🤘

Author: jsumners

.gitignore

@@ -0,0 +1,2 @@
+node_modules/
+.vscode/

Readme.md

@@ -0,0 +1,63 @@
+# fastify-bearer-auth
+
+*fastify-bearer-auth* provides a simple request hook for the [Fastify][fastify]
+web framework.
+
+[fastify]: https://github.com/fastify/fastify
+
+## Example
+
+```js
+'use strict'
+
+const fastify = require('fastify')
+const bearerAuthPlugin = require('fastify-bearer-auth')
+const keys = new Set(['a-super-secret-key', 'another-super-secret-key'])
+
+fastify.addHook('preHandler', bearerAuthPlugin({keys}))
+fastify.get('/foo', (req, reply) => {
+  reply({authenticated: true})
+})
+
+fastify.listen({port: 8000}, (err) => {
+  if (err) {
+    console.error(err.message)
+    process.exit(1)
+  }
+  console.log.info('http://127.0.0.1:8000/foo')
+})
+```
+
+## API
+
++ `factory(config)`: exported by `require('fastify-bearer-auth')`. The `config`
+  object must have a `keys` property that is set to an object which has a
+  `has(key)` method. It may also have method `errorResponse(err)` and property
+  `contentType`. If set, the `errorResponse(err)` method must synchronously
+  return the content body to be sent to the client. If the content to be sent
+  is anything other than `application/json`, then the `contentType` property
+  must be set. The default config object is:
+
+  ```js
+  {
+    keys: new Set(),
+    contentType: undefined,
+    errorResponse: (err) => {
+      return {error: err.message}
+    }
+  }
+  ```
+
++ `bearerAuthHook(req, reply, next)`: a standard *Fastify*
+  [preHandler hook][prehook] which will inspect the request's headers
+  for an `authorization` header in the format `bearer key`. The `key` will be
+  matched against the configured `keys` object via the `has(key)` method. If
+  the `authorization` header is missing, malformed, or the `key` does not
+  validate then a 401 response will be sent with a `{error: message}` body;
+  no further request processing will be performed.
+
+[prehook]: https://github.com/fastify/fastify/blob/master/docs/Hooks.md
+
+## License
+
+[MIT License](http://jsumners.mit-license.org/)

package.json

@@ -0,0 +1,33 @@
+{
+  "name": "fastify-bearer-auth",
+  "version": "1.0.0",
+  "description": "An authentication plugin for Fastify",
+  "main": "plugin.js",
+  "scripts": {
+    "test": "tap 'test/**/*.js'",
+    "lint": "standard"
+  },
+  "precommit": [
+    "lint",
+    "test"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "git+ssh://[email protected]/jsumners/fastify-bearer-auth.git"
+  },
+  "keywords": [
+    "fastify",
+    "authentication"
+  ],
+  "author": "James Sumners <[email protected]>",
+  "license": "MIT",
+  "bugs": {
+    "url": "https://github.com/jsumners/fastify-bearer-auth/issues"
+  },
+  "homepage": "https://github.com/jsumners/fastify-bearer-auth#readme",
+  "devDependencies": {
+    "pre-commit": "^1.2.2",
+    "standard": "^10.0.1",
+    "tap": "^10.3.2"
+  }
+}

plugin.js

@@ -0,0 +1,39 @@
+'use strict'
+
+module.exports = function (options) {
+  const defaultOptions = {
+    keys: new Set(),
+    errorResponse (err) {
+      return {error: err.message}
+    },
+    contentType: undefined
+  }
+  const _options = Object.assign(defaultOptions, options || {})
+  const keys = _options.keys
+  const errorResponse = _options.errorResponse
+  const contentType = _options.contentType
+
+  function bearerAuthHook (fastifyReq, fastifyRes, next) {
+    const header = fastifyReq.req.headers['authorization']
+    if (!header) {
+      const noHeaderError = Error('missing authorization header')
+      fastifyReq.log.error('unauthorized: %s', noHeaderError.message)
+      if (contentType) fastifyRes.header('content-type', contentType)
+      fastifyRes.code(401).send(errorResponse(noHeaderError))
+      return
+    }
+
+    const key = header.substring(6).trim()
+    if (keys.has(key) === false) {
+      const invalidKeyError = Error('invalid authorization header')
+      fastifyReq.log.error('invalid authorization header: `%s`', header)
+      if (contentType) fastifyRes.header('content-type', contentType)
+      fastifyRes.code(401).send(errorResponse(invalidKeyError))
+      return
+    }
+
+    next()
+  }
+
+  return bearerAuthHook
+}

test/hook.test.js

@@ -0,0 +1,122 @@
+'use strict'
+
+const test = require('tap').test
+const noop = () => {}
+const plugin = require('../')
+const key = '123456789012354579814'
+const keys = {keys: new Set([key])}
+
+test('hook rejects for missing header', (t) => {
+  t.plan(2)
+
+  const request = {
+    log: {error: noop},
+    req: {headers: {}}
+  }
+  const response = {
+    code: () => response,
+    send: send
+  }
+
+  function send (body) {
+    t.ok(body.error)
+    t.match(body.error, /missing authorization header/)
+  }
+
+  const hook = plugin()
+  hook(request, response)
+})
+
+test('hook rejects header without bearer prefix', (t) => {
+  t.plan(2)
+
+  const request = {
+    log: {error: noop},
+    req: {
+      headers: {authorization: key}
+    }
+  }
+  const response = {
+    code: () => response,
+    send: send
+  }
+
+  function send (body) {
+    t.ok(body.error)
+    t.match(body.error, /invalid authorization header/)
+  }
+
+  const hook = plugin(keys)
+  hook(request, response)
+})
+
+test('hook rejects malformed header', (t) => {
+  t.plan(2)
+
+  const request = {
+    log: {error: noop},
+    req: {
+      headers: {authorization: `bearerr ${key}`}
+    }
+  }
+  const response = {
+    code: () => response,
+    send: send
+  }
+
+  function send (body) {
+    t.ok(body.error)
+    t.match(body.error, /invalid authorization header/)
+  }
+
+  const hook = plugin(keys)
+  hook(request, response)
+})
+
+test('hook accepts correct header', (t) => {
+  t.plan(1)
+
+  const request = {
+    log: {error: noop},
+    req: {
+      headers: {authorization: `bearer ${key}`}
+    }
+  }
+  const response = {
+    code: () => response,
+    send: send
+  }
+
+  function send (body) {
+    t.fail('should not happen')
+  }
+
+  const hook = plugin(keys)
+  hook(request, response, () => {
+    t.pass()
+  })
+})
+
+test('hook accepts correct header with extra padding', (t) => {
+  t.plan(1)
+
+  const request = {
+    log: {error: noop},
+    req: {
+      headers: {authorization: `bearer   ${key}   `}
+    }
+  }
+  const response = {
+    code: () => response,
+    send: send
+  }
+
+  function send (body) {
+    t.fail('should not happen')
+  }
+
+  const hook = plugin(keys)
+  hook(request, response, () => {
+    t.pass()
+  })
+})