should be clear that jwt passed to secretOrKeyProvider is not decoded

mikenicholson · mikenicholson · commit 1bb3d5ba5201 · 2017-07-27T23:45:12.000-04:00
diff --git a/README.md b/README.md
@@ -29,9 +29,9 @@ extracted from the request or verified.
 * `secretOrKey` is a string or buffer containing the secret
   (symmetric) or PEM-encoded public key (asymmetric) for verifying the token's
   signature. REQUIRED unless `secretOrKeyProvider` is provided.
-* `secretOrKeyProvider` is a callback in the format `function secretOrKeyProvider(token, done)`,
+* `secretOrKeyProvider` is a callback in the format `function secretOrKeyProvider(request, rawJwtToken, done)`,
   which should call `done` with a secret or PEM-encoded public key (asymmetric) for the given key and request combination.
-  `done` accepts arguments in the format `function done(err, secret)`.
+  `done` accepts arguments in the format `function done(err, secret)`. Note it is up to the implementer to decode rawJwtToken.
   REQUIRED unless `secretOrKey` is provided.
 * `jwtFromRequest` (REQUIRED) Function that accepts a request as the only
   parameter and returns either the JWT as a string or *null*. See
diff --git a/lib/strategy.js b/lib/strategy.js
@@ -11,10 +11,10 @@ var passport = require('passport-strategy')
  *
  * @param options
  *          secretOrKey: String or buffer containing the secret or PEM-encoded public key. Required unless secretOrKeyProvider is provided.
- *          secretOrKeyProvider: callback in the format secretOrKeyProvider(request, token, done)`,
+ *          secretOrKeyProvider: callback in the format secretOrKeyProvider(request, rawJwtToken, done)`,
  *                               which should call done with a secret or PEM-encoded public key
- *                               (asymmetric) for the given token and  request combination. done
- *                               has the signature function done(err, secret).
+ *                               (asymmetric) for the given undecoded jwt token string and  request
+ *                               combination. done has the signature function done(err, secret).
  *                               REQUIRED unless `secretOrKey` is provided.
  *          jwtFromRequest: (REQUIRED) Function that accepts a reqeust as the only parameter and returns the either JWT as a string or null
  *          issuer: If defined issuer will be verified against this value
@@ -36,7 +36,7 @@ function JwtStrategy(options, verify) {
         if (this._secretOrKeyProvider) {
           	throw new TypeError('JwtStrategy has been given both a secretOrKey and a secretOrKeyProvider');
         }
-        this._secretOrKeyProvider = function (request, token, done) {
+        this._secretOrKeyProvider = function (request, rawJwtToken, done) {
             done(null, options.secretOrKey)
         };
     }
