added jwt-decoder.test.ts

Code-Hex · Code-Hex · commit 3b51919f2c72 · 2022-07-04T23:20:21.000+09:00
diff --git a/src/jwt-decoder.ts b/src/jwt-decoder.ts
@@ -101,42 +101,42 @@ const decodePayload = (
   if (!isNonEmptyString(payload.sub)) {
     throw new JwtError(
       JwtErrorCode.INVALID_ARGUMENT,
-      `"sub" claim must be a string but got "${payload.sub}}"`
+      `"sub" claim must be a string but got "${payload.sub}"`
     );
   }
 
   if (!isNonEmptyString(payload.iss)) {
     throw new JwtError(
       JwtErrorCode.INVALID_ARGUMENT,
-      `"iss" claim must be a string but got "${payload.iss}}"`
+      `"iss" claim must be a string but got "${payload.iss}"`
     );
   }
 
   if (!isNumber(payload.iat)) {
     throw new JwtError(
       JwtErrorCode.INVALID_ARGUMENT,
-      `"iat" claim must be a number but got "${payload.iat}}"`
+      `"iat" claim must be a number but got "${payload.iat}"`
     );
   }
 
-  if (currentTimestamp < payload.iat) {
+  if (currentTimestamp <= payload.iat) {
     throw new JwtError(
       JwtErrorCode.INVALID_ARGUMENT,
-      `Incorrect "iat" claim must be a newer than "${currentTimestamp}" (iat: "${payload.iat}")`
+      `Incorrect "iat" claim must be a older than "${currentTimestamp}" (iat: "${payload.iat}")`
     );
   }
 
   if (!isNumber(payload.exp)) {
     throw new JwtError(
       JwtErrorCode.INVALID_ARGUMENT,
-      `"exp" claim must be a number but got "${payload.exp}"}`
+      `"exp" claim must be a number but got "${payload.exp}"`
     );
   }
 
-  if (currentTimestamp >= payload.exp) {
+  if (currentTimestamp > payload.exp) {
     throw new JwtError(
       JwtErrorCode.TOKEN_EXPIRED,
-      `Incorrect "exp" (expiration time) claim must be a older than "${currentTimestamp}" (exp: ${payload.exp})`
+      `Incorrect "exp" (expiration time) claim must be a newer than "${currentTimestamp}" (exp: "${payload.exp}")`
     );
   }
 
diff --git a/tests/jwk-utils.ts b/tests/jwk-utils.ts
@@ -23,9 +23,11 @@ export class TestingKeyFetcher implements KeyFetcher {
   }
 }
 
-export const genIat = (ms: number = Date.now()): number => Math.floor(ms / 1000)
+export const genTime = (ms: number = Date.now()): number => Math.floor(ms / 1000)
 export const genIss = (projectId: string = "projectId1234"): string => "https://securetoken.google.com/" + projectId
 
+export const encodeObjectBase64Url = (obj: any): string => encodeBase64Url(jsonUTF8Stringify(obj))
+
 const jsonUTF8Stringify = (obj: any): Uint8Array => utf8Encoder.encode(JSON.stringify(obj))
 
 export const signJWT = async (kid: string, payload: DecodedPayload, privateKey: CryptoKey) => {
@@ -34,8 +36,8 @@ export const signJWT = async (kid: string, payload: DecodedPayload, privateKey:
     typ: 'JWT',
     kid,
   };
-  const encodedHeader = encodeBase64Url(jsonUTF8Stringify(header)).replace(/=/g, "")
-  const encodedPayload = encodeBase64Url(jsonUTF8Stringify(payload)).replace(/=/g, "")
+  const encodedHeader = encodeObjectBase64Url(header).replace(/=/g, "")
+  const encodedPayload = encodeObjectBase64Url(payload).replace(/=/g, "")
   const headerAndPayload = `${encodedHeader}.${encodedPayload}`;
 
   const signature = await crypto.subtle.sign(
diff --git a/tests/jws-verifier.test.ts b/tests/jws-verifier.test.ts
@@ -1,16 +1,16 @@
 import { JwtError, JwtErrorCode } from "../src/errors"
 import { PublicKeySignatureVerifier, rs256alg } from "../src/jws-verifier"
 import { DecodedPayload, RS256Token } from "../src/jwt-decoder"
-import { genIat, genIss, signJWT, TestingKeyFetcher } from "./jwk-utils"
+import { genTime, genIss, signJWT, TestingKeyFetcher } from "./jwk-utils"
 
 describe("PublicKeySignatureVerifier", () => {
   const kid = "kid123456"
   const projectId = "projectId1234"
-  const currentTimestamp = Date.now()
+  const currentTimestamp = genTime(Date.now())
   const payload: DecodedPayload = {
     aud: projectId,
     exp: currentTimestamp + 9999,
-    iat: genIat(currentTimestamp - 10000), // -10s
+    iat: currentTimestamp - 10000, // -10s
     iss: genIss(projectId),
     sub: "userId12345",
   }
diff --git a/tests/jwt-decoder.test.ts b/tests/jwt-decoder.test.ts
@@ -0,0 +1,135 @@
+import { JwtError, JwtErrorCode } from "../src/errors"
+import { DecodedHeader, DecodedPayload, RS256Token } from "../src/jwt-decoder"
+import { genTime, genIss, signJWT, TestingKeyFetcher, encodeObjectBase64Url } from "./jwk-utils"
+
+describe("TokenDecoder", () => {
+  const kid = "kid123456"
+  const projectId = "projectId1234"
+  const currentTimestamp = genTime(Date.now())
+  const payload: DecodedPayload = {
+    aud: projectId,
+    exp: currentTimestamp, // now (for border test)
+    iat: currentTimestamp - 10000, // -10s
+    iss: genIss(projectId),
+    sub: "userId12345",
+  }
+
+  it("invalid token", () => {
+    expect(() => RS256Token.decode("invalid", currentTimestamp)).toThrowError(
+      new JwtError(
+        JwtErrorCode.INVALID_ARGUMENT,
+        "token must consist of 3 parts"
+      )
+    )
+  })
+
+  describe("header", () => {
+    const validHeader: DecodedHeader = {
+      kid,
+      alg: "RS256",
+    }
+
+    it("invalid kid", () => {
+      const headerPart = encodeObjectBase64Url({
+        ...validHeader,
+        kid: undefined
+      })
+      const jwt = `${headerPart}.payload.signature`
+      expect(() => RS256Token.decode(jwt, currentTimestamp)).toThrowError(
+        new JwtError(
+          JwtErrorCode.NO_KID_IN_HEADER,
+          `kid must be a string but got ${undefined}`
+        )
+      )
+    })
+
+    it("invalid alg", () => {
+      const headerPart = encodeObjectBase64Url({
+        ...validHeader,
+        alg: "HS256"
+      })
+      const jwt = `${headerPart}.payload.signature`
+      expect(() => RS256Token.decode(jwt, currentTimestamp)).toThrowError(
+        new JwtError(
+          JwtErrorCode.INVALID_ARGUMENT,
+          `algorithm must be RS256 but got ${"HS256"}`
+        )
+      )
+    })
+  })
+
+  describe("payload", () => {
+    test.each([
+      [
+        "aud",
+        {
+          ...payload,
+          aud: "",
+        },
+        new JwtError(
+          JwtErrorCode.INVALID_ARGUMENT,
+          `"aud" claim must be a string but got ""`
+        )
+      ],
+      [
+        "sub",
+        {
+          ...payload,
+          sub: "",
+        },
+        new JwtError(
+          JwtErrorCode.INVALID_ARGUMENT,
+          `"sub" claim must be a string but got ""`
+        )
+      ],
+      [
+        "iss",
+        {
+          ...payload,
+          iss: "",
+        },
+        new JwtError(
+          JwtErrorCode.INVALID_ARGUMENT,
+          `"iss" claim must be a string but got ""`
+        )
+      ],
+      [
+        "iat is in future",
+        {
+          ...payload,
+          iat: currentTimestamp + 10000, // +10s
+        },
+        new JwtError(
+          JwtErrorCode.INVALID_ARGUMENT,
+          `Incorrect "iat" claim must be a older than "${currentTimestamp}" (iat: "${currentTimestamp + 10000}")`
+        )
+      ],
+      [
+        "iat is now",
+        {
+          ...payload,
+          iat: currentTimestamp,
+        },
+        new JwtError(
+          JwtErrorCode.INVALID_ARGUMENT,
+          `Incorrect "iat" claim must be a older than "${currentTimestamp}" (iat: "${currentTimestamp}")`
+        )
+      ],
+      [
+        "exp is in past",
+        {
+          ...payload,
+          exp: currentTimestamp - 10000, // -10s
+        },
+        new JwtError(
+          JwtErrorCode.INVALID_ARGUMENT,
+          `Incorrect "exp" (expiration time) claim must be a newer than "${currentTimestamp}" (exp: "${currentTimestamp - 10000}")`
+        )
+      ],
+    ])("invalid %s", async (_, payload, wantErr) => {
+      const testingKeyFetcher = await TestingKeyFetcher.withKeyPairGeneration("mismachKid")
+      const jwt = await signJWT(kid, payload, testingKeyFetcher.getPrivateKey())
+      expect(() => RS256Token.decode(jwt, currentTimestamp)).toThrowError(wantErr)
+    })
+  })
+})
