I've created the following two functions that create Express middleware:

- `authenticate` - checks for the presence of a valid access token, returns an HTTP Unauthorized response if there isn't one, otherwise calls `next()`
- `authorize(permissions)` - checks if the logged-in user (as verified in `authenticate`) has the required permissions, returns an HTTP Forbidden response if it doesn't, otherwise calls `next()`.

Here's the code (note the `logger.verbose` usages):
```ts
import { header } from 'express-validator';
// ... (logger, StatusCode, AccessToken, User, Permission, userHasPermission and
// ExpressMiddleware come from the project's own modules, elided in the original post)

export function authenticate() {
  return [
    header('authorization').isLength({ min: 1 }).withMessage('Authorization header required'),
    (req, res, next) => {
      const token = req.headers.authorization?.split(' ') ?? [];
      if (token.length !== 2 || token[0].toLowerCase() !== 'bearer') {
        logger.verbose('Invalid access token type (only "bearer" accepted)');
        res.status(StatusCode.UNAUTHORIZED).send({ 'error': 'Invalid access token' });
        return;
      }
      const accessToken: Promise<AccessToken | null> = AccessToken.findOne({
        // database access
      });
      accessToken.then((at: AccessToken | null) => {
        if (!at) {
          logger.verbose('Access token not found');
          res.status(StatusCode.UNAUTHORIZED).send({ 'error': 'Invalid access token' });
        } else {
          // Token resolved: attach the user to the request and continue the chain
          req.user = at.user;
          logger.verbose(`User ${at.user.uuid} detected`);
          next();
        }
      }).catch((e) => {
        logger.error('ERROR!', e);
        res.status(StatusCode.INTERNAL_SERVER_ERROR).send();
      });
    },
  ];
}

export function authorize(...permissions: Permission[]): ExpressMiddleware {
  return (req, res, next) => {
    logger.verbose(`Authorizing for permissions ${permissions}`);
    const user: User | null = req.user;
    if (!user) {
      // authenticate() did not run or did not attach a user
      logger.verbose('User is not authorized');
      res.status(StatusCode.UNAUTHORIZED).send({ 'error': 'Invalid access token' });
      return;
    }
    userHasPermission(user, ...permissions).then((allow: boolean) => {
      if (allow) {
        logger.verbose('Permission granted!');
        next();
      } else {
        logger.verbose('Permission denied');
        res.status(StatusCode.FORBIDDEN).send({ 'error': 'Forbidden' });
      }
    }).catch((e) => {
      logger.error('ERROR!', e);
      res.status(StatusCode.INTERNAL_SERVER_ERROR).send();
    });
  };
}
```
Here's an example usage:
```ts
router.get(
  '/users',
  authenticate(),
  authorize(Permission.USER_READ, Permission.USER_ALL),
  (req, res) => {
    // logic for the route
  },
);
```
I'm writing a test for the API using Jest and sending requests with Axios, like this:

When I manually test the endpoint with Postman, it works as expected: I get HTTP Unauthorized when the token is invalid, HTTP Forbidden when I don't have the required permissions; otherwise the endpoint continues with its logic. All calls to `logger.verbose` are visible in the server console.

But when running the Jest tests, while the first middleware, `authenticate`, works properly, the second one, `authorize`, is not executed: the permissions of a user are ignored and all requests result in an HTTP OK status. Even the log messages (like "Authorizing for permissions...") are not displayed in the server logs, while log messages from the first middleware are still printed.
Context

I'm using express in version 4.18.2.
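The middleware chain from the issue, reduced to a dependency-free harness so a test can assert not only the status code but that `authorize` actually executed. This is an added example, not the issue author's code: the token store, the permission check and the `runChain` driver are constructed stand-ins for the database lookup and for Express's own router.

```javascript
// Added example, not from the issue: a minimal stand-in for Express's middleware
// chaining so authenticate/authorize can be unit-tested with stubbed req/res/next.
// Assumption: token lookup and permission check are in-memory maps (constructed data).
const UNAUTHORIZED = 401, FORBIDDEN = 403, OK = 200;
const TOKENS = { 'tok-alice': { uuid: 'u-1', permissions: ['USER_READ'] },
                 'tok-bob': { uuid: 'u-2', permissions: [] } };
function authenticate() {
  return [(req, res, next) => {
    const parts = (req.headers.authorization || '').split(' ');
    if (parts.length !== 2 || parts[0].toLowerCase() !== 'bearer') {
      return res.status(UNAUTHORIZED).send({ error: 'Invalid access token' });
    }
    // Async lookup like AccessToken.findOne(): next() is called in a later tick.
    Promise.resolve(TOKENS[parts[1]] || null).then((user) => {
      if (!user) return res.status(UNAUTHORIZED).send({ error: 'Invalid access token' });
      req.user = user;
      next();
    });
  }];
}
function authorize(...permissions) {
  return (req, res, next) => {
    if (!req.user) return res.status(UNAUTHORIZED).send({ error: 'Invalid access token' });
    if (!permissions.some((p) => req.user.permissions.includes(p))) {
      return res.status(FORBIDDEN).send({ error: 'Forbidden' });
    }
    next();
  };
}
// Drives a handler list the way router.get(path, ...handlers) does: nested arrays are
// flattened and each handler runs only after the previous one calls next().
// Resolves with the final status and how many handlers actually executed.
function runChain(req, ...handlers) {
  return new Promise((resolve) => {
    const stack = handlers.flat();
    let executed = 0;
    const res = {
      code: OK,
      status(c) { this.code = c; return this; },
      send(body) { resolve({ status: this.code, body, executed }); return this; },
    };
    const next = () => { const h = stack[executed++]; if (h) h(req, res, next); };
    next();
  });
}
// Route under test: GET /users requires USER_READ or USER_ALL.
function getUsers(authorization) {
  const req = { headers: authorization ? { authorization } : {} };
  return runChain(req, authenticate(), authorize('USER_READ', 'USER_ALL'),
    (req, res) => res.status(OK).send({ users: [] }));
}
```

Asserting on `executed` as well as `status` is what distinguishes "authorize denied the request" from "authorize never ran", which is the symptom described above.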