init

[Amri91]

Fixes #1
Fixes #3
Fixes #4

[Avaq]

Great! :)
I'll get into reviewing the code once we have settled all meta issues.

[Avaq]

We should add "root": true to prevent extension of unrelated configs.

[Amri91]

👍

[Avaq]

I don't think it's appropriate to state that all code is run with jest. We should move this statement to test/.eslintrc.json.

[Amri91]

You are correct, however, I would suggest having one eslintrc and use glob patterns instead so we don't need to write one config file per mocks and tests folders. Check the comment about jest's mocks folder location requirements. What do you think?

[Avaq]

What does the mongo environment add?

[Amri91]

Nothing at all, I forgot to remove it :)

[Avaq]

We should clean up the .gitignore to:

• contain only files and directories specific to this project (eg build or installer output); and
• use absolute paths by default.

[Amri91]

👍

[Avaq]

Should we move the mocks directory under test?

[Amri91]

Jest requires the mocks to exist in the same level as the modules to be mocked. Docs. But I see your point, having a mocks directory beside every mocked file might get messy.

[Avaq]

Perhaps we can avoid this kind of mocking altogether by using dependency injection (as we discussed offline).

[Avaq]

Why not just have everything in this file? We can always change it once we need to split things up.

[Amri91]

👍

[Avaq]

Using a package lock is not appropriate for libraries. Let's remove it and add ./.npmrc containing package-lock = false.

[Amri91]

👍

[Avaq]

Let's start at version 0.0.0 and increment once we publish. We can use https://github.com/davidchambers/xyz for automating this process. It's very nice and I use it on all my libraries.

[Amri91]

👍

[Avaq]

Let's think of a description.

[Amri91]

👍

[miselaytes-anton]

interesting ) What benefit does using Symbol here bring?

[Avaq]

It makes the property "private by obscurity".

[miselaytes-anton]

Right, so you can never bypass the set function, nice

[Avaq]

You can bypass it, it just takes more effort. It's the same principle as doing this._____________algorithm = ..., except that it's "more" obscure.
I discussed offline with Amri the possibility of using a closure to capture private properties, eg:

function JWTPlus({store, algorithm = 'HS512', expiresIn = regularTokenLife, jwt}) {
  return {
    setAlgorithm(x){ assert(v !== 'none', 'Algorithm none is not accepted'); algorithm = x }
  }
}

[miselaytes-anton]

hm, from what I read Symbol would create a unique value, which you can not know if its not on the scope. How can you bypass it?

const s1 = Symbol('s');
const s2 = Symbol('s');
console.log(s1 === s2);//false

const a = {};
a[s1] = 5;

console.log(Object.keys(a));//[]

[Avaq]

const hasProp = Object.prototype.hasOwnProperty;

const specialGet = (prop, object) => {
  if(hasProp.call(object, prop)) return object[prop];
  const symbols = Object.getOwnPropertySymbols(object);

  return symbols
  .filter(x => x.toString().slice('Symbol('.length, -1) === prop)
  .map(x => object[x])
  [0];
};


const o = {
  'regular': 'public bar',
  [Symbol('special')]: 'private bar'
};

console.log(specialGet('regular', o))
console.log(specialGet('special', o))

[miselaytes-anton]

haha, well for people ready to go all this way to modify a private property, I mean just let them do it..

[Avaq]

I think simply not documenting the property name is obscure enough. If you want a private variable, you can use a closure.

[Amri91]

One of the major issues with JWT is its low misuse-resistance and this library tries amend that. If a user wants to get the symbol property that bad, I think that level of misuse-resistance is outside the scope.

However, I do see your point, it makes sense to use an _, a meant-to-be-private variable with the appropriate naming convention might be sufficiently misuse-resistant. I'll remove the use of Symbols and use _ instead.

Further more, Google JavaScript Style Guide warns against using Symbol and promotes the use of an _ along with an annotation for private fields.

[Avaq]

I think it's better to use interfaces (t.inter) over structs in most cases.

[Amri91]

👍

[Avaq]

Let's replace all of the contents in this file by:

/node_modules/

All the other stuff is either environment specific (so belongs in ~/.gitignore) or not related to this project (such as bower_components, what's that doing here).

[Amri91]

👍

[Avaq]

These two pairs of getters and setters are overwritten by plain values upon object construction. They are essentially unreachable code.

[Avaq]

Actually, never mind 😳

[Avaq]

You could add a name to this refinement for clearer error messages.

[Amri91]

👍

[Avaq]

What is this TODO for?

[Amri91]

Currently, I am using HS512 as the default algorithm, I need to read more about recommended jwt algorithms, perhaps I should create an issue for this as well.

[Avaq]

Let's remove this comment, and if it's still relevant, create a github issue instead.

[Amri91]

👍

[Avaq]

Missing newline

[Amri91]

👍

[Avaq]

What is the purpose of these comments? Are you going to generate documentation from them? If so, let's at least create an issue for it.

[Amri91]

Yes, I am going to generate documentation from these comments, I'll add an issue. 👍

[Avaq]

Why do we represent TTL as strings?

[Amri91]

Currently, this library accepts strings and numbers for this.expiresIn, I think strings are more readable, i.e. '1h' than the numbers, but the user can pass either. Is that what you meant?
I also refactored a bit so that we accept string and number formats but always use numbers internally. I will push soon.

[Amri91]

As discussed offline

[Avaq]

Is it necessary to pass down these options? Or can we provide our own?

[Amri91]

I thought about asking the user to provide them once when calling the constructor, but I think these options may change between jwt method calls. I decided to give the user the option to pass them. Do you believe it is better not to?

[Amri91]

As discussed offline

[Avaq]

You could also type-check the other arguments, such as oldToken - even if you're just checking whether they are Strings.

[Amri91]

👍

[Avaq]

I don't think taking rememberMe here makes for a good API. It's puts some party (the front-end or back-end) in charge of remembering whether the user selected "remember me" when they logged in. Perhaps it's better to keep this information in the token, and just carry it forward.

---

Do we have to pass along the signOptions, or can we provide our own?

[Amri91]

That's a great idea. 👍

[Avaq]

You will have to explain why all this is necessary.

[Amri91]

I'll add it in the documentations. But the idea is that some options are already stored in the token (we can also use this for rememberMe), so the refresher does not have to do any processing to generate the options again and the new token will almost match the old one.

[Amri91]

It turned out that it is not :)

[Avaq]

It looks good to me. Let's squash the commits. :)

[Amri91]

Fixes #7

Errors thrown now has the same structure as the ones thrown by jsonwebtoken (the default library used)

[codecov]

Codecov Report

❗ No coverage uploaded for pull request base (master@f2bae6a). Click here to learn what that means.
The diff coverage is 100%.

@@           Coverage Diff           @@
##             master     #2   +/-   ##
=======================================
  Coverage          ?   100%           
=======================================
  Files             ?      1           
  Lines             ?     49           
  Branches          ?      3           
=======================================
  Hits              ?     49           
  Misses            ?      0           
  Partials          ?      0

Impacted Files	Coverage Δ
index.js	100% <100%> (ø)

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update f2bae6a...a0d06d0. Read the comment docs.