if no auth_token anywhere - stack dump about passport-jwt HOT 6 CLOSED

    if (!token) {
      var parsed_url =url.parse(req.url, true);
      if(parsed_url.query && parsed_url.query.hasOwnProperty(self._tokenQueryParameterName))
      {
        token = parsed_url.query[self._tokenQueryParameterName];
      }
    }

was my fix to allow the execution to continue.

from passport-jwt.

I spent some time trying to reproduce this in a real environment and I am having some difficulty.

The TypeError only occurs when when req.url is an instance of url.Url and not when req.url is a string. Running this under node's http.Server always results in req.url being set to a string.

What http server or framework are you running this under that causes req.url to not be set to a string?

I've added a unit test to reproduce in commit 67a2e0b and merged your pull request #19 into a new branch (bugfix-17). Once I understand the conditions to reproduce the issue I'll go ahead and merge it in to master.

from passport-jwt.

I tested using postman against a koa, nodejs, koa-passport, passport-jwt. If you need more, let me know.

      console.log("REQ URL", this.req.url);
      var url = require('url');

      var parsed_url = url.parse(this.req.url,true);

      console.log("parsed url", parsed_url);

      console.log("query", parsed_url.query);

output:

REQ URL /devices/92760
parsed url { protocol: null,
  slashes: null,
  auth: null,
  host: null,
  port: null,
  hostname: null,
  hash: null,
  search: '',
  query: {},
  pathname: '/devices/92760',
  path: '/devices/92760',
  href: '/devices/92760' }
query {}

Here is one with ?something=true

REQ URL /devices/92760?something=true
parsed url { protocol: null,
  slashes: null,
  auth: null,
  host: null,
  port: null,
  hostname: null,
  hash: null,
  search: '?something=true',
  query: { something: 'true' },
  pathname: '/devices/92760',
  path: '/devices/92760?something=true',
  href: '/devices/92760?something=true' }
query { something: 'true' }

The problem was that the since the URL has no query with an auth token, it would fail that check, and throw a TypeError, it expected a query property of self._tokenQueryParameterName

When I am not authenticated, and haven't gotten a token anywhere, I should be rejected with "not authenticated" not a "500 error" because the request failed to even complete.

When you merge this, I can drop my personal forked version, and be happy not requiring my own modified version.

from passport-jwt.

Hmm, looking over this, and trying to prove myself right some more, I see what you mean. Is the req not the same as this.req in koa? I'll dive deeper, and remove my authentication on my app that I'm actively working on. Give me an hour or so.

EDIT:

I can't reproduce anymore, I'm thinking I had something out of order during passport initialization and maybe the req.url wasn't available at the time, and I figured it was the strategy itself, I put that check into place to make sure I got an Unauthorized, but now I've tried everything I could possibly have done, but I never kept my bad code.

Can you close this if that's ok? I feel bad/dumb/tired.

If I can reproduce this, I'll open a new issue in the future.

from passport-jwt.

closing

from passport-jwt.

No need to feel bad/dumb. I appreciate the contribution and I'm going to go ahead and merge anyways since I should have been checking that the attribute was present before attempting to access it.

from passport-jwt.