From 64c69c6a39f507fb6ad8fb65cb6a703aaa4afea4 Mon Sep 17 00:00:00 2001 From: Robert Date: Thu, 24 Mar 2016 15:44:58 -0700 Subject: [PATCH] Fix: local validation forced on client-credential tokens If local validation was specified for the JwtAuthenticator, it would also force the client-credential-based tokens through the JwtAuthenticator, which is not what we want --- lib/jwt/jwt-authenticator.js | 31 +++++++++++++++++-------------- 1 file changed, 17 insertions(+), 14 deletions(-) diff --git a/lib/jwt/jwt-authenticator.js b/lib/jwt/jwt-authenticator.js index c02126de..4cde03d0 100644 --- a/lib/jwt/jwt-authenticator.js +++ b/lib/jwt/jwt-authenticator.js @@ -43,17 +43,20 @@ JwtAuthenticator.prototype.authenticate = function authenticate(token,cb){ err.statusCode = 401; cb(err); }else{ - if(self.localValidation){ - cb(null, new JwtAuthenticationResult(self.application,{ - jwt: token, - expandedJwt: jwt, - localValidation: true, - account: { - href: jwt.body.sub - } - })); - }else if(jwt.header.kid){ - // If the KID exists, this was issued by our API + + // If the KID exists, this was issued by our API from a password grant + + if(jwt.header.kid){ + if(self.localValidation){ + return cb(null, new JwtAuthenticationResult(self.application,{ + jwt: token, + expandedJwt: jwt, + localValidation: true, + account: { + href: jwt.body.sub + } + })); + } var href = self.application.href + '/authTokens/' + token; self.application.dataStore.getResource(href,function(err,response){ if(err){ @@ -64,9 +67,9 @@ JwtAuthenticator.prototype.authenticate = function authenticate(token,cb){ }); }else{ - // If there is no KID, this means it was - // issued by the SDK (not the API) so we have - // to do remote validation in a different way + // If there is no KID, this means it was issued by the SDK (not the + // API) from a client credentials grant so we have to do remote + // validation in a different way. var authenticator = new OauthAccessTokenAuthenticator(self.application, token); authenticator.authenticate(cb); }