added ability to enforce only header authorization versus query string authorization - DK/MW

This commit is contained in:
Mathew Woods 2016-10-20 11:13:23 -05:00 committed by Fabian Arndt
parent 2d390e66e6
commit ef0983a702
3 changed files with 90 additions and 45 deletions


@ -158,7 +158,14 @@ function authorize(options, onConnection) {
} }
} }
//get the token from handshake or query string // Check if the header has to include authentication
if (options.auth_header_required && !token) {
return auth.fail(new UnauthorizedError('missing_authorization_header', {
message: 'Server requires Authorization Header'
}), data, accept);
}
// Get the token from handshake or query string
if (handshake && handshake.query.token){ if (handshake && handshake.query.token){
token = handshake.query.token; token = handshake.query.token;
} }
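Review bot: With `auth_header_required` set, a token already taken from the request header is still overwritten by `handshake.query.token` on the line after the new check, because the new guard only rejects a missing token and the query-string read at `if (handshake && handshake.query.token)` stays unconditional. A client that sends both a header token and a query-string token therefore has the query token win, which is the opposite of the header-only mode the option name promises. Gate the fallback on the option as well: `if (!options.auth_header_required && handshake && handshake.query.token) {`. The enclosing `authorize` function starts and ends outside the hunk, so where `token` is first assigned is not visible here; if the header parsing sits above this hunk the one-line guard is sufficient, otherwise the same guard belongs wherever the query read happens.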

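--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -33,6 +33,7 @@
 "serve-static": "^1.12.1",
 "jsonwebtoken": "^8.3.0",
 "xtend": "~2.1.2",
+"q": "^1.4.1",
 "server-destroy": "~1.0.1",
 "should": "~11.2.1",
 "socket.io": "^1.7.3",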
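Review bot: `q` is added to the manifest only to drive the new test hooks (the `Q.ninvoke` calls in the test file), and which dependency block this hunk sits in is not visible — its neighbours mix packages that look runtime (`jsonwebtoken`, `xtend`) with test-only ones (`should`, `socket.io`). If the line lands under `dependencies`, every consumer of the library installs a package the library code shown here never requires, which widens the install footprint for no runtime benefit. Put it under `devDependencies`, or drop it entirely and write the hooks with the platform Promise, e.g. `new Promise((resolve) => fixture.stop(resolve))`, which needs no new package.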


@ -1,19 +1,14 @@
var Q = require('q');
var fixture = require('./fixture'); var fixture = require('./fixture');
var request = require('request'); var request = require('request');
var io = require('socket.io-client'); var io = require('socket.io-client');
describe('authorizer', () => { describe('authorizer', () => {
describe('authorizer all auth types allowed', () => {
//start and stop the server //start and stop the server
before(done => { before(done => { fixture.start({ }, done) });
fixture.start({ }, done)
});
after(fixture.stop); after(fixture.stop);
describe('when the user is not logged in', function () { describe('when the user is not logged in', function () {
it('should emit error with unauthorized handshake', function (done){ it('should emit error with unauthorized handshake', function (done){
var socket = io.connect('http://localhost:9000?token=boooooo', { var socket = io.connect('http://localhost:9000?token=boooooo', {
'forceNew': true 'forceNew': true
@ -30,7 +25,6 @@ describe('authorizer', () => {
}); });
describe('when the user is logged in', function() { describe('when the user is logged in', function() {
before(function (done) { before(function (done) {
request.post({ request.post({
url: 'http://localhost:9000/login', url: 'http://localhost:9000/login',
@ -42,6 +36,50 @@ describe('authorizer', () => {
}.bind(this)); }.bind(this));
}); });
describe('authorizer disallows query string token when specified in startup options', () => {
before(done => {
Q.ninvoke(fixture, 'stop')
.then(() => Q.ninvoke(fixture, 'start', { auth_header_required: true }))
.done(done);
})
after(done => {
Q.ninvoke(fixture, 'stop')
.then(() => Q.ninvoke(fixture, 'start', { }))
.done(done);
})
it('auth headers are supported', function (done){
var socket = io.connect('http://localhost:9000', {
'forceNew':true,
'extraHeaders': {'Authorization': `Bearer ${this.token}`}
});
socket.on('connect', function(){
socket.close();
done();
}).on('error', done);
});
it('auth token in query string is disallowed', function (done){
var socket = io.connect('http://localhost:9000', {
'forceNew':true,
'query': 'token=' + this.token
});
socket.on('error', function(err){
err.message.should.eql("Server requires Authorization Header");
err.code.should.eql("missing_authorization_header");
socket.close();
done();
});
});
})
describe('authorizer all auth types allowed', () => {
before(done => {
Q.ninvoke(fixture, 'stop')
.then(() => Q.ninvoke(fixture, 'start', {}))
.done(done);
})
it('auth headers are supported', function (done){ it('auth headers are supported', function (done){
var socket = io.connect('http://localhost:9000', { var socket = io.connect('http://localhost:9000', {
'forceNew':true, 'forceNew':true,
@ -64,6 +102,7 @@ describe('authorizer', () => {
}).on('error', done); }).on('error', done);
}); });
}); });
});
describe('unsgined token', function() { describe('unsgined token', function() {
beforeEach(function () { beforeEach(function () {
@ -85,6 +124,4 @@ describe('authorizer', () => {
}); });
}); });
}); });
});
}); });
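Review bot: The negative test `auth token in query string is disallowed` (hunk `@@ -42,6 +36,50 @@`) only registers an `error` handler, so if the server were to accept the query-string token the test would hang until the mocha timeout instead of failing with a useful message; add `socket.on('connect', function () { socket.close(); done(new Error('query-string token was accepted')); });` next to the `error` handler. In the same hunk the `before`/`after` hooks end in `.done(done)`, which forwards the fulfilment value of `fixture.start` to mocha's `done` — if that callback ever yields a non-error value the hook fails, and a rejection is thrown rather than reported; `.done(() => done(), done)` routes both cases correctly. The `after` hook that restarts the server with `{}` and the following `before` hook at `describe('authorizer all auth types allowed'` that stops and starts it again appear to do the same work twice, and the describe title also appears earlier in the file in the first hunk; one of the two can go, presumably the `after`, though the old file's layout is only partly visible here.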