Fix JWT token not going through (#19)

The options for signing when saving the user were incorrect
joshgachnang · Dec 12, 2021 · dd46070 · dd46070
1 parent 9da4441
commit dd46070
Show file tree

Hide file tree

Showing 5 changed files with 130 additions and 74 deletions.
diff --git a/package.json b/package.json
@@ -34,7 +34,6 @@
     "mongoose-rest-framework": "^0.1.1",
     "on-finished": "^2.3.0",
     "passport-firebase-jwt": "^1.2.1",
-    "bcrypt": "^5.0.1",
     "express": "^4.17.1",
     "express-session": "^1.17.2",
     "jsonwebtoken": "^8.5.1",

diff --git a/src/example.ts b/src/example.ts
@@ -63,10 +63,7 @@ function getBaseServer() {
     }
   });
   app.use(express.json());
-  setupAuth(app, UserModel as any, {
-    sessionSecret: "cats",
-    jwtIssuer: "example.com",
-  });
+  setupAuth(app, UserModel as any);
   app.use(
     "/food",
     gooseRestRouter(FoodModel, {

diff --git a/src/expressServer.ts b/src/expressServer.ts
@@ -3,14 +3,14 @@ import axios from "axios";
 import cron from "cron";
 import express, {Router} from "express";
 import cloneDeep from "lodash/cloneDeep";
-import {setupAuth, UserModel} from "./mongooseRestFramework";
+import {Env, setupAuth, UserModel} from "./mongooseRestFramework";
 import onFinished from "on-finished";
 import passport from "passport";
 
 const SLOW_READ_MAX = 200;
 const SLOW_WRITE_MAX = 500;
 
-const dsn = (process.env as any).SENTRY_DSN;
+const dsn = (process.env as Env).SENTRY_DSN;
 if (process.env.NODE_ENV === "production") {
   if (!dsn) {
     throw new Error("You must set SENTRY_DSN in the environment.");
@@ -125,10 +125,7 @@ function initializeRoutes(UserModel: UserModel, addRoutes: AddRoutes) {
 
   app.use(logRequests);
 
-  setupAuth(app as any, UserModel as any, {
-    sessionSecret: process.env.SESSION_SECRET || "pumpkin",
-    jwtIssuer: process.env.JWT_ISSUER || "example.com",
-  });
+  setupAuth(app as any, UserModel as any);
 
   // Adds all the user
   addRoutes(app);
@@ -196,7 +193,7 @@ export function cronjob(name: string, schedule: "hourly" | string, callback: ()
 
 // Convenience method to send data to a Slack webhook.
 export async function sendToSlack(text: string, channel = "bots") {
-  const slackWebhookUrl = (process.env as any).SLACK_WEBHOOK;
+  const slackWebhookUrl = (process.env as Env).SLACK_WEBHOOK;
   if (!slackWebhookUrl) {
     throw new Error("You must set SLACK_WEBHOOK in the environment.");
   }

diff --git a/src/mongooseRestFramework.test.ts b/src/mongooseRestFramework.test.ts
@@ -13,11 +13,7 @@ import {
 } from "./mongooseRestFramework";
 
 const assert = chai.assert;
-const JWTOptions = {
-  sessionSecret: "cats",
-  jwtSecret: "secret",
-  jwtIssuer: "example.com",
-};
+
 mongoose.connect("mongodb://localhost:27017/mrf");
 
 interface User {
@@ -85,6 +81,9 @@ describe("mongoose rest framework", () => {
     // jest.resetModules(); // Most important - it clears the cache
     process.env = {...OLD_ENV}; // Make a copy
     process.env.TOKEN_SECRET = "secret";
+    process.env.TOKEN_EXPIRES_IN = "30m";
+    process.env.TOKEN_ISSUER = "example.com";
+    process.env.SESSION_SECRET = "session";
   });
 
   afterEach(function() {
@@ -119,7 +118,7 @@ describe("mongoose rest framework", () => {
         }),
       ]);
       app = getBaseServer();
-      setupAuth(app, UserModel as any, JWTOptions);
+      setupAuth(app, UserModel as any);
       app.use(
         "/food",
         gooseRestRouter(FoodModel, {
@@ -334,7 +333,7 @@ describe("mongoose rest framework", () => {
         }),
       ]);
       app = getBaseServer();
-      setupAuth(app, UserModel as any, JWTOptions);
+      setupAuth(app, UserModel as any);
       app.use(
         "/food",
         gooseRestRouter(FoodModel, {
@@ -613,7 +612,7 @@ describe("mongoose rest framework", () => {
         }),
       ]);
       app = getBaseServer();
-      setupAuth(app, UserModel as any, JWTOptions);
+      setupAuth(app, UserModel as any);
       app.use(
         "/food",
         gooseRestRouter(FoodModel, {
@@ -686,6 +685,9 @@ describe("test token auth", function() {
     // jest.resetModules(); // Most important - it clears the cache
     process.env = {...OLD_ENV}; // Make a copy
     process.env.TOKEN_SECRET = "secret";
+    process.env.TOKEN_EXPIRES_IN = "30m";
+    process.env.TOKEN_ISSUER = "example.com";
+    process.env.SESSION_SECRET = "session";
   });
 
   afterEach(function() {
@@ -728,7 +730,7 @@ describe("test token auth", function() {
       }),
     ]);
     app = getBaseServer();
-    setupAuth(app, UserModel as any, JWTOptions);
+    setupAuth(app, UserModel as any);
     app.use(
       "/food",
       gooseRestRouter(FoodModel, {
@@ -785,6 +787,34 @@ describe("test token auth", function() {
       ownerId: userId,
     });
 
+    const meRes = await server
+      .get("/auth/me")
+      .set("authorization", `Bearer ${token}`)
+      .expect(200);
+    console.log("ME RES", meRes.body.data);
+    assert.isDefined(meRes.body.data._id);
+    assert.isDefined(meRes.body.data.id);
+    assert.isUndefined(meRes.body.data.hash);
+    assert.equal(meRes.body.data.email, "new@example.com");
+    assert.isDefined(meRes.body.data.token);
+    assert.isDefined(meRes.body.data.updated);
+    assert.isDefined(meRes.body.data.created);
+    assert.isFalse(meRes.body.data.admin);
+
+    const mePatchRes = await server
+      .patch("/auth/me")
+      .send({email: "new2@example.com"})
+      .set("authorization", `Bearer ${token}`)
+      .expect(200);
+    assert.isDefined(mePatchRes.body.data._id);
+    assert.isDefined(mePatchRes.body.data.id);
+    assert.isUndefined(mePatchRes.body.data.hash);
+    assert.equal(mePatchRes.body.data.email, "new2@example.com");
+    assert.isDefined(mePatchRes.body.data.token);
+    assert.isDefined(mePatchRes.body.data.updated);
+    assert.isDefined(mePatchRes.body.data.created);
+    assert.isFalse(mePatchRes.body.data.admin);
+
     // Use token to see 2 foods + the one we just created
     const getRes = await server
       .get("/food")
@@ -811,6 +841,34 @@ describe("test token auth", function() {
     assert.isDefined(userId);
     assert.isDefined(token);
 
+    const meRes = await server
+      .get("/auth/me")
+      .set("authorization", `Bearer ${token}`)
+      .expect(200);
+    console.log("ME RES", meRes.body.data);
+    assert.isDefined(meRes.body.data._id);
+    assert.isDefined(meRes.body.data.id);
+    assert.isUndefined(meRes.body.data.hash);
+    assert.equal(meRes.body.data.email, "admin@example.com");
+    assert.isDefined(meRes.body.data.token);
+    assert.isDefined(meRes.body.data.updated);
+    assert.isDefined(meRes.body.data.created);
+    assert.isTrue(meRes.body.data.admin);
+
+    const mePatchRes = await server
+      .patch("/auth/me")
+      .send({email: "admin2@example.com"})
+      .set("authorization", `Bearer ${token}`)
+      .expect(200);
+    assert.isDefined(mePatchRes.body.data._id);
+    assert.isDefined(mePatchRes.body.data.id);
+    assert.isUndefined(mePatchRes.body.data.hash);
+    assert.equal(mePatchRes.body.data.email, "admin2@example.com");
+    assert.isDefined(mePatchRes.body.data.token);
+    assert.isDefined(mePatchRes.body.data.updated);
+    assert.isDefined(mePatchRes.body.data.created);
+    assert.isTrue(mePatchRes.body.data.admin);
+
     // Use token to see admin foods
     const getRes = await server
       .get("/food")