added more tests

Code-Hex · Code-Hex · commit b5c7b11fbfda · 2022-07-04T22:30:58.000+09:00
diff --git a/src/base64.test.ts b/src/base64.test.ts
diff --git a/src/base64.ts b/src/base64.ts
@@ -1,45 +1,23 @@
-export const decodeBase64Url = (str: string): string => {
-  return decodeBase64(str).replace(/_|-/g, (m) => ({ _: "/", "-": "+" }[m]!));;
+export const decodeBase64Url = (str: string): Uint8Array => {
+  return decodeBase64(str.replace(/_|-/g, (m) => ({ _: "/", "-": "+" }[m]!)))
 };
 
-export const decodeBase64UrlBytes = (str: string): Uint8Array =>
-  new TextEncoder().encode(decodeBase64Url(str));
-
-export const encodeBase64UrlBytes = (buf: ArrayBufferLike) => {
-  return encodeBase64Url(String.fromCharCode(...new Uint8Array(buf)));
-};
-
-export const encodeBase64Url = (str: string): string =>
-  encodeBase64(str).replace(/\/|\+/g, (m) => ({ "/": "_", "+": "-" }[m]!));
-
-const pad = (s: string): string => {
-  switch (s.length % 4) {
-    case 2:
-      return `${s}==`;
-    case 3:
-      return `${s}=`;
-    default:
-      return s;
-  }
-};
+export const encodeBase64Url = (buf: ArrayBufferLike): string =>
+  encodeBase64(buf).replace(/\/|\+/g, (m) => ({ "/": "_", "+": "-" }[m]!));
 
 // This approach is written in MDN.
 // btoa does not support utf-8 characters. So we need a little bit hack.
-const encodeBase64 = (str: string): string => {
-  const binary = []
-  const encoded = new TextEncoder().encode(str)
-  for (let i = 0; i < encoded.byteLength; i++) {
-    binary.push(String.fromCharCode(encoded[i]))
-  }
-  return pad(btoa(binary.join('')))
+export const encodeBase64 = (buf: ArrayBufferLike): string => {
+  const binary = String.fromCharCode(...new Uint8Array(buf))
+  return btoa(binary)
 }
 
 // atob does not support utf-8 characters. So we need a little bit hack.
-const decodeBase64 = (str: string): string => {
-  const binary = atob(pad(str))
+const decodeBase64 = (str: string): Uint8Array => {
+  const binary = atob(str)
   const bytes = new Uint8Array(new ArrayBuffer(binary.length));
-  for (let i = 0; i < binary.length; i++) {
+  for (let i = 0; i < binary.length ; i++) {
     bytes[i] = binary.charCodeAt(i);
   }
-  return new TextDecoder().decode(bytes)
+  return bytes
 }
diff --git a/src/jws-verifier.ts b/src/jws-verifier.ts
@@ -4,7 +4,13 @@ import { JsonWebKeyWithKid, RS256Token } from "./jwt-decoder";
 import { isNonNullObject } from "./validator";
 
 // https://firebase.google.com/docs/auth/admin/verify-id-tokens#verify_id_tokens_using_a_third-party_jwt_library
-const rs256alg = { name: "RSASSA-PKCS1-v1_5", hash: "SHA-256" };
+// https://developer.mozilla.org/en-US/docs/Web/API/RsaHashedKeyGenParams
+export const rs256alg: RsaHashedKeyGenParams = {
+  name: "RSASSA-PKCS1-v1_5",
+  modulusLength: 2048,
+  publicExponent: new Uint8Array([0x01, 0x00, 0x01]),
+  hash: "SHA-256",
+};
 
 export interface SignatureVerifier {
   verify(token: RS256Token): Promise<void>;
@@ -44,7 +50,8 @@ export class PublicKeySignatureVerifier implements SignatureVerifier {
       if (publicKey.kid !== header.kid) {
         continue;
       }
-      if (await this.verifySignature(token, publicKey)) {
+      const verified = await this.verifySignature(token, publicKey)
+      if (verified) {
         // succeeded
         return;
       }
diff --git a/src/jwt-decoder.ts b/src/jwt-decoder.ts
@@ -1,5 +1,6 @@
-import { decodeBase64UrlBytes } from "./base64";
+import { decodeBase64Url } from "./base64";
 import { JwtError, JwtErrorCode } from "./errors";
+import { utf8Decoder, utf8Encoder } from "./utf8";
 import { isNonEmptyString, isNumber, isString } from "./validator";
 
 export interface TokenDecoder {
@@ -10,7 +11,7 @@ export interface JsonWebKeyWithKid extends JsonWebKey {
   kid: string;
 }
 
-type DecodedHeader = { kid: string; alg: "RS256" } & Record<string, any>;
+export type DecodedHeader = { kid: string; alg: "RS256" } & Record<string, any>;
 
 export type DecodedPayload = {
   aud: string;
@@ -52,7 +53,7 @@ export class RS256Token {
     return new RS256Token(token, {
       header,
       payload,
-      signature: decodeBase64UrlBytes(tokenParts[2]),
+      signature: decodeBase64Url(tokenParts[2]),
     });
   }
 
@@ -61,7 +62,7 @@ export class RS256Token {
 
     // `${token.header}.${token.payload}`
     const trimmedSignature = rawToken.substring(0, rawToken.lastIndexOf("."));
-    return new TextEncoder().encode(trimmedSignature);
+    return utf8Encoder.encode(trimmedSignature);
   }
 }
 
@@ -93,42 +94,42 @@ const decodePayload = (
   if (!isNonEmptyString(payload.aud)) {
     throw new JwtError(
       JwtErrorCode.INVALID_ARGUMENT,
-      `"aud" claim must be a string but got ${payload.aud}}`
+      `"aud" claim must be a string but got "${payload.aud}"`
     );
   }
 
   if (!isNonEmptyString(payload.sub)) {
     throw new JwtError(
       JwtErrorCode.INVALID_ARGUMENT,
-      `"sub" claim must be a string but got ${payload.sub}}`
+      `"sub" claim must be a string but got "${payload.sub}}"`
     );
   }
 
   if (!isNonEmptyString(payload.iss)) {
     throw new JwtError(
       JwtErrorCode.INVALID_ARGUMENT,
-      `"iss" claim must be a string but got ${payload.iss}}`
+      `"iss" claim must be a string but got "${payload.iss}}"`
     );
   }
 
   if (!isNumber(payload.iat)) {
     throw new JwtError(
       JwtErrorCode.INVALID_ARGUMENT,
-      `"iat" claim must be a number but got ${payload.iat}}`
+      `"iat" claim must be a number but got "${payload.iat}}"`
     );
   }
 
   if (currentTimestamp < payload.iat) {
     throw new JwtError(
       JwtErrorCode.INVALID_ARGUMENT,
-      `Incorrect "iat" claim must be a newer than "${currentTimestamp}" (iat: ${payload.iat})`
+      `Incorrect "iat" claim must be a newer than "${currentTimestamp}" (iat: "${payload.iat}")`
     );
   }
 
   if (!isNumber(payload.exp)) {
     throw new JwtError(
       JwtErrorCode.INVALID_ARGUMENT,
-      `"exp" claim must be a number but got ${payload.exp}}`
+      `"exp" claim must be a number but got "${payload.exp}"}`
     );
   }
 
@@ -143,21 +144,9 @@ const decodePayload = (
 };
 
 const decodeBase64JSON = (b64Url: string): any => {
-  let b64 = b64Url.replace(/-/g, "+").replace(/_/g, "/");
-  switch (b64.length % 4) {
-    case 0:
-      break;
-    case 2:
-      b64 += "==";
-      break;
-    case 3:
-      b64 += "=";
-      break;
-    default:
-      throw new Error("Illegal base64url string.");
-  }
+  const decoded = decodeBase64Url(b64Url)
   try {
-    return JSON.parse(decodeURIComponent(atob(b64)));
+    return JSON.parse(utf8Decoder.decode(decoded));
   } catch {
     return null;
   }
diff --git a/src/utf8.ts b/src/utf8.ts
@@ -0,0 +1,2 @@
+export const utf8Encoder = new TextEncoder()
+export const utf8Decoder = new TextDecoder()
diff --git a/tests/base64.test.ts b/tests/base64.test.ts
@@ -0,0 +1,55 @@
+import { decodeBase64Url, encodeBase64Url } from "../src/base64";
+import { utf8Encoder } from "../src/utf8";
+
+const urlRef = (s: string): string =>
+  s.replace(/\+|\//g, (m) => ({ "+": "-", "/": "_" }[m]!))
+
+const str2UInt8Array = (s: string): Uint8Array => {
+  const buffer = new Uint8Array(new ArrayBuffer(s.length));
+  for (let i = 0; i < buffer.byteLength; i++) {
+    buffer[i] = s.charCodeAt(i);
+  }
+  return buffer
+}
+
+describe("base64", () => {
+  describe.each([
+    // basic
+    [utf8Encoder.encode("Hello, 世界"), "SGVsbG8sIOS4lueVjA=="],
+
+    // RFC 3548 examples
+    [str2UInt8Array("\x14\xfb\x9c\x03\xd9\x7e"), "FPucA9l+"],
+    [str2UInt8Array("\x14\xfb\x9c\x03\xd9"), "FPucA9k="],
+    [str2UInt8Array("\x14\xfb\x9c\x03"), "FPucAw=="],
+
+    // RFC 4648 examples
+    [str2UInt8Array(""), ""],
+    [str2UInt8Array("f"), "Zg=="],
+    [str2UInt8Array("fo"), "Zm8="],
+    [str2UInt8Array("foo"), "Zm9v"],
+    [str2UInt8Array("foob"), "Zm9vYg=="],
+    [str2UInt8Array("fooba"), "Zm9vYmE="],
+    [str2UInt8Array("foobar"), "Zm9vYmFy"],
+
+    // Wikipedia examples
+    [str2UInt8Array("sure."), "c3VyZS4="],
+    [str2UInt8Array("sure"), "c3VyZQ=="],
+    [str2UInt8Array("sur"), "c3Vy"],
+    [str2UInt8Array("su"), "c3U="],
+    [str2UInt8Array("leasure."), "bGVhc3VyZS4="],
+    [str2UInt8Array("easure."), "ZWFzdXJlLg=="],
+    [str2UInt8Array("asure."), "YXN1cmUu"],
+    [str2UInt8Array("sure."), "c3VyZS4="],
+  ])('%s, %s', (decoded, encoded) => {
+    it("encode", () => {
+      const got = encodeBase64Url(decoded)
+      const want = urlRef(encoded)
+      expect(got).toStrictEqual(want)
+    })
+    it("decode", () => {
+      const got = decodeBase64Url(urlRef(encoded))
+      const want = decoded
+      expect(got).toStrictEqual(want)
+    })
+  })
+})
diff --git a/tests/jwk-utils.ts b/tests/jwk-utils.ts
@@ -0,0 +1,49 @@
+import { encodeBase64Url } from "../src/base64";
+import { KeyFetcher } from "../src/jwk-fetcher";
+import { rs256alg } from "../src/jws-verifier";
+import { DecodedHeader, DecodedPayload, JsonWebKeyWithKid } from "../src/jwt-decoder";
+import { utf8Encoder } from "../src/utf8";
+
+export class TestingKeyFetcher implements KeyFetcher {
+
+  constructor(public readonly kid: string, private readonly keyPair: CryptoKeyPair) {}
+
+  public static async withKeyPairGeneration(kid: string): Promise<TestingKeyFetcher> {
+    const keyPair = await crypto.subtle.generateKey(rs256alg, true, ["sign", "verify"])
+    return new TestingKeyFetcher(kid, keyPair)
+  }
+
+  public async fetchPublicKeys(): Promise<Array<JsonWebKeyWithKid>> {
+    const publicJWK = await crypto.subtle.exportKey("jwk", this.keyPair.publicKey)
+    return [{kid: this.kid, ...publicJWK}];
+  }
+
+  public getPrivateKey(): CryptoKey {
+    return this.keyPair.privateKey
+  }
+}
+
+export const genIat = (ms: number = Date.now()): number => Math.floor(ms / 1000)
+export const genIss = (projectId: string = "projectId1234"): string => "https://securetoken.google.com/" + projectId
+
+const jsonUTF8Stringify = (obj: any): Uint8Array => utf8Encoder.encode(JSON.stringify(obj))
+
+export const signJWT = async (kid: string, payload: DecodedPayload, privateKey: CryptoKey) => {
+  const header: DecodedHeader = {
+    alg: 'RS256',
+    typ: 'JWT',
+    kid,
+  };
+  const encodedHeader = encodeBase64Url(jsonUTF8Stringify(header)).replace(/=/g, "")
+  const encodedPayload = encodeBase64Url(jsonUTF8Stringify(payload)).replace(/=/g, "")
+  const headerAndPayload = `${encodedHeader}.${encodedPayload}`;
+
+  const signature = await crypto.subtle.sign(
+    rs256alg,
+    privateKey,
+    utf8Encoder.encode(headerAndPayload),
+  );
+
+  const base64Signature = encodeBase64Url(signature).replace(/=/g, "")
+  return `${headerAndPayload}.${base64Signature}`;
+}
diff --git a/tests/jws-verifier.test.ts b/tests/jws-verifier.test.ts
diff --git a/tests/validator.test.ts b/tests/validator.test.ts

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+export const utf8Encoder = new TextEncoder()`
	`2`	`+export const utf8Decoder = new TextDecoder()`