added parameter to irgnore url token

README.md

@@ -164,9 +164,10 @@ signature `function(decoded, callback)` where:
 - `responseFunc` - (***optional***) optional function called to decorate the response with authentication headers before the response headers or payload is written where:
     - `request` - the request object.
     - `reply(err, response)`- is called if an error occurred
-- `urlKey` - (***optional***) if you prefer to pass your token via url, simply add a `token` url parameter to your request or use a custom parameter by setting `urlKey`
-- `cookieKey` - (***optional***) if you prefer to pass your token via a cookie, simply set the cookie `token=your.jsonwebtoken.here` or use a custom key by setting `cookieKey`
-- `tokenType` - (**optinal**) allow custom token type, e.g. Authorization: \<tokenType> 12345678, default is none.
+- `allowUrlToken` - (***optional*** *default: true*) if don't want to allow url tokens you can disable this here by setting this to *false*
+- `urlKey` - (***optional*** *default: 'token'*) if you prefer to pass your token via url, simply add a `token` url parameter to your request or use a custom parameter by setting `urlKey`
+- `cookieKey` - (***optional*** *default: 'token'*) if you prefer to pass your token via a cookie, simply set the cookie `token=your.jsonwebtoken.here` or use a custom key by setting `cookieKey`
+- `tokenType` - (**optinal** *default: none*) allow custom token type, e.g. Authorization: \<tokenType> 12345678, default is none.
 
 ### Understanding the Request Flow
 

lib/extract.js

@@ -9,9 +9,10 @@ module.exports = function (request, options) {
   // The key holding token value in url or cookie defaults to token
   var urlKey = typeof options.urlKey === 'string' ? options.urlKey : 'token';
   var cookieKey = typeof options.cookieKey === 'string' ? options.cookieKey : 'token';
+  var allowUrlToken = typeof options.allowUrlToken === 'boolean' ? options.allowUrlToken : true;
   var auth;
 
-  if(request.query[urlKey]) { // tokens via url: https://github.com/dwyl/hapi-auth-jwt2/issues/19
+  if(allowUrlToken && request.query[urlKey]) { // tokens via url: https://github.com/dwyl/hapi-auth-jwt2/issues/19
     auth = request.query[urlKey];
   } // JWT tokens in cookie: https://github.com/dwyl/hapi-auth-jwt2/issues/55
   else if (request.headers.authorization) {

test/basic_server.js

@@ -41,10 +41,18 @@ server.register(require('../'), function () {
     verifyOptions: { algorithms: [ 'HS256' ] } // only allow HS256 algorithm
   });
 
+  server.auth.strategy('jwt-nourl', 'jwt', {
+    key: secret,
+    validateFunc: validate,
+    verifyOptions: { algorithms: [ 'HS256' ] }, // only allow HS256 algorithm
+    allowUrlToken: false
+  });
+
   server.route([
     { method: 'GET',  path: '/', handler: home, config: { auth: false } },
     { method: 'GET', path: '/token', handler: sendToken, config: { auth: 'jwt' } },
     { method: 'POST', path: '/privado', handler: privado, config: { auth: 'jwt' } },
+    { method: 'POST', path: '/privadonourl', handler: privado, config: { auth: 'jwt-nourl' } },
     { method: 'POST', path: '/required', handler: privado, config: { auth: { mode: 'required', strategy: 'jwt' } } },
     { method: 'POST', path: '/optional', handler: privado, config: { auth: { mode: 'optional', strategy: 'jwt' } } },
     { method: 'POST', path: '/try', handler: privado, config: { auth: { mode: 'try', strategy: 'jwt' } } }

test/url_token_test.js

@@ -76,3 +76,18 @@ test("Access restricted content (with VALID Token)", function(t) {
     t.end();
   });
 });
+
+test("Using route with allowUrlToken=false should be denied", function(t) {
+  // use the token as the 'authorization' header in requests
+  var token = JWT.sign({ id: 123, "name": "Charlie" }, secret);
+  token = "?token=" + token;
+  var options = {
+    method: "POST",
+    url: "/privadonourl" + token
+  };
+  // server.inject lets us simulate an http request
+  server.inject(options, function(response) {
+    t.equal(response.statusCode, 401, "No urlKey configured so URL-Tokens should be denied");
+    t.end();
+  });
+});