update to later version of jsonwebtoken to fix security vulnerabilities - DK/BM
Changes by Root-Core: - Whitespace - Code smells - Some deps were devDeps - Little bug fixes (merge errors) - etc.
This commit is contained in:
parent
173e02bbfc
commit
f3becae0a9
98
lib/index.js
98
lib/index.js
@ -1,40 +1,41 @@
|
|||||||
var xtend = require('xtend');
|
const xtend = require('xtend');
|
||||||
var jwt = require('jsonwebtoken');
|
const jwt = require('jsonwebtoken');
|
||||||
var UnauthorizedError = require('./UnauthorizedError');
|
const UnauthorizedError = require('./UnauthorizedError');
|
||||||
|
|
||||||
function noQsMethod(options) {
|
function noQsMethod (options) {
|
||||||
var defaults = { required: true };
|
const defaults = { required: true };
|
||||||
options = xtend(defaults, options);
|
options = xtend(defaults, options);
|
||||||
|
|
||||||
return function (socket) {
|
return function (socket) {
|
||||||
var server = this.server || socket.server;
|
const server = this.server || socket.server;
|
||||||
|
|
||||||
if (!server.$emit) {
|
if (!server.$emit) {
|
||||||
//then is socket.io 1.0
|
//then is socket.io 1.0
|
||||||
var Namespace = Object.getPrototypeOf(server.sockets).constructor;
|
const Namespace = Object.getPrototypeOf(server.sockets).constructor;
|
||||||
if (!~Namespace.events.indexOf('authenticated')) {
|
if (!~Namespace.events.indexOf('authenticated')) {
|
||||||
Namespace.events.push('authenticated');
|
Namespace.events.push('authenticated');
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if(options.required){
|
|
||||||
var auth_timeout = setTimeout(function () {
|
|
||||||
socket.disconnect('unauthorized');
|
|
||||||
}, options.timeout || 5000);
|
|
||||||
}
|
|
||||||
|
|
||||||
socket.on('authenticate', function (data) {
|
socket.on('authenticate', function (data) {
|
||||||
if(options.required){
|
if (options.required) {
|
||||||
|
let auth_timeout = setTimeout(function () {
|
||||||
|
socket.disconnect('unauthorized');
|
||||||
|
}, options.timeout || 5000);
|
||||||
|
|
||||||
clearTimeout(auth_timeout);
|
clearTimeout(auth_timeout);
|
||||||
}
|
}
|
||||||
|
|
||||||
// error handler
|
// error handler
|
||||||
var onError = function(err, code) {
|
const onError = function (err, code) {
|
||||||
if (err) {
|
if (err) {
|
||||||
code = code || 'unknown';
|
code = code || 'unknown';
|
||||||
var error = new UnauthorizedError(code, {
|
|
||||||
|
const error = new UnauthorizedError(code, {
|
||||||
message: (Object.prototype.toString.call(err) === '[object Object]' && err.message) ? err.message : err
|
message: (Object.prototype.toString.call(err) === '[object Object]' && err.message) ? err.message : err
|
||||||
});
|
});
|
||||||
var callback_timeout;
|
|
||||||
|
let callback_timeout;
|
||||||
// If callback explicitely set to false, start timeout to disconnect socket
|
// If callback explicitely set to false, start timeout to disconnect socket
|
||||||
if (options.callback === false || typeof options.callback === 'number') {
|
if (options.callback === false || typeof options.callback === 'number') {
|
||||||
if (typeof options.callback === 'number') {
|
if (typeof options.callback === 'number') {
|
||||||
@ -47,6 +48,7 @@ function noQsMethod(options) {
|
|||||||
socket.disconnect('unauthorized');
|
socket.disconnect('unauthorized');
|
||||||
}, (options.callback === false ? 0 : options.callback));
|
}, (options.callback === false ? 0 : options.callback));
|
||||||
}
|
}
|
||||||
|
|
||||||
socket.emit('unauthorized', error, function() {
|
socket.emit('unauthorized', error, function() {
|
||||||
if (typeof options.callback === 'number') {
|
if (typeof options.callback === 'number') {
|
||||||
clearTimeout(callback_timeout);
|
clearTimeout(callback_timeout);
|
||||||
@ -57,30 +59,29 @@ function noQsMethod(options) {
|
|||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
|
||||||
var token = options.cookie ? socket.request.cookies[options.cookie] : (data ? data.token : undefined);
|
const token = options.cookie ? socket.request.cookies[options.cookie] : (data ? data.token : undefined);
|
||||||
|
|
||||||
if(!token || typeof token !== "string") {
|
if (!token || typeof token !== "string") {
|
||||||
return onError({message: 'invalid token datatype'}, 'invalid_token');
|
return onError({ message: 'invalid token datatype' }, 'invalid_token');
|
||||||
}
|
}
|
||||||
|
|
||||||
// Store encoded JWT
|
// Store encoded JWT
|
||||||
socket[options.encodedPropertyName] = data.token;
|
socket[options.encodedPropertyName] = token;
|
||||||
|
|
||||||
var onJwtVerificationReady = function(err, decoded) {
|
|
||||||
|
|
||||||
|
const onJwtVerificationReady = function (err, decoded) {
|
||||||
if (err) {
|
if (err) {
|
||||||
return onError(err, 'invalid_token');
|
return onError(err, 'invalid_token');
|
||||||
}
|
}
|
||||||
|
|
||||||
// success handler
|
// success handler
|
||||||
var onSuccess = function() {
|
const onSuccess = function () {
|
||||||
socket[options.decodedPropertyName] = decoded;
|
socket[options.decodedPropertyName] = decoded;
|
||||||
socket.emit('authenticated');
|
socket.emit('authenticated');
|
||||||
if (server.$emit) {
|
if (server.$emit) {
|
||||||
server.$emit('authenticated', socket);
|
server.$emit('authenticated', socket);
|
||||||
} else {
|
} else {
|
||||||
//try getting the current namespace otherwise fallback to all sockets.
|
//try getting the current namespace otherwise fallback to all sockets.
|
||||||
var namespace = (server.nsps && socket.nsp &&
|
const namespace = (server.nsps && socket.nsp &&
|
||||||
server.nsps[socket.nsp.name]) ||
|
server.nsps[socket.nsp.name]) ||
|
||||||
server.sockets;
|
server.sockets;
|
||||||
|
|
||||||
@ -89,14 +90,14 @@ function noQsMethod(options) {
|
|||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
|
||||||
if(options.additional_auth && typeof options.additional_auth === 'function') {
|
if (options.additional_auth && typeof options.additional_auth === 'function') {
|
||||||
options.additional_auth(decoded, onSuccess, onError);
|
options.additional_auth(decoded, onSuccess, onError);
|
||||||
} else {
|
} else {
|
||||||
onSuccess();
|
onSuccess();
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
|
||||||
var onSecretReady = function(err, secret) {
|
const onSecretReady = function (err, secret) {
|
||||||
if (err || !secret) {
|
if (err || !secret) {
|
||||||
return onError(err, 'invalid_secret');
|
return onError(err, 'invalid_secret');
|
||||||
}
|
}
|
||||||
@ -109,22 +110,22 @@ function noQsMethod(options) {
|
|||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
||||||
function authorize(options, onConnection) {
|
function authorize (options, onConnection) {
|
||||||
options = xtend({ decodedPropertyName: 'decoded_token', encodedPropertyName: 'encoded_token' }, options);
|
options = xtend({ decodedPropertyName: 'decoded_token', encodedPropertyName: 'encoded_token' }, options);
|
||||||
|
|
||||||
if (!options.handshake) {
|
if (!options.handshake) {
|
||||||
return noQsMethod(options);
|
return noQsMethod(options);
|
||||||
}
|
}
|
||||||
|
|
||||||
var defaults = {
|
const defaults = {
|
||||||
success: function(socket, accept){
|
success: function (socket, accept) {
|
||||||
if (socket.request) {
|
if (socket.request) {
|
||||||
accept();
|
accept();
|
||||||
} else {
|
} else {
|
||||||
accept(null, true);
|
accept(null, true);
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
fail: function(error, socket, accept){
|
fail: function (error, socket, accept) {
|
||||||
if (socket.request) {
|
if (socket.request) {
|
||||||
accept(error);
|
accept(error);
|
||||||
} else {
|
} else {
|
||||||
@ -133,19 +134,19 @@ function authorize(options, onConnection) {
|
|||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
|
||||||
var auth = xtend(defaults, options);
|
const auth = xtend(defaults, options);
|
||||||
|
|
||||||
return function(socket, accept){
|
return function (socket, accept) {
|
||||||
var token, error;
|
let token, error;
|
||||||
var handshake = data.handshake;
|
const handshake = socket.handshake;
|
||||||
var req = socket.request || socket;
|
const req = socket.request || socket;
|
||||||
var authorization_header = (req.headers || {}).authorization;
|
const authorization_header = (req.headers || {}).authorization;
|
||||||
|
|
||||||
if (authorization_header) {
|
if (authorization_header) {
|
||||||
var parts = authorization_header.split(' ');
|
const parts = authorization_header.split(' ');
|
||||||
if (parts.length == 2) {
|
if (parts.length == 2) {
|
||||||
var scheme = parts[0],
|
const scheme = parts[0],
|
||||||
credentials = parts[1];
|
credentials = parts[1];
|
||||||
|
|
||||||
if (scheme.toLowerCase() === 'bearer') {
|
if (scheme.toLowerCase() === 'bearer') {
|
||||||
token = credentials;
|
token = credentials;
|
||||||
@ -166,7 +167,7 @@ function authorize(options, onConnection) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Get the token from handshake or query string
|
// Get the token from handshake or query string
|
||||||
if (handshake && handshake.query.token){
|
if (handshake && handshake.query.token) {
|
||||||
token = handshake.query.token;
|
token = handshake.query.token;
|
||||||
}
|
}
|
||||||
else if (req._query && req._query.token) {
|
else if (req._query && req._query.token) {
|
||||||
@ -186,8 +187,7 @@ function authorize(options, onConnection) {
|
|||||||
// Store encoded JWT
|
// Store encoded JWT
|
||||||
socket[options.encodedPropertyName] = token;
|
socket[options.encodedPropertyName] = token;
|
||||||
|
|
||||||
var onJwtVerificationReady = function(err, decoded) {
|
const onJwtVerificationReady = function (err, decoded) {
|
||||||
|
|
||||||
if (err) {
|
if (err) {
|
||||||
error = new UnauthorizedError(err.code || 'invalid_token', err);
|
error = new UnauthorizedError(err.code || 'invalid_token', err);
|
||||||
return auth.fail(error, socket, accept);
|
return auth.fail(error, socket, accept);
|
||||||
@ -198,7 +198,7 @@ function authorize(options, onConnection) {
|
|||||||
return auth.success(socket, accept);
|
return auth.success(socket, accept);
|
||||||
};
|
};
|
||||||
|
|
||||||
var onSecretReady = function(err, secret) {
|
const onSecretReady = function (err, secret) {
|
||||||
if (err) {
|
if (err) {
|
||||||
error = new UnauthorizedError(err.code || 'invalid_secret', err);
|
error = new UnauthorizedError(err.code || 'invalid_secret', err);
|
||||||
return auth.fail(error, socket, accept);
|
return auth.fail(error, socket, accept);
|
||||||
@ -211,13 +211,13 @@ function authorize(options, onConnection) {
|
|||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
||||||
function getSecret(request, secret, token, callback) {
|
function getSecret (request, secret, token, callback) {
|
||||||
if (typeof secret === 'function') {
|
if (typeof secret === 'function') {
|
||||||
if (!token) {
|
if (!token) {
|
||||||
return callback({ code: 'invalid_token', message: 'jwt must be provided' });
|
return callback({ code: 'invalid_token', message: 'jwt must be provided' });
|
||||||
}
|
}
|
||||||
|
|
||||||
var parts = token.split('.');
|
const parts = token.split('.');
|
||||||
|
|
||||||
if (parts.length < 3) {
|
if (parts.length < 3) {
|
||||||
return callback({ code: 'invalid_token', message: 'jwt malformed' });
|
return callback({ code: 'invalid_token', message: 'jwt malformed' });
|
||||||
@ -227,7 +227,7 @@ function getSecret(request, secret, token, callback) {
|
|||||||
return callback({ code: 'invalid_token', message: 'jwt signature is required' });
|
return callback({ code: 'invalid_token', message: 'jwt signature is required' });
|
||||||
}
|
}
|
||||||
|
|
||||||
var decodedToken = jwt.decode(token);
|
let decodedToken = jwt.decode(token);
|
||||||
|
|
||||||
if (!decodedToken) {
|
if (!decodedToken) {
|
||||||
return callback({ code: 'invalid_token', message: 'jwt malformed' });
|
return callback({ code: 'invalid_token', message: 'jwt malformed' });
|
||||||
|
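Review bot: In the new `socket.on('authenticate', …)` handler of the first hunk (`@ -1,40 +1,41 @@`), the `if (options.required)` block now creates the disconnect timer with `let auth_timeout = setTimeout(…)` and then calls `clearTimeout(auth_timeout)` a few lines later in the same block, so the timer never fires. The removed lines started that timer when the socket connected, which is what disconnected clients that never send an `authenticate` event; after this change a client can connect and stay attached indefinitely without presenting a token, and `options.timeout` has no effect. The timer should be armed in the connection handler again and only cleared from the `authenticate` handler, with the handle declared in the outer closure so both can see it (a block-scoped `let` inside the `if` would not be visible to the handler). `noQsMethod` continues past this hunk.
```javascript
  return function (socket) {
    // … unchanged: server / Namespace setup …

    let auth_timeout = null;
    if (options.required) {
      auth_timeout = setTimeout(function () {
        socket.disconnect('unauthorized');
      }, options.timeout || 5000);
    }

    socket.on('authenticate', function (data) {
      if (auth_timeout !== null) {
        clearTimeout(auth_timeout);
      }
      // … unchanged: onError, token lookup, verification …
```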
@ -23,6 +23,8 @@
|
|||||||
},
|
},
|
||||||
"license": "MIT",
|
"license": "MIT",
|
||||||
"dependencies": {
|
"dependencies": {
|
||||||
|
"jsonwebtoken": "^8.3.0",
|
||||||
|
"xtend": "~2.1.2"
|
||||||
},
|
},
|
||||||
"devDependencies": {
|
"devDependencies": {
|
||||||
"@types/socket.io": "~1.4.29",
|
"@types/socket.io": "~1.4.29",
|
||||||
@ -30,10 +32,8 @@
|
|||||||
"express": "~4.15.2",
|
"express": "~4.15.2",
|
||||||
"mocha": "~3.2.0",
|
"mocha": "~3.2.0",
|
||||||
"request": "~2.81.0",
|
"request": "~2.81.0",
|
||||||
"serve-static": "^1.12.1",
|
"serve-static": "^1.13.2",
|
||||||
"jsonwebtoken": "^8.3.0",
|
"q": "^1.5.1",
|
||||||
"xtend": "~2.1.2",
|
|
||||||
"q": "^1.4.1",
|
|
||||||
"server-destroy": "~1.0.1",
|
"server-destroy": "~1.0.1",
|
||||||
"should": "~11.2.1",
|
"should": "~11.2.1",
|
||||||
"socket.io": "^1.7.3",
|
"socket.io": "^1.7.3",
|
||||||
|