test/js/third_party/jsonwebtoken/jwt.hs.test.js


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140

import jwt from "jsonwebtoken";
import { expect, describe, it } from "bun:test";
import jws from "jws";
import { generateKeyPairSync } from "crypto";

describe("HS256", function () {
  describe("when signing using HS256", function () {
    it("should throw if the secret is an asymmetric key", function () {
      const { privateKey } = generateKeyPairSync("rsa", { modulusLength: 2048 });

      expect(function () {
        jwt.sign({ foo: "bar" }, privateKey, { algorithm: "HS256" });
      }).toThrow("must be a symmetric key");
    });

    it("should throw if the payload is undefined", function () {
      expect(function () {
        jwt.sign(undefined, "secret", { algorithm: "HS256" });
      }).toThrow("payload is required");
    });

    it("should throw if options is not a plain object", function () {
      expect(function () {
        jwt.sign({ foo: "bar" }, "secret", ["HS256"]);
      }).toThrow('Expected "options" to be a plain object');
    });
  });

  describe("with a token signed using HS256", function () {
    var secret = "shhhhhh";

    var token = jwt.sign({ foo: "bar" }, secret, { algorithm: "HS256" });

    it("should be syntactically valid", function () {
      expect(typeof token).toBe("string");
      expect(token.split(".")).toHaveLength(3);
    });

    it("should be able to validate without options", function (done) {
      var callback = function (err, decoded) {
        if (err) return done(err);
        expect(decoded).toBeDefined();
        expect(decoded.foo).toBeDefined();
        expect("bar").toBe(decoded.foo);
        done();
      };
      callback.issuer = "shouldn't affect";
      jwt.verify(token, secret, callback);
    });

    it("should validate with secret", function (done) {
      jwt.verify(token, secret, function (err, decoded) {
        if (err) return done(err);
        expect(decoded).toBeDefined();
        expect(decoded.foo).toBeDefined();
        done();
      });
    });

    it("should throw with invalid secret", function (done) {
      jwt.verify(token, "invalid secret", function (err, decoded) {
        expect(decoded).toBeUndefined();
        expect(err).toBeTruthy();
        done();
      });
    });

    it("should throw with secret and token not signed", function (done) {
      const header = { alg: "none" };
      const payload = { foo: "bar" };
      const token = jws.sign({ header, payload, secret: "secret", encoding: "utf8" });
      jwt.verify(token, "secret", function (err, decoded) {
        expect(decoded).toBeUndefined();
        expect(err).toBeTruthy();
        done();
      });
    });

    it("should throw with falsy secret and token not signed", function (done) {
      const header = { alg: "none" };
      const payload = { foo: "bar" };
      const token = jws.sign({ header, payload, secret: null, encoding: "utf8" });
      jwt.verify(token, "secret", function (err, decoded) {
        expect(decoded).toBeUndefined();
        expect(err).toBeTruthy();
        done();
      });
    });

    it("should throw when verifying null", function (done) {
      jwt.verify(null, "secret", function (err, decoded) {
        expect(decoded).toBeUndefined();
        expect(err).toBeTruthy();
        done();
      });
    });

    it("should return an error when the token is expired", function (done) {
      var token = jwt.sign({ exp: 1 }, secret, { algorithm: "HS256" });
      jwt.verify(token, secret, { algorithm: "HS256" }, function (err, decoded) {
        expect(decoded).toBeUndefined();
        expect(err).toBeTruthy();
        done();
      });
    });

    it('should NOT return an error when the token is expired with "ignoreExpiration"', function (done) {
      var token = jwt.sign({ exp: 1, foo: "bar" }, secret, { algorithm: "HS256" });
      jwt.verify(token, secret, { algorithm: "HS256", ignoreExpiration: true }, function (err, decoded) {
        if (err) return done(err);
        expect(decoded).toBeDefined();
        expect("bar").toBe(decoded.foo);
        expect(decoded.foo).toBeDefined();
        done();
      });
    });

    it("should default to HS256 algorithm when no options are passed", function () {
      var token = jwt.sign({ foo: "bar" }, secret);
      var verifiedToken = jwt.verify(token, secret);
      expect(verifiedToken).toBeDefined();
      expect("bar").toBe(verifiedToken.foo);
    });
  });

  describe("should fail verification gracefully with trailing space in the jwt", function () {
    var secret = "shhhhhh";
    var token = jwt.sign({ foo: "bar" }, secret, { algorithm: "HS256" });

    it('should return the "invalid token" error', function (done) {
      var malformedToken = token + " "; // corrupt the token by adding a space
      jwt.verify(malformedToken, secret, { algorithm: "HS256", ignoreExpiration: true }, function (err) {
        expect(err).not.toBeNull();
        expect("JsonWebTokenError").toBe(err.name);
        expect("invalid token").toBe(err.message);
        done();
      });
    });
  });
});