Authentication Bearer addition

janishar · janishar · commit fae6e2c1febe · 2020-04-11T03:53:16.000+05:30
diff --git a/src/auth/authUtils.ts b/src/auth/authUtils.ts
@@ -5,13 +5,19 @@ import { Types } from 'mongoose';
 import User from '../database/model/User';
 import { tokenInfo } from '../config';
 
-export const validateTokenData = async (payload: JwtPayload, userId: Types.ObjectId): Promise<JwtPayload> => {
+export const getAccessToken = (authorization: string) => {
+	if (!authorization) throw new AuthFailureError('Invalid Authorization');
+	if (!authorization.startsWith('Bearer ')) throw new AuthFailureError('Invalid Authorization');
+	return authorization.split(' ')[1];
+};
+
+export const validateTokenData = (payload: JwtPayload, userId: Types.ObjectId): boolean => {
 	if (!payload || !payload.iss || !payload.sub || !payload.aud || !payload.prm
 		|| payload.iss !== tokenInfo.issuer
 		|| payload.aud !== tokenInfo.audience
 		|| payload.sub !== userId.toHexString())
 		throw new AuthFailureError('Invalid Access Token');
-	return payload;
+	return true;
 };
 
 export const createTokens = async (user: User, accessTokenKey: string, refreshTokenKey: string)
diff --git a/src/auth/authentication.ts b/src/auth/authentication.ts
@@ -5,7 +5,7 @@ import { AuthFailureError, AccessTokenError, TokenExpiredError } from '../core/A
 import JWT, { ValidationParams } from '../core/JWT';
 import KeystoreRepo from '../database/repository/KeystoreRepo';
 import { Types } from 'mongoose';
-import { validateTokenData } from './authUtils';
+import { getAccessToken } from './authUtils';
 import { tokenInfo } from '../config';
 import validator, { ValidationSource } from '../helpers/validator';
 import schema from './schema';
@@ -15,21 +15,24 @@ const router = express.Router();
 
 export default router.use(validator(schema.auth, ValidationSource.HEADER),
 	asyncHandler(async (req: ProtectedRequest, res, next) => {
-		req.accessToken = req.headers['x-access-token'].toString();
-
-		const user = await UserRepo.findById(new Types.ObjectId(req.headers['x-user-id'].toString()));
-		if (!user) throw new AuthFailureError('User not registered');
-		req.user = user;
+		req.accessToken = getAccessToken(req.headers.authorization); // Express headers are auto converted to lowercase
 
 		try {
+			const jwtPayload = await JWT.decode(req.accessToken);
+			if (!jwtPayload.sub || !Types.ObjectId.isValid(jwtPayload.sub))
+				throw new AuthFailureError('Invalid access token');
+
+			const user = await UserRepo.findById(new Types.ObjectId(jwtPayload.sub));
+			if (!user) throw new AuthFailureError('User not registered');
+			req.user = user;
+
 			const payload = await JWT.validate(
 				req.accessToken,
-				new ValidationParams(tokenInfo.issuer, tokenInfo.audience, user._id.toHexString()));
+				new ValidationParams(tokenInfo.issuer, tokenInfo.audience, req.user._id.toHexString()));
 
-			const jwtPayload = await validateTokenData(payload, req.user._id);
 			const keystore = await KeystoreRepo.findforKey(req.user._id, payload.prm);
 
-			if (!keystore || keystore.primaryKey !== jwtPayload.prm)
+			if (!keystore || keystore.primaryKey !== payload.prm)
 				throw new AuthFailureError('Invalid access token');
 
 			req.keystore = keystore;
diff --git a/src/auth/schema.ts b/src/auth/schema.ts
@@ -1,12 +1,11 @@
 import Joi from '@hapi/joi';
-import { JoiObjectId } from '../helpers/validator';
+import { JoiAuthBearer } from '../helpers/validator';
 
 export default {
 	apiKey: Joi.object().keys({
 		'x-api-key': Joi.string().required()
 	}).unknown(true),
 	auth: Joi.object().keys({
-		'x-access-token': Joi.string().required(),
-		'x-user-id': JoiObjectId().required(),
+		'authorization': JoiAuthBearer().required(),
 	}).unknown(true)
 };
diff --git a/src/core/JWT.ts b/src/core/JWT.ts
@@ -42,33 +42,20 @@ export default class JWT {
 		} catch (e) {
 			Logger.debug(e);
 			if (e && e.name === 'TokenExpiredError') throw new TokenExpiredError();
+			// throws error if the token has not been encrypted by the private key
 			throw new BadTokenError();
 		}
 	}
 
 	/**
-	 * This method checks the token and returns the decoded data even when the token is expired
+	 * Returns the decoded payload without verifying if the signature is valid.
 	 */
-	public static async decode(token: string, validations: ValidationParams): Promise<JwtPayload> {
-		const cert = await this.readPublicKey();
+	public static async decode(token: string): Promise<JwtPayload> {
 		try {
-			// token is verified if it was encrypted by the private key
-			// and if is still not expired then get the payload
-			// @ts-ignore
-			return <JwtPayload>await promisify(verify)(token, cert, validations);
+			return <JwtPayload>decode(token);
 		} catch (e) {
 			Logger.debug(e);
-			if (e && e.name === 'TokenExpiredError') {
-				// if the token has expired but was encryped by the private key
-				// then decode it to get the payload
-				// @ts-ignore
-				return <JwtPayload>decode(token);
-			}
-			else {
-				// throws error if the token has not been encrypted by the private key
-				// or has not been issued for the user
-				throw new BadTokenError();
-			}
+			throw new BadTokenError();
 		}
 	}
 }
diff --git a/src/helpers/validator.ts b/src/helpers/validator.ts
@@ -21,6 +21,11 @@ export const JoiUrlEndpoint = () => Joi.string().custom((value: string, helpers)
 	return value;
 }, 'Url Endpoint Validation');
 
+export const JoiAuthBearer = () => Joi.string().custom((value: string, helpers) => {
+	if (!value.startsWith('Bearer ')) return helpers.error('any.invalid');
+	if (!value.split(' ')[1]) return helpers.error('any.invalid');
+	return value;
+}, 'Authorization Header Validation');
 
 export default (schema: Joi.ObjectSchema, source: ValidationSource = ValidationSource.BODY) =>
 	(req: Request, res: Response, next: NextFunction) => {
diff --git a/src/routes/v1/access/token.ts b/src/routes/v1/access/token.ts
@@ -7,7 +7,7 @@ import { AuthFailureError, } from '../../../core/ApiError';
 import JWT, { ValidationParams } from '../../../core/JWT';
 import KeystoreRepo from '../../../database/repository/KeystoreRepo';
 import crypto from 'crypto';
-import { validateTokenData, createTokens } from '../../../auth/authUtils';
+import { validateTokenData, createTokens, getAccessToken } from '../../../auth/authUtils';
 import validator, { ValidationSource } from '../../../helpers/validator';
 import schema from './schema';
 import asyncHandler from '../../../helpers/asyncHandler';
@@ -18,29 +18,23 @@ const router = express.Router();
 router.post('/refresh',
 	validator(schema.auth, ValidationSource.HEADER), validator(schema.refreshToken),
 	asyncHandler(async (req: ProtectedRequest, res, next) => {
-		req.accessToken = req.headers['x-access-token'].toString();
+		req.accessToken = getAccessToken(req.headers.authorization); // Express headers are auto converted to lowercase
 
-		const user = await UserRepo.findById(new Types.ObjectId(req.headers['x-user-id'].toString()));
+		const accessTokenPayload = await JWT.decode(req.accessToken);
+		if (!accessTokenPayload.sub || !Types.ObjectId.isValid(accessTokenPayload.sub))
+			throw new AuthFailureError('Invalid access token');
+
+		const user = await UserRepo.findById(new Types.ObjectId(accessTokenPayload.sub));
 		if (!user) throw new AuthFailureError('User not registered');
 		req.user = user;
 
-		const accessTokenPayload = await validateTokenData(
-			await JWT.decode(req.accessToken,
-				new ValidationParams(
-					tokenInfo.issuer,
-					tokenInfo.audience,
-					req.user._id.toHexString())),
-			req.user._id
-		);
+		validateTokenData(accessTokenPayload, req.user._id);
 
-		const refreshTokenPayload = await validateTokenData(
-			await JWT.validate(req.body.refreshToken,
-				new ValidationParams(
-					tokenInfo.issuer,
-					tokenInfo.audience,
-					req.user._id.toHexString())),
-			req.user._id
-		);
+		const refreshTokenPayload = await JWT.validate(req.body.refreshToken,
+			new ValidationParams(
+				tokenInfo.issuer,
+				tokenInfo.audience,
+				req.user._id.toHexString()));
 
 		const keystore = await KeystoreRepo.find(
 			req.user._id,
diff --git a/tests/auth/authentication/mock.ts b/tests/auth/authentication/mock.ts
@@ -16,6 +16,11 @@ export const mockUserFindById = jest.fn(async (id: Types.ObjectId) => {
 	else return null;
 });
 
+export const mockJwtDecode = jest.fn(async (token: string): Promise<JwtPayload> => {
+	if (token == ACCESS_TOKEN) return <JwtPayload>{ sub: USER_ID.toHexString() };
+	throw new BadTokenError();
+});
+
 export const mockJwtValidate = jest.fn(
 	async (token: string, validations: ValidationParams): Promise<JwtPayload> => {
 		if (token == ACCESS_TOKEN) return <JwtPayload>{ prm: 'abcdef' };
@@ -25,13 +30,6 @@ export const mockJwtValidate = jest.fn(
 export const mockKeystoreFindForKey = jest.fn(
 	async (client: User, key: string): Promise<Keystore> => (<Keystore>{ client: client, primaryKey: key }));
 
-export const mockValidateTokenData =
-	jest.fn(async (payload: JwtPayload, userId: Types.ObjectId): Promise<JwtPayload> => payload);
-
-jest.mock('../../../src/auth/authUtils', () => ({
-	get validateTokenData() { return mockValidateTokenData; }
-}));
-
 jest.mock('../../../src/database/repository/UserRepo', () => ({
 	get findById() { return mockUserFindById; }
 }));
@@ -41,13 +39,13 @@ jest.mock('../../../src/database/repository/KeystoreRepo', () => ({
 }));
 
 JWT.validate = mockJwtValidate;
+JWT.decode = mockJwtDecode;
 
 export const addHeaders = (request: any) => request
 	.set('Content-Type', 'application/json')
 	.set('x-api-key', API_KEY);
 
-export const addAuthHeaders = (request: any, userId: Types.ObjectId = USER_ID) => request
+export const addAuthHeaders = (request: any) => request
 	.set('Content-Type', 'application/json')
-	.set('x-api-key', API_KEY)
-	.set('x-access-token', ACCESS_TOKEN)
-	.set('x-user-id', userId.toHexString());
+	.set('Authorization', `Bearer ${ACCESS_TOKEN}`)
+	.set('x-api-key', API_KEY);
diff --git a/tests/auth/authentication/unit.test.ts b/tests/auth/authentication/unit.test.ts
@@ -1,6 +1,6 @@
 import {
 	USER_ID, ACCESS_TOKEN, addHeaders, addAuthHeaders,
-	mockValidateTokenData, mockUserFindById, mockJwtValidate, mockKeystoreFindForKey
+	mockUserFindById, mockJwtValidate, mockJwtDecode, mockKeystoreFindForKey
 } from './mock';
 
 import app from '../../../src/app';
@@ -12,63 +12,48 @@ describe('authentication validation', () => {
 	const request = supertest(app);
 
 	beforeEach(() => {
-		mockValidateTokenData.mockClear();
 		mockUserFindById.mockClear();
 		mockJwtValidate.mockClear();
+		mockJwtDecode.mockClear();
 		mockKeystoreFindForKey.mockClear();
 	});
 
-	it('Should response with 400 if x-access-token header is not passed', async () => {
-		const response = await addHeaders(request.get(endpoint))
-			.set('x-user-id', USER_ID.toHexString());
+	it('Should response with 400 if Authorization header is not passed', async () => {
+		const response = await addHeaders(request.get(endpoint));
 		expect(response.status).toBe(400);
-		expect(response.body.message).toMatch(/x-access-token/);
+		expect(response.body.message).toMatch(/authorization/);
+		expect(mockJwtDecode).not.toBeCalled();
 		expect(mockUserFindById).not.toBeCalled();
 	});
 
-	it('Should response with 400 if x-user-id header is not passed', async () => {
-		const response = await addHeaders(request.get(endpoint))
-			.set('x-access-token', ACCESS_TOKEN);
-		expect(response.status).toBe(400);
-		expect(response.body.message).toMatch(/x-user-id/);
-		expect(mockUserFindById).not.toBeCalled();
-	});
 
-	it('Should response with 400 if x-user-id header is not mongoose id', async () => {
+	it('Should response with 400 if Authorization header do not have Bearer', async () => {
 		const response = await addHeaders(request.get(endpoint))
-			.set('x-access-token', ACCESS_TOKEN)
-			.set('x-user-id', '123');
+			.set('Authorization', '123');
 		expect(response.status).toBe(400);
-		expect(response.body.message).toMatch(/x-user-id/);
+		expect(response.body.message).toMatch(/authorization/);
+		expect(mockJwtDecode).not.toBeCalled();
 		expect(mockUserFindById).not.toBeCalled();
 	});
 
-	it('Should response with 401 if wrong x-user-id header is provided', async () => {
+	it('Should response with 401 if wrong Authorization header is provided', async () => {
 		const response = await addHeaders(request.get(endpoint))
-			.set('x-access-token', ACCESS_TOKEN)
-			.set('x-user-id', '5e7b8c22d347fc2407c564a6'); // some random mongoose id
-		expect(response.status).toBe(401);
-		expect(response.body.message).toMatch(/not registered/);
-		expect(mockUserFindById).toBeCalledTimes(1);
-	});
-
-	it('Should response with 401 if wrong x-access-token header is provided', async () => {
-		const response = await addHeaders(request.get(endpoint))
-			.set('x-access-token', '123')
-			.set('x-user-id', USER_ID);
+			.set('Authorization', 'Bearer 123');
 		expect(response.status).toBe(401);
 		expect(response.body.message).toMatch(/token/i);
-		expect(mockUserFindById).toBeCalledTimes(1);
-		expect(mockJwtValidate).toBeCalledTimes(1);
+		expect(mockJwtDecode).toBeCalledTimes(1);
+		expect(mockJwtDecode).toBeCalledWith('123');
+		expect(mockUserFindById).not.toBeCalled();
 	});
 
-	it('Should response with 404 if correct x-access-token and x-user-id header are provided', async () => {
+	it('Should response with 404 if correct Authorization header is provided', async () => {
 		const response = await addAuthHeaders(request.get(endpoint));
 		expect(response.body.message).not.toMatch(/not registered/);
 		expect(response.body.message).not.toMatch(/token/i);
 		expect(response.status).toBe(404);
+		expect(mockJwtDecode).toBeCalledTimes(1);
+		expect(mockJwtDecode).toBeCalledWith(ACCESS_TOKEN);
 		expect(mockUserFindById).toBeCalledTimes(1);
-		expect(mockValidateTokenData).toBeCalledTimes(1);
 		expect(mockJwtValidate).toBeCalledTimes(1);
 	});
 });
diff --git a/tests/auth/authorization/mock.ts b/tests/auth/authorization/mock.ts
@@ -5,7 +5,6 @@ import { Types } from 'mongoose';
 import User from '../../../src/database/model/User';
 import Role, { RoleCode } from '../../../src/database/model/Role';
 
-
 export const LEARNER_ROLE_ID = new Types.ObjectId(); // random id
 export const WRITER_ROLE_ID = new Types.ObjectId(); // random id
 export const EDITOR_ROLE_ID = new Types.ObjectId(); // random id
diff --git a/tests/auth/authorization/unit.test.ts b/tests/auth/authorization/unit.test.ts
@@ -2,7 +2,7 @@ import { addAuthHeaders } from '../authentication/mock';
 
 // import the mock for the current test after all other mock imports
 // this will prevent the different implementations by the other mock
-import { mockRoleRepoFindByCode, mockUserFindById, USER_ID_WRITER } from './mock';
+import { mockRoleRepoFindByCode, mockUserFindById } from './mock';
 
 import app from '../../../src/app';
 import supertest from 'supertest';
@@ -39,7 +39,7 @@ describe('authentication validation for writer', () => {
 	});
 
 	it('Should response with 404 if user have writer role', async () => {
-		const response = await addAuthHeaders(request.get(endpoint), USER_ID_WRITER);
+		const response = await addAuthHeaders(request.get(endpoint));
 		expect(response.status).toBe(404);
 		expect(mockRoleRepoFindByCode).toBeCalledTimes(1);
 		expect(mockUserFindById).toBeCalledTimes(1);
