Rethink handleAuth

[finnhodgkin]

There are a few things that I'd change about this file:

• Firstly it's not really a handler (it doesn't respond to a request), it just validates authentication and passes that validation on to a handler. It should probably be moved to a different directory in your app (for example helpers or authentication).
• There are some unnecessary requires (bcrypt, qs handleError).
• You're calling jwt.verify with a callback which makes it asynchronous. Either change the whole function to be callback based (probably the better option) or use the non-callback jwt.verify:

jwt.verify(token, 'secret');

• Your secret should be stored in environment variables! There's no point in signing cookies if you post the secret openly on GitHub.
• No need to pass in res if you're not using it, you could even just only give handleAuth access to req.headers.cookie because you don't need anything else from the req object.

Something like:

const jwt = require('jsonwebtoken');
const cookie = require('cookie');

const handleAuth = (cookie, callback) => {
  if (!cookie) {
    return callback(new Error('No cookie');
  } 
  const token = cookie.parse(cookie).token;
  jwt.verify(token, process.env.JWT_SECRET, callback);
}

module.exports = handleAuth;

This would mean changing the way the function is called in your routers also (the routes would need to be wrapped in the callback). #

[MynahMarie]

Good points but why would we need a callback to the handleAuth function?