From 35109160ca5d439116bedeb3302ec3745e2895d5 Mon Sep 17 00:00:00 2001
From: Ciro Spaciari
Date: Sat, 7 Oct 2023 19:22:45 -0300
Subject: feat(KeyObject) (#5940) * oops * createSecretKey but weird error * use the right prototype, do not add a function called export lol * HMAC JWT export + base64 fix * Fix Equals, Fix Get KeySize, add complete export RSA * fix RSA export * add EC exports * X25519 and ED25519 export + fixes * fix default exports * better asymmetricKeyType * fix private exports * fix symmetricKeySize * createPublicKey validations + refactor * jwt + der fixes * oopsies * add PEM into createPublicKey * cleanup * WIP * bunch of fixes * public from private + private OKP * encrypted keys fixes * oops * fix clear tls error, add some support to jwk and other formats on publicEncrypt/publicDecrypt * more fixes and tests working * more fixes more tests * more clear hmac errors * more tests and fixes * add generateKeyPair * more tests passing, some skips * fix EC key from private * fix OKP JWK * nodejs ignores ext and key_ops on KeyObject.exports * add EC sign verify test * some fixes * add crypto.generateKeyPairSync(type, options) * more fixes and more tests * fix hmac tests * jsonwebtoken tests * oops * oops2 * generated files * revert package.json * vm tests * todos instead of failues * toBunString -> toString * undo simdutf * improvements * unlikely * cleanup * cleanup 2 * oops * move _generateKeyPairSync checks to native
---
test/js/third_party/jsonwebtoken/jwt.hs.test.js | 140 ++++++++++++++++++++++++
1 file changed, 140 insertions(+)
create mode 100644 test/js/third_party/jsonwebtoken/jwt.hs.test.js
(limited to 'test/js/third_party/jsonwebtoken/jwt.hs.test.js')
diff --git a/test/js/third_party/jsonwebtoken/jwt.hs.test.js b/test/js/third_party/jsonwebtoken/jwt.hs.test.js
new file mode 100644
index 000000000..65424f66a
--- /dev/null
+++ b/test/js/third_party/jsonwebtoken/jwt.hs.test.js
@@ -0,0 +1,140 @@
+import jwt from "jsonwebtoken";
+import { expect, describe, it } from "bun:test";
+import jws from "jws";
+import { generateKeyPairSync } from "crypto";
+
+describe("HS256", function () {
+ describe("when signing using HS256", function () {
+ it("should throw if the secret is an asymmetric key", function () {
+ const { privateKey } = generateKeyPairSync("rsa", { modulusLength: 2048 });
+
+ expect(function () {
+ jwt.sign({ foo: "bar" }, privateKey, { algorithm: "HS256" });
+ }).toThrow("must be a symmetric key");
+ });
+
+ it("should throw if the payload is undefined", function () {
+ expect(function () {
+ jwt.sign(undefined, "secret", { algorithm: "HS256" });
+ }).toThrow("payload is required");
+ });
+
+ it("should throw if options is not a plain object", function () {
+ expect(function () {
+ jwt.sign({ foo: "bar" }, "secret", ["HS256"]);
+ }).toThrow('Expected "options" to be a plain object');
+ });
+ });
+
+ describe("with a token signed using HS256", function () {
+ var secret = "shhhhhh";
+
+ var token = jwt.sign({ foo: "bar" }, secret, { algorithm: "HS256" });
+
+ it("should be syntactically valid", function () {
+ expect(typeof token).toBe("string");
+ expect(token.split(".")).toHaveLength(3);
+ });
+
+ it("should be able to validate without options", function (done) {
+ var callback = function (err, decoded) {
+ if (err) return done(err);
+ expect(decoded).toBeDefined();
+ expect(decoded.foo).toBeDefined();
+ expect("bar").toBe(decoded.foo);
+ done();
+ };
+ callback.issuer = "shouldn't affect";
+ jwt.verify(token, secret, callback);
+ });
+
+ it("should validate with secret", function (done) {
+ jwt.verify(token, secret, function (err, decoded) {
+ if (err) return done(err);
+ expect(decoded).toBeDefined();
+ expect(decoded.foo).toBeDefined();
+ done();
+ });
+ });
+
+ it("should throw with invalid secret", function (done) {
+ jwt.verify(token, "invalid secret", function (err, decoded) {
+ expect(decoded).toBeUndefined();
+ expect(err).toBeTruthy();
+ done();
+ });
+ });
+
+ it("should throw with secret and token not signed", function (done) {
+ const header = { alg: "none" };
+ const payload = { foo: "bar" };
+ const token = jws.sign({ header, payload, secret: "secret", encoding: "utf8" });
+ jwt.verify(token, "secret", function (err, decoded) {
+ expect(decoded).toBeUndefined();
+ expect(err).toBeTruthy();
+ done();
+ });
+ });
+
+ it("should throw with falsy secret and token not signed", function (done) {
+ const header = { alg: "none" };
+ const payload = { foo: "bar" };
+ const token = jws.sign({ header, payload, secret: null, encoding: "utf8" });
+ jwt.verify(token, "secret", function (err, decoded) {
+ expect(decoded).toBeUndefined();
+ expect(err).toBeTruthy();
+ done();
+ });
+ });
+
+ it("should throw when verifying null", function (done) {
+ jwt.verify(null, "secret", function (err, decoded) {
+ expect(decoded).toBeUndefined();
+ expect(err).toBeTruthy();
+ done();
+ });
+ });
+
+ it("should return an error when the token is expired", function (done) {
+ var token = jwt.sign({ exp: 1 }, secret, { algorithm: "HS256" });
+ jwt.verify(token, secret, { algorithm: "HS256" }, function (err, decoded) {
+ expect(decoded).toBeUndefined();
+ expect(err).toBeTruthy();
+ done();
+ });
+ });
+
+ it('should NOT return an error when the token is expired with "ignoreExpiration"', function (done) {
+ var token = jwt.sign({ exp: 1, foo: "bar" }, secret, { algorithm: "HS256" });
+ jwt.verify(token, secret, { algorithm: "HS256", ignoreExpiration: true }, function (err, decoded) {
+ if (err) return done(err);
+ expect(decoded).toBeDefined();
+ expect("bar").toBe(decoded.foo);
+ expect(decoded.foo).toBeDefined();
+ done();
+ });
+ });
+
+ it("should default to HS256 algorithm when no options are passed", function () {
+ var token = jwt.sign({ foo: "bar" }, secret);
+ var verifiedToken = jwt.verify(token, secret);
+ expect(verifiedToken).toBeDefined();
+ expect("bar").toBe(verifiedToken.foo);
+ });
+ });
+
+ describe("should fail verification gracefully with trailing space in the jwt", function () {
+ var secret = "shhhhhh";
+ var token = jwt.sign({ foo: "bar" }, secret, { algorithm: "HS256" });
+
+ it('should return the "invalid token" error', function (done) {
+ var malformedToken = token + " "; // corrupt the token by adding a space
+ jwt.verify(malformedToken, secret, { algorithm: "HS256", ignoreExpiration: true }, function (err) {
+ expect(err).not.toBeNull();
+ expect("JsonWebTokenError").toBe(err.name);
+ expect("invalid token").toBe(err.message);
+ done();
+ });
+ });
+ });
+});
-- cgit v1.2.3
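Review bot: The `jwt.verify` calls in the expired-token, `ignoreExpiration` and trailing-space tests pass `{ algorithm: "HS256" }`, but `algorithm` is the sign-side option; verify reads `algorithms` (an array), so this key appears to be ignored and the accepted algorithm is never pinned. I would change these to `{ algorithms: ["HS256"] }`, keeping `ignoreExpiration: true` where it is already set, so the verify path runs with an explicit allow-list. Separately, the two `alg: "none"` tests and the invalid-secret test only assert `expect(err).toBeTruthy()`, which any unrelated failure would satisfy. Adding `expect(err.name).toBe("JsonWebTokenError")`, as the trailing-space test already does, would show that the unsigned or mis-signed token was rejected for the intended reason.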