dwyl / hapi-auth-jwt2

:lock: Secure Hapi.js authentication plugin using JSON Web Tokens (JWT) in Headers, URL or Cookies
ISC License

NoJS support and JWTs passed on POST bodies #319

Closed stevenleadbeater closed 5 years ago

stevenleadbeater commented 5 years ago

An issue can arise when supporting users with JavaScript disabled when JWTs are too large to pass on query strings.

With JS disabled, tokens cannot be added to headers by using redirects from OAuth providers into the consuming service.

Cloud providers will place limitations on URI lengths.

OAuth services may not always sit on a sibling subdomain of the protected service, negating the use of a secure cookie.

The only way to pass a token in this case is to use an HTML form with the token in a hidden field, a button with instructions for users to press it if they have JS disabled, and some JS that will submit the form automatically if it is enabled.

Currently, this plugin is returning Unauthorised responses when no token has been passed as part of a cookie, query string or header, preventing the use of the payload authentication lifecycle method in the parent HAPI JS framework this plugin has been written for.

Please provide support for tokens passed as part of POST bodies, as this will enable accessibility for screen reader software that does not support JavaScript.

nelsonic commented 5 years ago

Hi @stevenleadbeater thanks for opening this issue to describe the use case. 🥇 And thanks for opening the PR with a suggested implementation. 👍 We will take a look at it shortly. 👀⏳

nelsonic commented 5 years ago

360 lines is a pretty massive diff for a comparatively small feature ... 🤔

the update made to lib/index.d.ts is a lot more reasonable from a reviewer/maintainer's perspective. 💭

nelsonic commented 5 years ago

I'm going through the code to see what the actual diff from master is ... 🔍 👀 (_but this would be a lot faster/easier if the PR only contained the new feature rather than a rework of existing functionality..._)

stevenleadbeater commented 5 years ago

Yes, sorry about that. In order to let the authenticate and payload methods share the implementation for parsing JWTs, it made sense to move the body of the authenticate method out into the internals. Unfortunately the payload lifecycle method doesn't have access to the h.authenticated and h.unauthenticated methods, so that mandated the rework. I'm sorry about the volume of movement; it ended up being necessary as part of the implementation.

nelsonic commented 5 years ago

@stevenleadbeater hapi-auth-jwt2@8.7.0 on NPM contains your updates. 🚀 Thanks again for adding this functionality for people who have JS disabled. ✅