Teach authentication middleware to fail early if OAuth token is missing

If the request lacks an OAuth token, don't waste resources making a
request to the GitHub API to validate the token. Instead, return
immediately with a 401 error.

Author: jasonrudolph

Diff for: lib/middleware.js

@@ -11,6 +11,11 @@ exports.authenticate = function ({identityProvider, ignoredPaths}) {
     if (ignoredPaths.includes(req.path)) return next()
 
     const oauthToken = req.headers['github-oauth-token']
+    if (oauthToken == null) {
+      res.status(401).send({message: 'Authentication required'})
+      return
+    }
+
     try {
       res.locals.identity = await identityProvider.identityForToken(oauthToken)
     } catch (error) {

Diff for: test/middleware.test.js

@@ -84,6 +84,21 @@ suite('authenticate', () => {
       assert.equal(response.body.message, 'Error resolving identity for token: an error')
     }
 
+    // Make a request with a missing token.
+    {
+      let requestAllowed
+      const request = {
+        path: '/some-path',
+        headers: {}
+      }
+      const response = new FakeResponse()
+      await authenticateMiddleware(request, response, () => { requestAllowed = false })
+
+      assert(!requestAllowed)
+      assert.equal(response.code, 401)
+      assert.equal(response.body.message, 'Authentication required')
+    }
+
     // Make a request to an ignored path, and don't pass a token.
     {
       let requestAllowed