felixheck
diff --git a/‎README.md‎
Lines changed: 6 additions & 7 deletions b/‎README.md‎
Lines changed: 6 additions & 7 deletions
diff --git a/‎src/cache.js‎
Lines changed: 12 additions & 32 deletions b/‎src/cache.js‎
Lines changed: 12 additions & 32 deletions
diff --git a/‎src/index.js‎
Lines changed: 22 additions & 24 deletions b/‎src/index.js‎
Lines changed: 22 additions & 24 deletions
@@ -107,27 +107,25 @@ server.route([
 ## API
 #### Plugin Options
 
-> **Hint**: By default, the Keycloak server has built-in two ways to authenticate the client: client ID and client secret, or with a signed JWT. This plugin supports both. Check the description of `secret` and `publicKey` for further information.
->
-> If the signed JWTs are used as online strategy, ensure that the identifier of the related realm key (`kid`) is included in their header.
+> By default, the Keycloak server has built-in [two ways to authenticate][client-auth] the client: client ID and client secret, or with a signed JWT. This plugin supports both. Check the description of `secret` and `publicKey` for further information. If the signed JWTs are used as online strategy, ensure that the identifier of the related realm key is included in their header as `kid`.
 >
 > | Strategy    | Online | Option      |
 > |:------------|:------:|:------------|
 > | ID + Secret | x      | `secret`    |
 > | Signed JWT  | x      |             |
 > | Signed JWT  |        | `publicKey` |
 
-- `realmUrl {string}`: The absolute uri of the Keycloak realm.<br/>
+- `realmUrl {string}` – The absolute uri of the Keycloak realm.<br/>
 Required. Example: `https://localhost:8080/auth/realms/testme`<br/>
 
-- `clientId {string}` The identifier of the Keycloak client/application.<br/>
+- `clientId {string}` – The identifier of the Keycloak client/application.<br/>
 Required. Example: `foobar`<br/>
 
-- `secret {string}` The related secret of the Keycloak client/application.<br/>
+- `secret {string}` – The related secret of the Keycloak client/application.<br/>
 Defining this option enables the traditional method described in the OAuth2 specification. To perform an almost offline validation enable the cache — a simple offline verfication with symmetric keys is not provided for security reasons.<br/>
 Optional. Example: `1234-bar-4321-foo`<br/>
 
-- `publicKey {string}` The related public key of the Keycloak client/application.<br/>
+- `publicKey {string}` – The related public key of the Keycloak client/application.<br/>
 Defining this option enables the offline validation using signed JWTs. The public key has to be in [PEM][pem] or [JWK][jwk] format. If you define neither `secret` nor `public` key, the plugin assumes that a signed JWT has to be validated – it retrieves the public key itself from `{realmUrl}/protocol/openid-connect/certs`. The offline strategy its performance is higher but the online strategy is the most flexible one.<br/>
 Optional. 
 
@@ -242,3 +240,4 @@ For further information read the [contributing guideline](CONTRIBUTING.md).
 [hapi-route-options]: https://hapijs.com/api#route-options
 [jwk]: https://tools.ietf.org/html/rfc7517
 [pem]: https://tools.ietf.org/html/rfc1421
+[client-auth]: https://keycloak.gitbooks.io/documentation/securing_apps/topics/oidc/java/client-authentication.html
@@ -1,25 +1,15 @@
-let instance
-
 /**
  * @function
  * @public
  *
- * Initiate a cache singleton
+ * Initiate a cache
  *
  * @param {Hapi.Server} server The created server instance
  * @param {Object|boolean} opts The instance its options
- * @returns {Object} The cache instance
+ * @returns {Object|false} The cache instance
  */
-function init (server, opts) {
-  if (instance === undefined) {
-    if (opts === false) {
-      instance = false
-    } else {
-      instance = server.cache(opts === true ? {} : opts)
-    }
-  }
-
-  return instance
+function create (server, opts) {
+  return opts ? server.cache(opts === true ? {} : opts) : false
 }
 
 /**
@@ -29,11 +19,12 @@ function init (server, opts) {
  * Get value out of cache by key.
  * Just if cache is initiated.
  *
+ * @param {Object} The cache instance
  * @param {*} key The key to be searched
  * @param {Function} done The callback handler
  */
-function get (key, done) {
-  instance ? instance.get(key, done) : done(null, false)
+function get (cache, key, done) {
+  cache ? cache.get(key, done) : done(null, false)
 }
 
 /**
@@ -43,29 +34,18 @@ function get (key, done) {
  * Set value specified by key in cache.
  * Just if cache is initiated.
  *
+ * @param {Object} The cache instance
  * @param {*} key The key to be indexed
  * @param {*} value The value to be stored
  * @param {number} ttl The time to live
  * @param {Function} done The callback handler
  */
-function set (key, value, ttl, done) {
-  instance && instance.set(key, value, ttl, done)
-}
-
-/**
- * @function
- * @public
- *
- * Reset the current cache instance
- *
- */
-function reset () {
-  instance = undefined
+function set (cache, key, value, ttl, done) {
+  cache && cache.set(key, value, ttl, done)
 }
 
 module.exports = {
-  init,
+  create,
   get,
-  set,
-  reset
+  set
 }
@@ -1,5 +1,5 @@
 const { GrantManager } = require('keycloak-auth-utils')
-const Token = require('keycloak-auth-utils/lib/token')
+const KeycloakToken = require('keycloak-auth-utils/lib/token')
 const cache = require('./cache')
 const token = require('./token')
 const { error, fakeReply, verify } = require('./utils')
@@ -9,10 +9,11 @@ const pkg = require('../package.json')
  * @type {Object|GrantManager}
  * @private
  *
- * The plugin related options and GrantManager instance.
+ * The plugin related options and instances.
  */
 let options
 let manager
+let store
 
 /**
  * @function
@@ -22,11 +23,12 @@ let manager
  * public key or online with help of the Keycloak server and
  * JWKS. Resolve if the verification succeeded.
  *
- * @param {string} token The token to be validated
+ * @param {string} tkn The token to be validated
  * @returns {Promise} The error-handled promise
  */
-function validateSignedJwt (token) {
-  return manager.validateToken(new Token(token, options.clientId))
+function validateSignedJwt (tkn) {
+  const kcTkn = new KeycloakToken(tkn, options.clientId)
+  return manager.validateToken(kcTkn)
 }
 
 /**
@@ -37,16 +39,16 @@ function validateSignedJwt (token) {
  * Keycloak server, the client identifier and its secret.
  * Resolve if the request succeeded and token is valid.
  *
- * @param {string} token The token to be validated
+ * @param {string} tkn The token to be validated
  * @returns {Promise} The error-handled promise
  */
-function validateSecret (token) {
-  return manager.validateAccessToken(token).then((res) => {
+function validateSecret (tkn) {
+  return manager.validateAccessToken(tkn).then((res) => {
     if (res === false) {
       throw Error(error.msg.invalid)
     }
 
-    return token
+    return tkn
   })
 }
 
@@ -64,11 +66,11 @@ function validateSecret (token) {
 function handleKeycloakValidation (tkn, reply) {
   const validateFn = options.secret ? validateSecret : validateSignedJwt
 
-  validateFn(tkn.get()).then(() => {
-    const { expiresIn, credentials } = tkn.getData(options.userInfo)
+  validateFn(tkn).then(() => {
+    const { expiresIn, credentials } = token.getData(tkn, options.userInfo)
     const userData = { credentials }
 
-    cache.set(tkn.get(), userData, expiresIn)
+    cache.set(store, tkn, userData, expiresIn)
     reply.continue(userData)
   }).catch((err) => {
     reply(error('unauthorized', err, error.msg.invalid))
@@ -83,18 +85,18 @@ function handleKeycloakValidation (tkn, reply) {
  * If yes, return cached user data. Otherwise
  * handle validation with help of Keycloak.
  *
- * @param {string} field The authorization field, e.g. the value of `Authorization`
- * @param {Function} reply The callback handler
+ * @param {string} d The authorization field, e.g. the value of `Authorization`
+ * @param {Function} done The callback handler
  */
-function validate (field, reply) {
-  const tkn = token(field)
-  fakeReply(reply)
+function validate (field, done) {
+  const tkn = token.create(field)
+  const reply = fakeReply(done)
 
   if (!tkn) {
     return reply(error('unauthorized', error.msg.missing))
   }
 
-  cache.get(tkn.get(), (err, cached) => {
+  cache.get(store, tkn, (err, cached) => {
     const isCached = cached && !err
     isCached ? reply.continue(cached) : handleKeycloakValidation(tkn, reply)
   })
@@ -115,10 +117,7 @@ function validate (field, reply) {
 function strategy (server) {
   return {
     authenticate (request, reply) {
-      return server.kjwt.validate(
-        request.raw.req.headers.authorization,
-        reply
-      )
+      return validate(request.raw.req.headers.authorization, reply)
     }
   }
 }
@@ -138,8 +137,7 @@ function strategy (server) {
 function plugin (server, opts, next) {
   options = verify(opts)
   manager = new GrantManager(options)
-
-  cache.init(server, options.cache)
+  store = cache.create(server, options.cache)
 
   server.auth.scheme('keycloak-jwt', strategy)
   server.decorate('server', 'kjwt', { validate })