Supertest authenticate with bearer token

gistfile1.js

'use strict';

var should = require('should');
var app = require('../../app');
var request = require('supertest')(app);

describe('GET /api/incidents', function() {

    it('should require authorization', function(done) {
        request
            .get('/api/incidents')
            .expect(401)
            .end(function(err, res) {
                if (err) return done(err);
                done();
            });
    });

    var auth = {};
    before(loginUser(auth));

    it('should respond with JSON array', function(done) {
        request
            .get('/api/incidents')
            .set('Authorization', 'bearer ' + auth.token)
            .expect(200)
            .expect('Content-Type', /json/)
            .end(function(err, res) {
                if (err) return done(err);
                res.body.should.be.instanceof(Array);
                done();
            });
    });

});

function loginUser(auth) {
    return function(done) {
        request
            .post('/auth/local')
            .send({
                email: '[email protected]',
                password: 'test'
            })
            .expect(200)
            .end(onResponse);

        function onResponse(err, res) {
            auth.token = res.body.token;
            return done();
        }
    };
}

Thank you. could you please explain why bearer in lowercase not Bearer in uppercase? is a super test only accept bearer in lowercase?

This excerpt from RFC7235 may shed a light on your doubt:

2. Access Authentication Framework

2.1. Challenge and Response

HTTP provides a simple challenge-response authentication framework
that can be used by a server to challenge a client request and by a
client to provide authentication information. It uses a case-
insensitive token as a means to identify the authentication scheme,
followed by additional information necessary for achieving
authentication via that scheme.

Note that by "token", the RFC author is referring to a lexical token, representing the authentication scheme (like "Basic", "Bearer", etc...), or "auth-scheme" for short, and not your authentication token string.

The Basic authentication scheme builds on top of the HTTP Authentication Framework, along with the Bearer scheme. Take a look at what the Basic Authentication RFC (RFC767 states in the following section:

The Basic authentication scheme utilizes the Authentication Framework
as follows.

In challenges:

o The scheme name is "Basic".

o The authentication parameter 'realm' is REQUIRED ([RFC7235],
Section 2.2).

o The authentication parameter 'charset' is OPTIONAL (see
Section 2.1).

o No other authentication parameters are defined -- unknown
parameters MUST be ignored by recipients, and new parameters can
only be defined by revising this specification.

See also Section 4.1 of [RFC7235], which discusses the complexity of
parsing challenges properly.

Note that both scheme and parameter names are matched case-
insensitively.

So, although it's common to see auth-schemes written with the first letter capitalized, they are in fact case-insensitive.

Thank you very much for this!

please i have a question ... how do i test a secured route with jest (supertest) ....... where when a user login it generate a jwt and then that jwt generated will be used as a middleware to test other routes?????

You can use the auth method instead of setting the Authorization header by hand:

    it('should respond with JSON array', function(done) {
        request
            .get('/api/incidents')
            .auth(auth.token, { type: 'bearer' })
            .expect(200)
            .expect('Content-Type', /json/)
            .end(function(err, res) {
                if (err) return done(err);
                res.body.should.be.instanceof(Array);
                done();
            });
    });
``'

This worked for me. Thank you!