auth0 / express-jwt

connect/express middleware that validates a JSON Web Token (JWT) and sets req.user to the token's attributes


In multi-tenancy mode Authorization: Bearer undefined does not throw 401 Unauthorized error

arashlayeghi opened this issue · comments

Description

Provide a clear and concise description of the issue, including what you expected to happen.

When we use multi-tenancy (using secretCallback), in the case that Authorization is `Bearer undefined`, the middleware surprisingly passes to the next middlewares and doesn't throw a 401 Unauthorized error. As I checked, in this case secretCallback is not called at all.

Reproduction

Detail the steps taken to reproduce this error, what was expected, and whether this issue can be reproduced consistently or if it is intermittent.

Where applicable, please include:

  • Code sample to reproduce the issue

```js
const jwt = require("express-jwt");
const { getSecrets } = require("../secrets"); // project-local secrets loader

// Per-tenant Auth0 configuration (client secret and client ID), one per known issuer.
const gWorldAuth0Config = getSecrets("AUTH0_CONFIGS").gworld;
const gforceAuth0Config = getSecrets("AUTH0_CONFIGS").gforce;
const GWORLD_ISSUER_DEV = "https://login.globalworkandtravel.com";
const GWORLD_ISSUER_LIVE = "https://gwat.auth0.com";
const GFORCE_ISSUER_LIVE = "https://globalgforce.auth0.com";
let audience;

// Multi-tenant secret resolver: express-jwt calls this with the decoded (not yet
// verified) payload, and the issuer claim selects which tenant's HS256 secret to use.
const secretCallback = (req, payload, done) => {
  const issuer = payload.iss;
  let secret;

  if (
    issuer.startsWith(GWORLD_ISSUER_DEV) ||
    issuer.startsWith(GWORLD_ISSUER_LIVE)
  ) {
    secret = Buffer.from(gWorldAuth0Config.clientSecret, "base64");
    audience = gWorldAuth0Config.clientID;
  } else if (issuer.startsWith(GFORCE_ISSUER_LIVE)) {
    secret = Buffer.from(gforceAuth0Config.clientSecret, "base64");
    audience = gforceAuth0Config.clientID;
  }

  if (!secret) {
    // Unknown issuer: refuse rather than fall back to a default secret.
    return done(new Error("Missing Secret"));
  }
  return done(null, secret);
};

// Note: `audience` is still undefined when jwt() is evaluated here (it is only
// assigned inside the callback, per request), so no audience check is configured.
module.exports = jwt({
  secret: secretCallback,
  audience,
  algorithms: ["HS256"],
});
```

  • Log files (redact/remove sensitive information)
  • Application settings (redact/remove sensitive information)
  • Screenshots

Environment

Please provide the following:

  • Version: 6.0.0
  • Node.js: v12.0.0

This should be covered by this test:

```js
// Assumed setup, reconstructed from the assertions below (the comment quotes only the test case):
const assert = require('assert');
const jwt = require('jsonwebtoken');
const expressjwt = require('express-jwt');
const tenants = { a: 'secret-a' }; // known issuers and their HS256 secrets
const secretCallback = (req, payload, done) => {
  if (tenants[payload.iss]) return done(null, tenants[payload.iss]);
  return done(new Error('Could not find secret for issuer.'));
};
const middleware = expressjwt({ secret: secretCallback, algorithms: ['HS256'] });
const req = {}, res = {};

it('should throw if an error ocurred when retrieving the token', function (done) {
  const secret = 'shhhhhh';
  // Token is well-formed and signed, but its issuer is not a known tenant.
  const token = jwt.sign({ iss: 'inexistent', foo: 'bar' }, secret);
  req.headers = {};
  req.headers.authorization = 'Bearer ' + token;
  middleware(req, res, function (err) {
    assert.ok(err);
    assert.equal(err.message, 'Could not find secret for issuer.');
    done();
  });
});
```