Prevent throw on undefined/null secret

auth0 · Mar 30, 2015 · 0fdf78d · 0fdf78d
1 parent e46ca66
commit 0fdf78d
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 0 deletions.
diff --git a/index.js b/index.js
@@ -107,6 +107,9 @@ module.exports.verify = function(jwtString, secretOrPublicKey, options, callback
     return done(new JsonWebTokenError('jwt signature is required'));
   }
 
+  if (typeof secretOrPublicKey === "undefined" || secretOrPublicKey === null) // secretOrPublicKey can be empty string
+    return done(new JsonWebTokenError('secret or publick key must be provided'));
+
   if (!options.algorithms) {
     options.algorithms = ~secretOrPublicKey.toString().indexOf('BEGIN CERTIFICATE') ||
                          ~secretOrPublicKey.toString().indexOf('BEGIN PUBLIC KEY') ?

diff --git a/test/undefined_secretOrPublickey.tests.js b/test/undefined_secretOrPublickey.tests.js
@@ -0,0 +1,21 @@
+var fs = require('fs');
+var path = require('path');
+var jwt = require('../index');
+var JsonWebTokenError = require('../lib/JsonWebTokenError');
+var expect = require('chai').expect;
+
+var TOKEN = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.e30.t-IDcSemACt8x4iTMCda8Yhe3iZaWbvV5XKSTbuAn0M';
+
+describe('verifying without specified secret or public key', function () {
+  it('should not verify null', function () {
+    expect(function () {
+      jwt.verify(TOKEN, null);
+    }).to.throw(JsonWebTokenError, /secret or publick key must be provided/);
+  });
+
+  it('should not verify undefined', function () {
+    expect(function () {
+      jwt.verify(TOKEN);
+    }).to.throw(JsonWebTokenError, /secret or publick key must be provided/);
+  });
+});