Validation

on socket authenticate, should check that the data.token exists and if it is the desired type? socket.emit( 'authenticate', {token: {} }); // will crash server if sent from client-side.
2024-07-21 09:38:31 +02:00 · 2015-11-01 20:44:25 +01:00 · 2015-11-01 20:44:25 +01:00 · 170c23306f
commit 170c23306f
parent 5532ff03fd
1 changed files with 9 additions and 4 deletions
--- a/lib/index.js
+++ b/lib/index.js
@ -27,9 +27,8 @@ function noQsMethod(options) {
      if(options.required){
        clearTimeout(auth_timeout);
      }
-      jwt.verify(data.token, options.secret, options, function(err, decoded) {
-        // error handler
-        var onError = function(err, code) {
+      // error handler
+      var onError = function(err, code) {
          if (err) {
            code = code || 'unknown';
            var error = new UnauthorizedError(code, {
@ -40,7 +39,13 @@ function noQsMethod(options) {
            });
            return; // stop logic, socket will be close on next tick
          }
-        };
+      };
+      
+      if(typeof data.token !== "string") {
+        return onError({message: 'invalid token datatype'}, 'invalid_token');
+      }
+      
+      jwt.verify(data.token, options.secret, options, function(err, decoded) {

        if (err) {
          return onError(err, 'invalid_token');