handle error on invalid tokens. Closes #134

auth0 · Oct 4, 2016 · 4617101 · 4617101
1 parent 1dc2736
commit 4617101
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 1 deletion.
diff --git a/lib/index.js b/lib/index.js
@@ -75,7 +75,13 @@ module.exports = function(options) {
       }
     }
 
-    var dtoken = jwt.decode(token, { complete: true }) || {};
+    var dtoken;
+
+    try {
+      dtoken = jwt.decode(token, { complete: true }) || {};
+    } catch (err) {
+      return next(new UnauthorizedError('invalid_token', err));
+    }
 
     async.waterfall([
       function getSecret(callback){

diff --git a/test/jwt.test.js b/test/jwt.test.js
@@ -69,6 +69,15 @@ describe('failure tests', function () {
     });
   });
 
+  it('should throw if jwt is an invalid json', function() {
+    req.headers = {};
+    req.headers.authorization = 'Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.yJ1c2VybmFtZSI6InNhZ3VpYXIiLCJpYXQiOjE0NzEwMTg2MzUsImV4cCI6MTQ3MzYxMDYzNX0.foo';
+    expressjwt({secret: 'shhhh'})(req, res, function(err) {
+      assert.ok(err);
+      assert.equal(err.code, 'invalid_token');
+    });
+  });
+
   it('should throw if authorization header is not valid jwt', function() {
     var secret = 'shhhhhh';
     var token = jwt.sign({foo: 'bar'}, secret);