From 2dcafa35e9967a75c94507169f44e4deb442bfdc Mon Sep 17 00:00:00 2001
From: Gordon Sun
Date: Mon, 10 Feb 2020 18:02:12 -0800
Subject: [PATCH 1/2] Use user mapped from JWT for Auth
---
 src/middlewares.js | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/src/middlewares.js b/src/middlewares.js
index 75923e713f..81877db500 100644
--- a/src/middlewares.js
+++ b/src/middlewares.js
@@ -178,6 +178,17 @@ export function handleParseHeaders(req, res, next) {
 delete info.sessionToken;
 }
 
+ if (req.userFromJWT) {
+ req.auth = new auth.Auth({
+ config: req.config,
+ installationId: info.installationId,
+ isMaster: false,
+ user: req.userFromJWT,
+ });
+ next();
+ return;
+ }
+
 if (!info.sessionToken) {
 req.auth = new auth.Auth({
 config: req.config,
From 8906ee38da4b3dc3aef07c44f9fc67ed2be55a8e Mon Sep 17 00:00:00 2001
From: Gordon Sun
Date: Mon, 9 Mar 2020 22:31:29 -0700
Subject: [PATCH 2/2] Add a test for userFromJWT bypass
---
 spec/Middlewares.spec.js | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/spec/Middlewares.spec.js b/spec/Middlewares.spec.js
index cd5aea7dfb..c81bd1b9fe 100644
--- a/spec/Middlewares.spec.js
+++ b/spec/Middlewares.spec.js
@@ -356,4 +356,15 @@ describe('middlewares', () => {
 middlewares.DEFAULT_ALLOWED_HEADERS
 );
 });
+
+ it('should use user provided on field userFromJWT', done => {
+ AppCache.put(fakeReq.body._ApplicationId, {
+ masterKey: 'masterKey',
+ });
+ fakeReq.userFromJWT = 'fake-user';
+ middlewares.handleParseHeaders(fakeReq, fakeRes, () => {
+ expect(fakeReq.auth.user).toEqual('fake-user');
+ done();
+ });
+ });
 });
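Review bot: The added `if (req.userFromJWT)` branch in `handleParseHeaders` (src/middlewares.js) builds the request's `Auth` from `req.userFromJWT` after only a truthiness check, and nothing in this hunk shows where that field is set or that the token behind it was verified. Because the branch calls `next()` and returns before the `if (!info.sessionToken)` path, a session token on the request is presumably never consulted once the field is present, so the field alone decides who the request is authenticated as. I would state that contract at the branch, e.g. `// req.userFromJWT must only be set by trusted server-side middleware after the JWT's signature and claims have been verified; it is used here without further checks.` The function starts and ends outside the hunk, so any key checks that run earlier are not visible here.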
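Review bot: The new spec `should use user provided on field userFromJWT` (spec/Middlewares.spec.js) asserts only `fakeReq.auth.user`, so it would still pass if the JWT branch ever produced a master-level `Auth`. Assuming `Auth` exposes the flag under the name it is constructed with, adding `expect(fakeReq.auth.isMaster).toEqual(false);` next to the existing expectation pins the privilege level the middleware sets. The spec also assigns `fakeReq.userFromJWT` and never clears it; if `fakeReq` is not rebuilt for each test (the setup is outside this hunk), later specs would silently take the JWT branch instead of the path they mean to exercise. The `describe` block starts outside the hunk.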