1 files changed, 49 insertions, 0 deletions

diff --git a/test/js/third_party/jsonwebtoken/wrong_alg.test.js b/test/js/third_party/jsonwebtoken/wrong_alg.test.js
new file mode 100644
index 000000000..948e467f9
--- /dev/null
+++ b/test/js/third_party/jsonwebtoken/wrong_alg.test.js
@@ -0,0 +1,49 @@
+var PS_SUPPORTED = true;
+import jwt from "jsonwebtoken";
+import { expect, describe, it } from "bun:test";
+import path from "path";
+import fs from "fs";
+
+var pub = fs.readFileSync(path.join(__dirname, "pub.pem"), "utf8");
+// priv is never used
+// var priv = fs.readFileSync(path.join(__dirname, 'priv.pem'));
+
+var TOKEN =
+  "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJmb28iOiJiYXIiLCJpYXQiOjE0MjY1NDY5MTl9.ETgkTn8BaxIX4YqvUWVFPmum3moNZ7oARZtSBXb_vP4";
+
+describe("when setting a wrong `header.alg`", function () {
+  describe("signing with pub key as symmetric", function () {
+    it("should not verify", function () {
+      expect(function () {
+        jwt.verify(TOKEN, pub);
+      }).toThrow(/invalid algorithm/);
+    });
+  });
+
+  describe("signing with pub key as HS256 and whitelisting only RS256", function () {
+    it("should not verify", function () {
+      expect(function () {
+        jwt.verify(TOKEN, pub, { algorithms: ["RS256"] });
+      }).toThrow(/invalid algorithm/);
+    });
+  });
+
+  if (PS_SUPPORTED) {
+    describe("signing with pub key as HS256 and whitelisting only PS256", function () {
+      it("should not verify", function () {
+        expect(function () {
+          jwt.verify(TOKEN, pub, { algorithms: ["PS256"] });
+        }).toThrow(/invalid algorithm/);
+      });
+    });
+  }
+
+  describe("signing with HS256 and checking with HS384", function () {
+    it("should not verify", function () {
+      expect(function () {
+        var token = jwt.sign({ foo: "bar" }, "secret", { algorithm: "HS256" });
+        jwt.verify(token, "some secret", { algorithms: ["HS384"] });
+      }).toThrow(/invalid algorithm/);
+    });
+  });
+});