From 35109160ca5d439116bedeb3302ec3745e2895d5 Mon Sep 17 00:00:00 2001 From: Ciro Spaciari Date: Sat, 7 Oct 2023 19:22:45 -0300 Subject: feat(KeyObject) (#5940) * oops * createSecretKey but weird error * use the right prototype, do not add a function called export lol * HMAC JWT export + base64 fix * Fix Equals, Fix Get KeySize, add complete export RSA * fix RSA export * add EC exports * X25519 and ED25519 export + fixes * fix default exports * better asymmetricKeyType * fix private exports * fix symmetricKeySize * createPublicKey validations + refactor * jwt + der fixes * oopsies * add PEM into createPublicKey * cleanup * WIP * bunch of fixes * public from private + private OKP * encrypted keys fixes * oops * fix clear tls error, add some support to jwk and other formats on publicEncrypt/publicDecrypt * more fixes and tests working * more fixes more tests * more clear hmac errors * more tests and fixes * add generateKeyPair * more tests passing, some skips * fix EC key from private * fix OKP JWK * nodejs ignores ext and key_ops on KeyObject.exports * add EC sign verify test * some fixes * add crypto.generateKeyPairSync(type, options) * more fixes and more tests * fix hmac tests * jsonwebtoken tests * oops * oops2 * generated files * revert package.json * vm tests * todos instead of failues * toBunString -> toString * undo simdutf * improvements * unlikely * cleanup * cleanup 2 * oops * move _generateKeyPairSync checks to native --- test/js/third_party/jsonwebtoken/claim-iat.test.js | 254 +++++++++++++++++++++ 1 file changed, 254 insertions(+) create mode 100644 test/js/third_party/jsonwebtoken/claim-iat.test.js (limited to 'test/js/third_party/jsonwebtoken/claim-iat.test.js') diff --git a/test/js/third_party/jsonwebtoken/claim-iat.test.js b/test/js/third_party/jsonwebtoken/claim-iat.test.js new file mode 100644 index 000000000..6d72a58f6 --- /dev/null +++ b/test/js/third_party/jsonwebtoken/claim-iat.test.js 
@@ -0,0 +1,254 @@ +"use strict"; + +import jwt from "jsonwebtoken"; +import { expect, describe, it, beforeEach } from "bun:test"; +import util from "util"; +import testUtils from "./test-utils"; +import jws from "jws"; +import sinon from "sinon"; + +function signWithIssueAt(issueAt, options, callback) { + const payload = {}; + if (issueAt !== undefined) { + payload.iat = issueAt; + } + const opts = Object.assign({ algorithm: "HS256" }, options); + // async calls require a truthy secret + // see: https://github.com/brianloveswords/node-jws/issues/62 + testUtils.signJWTHelper(payload, "secret", opts, callback); +} + +function verifyWithIssueAt(token, maxAge, options, secret, callback) { + const opts = Object.assign({ maxAge }, options); + testUtils.verifyJWTHelper(token, secret, opts, callback); +} + +describe("issue at", function () { + describe('`jwt.sign` "iat" claim validation', function () { + [true, false, null, "", "invalid", [], ["foo"], {}, { foo: "bar" }].forEach(iat => { + it(`should error with iat of ${util.inspect(iat)}`, function (done) { + signWithIssueAt(iat, {}, err => { + testUtils.asyncCheck(done, () => { + expect(err).toBeInstanceOf(Error); + expect(err.message).toEqual('"iat" should be a number of seconds'); + }); + }); + }); + }); + + // undefined needs special treatment because {} is not the same as {iat: undefined} + it("should error with iat of undefined", function (done) { + testUtils.signJWTHelper({ iat: undefined }, "secret", { algorithm: "HS256" }, err => { + testUtils.asyncCheck(done, () => { + expect(err).toBeInstanceOf(Error); + expect(err.message).toEqual('"iat" should be a number of seconds'); + }); + }); + }); + }); + + describe('"iat" in payload with "maxAge" option validation', function () { + [true, false, null, undefined, -Infinity, Infinity, NaN, "", "invalid", [], ["foo"], {}, { foo: "bar" }].forEach( + iat => { + it(`should error with iat of ${util.inspect(iat)}`, function (done) { + const header = { alg: "HS256" }; + const 
payload = { iat }; + const token = jws.sign({ header, payload, secret: "secret", encoding: "utf8" }); + verifyWithIssueAt(token, "1 min", {}, "secret", err => { + testUtils.asyncCheck(done, () => { + expect(err).toBeInstanceOf(jwt.JsonWebTokenError); + expect(err.message).toEqual("iat required when maxAge is specified"); + }); + }); + }); + }, + ); + }); + + describe("when signing a token", function () { + let fakeClock; + beforeEach(function () { + fakeClock = sinon.useFakeTimers({ now: 60000 }); + }); + + afterEach(function () { + fakeClock.uninstall(); + }); + + [ + { + description: 'should default to current time for "iat"', + iat: undefined, + expectedIssueAt: 60, + options: {}, + }, + { + description: 'should sign with provided time for "iat"', + iat: 100, + expectedIssueAt: 100, + options: {}, + }, + // TODO an iat of -Infinity should fail validation + { + description: 'should set null "iat" when given -Infinity', + iat: -Infinity, + expectedIssueAt: null, + options: {}, + }, + // TODO an iat of Infinity should fail validation + { + description: 'should set null "iat" when given Infinity', + iat: Infinity, + expectedIssueAt: null, + options: {}, + }, + // TODO an iat of NaN should fail validation + { + description: 'should set to current time for "iat" when given value NaN', + iat: NaN, + expectedIssueAt: 60, + options: {}, + }, + { + description: 'should remove default "iat" with "noTimestamp" option', + iat: undefined, + expectedIssueAt: undefined, + options: { noTimestamp: true }, + }, + { + description: 'should remove provided "iat" with "noTimestamp" option', + iat: 10, + expectedIssueAt: undefined, + options: { noTimestamp: true }, + }, + ].forEach(testCase => { + it(testCase.description, function (done) { + signWithIssueAt(testCase.iat, testCase.options, (err, token) => { + testUtils.asyncCheck(done, () => { + expect(err).toBeNull(); + expect(jwt.decode(token).iat).toEqual(testCase.expectedIssueAt); + }); + }); + }); + }); + }); + + describe("when 
verifying a token", function () { + let fakeClock; + + beforeEach(function () { + fakeClock = sinon.useFakeTimers({ now: 60000 }); + }); + + afterEach(function () { + fakeClock.uninstall(); + }); + + [ + { + description: 'should verify using "iat" before the "maxAge"', + clockAdvance: 10000, + maxAge: 11, + options: {}, + }, + { + description: 'should verify using "iat" before the "maxAge" with a provided "clockTimestamp', + clockAdvance: 60000, + maxAge: 11, + options: { clockTimestamp: 70 }, + }, + { + description: 'should verify using "iat" after the "maxAge" but within "clockTolerance"', + clockAdvance: 10000, + maxAge: 9, + options: { clockTimestamp: 2 }, + }, + ].forEach(testCase => { + it(testCase.description, function (done) { + const token = jwt.sign({}, "secret", { algorithm: "HS256" }); + fakeClock.tick(testCase.clockAdvance); + verifyWithIssueAt(token, testCase.maxAge, testCase.options, "secret", (err, token) => { + testUtils.asyncCheck(done, () => { + expect(err).toBeNull(); + expect(typeof token).toBe("object"); + }); + }); + }); + }); + + [ + { + description: 'should throw using "iat" equal to the "maxAge"', + clockAdvance: 10000, + maxAge: 10, + options: {}, + expectedError: "maxAge exceeded", + expectedExpiresAt: 70000, + }, + { + description: 'should throw using "iat" after the "maxAge"', + clockAdvance: 10000, + maxAge: 9, + options: {}, + expectedError: "maxAge exceeded", + expectedExpiresAt: 69000, + }, + { + description: 'should throw using "iat" after the "maxAge" with a provided "clockTimestamp', + clockAdvance: 60000, + maxAge: 10, + options: { clockTimestamp: 70 }, + expectedError: "maxAge exceeded", + expectedExpiresAt: 70000, + }, + { + description: 'should throw using "iat" after the "maxAge" and "clockTolerance', + clockAdvance: 10000, + maxAge: 8, + options: { clockTolerance: 2 }, + expectedError: "maxAge exceeded", + expectedExpiresAt: 68000, + }, + ].forEach(testCase => { + it(testCase.description, function (done) { + const 
expectedExpiresAtDate = new Date(testCase.expectedExpiresAt); + const token = jwt.sign({}, "secret", { algorithm: "HS256" }); + fakeClock.tick(testCase.clockAdvance); + + verifyWithIssueAt(token, testCase.maxAge, testCase.options, "secret", err => { + testUtils.asyncCheck(done, () => { + expect(err).toBeInstanceOf(jwt.JsonWebTokenError); + expect(err.message).toEqual(testCase.expectedError); + expect(err.expiredAt).toStrictEqual(expectedExpiresAtDate); + }); + }); + }); + }); + }); + + describe("with string payload", function () { + it("should not add iat to string", function (done) { + const payload = "string payload"; + const options = { algorithm: "HS256" }; + testUtils.signJWTHelper(payload, "secret", options, (err, token) => { + const decoded = jwt.decode(token); + testUtils.asyncCheck(done, () => { + expect(err).toBeNull(); + expect(decoded).toEqual(payload); + }); + }); + }); + + it("should not add iat to stringified object", function (done) { + const payload = "{}"; + const options = { algorithm: "HS256", header: { typ: "JWT" } }; + testUtils.signJWTHelper(payload, "secret", options, (err, token) => { + const decoded = jwt.decode(token); + testUtils.asyncCheck(done, () => { + expect(err).toEqual(null); + expect(JSON.stringify(decoded)).toEqual(payload); + }); + }); + }); + }); +}); -- cgit v1.2.3
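Review bot: The "should verify using iat after the maxAge but within clockTolerance" case in the verification table sets `options: { clockTimestamp: 2 }`, not `clockTolerance`, so verification is evaluated at second 2 — before the token's iat of 60 — and passes without the tolerance path ever being exercised; the case should read `options: { clockTolerance: 2 },` (iat 60 + maxAge 9 = 69, now 70, within a 2 s tolerance), which is the scenario its description claims. As written the test cannot detect a regression in the clockTolerance handling of maxAge. Separately, `afterEach` is called in two `describe` blocks but the bun:test import only pulls in `expect, describe, it, beforeEach`; it presumably resolves through the test runner's globals, but importing it explicitly (`import { expect, describe, it, beforeEach, afterEach } from "bun:test";`) keeps the file self-contained and avoids a ReferenceError if the globals are ever disabled. The three TODO-marked sign cases (Infinity, -Infinity, NaN accepted as iat) intentionally pin the library's lenient behavior, so a reader should not take them as an endorsement of that input handling.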