New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add support for reading token from cookie #43
add support for reading token from cookie #43
Conversation
Ouch. Ok will fix this up. Are these tests same as the local tests ? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the contribution. I'm sure it is a useful feature. However, this needs another pass including tests and docs before it can be merged.
lib/plugin.js
Outdated
// authorization header as the default | ||
const authorization = | ||
request.headers[settings.headerName] | ||
|| getTokenFromCookie(request.headers.cookie, settings.cookieName) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not a fan of the custom cookie header parsing. I would prefer that the existing hapi parser is used.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How do you use the existing parser to parse the cookie header value ? Like we need to be able to read the field and its value from something like token=ejTdsfsdhfsdjfsdjfsdfs.sdfsjdflkjsldfkjsdf.sdflsjdlfjlsdf; another=gibberish
, so that we get token field's value right ? Could give me some pointers on this ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You can also check out https://github.com/hapijs/cookie/blob/master/lib/index.js for an example of how another plugin handles cookies.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ok I will read these and do the changes. This was something I had some doubts about earlier, so thank you for clearing that up
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh the cookies are already parsed for us to use 😃. I didn't know that. I have done the changes and will push the changes now
lib/plugin.js
Outdated
.required() | ||
.required(), | ||
|
||
headerName: Joi.alternatives() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ideally the string would be restricted to valid header names using an appropriate regex.
lib/plugin.js
Outdated
.try(Joi.string(), Joi.boolean()).default('authorization').optional(), | ||
|
||
cookieName: Joi.alternatives() | ||
.try(Joi.string(), Joi.boolean()).default('token').optional() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ideally the string would be restricted to valid cookie names using an appropriate regex.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
But doesn't that reduce flexibility? Also the issue author and also a lot of other people actually have a requirement to use the names that they need. Like for example if they have a refresh token and an auth token then it makes sense for them to have two cookies in which the authentication one might be better named as auth_token
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm talking about verifying that the string value is valid to include as a cookie name, eg. no spaces, etc.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is now added, now only valid cookie names and header names are accepted
lib/plugin.js
Outdated
.try(Joi.string(), Joi.boolean()).default('authorization').optional(), | ||
|
||
cookieName: Joi.alternatives() | ||
.try(Joi.string(), Joi.boolean()).default('token').optional() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why a default value? That does not seem safe.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I added a default value for providing a sane default. Having the header named authorization and cookie named token is a common usage that's why I did that. Also it would ensure parity with the current behaviour of using the authorization header
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is a breaking change, since existing implementations will suddenly also validate tokens provided in Cookie: token=<jwt>
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
updated this so that by default it only reads from authorization header but not from cookie
- make settings be specified in alphabetic order - ditch using custom parser and just use the parsed tokens from the request object - make sure everything follow the styleguide
I have done all the changes that I have given thumbs up. Some of the changes that you requested are no longer relevant as they were related to parsing the cookies, but rest of the thumbs upped are done |
The checks are shown as failed because of test coverage right ? |
Yes. Hapi requires all merged code to have 100% test coverage. You can run the tests locally using: For more coverage details you can do |
Is there something I can do about |
@lallenfrancisl my guess is that you may have been seeing JWKS errors on node v17+. If you use node v16 to write the tests, then you shouldn't run into any JWKS errors 👍 These will be resolved in the next version of @hapi/jwt which will support node v18 (#47). |
Oh hey @devinivy kind of forgot about this pr, I will brush this up and do the updates and also try running the tests with node v16 |
Ok the issue was that the host when running from macos is set to something else instead of localhost so that was the reason for failing tests. So I set the host to localhost explicitly on everywhere its mocked |
I personally, perhaps selfishly, would like the defaults to currently work as is. I have not tested it out yet, but it looks like I will have no issues with Basically, if you are sending your JWT as |
Ok cool, then I will make the pr like this. The default behavior will be kept. That is it will accept authorization header by default but it will not read from any cookie by default. Then if cookie name is specified it does not allow you to specify the header name and will only read from cookie name |
…ding to settings specified
…hentication works
The lint seems to be the one failing not tests right ? Or is it some issue from my side ? |
Ok bumped |
@kanongil could you do the review again with all the changes that happened ? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good to me—thank you for the contribution! I just left some final touchups for consistency.
Thanks @devinivy will definitely try to keep these changes next time in mind |
This PR aims to fix #28 by adding two fields in settings to set the header name and cookie name. Then while reading the token instead of hardcoding the header name or cookie name we read from what is specified in the settings.
Let me know if there is any changes that should be done in the PR
Thank you