diff --git a/lib/jwt/jwt-authentication-result.js b/lib/jwt/jwt-authentication-result.js
index 42657e02..676ab250 100644
--- a/lib/jwt/jwt-authentication-result.js
+++ b/lib/jwt/jwt-authentication-result.js
@@ -28,14 +28,22 @@ function JwtAuthenticationResult(application,data) {
 var apiKey = application.dataStore.requestExecutor.options.client.apiKey;
 
 if(this.accessToken){
- this.accessToken = nJwt.verify(this.accessToken, apiKey.secret);
- this.account = {
- href: this.accessToken.body.sub
- };
+ try {
+ this.accessToken = nJwt.verify(this.accessToken, apiKey.secret);
+ this.account = {
+ href: this.accessToken.body.sub
+ };
+ } catch (err) {
+ this.error = err;
+ }
 }
 
 if(this.refreshToken){
- this.refreshToken = nJwt.verify(this.refreshToken, apiKey.secret);
+ try {
+ this.refreshToken = nJwt.verify(this.refreshToken, apiKey.secret);
+ } catch (err) {
+ this.error = err;
+ }
 }
 
 }
@@ -46,6 +54,10 @@ JwtAuthenticationResult.prototype.jwt = null;
 JwtAuthenticationResult.prototype.expandedJwt = null;
 
 JwtAuthenticationResult.prototype.getAccount = function getAccount(callback) {
+ if (this.error) {
+ return callback(this.error);
+ }
+
 // workaround because I don't have access to a stormpath client
 this.application.dataStore.getResource(this.account.href, require('../resource/Account'), callback);
 };
diff --git a/lib/jwt/jwt-authenticator.js b/lib/jwt/jwt-authenticator.js
index 4f80a04e..357b9784 100644
--- a/lib/jwt/jwt-authenticator.js
+++ b/lib/jwt/jwt-authenticator.js
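Review bot: After a failed nJwt.verify in either new catch block the result object still carries the raw, unverified string in this.accessToken or this.refreshToken and this.account stays unset, with this.error the only indication of failure; any caller that reads the token fields directly rather than going through getAccount would treat an unverified token as a verified one. Clear the field in the catch (`this.accessToken = null;`, and likewise for the refresh token) or keep letting the constructor throw. The second catch also overwrites this.error, so when both tokens are bad the access-token failure is silently replaced by the refresh-token error; `this.error = this.error || err;` keeps the first. The caught errors are not given `statusCode = 401` the way the authenticator's verify path marks them, which leaves the two code paths inconsistent. The body of JwtAuthenticationResult begins before the hunk.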
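Review bot: The new early return in getAccount invokes callback synchronously, while the success path below invokes it only after the asynchronous getResource call, so callers get a callback that is sometimes sync and sometimes async; deferring it with `return process.nextTick(callback, this.error);` keeps the contract uniform. The guard also does not cover the case where no error was recorded but this.account was never set (a result constructed without an access token, if the prototype leaves account null), in which case `this.account.href` on the next line throws a TypeError instead of reporting through the callback; `if (this.error || !this.account)` would catch both.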
@@ -36,39 +36,43 @@ JwtAuthenticator.prototype.authenticate = function authenticate(token,cb){
 var secret = self.application.dataStore.requestExecutor.options.client.apiKey.secret;
 
- njwt.verify(token,secret,function(err,jwt){
- if(err){
- err.statusCode = 401;
- cb(err);
- }else{
- if(self.localValidation){
- cb(null, new JwtAuthenticationResult(self.application,{
- jwt: token,
- expandedJwt: jwt,
- localValidation: true,
- account: {
- href: jwt.body.sub
- }
- }));
- }else if(jwt.header.kid){
- // If the KID exists, this was issued by our API
- var href = self.application.href + '/authTokens/' + token;
- self.application.dataStore.getResource(href,function(err,response){
- if(err){
- cb(err);
- }else{
- cb(null, new JwtAuthenticationResult(self.application,response));
- }
- });
+ try {
+ njwt.verify(token,secret,function(err,jwt){
+ if(err){
+ err.statusCode = 401;
+ cb(err);
 }else{
+ if(self.localValidation){
+ cb(null, new JwtAuthenticationResult(self.application,{
+ jwt: token,
+ expandedJwt: jwt,
+ localValidation: true,
+ account: {
+ href: jwt.body.sub
+ }
+ }));
+ }else if(jwt.header.kid){
+ // If the KID exists, this was issued by our API
+ var href = self.application.href + '/authTokens/' + token;
+ self.application.dataStore.getResource(href,function(err,response){
+ if(err){
+ cb(err);
+ }else{
+ cb(null, new JwtAuthenticationResult(self.application,response));
+ }
+ });
+ }else{
- // If there is no KID, this means it was
- // issued by the SDK (not the API) so we have
- // to do remote validation in a different way
- throw new Error('not yet implemented - please use application.authenticateApiRequest() instead');
+ // If there is no KID, this means it was
+ // issued by the SDK (not the API) so we have
+ // to do remote validation in a different way
+ throw new Error('not yet implemented - please use application.authenticateApiRequest() instead');
+ }
 }
- }
- });
+ });
+ } catch (err) {
+ cb(err);
+ }
 
 return this;
 };
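Review bot: The try/catch now encloses every cb(...) call made inside the njwt.verify callback, not just the verify itself, so an exception thrown by the caller's own callback in the localValidation branch is caught and cb is invoked a second time with that exception; the same double invocation happens on the `err.statusCode = 401; cb(err);` branch. The catch also only reaches the 'not yet implemented' throw if njwt.verify runs its callback synchronously; I believe nJwt does, but if the callback were deferred the throw would escape the try regardless, so that assumption is worth confirming. A cleaner fix is to replace the throw with `return cb(new Error('not yet implemented - please use application.authenticateApiRequest() instead'));` and drop the outer try/catch, so every path calls cb exactly once. Errors raised from the getResource callback are asynchronous and are not covered by the try either. The start of authenticate, where self is bound, is outside the hunk.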