Mercurial Mercurial > prosody > prosody / diff
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
spec/util_jwt_spec.lua
changeset 12705 8e402a2ae1b8
parent 12704 899c057781cd
child 12708 31a2bd84191d 
--- a/spec/util_jwt_spec.lua	Sat Jul 02 12:36:52 2022 +0100
+++ b/spec/util_jwt_spec.lua	Sat Jul 02 14:22:20 2022 +0100
@@ -21,131 +21,153 @@
 		assert.falsy(ok)
 	end);
 
-	it("validates HS256", function ()
-		local verify = jwt.new_verifier("HS256", "your-256-bit-secret");
-
-		local result = {verify([[eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c]])};
-		assert.same({
-			true; -- success
-			{     -- payload
-				sub = "1234567890";
-				name = "John Doe";
-				iat = 1516239022;
+	local test_cases = {
+		{
+			algorithm = "HS256";
+			keys = {
+				{ "your-256-bit-secret", "your-256-bit-secret" };
+				{ "another-secret", "another-secret" };
+			};
+			{
+				name = "jwt.io reference";
+				[[eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c]];
+				{     -- payload
+					sub = "1234567890";
+					name = "John Doe";
+					iat = 1516239022;
+				};
+			};
+		};
+		{
+			algorithm = "ES256";
+			keys = {
+				{ test_keys.ecdsa_private_pem, test_keys.ecdsa_public_pem };
+				{ test_keys.alt_ecdsa_private_pem, test_keys.alt_ecdsa_public_pem };
+			};
+			{
+				name = "jwt.io reference";
+				[[eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.tyh-VfuzIxCyGYDlkBA7DfyjrqmSHu6pQ2hoZuFqUSLPNY2N0mpHb3nk5K17HWP_3cYHBw7AhHale5wky6-sVA]];
+				{     -- payload
+					sub = "1234567890";
+					name = "John Doe";
+					admin = true;
+					iat = 1516239022;
+				};
 			};
-		}, result);
-
-	end);
-
-	it("validates ES256", function ()
-		local private_key = test_keys.ecdsa_private_pem;
-		local sign = jwt.new_signer("ES256", private_key);
-
-		local token = sign({
-			sub = "1234567890";
-			name = "John Doe";
-			admin = true;
-			iat = 1516239022;
-		});
-
-		local public_key = test_keys.ecdsa_public_pem;
-		local verify = jwt.new_verifier("ES256", public_key);
+		};
+		{
+			algorithm = "RS256";
+			keys = {
+				{ test_keys.rsa_private_pem, test_keys.rsa_public_pem };
+				{ test_keys.alt_rsa_private_pem, test_keys.alt_rsa_public_pem };
+			};
+			{
+				name = "jwt.io reference";
+				[[eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.NHVaYe26MbtOYhSKkoKYdFVomg4i8ZJd8_-RU8VNbftc4TSMb4bXP3l3YlNWACwyXPGffz5aXHc6lty1Y2t4SWRqGteragsVdZufDn5BlnJl9pdR_kdVFUsra2rWKEofkZeIC4yWytE58sMIihvo9H1ScmmVwBcQP6XETqYd0aSHp1gOa9RdUPDvoXQ5oqygTqVtxaDr6wUFKrKItgBMzWIdNZ6y7O9E0DhEPTbE9rfBo6KTFsHAZnMg4k68CDp2woYIaXbmYTWcvbzIuHO7_37GT79XdIwkm95QJ7hYC9RiwrV7mesbY4PAahERJawntho0my942XheVLmGwLMBkQ]];
+				{     -- payload
+					sub = "1234567890";
+					name = "John Doe";
+					admin = true;
+					iat = 1516239022;
+				};
+			};
+		};
+		{
+			algorithm = "PS256";
+			keys = {
+				{ test_keys.rsa_private_pem, test_keys.rsa_public_pem };
+				{ test_keys.alt_rsa_private_pem, test_keys.alt_rsa_public_pem };
+			};
+			{
+				name = "jwt.io reference";
+				[[eyJhbGciOiJQUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.iOeNU4dAFFeBwNj6qdhdvm-IvDQrTa6R22lQVJVuWJxorJfeQww5Nwsra0PjaOYhAMj9jNMO5YLmud8U7iQ5gJK2zYyepeSuXhfSi8yjFZfRiSkelqSkU19I-Ja8aQBDbqXf2SAWA8mHF8VS3F08rgEaLCyv98fLLH4vSvsJGf6ueZSLKDVXz24rZRXGWtYYk_OYYTVgR1cg0BLCsuCvqZvHleImJKiWmtS0-CymMO4MMjCy_FIl6I56NqLE9C87tUVpo1mT-kbg5cHDD8I7MjCW5Iii5dethB4Vid3mZ6emKjVYgXrtkOQ-JyGMh6fnQxEFN1ft33GX2eRHluK9eg]];
+				{     -- payload
+					sub = "1234567890";
+					name = "John Doe";
+					admin = true;
+					iat = 1516239022;
+				};
+			};
+		};
+	};
 
-		local result = {verify(token)};
-		assert.same({
-			true; -- success
-			{     -- payload
-				sub = "1234567890";
-				name = "John Doe";
-				admin = true;
-				iat = 1516239022;
-			};
-		}, result);
+	local function do_verify_test(algorithm, verifying_key, token, expect_payload)
+		local verify = jwt.new_verifier(algorithm, verifying_key);
 
-		local result = {verify[[eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.tyh-VfuzIxCyGYDlkBA7DfyjrqmSHu6pQ2hoZuFqUSLPNY2N0mpHb3nk5K17HWP_3cYHBw7AhHale5wky6-sVA]]};
-		assert.same({
-			true; -- success
-			{     -- payload
-				sub = "1234567890";
-				name = "John Doe";
-				admin = true;
-				iat = 1516239022;
-			};
-		}, result);
-	end);
+		assert.is_string(token);
+		local result = {verify(token)};
+		if expect_payload then
+			assert.same({
+				true; -- success
+				expect_payload; -- payload
+			}, result);
+		else
+			assert.same({
+				false;
+				"signature-mismatch";
+			}, result);
+		end
+	end
 
-	it("validates RS256", function ()
-		local private_key = test_keys.rsa_private_pem;
-		local sign = jwt.new_signer("RS256", private_key);
+	local function do_sign_verify_test(algorithm, signing_key, verifying_key, expect_success, expect_token)
+		local sign = jwt.new_signer(algorithm, signing_key);
 
-		local token = sign({
+		local test_payload = {
 			sub = "1234567890";
 			name = "John Doe";
 			admin = true;
 			iat = 1516239022;
-		});
+		};
 
-		local public_key = test_keys.rsa_public_pem;
-		local verify = jwt.new_verifier("RS256", public_key);
+		local token = sign(test_payload);
 
-		local result = {verify(token)};
-		assert.same({
-			true; -- success
-			{     -- payload
-				sub = "1234567890";
-				name = "John Doe";
-				admin = true;
-				iat = 1516239022;
-			};
-		}, result);
+		if expect_token then
+			assert.equal(expect_token, token);
+		end
+
+		do_verify_test(algorithm, verifying_key, token, expect_success and test_payload or false);
+	end
+				
 
-		local result = {verify[[eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.NHVaYe26MbtOYhSKkoKYdFVomg4i8ZJd8_-RU8VNbftc4TSMb4bXP3l3YlNWACwyXPGffz5aXHc6lty1Y2t4SWRqGteragsVdZufDn5BlnJl9pdR_kdVFUsra2rWKEofkZeIC4yWytE58sMIihvo9H1ScmmVwBcQP6XETqYd0aSHp1gOa9RdUPDvoXQ5oqygTqVtxaDr6wUFKrKItgBMzWIdNZ6y7O9E0DhEPTbE9rfBo6KTFsHAZnMg4k68CDp2woYIaXbmYTWcvbzIuHO7_37GT79XdIwkm95QJ7hYC9RiwrV7mesbY4PAahERJawntho0my942XheVLmGwLMBkQ]]};
-		assert.same({
-			true; -- success
-			{     -- payload
-				sub = "1234567890";
-				name = "John Doe";
-				admin = true;
-				iat = 1516239022;
-			};
-		}, result);
-	end);
 
-	it("validates PS256", function ()
-		local private_key = test_keys.rsa_private_pem;
-		local sign = jwt.new_signer("PS256", private_key);
+	for _, algorithm_tests in ipairs(test_cases) do
+		local algorithm = algorithm_tests.algorithm;
+		local keypairs = algorithm_tests.keys;
+		describe(algorithm, function ()
+			it("can do basic sign and verify", function ()
+				for _, keypair in ipairs(keypairs) do
+					local signing_key, verifying_key = keypair[1], keypair[2];
+					do_sign_verify_test(algorithm, keypair[1], keypair[2], true);
+				end
+			end);
 
-		local token = sign({
-			sub = "1234567890";
-			name = "John Doe";
-			admin = true;
-			iat = 1516239022;
-		});
-
-		local public_key = test_keys.rsa_public_pem;
-		local verify = jwt.new_verifier("PS256", public_key);
+			if #keypairs >= 2 then
+				it("rejects invalid tokens", function ()
+					do_sign_verify_test(algorithm, keypairs[1][1], keypairs[2][2], false);
+				end);
+			else
+				pending("rejects invalid tokens", function ()
+					error("Needs at least 2 key pairs");
+				end);
+			end
 
-		local result = {verify(token)};
-		assert.same({
-			true; -- success
-			{     -- payload
-				sub = "1234567890";
-				name = "John Doe";
-				admin = true;
-				iat = 1516239022;
-			};
-		}, result);
-
-		local result = {verify[[eyJhbGciOiJQUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.iOeNU4dAFFeBwNj6qdhdvm-IvDQrTa6R22lQVJVuWJxorJfeQww5Nwsra0PjaOYhAMj9jNMO5YLmud8U7iQ5gJK2zYyepeSuXhfSi8yjFZfRiSkelqSkU19I-Ja8aQBDbqXf2SAWA8mHF8VS3F08rgEaLCyv98fLLH4vSvsJGf6ueZSLKDVXz24rZRXGWtYYk_OYYTVgR1cg0BLCsuCvqZvHleImJKiWmtS0-CymMO4MMjCy_FIl6I56NqLE9C87tUVpo1mT-kbg5cHDD8I7MjCW5Iii5dethB4Vid3mZ6emKjVYgXrtkOQ-JyGMh6fnQxEFN1ft33GX2eRHluK9eg]]};
-		assert.same({
-			true; -- success
-			{     -- payload
-				sub = "1234567890";
-				name = "John Doe";
-				admin = true;
-				iat = 1516239022;
-			};
-		}, result);
-	end);
-
+			if #algorithm_tests > 0 then
+				for test_n, test_case in ipairs(algorithm_tests) do
+					it("can verify "..(test_case.name or (("test case %d"):format(test_n))), function ()
+						do_verify_test(
+							algorithm,
+							test_case.verifying_key or keypairs[1][2],
+							test_case[1],
+							test_case[2]
+						);
+					end);
+				end
+			else
+				pending("can verify reference tokens", function ()
+					error("No test tokens provided");
+				end);
+			end
+		end);
+	end
 end);
prosody