Prevent strategy from running when the current path matches a dispatc…

…h request path (#60)
waiting-for-dev · Dec 20, 2024 · 14052e7 · 14052e7
1 parent 786f61f
commit 14052e7
Show file tree

Hide file tree

Showing 2 changed files with 47 additions and 2 deletions.
diff --git a/lib/warden/jwt_auth/strategy.rb b/lib/warden/jwt_auth/strategy.rb
@@ -7,8 +7,10 @@ module JWTAuth
     # Warden strategy to authenticate an user through a JWT token in the
     # `Authorization` request header
     class Strategy < Warden::Strategies::Base
+      include JWTAuth::Import['dispatch_requests']
+
       def valid?
-        token_exists? && issuer_claim_valid?
+        token_exists? && issuer_claim_valid? && !path_is_dispatch_request_path?
       end
 
       def store?
@@ -25,6 +27,14 @@ def authenticate!
 
       private
 
+      def path_is_dispatch_request_path?
+        current_path = EnvHelper.path_info(env)
+        request_method = EnvHelper.request_method(env)
+        dispatch_requests.any? do |tuple|
+          request_method == tuple.first && current_path.match(tuple.last)
+        end
+      end
+
       def issuer_claim_valid?
         configured_issuer = Warden::JWTAuth.config.issuer
         return true if configured_issuer.nil?

diff --git a/spec/warden/jwt_auth/strategy_spec.rb b/spec/warden/jwt_auth/strategy_spec.rb
@@ -15,7 +15,28 @@
   describe '#valid?' do
     context 'when Authorization header is valid' do
       it 'returns true' do
-        env = { 'HTTP_AUTHORIZATION' => 'Bearer 123' }
+        env = { 'HTTP_AUTHORIZATION' => 'Bearer 123', 'PATH_INFO' => '/users', 'REQUEST_METHOD' => 'GET' }
+        strategy = described_class.new(env, :user)
+
+        expect(strategy).to be_valid
+      end
+
+      it 'returns false when the current path / method matches a dispatch request path / method' do
+        env = { 'HTTP_AUTHORIZATION' => 'Bearer 123', 'PATH_INFO' => '/sign_in', 'REQUEST_METHOD' => 'POST' }
+        strategy = described_class.new(env, :user)
+
+        expect(strategy).not_to be_valid
+      end
+
+      it 'returns true when the current path matches a dispatch request, but the method does not' do
+        env = { 'HTTP_AUTHORIZATION' => 'Bearer 123', 'PATH_INFO' => '/sign_in', 'REQUEST_METHOD' => 'GET' }
+        strategy = described_class.new(env, :user)
+
+        expect(strategy).to be_valid
+      end
+
+      it 'returns true when the current path does not match a dispatch request path' do
+        env = { 'HTTP_AUTHORIZATION' => 'Bearer 123', 'PATH_INFO' => '/users', 'REQUEST_METHOD' => 'POST' }
         strategy = described_class.new(env, :user)
 
         expect(strategy).to be_valid
@@ -29,6 +50,20 @@
 
         expect(strategy).not_to be_valid
       end
+
+      it 'returns false when the current path matches a dispatch request path' do
+        env = { 'PATH_INFO' => '/sign_in', 'REQUEST_METHOD' => 'POST' }
+        strategy = described_class.new(env, :user)
+
+        expect(strategy).not_to be_valid
+      end
+
+      it 'returns true when the current path does not match a dispatch request path' do
+        env = { 'PATH_INFO' => '/users', 'REQUEST_METHOD' => 'GET' }
+        strategy = described_class.new(env, :user)
+
+        expect(strategy).not_to be_valid
+      end
     end
 
     context 'when issuer claim is configured and it matches the configured issuer' do