borg/drone-detector
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix jwt-token

Browse Source
This commit is contained in:
Alexander Borg
2025-09-19 07:18:52 +02:00
parent 7626df36b6
commit 547b29af78
5 changed files with 523 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

49
server/middleware/auth.js
View File

@@ -104,22 +104,51 @@ async function authenticateToken(req, res, next) {
next();
} catch (error) {
// Only log unexpected errors, not common JWT validation failures
// Log authentication errors for monitoring (but not in tests)
if (process.env.NODE_ENV !== 'test' || error.name === 'TypeError') {
console.error('Token verification error:', error);
}
// Handle specific JWT errors
if (error.name === 'TokenExpiredError') {
return res.status(401).json({
success: false,
message: 'Token expired'
console.error('🔐 Authentication error:', {
error: error.name,
message: error.message,
userAgent: req.headers['user-agent'],
ip: req.ip || req.connection.remoteAddress,
path: req.path
});
}
// Handle specific JWT errors with detailed responses
if (error.name === 'TokenExpiredError') {
return res.status(401).json({
success: false,
error: 'TOKEN_EXPIRED',
message: 'Token expired',
redirectToLogin: true
});
}
if (error.name === 'JsonWebTokenError') {
return res.status(401).json({
success: false,
error: 'INVALID_TOKEN',
message: 'Invalid token',
redirectToLogin: true
});
}
if (error.name === 'NotBeforeError') {
return res.status(401).json({
success: false,
error: 'TOKEN_NOT_ACTIVE',
message: 'Token not active',
redirectToLogin: true
});
}
// Generic authentication error
return res.status(401).json({
success: false,
message: 'Invalid token'
error: 'AUTHENTICATION_FAILED',
message: 'Authentication failed',
redirectToLogin: true
});
}
}

285
server/tests/integration/auth-security.test.js Normal file
View File

@@ -0,0 +1,285 @@
// CRITICAL: Set environment variables FIRST
process.env.NODE_ENV = 'test';
process.env.JWT_SECRET = 'test-jwt-secret-key-for-testing-only';
const { describe, it, beforeEach, afterEach, before, after } = require('mocha');
const { expect } = require('chai');
const request = require('supertest');
const jwt = require('jsonwebtoken');
const { setupTestEnvironment, teardownTestEnvironment, cleanDatabase, createTestUser, createTestTenant } = require('../setup');
describe('Authentication Integration Tests', () => {
let app, models, sequelize, user, tenant;
before(async () => {
({ app, models, sequelize } = await setupTestEnvironment());
});
after(async () => {
await teardownTestEnvironment();
});
beforeEach(async () => {
await cleanDatabase();
tenant = await createTestTenant({ slug: 'test-tenant' });
user = await createTestUser({
username: 'testuser',
role: 'admin',
tenant_id: tenant.id
});
});
describe('Protected Route Access', () => {
it('should deny access to protected route without token', async () => {
const response = await request(app)
.get('/api/users/profile')
.expect(401);
expect(response.body).to.deep.equal({
success: false,
message: 'Access token required'
});
});
it('should deny access with malformed authorization header', async () => {
const response = await request(app)
.get('/api/users/profile')
.set('Authorization', 'InvalidToken')
.expect(401);
expect(response.body).to.deep.equal({
success: false,
message: 'Invalid token format'
});
});
it('should deny access with expired token', async () => {
const expiredToken = jwt.sign(
{ userId: user.id, username: user.username, role: user.role },
process.env.JWT_SECRET,
{ expiresIn: '-1h' }
);
const response = await request(app)
.get('/api/users/profile')
.set('Authorization', `Bearer ${expiredToken}`)
.expect(401);
expect(response.body).to.deep.equal({
success: false,
error: 'TOKEN_EXPIRED',
message: 'Token expired',
redirectToLogin: true
});
});
it('should deny access with invalid token signature', async () => {
const invalidToken = jwt.sign(
{ userId: user.id, username: user.username, role: user.role },
'wrong-secret',
{ expiresIn: '1h' }
);
const response = await request(app)
.get('/api/users/profile')
.set('Authorization', `Bearer ${invalidToken}`)
.expect(401);
expect(response.body).to.deep.equal({
success: false,
error: 'INVALID_TOKEN',
message: 'Invalid token',
redirectToLogin: true
});
});
it('should deny access for non-existent user', async () => {
const fakeToken = jwt.sign(
{ userId: 'non-existent-id', username: 'fake', role: 'admin' },
process.env.JWT_SECRET,
{ expiresIn: '1h' }
);
const response = await request(app)
.get('/api/users/profile')
.set('Authorization', `Bearer ${fakeToken}`)
.expect(401);
expect(response.body).to.deep.equal({
success: false,
message: 'User not found'
});
});
it('should deny access for inactive user', async () => {
// Deactivate the user
await user.update({ is_active: false });
const validToken = jwt.sign(
{ userId: user.id, username: user.username, role: user.role },
process.env.JWT_SECRET,
{ expiresIn: '1h' }
);
const response = await request(app)
.get('/api/users/profile')
.set('Authorization', `Bearer ${validToken}`)
.expect(401);
expect(response.body).to.deep.equal({
success: false,
message: 'User account is inactive'
});
});
it('should allow access with valid token', async () => {
const validToken = jwt.sign(
{ userId: user.id, username: user.username, role: user.role, tenantId: tenant.slug },
process.env.JWT_SECRET,
{ expiresIn: '1h' }
);
const response = await request(app)
.get('/api/users/profile')
.set('Authorization', `Bearer ${validToken}`)
.expect(200);
expect(response.body.success).to.be.true;
expect(response.body.data).to.have.property('username', user.username);
});
});
describe('Role-Based Access Control', () => {
let adminUser, regularUser, adminToken, userToken;
beforeEach(async () => {
adminUser = await createTestUser({
username: 'admin',
role: 'admin',
tenant_id: tenant.id
});
regularUser = await createTestUser({
username: 'user',
role: 'user',
tenant_id: tenant.id
});
adminToken = jwt.sign(
{ userId: adminUser.id, username: adminUser.username, role: adminUser.role, tenantId: tenant.slug },
process.env.JWT_SECRET,
{ expiresIn: '1h' }
);
userToken = jwt.sign(
{ userId: regularUser.id, username: regularUser.username, role: regularUser.role, tenantId: tenant.slug },
process.env.JWT_SECRET,
{ expiresIn: '1h' }
);
});
it('should allow admin access to admin-only endpoints', async () => {
const response = await request(app)
.get('/api/health/metrics')
.set('Authorization', `Bearer ${adminToken}`)
.expect(200);
expect(response.body.success).to.be.true;
});
it('should deny regular user access to admin-only endpoints', async () => {
const response = await request(app)
.get('/api/health/metrics')
.set('Authorization', `Bearer ${userToken}`)
.expect(403);
expect(response.body).to.deep.equal({
success: false,
message: 'Insufficient permissions'
});
});
});
describe('Token Security Validation', () => {
it('should reject token with incorrect algorithm', async () => {
// Create token with different algorithm (if supported by library)
const maliciousToken = jwt.sign(
{ userId: user.id, username: user.username, role: 'admin' },
process.env.JWT_SECRET,
{ algorithm: 'none' }
);
const response = await request(app)
.get('/api/users/profile')
.set('Authorization', `Bearer ${maliciousToken}`)
.expect(401);
expect(response.body.success).to.be.false;
expect(response.body.error).to.equal('INVALID_TOKEN');
});
it('should reject tampered token payload', async () => {
const validToken = jwt.sign(
{ userId: user.id, username: user.username, role: 'user' },
process.env.JWT_SECRET,
{ expiresIn: '1h' }
);
// Tamper with the token by modifying the payload
const parts = validToken.split('.');
const tamperedPayload = Buffer.from('{"userId":"' + user.id + '","username":"' + user.username + '","role":"admin"}').toString('base64');
const tamperedToken = parts[0] + '.' + tamperedPayload + '.' + parts[2];
const response = await request(app)
.get('/api/users/profile')
.set('Authorization', `Bearer ${tamperedToken}`)
.expect(401);
expect(response.body.success).to.be.false;
expect(response.body.error).to.equal('INVALID_TOKEN');
});
});
describe('Tenant Context Validation', () => {
let otherTenant, otherUser;
beforeEach(async () => {
otherTenant = await createTestTenant({ slug: 'other-tenant' });
otherUser = await createTestUser({
username: 'otheruser',
role: 'admin',
tenant_id: otherTenant.id
});
});
it('should set correct tenant context from JWT', async () => {
const validToken = jwt.sign(
{ userId: user.id, username: user.username, role: user.role, tenantId: tenant.slug },
process.env.JWT_SECRET,
{ expiresIn: '1h' }
);
// Make a request that would show tenant context in logs
const response = await request(app)
.get('/api/devices')
.set('Authorization', `Bearer ${validToken}`)
.expect(200);
expect(response.body.success).to.be.true;
});
it('should handle missing tenant context gracefully', async () => {
const tokenWithoutTenant = jwt.sign(
{ userId: user.id, username: user.username, role: user.role },
process.env.JWT_SECRET,
{ expiresIn: '1h' }
);
const response = await request(app)
.get('/api/users/profile')
.set('Authorization', `Bearer ${tokenWithoutTenant}`)
.expect(200);
expect(response.body.success).to.be.true;
});
});
});

174
server/tests/middleware/auth.test.js
View File

@@ -188,5 +188,179 @@ describe('Authentication Middleware', () => {
expect(res.data.success).to.be.false;
expect(res.data.message).to.equal('User account is inactive');
});
it('should handle malformed JWT token', async () => {
const req = mockRequest({
headers: { authorization: 'Bearer malformed.jwt' }
});
const res = mockResponse();
const next = mockNext();
await authenticateToken(req, res, next);
expect(res.statusCode).to.equal(401);
expect(res.data.success).to.be.false;
expect(res.data.error).to.equal('INVALID_TOKEN');
expect(res.data.redirectToLogin).to.be.true;
});
it('should handle JWT with invalid signature', async () => {
const invalidToken = jwt.sign(
{ userId: 1, username: 'test' },
'wrong-secret',
{ expiresIn: '1h' }
);
const req = mockRequest({
headers: { authorization: `Bearer ${invalidToken}` }
});
const res = mockResponse();
const next = mockNext();
await authenticateToken(req, res, next);
expect(res.statusCode).to.equal(401);
expect(res.data.success).to.be.false;
expect(res.data.error).to.equal('INVALID_TOKEN');
expect(res.data.redirectToLogin).to.be.true;
});
it('should handle JWT not before error', async () => {
const futureToken = jwt.sign(
{ userId: 1, username: 'test', nbf: Math.floor(Date.now() / 1000) + 3600 },
process.env.JWT_SECRET || 'test-secret',
{ expiresIn: '1h' }
);
const req = mockRequest({
headers: { authorization: `Bearer ${futureToken}` }
});
const res = mockResponse();
const next = mockNext();
await authenticateToken(req, res, next);
expect(res.statusCode).to.equal(401);
expect(res.data.success).to.be.false;
expect(res.data.error).to.equal('TOKEN_NOT_ACTIVE');
expect(res.data.redirectToLogin).to.be.true;
});
it('should handle missing JWT_SECRET environment variable', async () => {
const originalSecret = process.env.JWT_SECRET;
delete process.env.JWT_SECRET;
const token = jwt.sign(
{ userId: 1, username: 'test' },
'any-secret',
{ expiresIn: '1h' }
);
const req = mockRequest({
headers: { authorization: `Bearer ${token}` }
});
const res = mockResponse();
const next = mockNext();
await authenticateToken(req, res, next);
expect(res.statusCode).to.equal(401);
expect(res.data.success).to.be.false;
expect(res.data.error).to.equal('AUTHENTICATION_FAILED');
expect(res.data.redirectToLogin).to.be.true;
// Restore original secret
process.env.JWT_SECRET = originalSecret;
});
it('should include error details for monitoring', async () => {
const originalEnv = process.env.NODE_ENV;
process.env.NODE_ENV = 'production';
const consoleSpy = sinon.spy(console, 'error');
const req = mockRequest({
headers: {
authorization: 'Bearer invalid.jwt.token',
'user-agent': 'Test Agent',
},
ip: '127.0.0.1',
path: '/api/test',
connection: { remoteAddress: '127.0.0.1' }
});
const res = mockResponse();
const next = mockNext();
await authenticateToken(req, res, next);
expect(consoleSpy.calledOnce).to.be.true;
const logCall = consoleSpy.firstCall.args;
expect(logCall[0]).to.equal('🔐 Authentication error:');
expect(logCall[1]).to.have.property('error');
expect(logCall[1]).to.have.property('userAgent', 'Test Agent');
expect(logCall[1]).to.have.property('ip', '127.0.0.1');
expect(logCall[1]).to.have.property('path', '/api/test');
consoleSpy.restore();
process.env.NODE_ENV = originalEnv;
});
});
describe('Enhanced Error Response Format', () => {
it('should return consistent error format for expired tokens', async () => {
const expiredToken = jwt.sign(
{ userId: 1, username: 'test' },
process.env.JWT_SECRET || 'test-secret',
{ expiresIn: '-1h' }
);
const req = mockRequest({
headers: { authorization: `Bearer ${expiredToken}` }
});
const res = mockResponse();
const next = mockNext();
await authenticateToken(req, res, next);
expect(res.statusCode).to.equal(401);
expect(res.data).to.deep.equal({
success: false,
error: 'TOKEN_EXPIRED',
message: 'Token expired',
redirectToLogin: true
});
});
it('should return consistent error format for invalid tokens', async () => {
const req = mockRequest({
headers: { authorization: 'Bearer invalid.jwt.token' }
});
const res = mockResponse();
const next = mockNext();
await authenticateToken(req, res, next);
expect(res.statusCode).to.equal(401);
expect(res.data).to.deep.equal({
success: false,
error: 'INVALID_TOKEN',
message: 'Invalid token',
redirectToLogin: true
});
});
it('should return consistent error format for missing tokens', async () => {
const req = mockRequest();
const res = mockResponse();
const next = mockNext();
await authenticateToken(req, res, next);
expect(res.statusCode).to.equal(401);
expect(res.data).to.deep.equal({
success: false,
message: 'Access token required'
});
});
});
});