Merge pull request #374 from ziluvatar/add-check-for-empty-secrets

sign: add check to be sure secret has a value
auth0 · Aug 4, 2017 · c6a7026 · c6a7026
2 parents 43739dc + c584d1c
commit c6a7026
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 0 deletions.
diff --git a/sign.js b/sign.js
@@ -66,6 +66,9 @@ module.exports = function (payload, secretOrPrivateKey, options, callback) {
     throw err;
   }
 
+  if (!secretOrPrivateKey) {
+    return failure(new Error('secretOrPrivateKey must have a value'));
+  }
 
   if (typeof payload === 'undefined') {
     return failure(new Error('payload is required'));

diff --git a/test/async_sign.tests.js b/test/async_sign.tests.js
@@ -63,5 +63,19 @@ describe('signing a token asynchronously', function() {
         done();
       });
     });
+
+    describe('secret must have a value', function(){
+      [undefined, '', 0].forEach(function(secret){
+        it('should return an error if the secret is falsy: ' + (typeof secret === 'string' ? '(empty string)' : secret), function(done) {
+        // This is needed since jws will not answer for falsy secrets
+          jwt.sign('string', secret, {}, function(err, token) {
+            expect(err).to.be.exist();
+            expect(err.message).to.equal('secretOrPrivateKey must have a value');
+            expect(token).to.not.exist;
+            done();
+          });
+        });
+      });
+    });
   });
 });