https://github.com/antarasi/feathers-auth-test
This project is prepared to test feathers authentication using REST and socket.io.
Last synced: 7 months ago
- Host: GitHub
- URL: https://github.com/antarasi/feathers-auth-test
- Owner: antarasi
- License: mit
- Created: 2017-12-15T20:27:16.000Z (almost 8 years ago)
- Default Branch: master
- Last Pushed: 2017-12-18T11:36:08.000Z (almost 8 years ago)
- Last Synced: 2025-01-25T04:11:00.668Z (9 months ago)
- Topics: feathers, feathers-authentication, jwt
- Language: JavaScript
- Homepage:
- Size: 57.6 KB
- Stars: 0
- Watchers: 2
- Forks: 0
- Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# feathers-auth-test
## About
This project is prepared to test feathers authentication using REST and socket.io.
## What's inside
The server is configured with two protected endpoints in the users service:
1. FIND: `users:find`, protected by `@feathersjs/authentication.hooks.authenticate('jwt')`
2. GET: `users:get`, protected by `feathers-authentication-hooks.restrictToAuthenticated()`

and a spec, `test/auth.test.js`, that runs against both transports (REST and socket.io) to test authorization:
1. should reject unauthorized access
- When not logged in - both endpoints should reject requests
2. should login correctly
- Perform the login routine, which results in an `accessToken` being generated
3. should find all users (authenticate:jwt)
- Requested FIND endpoint should be fulfilled after login
4. should get one user (restrictToAuthenticated)
- Requested GET endpoint should be fulfilled after login
5. authtoken should be expired now
- Wait for `authToken` to expire
6. should reject to find users (authenticate:jwt)
- Requested FIND endpoint should be rejected after `authToken` expiration
7. should reject to get user (restrictToAuthenticated)
- Requested GET endpoint should be rejected after `authToken` expiration

## How to run
Run the npm script: `npm run mocha:auth`
## Test results
Response messages are either misleading or inconsistent between the two transports, which breaks the transport agnosticism rule.
### Socket.io failed tests:
#### 6. should reject to find users (authenticate:jwt)
```
Socket.io tests
6. should reject to find users (authenticate:jwt):
AssertionError: expected promise to be rejected with an error including 'jwt expired' but it was fulfilled with { Object (total, limit, ...) }
```

I expect that after the token expires I should get a `jwt expired` error message, but the `authenticate('jwt')` method fulfils the request regardless of token expiration time. The REST transport passes that test, responding with `jwt expired`.
#### 7. should reject to get user (restrictToAuthenticated)
```
Socket.io tests
7. should reject to get user (restrictToAuthenticated):
AssertionError: expected promise to be rejected with an error including 'You are not authenticated' but it was fulfilled with { Object (email, _id) }
```

I expect that after the token expires I should get a `jwt expired` error message, but the `restrictToAuthenticated()` method fulfils the request regardless of token expiration time. The REST transport passes that test, responding with `jwt expired`.
### REST failed tests:
#### 4. should get one user (restrictToAuthenticated)
```
REST tests
4. should get one user (restrictToAuthenticated):
NotAuthenticated: You are not authenticated.
at new NotAuthenticated (node_modules\@feathersjs\client\dist\feathers.js:508:17)
at convert (node_modules\@feathersjs\client\dist\feathers.js:653:32)
at toError (node_modules\@feathersjs\client\dist\feathers.js:94:9)
at
at process._tickCallback (internal/process/next_tick.js:188:7)
```

I expect that when passing a valid access token, the `restrictToAuthenticated()` method should parse the token from the request like `authenticate('jwt')` does, but it looks like it doesn't. The Socket.io transport passes that test and fulfils the request. What's the purpose of having both `authenticate('jwt')` and `restrictToAuthenticated()` methods if they produce different behavior and make authorization less predictable?