1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
|
var PS_SUPPORTED = true;
import jwt from "jsonwebtoken";
import { expect, describe, it } from "bun:test";
import path from "path";
import fs from "fs";
var pub = fs.readFileSync(path.join(__dirname, "pub.pem"), "utf8");
// priv is never used
// var priv = fs.readFileSync(path.join(__dirname, 'priv.pem'));
var TOKEN =
"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJmb28iOiJiYXIiLCJpYXQiOjE0MjY1NDY5MTl9.ETgkTn8BaxIX4YqvUWVFPmum3moNZ7oARZtSBXb_vP4";
describe("when setting a wrong `header.alg`", function () {
describe("signing with pub key as symmetric", function () {
it("should not verify", function () {
expect(function () {
jwt.verify(TOKEN, pub);
}).toThrow(/invalid algorithm/);
});
});
describe("signing with pub key as HS256 and whitelisting only RS256", function () {
it("should not verify", function () {
expect(function () {
jwt.verify(TOKEN, pub, { algorithms: ["RS256"] });
}).toThrow(/invalid algorithm/);
});
});
if (PS_SUPPORTED) {
describe("signing with pub key as HS256 and whitelisting only PS256", function () {
it("should not verify", function () {
expect(function () {
jwt.verify(TOKEN, pub, { algorithms: ["PS256"] });
}).toThrow(/invalid algorithm/);
});
});
}
describe("signing with HS256 and checking with HS384", function () {
it("should not verify", function () {
expect(function () {
var token = jwt.sign({ foo: "bar" }, "secret", { algorithm: "HS256" });
jwt.verify(token, "some secret", { algorithms: ["HS384"] });
}).toThrow(/invalid algorithm/);
});
});
});
|
