test(auth): add tests for jwtAuthHandler

jescalada · jescalada · commit 420be8d1b8bd · 2025-04-13T21:35:37.000+09:00
diff --git a/src/service/passport/jwtAuthHandler.js b/src/service/passport/jwtAuthHandler.js
@@ -1,6 +1,17 @@
-const jwtAuthHandler = () => {
+const { assignRoles, validateJwt } = require('./jwtUtils');
+
+/**
+ * Middleware function to handle JWT authentication.
+ * @param {*} overrideConfig optional configuration to override the default JWT configuration (e.g. for testing)
+ * @returns {Function} the middleware function 
+ */
+const jwtAuthHandler = (overrideConfig = null) => {
   return async (req, res, next) => {
-    const apiAuthMethods = require('../../config').getAPIAuthMethods();
+    const apiAuthMethods = 
+        overrideConfig
+          ? [{ type: "jwt", jwtConfig: overrideConfig }]
+          : require('../../config').getAPIAuthMethods();
+
     const jwtAuthMethod = apiAuthMethods.find((method) => method.type.toLowerCase() === "jwt");
       if (!jwtAuthMethod) {
           return next();
diff --git a/src/service/passport/jwtUtils.js b/src/service/passport/jwtUtils.js
@@ -26,11 +26,12 @@ async function getJwks(authorityUrl) {
  * @param {*} authorityUrl the OIDC authority URL
  * @param {*} clientID the OIDC client ID 
  * @param {*} expectedAudience the expected audience for the token
+ * @param {*} getJwksInject the getJwks function to use (for dependency injection). Defaults to the built-in getJwks function.
  * @return {Promise<object>} the verified payload or an error
  */
-async function validateJwt(token, authorityUrl, clientID, expectedAudience) {
+async function validateJwt(token, authorityUrl, clientID, expectedAudience, getJwksInject = getJwks) {
   try {
-      const jwks = await getJwks(authorityUrl);
+      const jwks = await getJwksInject(authorityUrl);
 
       const decodedHeader = await jwt.decode(token, { complete: true });
       if (!decodedHeader || !decodedHeader.header || !decodedHeader.header.kid) {
diff --git a/test/testJwtAuthHandler.test.js b/test/testJwtAuthHandler.test.js
@@ -111,3 +111,76 @@ describe('assignRoles', () => {
   });
 });
 
+describe('jwtAuthHandler', () => {
+  let req, res, next, jwtConfig, validVerifyResponse;
+
+  beforeEach(() => {
+    req = { header: sinon.stub(), isAuthenticated: sinon.stub(), user: {} };
+    res = { status: sinon.stub().returnsThis(), send: sinon.stub() };
+    next = sinon.stub();
+
+    jwtConfig = {
+      clientID: 'client-id',
+      authorityURL: 'https://accounts.google.com',
+      expectedAudience: 'expected-audience',
+      roleMapping: { 'admin': { 'admin': 'admin' } }
+    };
+
+    validVerifyResponse = {
+      header: { kid: '123' },
+      azp: 'client-id',
+      sub: 'user123',
+      admin: 'admin'
+    };
+  });
+
+  afterEach(() => {
+    sinon.restore();
+  });
+
+  it('should call next if user is authenticated', async () => {
+    req.isAuthenticated.returns(true);
+    await jwtAuthHandler()(req, res, next);
+    expect(next.calledOnce).to.be.true;
+  });
+
+  it('should return 401 if no token provided', async () => {
+    req.header.returns(null);
+    await jwtAuthHandler()(req, res, next);
+
+    expect(res.status.calledWith(401)).to.be.true;
+    expect(res.send.calledWith('No token provided\n')).to.be.true;
+  });
+
+  it('should return 500 if authorityURL not configured', async () => {
+    req.header.returns('Bearer fake-token');
+    jwtConfig.authorityURL = null;
+    sinon.stub(jwt, 'verify').returns(validVerifyResponse);
+
+    await jwtAuthHandler(jwtConfig)(req, res, next);
+
+    expect(res.status.calledWith(500)).to.be.true;
+    expect(res.send.calledWith('OIDC authority URL is not configured\n')).to.be.true;
+  });
+
+  it('should return 500 if clientID not configured', async () => {
+    req.header.returns('Bearer fake-token');
+    jwtConfig.clientID = null;
+    sinon.stub(jwt, 'verify').returns(validVerifyResponse);
+
+    await jwtAuthHandler(jwtConfig)(req, res, next);
+
+    expect(res.status.calledWith(500)).to.be.true;
+    expect(res.send.calledWith('OIDC client ID is not configured\n')).to.be.true;
+  });
+
+  it('should return 401 if JWT validation fails', async () => {
+    req.header.returns('Bearer fake-token');
+    sinon.stub(jwt, 'verify').throws(new Error('Invalid token'));
+
+    await jwtAuthHandler(jwtConfig)(req, res, next);
+
+    expect(res.status.calledWith(401)).to.be.true;
+    expect(res.send.calledWithMatch(/JWT validation failed:/)).to.be.true;
+  });
+});
