Merge pull request #1 from ritza-co/main

Return json for panic endpoint and allow using Authorisation header

Author: mark-robustelli

complete-application/routes/index.js

@@ -7,7 +7,7 @@ router.get('/', function (req, res, next) {
 });
 
 router.post('/panic', hasRole(['teller']), function (req, res, next) {
-  res.send("We've called the police!");
+  res.json({ message: "We've called the police!" });
 });
 
 router.get('/make-change', hasRole(['customer', 'teller']), function (req, res, next) {
@@ -23,4 +23,4 @@ router.get('/make-change', hasRole(['customer', 'teller']), function (req, res,
   res.json(result);
 });
 
-module.exports = router;
+module.exports = router;

complete-application/services/hasRole.js

@@ -2,7 +2,7 @@ const jose = require('jose');
 
 function hasRole(roles) {
   return (req, res, next) => {
-    const decodedToken = jose.decodeJwt(req.cookies['app.at']);
+    const decodedToken = jose.decodeJwt(req.verifiedToken);
     if (roles.some((role) => decodedToken.roles.includes(role))) return next();
     res.status(403);
     res.send({ error: `You do not have a role with permissions to do this.` });

complete-application/services/verifyJWT.js

@@ -6,7 +6,9 @@ const jwksClient = jose.createRemoteJWKSet(
 );
 
 const verifyJWT = async (req, res, next) => {
-  const access_token = req.cookies['app.at'];
+  const authHeader = req.headers.authorization;
+  const tokenFromHeader = authHeader ? authHeader.split(' ')[1] : null;
+  const access_token = req.cookies['app.at'] || tokenFromHeader;
   if (!access_token) {
     res.status(401);
     res.send({ error: 'Missing token cookie and Authorization header' });
@@ -16,6 +18,7 @@ const verifyJWT = async (req, res, next) => {
         issuer: process.env.BASE_URL,
         audience: process.env.CLIENT_ID,
       });
+      req.verifiedToken = access_token;
       next();
     } catch (e) {
       if (e instanceof jose.errors.JOSEError) {