Node 4, 8, 10, 12 and newest Modernized: - Use arrow functions - Use string templates in examples and some code - Use single quote for strings 2019-10-14 01:46:30 +02:00			`describe('when the user is logged in', () => {`
			`before((done) => {`
added ability to enforce only header authorization versus query string authorization - DK/MW 2016-10-20 18:13:23 +02:00			`request.post({`
			`url: 'http://localhost:9000/login',`
			`form: { username: 'jose', password: 'Pa123' },`
			`json: true`
Fixed travis - Tests against Node 4, 8, 10, 12 and newest Modernized: - Use arrow functions - Use string templates in examples and some code - Use single quote for strings 2019-10-14 01:46:30 +02:00			`}, (err, resp, body) => {`
added ability to enforce only header authorization versus query string authorization - DK/MW 2016-10-20 18:13:23 +02:00			`this.token = body.token;`
			`done();`
Fixed travis - Tests against Node 4, 8, 10, 12 and newest Modernized: - Use arrow functions - Use string templates in examples and some code - Use single quote for strings 2019-10-14 01:46:30 +02:00			`});`
add basic integration tests 2012-11-16 16:43:12 +01:00			`});`

Fixed travis - Tests against Node 4, 8, 10, 12 and newest Modernized: - Use arrow functions - Use string templates in examples and some code - Use single quote for strings 2019-10-14 01:46:30 +02:00			`describe('authorizer disallows query string token when specified in startup options', () => {`
			`before((done) => {`
added ability to enforce only header authorization versus query string authorization - DK/MW 2016-10-20 18:13:23 +02:00			`Q.ninvoke(fixture, 'stop')`
Fixed travis - Tests against Node 4, 8, 10, 12 and newest Modernized: - Use arrow functions - Use string templates in examples and some code - Use single quote for strings 2019-10-14 01:46:30 +02:00			`.then(() => Q.ninvoke(fixture, 'start', { auth_header_required: true }))`
added ability to enforce only header authorization versus query string authorization - DK/MW 2016-10-20 18:13:23 +02:00			`.done(done);`
initial commit after fork of passport-socketio 2014-01-13 20:00:21 +01:00			`});`
Fixed auth.required Misc: - Resolved conflicts - Added test case, to fail if server grants prohibited admin access - Simplified test logic - Prevented usage of "var" (used const / let instead) - Formatting - Cleanup - Typos 2019-10-13 15:52:14 +02:00
Fixed travis - Tests against Node 4, 8, 10, 12 and newest Modernized: - Use arrow functions - Use string templates in examples and some code - Use single quote for strings 2019-10-14 01:46:30 +02:00			`after((done) => {`
added ability to enforce only header authorization versus query string authorization - DK/MW 2016-10-20 18:13:23 +02:00			`Q.ninvoke(fixture, 'stop')`
Fixed travis - Tests against Node 4, 8, 10, 12 and newest Modernized: - Use arrow functions - Use string templates in examples and some code - Use single quote for strings 2019-10-14 01:46:30 +02:00			`.then(() => Q.ninvoke(fixture, 'start', { }))`
added ability to enforce only header authorization versus query string authorization - DK/MW 2016-10-20 18:13:23 +02:00			`.done(done);`
Fixed auth.required Misc: - Resolved conflicts - Added test case, to fail if server grants prohibited admin access - Simplified test logic - Prevented usage of "var" (used const / let instead) - Formatting - Cleanup - Typos 2019-10-13 15:52:14 +02:00			`});`
add basic integration tests 2012-11-16 16:43:12 +01:00
Fixed travis - Tests against Node 4, 8, 10, 12 and newest Modernized: - Use arrow functions - Use string templates in examples and some code - Use single quote for strings 2019-10-14 01:46:30 +02:00			`it('auth headers are supported', (done) => {`
Fixed auth.required Misc: - Resolved conflicts - Added test case, to fail if server grants prohibited admin access - Simplified test logic - Prevented usage of "var" (used const / let instead) - Formatting - Cleanup - Typos 2019-10-13 15:52:14 +02:00			`const socket = io.connect('http://localhost:9000', {`
			`forceNew: true,`
			`extraHeaders: { Authorization: 'Bearer ' + this.token}`
going to be adding new options but want it within the same general authorizer test suite - DK/MW 2016-10-20 17:38:43 +02:00			`});`
Fixed auth.required Misc: - Resolved conflicts - Added test case, to fail if server grants prohibited admin access - Simplified test logic - Prevented usage of "var" (used const / let instead) - Formatting - Cleanup - Typos 2019-10-13 15:52:14 +02:00
			`socket`
Fixed travis - Tests against Node 4, 8, 10, 12 and newest Modernized: - Use arrow functions - Use string templates in examples and some code - Use single quote for strings 2019-10-14 01:46:30 +02:00			`.on('connect', () => {`
Fixed auth.required Misc: - Resolved conflicts - Added test case, to fail if server grants prohibited admin access - Simplified test logic - Prevented usage of "var" (used const / let instead) - Formatting - Cleanup - Typos 2019-10-13 15:52:14 +02:00			`socket.close();`
			`done();`
			`})`
			`.on('error', done);`
added ability to enforce only header authorization versus query string authorization - DK/MW 2016-10-20 18:13:23 +02:00			`});`
going to be adding new options but want it within the same general authorizer test suite - DK/MW 2016-10-20 17:38:43 +02:00
Fixed travis - Tests against Node 4, 8, 10, 12 and newest Modernized: - Use arrow functions - Use string templates in examples and some code - Use single quote for strings 2019-10-14 01:46:30 +02:00			`it('auth token in query string is disallowed', (done) => {`
Fixed auth.required Misc: - Resolved conflicts - Added test case, to fail if server grants prohibited admin access - Simplified test logic - Prevented usage of "var" (used const / let instead) - Formatting - Cleanup - Typos 2019-10-13 15:52:14 +02:00			`const socket = io.connect('http://localhost:9000', {`
			`forceNew: true,`
			`query: 'token=' + this.token`
added ability to enforce only header authorization versus query string authorization - DK/MW 2016-10-20 18:13:23 +02:00			`});`
Fixed auth.required Misc: - Resolved conflicts - Added test case, to fail if server grants prohibited admin access - Simplified test logic - Prevented usage of "var" (used const / let instead) - Formatting - Cleanup - Typos 2019-10-13 15:52:14 +02:00
Fixed travis - Tests against Node 4, 8, 10, 12 and newest Modernized: - Use arrow functions - Use string templates in examples and some code - Use single quote for strings 2019-10-14 01:46:30 +02:00			`socket.on('error', (err) => {`
			`err.message.should.eql('Server requires Authorization Header');`
			`err.code.should.eql('missing_authorization_header');`
going to be adding new options but want it within the same general authorizer test suite - DK/MW 2016-10-20 17:38:43 +02:00			`socket.close();`
			`done();`
			`});`
			`});`
added ability to enforce only header authorization versus query string authorization - DK/MW 2016-10-20 18:13:23 +02:00			`})`
add basic integration tests 2012-11-16 16:43:12 +01:00
Fixed travis - Tests against Node 4, 8, 10, 12 and newest Modernized: - Use arrow functions - Use string templates in examples and some code - Use single quote for strings 2019-10-14 01:46:30 +02:00			`describe('authorizer all auth types allowed', () => {`
			`before((done) => {`
added ability to enforce only header authorization versus query string authorization - DK/MW 2016-10-20 18:13:23 +02:00			`Q.ninvoke(fixture, 'stop')`
Fixed travis - Tests against Node 4, 8, 10, 12 and newest Modernized: - Use arrow functions - Use string templates in examples and some code - Use single quote for strings 2019-10-14 01:46:30 +02:00			`.then(() => Q.ninvoke(fixture, 'start', {}))`
added ability to enforce only header authorization versus query string authorization - DK/MW 2016-10-20 18:13:23 +02:00			`.done(done);`
			`})`
testing lines of code that are not documented...and documenting them - DK/MW 2016-10-20 17:22:11 +02:00
Fixed travis - Tests against Node 4, 8, 10, 12 and newest Modernized: - Use arrow functions - Use string templates in examples and some code - Use single quote for strings 2019-10-14 01:46:30 +02:00			`it('auth headers are supported', (done) => {`
Fixed auth.required Misc: - Resolved conflicts - Added test case, to fail if server grants prohibited admin access - Simplified test logic - Prevented usage of "var" (used const / let instead) - Formatting - Cleanup - Typos 2019-10-13 15:52:14 +02:00			`const socket = io.connect('http://localhost:9000', {`
			`forceNew: true,`
			`extraHeaders: { Authorization: 'Bearer ' + this.token }`
going to be adding new options but want it within the same general authorizer test suite - DK/MW 2016-10-20 17:38:43 +02:00			`});`
Fixed auth.required Misc: - Resolved conflicts - Added test case, to fail if server grants prohibited admin access - Simplified test logic - Prevented usage of "var" (used const / let instead) - Formatting - Cleanup - Typos 2019-10-13 15:52:14 +02:00
			`socket`
Fixed travis - Tests against Node 4, 8, 10, 12 and newest Modernized: - Use arrow functions - Use string templates in examples and some code - Use single quote for strings 2019-10-14 01:46:30 +02:00			`.on('connect', () => {`
Fixed auth.required Misc: - Resolved conflicts - Added test case, to fail if server grants prohibited admin access - Simplified test logic - Prevented usage of "var" (used const / let instead) - Formatting - Cleanup - Typos 2019-10-13 15:52:14 +02:00			`socket.close();`
			`done();`
			`})`
			`.on('error', done);`
initial commit after fork of passport-socketio 2014-01-13 20:00:21 +01:00			`});`

Fixed travis - Tests against Node 4, 8, 10, 12 and newest Modernized: - Use arrow functions - Use string templates in examples and some code - Use single quote for strings 2019-10-14 01:46:30 +02:00			`it('should do the handshake and connect', (done) => {`
Fixed auth.required Misc: - Resolved conflicts - Added test case, to fail if server grants prohibited admin access - Simplified test logic - Prevented usage of "var" (used const / let instead) - Formatting - Cleanup - Typos 2019-10-13 15:52:14 +02:00			`const socket = io.connect('http://localhost:9000', {`
			`forceNew: true,`
			`query: 'token=' + this.token`
going to be adding new options but want it within the same general authorizer test suite - DK/MW 2016-10-20 17:38:43 +02:00			`});`
Fixed auth.required Misc: - Resolved conflicts - Added test case, to fail if server grants prohibited admin access - Simplified test logic - Prevented usage of "var" (used const / let instead) - Formatting - Cleanup - Typos 2019-10-13 15:52:14 +02:00
			`socket`
Fixed travis - Tests against Node 4, 8, 10, 12 and newest Modernized: - Use arrow functions - Use string templates in examples and some code - Use single quote for strings 2019-10-14 01:46:30 +02:00			`.on('connect', () => {`
Fixed auth.required Misc: - Resolved conflicts - Added test case, to fail if server grants prohibited admin access - Simplified test logic - Prevented usage of "var" (used const / let instead) - Formatting - Cleanup - Typos 2019-10-13 15:52:14 +02:00			`socket.close();`
			`done();`
			`})`
			`.on('error', done);`
going to be adding new options but want it within the same general authorizer test suite - DK/MW 2016-10-20 17:38:43 +02:00			`});`
Fixed auth.required Misc: - Resolved conflicts - Added test case, to fail if server grants prohibited admin access - Simplified test logic - Prevented usage of "var" (used const / let instead) - Formatting - Cleanup - Typos 2019-10-13 15:52:14 +02:00
update jsonwebtoken module to fix security issue 2014-07-17 01:29:39 +02:00			`});`
added ability to enforce only header authorization versus query string authorization - DK/MW 2016-10-20 18:13:23 +02:00			`});`
update jsonwebtoken module to fix security issue 2014-07-17 01:29:39 +02:00
Fixed travis - Tests against Node 4, 8, 10, 12 and newest Modernized: - Use arrow functions - Use string templates in examples and some code - Use single quote for strings 2019-10-14 01:46:30 +02:00			`describe('unsigned token', () => {`
			`beforeEach(() => {`
added ability to enforce only header authorization versus query string authorization - DK/MW 2016-10-20 18:13:23 +02:00			`this.token = 'eyJhbGciOiJub25lIiwiY3R5IjoiSldUIn0.eyJuYW1lIjoiSm9obiBGb28ifQ.';`
			`});`
going to be adding new options but want it within the same general authorizer test suite - DK/MW 2016-10-20 17:38:43 +02:00
Fixed travis - Tests against Node 4, 8, 10, 12 and newest Modernized: - Use arrow functions - Use string templates in examples and some code - Use single quote for strings 2019-10-14 01:46:30 +02:00			`it('should not do the handshake and connect', (done) => {`
Fixed auth.required Misc: - Resolved conflicts - Added test case, to fail if server grants prohibited admin access - Simplified test logic - Prevented usage of "var" (used const / let instead) - Formatting - Cleanup - Typos 2019-10-13 15:52:14 +02:00			`const socket = io.connect('http://localhost:9000', {`
			`forceNew: true,`
			`query: 'token=' + this.token`
update jsonwebtoken module to fix security issue 2014-07-17 01:29:39 +02:00			`});`
Fixed auth.required Misc: - Resolved conflicts - Added test case, to fail if server grants prohibited admin access - Simplified test logic - Prevented usage of "var" (used const / let instead) - Formatting - Cleanup - Typos 2019-10-13 15:52:14 +02:00
			`socket`
Fixed travis - Tests against Node 4, 8, 10, 12 and newest Modernized: - Use arrow functions - Use string templates in examples and some code - Use single quote for strings 2019-10-14 01:46:30 +02:00			`.on('connect', () => {`
Fixed auth.required Misc: - Resolved conflicts - Added test case, to fail if server grants prohibited admin access - Simplified test logic - Prevented usage of "var" (used const / let instead) - Formatting - Cleanup - Typos 2019-10-13 15:52:14 +02:00			`socket.close();`
			`done(new Error('this shouldnt happen'));`
			`})`
Fixed travis - Tests against Node 4, 8, 10, 12 and newest Modernized: - Use arrow functions - Use string templates in examples and some code - Use single quote for strings 2019-10-14 01:46:30 +02:00			`.on('error', (err) => {`
Fixed auth.required Misc: - Resolved conflicts - Added test case, to fail if server grants prohibited admin access - Simplified test logic - Prevented usage of "var" (used const / let instead) - Formatting - Cleanup - Typos 2019-10-13 15:52:14 +02:00			`socket.close();`
Fixed travis - Tests against Node 4, 8, 10, 12 and newest Modernized: - Use arrow functions - Use string templates in examples and some code - Use single quote for strings 2019-10-14 01:46:30 +02:00			`err.message.should.eql('jwt signature is required');`
Fixed auth.required Misc: - Resolved conflicts - Added test case, to fail if server grants prohibited admin access - Simplified test logic - Prevented usage of "var" (used const / let instead) - Formatting - Cleanup - Typos 2019-10-13 15:52:14 +02:00			`done();`
			`});`
update jsonwebtoken module to fix security issue 2014-07-17 01:29:39 +02:00			`});`
going to be adding new options but want it within the same general authorizer test suite - DK/MW 2016-10-20 17:38:43 +02:00			`});`
test fixes 2014-07-17 03:14:07 +02:00			`});`