CognitoExpress.validate()'s callback parameter is optional, but is blindly invoked for error conditions #18
Comments
The unit tests mask this bug because of how they are passing an async callback:
cognito-express/test/strategy.js Lines 121 to 130 in 86c7386

Because the callback is async, it will be executed after the

Restructuring the test as follows:

```js
it("should check if Validate function can fail successfully when invalid token is passed (Promise)", async () => {
    await strategy.init(result => expect(result).to.eql(true));
    try {
        await strategy.validate("token");
    } catch (err) {
        expect(err).to.eql("Not a valid JWT token");
    };
});
```

Surfaces the failure:
@ghdna, do you have any thoughts on or plans for this PR?
@robertbullen Since issues like this one have been open for so long, I created a different library, aws-cognito-express.
This means that the promisified code path in `CognitoExpress.validate()` is fundamentally broken for failure scenarios.
Here are the offending lines:
cognito-express/lib/strategy.js Lines 52 to 63 in 86c7386
Meanwhile, just a little further down `callback` is properly checked in two locations:
cognito-express/lib/strategy.js Lines 72 to 89 in 86c7386
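The failure mode described in this issue, reduced to a self-contained sketch (an added example, not code from cognito-express). `decodeToken`, `validateBuggy`, `validateFixed` and `caughtError` are hypothetical names, and `decodeToken` only checks the token's shape. With no callback, the buggy variant rejects with a `TypeError` instead of the intended message, while the fixed variant routes both outcomes through a single exit point.

```javascript
// Added example: simplified stand-ins, not the cognito-express source.
// decodeToken is a hypothetical helper: it returns null unless the input has
// three dot-separated parts. It performs no signature verification.
function decodeToken(token) {
  const parts = String(token).split(".");
  return parts.length === 3 ? { header: parts[0], payload: parts[1] } : null;
}

// Buggy shape: callback is optional, yet the error branch calls it unconditionally.
function validateBuggy(token, callback) {
  const p = Promise.resolve().then(() => {
    const decoded = decodeToken(token);
    // Throws TypeError inside the chain when callback is undefined.
    if (!decoded) return callback("Not a valid JWT token", null);
    if (callback) return callback(null, decoded);
    return decoded;
  });
  if (!callback) return p;
}

// Fixed shape: validation only resolves or rejects; one place at the end
// decides whether the caller gets a promise or a callback invocation.
function validateFixed(token, callback) {
  const p = Promise.resolve().then(() => {
    const decoded = decodeToken(token);
    // A string is thrown so the rejection value matches the restructured test.
    if (!decoded) throw "Not a valid JWT token";
    return decoded;
  });
  if (typeof callback !== "function") return p;
  p.then(result => callback(null, result), err => callback(err, null));
}

// Returns what a promise-style caller actually catches from a given variant.
async function caughtError(validate, token) {
  try {
    await validate(token);
    return null;
  } catch (err) {
    return err;
  }
}
```
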