Add ability to generate secret dynamically

This allow you to pass a function instead of an string in order to
generate secret based on the new connection features.
This commit is contained in:
Damian Fortuna 2015-11-18 17:36:24 -03:00
parent d06501e315
commit e094d231b2
5 changed files with 321 additions and 9 deletions

View File

@ -101,6 +101,31 @@ socket.on("error", function(error) {
console.log("User's token has expired");
}
});
```
## Getting the secret dynamically
You can pass a function instead of an string when configuring secret.
This function receives the request, the decoded token and a callback. This
way, you are allowed to use a different secret based on the request and / or
the provided token.
__Server side__:
```javascript
var SECRETS = {
'user1': 'secret 1',
'user2': 'secret 2'
}
io.use(socketioJwt.authorize({
secret: function(request, decodedToken, callback) {
// SECRETS[decodedToken.userId] will be used a a secret or
// public key for connection user.
callback(null, SECRETS[decodedToken.userId]);
},
handshake: false
}));
```
## Contribute

View File

@ -45,7 +45,7 @@ function noQsMethod(options) {
return onError({message: 'invalid token datatype'}, 'invalid_token');
}
jwt.verify(data.token, options.secret, options, function(err, decoded) {
var onJwtVerificationReady = function(err, decoded) {
if (err) {
return onError(err, 'invalid_token');
@ -73,9 +73,18 @@ function noQsMethod(options) {
} else {
onSuccess();
}
});
});
};
var onSecretReady = function(err, secret) {
if (err || !secret) {
return onError(err, 'invalid_secret');
}
jwt.verify(data.token, secret, options, onJwtVerificationReady);
};
getSecret(socket.request, options.secret, data.token, onSecretReady);
});
};
}
@ -140,18 +149,57 @@ function authorize(options, onConnection) {
return auth.fail(error, data, accept);
}
jwt.verify(token, options.secret, options, function(err, decoded) {
var onJwtVerificationReady = function(err, decoded) {
if (err) {
error = new UnauthorizedError('invalid_token', err);
error = new UnauthorizedError(err.code || 'invalid_token', err);
return auth.fail(error, data, accept);
}
data.decoded_token = decoded;
return auth.success(data, accept);
});
};
var onSecretReady = function(err, secret) {
if (err) {
error = new UnauthorizedError(err.code || 'invalid_secret', err);
return auth.fail(error, data, accept);
}
jwt.verify(token, secret, options, onJwtVerificationReady);
};
getSecret(req, options.secret, token, onSecretReady);
};
}
function getSecret(request, secret, token, callback) {
if (typeof secret === 'function') {
if (!token) {
return callback({ code: 'invalid_token', message: 'jwt must be provided' });
}
var parts = token.split('.');
if (parts.length < 3) {
return callback({ code: 'invalid_token', message: 'jwt malformed' });
}
if (parts[2].trim() === '') {
return callback({ code: 'invalid_token', message: 'jwt signature is required' });
}
var decodedToken = jwt.decode(token);
if (!decodedToken) {
return callback({ code: 'invalid_token', message: 'jwt malformed' });
}
secret(request, decodedToken, callback);
} else {
callback(null, secret);
}
};
exports.authorize = authorize;

View File

@ -0,0 +1,77 @@
var fixture = require('./fixture/secret_function');
var request = require('request');
var io = require('socket.io-client');
describe('authorizer with secret function', function () {
//start and stop the server
before(function (done) {
fixture.start({
handshake: false
} , done);
});
after(fixture.stop);
describe('when the user is not logged in', function () {
describe('and when token is not valid', function() {
beforeEach(function (done) {
request.post({
url: 'http://localhost:9000/login',
json: { username: 'invalid_signature', password: 'Pa123' }
}, function (err, resp, body) {
this.invalidToken = body.token;
done();
}.bind(this));
});
it('should emit unauthorized', function (done){
var socket = io.connect('http://localhost:9000', {
'forceNew':true,
});
var invalidToken = this.invalidToken;
socket.on('unauthorized', function() {
done();
});
socket.on('connect', function(){
socket
.emit('authenticate', { token: invalidToken + 'ass' })
});
});
});
});
describe('when the user is logged in', function() {
beforeEach(function (done) {
request.post({
url: 'http://localhost:9000/login',
json: { username: 'valid_signature', password: 'Pa123' }
}, function (err, resp, body) {
this.token = body.token;
done();
}.bind(this));
});
it('should do the handshake and connect', function (done){
var socket = io.connect('http://localhost:9000', {
'forceNew':true,
});
var token = this.token;
socket.on('connect', function(){
socket.on('echo-response', function () {
socket.close();
done();
}).on('authenticated', function () {
socket.emit('echo');
})
.emit('authenticate', { token: token })
});
});
});
});

View File

@ -0,0 +1,73 @@
var fixture = require('./fixture/secret_function');
var request = require('request');
var io = require('socket.io-client');
describe('authorizer with secret function', function () {
//start and stop the server
before(fixture.start);
after(fixture.stop);
describe('when the user is not logged in', function () {
it('should emit error with unauthorized handshake', function (done){
var socket = io.connect('http://localhost:9000?token=boooooo', {
'forceNew': true
});
socket.on('error', function(err){
err.message.should.eql("jwt malformed");
err.code.should.eql("invalid_token");
socket.close();
done();
});
});
});
describe('when the user is logged in', function() {
beforeEach(function (done) {
request.post({
url: 'http://localhost:9000/login',
json: { username: 'valid_signature', password: 'Pa123' }
}, function (err, resp, body) {
this.token = body.token;
done();
}.bind(this));
});
it('should do the handshake and connect', function (done){
var socket = io.connect('http://localhost:9000', {
'forceNew':true,
'query': 'token=' + this.token
});
socket.on('connect', function(){
socket.close();
done();
}).on('error', done);
});
});
describe('unsigned token', function() {
beforeEach(function () {
this.token = 'eyJhbGciOiJub25lIiwiY3R5IjoiSldUIn0.eyJuYW1lIjoiSm9obiBGb28ifQ.';
});
it('should not do the handshake and connect', function (done){
var socket = io.connect('http://localhost:9000', {
'forceNew':true,
'query': 'token=' + this.token
});
socket.on('connect', function () {
socket.close();
done(new Error('this shouldnt happen'));
}).on('error', function (err) {
socket.close();
err.message.should.eql("jwt signature is required");
done();
});
});
});
});

View File

@ -0,0 +1,89 @@
var express = require('express');
var http = require('http');
var socketIo = require('socket.io');
var socketio_jwt = require('../../lib');
var jwt = require('jsonwebtoken');
var xtend = require('xtend');
var bodyParser = require('body-parser');
var server, sio;
var enableDestroy = require('server-destroy');
exports.start = function (options, callback) {
var SECRETS = {
123: 'aaafoo super sercret',
555: 'other'
};
if(typeof options == 'function'){
callback = options;
options = {};
}
options = xtend({
secret: function(request, decodedToken, callback) {
callback(null, SECRETS[decodedToken.id]);
},
timeout: 1000,
handshake: true
}, options);
var app = express();
app.use(bodyParser.json());
app.post('/login', function (req, res) {
var profile = {
first_name: 'John',
last_name: 'Doe',
email: 'john@doe.com',
id: req.body.username === 'valid_signature' ? 123 : 555
};
// We are sending the profile inside the token
var token = jwt.sign(profile, SECRETS[123], { expiresIn: 60*60*5 });
res.json({token: token});
});
server = http.createServer(app);
sio = socketIo.listen(server);
if (options.handshake) {
sio.use(socketio_jwt.authorize(options));
sio.sockets.on('echo', function (m) {
sio.sockets.emit('echo-response', m);
});
} else {
sio.sockets
.on('connection', socketio_jwt.authorize(options))
.on('authenticated', function (socket) {
socket.on('echo', function (m) {
socket.emit('echo-response', m);
});
});
}
server.__sockets = [];
server.on('connection', function (c) {
server.__sockets.push(c);
});
server.listen(9000, callback);
enableDestroy(server);
};
exports.stop = function (callback) {
sio.close();
try {
server.destroy();
} catch (er) {}
callback();
};