feat: allow auth.required mapping without claims

FireBlinkLTD · Jan 12, 2024 · 2a83dd3 · 2a83dd3
1 parent c6a1b08
commit 2a83dd3
Show file tree

Hide file tree

Showing 6 changed files with 28 additions and 9 deletions.
diff --git a/.env b/.env
@@ -92,6 +92,12 @@ MAPPINGS_PAGES='[
         "realm": [ "rejected" ]
       }
     }
+  },
+  {
+    "pattern": "/auth-required-pages/.*",
+    "auth": {
+      "required": true
+    }
   }
 ]'
 

diff --git a/README.md b/README.md
@@ -145,7 +145,7 @@ Mappings format:
       #    "ALL" - only when all the claims are included access will be granted
       "mode": "ANY",
 
-      # [optional] list of JWT claims to match over, note: when "auth.required" is true "auth.claims" should be provided too
+      # [optional] list of JWT claims to match over
       "claims": {
         # claims can reference one or many named paths (refer to the JWT_AUTH_CLAIM_PATHS environment variable configuration)
         "name": [

diff --git a/src/config/Mapping.ts b/src/config/Mapping.ts
@@ -101,13 +101,7 @@ export const prepareMapping = (value: any): Mapping => {
   }
   value.auth.mode = value.auth.mode.toUpperCase();
 
-  // if no claims set, set default object
-  if (!value.auth.claims || JSON.stringify(value.auth.claims) === '{}') {
-    /* istanbul ignore next */
-    if (value.auth.required) {
-      throw new Error(`Invalid mapping provided for pattern: ${value.pattern}, configuration will cause rejection of all requests. Either provide auth.claims or set auth.required flag to false`);
-    }
-
+  if (!value.auth.claims) {
     value.auth.claims = {};
   }
 

diff --git a/src/handlers/WebsocketHandler.ts b/src/handlers/WebsocketHandler.ts
@@ -63,6 +63,7 @@ export class WebSocketHandler implements WebSocketHandlerConfig {
       _.debug('Meta token found', { metaPayload });
     }
 
+
     const proxyRequestHeaders: Record<string, string | string[] | null> = {};
     if (getConfig().headers.claims.auth.all) {
       const value = JSON.stringify(context.claims?.auth?.all || {});

diff --git a/src/utils/RequestUtils.ts b/src/utils/RequestUtils.ts
@@ -104,7 +104,7 @@ export class RequestUtils {
       });
     }
 
-    let pass = intersectionLength > 0;
+    let pass = intersectionLength > 0 || expectedLength === 0;
     if (auth.mode === MAPPING_MODE.ALL) {
       pass = intersectionLength === expectedLength;
     }

diff --git a/test/PageMapping.suite.ts b/test/PageMapping.suite.ts
@@ -23,6 +23,24 @@ class BasePageMappingSuite extends BaseSuite {
     });
   }
 
+  @test
+  async authRequiredWithoutClaims() {
+    const uri = '/auth-required-pages/test?q=str';
+    await this.withNewAuthenticatedPage(getConfig().hostURL + uri, async (page) => {
+      const json = await this.getJsonFromPage(page);
+
+      // validate query to be in place
+      strictEqual(json.http.url, uri);
+
+      // validate cookies
+      const cookies = json.headers.cookie ? parse(json.headers.cookie) : {};
+      ok(cookies[getConfig().cookies.names.accessToken]);
+      ok(cookies[getConfig().cookies.names.idToken]);
+      ok(cookies[getConfig().cookies.names.refreshToken]);
+      ok(!cookies[getConfig().cookies.names.originalPath]);
+    });
+  }
+
   @test()
   async e404Endpoint() {
     const uri = '/non-existing-mapping';