I'm stuck writing a test for my get endpoint which requires a token of the admin to return a list of users.
Here is my user endpoint:
app.get("/users", (req,res) => {
const payload = req.payload
if (payload && payload.user === "admin") {
User.find({}, (err, users) => {
if(!err) {
res.status(200).send(users)
} else { res.status(500).send(err) }
})
} else { res.status(500).send("Authentication Error!)}
}
Here's my jwt middleware:
module.exports = {
validateToken: (req, res, next) => {
const authorizationHeader = req.headers.authorization;
let result;
if (authorizationHeader) {
const token = req.headers.authorization.split(" ")[1]; // Bearer <token>
const options = {
expiresIn: "2d",
issuer: "clint maruti"
};
try {
// verify makes sure that the token hasn't expired and has been issued by us
result = jwt.verify(token, process.env.JWT_SECRET, options);
// Let's pass back the decoded token to the request object
req.decoded = result;
// We call next to pass execution to the subsequent middleware
next();
} catch (err) {
// Throw an error just in case anything goes wrong with verification
throw new Error(err)
}
} else {
result = {
error: 'Authentication error. Token required.',
status: 401
}
res.status(401).send(result)
}
}
};
Here's my sample test:
let User = require("../models/users");
// Require dev dependencies
let chai = require("chai");
let chaiHttp = require("chai-http");
let app = require("../app");
let should = chai.should();
chai.use(chaiHttp);
let defaultUser = {
name: "admin",
password: "admin#123"
};
let token;
// parent block
describe("User", () => {
beforeEach(done => {
chai
.request(app)
.post("/users")
.send(defaultUser)
.end((err, res) => {
res.should.have.status(200);
done();
});
});
beforeEach(done => {
chai
.request(app)
.post("/login")
.send(defaultUser)
.end((err, res) => {
token = res.body.token;
res.should.have.status(200);
done();
});
});
afterEach(done => {
// After each test we truncate the database
User.remove({}, err => {
done();
});
});
describe("/get users", () => {
it("should fetch all users successfully", done => {
chai
.request(app)
.set("Authentication", token)
.get("/users")
.end((err, res) => {
res.should.have.status(200);
res.body.should.be.a("object");
res.body.should.have.property("users");
done();
});
});
});
});
Problem:
My test is giving me an assertion error 500 instead of 200 of the status code, I have written 2 beforeEach functions. One, to register the admin and the other one to Login the admin and get the token. I wonder if this is what is bringing the error? Please help
I found the answer here:
How to send Headers ('Authorization','Bearer token') in Mocha Test cases
You have to set { Authorization: "Bearer" + token } instead of "Authentication", token
You have to call .set after .get
describe("/get users", () => {
it("should fetch all users successfully", (done) => {
chai
.request(app)
.get("/users")
.set({ Authorization: `Bearer ${token}` })
.end((err, res) => {
res.should.have.status(200);
res.body.should.be.a("object");
res.body.should.have.property("users");
done();
});
});
});
chai-http has auth function to send the Authorization Bearer token.
Accroding to chai-http code on Github, token can be pass using:
.auth(accessToken, { type: 'bearer' })
An example provided on the similar Question:
https://stackoverflow.com/a/66106588/4067905
Related
I am a beginner with node js. I want to make an authentication server using jwt (jsonwebtoken).
The problem is when I test my end point "/api/posts?authorisation=Bearer token..." in postman with method POST with the right token, it gives me forbidden.
Here is my code:
const express = require('express')
const jwt = require('jsonwebtoken')
const app = express()
app.get("/api", (req, res) => {
res.json({
message: "Hey there!!!"
})
})
app.post('/api/posts', verifyToken, (req, res) => {
jwt.verify(req.token, "secretkey", (err, authData) => {
if (err) {
res.sendStatus(403) //forbidden
res.send(`<h2>${err}</h2>`)
} else {
res.json({
message: "Post Created...",
authData
})
}
})
})
app.post('/api/login', (req, res) => {
const user = {
id: 1,
username: "John",
email: "john#gmail.com"
}
jwt.sign({ user: user }, "secretkey", (err, token) => {
res.json({
token
})
})
})
function verifyToken(req, res, next) {
const bearerHeader = req.headers["authorization"]
if (typeof bearerHeader !== "undefined") {
const bearerToken = bearerHeader.split(" ")[1]
req.token = bearerToken
next()
} else {
res.sendStatus(403) //forbidden
}
}
app.listen(5000, () => {
console.log("Server is running :)")
})
I expected it to work because I brought it from a tutorial.
Your code works
The problem is in your request invocation:
According to the oauth2 spec, the Authorization token should be a header and your code expect that
So the token should be sent as http header, not as a query param like foo/bar?authorization=Bearer token...".
Here some samples
Postman
Axios (javascript)
let webApiUrl = 'example.com/getStuff';
let tokenStr = 'xxyyzz';
axios.get(webApiUrl,
{ headers: { "Authorization": `Bearer ${tokenStr}` } });
Advice
Read about oauth2 and jwt
Perform the token validation in the middleware to avoid the validation on each route
I am trying to get my token variable from /signing to provide it to the name change route. But the assertion is not always triggering. Can there be any better way to do this? Can I use async-await to solve this problem, if so, how?
describe("setName", function (done) {
it("/POST user setName", function (done) {
Users.remove({}, (err) => {
console.log(chalk.bgBlue(`Removing User`));
// done();
});
let user = {
"email": "tiwari.ai.harsh#gmail.com",
"password": "password",
"name": "Harsh Tiwari"
}
var requester = chai.request(app).keepOpen()
requester.post("/api/users/signin").send({
user
}).end((err_signin, res_signin) => {
let token = res_signin.body.user.token;
let name = "Name Changed"
requester.post("/api/users/setName").set({ authorization: `Token ${token}` }).send({
name
}).end((err, res) => {
res.should.have.status(200); <--------------------------- This is not working
});
done()
});
});
});
The current code will execute done before the requester.post("/api/users/setName") finish because it is an async execution.
To solve the issue, the done() should be specified after res.should.have.status(200);
describe('setName', function (done) {
// NOTE: I also moved remove function here to ensure user is removed correctly
before(function(done) {
Users.remove({}, (err) => {
console.log(chalk.bgBlue(`Removing User`));
done(); // NOTE: also specify done to tell mocha that async execution is finished
});
})
it('/POST user setName', function (done) {
let user = {
email: 'tiwari.ai.harsh#gmail.com',
password: 'password',
name: 'Harsh Tiwari',
};
var requester = chai.request(app).keepOpen();
requester
.post('/api/users/signin')
.send({
user,
})
.end((err_signin, res_signin) => {
let token = res_signin.body.user.token;
let name = 'Name Changed';
requester
.post('/api/users/setName')
.set({ authorization: `Token ${token}` })
.send({
name,
})
.end((err, res) => {
res.should.have.status(200);
done(); // NOTE: move here
});
});
});
});
I have a login system with tokens. When logging in, it checks whether such a user exists, doesn't have information about current user during the login session. What's the easiest way to check it and send response to frontend?
Routes:
function verifyToken(req, res, next) {
if (!req.headers.authorization) {
return res.status(401).send('Unauthorized request');
}
let token = req.headers.authorization.split(' ')[1];
if (token === 'null') {
return res.status(401).send('Unauthorized request');
}
let payload = jwt.verify(token, 'secretKey');
if (!payload) {
return res.status(401).send('Unauthorized request');
}
req.userId = payload.subject;
next();
}
router.post('/register', (req, res) => {
let userData = req.body;
let user = new User(userData);
user.save((error, registeredUser) => {
if (error) {
console.log(error);
} else {
let payload = { subject: registeredUser._id };
let token = jwt.sign(payload, 'secretKey');
res.status(200).send({ token });
}
})
})
router.post('/login', (req, res) => {
let userData = req.body;
User.findOne({ email: userData.email }, (error, user) => {
if (error) {
console.log(error);
} else {
if (!user) {
res.status(401).send('Invalid email');
} else
if (user.password !== userData.password) {
res.status(401).send('Invalid password')
} else {
let payload = { subject: user._id };
let token = jwt.sign(payload, 'secretKey');
res.status(200).send({ token });
}
}
})
})
You could try using a middleware to retrieve the token from the Authorization header and retrieve the userId from there, the middleware could look something like this:
const decodeToken = (token) => {
return jwt.verify(token, 'secretKey', (err, decoded) => {
if (err) {
return undefined;
}
return decoded;
});
};
const authorize = (req, res, next) => {
if (!req.headers.authorization) {
return res.status(401).send({message: 'UNAUTHORIZED'});
}
const token = req.headers.authorization.split(' ')[1];
if (!token) {
return res.status(401).send({message: 'UNAUTHORIZED'});
}
const decodedToken = decodeToken(token);
if (!decodedToken) {
return res.status(401).send({message: 'UNAUTHORIZED'});
}
req.userId = decodedToken.subject;
next();
};
module.exports = authorize;
Hope this helps you, if not, I hope you find your answer :)
EDIT
To use the middleware you only need to add it to your route, I´ll leave you an example with a get request:
const authorize = require('../middleware/authorize');
router.get('/someroute', authorize, (req, res) => {
// authorize will verify the token and attach the userId to your request
// so to use it you'll only need to call req.userId
// something like this
console.log('current logged user id', req.userId);
// YOUR CODE HERE
});
I'm building a small application where a user logs in and gets redirected to /profile. Right now, I fetch the JWT from localstorage and check it via the server. The server then sends it back to the client to tell me if it's a valid session or not.
jQuery/Client:
UserController.initPanel = () => {
if (session === null) {
window.location = "/";
} else {
UserController.requestAuth(session);
}
};
UserController.requestAuth = (sessionToken) => {
var settings = {
"url": "/api/auth",
"method": "POST",
"headers": {
"Content-Type": "application/json",
"Authorization": `Bearer ${sessionToken}`,
},
"data": ""
}
$.ajax(settings).done(function (response) {
console.log(response);
});
};
Node.js/auth.js route:
router.post("/", (req, res) => {
const authHeader = req.headers.authorization;
if (typeof authHeader !== 'undefined') {
const bearerToken = authHeader.split(' ')[1];
verifyToken(bearerToken, (authData) => {
tokenRequest(authData, (authResponse) => {
handleAuthResponse(req, res, authResponse);
})
});
}
});
const handleAuthResponse = (req, res, authResponse) => {
console.log(authResponse);
return res.status(200).json(authResponse);
}
const verifyToken = (token, cb) => {
jwt.verify(token, 'mysecret', (err, authData) => {
if (err) {
res.sendStatus(403)
} else {
cb(authData);
}
});
}
const tokenRequest = (authHeader, cb) => {
//console.log(authHeader);
var config = {
headers: {'Authorization': `bearer ${authHeader.token}`}
};
axios.get('https://myapi.dev/api/session/me', config)
.then((res) => {
if (res.data.error) {
return response.data
} else {
cb(res.data);
}
})
.catch((error) => {
console.log('error', error);
});
}
I feel like this isn't the correct way to do it. I'm rendering templates with ejs:
router.get("/profile", (req, res) => {
const settings = {
title: "Profile",
revslider: false
};
res.render("profile/profile", { settings: settings } );
});
And if for some reason, JS is disabled, /profile is still accessible. Which isn't that big of a problem, it just feels wrong.
So, is it possible to access /profile route, securely checking for authorization server-side first, before rendering?
Also, auth.js returns some user data I could use in the .ejs template. So that's another reason I'd like to try check auth before rendering as well.
EDIT:
Auth middleware, which I didn't use because I wasn't sure how to pass in the token?
module.exports = (req, res, next) => {
try {
const decoded = jwt.verify(req.body.token, 'mysecret');
req.token = decoded;
} catch (error) {
console.log(error);
return res.status(401).json({
message: 'Auth Failed'
});
}
next();
}
Very basic middleware implementation below which leverages express and express-session.
We basically create a simple function to check req.session exists, within that object, you could have something that identifies whether the user has actually authenticated. I'd recommend you add your own logic here to further check the user status.
const authCheckMiddleware = (req, res, next) => {
// Perform auth checking logic here, which you can attach
// to any route.
if(!req.session) {
return res.redirect('/');
}
next();
};
The authCheckMiddleware can be attached to any route, with app.use or router.use. The req object is passed to all middleware.
// Use the authCheckMiddleware function
router.use('/profile', authCheckMiddleware);
Your router.get('/profile') call is now protected by the above middleware.
// Route protected by above auth check middleware
router.get("/profile", (req, res) => {
const settings = {
title: "Profile",
revslider: false
};
res.render("profile/profile", { settings: settings } );
});
i've got a problem
I'm trying to make a simple login page,
but i've problem with passing the token through http header
app.post('/login',(req,res) => {
var body = req.body.user;
User.findByCredentials(body.email,body.password).then((user) => {
return user.generateAuthToken().then((token) => {
res.header('x-auth', token).send(user);
});
}).catch((e) => {
res.status(400).send();
});
});
here is the route for login page, I saved the token in 'x-auth' in header, and it's work
but...
var authenticate = (req, res, next) => {
var token = req.header('x-auth');
User.findByToken(token).then((user) => {
if (!user) {
return Promise.reject();
}
req.user = user;
req.token = token;
next();
}).catch((e) => {
res.status(401).send();
});
};
module.exports = {authenticate};
this function is middle-ware for privet routes, when I asking for 'x-auth' i've got 'undifined'
here is the piece that connect between both codes
app.get('/',authenticate,(req,res) => {
res.sendFile(publicPath + '/index.html');
});
someone can help me with that?