test(fxa-auth-server): migrate 16 OAuth Mocha test files to Jest (FXA-12565)

Author: vbudhram

packages/fxa-auth-server/jest.config.js

@@ -20,6 +20,7 @@ module.exports = {
     '^fxa-shared/(.*)$': '<rootDir>/../fxa-shared/$1',
   },
   testTimeout: 10000,
+  maxWorkers: 4,
   clearMocks: true,
   workerIdleMemoryLimit: '512MB',
   setupFiles: ['<rootDir>/jest.setup.js', '<rootDir>/jest.setup-proxyquire.js'],

packages/fxa-auth-server/jest.integration.config.js

@@ -12,6 +12,10 @@ module.exports = {
   moduleNameMapper: {
     ...baseConfig.moduleNameMapper,
     '^@fxa/vendored/(.*)$': '<rootDir>/../../libs/vendored/$1/src',
+    // Map bare 'fxa-shared' to source to avoid class identity mismatches
+    // between dist/cjs and source modules (e.g., ScopeSet loaded via
+    // require('fxa-shared').oauth.scopes vs fxa-shared/oauth/scopes).
+    '^fxa-shared$': '<rootDir>/../fxa-shared/index',
   },
 
   testMatch: [
@@ -25,13 +29,8 @@ module.exports = {
   globalSetup: '<rootDir>/test/support/jest-global-setup.ts',
   globalTeardown: '<rootDir>/test/support/jest-global-teardown.ts',
 
-  setupFiles: [
-    '<rootDir>/test/support/jest-setup-env.ts',
-  ],
-
-  setupFilesAfterEnv: [
-    '<rootDir>/test/support/jest-setup-integration.ts',
-  ],
+  setupFiles: ['<rootDir>/test/support/jest-setup-env.ts'],
+  setupFilesAfterEnv: ['<rootDir>/test/support/jest-setup-integration.ts'],
 
   collectCoverageFrom: [
     'lib/**/*.{ts,js}',

packages/fxa-auth-server/jest.setup.js

@@ -5,10 +5,14 @@
 /**
  * Jest global setup - runs before each test file.
  *
- * The OAuth keys exist in config/key.json but the config module's path
- * resolution can behave differently under Jest's module transformation.
- * This sets the env var to allow tests to run without requiring the
- * OAuth key validation (which is a runtime concern, not a unit test concern).
+ * Set NODE_ENV=dev so that the config module loads config/dev.json,
+ * which includes OAuth keys (config/key.json), authServerSecrets,
+ * and other values required by unit tests. This matches the CI test
+ * runner (scripts/test-ci.sh) which also exports NODE_ENV=dev.
+ *
+ * Jest defaults NODE_ENV to 'test', but there is no config/test.json
+ * in this package, so tests fail without the dev config overlay.
  */
-
-process.env.FXA_OPENID_UNSAFELY_ALLOW_MISSING_ACTIVE_KEY = 'true';
+if (!process.env.NODE_ENV || process.env.NODE_ENV === 'test') {
+  process.env.NODE_ENV = 'dev';
+}

packages/fxa-auth-server/lib/oauth/assertion.spec.ts

@@ -0,0 +1,204 @@
+export {};
+
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+const cloneDeep = require('lodash/cloneDeep');
+const util = require('util');
+
+const jwt = require('jsonwebtoken');
+const jwtSign = util.promisify(jwt.sign);
+
+const { config } = require('../../config');
+const unique = require('./unique');
+
+const verifyAssertion = require('./assertion');
+
+const ISSUER = config.get('oauthServer.browserid.issuer');
+const AUDIENCE = config.get('publicUrl');
+const USERID = unique(16).toString('hex');
+const GENERATION = 12345;
+const VERIFIED_EMAIL = 'test@exmample.com';
+const LAST_AUTH_AT = Date.now();
+const AMR = ['pwd', 'otp'];
+const AAL = 2;
+const PROFILE_CHANGED_AT = Date.now();
+const JWT_IAT = Date.now();
+
+const ERRNO_INVALID_ASSERTION = 104;
+
+const GOOD_CLAIMS = {
+  'fxa-generation': GENERATION,
+  'fxa-verifiedEmail': VERIFIED_EMAIL,
+  'fxa-lastAuthAt': LAST_AUTH_AT,
+  'fxa-tokenVerified': true,
+  'fxa-amr': AMR,
+  'fxa-aal': AAL,
+  'fxa-profileChangedAt': PROFILE_CHANGED_AT,
+};
+
+const AUTH_SERVER_SECRETS = config.get('oauthServer.authServerSecrets');
+
+async function makeJWT(
+  claims: Record<string, any>,
+  key: string = AUTH_SERVER_SECRETS[0],
+  options: Record<string, any> = {}
+) {
+  const mergedClaims = {
+    iat: JWT_IAT,
+    exp: JWT_IAT + 60,
+    sub: USERID,
+    aud: AUDIENCE,
+    iss: ISSUER,
+    ...claims,
+  };
+  const mergedOptions = {
+    algorithm: 'HS256',
+    ...options,
+  };
+  return await jwtSign(mergedClaims, key, mergedOptions);
+}
+
+describe('JWT verifyAssertion', () => {
+  it('should accept well-formed JWT assertions', async () => {
+    expect(AUTH_SERVER_SECRETS.length).toBeGreaterThanOrEqual(1);
+
+    const assertion = await makeJWT(GOOD_CLAIMS);
+    const claims = await verifyAssertion(assertion);
+    expect(claims).toEqual({
+      iat: JWT_IAT,
+      uid: USERID,
+      'fxa-generation': GENERATION,
+      'fxa-verifiedEmail': VERIFIED_EMAIL,
+      'fxa-lastAuthAt': LAST_AUTH_AT,
+      'fxa-tokenVerified': true,
+      'fxa-amr': AMR,
+      'fxa-aal': AAL,
+      'fxa-profileChangedAt': PROFILE_CHANGED_AT,
+    });
+  });
+
+  it('should accept JWTs signed with an alternate key', async () => {
+    expect(AUTH_SERVER_SECRETS.length).toBeGreaterThanOrEqual(2);
+    const assertion = await makeJWT(GOOD_CLAIMS, AUTH_SERVER_SECRETS[1]);
+    const claims = await verifyAssertion(assertion);
+    expect(claims).toEqual({
+      iat: JWT_IAT,
+      uid: USERID,
+      'fxa-generation': GENERATION,
+      'fxa-verifiedEmail': VERIFIED_EMAIL,
+      'fxa-lastAuthAt': LAST_AUTH_AT,
+      'fxa-tokenVerified': true,
+      'fxa-amr': AMR,
+      'fxa-aal': AAL,
+      'fxa-profileChangedAt': PROFILE_CHANGED_AT,
+    });
+  });
+
+  it('should reject JWTs signed with an unknown key', async () => {
+    const assertion = await makeJWT(GOOD_CLAIMS, 'whereDidThisComeFrom?');
+    await expect(verifyAssertion(assertion)).rejects.toHaveProperty(
+      'errno',
+      ERRNO_INVALID_ASSERTION
+    );
+  });
+
+  it('should reject expired JWTs', async () => {
+    const assertion = await makeJWT({
+      ...GOOD_CLAIMS,
+      exp: Math.floor(Date.now() / 1000) - 60,
+    });
+    await expect(verifyAssertion(assertion)).rejects.toHaveProperty(
+      'errno',
+      ERRNO_INVALID_ASSERTION
+    );
+  });
+
+  it('should reject JWTs with incorrect audience', async () => {
+    const assertion = await makeJWT({
+      ...GOOD_CLAIMS,
+      aud: 'https://example.com',
+    });
+    await expect(verifyAssertion(assertion)).rejects.toHaveProperty(
+      'errno',
+      ERRNO_INVALID_ASSERTION
+    );
+  });
+
+  it('should reject JWTs with unexpected algorithms', async () => {
+    const assertion = await makeJWT(GOOD_CLAIMS, AUTH_SERVER_SECRETS[0], {
+      algorithm: 'HS384',
+    });
+    await expect(verifyAssertion(assertion)).rejects.toHaveProperty(
+      'errno',
+      ERRNO_INVALID_ASSERTION
+    );
+  });
+
+  it('should reject JWTs from non-allowed issuers', async () => {
+    const assertion = await makeJWT({
+      ...GOOD_CLAIMS,
+      iss: 'evil.com',
+    });
+    await expect(verifyAssertion(assertion)).rejects.toHaveProperty(
+      'errno',
+      ERRNO_INVALID_ASSERTION
+    );
+  });
+
+  it('should reject JWTs with malformed user id', async () => {
+    const assertion = await makeJWT({
+      ...GOOD_CLAIMS,
+      sub: 'non-hex-string',
+    });
+    await expect(verifyAssertion(assertion)).rejects.toHaveProperty(
+      'errno',
+      ERRNO_INVALID_ASSERTION
+    );
+  });
+
+  it('should reject JWTs with missing `lastAuthAt` claim', async () => {
+    // eslint-disable-next-line @typescript-eslint/no-unused-vars
+    const { 'fxa-lastAuthAt': _removed, ...claimsWithoutLastAuth } = GOOD_CLAIMS;
+    const assertion = await makeJWT(claimsWithoutLastAuth);
+    await expect(verifyAssertion(assertion)).rejects.toHaveProperty(
+      'errno',
+      ERRNO_INVALID_ASSERTION
+    );
+  });
+
+  it('should accept JWTs with missing `amr` claim', async () => {
+    let claims: any = cloneDeep(GOOD_CLAIMS);
+    delete claims['fxa-amr'];
+    const assertion = await makeJWT(claims);
+    claims = await verifyAssertion(assertion);
+    expect(Object.keys(claims).sort()).toEqual([
+      'fxa-aal',
+      'fxa-generation',
+      'fxa-lastAuthAt',
+      'fxa-profileChangedAt',
+      'fxa-tokenVerified',
+      'fxa-verifiedEmail',
+      'iat',
+      'uid',
+    ]);
+  });
+
+  it('should accept assertions with missing `aal` claim', async () => {
+    let claims: any = cloneDeep(GOOD_CLAIMS);
+    delete claims['fxa-aal'];
+    const assertion = await makeJWT(claims);
+    claims = await verifyAssertion(assertion);
+    expect(Object.keys(claims).sort()).toEqual([
+      'fxa-amr',
+      'fxa-generation',
+      'fxa-lastAuthAt',
+      'fxa-profileChangedAt',
+      'fxa-tokenVerified',
+      'fxa-verifiedEmail',
+      'iat',
+      'uid',
+    ]);
+  });
+});