add new validation function (#21)

* add new auth function

* add new auth function that tests a bearer token against a function
* wrote a test for wrong header

* comment Promise.resolve block

* Update Readme.md

Co-Authored-By: Manuel Spigolon <[email protected]>

* Update Readme.md

Co-Authored-By: Manuel Spigolon <[email protected]>

* add more info about auth option

add info about what happens if auth is not a function or undefined

* remove failSilent. add request parameter

* remove failSilent option
* made the auth function to strictly return a literal boolean
* add request parameter to auth function

Author: panitaxx

Readme.md

@@ -45,6 +45,13 @@ sent to the client (optional)
 * `contentType`: If the content to be sent is anything other than
 `application/json`, then the `contentType` property must be set (optional)
 * `bearerType`: string specifying the Bearer string (optional)
+* `function auth (key, req) {}` : this function will test if `key` is a valid token.
+   The function must return literal `true` if the key is accepted or literal `false`
+   if rejected. The function may return also a promise that resolves to one of this
+   values. If the function returns or resolves to another value, rejects or throws 
+   it will send an HTTP status 500. `req` will contain the request object. If `auth`
+   is a function, `keys` will be ignored. If `auth` is not a function or undefined,
+   `keys` will be used.
 
 The default configuration object is:
 
@@ -55,7 +62,8 @@ The default configuration object is:
     bearerType: 'Bearer',
     errorResponse: (err) => {
       return {error: err.message}
-    }
+    },
+    auth: undefined
   }
   ```
 

plugin.js

@@ -6,6 +6,7 @@ const compare = require('secure-compare')
 function factory (options) {
   const defaultOptions = {
     keys: [],
+    auth: undefined,
     errorResponse (err) {
       return { error: err.message }
     },
@@ -14,7 +15,7 @@ function factory (options) {
   }
   const _options = Object.assign({}, defaultOptions, options || {})
   if (_options.keys instanceof Set) _options.keys = Array.from(_options.keys)
-  const { keys, errorResponse, contentType, bearerType } = _options
+  const { keys, errorResponse, contentType, bearerType, auth } = _options
 
   function bearerAuthHook (fastifyReq, fastifyRes, next) {
     const header = fastifyReq.req.headers['authorization']
@@ -27,22 +28,56 @@ function factory (options) {
     }
 
     const key = header.substring(bearerType.length).trim()
-    if (authenticate(keys, key) === undefined) {
-      const invalidKeyError = Error('invalid authorization header')
-      fastifyReq.log.error('invalid authorization header: `%s`', header)
-      if (contentType) fastifyRes.header('content-type', contentType)
-      fastifyRes.code(401).send(errorResponse(invalidKeyError))
-      return
+    let retVal
+    // check if auth function is defined
+    if (auth && auth instanceof Function) {
+      try {
+        retVal = auth(key, fastifyReq)
+      // catch any error from the user provided function
+      } catch (err) {
+        retVal = Promise.reject(err)
+      }
+    } else {
+    // if auth is not defined use keys
+      retVal = authenticate(keys, key)
     }
 
-    next()
+    const invalidKeyError = Error('invalid authorization header')
+
+    // retVal contains the result of the auth function if defined or the
+    // result of the key comparison.
+    // retVal is enclosed in a Promise.resolve to allow auth to be a normal
+    // function or an async funtion. If it returns a non-promise value it
+    // will be converted to a resolving promise. If it returns a promise it
+    // will be resolved.
+    Promise.resolve(retVal).then((val) => {
+      // if val is not truthy return 401
+      if (val === false) {
+        fastifyReq.log.error('invalid authorization header: `%s`', header)
+        if (contentType) fastifyRes.header('content-type', contentType)
+        fastifyRes.code(401).send(errorResponse(invalidKeyError))
+        return
+      }
+      if (val === true) {
+        // if it fails down stream return the proper error
+        try {
+          next()
+        } catch (err) {
+          next(err)
+        }
+        return
+      }
+      fastifyRes.code(500).send(errorResponse(new Error('internal server error')))
+    }).catch((err) => {
+      fastifyRes.code(500).send(errorResponse(err instanceof Error ? err : Error(String(err))))
+    })
   }
 
   return bearerAuthHook
 }
 
 function authenticate (keys, key) {
-  return keys.find((a) => compare(a, key))
+  return keys.findIndex((a) => compare(a, key)) !== -1
 }
 
 function plugin (fastify, options, next) {

test/hook.test.js

@@ -146,3 +146,282 @@ test('hook accepts correct header with extra padding', (t) => {
     t.pass()
   })
 })
+
+test('hook accepts correct header with auth function (promise)', (t) => {
+  t.plan(2)
+  const auth = function (val) {
+    t.equal(val, key, 'wrong argument')
+    return Promise.resolve(true)
+  }
+  const request = {
+    log: { error: noop },
+    req: {
+      headers: { authorization: `bearer ${key}` }
+    }
+  }
+  const response = {
+    code: () => response,
+    send: send
+  }
+
+  function send (body) {
+    t.fail('should not happen')
+  }
+
+  const hook = plugin({ auth })
+  hook(request, response, () => {
+    t.pass()
+  })
+})
+
+test('hook accepts correct header with auth function (non-promise)', (t) => {
+  t.plan(2)
+  const auth = function (val) {
+    t.equal(val, key, 'wrong argument')
+    return true
+  }
+  const request = {
+    log: { error: noop },
+    req: {
+      headers: { authorization: `bearer ${key}` }
+    }
+  }
+  const response = {
+    code: () => response,
+    send: send
+  }
+
+  function send (body) {
+    t.fail('should not happen')
+  }
+
+  const hook = plugin({ auth })
+  hook(request, response, () => {
+    t.pass()
+  })
+})
+
+test('hook rejects wrong token with keys', (t) => {
+  t.plan(2)
+
+  const request = {
+    log: { error: noop },
+    req: {
+      headers: { authorization: `bearer abcdedfg` }
+    }
+  }
+  const response = {
+    code: () => response,
+    send: send
+  }
+
+  function send (body) {
+    t.ok(body.error)
+    t.match(body.error, /invalid authorization header/)
+  }
+
+  const hook = plugin(keys)
+  hook(request, response, () => {
+    t.fail('should not accept')
+  })
+})
+
+test('hook rejects wrong token with auth function', (t) => {
+  t.plan(5)
+
+  const request = {
+    log: { error: noop },
+    req: {
+      headers: { authorization: `bearer abcdefg` }
+    }
+  }
+
+  const auth = function (val, req) {
+    t.equal(req, request)
+    t.equal(val, 'abcdefg', 'wrong argument')
+    return false
+  }
+
+  const response = {
+    code: (status) => {
+      t.equal(401, status)
+      return response
+    },
+    send: send
+  }
+
+  function send (body) {
+    t.ok(body.error)
+    t.match(body.error, /invalid authorization header/)
+  }
+
+  const hook = plugin({ auth })
+  hook(request, response, () => {
+    t.fail('should not accept')
+  })
+})
+
+test('hook rejects wrong token with function (resolved promise)', (t) => {
+  t.plan(4)
+
+  const auth = function (val) {
+    t.equal(val, 'abcdefg', 'wrong argument')
+    return Promise.resolve(false)
+  }
+
+  const request = {
+    log: { error: noop },
+    req: {
+      headers: { authorization: `bearer abcdefg` }
+    }
+  }
+  const response = {
+    code: (status) => {
+      t.equal(401, status)
+      return response
+    },
+    send: send
+  }
+
+  function send (body) {
+    t.ok(body.error)
+    t.match(body.error, /invalid authorization header/)
+  }
+
+  const hook = plugin({ auth })
+  hook(request, response, () => {
+    t.fail('should not accept')
+  })
+})
+
+test('hook  rejects with 500 when functions fails', (t) => {
+  t.plan(4)
+
+  const auth = function (val) {
+    t.equal(val, 'abcdefg', 'wrong argument')
+    throw Error('failing')
+  }
+
+  const request = {
+    log: { error: noop },
+    req: {
+      headers: { authorization: `bearer abcdefg` }
+    }
+  }
+  const response = {
+    code: (status) => {
+      t.equal(500, status)
+      return response
+    },
+    send: send
+  }
+
+  function send (body) {
+    t.ok(body.error)
+    t.match(body.error, /failing/)
+  }
+
+  const hook = plugin({ auth })
+  hook(request, response, () => {
+    t.fail('should not accept')
+  })
+})
+
+test('hook  rejects with 500 when promise rejects', (t) => {
+  t.plan(4)
+
+  const auth = function (val) {
+    t.equal(val, 'abcdefg', 'wrong argument')
+    return Promise.reject(Error('failing'))
+  }
+
+  const request = {
+    log: { error: noop },
+    req: {
+      headers: { authorization: `bearer abcdefg` }
+    }
+  }
+  const response = {
+    code: (status) => {
+      t.equal(500, status)
+      return response
+    },
+    send: send
+  }
+
+  function send (body) {
+    t.ok(body.error)
+    t.match(body.error, /failing/)
+  }
+
+  const hook = plugin({ auth })
+  hook(request, response, () => {
+    t.fail('should not accept')
+  })
+})
+
+test('hook  rejects with 500 when functions returns non-boolean', (t) => {
+  t.plan(4)
+
+  const auth = function (val) {
+    t.equal(val, 'abcdefg', 'wrong argument')
+    return 'foobar'
+  }
+
+  const request = {
+    log: { error: noop },
+    req: {
+      headers: { authorization: `bearer abcdefg` }
+    }
+  }
+  const response = {
+    code: (status) => {
+      t.equal(500, status)
+      return response
+    },
+    send: send
+  }
+
+  function send (body) {
+    t.ok(body.error)
+    t.match(body.error, /internal server error/)
+  }
+
+  const hook = plugin({ auth })
+  hook(request, response, () => {
+    t.fail('should not accept')
+  })
+})
+
+test('hook  rejects with 500 when promise resolves to non-boolean', (t) => {
+  t.plan(4)
+
+  const auth = function (val) {
+    t.equal(val, 'abcdefg', 'wrong argument')
+    return Promise.resolve('abcde')
+  }
+
+  const request = {
+    log: { error: noop },
+    req: {
+      headers: { authorization: `bearer abcdefg` }
+    }
+  }
+  const response = {
+    code: (status) => {
+      t.equal(500, status)
+      return response
+    },
+    send: send
+  }
+
+  function send (body) {
+    t.ok(body.error)
+    t.match(body.error, /internal server error/)
+  }
+
+  const hook = plugin({ auth })
+  hook(request, response, () => {
+    t.fail('should not accept')
+  })
+})