added ability to enforce only header authorization versus query string authorization - DK/MW
This commit is contained in:
parent
2d390e66e6
commit
ef0983a702
@ -158,7 +158,14 @@ function authorize(options, onConnection) {
|
||||
}
|
||||
}
|
||||
|
||||
//get the token from handshake or query string
|
||||
// Check if the header has to include authentication
|
||||
if (options.auth_header_required && !token) {
|
||||
return auth.fail(new UnauthorizedError('missing_authorization_header', {
|
||||
message: 'Server requires Authorization Header'
|
||||
}), data, accept);
|
||||
}
|
||||
|
||||
// Get the token from handshake or query string
|
||||
if (handshake && handshake.query.token){
|
||||
token = handshake.query.token;
|
||||
}
|
||||
|
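Review bot: With `auth_header_required` set, a request that carries any non-empty Authorization header plus a `token` query parameter still has the query value win, because the guard at `if (options.auth_header_required && !token)` only rejects an empty token and the assignment `token = handshake.query.token;` below it runs unconditionally. So the option only demands that a header be present; it does not stop a token arriving via the query string, which is the thing the commit title says it enforces. Guard the fallback as well, e.g. `if (!options.auth_header_required && handshake && handshake.query.token) {`, so that under this option the header is the only source consulted. The code that populates `token` from the header sits above this hunk, so I am assuming it leaves `token` unset when no header is present.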
@ -33,6 +33,7 @@
|
||||
"serve-static": "^1.12.1",
|
||||
"jsonwebtoken": "^8.3.0",
|
||||
"xtend": "~2.1.2",
|
||||
"q": "^1.4.1",
|
||||
"server-destroy": "~1.0.1",
|
||||
"should": "~11.2.1",
|
||||
"socket.io": "^1.7.3",
|
||||
|
@ -1,19 +1,14 @@
|
||||
var Q = require('q');
|
||||
var fixture = require('./fixture');
|
||||
var request = require('request');
|
||||
var io = require('socket.io-client');
|
||||
|
||||
describe('authorizer', () => {
|
||||
|
||||
describe('authorizer all auth types allowed', () => {
|
||||
|
||||
//start and stop the server
|
||||
before(done => {
|
||||
fixture.start({ }, done)
|
||||
});
|
||||
before(done => { fixture.start({ }, done) });
|
||||
after(fixture.stop);
|
||||
|
||||
describe('when the user is not logged in', function () {
|
||||
|
||||
it('should emit error with unauthorized handshake', function (done){
|
||||
var socket = io.connect('http://localhost:9000?token=boooooo', {
|
||||
'forceNew': true
|
||||
@ -30,7 +25,6 @@ describe('authorizer', () => {
|
||||
});
|
||||
|
||||
describe('when the user is logged in', function() {
|
||||
|
||||
before(function (done) {
|
||||
request.post({
|
||||
url: 'http://localhost:9000/login',
|
||||
@ -42,6 +36,50 @@ describe('authorizer', () => {
|
||||
}.bind(this));
|
||||
});
|
||||
|
||||
describe('authorizer disallows query string token when specified in startup options', () => {
|
||||
before(done => {
|
||||
Q.ninvoke(fixture, 'stop')
|
||||
.then(() => Q.ninvoke(fixture, 'start', { auth_header_required: true }))
|
||||
.done(done);
|
||||
})
|
||||
after(done => {
|
||||
Q.ninvoke(fixture, 'stop')
|
||||
.then(() => Q.ninvoke(fixture, 'start', { }))
|
||||
.done(done);
|
||||
})
|
||||
|
||||
it('auth headers are supported', function (done){
|
||||
var socket = io.connect('http://localhost:9000', {
|
||||
'forceNew':true,
|
||||
'extraHeaders': {'Authorization': `Bearer ${this.token}`}
|
||||
});
|
||||
socket.on('connect', function(){
|
||||
socket.close();
|
||||
done();
|
||||
}).on('error', done);
|
||||
});
|
||||
|
||||
it('auth token in query string is disallowed', function (done){
|
||||
var socket = io.connect('http://localhost:9000', {
|
||||
'forceNew':true,
|
||||
'query': 'token=' + this.token
|
||||
});
|
||||
socket.on('error', function(err){
|
||||
err.message.should.eql("Server requires Authorization Header");
|
||||
err.code.should.eql("missing_authorization_header");
|
||||
socket.close();
|
||||
done();
|
||||
});
|
||||
});
|
||||
})
|
||||
|
||||
describe('authorizer all auth types allowed', () => {
|
||||
before(done => {
|
||||
Q.ninvoke(fixture, 'stop')
|
||||
.then(() => Q.ninvoke(fixture, 'start', {}))
|
||||
.done(done);
|
||||
})
|
||||
|
||||
it('auth headers are supported', function (done){
|
||||
var socket = io.connect('http://localhost:9000', {
|
||||
'forceNew':true,
|
||||
@ -64,6 +102,7 @@ describe('authorizer', () => {
|
||||
}).on('error', done);
|
||||
});
|
||||
});
|
||||
});
|
||||
|
||||
describe('unsgined token', function() {
|
||||
beforeEach(function () {
|
||||
@ -85,6 +124,4 @@ describe('authorizer', () => {
|
||||
});
|
||||
});
|
||||
});
|
||||
|
||||
});
|
||||
});
|
||||
|
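Review bot: The new `it('auth token in query string is disallowed')` case only subscribes to `'error'`, so if the server wrongly accepts the query-string token the test never calls `done` and fails only by mocha timeout with no indication of why; add an explicit failure path such as `socket.on('connect', () => { socket.close(); done(new Error('query-string token was accepted')); })`. The suite also has no case that sends both an Authorization header and a `token` query parameter under `auth_header_required`, which is the combination most likely to regress given that the query extraction in authorize.js runs after the header check. The `before`/`after` hooks that restart the fixture via `Q.ninvoke(fixture, 'stop')` look fine, but note the enclosing `describe('authorizer', …)` opens and closes outside the reviewed hunk.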