Ensure that authenticate only handles POST

2015-05-07 22:33:27 -08:00 · 2015-05-07 22:33:27 -08:00 · b3e5aa96ee
commit b3e5aa96ee
parent e80c34437b
2 changed files with 19 additions and 0 deletions
--- a/jwt.go
+++ b/jwt.go
@ -31,6 +31,7 @@ var (
 	ErrMalformedToken     = errors.New("please provide a valid token")
 	ErrInvalidSignature   = errors.New("signature could not be verified")
 	ErrParsingCredentials = errors.New("error parsing credentials")
+	ErrInvalidMethod      = errors.New("invalid request method")
 )

 // AuthFunc is a type for delegating user authentication to the client-code.
@ -175,6 +176,13 @@ func (m *Middleware) Secure(h http.Handler, v VerifyClaimsFunc) http.Handler {
 // the requester.
 func (m *Middleware) GenerateToken() http.Handler {
 	generateHandler := func(w http.ResponseWriter, r *http.Request) *jwtError {
+		if r.Method != "POST" {
+			return &jwtError{
+				status:  http.StatusBadRequest,
+				err:     ErrInvalidMethod,
+				message: "receiving request",
+			}
+		}
 		var b map[string]string
 		err := json.NewDecoder(r.Body).Decode(&b)
 		if err != nil {
--- a/jwt_test.go
+++ b/jwt_test.go
@ -221,3 +221,14 @@ func TestSecureHandlerGoodToken(t *testing.T) {
 		t.Errorf("wanted %s, got %s", "test", body)
 	}
 }
+
+func TestGenerateTokenHandlerNotPOST(t *testing.T) {
+	middleware := newMiddlewareOrFatal(t)
+	resp := httptest.NewRecorder()
+	req, _ := http.NewRequest("PUT", "http://example.com", nil)
+	middleware.GenerateToken().ServeHTTP(resp, req)
+	body := strings.TrimSpace(resp.Body.String())
+	if body != ErrInvalidMethod.Error() {
+		t.Errorf("wanted %q, got %q", ErrInvalidMethod.Error(), body)
+	}
+}