From b08571774f8d142216a2c187caca7808a86db19f Mon Sep 17 00:00:00 2001
From: Gordon Sun
Date: Fri, 3 Apr 2020 15:09:37 -0700
Subject: [PATCH] Allow set user mapped from JWT directly on request (#6411)

* Use user mapped from JWT for Auth

* Add a test for userFromJWT bypass

Co-authored-by: Gordon Sun
---
 spec/Middlewares.spec.js | 11 +++++++++++
 src/middlewares.js | 11 +++++++++++
 2 files changed, 22 insertions(+)

diff --git a/spec/Middlewares.spec.js b/spec/Middlewares.spec.js
index cd5aea7d..c81bd1b9 100644
--- a/spec/Middlewares.spec.js
+++ b/spec/Middlewares.spec.js
@@ -356,4 +356,15 @@ describe('middlewares', () => {
 middlewares.DEFAULT_ALLOWED_HEADERS
 );
 });
+
+ it('should use user provided on field userFromJWT', done => {
+ AppCache.put(fakeReq.body._ApplicationId, {
+ masterKey: 'masterKey',
+ });
+ fakeReq.userFromJWT = 'fake-user';
+ middlewares.handleParseHeaders(fakeReq, fakeRes, () => {
+ expect(fakeReq.auth.user).toEqual('fake-user');
+ done();
+ });
+ });
 });
diff --git a/src/middlewares.js b/src/middlewares.js
index 9da19635..6f836119 100644
--- a/src/middlewares.js
+++ b/src/middlewares.js
@@ -183,6 +183,17 @@ export function handleParseHeaders(req, res, next) {
 delete info.sessionToken;
 }
 
+ if (req.userFromJWT) {
+ req.auth = new auth.Auth({
+ config: req.config,
+ installationId: info.installationId,
+ isMaster: false,
+ user: req.userFromJWT,
+ });
+ next();
+ return;
+ }
+
 if (!info.sessionToken) {
 req.auth = new auth.Auth({
 config: req.config,
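Review bot: The new test in spec/Middlewares.spec.js pins only `auth.user`, and does so with a plain string, so it would keep passing if the bypass ever granted more privilege than intended. Adding `expect(fakeReq.auth.isMaster).toBe(false);` beside the existing expectation would pin the privilege level. A second case where the request also carries a session token would pin which credential wins. Whether `fakeReq` is rebuilt between tests is not visible in the hunk; if it is shared, `userFromJWT` should be cleared afterwards so later tests do not inherit an authenticated user.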
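Review bot: The added `if (req.userFromJWT)` branch in src/middlewares.js treats any truthy value on the request as the authenticated user and returns before the session-token handling below it, yet nothing in the hunk says who may set that field or checks what it holds. The accompanying test passes the string `'fake-user'`, so a non-user value reaches `auth.Auth` as `user`. I would document the trust boundary above the branch, for example `// req.userFromJWT must only be set by an upstream middleware that has already verified the token (signature, issuer, expiry); it replaces session lookup, so session revocation does not apply on this path`. I would also narrow the condition to the expected shape, presumably a user object, e.g. `if (req.userFromJWT && typeof req.userFromJWT === 'object') {`. A session token sent alongside the field is silently ignored here, which is worth stating or rejecting. `handleParseHeaders` starts and ends outside the hunk.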