feat(guard): allow the client to pass the jwt as a cookie

Author: MaximeMRF

src/define_config.ts

@@ -6,11 +6,16 @@ import { Secret } from '@adonisjs/core/helpers'
 export function jwtGuard<UserProvider extends JwtUserProviderContract<unknown>>(config: {
   provider: UserProvider
   tokenExpiresIn: number | string
+  useCookies?: boolean
 }): GuardConfigProvider<(ctx: HttpContext) => JwtGuard<UserProvider>> {
   return {
     async resolver(_, app) {
       const appKey = (app.config.get('app.appKey') as Secret<string>).release()
-      const options = { secret: appKey, expiresIn: config.tokenExpiresIn }
+      const options = {
+        secret: appKey,
+        expiresIn: config.tokenExpiresIn,
+        useCookies: config.useCookies,
+      }
       return (ctx) => new JwtGuard(ctx, config.provider, options)
     },
   }

src/jwt.ts

@@ -45,6 +45,7 @@ export interface JwtUserProviderContract<RealUser> {
 export type JwtGuardOptions = {
   secret: string
   expiresIn?: number | string
+  useCookies?: boolean
 }
 
 export class JwtGuard<UserProvider extends JwtUserProviderContract<unknown>>
@@ -102,6 +103,12 @@ export class JwtGuard<UserProvider extends JwtUserProviderContract<unknown>>
         : {}
     )
 
+    if (this.#options.useCookies) {
+      return this.#ctx.response.cookie('token', token, {
+        httpOnly: true,
+      })
+    }
+
     return {
       type: 'bearer',
       token: token,
@@ -124,24 +131,39 @@ export class JwtGuard<UserProvider extends JwtUserProviderContract<unknown>>
     }
     this.authenticationAttempted = true
 
+    const cookieHeader = this.#ctx.request.request.headers.cookie
+    let token
+
     /**
-     * Ensure the auth header exists
+     * If cookies are enabled, then read the token from the cookies
      */
-    const authHeader = this.#ctx.request.header('authorization')
-    if (!authHeader) {
-      throw new errors.E_UNAUTHORIZED_ACCESS('Unauthorized access', {
-        guardDriverName: this.driverName,
-      })
+    if (cookieHeader) {
+      ;[, token] = cookieHeader!.split('=')
     }
 
     /**
-     * Split the header value and read the token from it
+     * If token is missing on cookies, then try to read it from the header authorization
      */
-    const [, token] = authHeader.split('Bearer ')
     if (!token) {
-      throw new errors.E_UNAUTHORIZED_ACCESS('Unauthorized access', {
-        guardDriverName: this.driverName,
-      })
+      /**
+       * Ensure the auth header exists
+       */
+      const authHeader = this.#ctx.request.header('authorization')
+      if (!authHeader) {
+        throw new errors.E_UNAUTHORIZED_ACCESS('Unauthorized access', {
+          guardDriverName: this.driverName,
+        })
+      }
+
+      /**
+       * Split the header value and read the token from it
+       */
+      ;[, token] = authHeader!.split('Bearer ')
+      if (!token) {
+        throw new errors.E_UNAUTHORIZED_ACCESS('Unauthorized access', {
+          guardDriverName: this.driverName,
+        })
+      }
     }
 
     /**
@@ -210,10 +232,10 @@ export class JwtGuard<UserProvider extends JwtUserProviderContract<unknown>>
   async authenticateAsClient(
     user: UserProvider[typeof symbols.PROVIDER_REAL_USER]
   ): Promise<AuthClientResponse> {
-    const token = await this.generate(user)
+    const token: any = await this.generate(user)
     return {
       headers: {
-        authorization: `Bearer ${token.token}`,
+        authorization: `Bearer ${this.#options.useCookies ? token : token.token}`,
       },
     }
   }

tests/guard.spec.ts

@@ -23,7 +23,90 @@ test.group('Jwt guard | authenticate', () => {
     assert.deepEqual(guard.getUserOrFail(), authenticatedUser)
   })
 
-  test('throw error when authorization header is missing', async ({ assert }) => {
+  test('it should return a cookie when user is authenticated', async ({ assert }) => {
+    const ctx = new HttpContextFactory().create()
+    const userProvider = new JwtFakeUserProvider()
+
+    const guard = new JwtGuard(ctx, userProvider, { secret: 'thisisasecret', useCookies: true })
+    ctx.request.request.headers.cookie = 'token=' + jwt.sign({ userId: 1 }, 'thisisasecret')
+
+    const authenticatedUser = await guard.authenticate()
+
+    assert.isTrue(guard.isAuthenticated)
+    assert.isTrue(guard.authenticationAttempted)
+
+    assert.equal(guard.user, authenticatedUser)
+    assert.deepEqual(guard.getUserOrFail(), authenticatedUser)
+  })
+
+  test('throw error when cookie header is invalid', async ({ assert }) => {
+    const ctx = new HttpContextFactory().create()
+    const userProvider = new JwtFakeUserProvider()
+
+    const guard = new JwtGuard(ctx, userProvider, { secret: 'thisisasecret' })
+    ctx.request.request.headers.cookie = 'foo bar'
+    const [result] = await Promise.allSettled([guard.authenticate()])
+
+    assert.equal(result!.status, 'rejected')
+    if (result!.status === 'rejected') {
+      assert.instanceOf(result!.reason, errors.E_UNAUTHORIZED_ACCESS)
+    }
+
+    assert.isUndefined(guard.user)
+    assert.throws(() => guard.getUserOrFail(), 'Unauthorized access')
+
+    assert.isFalse(guard.isAuthenticated)
+    assert.isTrue(guard.authenticationAttempted)
+  })
+
+  test('throw error when cookie token is empty', async ({ assert }) => {
+    const ctx = new HttpContextFactory().create()
+    const userProvider = new JwtFakeUserProvider()
+
+    const guard = new JwtGuard(ctx, userProvider, { secret: 'thisisasecret' })
+    ctx.request.request.headers.cookie = 'token='
+    const [result] = await Promise.allSettled([guard.authenticate()])
+
+    assert.equal(result!.status, 'rejected')
+    if (result!.status === 'rejected') {
+      assert.instanceOf(result!.reason, errors.E_UNAUTHORIZED_ACCESS)
+    }
+
+    assert.isUndefined(guard.user)
+    assert.throws(() => guard.getUserOrFail(), 'Unauthorized access')
+
+    assert.isFalse(guard.isAuthenticated)
+    assert.isTrue(guard.authenticationAttempted)
+  })
+
+  test('throw error when cookie token has been expired', async ({ assert }) => {
+    const ctx = new HttpContextFactory().create()
+    const userProvider = new JwtFakeUserProvider()
+    const user = await userProvider.findById(1)
+    const token = await userProvider.createToken(user!.getOriginal(), 'thisisasecret', {
+      expiresIn: '1h',
+    })
+
+    timeTravel(61 * 60)
+
+    const guard = new JwtGuard(ctx, userProvider, { secret: 'thisisasecret' })
+    ctx.request.request.headers.cookie = `token=${token}`
+    const [result] = await Promise.allSettled([guard.authenticate()])
+
+    assert.equal(result!.status, 'rejected')
+    if (result!.status === 'rejected') {
+      assert.instanceOf(result!.reason, errors.E_UNAUTHORIZED_ACCESS)
+    }
+
+    assert.isUndefined(guard.user)
+    assert.throws(() => guard.getUserOrFail(), 'Unauthorized access')
+    assert.isFalse(guard.isAuthenticated)
+    assert.isTrue(guard.authenticationAttempted)
+  })
+
+  test('throw error when authorization header and cookie header are missing', async ({
+    assert,
+  }) => {
     const ctx = new HttpContextFactory().create()
     const userProvider = new JwtFakeUserProvider()