frisbyjs test is failing because get() is not sending the HTTP headers

Question

I have a frisbyjs test inside another frisbyjs test's afterJSON() that is failing. When I debug the server code, it appears that the x-access-token and x-key HTTP headers are not getting sent. Am I sending them wrong? Surely I'm doing something silly.

Below is the outer test. The first test in afterJSON() is the one that fails:

frisby.create('Should be able to log in with test user')
.post(appHost + '/login',
    {
        username:'test@voxoid.com',
        password:'pass123'
    },
    {json: true},
    {headers: {'Content-Type': 'application/json'}})
.expectStatus(200)
.expectJSONTypes({ token: String })
.expectJSON({
    user: {
        name:'test',
        role:'admin',
        username:'test@voxoid.com'
    }
})
.afterJSON(function(res) {
    // TODO: The functionality works, but this test does not; the headers do not get sent.
    console.log('x-access-token: ' + res.token);
    console.log('x-key: ' + res.user.username);

    // **************** THIS IS THE TEST THAT FAILS ********************
    frisby.create('Should allow access with valid token')
        .get(appHost + '/api/v1/products',{},
            {json:true},
            {headers:{
                'x-access-token': res.token,
                'x-key': res.user.username
            }})
        .inspectJSON()
        .expectStatus(200)
        .toss();

    frisby.create('Should not allow access with invalid token')
        .get(appHost + '/api/v1/products',{},
        {json:true},
        {headers:{
            'x-access-token': res.token + '123',
            'x-key': res.user.username
        }})
        .expectStatus(401)
        .toss();
})
.toss();

The inspectJSON() results in:

{ status: 401, message: 'Invalid Token or Key' }

And here is the server code (an express middleware) handling the request, where token and key both end up 'undefined' while debugging, and res.headers does not contain the x-access-token nor x-key headers:

var jwt = require('jwt-simple');
var validateUser = require('../routes/auth').validateUser;

module.exports = function(req, res, next) {

  // When performing a cross domain request, you will recieve
  // a preflighted request first. This is to check if our the app
  // is safe. 

  // We skip the token outh for [OPTIONS] requests.
  //if(req.method == 'OPTIONS') next();

  var token = (req.body && req.body.access_token) || (req.query && req.query.access_token) || req.headers['x-access-token'];
  var key = (req.body && req.body.x_key) || (req.query && req.query.x_key) || req.headers['x-key'];

  if (token || key) {
    try {
      var decoded = jwt.decode(token, require('../config/secret.js')());

      if (decoded.exp <= Date.now()) {
        res.status(400);
        res.json({
          "status": 400,
          "message": "Token Expired"
        });
        return;
      }

      // Authorize the user to see if s/he can access our resources

      var dbUser = validateUser(key); // The key would be the logged in user's username
      if (dbUser) {


        if ((req.url.indexOf('admin') >= 0 && dbUser.role == 'admin') || (req.url.indexOf('admin') < 0 && req.url.indexOf('/api/v1/') >= 0)) {
          next(); // To move to next middleware
        } else {
          res.status(403);
          res.json({
            "status": 403,
            "message": "Not Authorized"
          });
          return;
        }
      } else {
        // No user with this name exists, respond back with a 401
        res.status(401);
        res.json({
          "status": 401,
          "message": "Invalid User"
        });
        return;
      }

    } catch (err) {
      res.status(500);
      res.json({
        "status": 500,
        "message": "Oops something went wrong",
        "error": err
      });
    }
  } else {
    res.status(401);
    res.json({
      "status": 401,
      "message": "Invalid Token or Key"
    });
    return;
  }
};

Answer 1

Yes, it's something simple - "almost a typo". Here's the working code:

frisby.create('Should allow access with valid token')
  .get(appHost + '/api/v1/products', {
     json: true,
     headers: {
       'x-access-token': res.token,
       'x-key': res.user.username
     }
  })
  .inspectJSON()
  .expectStatus(200)
  .toss();

Notice how we're passing single options object to .get(), instead of three separate ones (for json and headers, and one empty at the beginning).

Also: if most of your requests will contain these headers, it might be useful to set them globally. This applies to other options, too:

frisby.globalSetup({
  request: { 
    json: true,
    headers: {
      'x-access-token': res.token,
      'x-key': res.user.username
    }
  }
});

frisby.create('Should allow access with valid token')
  .get(appHost + '/api/v1/products') //no need for options - they're already set!
  .inspectJSON()
  .expectStatus(200)
  .toss();

frisby.create('Should not allow access with invalid token')
  .get(appHost + '/api/v1/products', {
    // ...but you still can override them - when needed
    headers: {
      'x-access-token': res.token + '123',
      'x-key': res.user.username
    }
  })
  .expectStatus(401)
  .toss();