Skip to content

fix: Ensure JWE expires as expected #2040

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
tusharpandey13 merged 2 commits into from
Apr 29, 2025
Merged

fix: Ensure JWE expires as expected #2040

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
2179d75
fix: Ensure JWE expires as expected
frederikprijck Apr 7, 2025
d544f19
Merge branch 'main' into fix/jwe-expiration
frederikprijck Apr 29, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
131 changes: 85 additions & 46 deletions src/server/auth-client.test.ts
View file
Open in desktop

Large diffs are not rendered by default.

29 changes: 24 additions & 5 deletions src/server/cookies.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,28 +9,47 @@ describe("encrypt/decrypt", async () => {

it("should encrypt/decrypt a payload with the correct secret", async () => {
const payload = { key: "value" };
const encrypted = await encrypt(payload, secret);
const maxAge = 60 * 60; // 1 hour in seconds
const expiration = Math.floor(Date.now() / 1000 + maxAge);
const encrypted = await encrypt(payload, secret, expiration);
const decrypted = await decrypt(encrypted, secret);

expect(decrypted.payload).toEqual(payload);
expect(decrypted.payload).toEqual(expect.objectContaining(payload));
});

it("should fail to decrypt a payload with the incorrect secret", async () => {
const payload = { key: "value" };
const encrypted = await encrypt(payload, secret);
const maxAge = 60 * 60; // 1 hour in seconds
const expiration = Math.floor(Date.now() / 1000 + maxAge);
const encrypted = await encrypt(payload, secret, expiration);
await expect(() =>
decrypt(encrypted, incorrectSecret)
).rejects.toThrowError();
});

it("should fail to decrypt when expired", async () => {
const payload = { key: "value" };
const expiration = Math.floor(Date.now() / 1000 - 60); // 60 seconds in the past
const encrypted = await encrypt(payload, secret, expiration);
await expect(() =>
decrypt(encrypted, secret)
).rejects.toThrowError(`"exp" claim timestamp check failed`);
});

it("should fail to encrypt if a secret is not provided", async () => {
const payload = { key: "value" };
await expect(() => encrypt(payload, "")).rejects.toThrowError();
const maxAge = 60 * 60; // 1 hour in seconds
const expiration = Math.floor(Date.now() / 1000 + maxAge);

await expect(() => encrypt(payload, "", expiration)).rejects.toThrowError();
});

it("should fail to decrypt if a secret is not provided", async () => {
const payload = { key: "value" };
const encrypted = await encrypt(payload, secret);
const maxAge = 60 * 60; // 1 hour in seconds
const expiration = Math.floor(Date.now() / 1000 + maxAge);

const encrypted = await encrypt(payload, secret, expiration);
await expect(() => decrypt(encrypted, "")).rejects.toThrowError();
});
});
2 changes: 2 additions & 0 deletions src/server/cookies.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@ const ENCRYPTION_INFO = "JWE CEK";
export async function encrypt(
payload: jose.JWTPayload,
secret: string,
expiration: number,
additionalHeaders?: {
iat: number;
uat: number;
Expand All @@ -31,6 +32,7 @@ export async function encrypt(

const encryptedCookie = await new jose.EncryptJWT(payload)
.setProtectedHeader({ enc: ENC, alg: ALG, ...additionalHeaders })
.setExpirationTime(expiration)
Copy link
Member Author

@frederikprijck frederikprijck Apr 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the main thing this PR is fixing. The rest is just accommodating for this change.

.encrypt(encryptionSecret);

return encryptedCookie.toString();
Expand Down
21 changes: 16 additions & 5 deletions src/server/session/stateful-session-store.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,11 +34,14 @@ describe("Stateful Session Store", async () => {
set: vi.fn(),
delete: vi.fn()
};
const maxAge = 60 * 60; // 1 hour in seconds
const expiration = Math.floor(Date.now() / 1000 + maxAge);
const encryptedCookieValue = await encrypt(
{
id: sessionId
},
secret
secret,
expiration,
);

const headers = new Headers();
Expand Down Expand Up @@ -99,11 +102,14 @@ describe("Stateful Session Store", async () => {
set: vi.fn(),
delete: vi.fn()
};
const maxAge = 60 * 60; // 1 hour in seconds
const expiration = Math.floor(Date.now() / 1000 + maxAge);
const encryptedCookieValue = await encrypt(
{
id: sessionId
},
secret
secret,
expiration,
);

const headers = new Headers();
Expand Down Expand Up @@ -464,12 +470,14 @@ describe("Stateful Session Store", async () => {
set: vi.fn(),
delete: vi.fn()
};

const maxAge = 60 * 60; // 1 hour in seconds
const expiration = Math.floor(Date.now() / 1000 + maxAge);
const encryptedCookieValue = await encrypt(
{
id: sessionId
},
secret
secret,
expiration,
);
const headers = new Headers();
headers.append("cookie", `__session=${encryptedCookieValue}`);
Expand Down Expand Up @@ -750,11 +758,14 @@ describe("Stateful Session Store", async () => {
set: vi.fn(),
delete: vi.fn()
};
const maxAge = 60 * 60; // 1 hour in seconds
const expiration = Math.floor(Date.now() / 1000 + maxAge);
const encryptedCookieValue = await encrypt(
{
id: sessionId
},
secret
secret,
expiration,
);
const headers = new Headers();
headers.append("cookie", `__session=${encryptedCookieValue}`);
Expand Down
10 changes: 6 additions & 4 deletions src/server/session/stateful-session-store.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -130,15 +130,17 @@ export class StatefulSessionStore extends AbstractSessionStore {
if (!sessionId) {
sessionId = generateId();
}


const maxAge = this.calculateMaxAge(session.internal.createdAt);
const expiration = Date.now() / 1000 + maxAge;
const jwe = await cookies.encrypt(
{
id: sessionId
},
this.secret
this.secret,
expiration,
);
const maxAge = this.calculateMaxAge(session.internal.createdAt);


resCookies.set(this.sessionCookieName, jwe.toString(), {
...this.cookieConfig,
maxAge
Expand Down
43 changes: 27 additions & 16 deletions src/server/session/stateless-session-store.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,9 @@ describe("Stateless Session Store", async () => {
createdAt: Math.floor(Date.now() / 1000)
}
};
const encryptedCookieValue = await encrypt(session, secret);
const maxAge = 60 * 60; // 1 hour in seconds
const expiration = Math.floor(Date.now() / 1000 + maxAge);
const encryptedCookieValue = await encrypt(session, secret, expiration);

const headers = new Headers();
headers.append("cookie", `__session=${encryptedCookieValue}`);
Expand All @@ -32,7 +34,7 @@ describe("Stateless Session Store", async () => {
secret
});

expect(await sessionStore.get(requestCookies)).toEqual(session);
expect(await sessionStore.get(requestCookies)).toEqual(expect.objectContaining(session));
});

it("should return null if no session cookie exists", async () => {
Expand Down Expand Up @@ -65,9 +67,12 @@ describe("Stateless Session Store", async () => {
uat: Math.floor(Date.now() / 1000),
exp: Math.floor(Date.now() / 1000)
};
const maxAge = 60 * 60; // 1 hour in seconds
const expiration = Math.floor(Date.now() / 1000 + maxAge);
const encryptedCookieValue = await encrypt(
legacySession,
secret,
expiration,
legacyHeader
);

Expand Down Expand Up @@ -106,9 +111,12 @@ describe("Stateless Session Store", async () => {
uat: Math.floor(Date.now() / 1000),
exp: Math.floor(Date.now() / 1000)
};
const maxAge = 60 * 60; // 1 hour in seconds
const expiration = Math.floor(Date.now() / 1000 + maxAge);
const encryptedCookieValue = await encrypt(
legacySession,
secret,
expiration,
legacyHeader
);

Expand Down Expand Up @@ -153,9 +161,12 @@ describe("Stateless Session Store", async () => {
uat: Math.floor(Date.now() / 1000),
exp: Math.floor(Date.now() / 1000)
};
const maxAge = 60 * 60; // 1 hour in seconds
const expiration = Math.floor(Date.now() / 1000 + maxAge);
const encryptedCookieValue = await encrypt(
legacySession,
secret,
expiration,
legacyHeader
);

Expand Down Expand Up @@ -206,7 +217,9 @@ describe("Stateless Session Store", async () => {
}
]
};
const encryptedCookieValue = await encrypt(session, secret);
const maxAge = 60 * 60; // 1 hour in seconds
const expiration = Math.floor(Date.now() / 1000 + maxAge);
const encryptedCookieValue = await encrypt(session, secret, expiration);

const headers = new Headers();
headers.append("cookie", `__session=${encryptedCookieValue}`);
Expand All @@ -216,7 +229,7 @@ describe("Stateless Session Store", async () => {
secret
});

expect(await sessionStore.get(requestCookies)).toEqual(session);
expect(await sessionStore.get(requestCookies)).toEqual(expect.objectContaining(session));
});
});

Expand Down Expand Up @@ -264,7 +277,7 @@ describe("Stateless Session Store", async () => {
const cookie = responseCookies.get("__session");

expect(cookie).toBeDefined();
expect((await decrypt(cookie!.value, secret)).payload).toEqual(session);
expect((await decrypt(cookie!.value, secret)).payload).toEqual(expect.objectContaining(session));
expect(cookie?.path).toEqual("/");
expect(cookie?.httpOnly).toEqual(true);
expect(cookie?.sameSite).toEqual("lax");
Expand Down Expand Up @@ -306,12 +319,10 @@ describe("Stateless Session Store", async () => {
const cookie = responseCookies.get("__session");

expect(cookie).toBeDefined();
expect((await decrypt(cookie!.value, secret)).payload).toEqual(session);
expect(cookie?.path).toEqual("/");
expect(cookie?.httpOnly).toEqual(true);
expect(cookie?.sameSite).toEqual("lax");
expect(cookie?.maxAge).toEqual(0); // cookie should expire immediately
expect(cookie?.secure).toEqual(false);

await expect(
decrypt(cookie!.value, secret)
).rejects.toThrow(`"exp" claim timestamp check failed`);
});

it("should delete the legacy cookie if it exists", async () => {
Expand Down Expand Up @@ -413,7 +424,7 @@ describe("Stateless Session Store", async () => {
const cookie = responseCookies.get("__session");

expect(cookie).toBeDefined();
expect((await decrypt(cookie!.value, secret)).payload).toEqual(session);
expect((await decrypt(cookie!.value, secret)).payload).toEqual(expect.objectContaining(session));
expect(cookie?.path).toEqual("/");
expect(cookie?.httpOnly).toEqual(true);
expect(cookie?.sameSite).toEqual("lax");
Expand Down Expand Up @@ -453,7 +464,7 @@ describe("Stateless Session Store", async () => {
const cookie = responseCookies.get("__session");

expect(cookie).toBeDefined();
expect((await decrypt(cookie!.value, secret)).payload).toEqual(session);
expect((await decrypt(cookie!.value, secret)).payload).toEqual(expect.objectContaining(session));
expect(cookie?.path).toEqual("/");
expect(cookie?.httpOnly).toEqual(true);
expect(cookie?.sameSite).toEqual("lax");
Expand Down Expand Up @@ -492,7 +503,7 @@ describe("Stateless Session Store", async () => {
const cookie = responseCookies.get("__session");

expect(cookie).toBeDefined();
expect((await decrypt(cookie!.value, secret)).payload).toEqual(session);
expect((await decrypt(cookie!.value, secret)).payload).toEqual(expect.objectContaining(session));
expect(cookie?.path).toEqual("/");
expect(cookie?.httpOnly).toEqual(true);
expect(cookie?.sameSite).toEqual("strict");
Expand Down Expand Up @@ -528,7 +539,7 @@ describe("Stateless Session Store", async () => {
const cookie = responseCookies.get("__session");

expect(cookie).toBeDefined();
expect((await decrypt(cookie!.value, secret)).payload).toEqual(session);
expect((await decrypt(cookie!.value, secret)).payload).toEqual(expect.objectContaining(session));
expect(cookie?.path).toEqual("/custom-path");
});

Expand Down Expand Up @@ -563,7 +574,7 @@ describe("Stateless Session Store", async () => {
const cookie = responseCookies.get("custom-session");

expect(cookie).toBeDefined();
expect((await decrypt(cookie!.value, secret)).payload).toEqual(session);
expect((await decrypt(cookie!.value, secret)).payload).toEqual(expect.objectContaining(session));
expect(cookie?.path).toEqual("/");
expect(cookie?.httpOnly).toEqual(true);
expect(cookie?.sameSite).toEqual("lax");
Expand Down
6 changes: 4 additions & 2 deletions src/server/session/stateless-session-store.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -87,8 +87,9 @@ export class StatelessSessionStore extends AbstractSessionStore {
session: SessionData
) {
const { connectionTokenSets, ...originalSession } = session;
const jwe = await cookies.encrypt(originalSession, this.secret);
const maxAge = this.calculateMaxAge(session.internal.createdAt);
const expiration = Math.floor(Date.now() / 1000 + maxAge);
const jwe = await cookies.encrypt(originalSession, this.secret, expiration);
const cookieValue = jwe.toString();
const options: CookieOptions = {
...this.cookieConfig,
Expand Down Expand Up @@ -141,7 +142,8 @@ export class StatelessSessionStore extends AbstractSessionStore {
cookieName: string,
maxAge: number
) {
const jwe = await cookies.encrypt(session, this.secret);
const expiration = Math.floor(Date.now() / 1000 + maxAge);
const jwe = await cookies.encrypt(session, this.secret, expiration);

const cookieValue = jwe.toString();

Expand Down
Loading