implement mode:'optional' and fix broken tests

Author: Max Marttinen

src/index.js

@@ -139,11 +139,15 @@ async function handleKeycloakValidation (tkn, h) {
  * @throws {Boom.unauthorized} If header is missing or has an invalid format
  */
 async function validate (field, h = (data) => data) {
+  if (!field) {
+    throw raiseUnauthorized(errorMessages.missing)
+  }
+
   const tkn = token.create(field)
   const reply = fakeToolkit(h)
 
   if (!tkn) {
-    throw raiseUnauthorized(errorMessages.missing)
+    throw raiseUnauthorized(errorMessages.invalid)
   }
 
   const cached = await cache.get(store, tkn)

src/utils.js

@@ -117,11 +117,15 @@ function verify (opts) {
  * @returns {Boom.unauthorized} The created `Boom` error
  */
 function raiseUnauthorized (error, reason, scheme = 'Bearer') {
-  return boom.unauthorized(null, scheme, {
-    strategy: 'keycloak-jwt',
-    ...(error ? { error } : {}),
-    ...(reason && error !== reason ? { reason } : {})
-  })
+  return boom.unauthorized(
+    error !== errorMessages.missing ? error : null,
+    scheme,
+    {
+      strategy: 'keycloak-jwt',
+      ...(error === errorMessages.missing ? { error } : {}),
+      ...(reason && error !== reason ? { reason } : {})
+    }
+  )
 }
 
 /**
@@ -132,7 +136,7 @@ function raiseUnauthorized (error, reason, scheme = 'Bearer') {
  */
 const errorMessages = {
   invalid: 'Invalid credentials',
-  missing: 'Missing or invalid authorization header',
+  missing: 'Missing authorization header',
   rpt: 'Retrieving the RPT failed',
   apiKey: 'Retrieving the token with the api key failed'
 }

test/index.entitlement.spec.js

@@ -84,7 +84,7 @@ test('authentication does fail – invalid token', async (t) => {
 
   t.truthy(res)
   t.is(res.statusCode, 401)
-  t.is(res.headers['www-authenticate'], 'Bearer strategy="keycloak-jwt", error="Invalid credentials", reason="Retrieving the RPT failed"')
+  t.is(res.headers['www-authenticate'], 'Bearer strategy="keycloak-jwt", reason="Retrieving the RPT failed", error="Invalid credentials"')
 })
 
 test('authentication does fail – invalid header', async (t) => {
@@ -95,5 +95,5 @@ test('authentication does fail – invalid header', async (t) => {
 
   t.truthy(res)
   t.is(res.statusCode, 401)
-  t.is(res.headers['www-authenticate'], 'Bearer strategy="keycloak-jwt", error="Missing or invalid authorization header"')
+  t.is(res.headers['www-authenticate'], 'Bearer strategy="keycloak-jwt", error="Invalid credentials"')
 })

test/index.hapi-modes.spec.js

@@ -11,42 +11,28 @@ test.afterEach.always('reset instances and prototypes', () => {
 
 test('server method – authentication supports mode: "optional" - will succeed without auth', async (t) => {
   const server = await helpers.getServer(cfg)
-
   const res = await server.inject({
     method: 'GET',
-    url: '/mode-optional',
+    url: '/mode-optional'
   })
 
   t.truthy(res)
   t.is(res.statusCode, 200)
 })
 
 test('server method – authentication supports mode: "optional" - will fail with invalid auth', async (t) => {
+  const mockReq = helpers.mockRequest(fixtures.common.token, '/mode-optional')
   const server = await helpers.getServer(cfg)
-
-  const res = await server.inject({
-    method: 'GET',
-    url: '/mode-optional',
-    headers: {
-      authorization: `bearer invalid-token`
-    }
-  })
+  const res = await server.inject(mockReq)
 
   t.truthy(res)
   t.is(res.statusCode, 401)
-  t.is(err.output.headers['WWW-Authenticate'], 'Bearer strategy="keycloak-jwt", error="Invalid credentials"')
 })
 
 test('server method – authentication supports mode: "try" - will succeed with invalid auth', async (t) => {
+  const mockReq = helpers.mockRequest(fixtures.common.token, '/mode-try')
   const server = await helpers.getServer(cfg)
-
-  const res = await server.inject({
-    method: 'GET',
-    url: '/mode-try',
-    headers: {
-      authorization: `bearer ${fixtures.composeJwt('expired')}`
-    }
-  })
+  const res = await server.inject(mockReq)
 
   t.truthy(res)
   t.is(res.statusCode, 200)

test/index.introspect.spec.js

@@ -77,5 +77,5 @@ test('authentication does fail – invalid header', async (t) => {
 
   t.truthy(res)
   t.is(res.statusCode, 401)
-  t.is(res.headers['www-authenticate'], 'Bearer strategy="keycloak-jwt", error="Missing or invalid authorization header"')
+  t.is(res.headers['www-authenticate'], 'Bearer strategy="keycloak-jwt", error="Invalid credentials"')
 })

test/index.server.spec.js

@@ -52,7 +52,7 @@ test('server method – authentication does fail – invalid header', async (t)
   t.truthy(err)
   t.truthy(err.isBoom)
   t.is(err.output.statusCode, 401)
-  t.is(err.output.headers['WWW-Authenticate'], 'Bearer strategy="keycloak-jwt", error="Missing or invalid authorization header"')
+  t.is(err.output.headers['WWW-Authenticate'], 'Bearer strategy="keycloak-jwt", error="Invalid credentials"')
 })
 
 test('server method – authentication does fail – error', async (t) => {

test/index.verify.buffer.spec.js

@@ -49,7 +49,7 @@ test('authentication does fail – expired token', async (t) => {
 
   t.truthy(res)
   t.is(res.statusCode, 401)
-  t.is(res.headers['www-authenticate'], 'Bearer strategy="keycloak-jwt", error="Invalid credentials", reason="invalid token (expired)"')
+  t.is(res.headers['www-authenticate'], 'Bearer strategy="keycloak-jwt", reason="invalid token (expired)", error="Invalid credentials"')
 })
 
 test('authentication does fail – invalid header', async (t) => {
@@ -59,5 +59,5 @@ test('authentication does fail – invalid header', async (t) => {
 
   t.truthy(res)
   t.is(res.statusCode, 401)
-  t.is(res.headers['www-authenticate'], 'Bearer strategy="keycloak-jwt", error="Missing or invalid authorization header"')
+  t.is(res.headers['www-authenticate'], 'Bearer strategy="keycloak-jwt", error="Invalid credentials"')
 })

test/index.verify.jwk.spec.js

@@ -53,7 +53,7 @@ test('authentication does fail – expired token', async (t) => {
 
   t.truthy(res)
   t.is(res.statusCode, 401)
-  t.is(res.headers['www-authenticate'], 'Bearer strategy="keycloak-jwt", error="Invalid credentials", reason="invalid token (expired)"')
+  t.is(res.headers['www-authenticate'], 'Bearer strategy="keycloak-jwt", reason="invalid token (expired)", error="Invalid credentials"')
 })
 
 test('authentication does fail – invalid header', async (t) => {
@@ -63,5 +63,5 @@ test('authentication does fail – invalid header', async (t) => {
 
   t.truthy(res)
   t.is(res.statusCode, 401)
-  t.is(res.headers['www-authenticate'], 'Bearer strategy="keycloak-jwt", error="Missing or invalid authorization header"')
+  t.is(res.headers['www-authenticate'], 'Bearer strategy="keycloak-jwt", error="Invalid credentials"')
 })

test/index.verify.pem.spec.js

@@ -49,7 +49,7 @@ test('authentication does fail – expired token', async (t) => {
 
   t.truthy(res)
   t.is(res.statusCode, 401)
-  t.is(res.headers['www-authenticate'], 'Bearer strategy="keycloak-jwt", error="Invalid credentials", reason="invalid token (expired)"')
+  t.is(res.headers['www-authenticate'], 'Bearer strategy="keycloak-jwt", reason="invalid token (expired)", error="Invalid credentials"')
 })
 
 test('authentication does fail – invalid header', async (t) => {
@@ -59,5 +59,5 @@ test('authentication does fail – invalid header', async (t) => {
 
   t.truthy(res)
   t.is(res.statusCode, 401)
-  t.is(res.headers['www-authenticate'], 'Bearer strategy="keycloak-jwt", error="Missing or invalid authorization header"')
+  t.is(res.headers['www-authenticate'], 'Bearer strategy="keycloak-jwt", error="Invalid credentials"')
 })

test/utils.spec.js

@@ -27,21 +27,11 @@ test('get boom error with custom scheme', (t) => {
   }))
 })
 
-test('get boom error with default message', (t) => {
-  const result = utils.raiseUnauthorized('foobar')
-  t.truthy(result)
-  t.deepEqual(result, boom.unauthorized(null, 'Bearer', {
-    strategy: 'keycloak-jwt',
-    error: 'foobar'
-  }))
-})
-
 test('get boom error with error message', (t) => {
   const result = utils.raiseUnauthorized('foobar')
   t.truthy(result)
-  t.deepEqual(result, boom.unauthorized(null, 'Bearer', {
-    strategy: 'keycloak-jwt',
-    error: 'foobar'
+  t.deepEqual(result, boom.unauthorized('foobar', 'Bearer', {
+    strategy: 'keycloak-jwt'
   }))
 })