Expose jwtDecode to allow fastify-auth0-verify to use lookup/decode logic

[markrzen]

Expose jwtDecode functionality, which includes the ability to change how the token is looked up, to enable fastify-auth0-verify to re-use this functionality, instead of re-write it.

Checklist

• run npm run test and npm run benchmark
• tests and/or benchmarks are included
• documentation is changed or added
• commit message and code follows the Developer's Certification of Origin
  and the Code of conduct

[Eomm]

I think adding the decorator for this feature request is good and solve the replicated code and feature 👍🏽

It is not totally clear to me the additional level on the input options object ( options.decode, options.verify and options.sign ) since that argument should be already passed to the jwt module - could you check if it is needed?

Regarding the lines to update here: https://github.com/nearform/fastify-auth0-verify/blob/master/index.js#L153-L165

I would point out that it is necessary to give to the user an extra configuration setting here:

https://github.com/nearform/fastify-auth0-verify/blob/bf7a3dae417390a9d83dfe15ce191ed6aad8334e/index.js#L194

[markrzen]

@Eomm Here is a quick diff for what I expect would be the integration:
nearform/fastify-auth0-verify@master...markrzen:master

[markrzen]

I am second guessing this PR now. I have been thinking through how we could make this non-breaking for fastify-auth0-verify, and I am not sure it is possible in the way I have it written.

I might need to go back to the drawing board. We might want to expose lookupToken instead.

I suppose the trade off is:

• Major version change to fastify-jwt
• Expose jwtDecode under a different name in fastify-jwt
• Expose lookupToken instead, for use by fastify-auth0-verify

Thoughts @simoneb ?

[Eomm]

@markrzen

Major version change to fastify-jwt
Expose jwtDecode under a different name in fastify-jwt
Expose lookupToken instead, for use by fastify-auth0-verify

Not necessary.

If we configure fastify-jwt to add the jwtDecode decorator only if the options have the options.jwtDecode property, I think there will be no issue within fastify-auth0-verify.
In this way the fastify-auth0-verify won't break up and it can integrate this feature.

(and in a next major version of this plugin, we will add it by default)

Expose lookupToken instead, for use by fastify-auth0-verify

I tried to figure out why this would be necessary, but I did not understand actually.
Is my suggestion solving the problem and lookupToken is no more needed?

[markrzen]

@Eomm To make sure I understand, you are suggesting that upon fastify-jwt registration the user must pass in a value to enable the exposure of jwtDecode?

fastify.register(require('fastify-jwt'), {
  secret: 'supersecret',
  jwtDecode: true
})

If so this would absolutely work and is a great suggestion.

We would not need to expose lookupToken if we went this direction. The three options I gave above are all ways to solve the breaking change issue, but I like your fourth option the best.

[Eomm]

Yes @markrzen , exactly.

The only change is that the jwtDecode is a string to support the namespacing (but we could support the boolean as well and set the default request. jwtDecode() decorator name)

fastify.register(require('fastify-jwt'), {
  secret: 'supersecret',
  jwtDecode: `decodeJWTToken`
})

Could you add a // TODO comment in the source code to remember why we are going to add an optional decorator?

[markrzen]

@Eomm Works great for me. I will make those changes, update the README and do my best to update the types. Heads up on the types, I don't use TypeScript, so you will want to second guess my solution there :)

[Eomm]

Heads up on the types, I don't use TypeScript, so you will want to second guess my solution there :)

It is not blocking, but it should not be too much hard to get inspiration from the other tests

[markrzen]

@Eomm Working on the final changes now. Should be ready shortly.

[markrzen]

@Eomm Sans rebase/squash/fixup, how does this look?

[Eomm]

Almost done

We will need 2 approvals before merge

[markrzen]

@Eomm The benchmark script doesn't seem to exist in the repo. Is this a typo on the PR template?

[markrzen]

@Eomm All set. Let me know if there is anything else.

[mcollina]

lgtm

[climba03003]

LGTM.