Skip to content

Commit

Permalink
fix jwt decoded with missing characters in body
Browse files Browse the repository at this point in the history
  • Loading branch information
akanass committed Aug 20, 2015
1 parent bb0ce95 commit 306c9fd
Show file tree
Hide file tree
Showing 2 changed files with 35 additions and 2 deletions.
14 changes: 12 additions & 2 deletions lib/index.js
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@ internals.implementation = function (server, options) {
return {
authenticate: function (request, reply) {
var token = extract(request, options);

if (!token && request.auth.mode === 'optional') {
return reply.continue({ credentials: {} });
}
Expand All @@ -41,7 +41,17 @@ internals.implementation = function (server, options) {
}

var keyFunc = (internals.isFunction(options.key)) ? options.key : function (decoded, callback) { callback(null, options.key); };
keyFunc(JWT.decode(token), function (err, key, extraInfo) {

var decoded;
try {
decoded = JWT.decode(token);
}
catch(e)
{
return reply(Boom.unauthorized('Invalid token format', 'Token'));
}

keyFunc(decoded, function (err, key, extraInfo) {
if (err) {
return reply(Boom.wrap(err));
}
Expand Down
23 changes: 23 additions & 0 deletions test/test.js
Original file line number Diff line number Diff line change
Expand Up @@ -61,6 +61,29 @@ test("Malformed JWT", function(t) {
});
});

test("Try using a token with missing characters in body", function(t) {
// use the token as the 'authorization' header in requests
var token = JWT.sign({ id:123,"name":"Charlie" }, secret);
// delete some characters in body
var tokenData = token.split('.');
var header = tokenData[0],
body = tokenData[1],
signature = tokenData[2];
token = header + '.' + body.substring(0, body.length - 1) + '.' + signature;
/*console.log(" - - - - - - token - - - - -");
console.log(token);*/
var options = {
method: "POST",
url: "/privado",
headers: { authorization: "Bearer "+token }
};
// server.inject lets us similate an http request
server.inject(options, function(response) {
t.equal(response.statusCode, 401, "INVALID Token should fail");
t.end();
});
});

test("Try using an incorrect secret to sign the JWT", function(t) {
// use the token as the 'authorization' header in requests
var token = JWT.sign({ id:123,"name":"Charlie" }, 'incorrectSecret');
Expand Down

0 comments on commit 306c9fd

Please sign in to comment.