update to later version of jsonwebtoken to fix security vulnerabilities - DK/BM

Changes by Root-Core:
- Whitespaces
- Code-Smells
- Some runtime dependencies were wrongly listed as devDependencies
- Little bug fixes (merge errors)
- etc..
Andrew Kutta 2019-01-31 11:09:41 -06:00 committed by Fabian Arndt
parent 173e02bbfc
commit f3becae0a9
2 changed files with 53 additions and 53 deletions


@ -1,40 +1,41 @@
var xtend = require('xtend'); const xtend = require('xtend');
var jwt = require('jsonwebtoken'); const jwt = require('jsonwebtoken');
var UnauthorizedError = require('./UnauthorizedError'); const UnauthorizedError = require('./UnauthorizedError');
function noQsMethod(options) { function noQsMethod (options) {
var defaults = { required: true }; const defaults = { required: true };
options = xtend(defaults, options); options = xtend(defaults, options);
return function (socket) { return function (socket) {
var server = this.server || socket.server; const server = this.server || socket.server;
if (!server.$emit) { if (!server.$emit) {
//then is socket.io 1.0 //then is socket.io 1.0
var Namespace = Object.getPrototypeOf(server.sockets).constructor; const Namespace = Object.getPrototypeOf(server.sockets).constructor;
if (!~Namespace.events.indexOf('authenticated')) { if (!~Namespace.events.indexOf('authenticated')) {
Namespace.events.push('authenticated'); Namespace.events.push('authenticated');
} }
} }
if(options.required){
var auth_timeout = setTimeout(function () {
socket.disconnect('unauthorized');
}, options.timeout || 5000);
}
socket.on('authenticate', function (data) { socket.on('authenticate', function (data) {
if(options.required){ if (options.required) {
let auth_timeout = setTimeout(function () {
socket.disconnect('unauthorized');
}, options.timeout || 5000);
clearTimeout(auth_timeout); clearTimeout(auth_timeout);
} }
// error handler // error handler
var onError = function(err, code) { const onError = function (err, code) {
if (err) { if (err) {
code = code || 'unknown'; code = code || 'unknown';
var error = new UnauthorizedError(code, {
const error = new UnauthorizedError(code, {
message: (Object.prototype.toString.call(err) === '[object Object]' && err.message) ? err.message : err message: (Object.prototype.toString.call(err) === '[object Object]' && err.message) ? err.message : err
}); });
var callback_timeout;
let callback_timeout;
// If callback explicitely set to false, start timeout to disconnect socket // If callback explicitely set to false, start timeout to disconnect socket
if (options.callback === false || typeof options.callback === 'number') { if (options.callback === false || typeof options.callback === 'number') {
if (typeof options.callback === 'number') { if (typeof options.callback === 'number') {
@ -47,6 +48,7 @@ function noQsMethod(options) {
socket.disconnect('unauthorized'); socket.disconnect('unauthorized');
}, (options.callback === false ? 0 : options.callback)); }, (options.callback === false ? 0 : options.callback));
} }
socket.emit('unauthorized', error, function() { socket.emit('unauthorized', error, function() {
if (typeof options.callback === 'number') { if (typeof options.callback === 'number') {
clearTimeout(callback_timeout); clearTimeout(callback_timeout);
@ -57,30 +59,29 @@ function noQsMethod(options) {
} }
}; };
var token = options.cookie ? socket.request.cookies[options.cookie] : (data ? data.token : undefined); const token = options.cookie ? socket.request.cookies[options.cookie] : (data ? data.token : undefined);
if(!token || typeof token !== "string") { if (!token || typeof token !== "string") {
return onError({message: 'invalid token datatype'}, 'invalid_token'); return onError({ message: 'invalid token datatype' }, 'invalid_token');
} }
// Store encoded JWT // Store encoded JWT
socket[options.encodedPropertyName] = data.token; socket[options.encodedPropertyName] = token;
var onJwtVerificationReady = function(err, decoded) {
const onJwtVerificationReady = function (err, decoded) {
if (err) { if (err) {
return onError(err, 'invalid_token'); return onError(err, 'invalid_token');
} }
// success handler // success handler
var onSuccess = function() { const onSuccess = function () {
socket[options.decodedPropertyName] = decoded; socket[options.decodedPropertyName] = decoded;
socket.emit('authenticated'); socket.emit('authenticated');
if (server.$emit) { if (server.$emit) {
server.$emit('authenticated', socket); server.$emit('authenticated', socket);
} else { } else {
//try getting the current namespace otherwise fallback to all sockets. //try getting the current namespace otherwise fallback to all sockets.
var namespace = (server.nsps && socket.nsp && const namespace = (server.nsps && socket.nsp &&
server.nsps[socket.nsp.name]) || server.nsps[socket.nsp.name]) ||
server.sockets; server.sockets;
@ -89,14 +90,14 @@ function noQsMethod(options) {
} }
}; };
if(options.additional_auth && typeof options.additional_auth === 'function') { if (options.additional_auth && typeof options.additional_auth === 'function') {
options.additional_auth(decoded, onSuccess, onError); options.additional_auth(decoded, onSuccess, onError);
} else { } else {
onSuccess(); onSuccess();
} }
}; };
var onSecretReady = function(err, secret) { const onSecretReady = function (err, secret) {
if (err || !secret) { if (err || !secret) {
return onError(err, 'invalid_secret'); return onError(err, 'invalid_secret');
} }
@ -109,22 +110,22 @@ function noQsMethod(options) {
}; };
} }
function authorize(options, onConnection) { function authorize (options, onConnection) {
options = xtend({ decodedPropertyName: 'decoded_token', encodedPropertyName: 'encoded_token' }, options); options = xtend({ decodedPropertyName: 'decoded_token', encodedPropertyName: 'encoded_token' }, options);
if (!options.handshake) { if (!options.handshake) {
return noQsMethod(options); return noQsMethod(options);
} }
var defaults = { const defaults = {
success: function(socket, accept){ success: function (socket, accept) {
if (socket.request) { if (socket.request) {
accept(); accept();
} else { } else {
accept(null, true); accept(null, true);
} }
}, },
fail: function(error, socket, accept){ fail: function (error, socket, accept) {
if (socket.request) { if (socket.request) {
accept(error); accept(error);
} else { } else {
@ -133,19 +134,19 @@ function authorize(options, onConnection) {
} }
}; };
var auth = xtend(defaults, options); const auth = xtend(defaults, options);
return function(socket, accept){ return function (socket, accept) {
var token, error; let token, error;
var handshake = data.handshake; const handshake = socket.handshake;
var req = socket.request || socket; const req = socket.request || socket;
var authorization_header = (req.headers || {}).authorization; const authorization_header = (req.headers || {}).authorization;
if (authorization_header) { if (authorization_header) {
var parts = authorization_header.split(' '); const parts = authorization_header.split(' ');
if (parts.length == 2) { if (parts.length == 2) {
var scheme = parts[0], const scheme = parts[0],
credentials = parts[1]; credentials = parts[1];
if (scheme.toLowerCase() === 'bearer') { if (scheme.toLowerCase() === 'bearer') {
token = credentials; token = credentials;
@ -166,7 +167,7 @@ function authorize(options, onConnection) {
} }
// Get the token from handshake or query string // Get the token from handshake or query string
if (handshake && handshake.query.token){ if (handshake && handshake.query.token) {
token = handshake.query.token; token = handshake.query.token;
} }
else if (req._query && req._query.token) { else if (req._query && req._query.token) {
@ -186,8 +187,7 @@ function authorize(options, onConnection) {
// Store encoded JWT // Store encoded JWT
socket[options.encodedPropertyName] = token; socket[options.encodedPropertyName] = token;
var onJwtVerificationReady = function(err, decoded) { const onJwtVerificationReady = function (err, decoded) {
if (err) { if (err) {
error = new UnauthorizedError(err.code || 'invalid_token', err); error = new UnauthorizedError(err.code || 'invalid_token', err);
return auth.fail(error, socket, accept); return auth.fail(error, socket, accept);
@ -198,7 +198,7 @@ function authorize(options, onConnection) {
return auth.success(socket, accept); return auth.success(socket, accept);
}; };
var onSecretReady = function(err, secret) { const onSecretReady = function (err, secret) {
if (err) { if (err) {
error = new UnauthorizedError(err.code || 'invalid_secret', err); error = new UnauthorizedError(err.code || 'invalid_secret', err);
return auth.fail(error, socket, accept); return auth.fail(error, socket, accept);
@ -211,13 +211,13 @@ function authorize(options, onConnection) {
}; };
} }
function getSecret(request, secret, token, callback) { function getSecret (request, secret, token, callback) {
if (typeof secret === 'function') { if (typeof secret === 'function') {
if (!token) { if (!token) {
return callback({ code: 'invalid_token', message: 'jwt must be provided' }); return callback({ code: 'invalid_token', message: 'jwt must be provided' });
} }
var parts = token.split('.'); const parts = token.split('.');
if (parts.length < 3) { if (parts.length < 3) {
return callback({ code: 'invalid_token', message: 'jwt malformed' }); return callback({ code: 'invalid_token', message: 'jwt malformed' });
@ -227,7 +227,7 @@ function getSecret(request, secret, token, callback) {
return callback({ code: 'invalid_token', message: 'jwt signature is required' }); return callback({ code: 'invalid_token', message: 'jwt signature is required' });
} }
var decodedToken = jwt.decode(token); let decodedToken = jwt.decode(token);
if (!decodedToken) { if (!decodedToken) {
return callback({ code: 'invalid_token', message: 'jwt malformed' }); return callback({ code: 'invalid_token', message: 'jwt malformed' });
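Review bot: The `options.required` disconnect timer is effectively disabled in the first hunk: on the new side the `setTimeout(... socket.disconnect('unauthorized') ...)` now lives inside the `'authenticate'` handler and is followed immediately by `clearTimeout(auth_timeout)`, so the timer is armed and cancelled in the same tick and a client that connects but never emits `'authenticate'` is never disconnected, whereas the old side armed it at connection time and only cleared it when the client authenticated. This looks like the merge error the description mentions rather than an intended change, and it turns `required: true` into a no-op for idle unauthenticated sockets. The timer should be armed outside the handler again and only cleared inside it, as sketched below; `noQsMethod`'s body continues past this hunk, and the page also seems to have dropped blank lines, so the exact surrounding lines should be checked in the file. While touching this, `options.timeout || 5000` treats `timeout: 0` as "use 5000"; if a zero timeout is not meaningful here a comment saying so, e.g. `// timeout 0 falls back to the 5s default`, would avoid a later "fix" to `??`.
```javascript
return function (socket) {
  // … unchanged: server lookup and 'authenticated' event registration …
  let auth_timeout;
  if (options.required) {
    // Disconnect sockets that never authenticate; cleared on 'authenticate'.
    auth_timeout = setTimeout(function () {
      socket.disconnect('unauthorized');
    }, options.timeout || 5000);
  }
  socket.on('authenticate', function (data) {
    if (options.required) {
      clearTimeout(auth_timeout);
    }
    // … unchanged: error handler, token extraction and verification …
```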


@ -23,6 +23,8 @@
}, },
"license": "MIT", "license": "MIT",
"dependencies": { "dependencies": {
"jsonwebtoken": "^8.3.0",
"xtend": "~2.1.2"
}, },
"devDependencies": { "devDependencies": {
"@types/socket.io": "~1.4.29", "@types/socket.io": "~1.4.29",
@ -30,10 +32,8 @@
"express": "~4.15.2", "express": "~4.15.2",
"mocha": "~3.2.0", "mocha": "~3.2.0",
"request": "~2.81.0", "request": "~2.81.0",
"serve-static": "^1.12.1", "serve-static": "^1.13.2",
"jsonwebtoken": "^8.3.0", "q": "^1.5.1",
"xtend": "~2.1.2",
"q": "^1.4.1",
"server-destroy": "~1.0.1", "server-destroy": "~1.0.1",
"should": "~11.2.1", "should": "~11.2.1",
"socket.io": "^1.7.3", "socket.io": "^1.7.3",