primait · cottinisimone · Mar 15, 2022 · Mar 7, 2022
@@ -5,6 +5,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [Next]
+
+### Changed
+
+- [Breaking] When Plug configuration miss the required_permission field a runtime error will be thrown
+
 ## [0.3.0] - 2022-01-25
 
 ### Added

@@ -25,13 +25,19 @@ defmodule PrimaAuth0Ex.Plug.VerifyAndValidateToken do
 
   require Logger
 
-  def init(opts), do: opts
+  def init(opts) do
+    if !Keyword.has_key?(opts, :required_permissions) do
+      raise "required_permissions configuration must be set"
+    end
+
+    opts
+  end
 
   def call(%Plug.Conn{} = conn, opts) do
     audience = Keyword.get(opts, :audience, global_audience())
     dry_run? = Keyword.get(opts, :dry_run, global_dry_run())
     ignore_signature = Keyword.get(opts, :ignore_signature, global_ignore_signature())
-    required_permissions = Keyword.get(opts, :required_permissions, [])
+    required_permissions = Keyword.get(opts, :required_permissions)
 
     if authorized?(conn, audience, required_permissions, ignore_signature), do: conn, else: forbidden(conn, dry_run?)
   end

@@ -10,7 +10,7 @@ defmodule PrimaAuth0Ex.Plug.VerifyAndValidateTokenTest do
   @moduletag capture_log: true
 
   @test_audience "test"
-  @opts VerifyAndValidateToken.init(audience: @test_audience)
+  @opts VerifyAndValidateToken.init(audience: @test_audience, required_permissions: [])
 
   @tag :external
   test "does nothing when token is valid" do
@@ -61,12 +61,16 @@ defmodule PrimaAuth0Ex.Plug.VerifyAndValidateTokenTest do
     assert conn.status == 401
   end
 
+  test "raise a runtime error when required_permissions is not set" do
+    assert_raise(RuntimeError, fn -> VerifyAndValidateToken.init(audience: audience()) end)
+  end
+
   @tag :external
   test "supports setting a custom audience for validation" do
     credentials = Auth0Credentials.from_env()
     {:ok, token} = Auth0AuthorizationService.retrieve_token(credentials, audience())
 
-    opts = VerifyAndValidateToken.init(audience: "something-different-than-" <> audience())
+    opts = VerifyAndValidateToken.init(audience: "something-different-than-" <> audience(), required_permissions: [])
 
     conn =
       conn(:get, "/")
@@ -94,7 +98,7 @@ defmodule PrimaAuth0Ex.Plug.VerifyAndValidateTokenTest do
   test "supports disabling verification of signatures" do
     # mostly useful for dev environments, to work with locally forged JWTs
     forged_token = JwtUtils.jwt_that_expires_in(1_000, @test_audience)
-    opts = VerifyAndValidateToken.init(audience: @test_audience, ignore_signature: true)
+    opts = VerifyAndValidateToken.init(audience: @test_audience, ignore_signature: true, required_permissions: [])
 
     conn =
       conn(:get, "/")
@@ -105,7 +109,7 @@ defmodule PrimaAuth0Ex.Plug.VerifyAndValidateTokenTest do
   end
 
   test "can be run in dry-run mode (ie. not blocking invalid requests)" do
-    opts = VerifyAndValidateToken.init(dry_run: true)
+    opts = VerifyAndValidateToken.init(dry_run: true, required_permissions: [])
 
     conn =
       conn(:get, "/")