allow other auth schemes if credentialsRequired is false. closes #129

auth0 · Oct 4, 2016 · fbf15bd · fbf15bd
1 parent 4617101
commit fbf15bd
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 1 deletion.
diff --git a/lib/index.js b/lib/index.js
@@ -60,7 +60,11 @@ module.exports = function(options) {
         if (/^Bearer$/i.test(scheme)) {
           token = credentials;
         } else {
-          return next(new UnauthorizedError('credentials_bad_scheme', { message: 'Format is Authorization: Bearer [token]' }));
+          if (credentialsRequired) {
+            return next(new UnauthorizedError('credentials_bad_scheme', { message: 'Format is Authorization: Bearer [token]' }));
+          } else {
+            return next();
+          }
         }
       } else {
         return next(new UnauthorizedError('credentials_bad_format', { message: 'Format is Authorization: Bearer [token]' }));

diff --git a/test/jwt.test.js b/test/jwt.test.js
@@ -60,6 +60,14 @@ describe('failure tests', function () {
     });
   });
 
+  it('should next if authorization header is not Bearer and credentialsRequired is false', function() {
+    req.headers = {};
+    req.headers.authorization = 'Basic foobar';
+    expressjwt({secret: 'shhhh', credentialsRequired: false})(req, res, function(err) {
+      assert.ok(typeof err === 'undefined');
+    });
+  });
+
   it('should throw if authorization header is not well-formatted jwt', function() {
     req.headers = {};
     req.headers.authorization = 'Bearer wrongjwt';