Merge pull request #375 from dwyl/v10.3.0

V10.4.0

.github/dependabot.yml

@@ -0,0 +1,8 @@
+version: 2
+updates:
+- package-ecosystem: npm
+  directory: "/"
+  schedule:
+    interval: daily
+    time: "07:00"
+    timezone: Europe/London

.github/workflows/ci.yml

@@ -0,0 +1,33 @@
+# This workflow will do a clean install of node dependencies, cache/restore them, build the source code and run tests across different versions of node
+# For more information see: https://help.github.com/actions/language-and-framework-guides/using-nodejs-with-github-actions
+
+name: Node.js CI
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        node-version: [14.x, 16.x, 18.x]
+        # See supported Node.js release schedule at https://nodejs.org/en/about/releases/
+
+    steps:
+    - uses: actions/checkout@v2
+    - name: Use Node.js ${{ matrix.node-version }}
+      uses: actions/setup-node@v2
+      with:
+        node-version: ${{ matrix.node-version }}
+        cache: 'npm'
+    - run: npm ci
+    - run: npm run lint
+    - run: npm test
+    - name: Upload coverage to Codecov
+      uses: codecov/codecov-action@v1 

.gitignore

@@ -34,6 +34,5 @@ node_modules
 
 # Vagrant VM (temporary files)
 .vagrant
-package-lock.json
 
 /.idea/

CHANGELOG.md

@@ -7,6 +7,13 @@ is documented on the Github [Releases](https://github.com/dwyl/hapi-auth-jwt2/re
 If anything is unclear in the project documentation, please
 raise an issue: https://github.com/dwyl/hapi-auth-jwt2/issues (_we are here to help!_)
 
+# Version 10.3.0 - Security Update to `jsonwebtoken` Dependency
+
+Update version of `jsonwebtoken` dependency to latest
+to avoid security issues. 
+See: https://github.com/dwyl/hapi-auth-jwt2/pull/374 thanks @AntoineAA 
+More detail in: https://github.com/dwyl/hapi-auth-jwt2/pull/373 thanks Snyk. 
+
 # Version 10.0.0
 
 Version 10.0.0 introduces a ***breaking change***

README.md

@@ -1,21 +1,20 @@
-[![Known Vulnerabilities](https://snyk.io/test/github/dwyl/hapi-auth-jwt2/badge.svg?targetFile=package.json&style=flat-square)](https://snyk.io/test/github/dwyl/hapi-auth-jwt2?targetFile=package.json)
-[![Build Status](https://img.shields.io/travis/dwyl/hapi-auth-jwt2/master.svg?style=flat-square)](https://travis-ci.org/dwyl/hapi-auth-jwt2)
-[![codecov.io](https://img.shields.io/codecov/c/github/dwyl/hapi-auth-jwt2/master.svg?style=flat-square)](https://codecov.io/github/dwyl/hapi-auth-jwt2?branch=master)
-[![Inline docs](https://inch-ci.org/github/dwyl/hapi-auth-jwt2.svg?branch=master&style=flat-square)](https://inch-ci.org/github/dwyl/hapi-auth-jwt2)
-[![HAPI 19.1.0](https://img.shields.io/badge/hapi-19.1.0-brightgreen.svg?style=flat-square "Latest Hapi.js")](https://hapijs.com)
-[![Node.js Version](https://img.shields.io/node/v/hapi-auth-jwt2.svg?style=flat-square "Node.js 10 & 12 and io.js latest both supported")](https://nodejs.org/download/)
-[![Dependencies Status](https://david-dm.org/dwyl/hapi-auth-jwt2/status.svg?style=flat-square)](https://david-dm.org/dwyl/hapi-auth-jwt2)
-[![devDependencies Status](https://david-dm.org/dwyl/hapi-auth-jwt2/dev-status.svg?style=flat-square)](https://david-dm.org/dwyl/hapi-auth-jwt2?type=dev)
-[![contributions welcome](https://img.shields.io/badge/contributions-welcome-brightgreen.svg?style=flat-square)](https://github.com/dwyl/hapi-auth-jwt2/issues)
-[![HitCount](https://hits.dwyl.com/dwyl/hapi-auth-jwt2.svg)](https://github.com/dwyl/hapi-auth-jwt2)
-[![npm package version](https://img.shields.io/npm/v/hapi-auth-jwt2.svg?style=flat-square)](https://www.npmjs.com/package/hapi-auth-jwt2)
 # Hapi Auth using JSON Web Tokens (JWT)
 
 ***The*** authentication scheme/plugin for
 [**Hapi.js**](https://hapi.dev/) apps using **JSON Web Tokens**
 
 ![hapi-auth-jwt2-diagram-verify](https://cloud.githubusercontent.com/assets/194400/11937081/00f9b4bc-a80a-11e5-9f71-a7e05e92f1ae.png)
 
+[![Known Vulnerabilities](https://snyk.io/test/github/dwyl/hapi-auth-jwt2/badge.svg?targetFile=package.json&style=flat-square)](https://snyk.io/test/github/dwyl/hapi-auth-jwt2?targetFile=package.json)
+![GitHub Workflow Status](https://img.shields.io/github/actions/workflow/status/dwyl/hapi-auth-jwt2/ci.yml?label=build&style=flat-square&branch=main)
+[![codecov.io](https://img.shields.io/codecov/c/github/dwyl/hapi-auth-jwt2/main.svg?style=flat-square)](http://codecov.io/github/dwyl/hapi-auth-jwt2?branch=main)
+[![Inline docs](http://inch-ci.org/github/dwyl/hapi-auth-jwt2.svg?branch=main&style=flat-square)](http://inch-ci.org/github/dwyl/hapi-auth-jwt2)
+[![HAPI 21.1.0](http://img.shields.io/badge/hapi-21.1.0-brightgreen.svg?style=flat-square "Latest Hapi.js")](http://hapijs.com)
+[![Node.js Version](https://img.shields.io/node/v/hapi-auth-jwt2.svg?style=flat-square "Node.js 14.x, 16.x & 18.x supported")](http://nodejs.org/download/)
+[![contributions welcome](https://img.shields.io/badge/contributions-welcome-brightgreen.svg?style=flat-square)](https://github.com/dwyl/hapi-auth-jwt2/issues)
+[![HitCount](http://hits.dwyl.com/dwyl/hapi-auth-jwt2.svg)](http://hits.dwyl.com/dwyl/hapi-auth-jwt2)
+[![npm package version](https://img.shields.io/npm/v/hapi-auth-jwt2.svg?style=flat-square)](https://www.npmjs.com/package/hapi-auth-jwt2)
+
 This node.js module (Hapi plugin) lets you use JSON Web Tokens (JWTs)
 for authentication in your [Hapi.js](https://hapi.dev/)
 web application.
@@ -170,8 +169,8 @@ signature `async function(decoded)` where:
         - `key` - the secret key (or array of keys to try)
         - `extraInfo` - (***optional***) any additional information that you would like to use in `validate` which can be accessed
         via `request.plugins['hapi-auth-jwt2'].extraInfo`
-    - Throws a Boom error when key lookup fails.  Refer to [this example implementation](https://github.com/dwyl/hapi-auth-jwt2/blob/master/test/dynamic_key_server.js)
-    and [its associated test](https://github.com/dwyl/hapi-auth-jwt2/blob/master/test/dynamic_key.test.js) for a working example.
+    - Throws a Boom error when key lookup fails.  Refer to [this example implementation](https://github.com/dwyl/hapi-auth-jwt2/blob/main/test/dynamic_key_server.js)
+    and [its associated test](https://github.com/dwyl/hapi-auth-jwt2/blob/main/test/dynamic_key.test.js) for a working example.
 - `validate` - (***required***) the function which is run once the Token has been decoded with
  signature `async function(decoded, request, h)` where:
     - `decoded` - (***required***) is the decoded and verified JWT received in the request
@@ -397,7 +396,7 @@ For a *detailed* example please see:
 
 - Wikipedia has a good intro (general):
 [https://en.wikipedia.org/wiki/HTTP_cookie](https://en.wikipedia.org/wiki/HTTP_cookie)
-- Cookies Explained (by Nicholas C. Zakas - JavaScript über-master)
+- Cookies Explained (by Nicholas C. Zakas - JavaScript über-main)
 [https://www.nczonline.net/blog/2009/05/05/http-cookies-explained/](https://www.nczonline.net/blog/2009/05/05/http-cookies-explained/)
 - The Unofficial Cookie FAQ:
 [http://www.cookiecentral.com/faq/](http://www.cookiecentral.com/faq/)
@@ -687,7 +686,7 @@ Having a more real-world example was *seconded* by [@manonthemat](https://github
 
 If you would like to see a "***real world example***" of this plugin in use
 in a ***production*** web app (API)
-please see: https://github.com/dwyl/time/tree/master/api/lib
+please see: https://github.com/dwyl/time/tree/main/api/lib
 
 - **app.js** ***registering*** the **hapi-auth-jwt2 plugin**:
 [app.js#L13](https://github.com/dwyl/time/blob/0a5ec8711840528a4960c388825fb883fabddd76/app.js#L13)

lib/index.js

@@ -17,7 +17,7 @@ const internals = {}; // see: https://hapi.dev/policies/styleguide/#module-globa
  * @returns {Function} next - returns (calls) the callback when complete.
  */
 exports.plugin = {
-  register: function(server, options) {
+  register: (server, options) => {
     server.auth.scheme('jwt', internals.implementation); // hapijs.com/api#serverauthapi
   },
 };
@@ -43,7 +43,7 @@ internals.FIRST_PASS_AUTHENTICATION_FAILED = 'firstPassAuthenticationFailed';
  * @param {Object} objectToCheck - the object for which we want to check the type
  * @returns {String} - the string of the object class
  */
-internals.checkObjectType = function(objectToCheck) {
+internals.checkObjectType = (objectToCheck) => {
   const toString = Object.prototype.toString;
   return toString.call(objectToCheck);
 };
@@ -53,15 +53,15 @@ internals.checkObjectType = function(objectToCheck) {
  * @param {Object} functionToCheck - the object we want to confirm is a function
  * @returns {Boolean} - true if the functionToCheck is a function. :-)
  */
-internals.isFunction = function(functionToCheck) {
+internals.isFunction = (functionToCheck) => {
   return (
     functionToCheck &&
     (internals.checkObjectType(functionToCheck) === '[object Function]' ||
       internals.checkObjectType(functionToCheck) === '[object AsyncFunction]')
   );
 };
 
-internals.getKeys = async function(decoded, options) {
+internals.getKeys = async (decoded, options) => {
   // if keyFunc is function allow dynamic key lookup: https://git.io/vXjvY
   const { key, ...extraInfo } = internals.isFunction(options.key)
     ? await options.key(decoded)
@@ -70,7 +70,7 @@ internals.getKeys = async function(decoded, options) {
   return { keys, extraInfo };
 };
 
-internals.verifyJwt = function(token, keys, options) {
+internals.verifyJwt = (token, keys, options) => {
   let error;
   for (const k of keys) {
     try {
@@ -82,7 +82,7 @@ internals.verifyJwt = function(token, keys, options) {
   throw error;
 };
 
-internals.authenticate = async function(token, options, request, h) {
+internals.authenticate = async (token, options, request, h) => {
   let tokenType = options.tokenType || 'Token'; // see: https://git.io/vXje9
   let decoded;
 
@@ -181,12 +181,8 @@ internals.authenticate = async function(token, options, request, h) {
     }
 
     try {
-      let {
-        isValid,
-        credentials,
-        response,
-        errorMessage,
-      } = await options.validate(verify_decoded, request, h);
+      let { isValid, credentials, response, errorMessage } =
+        await options.validate(verify_decoded, request, h);
       if (response !== undefined) {
         return { response };
       }
@@ -321,7 +317,7 @@ internals.raiseError = function raiseError(
  * @returns {Function} authenicate - we return the authenticate method after
  * registering the plugin as that's the method that gets called for each route.
  */
-internals.implementation = function(server, options) {
+internals.implementation = (server, options) => {
   assert(options, 'options are required for jwt auth scheme'); // pre-auth checks
   assert(
     options.validate || options.verify,
@@ -337,7 +333,7 @@ internals.implementation = function(server, options) {
      * @returns {Boolean} if the JWT is valid we return a credentials object
      * otherwise throw an error to inform the app & client of unauthorized req.
      */
-    authenticate: async function(request, h) {
+    authenticate: async (request, h) => {
       let token = extract(request, options); // extract token Header/Cookie/Query
       if (
         token == null &&
@@ -368,7 +364,7 @@ internals.implementation = function(server, options) {
      * the next plugin in the list.
      * @returns {Boolean} true. always return true (unless there's an error...)
      */
-    payload: async function(request, h) {
+    payload: async (request, h) => {
       if (
         options.attemptToExtractTokenInPayload &&
         request.auth.credentials.error ===
@@ -399,15 +395,15 @@ internals.implementation = function(server, options) {
      * the next plugin in the list.
      * @returns {Boolean} true. always return true (unless there's an error...)
      */
-    response: function(request, h) {
+    response: (request, h) => {
       const responseFunc = options.responseFunc;
       if (responseFunc && typeof responseFunc === 'function') {
         if (
           internals.checkObjectType(responseFunc) === '[object AsyncFunction]'
         ) {
           return responseFunc(request, h)
             .then(() => h.continue)
-            .catch(err =>
+            .catch((err) =>
               internals.raiseError(options, request, h, 'boomify', err)
             );
         }
@@ -421,7 +417,7 @@ internals.implementation = function(server, options) {
       return h.continue;
     },
 
-    verify: async function(auth) {
+    verify: async (auth) => {
       const token = auth.artifacts.token;
       const decoded = JWT.decode(token, {
         complete: options.complete || false,