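--- a/spec/fridge/access_token_spec.rb
+++ b/spec/fridge/access_token_spec.rb
@@ -1,6 +1,7 @@
 require 'spec_helper'
+require 'json'
 describe Fridge::AccessToken do
 describe '#initialize' do
 let(:private_key) { OpenSSL::PKey::RSA.new(1024) }
 let(:public_key) { OpenSSL::PKey::RSA.new(private_key.public_key) }
@@ -24,10 +25,18 @@
 it 'should raise an error on an incorrectly signed JWT' do
 jwt = JWT.encode({ id: 'foobar' }, OpenSSL::PKey::RSA.new(1024), 'RS512')
 expect { described_class.new(jwt) }.to raise_error Fridge::InvalidToken
 end
+
+# http://bit.ly/jwt-none-vulnerability
+it 'should raise an error with { "alg": "none" }' do
+jwt = "#{Base64.encode64({ typ: 'JWT', alg: 'none' }.to_json).chomp}." \
+"#{Base64.encode64({ id: 'foobar' }.to_json).chomp}"
+expect(JWT.decode(jwt, nil, false)).to eq('id' => 'foobar')
+expect { described_class.new(jwt) }.to raise_error Fridge::InvalidToken
+end
 end
 describe '#serialize' do
 let(:options) do
 {
@@ -96,9 +105,27 @@
 end
 it 'should raise an error if required attributes are missing' do
 subject.subject = nil
 expect { subject.serialize }.to raise_error Fridge::SerializationError
+end
+
+it 'should encode and decode :actor as :act' do
+# The `act` field can recursively encode additional
+# claims, so we check those too.
+actor = { subject: 'foo', username: 'test', actor: { subject: 'bar' } }
+subject = described_class.new(options.merge(actor: actor))
+
+# The JWT lib will return everything as strings, so we'll
+# test that, although eventually we'll want to see symbols back.
+actor_s = { 'sub' => 'foo', 'username' => 'test',
+'act' => { 'sub' => 'bar' } }
+hash = JWT.decode(subject.serialize, public_key)
+expect(hash['act']).to eq(actor_s)
+
+# Now, check that we properly get symbols back
+new = described_class.new(subject.serialize)
+expect(new.actor).to eq(actor)
 end
 end
 describe '#expired?' do
 it 'should return true if the access token has expired' do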
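Review bot: The `alg: none` fixture in the second hunk (the `jwt =` assignment using `Base64.encode64`) is not shaped like an unsecured JWT: `encode64` emits standard base64 with `=` padding, and the token has only two segments, whereas RFC 7519 §6.1 uses unpadded base64url and keeps the empty signature segment, i.e. a trailing `.`. The test evidently passes because the JWT lib's decoder is lenient about both, but a rejection in `Fridge::AccessToken#initialize` that keyed on segment count or padding would satisfy this spec while still accepting a spec-shaped `alg: none` token. Build the fixture the way such a token is actually sent — `header = Base64.urlsafe_encode64({ typ: 'JWT', alg: 'none' }.to_json).delete('=')`, `payload = Base64.urlsafe_encode64({ id: 'foobar' }.to_json).delete('=')`, `jwt = "#{header}.#{payload}."` — and keep the `JWT.decode(jwt, nil, false)` sanity check so the test still demonstrates that the library alone would accept it. The `# http://bit.ly/jwt-none-vulnerability` comment depends on a link shortener; state the reason in the comment itself, e.g. `# An unsigned ("alg": "none") token decodes without any key and must be rejected regardless of what the JWT lib accepts`.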