Validation

On the socket 'authenticate' event, should we check that data.token exists and that it is of the desired type?
socket.emit( 'authenticate', {token: {} }); // will crash server if sent from client-side.
gfetco 2015-11-01 20:44:25 +01:00
parent 5532ff03fd
commit 170c23306f


@ -27,9 +27,8 @@ function noQsMethod(options) {
if(options.required){ if(options.required){
clearTimeout(auth_timeout); clearTimeout(auth_timeout);
} }
jwt.verify(data.token, options.secret, options, function(err, decoded) { // error handler
// error handler var onError = function(err, code) {
var onError = function(err, code) {
if (err) { if (err) {
code = code || 'unknown'; code = code || 'unknown';
var error = new UnauthorizedError(code, { var error = new UnauthorizedError(code, {
@ -40,7 +39,13 @@ function noQsMethod(options) {
}); });
return; // stop logic, socket will be close on next tick return; // stop logic, socket will be close on next tick
} }
}; };
if(typeof data.token !== "string") {
return onError({message: 'invalid token datatype'}, 'invalid_token');
}
jwt.verify(data.token, options.secret, options, function(err, decoded) {
if (err) { if (err) {
return onError(err, 'invalid_token'); return onError(err, 'invalid_token');