From a1bc2f2da14b6177ee0d840e47647a96a9f07355 Mon Sep 17 00:00:00 2001
From: nelsonic
Date: Thu, 17 Dec 2015 18:56:48 +0000
Subject: [PATCH] adds test attempting to bypass validation. see: https://github.com/dwyl/hapi-auth-jwt2/issues/130
---
 test/verify_bypass_server.js | 54 ++++++++++++++++++++++++++++++++++++
 test/verify_bypass_test.js | 33 ++++++++++++++++++++++
 2 files changed, 87 insertions(+)
 create mode 100644 test/verify_bypass_server.js
 create mode 100644 test/verify_bypass_test.js
diff --git a/test/verify_bypass_server.js b/test/verify_bypass_server.js
new file mode 100644
index 0000000..7d2e923
--- /dev/null
+++ b/test/verify_bypass_server.js
@@ -0,0 +1,54 @@
+var Hapi = require('hapi');
+var secret = 'NeverShareYourSecret';
+
+// for debug options see: http://hapijs.com/tutorials/logging
+var server = new Hapi.Server({ debug: { 'request': ['error', 'uncaught'] } });
+server.connection();
+
+// defining our own validate function lets us do something
+// useful/custom with the decodedToken before reply(ing)
+var validate = function (decoded, request, callback) {
+ // don't need to add anything here
+};
+
+// see discussion in https://github.com/dwyl/hapi-auth-jwt2/issues/130
+// var bypass_validation = function(decoded, callback) {
+// console.log(' - - - - - - - - - - - - - - - - > hello');
+// console.log(decoded);
+// // console.log(req);
+// // can we simply short-circuit the verification?
+// return reply.continue({ credentials: decoded});
+// }
+
+var sendToken = function(req, reply) {
+ return reply(req.auth.token);
+};
+
+var home = function(req, reply) {
+ return reply('Hai!');
+};
+
+var privado = function(req, reply) {
+ return reply('worked');
+};
+
+server.register(require('../'), function () {
+
+ server.auth.strategy('jwt', 'jwt', {
+ key: 'bypass_validation',
+ validateFunc: validate,
+ verifyOptions: { algorithms: [ 'HS256' ] } // only allow HS256 algorithm
+ });
+
+ server.route([
+ { method: 'GET', path: '/', handler: home, config: { auth: false } },
+ { method: 'GET', path: '/token', handler: sendToken, config: { auth: 'jwt' } },
+ { method: 'POST', path: '/privado', handler: privado, config: { auth: 'jwt' } },
+ { method: 'POST', path: '/required', handler: privado, config: { auth: { mode: 'required', strategy: 'jwt' } } },
+ { method: 'POST', path: '/optional', handler: privado, config: { auth: { mode: 'optional', strategy: 'jwt' } } },
+ { method: 'GET', path: '/try', handler: privado, config: { auth: { mode: 'try', strategy: 'jwt' } } }
+ ]);
+
+});
+
+module.exports = server;
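Review bot: `validate` (hunk lines 10–12) takes a `callback` parameter and never invokes it, so any request whose token actually verifies against the `'bypass_validation'` key — the `/token`, `/privado` and `/required` routes — will presumably stall instead of being accepted or rejected, since the plugin has nothing to continue on; the body should at least be `return callback(null, true);` (or `callback(null, false)` if the fixture is meant to reject everything). The tests in this patch only send a token signed with a different secret, so the stall is not exercised here, but the fixture cannot support a positive-auth test as written. `secret` on line 2 is declared and never used while the strategy key is the literal `'bypass_validation'`; keep one and delete the other so it is unambiguous which key a bypass attempt must defeat. The commented-out `bypass_validation` experiment (lines 15–21) should be dropped, leaving only the one-line pointer to issue #130 that precedes it.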
diff --git a/test/verify_bypass_test.js b/test/verify_bypass_test.js
new file mode 100644
index 0000000..5a9a9b7
--- /dev/null
+++ b/test/verify_bypass_test.js
@@ -0,0 +1,33 @@
+var test = require('tape');
+var JWT = require('jsonwebtoken');
+// var secret = 'NeverShareYourSecret';
+
+var server = require('./verify_bypass_server'); // test server which in turn loads our module
+
+test("Access a route that has no auth strategy", function(t) {
+ var options = {
+ method: "GET",
+ url: "/"
+ };
+ // server.inject lets us similate an http request
+ server.inject(options, function(response) {
+ t.equal(response.statusCode, 200, "GET / works without token");
+
+ t.end();
+ });
+});
+
+test("Access route configured in 'try' mode ", function(t) {
+ var token = JWT.sign({ id: 123, "name": "Charlie" }, 'NoSecret');
+ var options = {
+ method: "GET",
+ url: "/try",
+ headers: { authorization: "Bearer " + token }
+ };
+ // server.inject lets us similate an http request
+ server.inject(options, function(response) {
+ console.log(response.result);
+ t.equal(response.statusCode, 200, "GET /try should pass");
+ t.end();
+ });
+});
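Review bot: The `t.equal(response.statusCode, 200, ...)` at the end of the second test cannot tell a rejected token from an accepted one: as I read hapi's auth modes, `'try'` runs the handler whether or not the credentials verified, so a 200 is the expected non-bypass outcome and a forged token that slipped through would produce the same 200. To actually test that the `'NoSecret'`-signed token is refused, inject it against a route whose strategy is required (`/privado` in the server fixture) and assert 401; if the `/try` case is kept, have the handler expose `req.auth.isAuthenticated` and assert it is `false`. The stray `console.log(response.result)` should go. The third test below is the proposed addition; the existing two are unchanged.
```javascript
// … unchanged: first two tests …
test("Forged token is rejected on a route with required auth", function(t) {
  var token = JWT.sign({ id: 123, "name": "Charlie" }, 'NoSecret');
  server.inject({
    method: "POST",
    url: "/privado",
    headers: { authorization: "Bearer " + token }
  }, function(response) {
    t.equal(response.statusCode, 401, "token signed with the wrong secret must be rejected");
    t.end();
  });
});
```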