Null token not allowed (#4)

* Null token not allowed

* Move the tapP to avoid anonymous functions

index.js

@@ -7,7 +7,7 @@ const {
   applyTo: thrush, curryN, dissoc, partialRight, prop
 } = require('ramda')
 
-const { promisify, rename } = require('@articulate/funky')
+const { promisify, rename, tapP } = require('@articulate/funky')
 
 const wellKnown = '/.well-known/openid-configuration'
 
@@ -26,6 +26,9 @@ const chooseKey = key =>
 
 const decode = partialRight(jwt.decode, [{ complete: true }])
 
+const enforce = token =>
+  token || Promise.reject(new Error('null token not allowed'))
+
 const unauthorized = err =>
   Promise.reject(Boom.wrap(err, 401))
 
@@ -37,9 +40,8 @@ const factory = opts => {
     clients[iss] = client
 
   const checkIss = token =>
-    opts.issWhitelist.indexOf(token.payload.iss) > -1
-      ? Promise.resolve(token)
-      : Promise.reject(new Error(`iss '${token.payload.iss}' not in issWhitelist`))
+    opts.issWhitelist.indexOf(token.payload.iss) > -1 ||
+    Promise.reject(new Error(`iss '${token.payload.iss}' not in issWhitelist`))
 
   const getSigningKey = ({ header: { kid }, payload: { iss } }) =>
     clients[iss]
@@ -52,8 +54,9 @@ const factory = opts => {
 
   const authentic = token =>
     Promise.resolve(token)
+      .then(tapP(enforce))
       .then(decode)
-      .then(checkIss)
+      .then(tapP(checkIss))
       .then(getSigningKey)
       .then(chooseKey)
       .then(verify(token))

test/index.js

@@ -72,4 +72,19 @@ describe('authentic', () => {
       expect(res().output.payload.message).to.contain(badIss)
     )
   })
+
+  describe('with a null token', () => {
+    beforeEach(() =>
+      authentic(null).catch(res)
+    )
+
+    it('booms with a 401', () => {
+      expect(res().isBoom).to.be.true
+      expect(res().output.statusCode).to.equal(401)
+    })
+
+    it('mentions that the token was null', () =>
+      expect(res().output.payload.message).to.contain('null token')
+    )
+  })
 })