Fixed auth.required

Misc:
- Resolved conflicts
- Added test case, to fail if server grants prohibited admin access
- Simplified test logic
- Prevented usage of "var" (used const / let instead)
- Formatting
- Cleanup
- Typos
This commit is contained in:
Fabian Arndt 2019-10-13 15:52:14 +02:00
commit 27c59c3b0f
11 changed files with 222 additions and 236 deletions

View File

@ -52,7 +52,7 @@ io.sockets
**Client side** **Client side**
```javascript ```javascript
var socket = io.connect('http://localhost:9000'); const socket = io.connect('http://localhost:9000');
socket.on('connect', function () { socket.on('connect', function () {
socket socket
.emit('authenticate', {token: jwt}) //send the jwt .emit('authenticate', {token: jwt}) //send the jwt
@ -71,8 +71,8 @@ socket.on('connect', function () {
The previous approach uses a second roundtrip to send the jwt. There is a way you can authenticate on the handshake by sending the JWT as a query string, the caveat is that intermediary HTTP servers can log the url. The previous approach uses a second roundtrip to send the jwt. There is a way you can authenticate on the handshake by sending the JWT as a query string, the caveat is that intermediary HTTP servers can log the url.
```javascript ```javascript
var io = require('socket.io')(server); const io = require('socket.io')(server);
var socketioJwt = require('socketio-jwt'); const socketioJwt = require('socketio-jwt');
``` ```
With socket.io < 1.0: With socket.io < 1.0:
@ -108,7 +108,7 @@ For more validation options see [auth0/jsonwebtoken](https://github.com/auth0/no
Append the jwt token using query string: Append the jwt token using query string:
```javascript ```javascript
var socket = io.connect('http://localhost:9000', { const socket = io.connect('http://localhost:9000', {
'query': 'token=' + your_jwt 'query': 'token=' + your_jwt
}); });
``` ```
@ -116,7 +116,7 @@ var socket = io.connect('http://localhost:9000', {
Append the jwt token using 'Authorization Header' (Bearer Token): Append the jwt token using 'Authorization Header' (Bearer Token):
```javascript ```javascript
var socket = io.connect('http://localhost:9000', { const socket = io.connect('http://localhost:9000', {
'extraHeaders': { Authorization: `Bearer ${your_jwt}` } 'extraHeaders': { Authorization: `Bearer ${your_jwt}` }
}); });
``` ```
@ -144,7 +144,7 @@ io.use(socketioJwt.authorize({
When you sign the token with an expiration time (example: 60 minutes): When you sign the token with an expiration time (example: 60 minutes):
```javascript ```javascript
var token = jwt.sign(user_profile, jwt_secret, {expiresIn: 60*60}); const token = jwt.sign(user_profile, jwt_secret, {expiresIn: 60*60});
``` ```
Your client-side code should handle it as below: Your client-side code should handle it as below:
@ -234,7 +234,7 @@ the provided token.
**Server side** **Server side**
```javascript ```javascript
var SECRETS = { const SECRETS = {
'user1': 'secret 1', 'user1': 'secret 1',
'user2': 'secret 2' 'user2': 'secret 2'
} }

View File

@ -17,12 +17,15 @@ function noQsMethod (options) {
} }
} }
socket.on('authenticate', function (data) { let auth_timeout = null;
if (options.required) { if (options.required) {
let auth_timeout = setTimeout(function () { auth_timeout = setTimeout(function () {
socket.disconnect('unauthorized'); socket.disconnect('unauthorized');
}, options.timeout || 5000); }, options.timeout || 5000);
}
socket.on('authenticate', function (data) {
if (options.required) {
clearTimeout(auth_timeout); clearTimeout(auth_timeout);
} }
@ -30,13 +33,12 @@ function noQsMethod (options) {
const onError = function (err, code) { const onError = function (err, code) {
if (err) { if (err) {
code = code || 'unknown'; code = code || 'unknown';
const error = new UnauthorizedError(code, { const error = new UnauthorizedError(code, {
message: (Object.prototype.toString.call(err) === '[object Object]' && err.message) ? err.message : err message: (Object.prototype.toString.call(err) === '[object Object]' && err.message) ? err.message : err
}); });
let callback_timeout; let callback_timeout;
// If callback explicitely set to false, start timeout to disconnect socket // If callback explicitly set to false, start timeout to disconnect socket
if (options.callback === false || typeof options.callback === 'number') { if (options.callback === false || typeof options.callback === 'number') {
if (typeof options.callback === 'number') { if (typeof options.callback === 'number') {
if (options.callback < 0) { if (options.callback < 0) {
@ -113,6 +115,10 @@ function noQsMethod (options) {
function authorize (options, onConnection) { function authorize (options, onConnection) {
options = xtend({ decodedPropertyName: 'decoded_token', encodedPropertyName: 'encoded_token' }, options); options = xtend({ decodedPropertyName: 'decoded_token', encodedPropertyName: 'encoded_token' }, options);
if (typeof options.secret !== 'string') {
throw new Error(`Provided secret "${options.secret}" is invalid, must be of type string.`)
}
if (!options.handshake) { if (!options.handshake) {
return noQsMethod(options); return noQsMethod(options);
} }
@ -163,7 +169,7 @@ function authorize (options, onConnection) {
if (options.auth_header_required && !token) { if (options.auth_header_required && !token) {
return auth.fail(new UnauthorizedError('missing_authorization_header', { return auth.fail(new UnauthorizedError('missing_authorization_header', {
message: 'Server requires Authorization Header' message: 'Server requires Authorization Header'
}), data, accept); }), socket, accept);
} }
// Get the token from handshake or query string // Get the token from handshake or query string

View File

@ -1,7 +1,7 @@
var Q = require('q'); const Q = require('q');
var fixture = require('./fixture'); const fixture = require('./fixture');
var request = require('request'); const request = require('request');
var io = require('socket.io-client'); const io = require('socket.io-client');
describe('authorizer', function() { describe('authorizer', function() {
//start and stop the server //start and stop the server
@ -9,19 +9,18 @@ describe('authorizer', function() {
after(fixture.stop); after(fixture.stop);
describe('when the user is not logged in', function () { describe('when the user is not logged in', function () {
it('should emit error with unauthorized handshake', function (done){ it('should emit error with unauthorized handshake', function (done) {
var socket = io.connect('http://localhost:9000?token=boooooo', { const socket = io.connect('http://localhost:9000?token=boooooo', {
'forceNew': true forceNew: true
}); });
socket.on('error', function(err){ socket.on('error', function(err) {
err.message.should.eql("jwt malformed"); err.message.should.eql("jwt malformed");
err.code.should.eql("invalid_token"); err.code.should.eql("invalid_token");
socket.close(); socket.close();
done(); done();
}); });
}); });
}); });
describe('when the user is logged in', function() { describe('when the user is logged in', function() {
@ -41,30 +40,35 @@ describe('authorizer', function() {
Q.ninvoke(fixture, 'stop') Q.ninvoke(fixture, 'stop')
.then(function() { return Q.ninvoke(fixture, 'start', { auth_header_required: true })}) .then(function() { return Q.ninvoke(fixture, 'start', { auth_header_required: true })})
.done(done); .done(done);
}) });
after(function(done) { after(function(done) {
Q.ninvoke(fixture, 'stop') Q.ninvoke(fixture, 'stop')
.then(function() { return Q.ninvoke(fixture, 'start', { })}) .then(function() { return Q.ninvoke(fixture, 'start', { })})
.done(done); .done(done);
})
it('auth headers are supported', function (done){
var socket = io.connect('http://localhost:9000', {
'forceNew':true,
'extraHeaders': {'Authorization': 'Bearer ' + this.token}
}); });
socket.on('connect', function(){
it('auth headers are supported', function (done) {
const socket = io.connect('http://localhost:9000', {
forceNew: true,
extraHeaders: { Authorization: 'Bearer ' + this.token}
});
socket
.on('connect', function() {
socket.close(); socket.close();
done(); done();
}).on('error', done); })
.on('error', done);
}); });
it('auth token in query string is disallowed', function (done){ it('auth token in query string is disallowed', function (done) {
var socket = io.connect('http://localhost:9000', { const socket = io.connect('http://localhost:9000', {
'forceNew':true, forceNew: true,
'query': 'token=' + this.token query: 'token=' + this.token
}); });
socket.on('error', function(err){
socket.on('error', function(err) {
err.message.should.eql("Server requires Authorization Header"); err.message.should.eql("Server requires Authorization Header");
err.code.should.eql("missing_authorization_header"); err.code.should.eql("missing_authorization_header");
socket.close(); socket.close();
@ -80,44 +84,54 @@ describe('authorizer', function() {
.done(done); .done(done);
}) })
it('auth headers are supported', function (done){ it('auth headers are supported', function (done) {
var socket = io.connect('http://localhost:9000', { const socket = io.connect('http://localhost:9000', {
'forceNew':true, forceNew: true,
'extraHeaders': {'Authorization': 'Bearer ' + this.token} extraHeaders: { Authorization: 'Bearer ' + this.token }
});
socket.on('connect', function(){
socket.close();
done();
}).on('error', done);
}); });
it('should do the handshake and connect', function (done){ socket
var socket = io.connect('http://localhost:9000', { .on('connect', function() {
'forceNew':true,
'query': 'token=' + this.token
});
socket.on('connect', function(){
socket.close(); socket.close();
done(); done();
}).on('error', done); })
.on('error', done);
}); });
it('should do the handshake and connect', function (done) {
const socket = io.connect('http://localhost:9000', {
forceNew: true,
query: 'token=' + this.token
});
socket
.on('connect', function() {
socket.close();
done();
})
.on('error', done);
});
}); });
}); });
describe('unsgined token', function() { describe('unsigned token', function() {
beforeEach(function () { beforeEach(function () {
this.token = 'eyJhbGciOiJub25lIiwiY3R5IjoiSldUIn0.eyJuYW1lIjoiSm9obiBGb28ifQ.'; this.token = 'eyJhbGciOiJub25lIiwiY3R5IjoiSldUIn0.eyJuYW1lIjoiSm9obiBGb28ifQ.';
}); });
it('should not do the handshake and connect', function (done){ it('should not do the handshake and connect', function (done) {
var socket = io.connect('http://localhost:9000', { const socket = io.connect('http://localhost:9000', {
'forceNew':true, forceNew: true,
'query': 'token=' + this.token query: 'token=' + this.token
}); });
socket.on('connect', function () {
socket
.on('connect', function () {
socket.close(); socket.close();
done(new Error('this shouldnt happen')); done(new Error('this shouldnt happen'));
}).on('error', function (err) { })
.on('error', function (err) {
socket.close(); socket.close();
err.message.should.eql("jwt signature is required"); err.message.should.eql("jwt signature is required");
done(); done();

View File

@ -1,6 +1,6 @@
var fixture = require('./fixture/namespace'); const fixture = require('./fixture/namespace');
var request = require('request'); const request = require('request');
var io = require('socket.io-client'); const io = require('socket.io-client');
describe('authorizer with namespaces', function () { describe('authorizer with namespaces', function () {
@ -11,15 +11,16 @@ describe('authorizer with namespaces', function () {
describe('when the user is not logged in', function () { describe('when the user is not logged in', function () {
it('should be able to connect to the default namespace', function (done){ it('should be able to connect to the default namespace', function (done) {
var socket = io.connect('http://localhost:9000'); io.connect('http://localhost:9000')
socket.once('hi', done); .once('hi', done);
}); });
it('should not be able to connect to the admin namespace', function (done){ it('should not be able to connect to the admin namespace', function (done) {
var socket = io.connect('http://localhost:9000/admin'); io.connect('http://localhost:9000/admin')
socket.once('disconnect', function () { .once('disconnect', function() { done(); })
done(); .once('hi admin', function() {
done(new Error('unauthenticated client was able to connect to the admin namespace'));
}); });
}); });
@ -38,16 +39,10 @@ describe('authorizer with namespaces', function () {
}.bind(this)); }.bind(this));
}); });
it('should do the handshake and connect', function (done){ it('should do the handshake and connect', function (done) {
var socket = io.connect('http://localhost:9000/admin', { io.connect('http://localhost:9000/admin', { forceNew: true })
'forceNew': true, .on('authenticated', done)
}); .emit('authenticate', { token: this.token });
var token = this.token;
socket.on('connect', function(){
socket.on('authenticated', function () {
done();
}).emit('authenticate', { token: token });
});
}); });
}); });

View File

@ -1,6 +1,6 @@
var fixture = require('./fixture'); const fixture = require('./fixture');
var request = require('request'); const request = require('request');
var io = require('socket.io-client'); const io = require('socket.io-client');
describe('authorizer without querystring', function () { describe('authorizer without querystring', function () {
@ -15,23 +15,17 @@ describe('authorizer without querystring', function () {
describe('when the user is not logged in', function () { describe('when the user is not logged in', function () {
it('should close the connection after a timeout if no auth message is received', function (done){ it('should close the connection after a timeout if no auth message is received', function (done) {
var socket = io.connect('http://localhost:9000', { io.connect('http://localhost:9000', { forceNew: true })
forceNew: true .once('disconnect', function () { done(); });
});
socket.once('disconnect', function () {
done();
});
}); });
it('should not respond echo', function (done){ it('should not respond echo', function (done) {
var socket = io.connect('http://localhost:9000', { io.connect('http://localhost:9000', { forceNew: true })
'forceNew':true, .on('echo-response', function () {
});
socket.on('echo-response', function () {
done(new Error('this should not happen')); done(new Error('this should not happen'));
}).emit('echo', { hi: 123 }); })
.emit('echo', { hi: 123 });
setTimeout(done, 1200); setTimeout(done, 1200);
}); });
@ -51,19 +45,18 @@ describe('authorizer without querystring', function () {
}.bind(this)); }.bind(this));
}); });
it('should do the handshake and connect', function (done){ it('should do the handshake and connect', function (done) {
var socket = io.connect('http://localhost:9000', { const socket = io.connect('http://localhost:9000', { forceNew: true });
'forceNew':true,
}); socket
var token = this.token; .on('echo-response', function () {
socket.on('connect', function(){
socket.on('echo-response', function () {
socket.close(); socket.close();
done(); done();
}).on('authenticated', function () { })
.on('authenticated', function () {
socket.emit('echo'); socket.emit('echo');
}).emit('authenticate', { token: token }); })
}); .emit('authenticate', { token: this.token });
}); });
}); });

View File

@ -1,6 +1,6 @@
var fixture = require('./fixture/secret_function'); const fixture = require('./fixture/secret_function');
var request = require('request'); const request = require('request');
var io = require('socket.io-client'); const io = require('socket.io-client');
describe('authorizer with secret function', function () { describe('authorizer with secret function', function () {
@ -8,7 +8,7 @@ describe('authorizer with secret function', function () {
before(function (done) { before(function (done) {
fixture.start({ fixture.start({
handshake: false handshake: false
} , done); }, done);
}); });
after(fixture.stop); after(fixture.stop);
@ -26,20 +26,10 @@ describe('authorizer with secret function', function () {
}.bind(this)); }.bind(this));
}); });
it('should emit unauthorized', function (done){ it('should emit unauthorized', function (done) {
var socket = io.connect('http://localhost:9000', { io.connect('http://localhost:9000', { forceNew: true })
'forceNew':true, .on('unauthorized', function() { done(); })
}); .emit('authenticate', { token: this.invalidToken + 'ass' })
var invalidToken = this.invalidToken;
socket.on('unauthorized', function() {
done();
});
socket.on('connect', function(){
socket
.emit('authenticate', { token: invalidToken + 'ass' })
});
}); });
}); });
@ -57,20 +47,18 @@ describe('authorizer with secret function', function () {
}.bind(this)); }.bind(this));
}); });
it('should do the handshake and connect', function (done){ it('should do the handshake and connect', function (done) {
var socket = io.connect('http://localhost:9000', { const socket = io.connect('http://localhost:9000', { forceNew: true });
'forceNew':true,
}); socket
var token = this.token; .on('echo-response', function () {
socket.on('connect', function(){
socket.on('echo-response', function () {
socket.close(); socket.close();
done(); done();
}).on('authenticated', function () { })
.on('authenticated', function () {
socket.emit('echo'); socket.emit('echo');
}) })
.emit('authenticate', { token: token }) .emit('authenticate', { token: this.token });
});
}); });
}); });

View File

@ -1,6 +1,6 @@
var fixture = require('./fixture/secret_function'); const fixture = require('./fixture/secret_function');
var request = require('request'); const request = require('request');
var io = require('socket.io-client'); const io = require('socket.io-client');
describe('authorizer with secret function', function () { describe('authorizer with secret function', function () {
@ -10,12 +10,10 @@ describe('authorizer with secret function', function () {
describe('when the user is not logged in', function () { describe('when the user is not logged in', function () {
it('should emit error with unauthorized handshake', function (done){ it('should emit error with unauthorized handshake', function (done) {
var socket = io.connect('http://localhost:9000?token=boooooo', { const socket = io.connect('http://localhost:9000?token=boooooo', { forceNew: true });
'forceNew': true
});
socket.on('error', function(err){ socket.on('error', function(err) {
err.message.should.eql("jwt malformed"); err.message.should.eql("jwt malformed");
err.code.should.eql("invalid_token"); err.code.should.eql("invalid_token");
socket.close(); socket.close();
@ -37,15 +35,18 @@ describe('authorizer with secret function', function () {
}.bind(this)); }.bind(this));
}); });
it('should do the handshake and connect', function (done){ it('should do the handshake and connect', function (done) {
var socket = io.connect('http://localhost:9000', { const socket = io.connect('http://localhost:9000', {
'forceNew':true, forceNew: true,
'query': 'token=' + this.token query: 'token=' + this.token
}); });
socket.on('connect', function(){
socket
.on('connect', function() {
socket.close(); socket.close();
done(); done();
}).on('error', done); })
.on('error', done);
}); });
}); });
@ -54,15 +55,18 @@ describe('authorizer with secret function', function () {
this.token = 'eyJhbGciOiJub25lIiwiY3R5IjoiSldUIn0.eyJuYW1lIjoiSm9obiBGb28ifQ.'; this.token = 'eyJhbGciOiJub25lIiwiY3R5IjoiSldUIn0.eyJuYW1lIjoiSm9obiBGb28ifQ.';
}); });
it('should not do the handshake and connect', function (done){ it('should not do the handshake and connect', function (done) {
var socket = io.connect('http://localhost:9000', { const socket = io.connect('http://localhost:9000', {
'forceNew':true, forceNew: true,
'query': 'token=' + this.token query: 'token=' + this.token
}); });
socket.on('connect', function () {
socket
.on('connect', function () {
socket.close(); socket.close();
done(new Error('this shouldnt happen')); done(new Error('this shouldnt happen'));
}).on('error', function (err) { })
.on('error', function (err) {
socket.close(); socket.close();
err.message.should.eql("jwt signature is required"); err.message.should.eql("jwt signature is required");
done(); done();

View File

@ -1,16 +1,15 @@
var express = require('express'); const express = require('express');
var http = require('http'); const http = require('http');
var socketIo = require('socket.io'); const socketIo = require('socket.io');
var socketio_jwt = require('../../lib'); const socketio_jwt = require('../../lib');
var jwt = require('jsonwebtoken'); const jwt = require('jsonwebtoken');
const xtend = require('xtend');
const bodyParser = require('body-parser');
const enableDestroy = require('server-destroy');
var xtend = require('xtend'); let sio;
var bodyParser = require('body-parser');
var server, sio;
var enableDestroy = require('server-destroy');
exports.start = function (options, callback) { exports.start = function (options, callback) {
@ -25,12 +24,13 @@ exports.start = function (options, callback) {
handshake: true handshake: true
}, options); }, options);
var app = express(); const app = express();
const server = http.createServer(app);
sio = socketIo.listen(server);
app.use(bodyParser.json()); app.use(bodyParser.json());
app.post('/login', function (req, res) { app.post('/login', function (req, res) {
var profile = { const profile = {
first_name: 'John', first_name: 'John',
last_name: 'Doe', last_name: 'Doe',
email: 'john@doe.com', email: 'john@doe.com',
@ -38,14 +38,10 @@ exports.start = function (options, callback) {
}; };
// We are sending the profile inside the token // We are sending the profile inside the token
var token = jwt.sign(profile, options.secret, { expiresIn: 60*60*5 }); const token = jwt.sign(profile, options.secret, { expiresIn: 60*60*5 });
res.json({token: token}); res.json({token: token});
}); });
server = http.createServer(app);
sio = socketIo.listen(server);
if (options.handshake) { if (options.handshake) {
sio.use(socketio_jwt.authorize(options)); sio.use(socketio_jwt.authorize(options));

View File

@ -1,16 +1,14 @@
var express = require('express'); const express = require('express');
var http = require('http'); const http = require('http');
var socketIo = require('socket.io'); const socketIo = require('socket.io');
var socketio_jwt = require('../../lib'); const socketio_jwt = require('../../lib');
var jwt = require('jsonwebtoken'); const jwt = require('jsonwebtoken');
const enableDestroy = require('server-destroy');
const bodyParser = require('body-parser');
var xtend = require('xtend'); let sio;
var bodyParser = require('body-parser');
var server, sio;
var enableDestroy = require('server-destroy');
/** /**
* This is an example server that shows how to do namespace authentication. * This is an example server that shows how to do namespace authentication.
@ -19,18 +17,19 @@ var enableDestroy = require('server-destroy');
*/ */
exports.start = function (callback) { exports.start = function (callback) {
options = { const options = {
secret: 'aaafoo super sercret', secret: 'aaafoo super sercret',
timeout: 1000, timeout: 1000,
handshake: false handshake: false
}; };
var app = express(); const app = express();
const server = http.createServer(app);
sio = socketIo.listen(server);
app.use(bodyParser.json()); app.use(bodyParser.json());
app.post('/login', function (req, res) { app.post('/login', function (req, res) {
var profile = { const profile = {
first_name: 'John', first_name: 'John',
last_name: 'Doe', last_name: 'Doe',
email: 'john@doe.com', email: 'john@doe.com',
@ -38,20 +37,17 @@ exports.start = function (callback) {
}; };
// We are sending the profile inside the token // We are sending the profile inside the token
var token = jwt.sign(profile, options.secret, { expiresIn: 60*60*5 }); const token = jwt.sign(profile, options.secret, { expiresIn: 60*60*5 });
res.json({ token: token });
res.json({token: token});
}); });
server = http.createServer(app);
sio = socketIo.listen(server);
sio.on('connection', function (socket) { sio.on('connection', function (socket) {
socket.emit('hi'); socket.emit('hi');
}); });
var admin_nsp = sio.of('/admin'); const admin_nsp = sio.of('/admin');
admin_nsp.on('connection', socketio_jwt.authorize(options)) admin_nsp.on('connection', socketio_jwt.authorize(options))
.on('authenticated', function (socket) { .on('authenticated', function (socket) {

View File

@ -1,19 +1,18 @@
var express = require('express'); const express = require('express');
var http = require('http'); const http = require('http');
var socketIo = require('socket.io'); const socketIo = require('socket.io');
var socketio_jwt = require('../../lib'); const socketio_jwt = require('../../lib');
var jwt = require('jsonwebtoken'); const jwt = require('jsonwebtoken');
const xtend = require('xtend');
const bodyParser = require('body-parser');
const enableDestroy = require('server-destroy');
var xtend = require('xtend'); let sio;
var bodyParser = require('body-parser');
var server, sio;
var enableDestroy = require('server-destroy');
exports.start = function (options, callback) { exports.start = function (options, callback) {
var SECRETS = { const SECRETS = {
123: 'aaafoo super sercret', 123: 'aaafoo super sercret',
555: 'other' 555: 'other'
}; };
@ -31,12 +30,13 @@ exports.start = function (options, callback) {
handshake: true handshake: true
}, options); }, options);
var app = express(); const app = express();
const server = http.createServer(app);
sio = socketIo.listen(server);
app.use(bodyParser.json()); app.use(bodyParser.json());
app.post('/login', function (req, res) { app.post('/login', function (req, res) {
var profile = { const profile = {
first_name: 'John', first_name: 'John',
last_name: 'Doe', last_name: 'Doe',
email: 'john@doe.com', email: 'john@doe.com',
@ -44,15 +44,10 @@ exports.start = function (options, callback) {
}; };
// We are sending the profile inside the token // We are sending the profile inside the token
var token = jwt.sign(profile, SECRETS[123], { expiresIn: 60*60*5 }); const token = jwt.sign(profile, SECRETS[123], { expiresIn: 60*60*5 });
res.json({token: token}); res.json({token: token});
}); });
server = http.createServer(app);
sio = socketIo.listen(server);
if (options.handshake) { if (options.handshake) {
sio.use(socketio_jwt.authorize(options)); sio.use(socketio_jwt.authorize(options));
@ -86,4 +81,3 @@ exports.stop = function (callback) {
callback(); callback();
}; };