adds test attempting to bypass validation. see: #130

dwyl · Dec 17, 2015 · a1bc2f2 · a1bc2f2
1 parent eb9fff9
commit a1bc2f2
Show file tree

Hide file tree

Showing 2 changed files with 87 additions and 0 deletions.
diff --git a/test/verify_bypass_server.js b/test/verify_bypass_server.js
@@ -0,0 +1,54 @@
+var Hapi   = require('hapi');
+var secret = 'NeverShareYourSecret';
+
+// for debug options see: http://hapijs.com/tutorials/logging
+var server = new Hapi.Server({ debug: { 'request': ['error', 'uncaught'] } });
+server.connection();
+
+// defining our own validate function lets us do something
+// useful/custom with the decodedToken before reply(ing)
+var validate = function (decoded, request, callback) {
+  // don't need to add anything here
+};
+
+// see discussion in https://github.com/dwyl/hapi-auth-jwt2/issues/130
+// var bypass_validation = function(decoded, callback) {
+//   console.log(' - - - - - - - - - - - - - - - - > hello');
+//   console.log(decoded);
+//   // console.log(req);
+//   // can we simply short-circuit the verification?
+//   return reply.continue({ credentials: decoded});
+// }
+
+var sendToken = function(req, reply) {
+  return reply(req.auth.token);
+};
+
+var home = function(req, reply) {
+  return reply('Hai!');
+};
+
+var privado = function(req, reply) {
+  return reply('worked');
+};
+
+server.register(require('../'), function () {
+
+  server.auth.strategy('jwt', 'jwt', {
+    key: 'bypass_validation',
+    validateFunc: validate,
+    verifyOptions: { algorithms: [ 'HS256' ] } // only allow HS256 algorithm
+  });
+
+  server.route([
+    { method: 'GET',  path: '/', handler: home, config: { auth: false } },
+    { method: 'GET', path: '/token', handler: sendToken, config: { auth: 'jwt' } },
+    { method: 'POST', path: '/privado', handler: privado, config: { auth: 'jwt' } },
+    { method: 'POST', path: '/required', handler: privado, config: { auth: { mode: 'required', strategy: 'jwt' } } },
+    { method: 'POST', path: '/optional', handler: privado, config: { auth: { mode: 'optional', strategy: 'jwt' } } },
+    { method: 'GET', path: '/try', handler: privado, config: { auth: { mode: 'try', strategy: 'jwt' } } }
+  ]);
+
+});
+
+module.exports = server;
diff --git a/test/verify_bypass_test.js b/test/verify_bypass_test.js
@@ -0,0 +1,33 @@
+var test   = require('tape');
+var JWT    = require('jsonwebtoken');
+// var secret = 'NeverShareYourSecret';
+
+var server = require('./verify_bypass_server'); // test server which in turn loads our module
+
+test("Access a route that has no auth strategy", function(t) {
+  var options = {
+    method: "GET",
+    url: "/"
+  };
+  // server.inject lets us similate an http request
+  server.inject(options, function(response) {
+    t.equal(response.statusCode, 200, "GET / works without token");
+
+    t.end();
+  });
+});
+
+test("Access route configured in 'try' mode ", function(t) {
+  var token = JWT.sign({ id: 123, "name": "Charlie" }, 'NoSecret');
+  var options = {
+    method: "GET",
+    url: "/try",
+    headers: { authorization: "Bearer " + token  }
+  };
+  // server.inject lets us similate an http request
+  server.inject(options, function(response) {
+    console.log(response.result);
+    t.equal(response.statusCode, 200, "GET /try should pass");
+    t.end();
+  });
+});