Merge branch 'secret-key-provider' of https://github.com/gpoole/passport-jwt into pr108-secret-key-provider

Author: mikenicholson

README.md

@@ -26,12 +26,15 @@ The JWT authentication strategy is constructed as follows:
 `options` is an object literal containing options to control how the token is
 extracted from the request or verified.
 
-* `secretOrKey` is a REQUIRED string or buffer containing the secret
+* `secretOrKey` is a string or buffer containing the secret
   (symmetric) or PEM-encoded public key (asymmetric) for verifying the token's
-  signature.
-
+  signature. REQUIRED unless `secretOrKeyProvider` is provided.
+* `secretOrKeyProvider` is a callback in the format `function secretOrKeyProvider(token, done)`,
+  which should call `done` with a secret or PEM-encoded public key (asymmetric) for the given key and request combination.
+  `done` accepts arguments in the format `function done(err, secret)`.
+  REQUIRED unless `secretOrKey` is provided.
 * `jwtFromRequest` (REQUIRED) Function that accepts a request as the only
-  parameter and returns either the JWT as a string or *null*. See 
+  parameter and returns either the JWT as a string or *null*. See
   [Extracting the JWT from the request](#extracting-the-jwt-from-the-request) for
   more details.
 * `issuer`: If defined the token issuer (iss) will be verified against this
@@ -84,7 +87,7 @@ possible the JWT is parsed from the request by a user-supplied callback passed i
 `jwtFromRequest` parameter.  This callback, from now on referred to as an extractor,
 accepts a request object as an argument and returns the encoded JWT string or *null*.
 
-#### Included extractors 
+#### Included extractors
 
 A number of extractor factory functions are provided in passport-jwt.ExtractJwt. These factory
 functions return a new extractor configured with the given parameters.
@@ -105,7 +108,7 @@ functions return a new extractor configured with the given parameters.
 ### Writing a custom extractor function
 
 If the supplied extractors don't meet your needs you can easily provide your own callback. For
-example, if you are using the cookie-parser middleware and want to extract the JWT in a cookie 
+example, if you are using the cookie-parser middleware and want to extract the JWT in a cookie
 you could use the following function as the argument to the jwtFromRequest option:
 
 ```

lib/strategy.js

@@ -25,8 +25,18 @@ function JwtStrategy(options, verify) {
     passport.Strategy.call(this);
     this.name = 'jwt';
 
-    this._secretOrKey = options.secretOrKey;
-    if (!this._secretOrKey) {
+    this._secretOrKeyProvider = options.secretOrKeyProvider;
+
+    if (options.secretOrKey) {
+        if (this._secretOrKeyProvider) {
+          	throw new TypeError('JwtStrategy has been given both a secretOrKey and a secretOrKeyProvider');
+        }
+        this._secretOrKeyProvider = function (token, done) {
+            done(options.secretOrKey)
+        };
+    }
+
+    if (!this._secretOrKeyProvider) {
         throw new TypeError('JwtStrategy requires a secret or key');
     }
 
@@ -82,7 +92,7 @@ JwtStrategy.prototype.authenticate = function(req, options) {
     }
 
     // Verify the JWT
-    JwtStrategy.JwtVerifier(token, this._secretOrKey, this._verifOpts, function(jwt_err, payload) {
+    JwtStrategy.JwtVerifier(token, this._secretOrKeyProvider, this._verifOpts, function(jwt_err, payload) {
         if (jwt_err) {
             return self.fail(jwt_err);
         } else {

lib/verify_jwt.js

@@ -1,5 +1,14 @@
 var jwt = require('jsonwebtoken');
 
-module.exports  = function(token, secretOrKey, options, callback) { 
-    return jwt.verify(token, secretOrKey, options, callback);
+module.exports  = function(token, secretOrKeyProvider, options, callback, verify) {
+    if (!verify) {
+      verify = jwt.verify;
+    }
+    return secretOrKeyProvider(token, function (err, secretOrKey) {
+        if (err) {
+            callback(err);
+            return;
+        }
+        verify(token, secretOrKey, options, callback);
+    });
 };

test/strategy-validation-test.js

@@ -39,11 +39,13 @@ describe('Strategy', function() {
         });
 
 
-        it('should call with the right secret as an argument', function() {
-            expect(Strategy.JwtVerifier.args[0][1]).to.equal('secret');
+        it('should be given a function that calls done with the secretOrKey when passed the token', function() {
+            const secretOrKeyProvider = Strategy.JwtVerifier.args[0][1];
+            const doneSpy = sinon.spy();
+            secretOrKeyProvider(null, doneSpy);
+            expect(doneSpy.calledWith('secret')).to.be.true;
         });
 
-
         it('should call with the right issuer option', function() {
             expect(Strategy.JwtVerifier.args[0][2]).to.be.an.object;
             expect(Strategy.JwtVerifier.args[0][2].issuer).to.equal('TestIssuer');

test/strategy-verify-test.js

@@ -2,19 +2,20 @@ var chai = require('chai')
     , Strategy = require('../lib/strategy')
     , test_data = require('./testdata')
     , sinon = require('sinon')
+    , verify = require('../lib/verify_jwt')
     , extract_jwt = require('../lib/extract_jwt');
 
 
 describe('Strategy', function() {
 
     before(function() {
-        Strategy.JwtVerifier = sinon.stub(); 
+        Strategy.JwtVerifier = sinon.stub();
         Strategy.JwtVerifier.callsArgWith(3, null, test_data.valid_jwt.payload);
     });
 
     describe('Handling a request with a valid JWT and succesful verification', function() {
 
-        var strategy, user, info; 
+        var strategy, user, info;
 
         before(function(done) {
             strategy = new Strategy({jwtFromRequest:extract_jwt.fromAuthHeader(), secretOrKey: 'secret'}, function(jwt_paylod, next) {
@@ -63,7 +64,7 @@ describe('Strategy', function() {
                     info = i;
                     done();
                 })
-                .req(function(req) { 
+                .req(function(req) {
                     req.headers['authorization'] = "JWT " + test_data.valid_jwt.token;
                 })
                 .authenticate();
@@ -74,7 +75,7 @@ describe('Strategy', function() {
             expect(info).to.be.an.object;
             expect(info.message).to.equal('invalid user');
         });
-        
+
     });
 
 
@@ -93,7 +94,7 @@ describe('Strategy', function() {
                     err = e;
                     done();
                 })
-                .req(function(req) { 
+                .req(function(req) {
                     req.headers['authorization'] = "JWT " + test_data.valid_jwt.token;
                 })
                 .authenticate();
@@ -122,7 +123,7 @@ describe('Strategy', function() {
                     err = e;
                     done();
                 })
-                .req(function(req) { 
+                .req(function(req) {
                     req.headers['authorization'] = "JWT " + test_data.valid_jwt.token;
                 })
                 .authenticate();
@@ -169,4 +170,26 @@ describe('Strategy', function() {
 
     });
 
+    describe('verify function', function() {
+        it('should call the secretOrKeyProvider with the token and pass it to verify', function() {
+            const provider = sinon.spy(function(token, done) {
+              done(null, 'secret');
+            });
+            const verifyStub = sinon.stub();
+            verify(test_data.valid_jwt.payload, provider, null, null, verifyStub);
+            expect(provider.calledOnce).to.be.true;
+            expect(provider.calledWith(test_data.valid_jwt.payload)).to.be.true;
+            expect(verifyStub.calledWith(test_data.valid_jwt.payload, 'secret')).to.be.true;
+        });
+
+        it('should call the callback with an error if the secretOrKeyProvider fails to return a key', function() {
+            const providerStub = function(token, done) {
+              done(new Error('invalid key'));
+            };
+            const callback = sinon.spy();
+            verify(test_data.valid_jwt.payload, providerStub, null, callback);
+            expect(callback.calledWith(sinon.match.instanceOf(Error)));
+        });
+    });
+
 });