Allow set user mapped from JWT directly on request (#6411)

* Use user mapped from JWT for Auth

* Add a test for userFromJWT bypass

Co-authored-by: Gordon Sun <[email protected]>

Author: sunshineo

spec/Middlewares.spec.js

@@ -356,4 +356,15 @@ describe('middlewares', () => {
       middlewares.DEFAULT_ALLOWED_HEADERS
     );
   });
+
+  it('should use user provided on field userFromJWT', done => {
+    AppCache.put(fakeReq.body._ApplicationId, {
+      masterKey: 'masterKey',
+    });
+    fakeReq.userFromJWT = 'fake-user';
+    middlewares.handleParseHeaders(fakeReq, fakeRes, () => {
+      expect(fakeReq.auth.user).toEqual('fake-user');
+      done();
+    });
+  });
 });

src/middlewares.js

@@ -183,6 +183,17 @@ export function handleParseHeaders(req, res, next) {
     delete info.sessionToken;
   }
 
+  if (req.userFromJWT) {
+    req.auth = new auth.Auth({
+      config: req.config,
+      installationId: info.installationId,
+      isMaster: false,
+      user: req.userFromJWT,
+    });
+    next();
+    return;
+  }
+
   if (!info.sessionToken) {
     req.auth = new auth.Auth({
       config: req.config,