fix: safer isUnauthorizedError type guard

fix: bump jsonwebtoken to v9.0.0
fixes #342 It introduces several security fixes to follow best practices.
2023-04-02 23:04:41 +02:00 · 2023-01-10 20:57:23 +01:00 · 2022-09-09 12:10:12 +02:00 · 2022-09-09 11:41:42 +02:00 · 2022-09-09 11:39:27 +02:00 · 2022-07-25 12:52:11 +02:00
24 changed files with 8832 additions and 16403 deletions
--- a/.eslintrc.json
+++ b/.eslintrc.json
@ -1,22 +1,14 @@
 {
-  "extends": ["standard-with-typescript", "prettier"],
+  "extends": ["conventions", "prettier"],
-  "plugins": ["unicorn", "import", "prettier"],
+  "plugins": ["prettier", "import", "unicorn"],
  "parserOptions": {
    "project": "./tsconfig.json"
  },
  "env": {
-    "node": true,
+    "node": true
    "jest": true
  },
  "rules": {
    "prettier/prettier": "error",
    "import/order": [
      "error",
      {
        "groups": ["builtin", "external", "internal"],
        "newlines-between": "always"
      }
    ],
    "import/extensions": ["error", "always"],
    "unicorn/prefer-node-protocol": "error"
  }
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -2,7 +2,7 @@ name: 'Build'
 on:
  push:
-    branches: [master, develop]
+    branches: [develop]
  pull_request:
    branches: [master, develop]
@ -10,10 +10,10 @@ jobs:
  build:
    runs-on: 'ubuntu-latest'
    steps:
-      - uses: 'actions/checkout@v2'
+      - uses: 'actions/checkout@v3.5.0'
      - name: 'Use Node.js'
-        uses: 'actions/setup-node@v2.5.1'
+        uses: 'actions/setup-node@v3.6.0'
        with:
          node-version: 'lts/*'
          cache: 'npm'
@ -21,5 +21,7 @@ jobs:
      - name: 'Install'
        run: 'npm install'
-      - name: 'Build Package'
+      - name: 'Build'
        run: 'npm run build'
      - run: 'npm run build:typescript'
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@ -2,7 +2,7 @@ name: 'Lint'
 on:
  push:
-    branches: [master, develop]
+    branches: [develop]
  pull_request:
    branches: [master, develop]
@ -10,10 +10,10 @@ jobs:
  lint:
    runs-on: 'ubuntu-latest'
    steps:
-      - uses: 'actions/checkout@v2'
+      - uses: 'actions/checkout@v3.5.0'
      - name: 'Use Node.js'
-        uses: 'actions/setup-node@v2.5.1'
+        uses: 'actions/setup-node@v3.6.0'
        with:
          node-version: 'lts/*'
          cache: 'npm'
@ -24,5 +24,5 @@ jobs:
      - run: 'npm run lint:commit -- --to "${{ github.sha }}"'
      - run: 'npm run lint:editorconfig'
      - run: 'npm run lint:markdown'
-      - run: 'npm run lint:typescript'
+      - run: 'npm run lint:eslint'
      - run: 'npm run lint:prettier'
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -8,10 +8,10 @@ jobs:
  release:
    runs-on: 'ubuntu-latest'
    steps:
-      - uses: 'actions/checkout@v2'
+      - uses: 'actions/checkout@v3.5.0'
      - name: 'Use Node.js'
-        uses: 'actions/setup-node@v2.5.1'
+        uses: 'actions/setup-node@v3.6.0'
        with:
          node-version: 'lts/*'
          cache: 'npm'
@ -22,6 +22,8 @@ jobs:
      - name: 'Build Package'
        run: 'npm run build'
      - run: 'npm run build:typescript'
      - name: 'Release'
        run: 'npm run release'
        env:
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@ -2,7 +2,7 @@ name: 'Test'
 on:
  push:
-    branches: [master, develop]
+    branches: [develop]
  pull_request:
    branches: [master, develop]
@ -10,10 +10,10 @@ jobs:
  test:
    runs-on: 'ubuntu-latest'
    steps:
-      - uses: 'actions/checkout@v2'
+      - uses: 'actions/checkout@v3.5.0'
      - name: 'Use Node.js'
-        uses: 'actions/setup-node@v2.5.1'
+        uses: 'actions/setup-node@v3.6.0'
        with:
          node-version: 'lts/*'
          cache: 'npm'
@ -21,8 +21,8 @@ jobs:
      - name: 'Install'
        run: 'npm install'
      - name: 'Build'
        run: 'npm run build'
      - name: 'Test'
        run: 'npm run test'
      - name: 'Upload Coverage'
        uses: 'codecov/codecov-action@v2.1.0'
--- a/.gitignore
+++ b/.gitignore
@ -10,6 +10,7 @@ build
 # testing
 coverage
 .nyc_output
 # debug
 npm-debug.log*
--- a/.husky/pre-commit
+++ b/.husky/pre-commit
@ -3,3 +3,4 @@
 npm run lint:staged
 npm run build
 npm run build:typescript
--- a/.lintstagedrc.json
+++ b/.lintstagedrc.json
@ -1,10 +1,6 @@
 {
  "*": ["editorconfig-checker"],
-  "*.{js,jsx,ts,tsx}": [
+  "*.{js,jsx,ts,tsx}": ["prettier --write", "eslint --fix"],
    "prettier --write",
    "eslint --fix",
    "jest --findRelatedTests"
  ],
  "*.{json,jsonc,yml,yaml}": ["prettier --write"],
-  "*.{md}": ["prettier --write", "markdownlint --dot --fix"]
+  "*.{md,mdx}": ["prettier --write", "markdownlint-cli2 --fix"]
 }
--- a/.markdownlint-cli2.jsonc
+++ b/.markdownlint-cli2.jsonc
@ -0,0 +1,5 @@
 {
  "globs": ["**/*.{md,mdx}"],
  "ignores": ["**/node_modules"],
  "customRules": ["markdownlint-rule-relative-links"]
 }
--- a/.markdownlint.json
+++ b/.markdownlint.json
@ -1,7 +1,7 @@
 {
  "default": true,
-  "MD013": false,
+  "relative-links": true,
-  "MD024": false,
+  "extends": "markdownlint/style/prettier",
  "MD033": false,
  "MD041": false
 }
--- a/.nycrc.json
+++ b/.nycrc.json
@ -0,0 +1,5 @@
 {
  "reporter": ["text", "cobertura"],
  "src": "./build",
  "all": true
 }
--- a/.swcrc
+++ b/.swcrc
@ -2,21 +2,11 @@
  "jsc": {
    "parser": {
      "syntax": "typescript",
      "decorators": true,
      "dynamicImport": true
    },
-    "transform": {
+    "target": "es2022"
      "legacyDecorator": true,
      "decoratorMetadata": true
    },
    "target": "es2022",
    "loose": true
  },
  "module": {
-    "type": "commonjs",
+    "type": "es6"
    "strict": false,
    "strictMode": true,
    "lazy": false,
    "noInterop": false
  }
 }
--- a/.taprc
+++ b/.taprc
@ -0,0 +1,9 @@
 ts: false
 jsx: false
 flow: false
 check-coverage: false
 coverage: false
 timeout: 10000
 files:
  - 'build/**/*.test.js'
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@ -6,5 +6,6 @@
  "editor.formatOnSave": true,
  "editor.codeActionsOnSave": {
    "source.fixAll": true
-  }
+  },
  "eslint.options": { "ignorePath": ".gitignore" }
 }
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -21,7 +21,7 @@ All work on **Thream** happens directly on [GitHub](https://github.com/Thream).
 - **Please first discuss** the change you wish to make via [issue](https://github.com/Thream/socketio-jwt/issues) before making a change. It might avoid a waste of your time.
- Ensure your code respect `eslint` and `prettier`.
+- Ensure your code respect linting.
 - Make sure your **code passes the tests**.
--- a/README.md
+++ b/README.md
@ -12,7 +12,6 @@
  <a href="https://github.com/Thream/socketio-jwt/actions/workflows/build.yml"><img src="https://github.com/Thream/socketio-jwt/actions/workflows/build.yml/badge.svg?branch=develop" /></a>
  <a href="https://github.com/Thream/socketio-jwt/actions/workflows/lint.yml"><img src="https://github.com/Thream/socketio-jwt/actions/workflows/lint.yml/badge.svg?branch=develop" /></a>
  <a href="https://github.com/Thream/socketio-jwt/actions/workflows/test.yml"><img src="https://github.com/Thream/socketio-jwt/actions/workflows/test.yml/badge.svg?branch=develop" /></a>
  <a href="https://codecov.io/gh/Thream/socketio-jwt"><img src="https://codecov.io/gh/Thream/socketio-jwt/branch/develop/graph/badge.svg" alt="codecov" /></a>
  <br />
  <a href="https://conventionalcommits.org"><img src="https://img.shields.io/badge/Conventional%20Commits-1.0.0-yellow.svg" alt="Conventional Commits" /></a>
  <a href="https://github.com/semantic-release/semantic-release"><img src="https://img.shields.io/badge/%20%20%F0%9F%93%A6%F0%9F%9A%80-semantic--release-e10079.svg" alt="semantic-release" /></a>
@ -27,6 +26,10 @@ Compatible with `socket.io >= 3.0.0`.
 This repository was originally forked from [auth0-socketio-jwt](https://github.com/auth0-community/auth0-socketio-jwt) & it is not intended to take any credit but to improve the code from now on.
 ## Prerequisites
 - [Node.js](https://nodejs.org/) >= 16.0.0
 ## 💾 Install
 **Note:** It is a package that is recommended to use/install on both the client and server sides.
@ -129,7 +132,7 @@ io.on('connection', async (socket) => {
 ```ts
 import { io } from 'socket.io-client'
-import { isUnauthorizedError } from '@thream/socketio-jwt'
+import { isUnauthorizedError } from '@thream/socketio-jwt/build/UnauthorizedError.js'
 // Require Bearer Token
 const socket = io('http://localhost:9000', {
--- a/jest.config.json
+++ b/jest.config.json
@ -1,10 +0,0 @@
 {
  "testEnvironment": "node",
  "resolver": "jest-ts-webcompat-resolver",
  "transform": {
    "^.+\\.(t|j)sx?$": ["@swc/jest"]
  },
  "rootDir": "./src",
  "collectCoverage": true,
  "coverageDirectory": "../coverage/"
 }
--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@ -1,6 +1,7 @@
 {
  "name": "@thream/socketio-jwt",
  "version": "0.0.0-development",
  "type": "module",
  "public": true,
  "description": "Authenticate socket.io incoming connections with JWTs.",
  "license": "MIT",
@ -10,7 +11,7 @@
    "build"
  ],
  "engines": {
-    "node": ">=12.0.0"
+    "node": ">=16.0.0"
  },
  "publishConfig": {
    "access": "public"
@ -30,14 +31,16 @@
  },
  "homepage": "https://github.com/Thream/socketio-jwt#readme",
  "scripts": {
-    "build": "rimraf ./build && swc ./src --out-dir ./build && tsc",
+    "build": "rimraf ./build && swc ./src --out-dir ./build",
    "build:dev": "swc ./src --out-dir ./build --watch",
    "build:typescript": "tsc",
    "lint:commit": "commitlint",
    "lint:editorconfig": "editorconfig-checker",
-    "lint:markdown": "markdownlint \"**/*.md\" --dot --ignore-path \".gitignore\"",
+    "lint:markdown": "markdownlint-cli2",
-    "lint:typescript": "eslint \"**/*.{js,jsx,ts,tsx}\" --ignore-path \".gitignore\"",
+    "lint:eslint": "eslint \"**/*.{js,jsx,ts,tsx}\" --ignore-path \".gitignore\"",
    "lint:prettier": "prettier \".\" --check --ignore-path \".gitignore\"",
    "lint:staged": "lint-staged",
-    "test": "jest",
+    "test": "c8 tap",
    "release": "semantic-release",
    "postinstall": "husky install",
    "prepublishOnly": "pinst --disable",
@ -47,43 +50,41 @@
    "socket.io": ">=3.0.0"
  },
  "dependencies": {
-    "jsonwebtoken": "8.5.1"
+    "jsonwebtoken": "9.0.0"
  },
  "devDependencies": {
-    "@commitlint/cli": "16.2.1",
+    "@commitlint/cli": "17.5.1",
-    "@commitlint/config-conventional": "16.2.1",
+    "@commitlint/config-conventional": "17.4.4",
-    "@swc/cli": "0.1.55",
+    "@swc/cli": "0.1.62",
-    "@swc/core": "1.2.141",
+    "@swc/core": "1.3.44",
-    "@swc/jest": "0.2.17",
+    "@tsconfig/strictest": "2.0.0",
-    "@types/express": "4.17.13",
+    "@types/jsonwebtoken": "9.0.1",
-    "@types/jest": "27.4.0",
+    "@types/node": "18.15.11",
-    "@types/jsonwebtoken": "8.5.8",
+    "@types/tap": "15.0.8",
-    "@types/node": "17.0.18",
+    "@typescript-eslint/eslint-plugin": "5.57.0",
-    "@types/server-destroy": "1.0.1",
+    "@typescript-eslint/parser": "5.57.0",
-    "@typescript-eslint/eslint-plugin": "4.32.0",
+    "axios": "1.3.4",
-    "axios": "0.26.0",
+    "c8": "7.13.0",
-    "editorconfig-checker": "4.0.2",
+    "editorconfig-checker": "5.0.1",
-    "eslint": "7.32.0",
+    "eslint": "8.37.0",
-    "eslint-config-prettier": "8.3.0",
+    "eslint-config-conventions": "8.0.0",
-    "eslint-config-standard-with-typescript": "21.0.1",
+    "eslint-config-prettier": "8.8.0",
-    "eslint-plugin-import": "2.25.4",
+    "eslint-plugin-import": "2.27.5",
-    "eslint-plugin-node": "11.1.0",
+    "eslint-plugin-prettier": "4.2.1",
-    "eslint-plugin-prettier": "4.0.0",
+    "eslint-plugin-promise": "6.1.1",
-    "eslint-plugin-promise": "5.2.0",
+    "eslint-plugin-unicorn": "46.0.0",
-    "eslint-plugin-unicorn": "40.1.0",
+    "fastify": "4.15.0",
-    "express": "4.17.3",
+    "husky": "8.0.3",
-    "husky": "7.0.4",
+    "lint-staged": "13.2.0",
-    "jest": "27.5.1",
+    "markdownlint-cli2": "0.6.0",
-    "jest-ts-webcompat-resolver": "1.0.0",
+    "markdownlint-rule-relative-links": "1.1.2",
-    "lint-staged": "12.3.4",
+    "pinst": "3.0.0",
-    "markdownlint-cli": "0.31.1",
+    "prettier": "2.8.7",
-    "pinst": "2.1.6",
+    "rimraf": "4.4.1",
-    "rimraf": "3.0.2",
+    "semantic-release": "21.0.1",
-    "semantic-release": "19.0.2",
+    "socket.io": "4.6.1",
-    "server-destroy": "1.0.1",
+    "socket.io-client": "4.6.1",
-    "prettier": "2.5.1",
+    "tap": "16.3.4",
-    "socket.io": "4.4.1",
+    "typescript": "5.0.3"
    "socket.io-client": "4.4.1",
    "typescript": "4.5.5"
  }
 }
--- a/src/UnauthorizedError.ts
+++ b/src/UnauthorizedError.ts
@ -4,7 +4,7 @@ export class UnauthorizedError extends Error {
  constructor(code: string, error: { message: string }) {
    super(error.message)
-    this.message = error.message
+    this.name = 'UnauthorizedError'
    this.inner = error
    this.data = {
      message: this.message,
@ -15,6 +15,11 @@ export class UnauthorizedError extends Error {
  }
 }
-export const isUnauthorizedError = (error: any): error is UnauthorizedError => {
+export const isUnauthorizedError = (
-  return error.data.type === 'UnauthorizedError'
+  error: unknown
 ): error is UnauthorizedError => {
  return (
    error instanceof UnauthorizedError &&
    error.data.type === 'UnauthorizedError'
  )
 }
--- a/src/test/authorize.test.ts
+++ b/src/test/authorize.test.ts
@ -1,194 +1,205 @@
 import tap from 'tap'
 import axios from 'axios'
 import type { Socket } from 'socket.io-client'
 import { io } from 'socket.io-client'
 import { isUnauthorizedError } from '../UnauthorizedError.js'
 import type { Profile } from './fixture/index.js'
 import {
  API_URL,
  fixtureStart,
  fixtureStop,
  getSocket,
-  Profile
+  basicProfile
 } from './fixture/index.js'
-describe('authorize - with secret as string in options', () => {
+export const api = axios.create({
-  let token: string = ''
+  baseURL: API_URL,
-
+  headers: {
-  beforeEach((done) => {
+    'Content-Type': 'application/json'
    fixtureStart(async () => {
      const response = await axios.post('http://localhost:9000/login')
      token = response.data.token
    })
      .then(done)
      .catch((error) => {
        done(error)
      })
  })
  afterEach((done) => {
    fixtureStop(done)
  })
  it('should emit error with no token provided', (done) => {
    const socket = io('http://localhost:9000')
    socket.on('connect_error', (error) => {
      expect(isUnauthorizedError(error)).toBeTruthy()
      if (isUnauthorizedError(error)) {
        expect(error.data.message).toEqual('no token provided')
        expect(error.data.code).toEqual('credentials_required')
  }
      socket.close()
      done()
    })
  })
  it('should emit error with bad token format', (done) => {
    const socket = io('http://localhost:9000', {
      auth: { token: 'testing' }
    })
    socket.on('connect_error', (error) => {
      expect(isUnauthorizedError(error)).toBeTruthy()
      if (isUnauthorizedError(error)) {
        expect(error.data.message).toEqual(
          'Format is Authorization: Bearer [token]'
        )
        expect(error.data.code).toEqual('credentials_bad_format')
      }
      socket.close()
      done()
    })
  })
  it('should emit error with unauthorized handshake', (done) => {
    const socket = io('http://localhost:9000', {
      auth: { token: 'Bearer testing' }
    })
    socket.on('connect_error', (error) => {
      expect(isUnauthorizedError(error)).toBeTruthy()
      if (isUnauthorizedError(error)) {
        expect(error.data.message).toEqual(
          'Unauthorized: Token is missing or invalid Bearer'
        )
        expect(error.data.code).toEqual('invalid_token')
      }
      socket.close()
      done()
    })
  })
  it('should connect the user', (done) => {
    const socket = io('http://localhost:9000', {
      auth: { token: `Bearer ${token}` }
    })
    socket.on('connect', () => {
      socket.close()
      done()
    })
    socket.on('connect_error', (error) => {
      done(error)
    })
  })
 })
 const secretCallback = async (): Promise<string> => {
  return 'somesecret'
 }
-describe('authorize - with secret as callback in options', () => {
+await tap.test('authorize', async (t) => {
-  let token: string = ''
+  await t.test('with secret as string in options', async (t) => {
    let token = ''
    let socket: Socket | null = null
-  beforeEach((done) => {
+    t.beforeEach(async () => {
-    fixtureStart(
+      await fixtureStart()
-      async () => {
+      const response = await api.post('/login', {})
        const response = await axios.post('http://localhost:9000/login')
      token = response.data.token
      },
      { secret: secretCallback }
    )
      .then(done)
      .catch((error) => {
        done(error)
      })
    })
-  afterEach((done) => {
+    t.afterEach(async () => {
-    fixtureStop(done)
+      socket?.disconnect()
      await fixtureStop()
    })
-  it('should emit error with no token provided', (done) => {
+    await t.test('should emit error with no token provided', (t) => {
-    const socket = io('http://localhost:9000')
+      t.plan(4)
-    socket.on('connect_error', (error) => {
+      socket = io(API_URL)
-      expect(isUnauthorizedError(error)).toBeTruthy()
+      socket.on('connect_error', async (error) => {
        t.equal(isUnauthorizedError(error), true)
        if (isUnauthorizedError(error)) {
-        expect(error.data.message).toEqual('no token provided')
+          t.equal(error.data.message, 'no token provided')
-        expect(error.data.code).toEqual('credentials_required')
+          t.equal(error.data.code, 'credentials_required')
        }
-      socket.close()
+        t.pass()
-      done()
+      })
      socket.on('connect', async () => {
        t.fail()
      })
    })
-  it('should emit error with bad token format', (done) => {
+    await t.test('should emit error with bad token format', (t) => {
-    const socket = io('http://localhost:9000', {
+      t.plan(4)
      socket = io(API_URL, {
        auth: { token: 'testing' }
      })
-    socket.on('connect_error', (error) => {
+      socket.on('connect_error', async (error) => {
-      expect(isUnauthorizedError(error)).toBeTruthy()
+        t.equal(isUnauthorizedError(error), true)
        if (isUnauthorizedError(error)) {
-        expect(error.data.message).toEqual(
+          t.equal(error.data.message, 'Format is Authorization: Bearer [token]')
-          'Format is Authorization: Bearer [token]'
+          t.equal(error.data.code, 'credentials_bad_format')
        )
        expect(error.data.code).toEqual('credentials_bad_format')
        }
-      socket.close()
+        t.pass()
-      done()
+      })
      socket.on('connect', async () => {
        t.fail()
      })
    })
-  it('should emit error with unauthorized handshake', (done) => {
+    await t.test('should emit error with unauthorized handshake', (t) => {
-    const socket = io('http://localhost:9000', {
+      t.plan(4)
      socket = io(API_URL, {
        auth: { token: 'Bearer testing' }
      })
-    socket.on('connect_error', (error) => {
+      socket.on('connect_error', async (error) => {
-      expect(isUnauthorizedError(error)).toBeTruthy()
+        t.equal(isUnauthorizedError(error), true)
        if (isUnauthorizedError(error)) {
-        expect(error.data.message).toEqual(
+          t.equal(
            error.data.message,
            'Unauthorized: Token is missing or invalid Bearer'
          )
-        expect(error.data.code).toEqual('invalid_token')
+          t.equal(error.data.code, 'invalid_token')
        }
-      socket.close()
+        t.pass()
-      done()
+      })
      socket.on('connect', async () => {
        t.fail()
      })
    })
-  it('should connect the user', (done) => {
+    await t.test('should connect the user', (t) => {
-    const socket = io('http://localhost:9000', {
+      t.plan(1)
      socket = io(API_URL, {
        auth: { token: `Bearer ${token}` }
      })
-    socket.on('connect', () => {
+      socket.on('connect', async () => {
-      socket.close()
+        t.pass()
-      done()
+      })
      socket.on('connect_error', async (error) => {
        t.fail(error.message)
      })
    socket.on('connect_error', (error) => {
      done(error)
    })
  })
 })
-describe('authorize - with onAuthentication callback in options', () => {
+  await t.test('with secret as callback in options', async (t) => {
-  let token: string = ''
+    let token = ''
-  let wrongToken: string = ''
+    let socket: Socket | null = null
-  beforeEach((done) => {
+    t.beforeEach(async () => {
-    fixtureStart(
+      await fixtureStart({ secret: secretCallback })
-      async () => {
+      const response = await api.post('/login', {})
        const response = await axios.post('http://localhost:9000/login')
      token = response.data.token
-        const responseWrong = await axios.post(
+    })
-          'http://localhost:9000/login-wrong'
+
    t.afterEach(async () => {
      socket?.disconnect()
      await fixtureStop()
    })
    await t.test('should emit error with no token provided', (t) => {
      t.plan(4)
      socket = io(API_URL)
      socket.on('connect_error', async (error) => {
        t.equal(isUnauthorizedError(error), true)
        if (isUnauthorizedError(error)) {
          t.equal(error.data.message, 'no token provided')
          t.equal(error.data.code, 'credentials_required')
        }
        t.pass()
      })
      socket.on('connect', async () => {
        t.fail()
      })
    })
    await t.test('should emit error with bad token format', (t) => {
      t.plan(4)
      socket = io(API_URL, {
        auth: { token: 'testing' }
      })
      socket.on('connect_error', async (error) => {
        t.equal(isUnauthorizedError(error), true)
        if (isUnauthorizedError(error)) {
          t.equal(error.data.message, 'Format is Authorization: Bearer [token]')
          t.equal(error.data.code, 'credentials_bad_format')
        }
        t.pass()
      })
      socket.on('connect', async () => {
        t.fail()
      })
    })
    await t.test('should emit error with unauthorized handshake', (t) => {
      t.plan(4)
      socket = io(API_URL, {
        auth: { token: 'Bearer testing' }
      })
      socket.on('connect_error', async (error) => {
        t.equal(isUnauthorizedError(error), true)
        if (isUnauthorizedError(error)) {
          t.equal(
            error.data.message,
            'Unauthorized: Token is missing or invalid Bearer'
          )
-        wrongToken = responseWrong.data.token
+          t.equal(error.data.code, 'invalid_token')
-      },
+        }
-      {
+        t.pass()
      })
      socket.on('connect', async () => {
        t.fail()
      })
    })
    await t.test('should connect the user', (t) => {
      t.plan(1)
      socket = io(API_URL, {
        auth: { token: `Bearer ${token}` }
      })
      socket.on('connect', async () => {
        t.pass()
      })
      socket.on('connect_error', async (error) => {
        t.fail(error.message)
      })
    })
  })
  await t.test('with onAuthentication callback in options', async (t) => {
    let token = ''
    let wrongToken = ''
    let socket: Socket | null = null
    t.beforeEach(async () => {
      await fixtureStart({
        secret: secretCallback,
        onAuthentication: (decodedToken: Profile) => {
          if (!decodedToken.checkField) {
@ -198,102 +209,117 @@ describe('authorize - with onAuthentication callback in options', () => {
            email: decodedToken.email
          }
        }
      }
    )
      .then(done)
      .catch((error) => {
        done(error)
      })
      const response = await api.post('/login', {})
      token = response.data.token
      const responseWrong = await api.post('/login-wrong', {})
      wrongToken = responseWrong.data.token
    })
-  afterEach((done) => {
+    t.afterEach(async () => {
-    fixtureStop(done)
+      socket?.disconnect()
      await fixtureStop()
    })
-  it('should emit error with no token provided', (done) => {
+    await t.test('should emit error with no token provided', (t) => {
-    const socket = io('http://localhost:9000')
+      t.plan(4)
-    socket.on('connect_error', (error) => {
+      socket = io(API_URL)
-      expect(isUnauthorizedError(error)).toBeTruthy()
+      socket.on('connect_error', async (error) => {
        t.equal(isUnauthorizedError(error), true)
        if (isUnauthorizedError(error)) {
-        expect(error.data.message).toEqual('no token provided')
+          t.equal(error.data.message, 'no token provided')
-        expect(error.data.code).toEqual('credentials_required')
+          t.equal(error.data.code, 'credentials_required')
        }
-      socket.close()
+        t.pass()
-      done()
+      })
      socket.on('connect', async () => {
        t.fail()
      })
    })
-  it('should emit error with bad token format', (done) => {
+    await t.test('should emit error with bad token format', (t) => {
-    const socket = io('http://localhost:9000', {
+      t.plan(4)
      socket = io(API_URL, {
        auth: { token: 'testing' }
      })
-    socket.on('connect_error', (error) => {
+      socket.on('connect_error', async (error) => {
-      expect(isUnauthorizedError(error)).toBeTruthy()
+        t.equal(isUnauthorizedError(error), true)
        if (isUnauthorizedError(error)) {
-        expect(error.data.message).toEqual(
+          t.equal(error.data.message, 'Format is Authorization: Bearer [token]')
-          'Format is Authorization: Bearer [token]'
+          t.equal(error.data.code, 'credentials_bad_format')
        )
        expect(error.data.code).toEqual('credentials_bad_format')
        }
-      socket.close()
+        t.pass()
-      done()
+      })
      socket.on('connect', async () => {
        t.fail()
      })
    })
-  it('should emit error with unauthorized handshake', (done) => {
+    await t.test('should emit error with unauthorized handshake', (t) => {
-    const socket = io('http://localhost:9000', {
+      t.plan(4)
      socket = io(API_URL, {
        auth: { token: 'Bearer testing' }
      })
-    socket.on('connect_error', (error) => {
+      socket.on('connect_error', async (error) => {
-      expect(isUnauthorizedError(error)).toBeTruthy()
+        t.equal(isUnauthorizedError(error), true)
        if (isUnauthorizedError(error)) {
-        expect(error.data.message).toEqual(
+          t.equal(
            error.data.message,
            'Unauthorized: Token is missing or invalid Bearer'
          )
-        expect(error.data.code).toEqual('invalid_token')
+          t.equal(error.data.code, 'invalid_token')
        }
-      socket.close()
+        t.pass()
-      done()
+      })
      socket.on('connect', async () => {
        t.fail()
      })
    })
-  it('should connect the user', (done) => {
+    await t.test('should connect the user', (t) => {
-    const socket = io('http://localhost:9000', {
+      t.plan(1)
      socket = io(API_URL, {
        auth: { token: `Bearer ${token}` }
      })
-    socket.on('connect', () => {
+      socket.on('connect', async () => {
-      socket.close()
+        t.pass()
-      done()
+      })
      socket.on('connect_error', async (error) => {
        t.fail(error.message)
      })
    })
-  it('should contain user property', (done) => {
+    await t.test('should contains user properties', (t) => {
      t.plan(2)
      const socketServer = getSocket()
      socketServer?.on('connection', (client: any) => {
-      expect(client.user.email).toEqual('john@doe.com')
+        t.equal(client.user.email, basicProfile.email)
        t.pass()
      })
-    const socket = io('http://localhost:9000', {
+      socket = io(API_URL, {
        auth: { token: `Bearer ${token}` }
      })
-    socket.on('connect', () => {
+      socket.on('connect_error', async (error) => {
-      socket.close()
+        t.fail(error.message)
      done()
      })
    })
-  it('should emit error when user validation fails', (done) => {
+    await t.test('should emit error when user validation fails', (t) => {
-    const socket = io('http://localhost:9000', {
+      t.plan(2)
      socket = io(API_URL, {
        auth: { token: `Bearer ${wrongToken}` }
      })
-    socket.on('connect_error', (err: any) => {
+      socket.on('connect_error', async (error) => {
        try {
-        expect(err.message).toEqual('Check Field validation failed')
+          t.equal(error.message, 'Check Field validation failed')
-      } catch (err) {
+          t.pass()
-        socket.close()
+        } catch {
-        done(err)
+          t.fail()
        }
-      socket.close()
+      })
-      done()
+      socket.on('connect', async () => {
        t.fail()
      })
    })
  })
 })
--- a/src/test/fixture/index.ts
+++ b/src/test/fixture/index.ts
@ -1,42 +1,43 @@
 import type { Server as HttpServer } from 'node:http'
 import type { Server as HttpsServer } from 'node:https'
 import express from 'express'
 import jwt from 'jsonwebtoken'
 import { Server as SocketIoServer } from 'socket.io'
-import enableDestroy from 'server-destroy'
+import type { FastifyInstance } from 'fastify'
 import fastify from 'fastify'
-import { authorize, AuthorizeOptions } from '../../index.js'
+import type { AuthorizeOptions } from '../../index.js'
 import { authorize } from '../../index.js'
-export interface Profile {
+interface FastifyIo {
  instance: SocketIoServer
 }
 declare module 'fastify' {
  export interface FastifyInstance {
    io: FastifyIo
  }
 }
 export interface BasicProfile {
  email: string
  id: number
 }
 export interface Profile extends BasicProfile {
  checkField: boolean
 }
-interface Socket {
+export const PORT = 9000
-  io: null | SocketIoServer
+export const API_URL = `http://localhost:${PORT}`
-  init: (httpServer: HttpServer | HttpsServer) => void
+export const basicProfile: BasicProfile = {
  email: 'john@doe.com',
  id: 123
 }
-const socket: Socket = {
+let application: FastifyInstance | null = null
  io: null,
  init(httpServer) {
    socket.io = new SocketIoServer(httpServer)
  }
 }
 let server: HttpServer | null = null
 export const fixtureStart = async (
  done: any,
  options: AuthorizeOptions = { secret: 'super secret' }
 ): Promise<void> => {
-  const profile: Profile = {
+  const profile: Profile = { ...basicProfile, checkField: true }
    email: 'john@doe.com',
    id: 123,
    checkField: true
  }
  let keySecret = ''
  if (typeof options.secret === 'string') {
    keySecret = options.secret
@ -46,35 +47,37 @@ export const fixtureStart = async (
      payload: profile
    })
  }
-  const app = express()
+  application = fastify()
-  app.use(express.json())
+  application.post('/login', async (_request, reply) => {
  app.post('/login', (_req, res) => {
    const token = jwt.sign(profile, keySecret, {
      expiresIn: 60 * 60 * 5
    })
-    return res.json({ token })
+    reply.statusCode = 201
    return { token }
  })
-  app.post('/login-wrong', (_req, res) => {
+  application.post('/login-wrong', async (_request, reply) => {
    profile.checkField = false
    const token = jwt.sign(profile, keySecret, {
      expiresIn: 60 * 60 * 5
    })
-    return res.json({ token })
+    reply.statusCode = 201
    return { token }
  })
  const instance = new SocketIoServer(application.server)
  instance.use(authorize(options))
  application.decorate('io', { instance })
  application.addHook('onClose', (fastify) => {
    fastify.io.instance.close()
  })
  await application.listen({
    port: PORT
  })
  server = app.listen(9000, done)
  socket.init(server)
  socket.io?.use(authorize(options))
  enableDestroy(server)
 }
-export const fixtureStop = (callback: Function): void => {
+export const fixtureStop = async (): Promise<void> => {
-  socket.io?.close()
+  await application?.close()
  try {
    server?.destroy()
  } catch {}
  callback()
 }
-export const getSocket = (): SocketIoServer | null => {
+export const getSocket = (): SocketIoServer | undefined => {
-  return socket.io
+  return application?.io.instance
 }
--- a/src/authorize.ts
+++ b/src/authorize.ts
@ -1,5 +1,6 @@
-import jwt, { Algorithm } from 'jsonwebtoken'
+import type { Algorithm } from 'jsonwebtoken'
-import { Socket } from 'socket.io'
+import jwt from 'jsonwebtoken'
 import type { Socket } from 'socket.io'
 import { UnauthorizedError } from './UnauthorizedError.js'
@ -61,7 +62,7 @@ export const authorize = (options: AuthorizeOptions): SocketIOMiddleware => {
    }
    socket.encodedToken = encodedToken
    let keySecret: string | null = null
-    let decodedToken: any
+    let decodedToken: any = null
    if (typeof secret === 'string') {
      keySecret = secret
    } else {
--- a/tsconfig.json
+++ b/tsconfig.json
@ -1,14 +1,13 @@
 {
  "extends": "@tsconfig/strictest/tsconfig.json",
  "compilerOptions": {
    "target": "ESNext",
-    "module": "commonjs",
+    "module": "ESNext",
    "lib": ["ESNext"],
    "moduleResolution": "node",
    "outDir": "./build",
    "rootDir": "./src",
-    "noEmit": true,
+    "emitDeclarationOnly": true,
-    "strict": true,
+    "declaration": true
    "skipLibCheck": true,
    "esModuleInterop": true
  }
 }
Author	SHA1	Message	Date
Divlo	71e0d82655	fix: safer `isUnauthorizedError` type guard	2023-04-02 23:04:41 +02:00
Divlo	03e8d51f9a	fix: bump jsonwebtoken to v9.0.0 fixes #342 It introduces several security fixes to follow best practices.	2023-01-10 20:57:23 +01:00
Divlo	bf234bd7b8	docs: client side usage, specify `build` in import	2022-09-09 12:10:12 +02:00
Divlo	ff6a84a8e1	fix: publish updated README	2022-09-09 11:41:42 +02:00
Divlo	c7c152a554	build(deps): update latest	2022-09-09 11:39:27 +02:00
dependabot[bot]	7977c42c20	build(deps): bump npm from 8.10.0 to 8.12.0 (#338 )	2022-07-25 12:52:11 +02:00
dependabot[bot]	05b9eea638	build(deps): bump semver-regex from 3.1.3 to 3.1.4 (#339 )	2022-07-25 12:51:59 +02:00
dependabot[bot]	e14b456d9a	build(deps-dev): bump semantic-release from 19.0.2 to 19.0.3 (#340 )	2022-07-25 12:51:41 +02:00
Divlo	f85595224f	build(deps): update latest	2022-05-12 21:26:33 +02:00
Divlo	1247a9b5f0	chore: remove codecov	2022-05-12 21:24:15 +02:00
Divlo	9a942c52c5	style: fix linting issue	2022-04-07 10:14:52 +02:00
Divlo	dbb363747d	feat: usage of ESM modules imports (instead of CommonJS) BREAKING CHANGE: This package is now pure ESM BREAKING CHANGE: minimum supported Node.js >= 16.0.0	2022-04-07 10:11:48 +02:00
Divlo	559ad8bd6d	ci: avoid duplicate runs	2022-03-01 09:02:21 +01:00
Divlo	e68ed3c432	fix: emit types declaration	2022-02-19 10:36:34 +01:00