Implementation of Configurable Token Locations in OAuth2 JWT Bearer A… #179

Open. Wants to merge 1 commit into base: main

Conversation

arpit-jn (Contributor)

@arpit-jn arpit-jn commented Jun 5, 2025

By submitting a PR to this repository, you agree to the terms within the Auth0 Code of Conduct. Please see the contributing guidelines for how to create and submit a high-quality PR for this repo.

Description

This PR addresses issue #147 by adding the ability to configure which locations are checked for JWT tokens (header, query, or body parameters). Previously, the middleware would automatically check all possible token locations. Now, users can restrict token extraction to specific locations for enhanced security.

Changes

  • Added TokenLocation enum
  • Added configuration options for token locations in auth middleware
  • Updated documentation with example usage
  • Added tests to verify behavior with different configurations

References

Testing

  • Verified tokens are only extracted from specified locations
  • Confirmed default behavior matches RFC6750
  • Added tests for using both enum and boolean config options
  • Checked behavior with array of token locations works correctly
  • This change adds test coverage for new/changed/fixed functionality

Checklist

  • I have added documentation for new/changed functionality in this PR or in auth0.com/docs
  • All active GitHub checks for tests, formatting, and security are passing
  • The correct base branch is being used, if not the default branch
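
The extraction logic the description talks about, as an added example that is not code from this PR or from express-oauth2-jwt-bearer: an RFC 6750 token extractor that only consults an allow-list of locations. Only `TokenLocation.QUERY` and the `tokenLocation` option name appear on this page; the `HEADER` and `BODY` members, the request shape, the `getToken` function and the error class are assumptions made for the illustration.

```typescript
// Added example for this PR page, not code from express-oauth2-jwt-bearer or
// from the PR itself. RFC 6750 token extraction restricted to an allow-list of
// locations. Only TokenLocation.QUERY and the `tokenLocation` option name come
// from the page; HEADER, BODY, MinimalRequest, getToken and the error class are
// assumptions for this illustration.

enum TokenLocation {
  HEADER = 'header',
  QUERY = 'query',
  BODY = 'body',
}

// Minimal request shape (assumed), enough to stand in for an Express request.
interface MinimalRequest {
  method: string;
  headers: Record<string, string | undefined>;
  query: Record<string, string | string[] | undefined>;
  body?: Record<string, unknown>;
}

class TokenExtractionError extends Error {}

// RFC 6750 section 2.1: "Bearer" scheme (case-insensitive) followed by a b64token.
const BEARER_RE = /^Bearer\s+([A-Za-z0-9\-._~+/]+=*)$/i;

function fromHeader(req: MinimalRequest): string | undefined {
  const header = req.headers['authorization'];
  if (header === undefined) return undefined;
  const match = BEARER_RE.exec(header);
  // A present but malformed Authorization header is an error, not "no token".
  if (!match) throw new TokenExtractionError('malformed Authorization header');
  return match[1];
}

function fromQuery(req: MinimalRequest): string | undefined {
  const value = req.query['access_token'];
  if (value === undefined) return undefined;
  // A repeated parameter is ambiguous; refuse rather than silently pick one.
  if (Array.isArray(value)) throw new TokenExtractionError('duplicate access_token parameter');
  return value;
}

function fromBody(req: MinimalRequest): string | undefined {
  // RFC 6750 section 2.2: form-encoded body only, and never on a GET request.
  const contentType = req.headers['content-type'] ?? '';
  if (!contentType.startsWith('application/x-www-form-urlencoded')) return undefined;
  if (req.method.toUpperCase() === 'GET') return undefined;
  const value = req.body?.['access_token'];
  if (value === undefined) return undefined;
  if (typeof value !== 'string') throw new TokenExtractionError('access_token in body must be a string');
  return value;
}

const EXTRACTORS: Record<TokenLocation, (req: MinimalRequest) => string | undefined> = {
  [TokenLocation.HEADER]: fromHeader,
  [TokenLocation.QUERY]: fromQuery,
  [TokenLocation.BODY]: fromBody,
};

// Default mirrors the pre-PR behaviour: every RFC 6750 location is consulted.
const ALL_LOCATIONS: TokenLocation[] = [TokenLocation.HEADER, TokenLocation.QUERY, TokenLocation.BODY];

// Returns the token, undefined when none of the allowed locations carries one,
// and throws when the client used more than one allowed method at once
// (RFC 6750 section 2 forbids that). Locations outside `allowed` are never
// inspected, so a token placed there is simply ignored.
function getToken(req: MinimalRequest, allowed: TokenLocation[] = ALL_LOCATIONS): string | undefined {
  const found: string[] = [];
  for (const location of Array.from(new Set(allowed))) {
    const token = EXTRACTORS[location](req);
    if (token !== undefined) found.push(token);
  }
  if (found.length > 1) throw new TokenExtractionError('token supplied via more than one method');
  return found[0];
}
```

Restricting extraction to `HEADER` is the hardening most deployments want: RFC 6750 discourages the query-string method because URLs end up in access logs, proxies and Referer headers, which is exactly where a bearer token should not be. Note the design choice that a token found in a location outside the allow-list is ignored rather than rejected; a stricter variant would inspect all locations and fail the request when a disallowed one is used, which gives better detection of misconfigured clients at the cost of extra parsing.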

@arpit-jn arpit-jn requested a review from a team as a code owner June 5, 2025 16:49
@@ -17,7 +17,12 @@
UnauthorizedError,
InvalidRequestError,
InvalidTokenError,
InsufficientScopeError,
Insufficie it('should succeed when token is in query', async () => {
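Review bot: the import specifier list in this hunk is corrupted: `InsufficientScopeError,` is followed by the fragment `Insufficie` fused to `it('should succeed when token is in query', async () => {`, which means a test body was pasted into the middle of the import statement and the file no longer parses, so none of the tests in this file can run. Remove the stray `Insufficie` (the full `InsufficientScopeError` is already listed on the line above) and move the whole `it(...)` block below the import. Until this compiles, the description's claim that query-only extraction was verified cannot be checked from this file.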

Check notice (Code scanning / CodeQL): Syntax error (Note, test)

Error: ',' expected.

Copilot Autofix (AI, 15 days ago)

To fix the syntax error:

  1. Correct the incomplete identifier Insufficie on line 19 by completing it as InsufficientScopeError.
  2. Ensure the code is syntactically valid and properly formatted.
  3. Verify that the corrected code aligns with the intended functionality and does not introduce new issues.

The fix involves editing the import statement on line 19 to restore the missing portion of the identifier.


Suggested changeset 1: packages/express-oauth2-jwt-bearer/test/index.test.ts

Autofix patch (run the following command in your local git repository to apply this patch):
cat << 'EOF' | git apply
diff --git a/packages/express-oauth2-jwt-bearer/test/index.test.ts b/packages/express-oauth2-jwt-bearer/test/index.test.ts
--- a/packages/express-oauth2-jwt-bearer/test/index.test.ts
+++ b/packages/express-oauth2-jwt-bearer/test/index.test.ts
@@ -19,3 +19,4 @@
   InvalidTokenError,
-  Insufficie  it('should succeed when token is in query', async () => {
+  InsufficientScopeError,
+it('should succeed when token is in query', async () => {
     const jwt = await createJwt();
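Review bot: this hunk completes the identifier but leaves the `it(...)` call inside the import braces: the next hunk's context still shows `TokenLocation,` as a following specifier, so after this patch the file is still not valid TypeScript. The test body, from `it(` down to its closing `});`, has to be moved below the `import ... from` statement, not merely split onto its own line.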
@@ -23,3 +24,3 @@
       tokenLocation: TokenLocation.QUERY,
-    });peError,
+    });
   TokenLocation,
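Review bot: `});` here repairs the `peError,` residue, but the call it closes (`setup({ tokenLocation: TokenLocation.QUERY })`) is immediately followed by the import specifier `TokenLocation,`, so the enclosing import is still broken, and the test itself ends without sending a request or making an assertion. A test named 'should succeed when token is in query' needs a request against `baseUrl` carrying the JWT as the `access_token` query parameter and an assertion on the response; as written it would pass vacuously once it compiles.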
EOF
Copilot Autofix (AI, 15 days ago)

To fix the syntax error, the misplaced code needs to be corrected. Specifically:

  1. The Insufficie fragment on line 20 should be completed as InsufficientScopeError and properly aligned with the import statement on line 19.
  2. The it('should succeed when token is in query', async () => { test case should be moved to its proper location after the imports.

This fix ensures that the code is syntactically correct and can be executed as intended.

Suggested changeset 1: packages/express-oauth2-jwt-bearer/test/index.test.ts

Autofix patch (run the following command in your local git repository to apply this patch):
cat << 'EOF' | git apply
diff --git a/packages/express-oauth2-jwt-bearer/test/index.test.ts b/packages/express-oauth2-jwt-bearer/test/index.test.ts
--- a/packages/express-oauth2-jwt-bearer/test/index.test.ts
+++ b/packages/express-oauth2-jwt-bearer/test/index.test.ts
@@ -19,7 +19,3 @@
   InvalidTokenError,
-  Insufficie  it('should succeed when token is in query', async () => {
-    const jwt = await createJwt();
-    const baseUrl = await setup({
-      tokenLocation: TokenLocation.QUERY,
-    });peError,
+  InsufficientScopeError,
   TokenLocation,
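Review bot: this hunk is the right shape: the spliced test lines are removed from the specifier list and `InsufficientScopeError,` is restored between `InvalidTokenError,` and `TokenLocation,`. Two things to confirm before applying it: that `InsufficientScopeError` is not now imported twice (the PR's own hunk at lines 17-21 already lists it directly above the `Insufficie` fragment), and that `TokenLocation` is actually exported from the package entry point this test imports from, since the description only says the enum was added.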
@@ -27,2 +23,9 @@
 
+it('should succeed when token is in query', async () => {
+  const jwt = await createJwt();
+  const baseUrl = await setup({
+    tokenLocation: TokenLocation.QUERY,
+  });
+});
+
 const expectFailsWith = async (
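Review bot: the relocated test sets up the server with `tokenLocation: TokenLocation.QUERY` and creates a JWT but never uses `jwt` or `baseUrl`, so it asserts nothing and will pass regardless of what the middleware does. Suggest issuing a request against `baseUrl` with the token in the query string and asserting success, plus the negative case the PR description promises: with only QUERY configured, the same token sent in the Authorization header should be rejected, which is what the `expectFailsWith` helper in the context line looks built for.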
EOF