Merge pull request #14 from marttinen/3.3.0-rc

Support hapi auth "modes"

Author: felixheck

src/index.js

@@ -139,11 +139,15 @@ async function handleKeycloakValidation (tkn, h) {
  * @throws {Boom.unauthorized} If header is missing or has an invalid format
  */
 async function validate (field, h = (data) => data) {
+  if (!field) {
+    throw raiseUnauthorized(errorMessages.missing)
+  }
+
   const tkn = token.create(field)
   const reply = fakeToolkit(h)
 
   if (!tkn) {
-    throw raiseUnauthorized(errorMessages.missing)
+    throw raiseUnauthorized(errorMessages.invalid)
   }
 
   const cached = await cache.get(store, tkn)

src/utils.js

@@ -117,11 +117,15 @@ function verify (opts) {
  * @returns {Boom.unauthorized} The created `Boom` error
  */
 function raiseUnauthorized (error, reason, scheme = 'Bearer') {
-  return boom.unauthorized(null, scheme, {
-    strategy: 'keycloak-jwt',
-    ...(error ? { error } : {}),
-    ...(reason && error !== reason ? { reason } : {})
-  })
+  return boom.unauthorized(
+    error !== errorMessages.missing ? error : null,
+    scheme,
+    {
+      strategy: 'keycloak-jwt',
+      ...(error === errorMessages.missing ? { error } : {}),
+      ...(reason && error !== reason ? { reason } : {})
+    }
+  )
 }
 
 /**
@@ -132,7 +136,7 @@ function raiseUnauthorized (error, reason, scheme = 'Bearer') {
  */
 const errorMessages = {
   invalid: 'Invalid credentials',
-  missing: 'Missing or invalid authorization header',
+  missing: 'Missing authorization header',
   rpt: 'Retrieving the RPT failed',
   apiKey: 'Retrieving the token with the api key failed'
 }

test/_helpers.js

@@ -184,6 +184,32 @@ function registerRoutes (server) {
           }
         }
       }
+    },
+    {
+      method: 'GET',
+      path: '/mode-optional',
+      options: {
+        auth: { strategy: 'keycloak-jwt', mode: 'optional' },
+        handler (req) {
+          return {
+            headers: req.headers,
+            query: req.query
+          }
+        }
+      }
+    },
+    {
+      method: 'GET',
+      path: '/mode-try',
+      options: {
+        auth: { strategy: 'keycloak-jwt', mode: 'try' },
+        handler (req) {
+          return {
+            headers: req.headers,
+            query: req.query
+          }
+        }
+      }
     }
   ])
 }

test/index.entitlement.spec.js

@@ -84,7 +84,7 @@ test('authentication does fail – invalid token', async (t) => {
 
   t.truthy(res)
   t.is(res.statusCode, 401)
-  t.is(res.headers['www-authenticate'], 'Bearer strategy="keycloak-jwt", error="Invalid credentials", reason="Retrieving the RPT failed"')
+  t.is(res.headers['www-authenticate'], 'Bearer strategy="keycloak-jwt", reason="Retrieving the RPT failed", error="Invalid credentials"')
 })
 
 test('authentication does fail – invalid header', async (t) => {
@@ -95,5 +95,5 @@ test('authentication does fail – invalid header', async (t) => {
 
   t.truthy(res)
   t.is(res.statusCode, 401)
-  t.is(res.headers['www-authenticate'], 'Bearer strategy="keycloak-jwt", error="Missing or invalid authorization header"')
+  t.is(res.headers['www-authenticate'], 'Bearer strategy="keycloak-jwt", error="Invalid credentials"')
 })

test/index.hapi-modes.spec.js

@@ -0,0 +1,39 @@
+const nock = require('nock')
+const test = require('ava')
+const helpers = require('./_helpers')
+const fixtures = require('./fixtures')
+
+const cfg = helpers.getOptions({ secret: fixtures.common.secret })
+
+test.afterEach.always('reset instances and prototypes', () => {
+  nock.cleanAll()
+})
+
+test('server method – authentication supports mode: "optional" - will succeed without auth', async (t) => {
+  const server = await helpers.getServer(cfg)
+  const res = await server.inject({
+    method: 'GET',
+    url: '/mode-optional'
+  })
+
+  t.truthy(res)
+  t.is(res.statusCode, 200)
+})
+
+test('server method – authentication supports mode: "optional" - will fail with invalid auth', async (t) => {
+  const mockReq = helpers.mockRequest(fixtures.common.token, '/mode-optional')
+  const server = await helpers.getServer(cfg)
+  const res = await server.inject(mockReq)
+
+  t.truthy(res)
+  t.is(res.statusCode, 401)
+})
+
+test('server method – authentication supports mode: "try" - will succeed with invalid auth', async (t) => {
+  const mockReq = helpers.mockRequest(fixtures.common.token, '/mode-try')
+  const server = await helpers.getServer(cfg)
+  const res = await server.inject(mockReq)
+
+  t.truthy(res)
+  t.is(res.statusCode, 200)
+})

test/index.introspect.spec.js

@@ -77,5 +77,5 @@ test('authentication does fail – invalid header', async (t) => {
 
   t.truthy(res)
   t.is(res.statusCode, 401)
-  t.is(res.headers['www-authenticate'], 'Bearer strategy="keycloak-jwt", error="Missing or invalid authorization header"')
+  t.is(res.headers['www-authenticate'], 'Bearer strategy="keycloak-jwt", error="Invalid credentials"')
 })

test/index.server.spec.js

@@ -52,7 +52,7 @@ test('server method – authentication does fail – invalid header', async (t)
   t.truthy(err)
   t.truthy(err.isBoom)
   t.is(err.output.statusCode, 401)
-  t.is(err.output.headers['WWW-Authenticate'], 'Bearer strategy="keycloak-jwt", error="Missing or invalid authorization header"')
+  t.is(err.output.headers['WWW-Authenticate'], 'Bearer strategy="keycloak-jwt", error="Invalid credentials"')
 })
 
 test('server method – authentication does fail – error', async (t) => {

test/index.verify.buffer.spec.js

@@ -49,7 +49,7 @@ test('authentication does fail – expired token', async (t) => {
 
   t.truthy(res)
   t.is(res.statusCode, 401)
-  t.is(res.headers['www-authenticate'], 'Bearer strategy="keycloak-jwt", error="Invalid credentials", reason="invalid token (expired)"')
+  t.is(res.headers['www-authenticate'], 'Bearer strategy="keycloak-jwt", reason="invalid token (expired)", error="Invalid credentials"')
 })
 
 test('authentication does fail – invalid header', async (t) => {
@@ -59,5 +59,5 @@ test('authentication does fail – invalid header', async (t) => {
 
   t.truthy(res)
   t.is(res.statusCode, 401)
-  t.is(res.headers['www-authenticate'], 'Bearer strategy="keycloak-jwt", error="Missing or invalid authorization header"')
+  t.is(res.headers['www-authenticate'], 'Bearer strategy="keycloak-jwt", error="Invalid credentials"')
 })

test/index.verify.jwk.spec.js

@@ -53,7 +53,7 @@ test('authentication does fail – expired token', async (t) => {
 
   t.truthy(res)
   t.is(res.statusCode, 401)
-  t.is(res.headers['www-authenticate'], 'Bearer strategy="keycloak-jwt", error="Invalid credentials", reason="invalid token (expired)"')
+  t.is(res.headers['www-authenticate'], 'Bearer strategy="keycloak-jwt", reason="invalid token (expired)", error="Invalid credentials"')
 })
 
 test('authentication does fail – invalid header', async (t) => {
@@ -63,5 +63,5 @@ test('authentication does fail – invalid header', async (t) => {
 
   t.truthy(res)
   t.is(res.statusCode, 401)
-  t.is(res.headers['www-authenticate'], 'Bearer strategy="keycloak-jwt", error="Missing or invalid authorization header"')
+  t.is(res.headers['www-authenticate'], 'Bearer strategy="keycloak-jwt", error="Invalid credentials"')
 })

test/index.verify.pem.spec.js

@@ -49,7 +49,7 @@ test('authentication does fail – expired token', async (t) => {
 
   t.truthy(res)
   t.is(res.statusCode, 401)
-  t.is(res.headers['www-authenticate'], 'Bearer strategy="keycloak-jwt", error="Invalid credentials", reason="invalid token (expired)"')
+  t.is(res.headers['www-authenticate'], 'Bearer strategy="keycloak-jwt", reason="invalid token (expired)", error="Invalid credentials"')
 })
 
 test('authentication does fail – invalid header', async (t) => {
@@ -59,5 +59,5 @@ test('authentication does fail – invalid header', async (t) => {
 
   t.truthy(res)
   t.is(res.statusCode, 401)
-  t.is(res.headers['www-authenticate'], 'Bearer strategy="keycloak-jwt", error="Missing or invalid authorization header"')
+  t.is(res.headers['www-authenticate'], 'Bearer strategy="keycloak-jwt", error="Invalid credentials"')
 })