Secret callback revisited

.editorconfig

@@ -0,0 +1,3 @@
+[*]
+indent_style = space
+indent_size = 2

README.md

@@ -122,6 +122,7 @@ jwt.sign({
 
 `secretOrPublicKey` is a string or buffer containing either the secret for HMAC algorithms, or the PEM
 encoded public key for RSA and ECDSA.
+If `jwt.verify` is called asynchronous, `secretOrPublicKey` can be a function that should fetch the secret or public key. See below for a detailed example
 
 As mentioned in [this comment](https://github.com/auth0/node-jsonwebtoken/issues/208#issuecomment-231861138), there are other libraries that expect base64 encoded secrets (random bytes encoded using base64), if that is your case you can pass `Buffer.from(secret, 'base64')`, by doing this the secret will be decoded using base64 and the token verification will use the original random bytes.
 
@@ -197,6 +198,17 @@ jwt.verify(token, cert, { algorithms: ['RS256'] }, function (err, payload) {
   // if token alg != RS256,  err == invalid signature
 });
 
+// Verify using getKey callback
+function getKey(header, callback) {
+  // fetch secret or public key
+  const key = ...;
+  callback(null, key);
+}
+
+verify(token, getKey, options, function(err, decoded) {
+  console.log(decoded.foo) // bar
+});
+
 ```
 
 ### jwt.decode(token [, options])

package.json

@@ -27,8 +27,7 @@
     "lodash.isplainobject": "^4.0.6",
     "lodash.isstring": "^4.0.1",
     "lodash.once": "^4.0.0",
-    "ms": "^2.1.1",
-    "xtend": "^4.0.1"
+    "ms": "^2.1.1"
   },
   "devDependencies": {
     "atob": "^1.1.2",

sign.js

@@ -1,5 +1,4 @@
 var timespan = require('./lib/timespan');
-var xtend = require('xtend');
 var jws = require('jws');
 var includes = require('lodash.includes');
 var isBoolean = require('lodash.isboolean');
@@ -85,7 +84,7 @@ module.exports = function (payload, secretOrPrivateKey, options, callback) {
   var isObjectPayload = typeof payload === 'object' &&
                         !Buffer.isBuffer(payload);
 
-  var header = xtend({
+  var header = Object.assign({
     alg: options.algorithm || 'HS256',
     typ: isObjectPayload ? 'JWT' : undefined,
     kid: options.keyid
@@ -112,7 +111,7 @@ module.exports = function (payload, secretOrPrivateKey, options, callback) {
       return failure(error);
     }
     if (!options.mutatePayload) {
-      payload = xtend(payload);
+      payload = Object.assign({},payload);
     }
   } else {
     var invalid_options = options_for_objects.filter(function (opt) {

test/verify.tests.js

@@ -3,8 +3,10 @@ var jws = require('jws');
 var fs = require('fs');
 var path = require('path');
 var sinon = require('sinon');
+var JsonWebTokenError = require('../lib/JsonWebTokenError');
 
 var assert = require('chai').assert;
+var expect = require('chai').expect;
 
 describe('verify', function() {
   var pub = fs.readFileSync(path.join(__dirname, 'pub.pem'));
@@ -67,6 +69,90 @@ describe('verify', function() {
     });
   });
 
+  describe('secret or token as callback', function () {
+      var token = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmb28iOiJiYXIiLCJpYXQiOjE0MzcwMTg1ODIsImV4cCI6MTQzNzAxODU5Mn0.3aR3vocmgRpG05rsI9MpR6z2T_BGtMQaPq2YR6QaroU';
+      var key = 'key';
+
+      var payload = { foo: 'bar', iat: 1437018582, exp: 1437018592 };
+      var options = {algorithms: ['HS256'], ignoreExpiration: true};
+
+      it('without callback', function (done) {
+          jwt.verify(token, key, options, function (err, p) {
+              assert.isNull(err);
+              assert.deepEqual(p, payload);
+              done();
+          });
+      });
+
+      it('simple callback', function (done) {
+          var keyFunc = function(header, callback) {
+              assert.deepEqual(header, { alg: 'HS256', typ: 'JWT' });
+
+              callback(undefined, key);
+          };
+
+          jwt.verify(token, keyFunc, options, function (err, p) {
+              assert.isNull(err);
+              assert.deepEqual(p, payload);
+              done();
+          });
+      });
+
+      it('should error if called synchronously', function (done) {
+          var keyFunc = function(header, callback) {
+              callback(undefined, key);
+          };
+
+          expect(function () {
+              jwt.verify(token, keyFunc, options);
+          }).to.throw(JsonWebTokenError, /verify must be called asynchronous if secret or public key is provided as a callback/);
+
+          done();
+      });
+
+      it('simple error', function (done) {
+          var keyFunc = function(header, callback) {
+              callback(new Error('key not found'));
+          };
+
+          jwt.verify(token, keyFunc, options, function (err, p) {
+              assert.equal(err.name, 'JsonWebTokenError');
+              assert.match(err.message, /error in secret or public key callback/);
+              assert.isUndefined(p);
+              done();
+          });
+      });
+
+      it('delayed callback', function (done) {
+          var keyFunc = function(header, callback) {
+              setTimeout(function() {
+                  callback(undefined, key);
+              }, 25);
+          };
+
+          jwt.verify(token, keyFunc, options, function (err, p) {
+              assert.isNull(err);
+              assert.deepEqual(p, payload);
+              done();
+          });
+      });
+
+      it('delayed error', function (done) {
+          var keyFunc = function(header, callback) {
+              setTimeout(function() {
+                  callback(new Error('key not found'));
+              }, 25);
+          };
+
+          jwt.verify(token, keyFunc, options, function (err, p) {
+              assert.equal(err.name, 'JsonWebTokenError');
+              assert.match(err.message, /error in secret or public key callback/);
+              assert.isUndefined(p);
+              done();
+          });
+      });
+  });
+
   describe('expiration', function () {
     // { foo: 'bar', iat: 1437018582, exp: 1437018592 }
     var token = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmb28iOiJiYXIiLCJpYXQiOjE0MzcwMTg1ODIsImV4cCI6MTQzNzAxODU5Mn0.3aR3vocmgRpG05rsI9MpR6z2T_BGtMQaPq2YR6QaroU';