get token from either auth header or cookie

Author: rideam

complete-application/services/hasRole.js

@@ -2,7 +2,7 @@ const jose = require('jose');
 
 function hasRole(roles) {
   return (req, res, next) => {
-    const decodedToken = jose.decodeJwt(req.cookies['app.at']);
+    const decodedToken = jose.decodeJwt(req.verifiedToken);
     if (roles.some((role) => decodedToken.roles.includes(role))) return next();
     res.status(403);
     res.send({ error: `You do not have a role with permissions to do this.` });

complete-application/services/verifyJWT.js

@@ -6,7 +6,9 @@ const jwksClient = jose.createRemoteJWKSet(
 );
 
 const verifyJWT = async (req, res, next) => {
-  const access_token = req.cookies['app.at'];
+  const authHeader = req.headers.authorization;
+  const tokenFromHeader = authHeader ? authHeader.split(' ')[1] : null;
+  const access_token = req.cookies['app.at'] || tokenFromHeader;
   if (!access_token) {
     res.status(401);
     res.send({ error: 'Missing token cookie and Authorization header' });
@@ -16,6 +18,7 @@ const verifyJWT = async (req, res, next) => {
         issuer: process.env.BASE_URL,
         audience: process.env.CLIENT_ID,
       });
+      req.verifiedToken = access_token;
       next();
     } catch (e) {
       if (e instanceof jose.errors.JOSEError) {