From d8104a19ee9181e6a5ea81014af29ff9a3c28a8a Mon Sep 17 00:00:00 2001
From: David Luecke
Date: Sat, 11 Jun 2022 09:27:55 -0700
Subject: [PATCH] fix(authentication): Add safe dispatch data for authentication requests (#2662)
---
 packages/authentication/package.json | 2 +-
 packages/authentication/src/service.ts | 13 ++++++----
 packages/authentication/test/jwt.test.ts | 25 ++++++++++++++++++++
 packages/express/test/authentication.test.ts | 3 +--
 4 files changed, 35 insertions(+), 8 deletions(-)
diff --git a/packages/authentication/package.json b/packages/authentication/package.json
index fb3a7996c0..ac58de0a1a 100644
--- a/packages/authentication/package.json
+++ b/packages/authentication/package.json
@@ -56,6 +56,7 @@
 "@feathersjs/errors": "^5.0.0-pre.23",
 "@feathersjs/feathers": "^5.0.0-pre.23",
 "@feathersjs/transport-commons": "^5.0.0-pre.23",
+ "@feathersjs/schema": "^5.0.0-pre.23",
 "@types/jsonwebtoken": "^8.5.8",
 "jsonwebtoken": "^8.5.1",
 "lodash": "^4.17.21",
@@ -64,7 +65,6 @@
 },
 "devDependencies": {
 "@feathersjs/memory": "^5.0.0-pre.23",
- "@feathersjs/schema": "^5.0.0-pre.23",
 "@types/lodash": "^4.14.182",
 "@types/mocha": "^9.1.1",
 "@types/node": "^17.0.40",
diff --git a/packages/authentication/src/service.ts b/packages/authentication/src/service.ts
index 20e412ebe4..9ee690bf3d 100644
--- a/packages/authentication/src/service.ts
+++ b/packages/authentication/src/service.ts
@@ -5,6 +5,7 @@ import { connection, event } from './hooks'
 import '@feathersjs/transport-commons'
 import { createDebug } from '@feathersjs/commons'
 import { ServiceMethods, ServiceAddons } from '@feathersjs/feathers'
+import { resolveDispatch } from '@feathersjs/schema'
 import jsonwebtoken from 'jsonwebtoken'
 const debug = createDebug('@feathersjs/authentication/service')
@@ -120,12 +121,14 @@ export class AuthenticationService
 const accessToken = await this.createAccessToken(payload, jwtOptions, params.secret)
- return merge({ accessToken }, authResult, {
+ return {
+ accessToken,
+ ...authResult,
 authentication: {
- accessToken,
+ ...authResult.authentication,
 payload: jsonwebtoken.decode(accessToken)
 }
- })
+ }
 }
 /**
@@ -182,8 +185,8 @@ export class AuthenticationService
 }
 this.hooks({
- create: [connection('login'), event('login')],
- remove: [connection('logout'), event('logout')]
+ create: [resolveDispatch(), connection('login'), event('login')],
+ remove: [resolveDispatch(), connection('logout'), event('logout')]
 } as any)
 this.app.on('disconnect', async (connection) => {
diff --git a/packages/authentication/test/jwt.test.ts b/packages/authentication/test/jwt.test.ts
index e9df2647e5..526cbe02b4 100644
--- a/packages/authentication/test/jwt.test.ts
+++ b/packages/authentication/test/jwt.test.ts
@@ -2,6 +2,7 @@ import assert from 'assert'
 import merge from 'lodash/merge'
 import { feathers, Application, Service } from '@feathersjs/feathers'
 import { memory } from '@feathersjs/memory'
+import { getDispatch, resolve, resolveDispatch } from '@feathersjs/schema'
 import { AuthenticationService, JWTStrategy, hooks } from '../src'
 import { ServerResponse } from 'http'
@@ -19,6 +20,16 @@ describe('authentication/jwt', () => {
 let accessToken: string
 let payload: any
+ const userDispatchResolver = resolve({
+ converter: async () => {
+ return {
+ dispatch: true,
+ message: 'Hello world'
+ }
+ },
+ properties: {}
+ })
+
 beforeEach(async () => {
 app = feathers()
@@ -51,6 +62,9 @@ describe('authentication/jwt', () => {
 })
 app.service('users').hooks({
+ around: {
+ all: [resolveDispatch(userDispatchResolver)]
+ },
 after: {
 get: [
 (context) => {
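Review bot: In `packages/authentication/src/service.ts` (hunk `@@ -120,12 +121,14 @@`), the new return literal lists `accessToken` before `...authResult`, so a same-named key on the strategy result would silently replace the token that was just signed. Either move it after the spread (`...authResult,` followed by `accessToken,`) or, if code above the hunk already guarantees the strategy result carries no token here, say so with a comment such as `// authResult has no accessToken at this point`; the method body starts outside the hunk, so that cannot be confirmed from these lines. A one-line comment on why a shallow spread replaces `merge` would also help: presumably nested objects such as the user must be kept by reference so that dispatch data attached to them survives, and without the comment a later cleanup could switch back to a deep merge.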
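Review bot: In the `this.hooks({ ... })` registration (hunk `@@ -182,8 +185,8 @@` of `service.ts`), `resolveDispatch()` is called with no resolver, so the authentication result gets no dispatch rules of its own. Judging by the jwt test fixture, which registers `resolveDispatch(userDispatchResolver)` on the `users` service, the safe form of nested data appears to come only from the service that produced the entity. That dependency should be documented above the hook list, for example `// Safe dispatch data for nested entities (e.g. user) comes from the entity service's own resolveDispatch hook`, together with a statement of what is sent when that service has none, once confirmed against `@feathersjs/schema`. The `as any` on the hook map also hides whether the added hook matches the expected hook type. The enclosing method starts and ends outside the hunk.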
@@ -119,6 +133,17 @@ describe('authentication/jwt', () => {
 })
 })
+ it('resolves safe dispatch data in authentication result', async () => {
+ const authResult = await app.service('authentication').create({
+ strategy: 'jwt',
+ accessToken
+ })
+
+ const dispatch = getDispatch(authResult)
+
+ assert.deepStrictEqual(dispatch.user, { dispatch: true, message: 'Hello world' })
+ })
+
 it('sends disconnect event when connection token expires and removes all connection information', async () => {
 const connection: any = {}
 const token: string = await app.service('authentication').createAccessToken(
diff --git a/packages/express/test/authentication.test.ts b/packages/express/test/authentication.test.ts
index 44d215b2ad..9a342f39de 100644
--- a/packages/express/test/authentication.test.ts
+++ b/packages/express/test/authentication.test.ts
@@ -67,8 +67,7 @@ describe('@feathersjs/express/authentication', () => {
 it('successful local authentication', () => {
 assert.ok(authResult.accessToken)
 assert.deepStrictEqual(omit(authResult.authentication, 'payload'), {
- strategy: 'local',
- accessToken: authResult.accessToken
+ strategy: 'local'
 })
 assert.strictEqual(authResult.user.email, email)
 assert.strictEqual(authResult.user.password, undefined)
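Review bot: The new case `resolves safe dispatch data in authentication result` in `jwt.test.ts` exercises only `create`, while the service change also puts `resolveDispatch()` on `remove`. A matching case that calls `remove` with the same token and checks `getDispatch(...)` on its result would cover the logout path. The fixture resolver added earlier in this file returns a constant object, so the test shows that dispatch data is attached but not that a field of the stored user is withheld. An assertion that a field present on the stored record is absent from `dispatch.user` would pin the property the commit title names. One more case for an entity service with no dispatch resolver would record the fallback behaviour.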
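Review bot: The shortened expectation in `successful local authentication` (`packages/express/test/authentication.test.ts`) records that `authentication.accessToken` is no longer part of the response, which is a response-shape change shipped under a `fix` commit. Clients that read the token from `authResult.authentication.accessToken` instead of `authResult.accessToken` would stop working, so the change should be called out in the commit body or changelog. A short comment above the assertion, e.g. `// the token is returned once, at the top level`, would keep the intent visible to whoever next edits this test.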