Skip to content

Commit 39adf87

Browse files
MitMaroziluvatar
MitMaro
authored and
ziluvatar
committed
Refactor tests related to notBefore and nbf (#497)
This change extracts all tests in the current files related to notBefore and nbf into a single test file. It also adds several missing related tests.
1 parent fb0084a commit 39adf87

6 files changed

+283
-107
lines changed

package.json

+2-1
Original file line numberDiff line numberDiff line change
@@ -20,7 +20,8 @@
2020
},
2121
"scripts": {
2222
"lint": "eslint .",
23-
"test": "npm run lint && nyc mocha && nsp check && cost-of-modules"
23+
"coverage": "nyc mocha",
24+
"test": "npm run lint && npm run coverage && nsp check && cost-of-modules"
2425
},
2526
"repository": {
2627
"type": "git",

test/iat.tests.js

-9
Original file line numberDiff line numberDiff line change
@@ -12,13 +12,4 @@ describe('iat', function () {
1212
expect(result.exp).to.be.closeTo(iat + expiresIn, 0.2);
1313
});
1414

15-
it('should work with a nbf calculated based on numeric iat', function () {
16-
var dateNow = Math.floor(Date.now() / 1000);
17-
var iat = dateNow - 30;
18-
var notBefore = -50;
19-
var token = jwt.sign({foo: 123, iat: iat}, '123', {notBefore: notBefore});
20-
var result = jwt.verify(token, '123');
21-
expect(result.nbf).to.equal(iat + notBefore);
22-
});
23-
2415
});

test/jwt.asymmetric_signing.tests.js

-52
Original file line numberDiff line numberDiff line change
@@ -5,7 +5,6 @@ var path = require('path');
55
var expect = require('chai').expect;
66
var assert = require('chai').assert;
77
var ms = require('ms');
8-
var sinon = require('sinon');
98

109
function loadKey(filename) {
1110
return fs.readFileSync(path.join(__dirname, filename));
@@ -114,57 +113,6 @@ describe('Asymmetric Algorithms', function(){
114113
});
115114
});
116115

117-
describe('when signing a token with not before', function () {
118-
var token = jwt.sign({ foo: 'bar' }, priv, { algorithm: algorithm, notBefore: -10 * 3600 });
119-
120-
it('should be valid expiration', function (done) {
121-
jwt.verify(token, pub, function (err, decoded) {
122-
assert.isNotNull(decoded);
123-
assert.isNull(err);
124-
done();
125-
});
126-
});
127-
128-
it('should be invalid', function (done) {
129-
// not active token
130-
token = jwt.sign({ foo: 'bar' }, priv, { algorithm: algorithm, notBefore: '10m' });
131-
132-
jwt.verify(token, pub, function (err, decoded) {
133-
assert.isUndefined(decoded);
134-
assert.isNotNull(err);
135-
assert.equal(err.name, 'NotBeforeError');
136-
assert.instanceOf(err.date, Date);
137-
assert.instanceOf(err, jwt.NotBeforeError);
138-
done();
139-
});
140-
});
141-
142-
143-
it('should valid when date are equals', function (done) {
144-
var fakeClock = sinon.useFakeTimers({now: 1451908031});
145-
146-
token = jwt.sign({ foo: 'bar' }, priv, { algorithm: algorithm, notBefore: 0 });
147-
148-
jwt.verify(token, pub, function (err, decoded) {
149-
fakeClock.uninstall();
150-
assert.isNull(err);
151-
assert.isNotNull(decoded);
152-
done();
153-
});
154-
});
155-
156-
it('should NOT be invalid', function (done) {
157-
// not active token
158-
token = jwt.sign({ foo: 'bar' }, priv, { algorithm: algorithm, notBefore: '10m' });
159-
160-
jwt.verify(token, pub, { ignoreNotBefore: true }, function (err, decoded) {
161-
assert.ok(decoded.foo);
162-
assert.equal('bar', decoded.foo);
163-
done();
164-
});
165-
});
166-
});
167-
168116
describe('when signing a token with audience', function () {
169117
var token = jwt.sign({ foo: 'bar' }, priv, { algorithm: algorithm, audience: 'urn:foo' });
170118

test/nbf.test.js

+281
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,281 @@
1+
'use strict';
2+
3+
const jwt = require('../');
4+
const expect = require('chai').expect;
5+
const sinon = require('sinon');
6+
const util = require('util');
7+
8+
function base64UrlEncode(str) {
9+
return Buffer.from(str).toString('base64')
10+
.replace(/\=/g, "")
11+
.replace(/\+/g, "-")
12+
.replace(/\//g, "_")
13+
;
14+
}
15+
16+
function signWithNoBefore(payload, notBefore) {
17+
const options = {algorithm: 'none'};
18+
if (notBefore !== undefined) {
19+
options.notBefore = notBefore;
20+
}
21+
return jwt.sign(payload, undefined, options);
22+
}
23+
24+
const noneAlgorithmHeader = 'eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0';
25+
26+
describe('not before', function() {
27+
describe('`jwt.sign` "notBefore" option validation', function () {
28+
[
29+
true,
30+
false,
31+
null,
32+
-1.1,
33+
1.1,
34+
-Infinity,
35+
Infinity,
36+
NaN,
37+
' ',
38+
'invalid',
39+
[],
40+
['foo'],
41+
{},
42+
{foo: 'bar'},
43+
].forEach((notBefore) => {
44+
it(`should error with with value ${util.inspect(notBefore)}`, function () {
45+
expect(() => signWithNoBefore({}, notBefore)).to.throw(
46+
'"notBefore" should be a number of seconds or string representing a timespan'
47+
);
48+
});
49+
});
50+
51+
// TODO this should throw the same error as other invalid inputs
52+
it(`should error with with value ''`, function () {
53+
expect(() => signWithNoBefore({}, '')).to.throw(
54+
'val is not a non-empty string or a valid number. val=""'
55+
);
56+
});
57+
58+
// undefined needs special treatment because {} is not the same as {notBefore: undefined}
59+
it('should error with with value undefined', function () {
60+
expect(() => jwt.sign({}, undefined, {notBefore: undefined, algorithm: 'none'})).to.throw(
61+
'"notBefore" should be a number of seconds or string representing a timespan'
62+
);
63+
});
64+
65+
it('should error when "nbf" is in payload', function () {
66+
expect(() => signWithNoBefore({nbf: 100}, 100)).to.throw(
67+
'Bad "options.notBefore" option the payload already has an "nbf" property.'
68+
);
69+
});
70+
71+
it('should error with a string payload', function () {
72+
expect(() => signWithNoBefore('a string payload', 100)).to.throw(
73+
'invalid notBefore option for string payload'
74+
);
75+
});
76+
77+
it('should error with a Buffer payload', function () {
78+
expect(() => signWithNoBefore(new Buffer('a Buffer payload'), 100)).to.throw(
79+
'invalid notBefore option for object payload'
80+
);
81+
});
82+
});
83+
84+
describe('`jwt.sign` "nbf" claim validation', function () {
85+
[
86+
true,
87+
false,
88+
null,
89+
undefined,
90+
'',
91+
' ',
92+
'invalid',
93+
[],
94+
['foo'],
95+
{},
96+
{foo: 'bar'},
97+
].forEach((nbf) => {
98+
it(`should error with with value ${util.inspect(nbf)}`, function () {
99+
expect(() => signWithNoBefore({nbf})).to.throw(
100+
'"nbf" should be a number of seconds'
101+
);
102+
});
103+
});
104+
});
105+
106+
describe('"nbf" in payload validation', function () {
107+
[
108+
true,
109+
false,
110+
null,
111+
-Infinity,
112+
Infinity,
113+
NaN,
114+
'',
115+
' ',
116+
'invalid',
117+
[],
118+
['foo'],
119+
{},
120+
{foo: 'bar'},
121+
].forEach((nbf) => {
122+
it(`should error with with value ${util.inspect(nbf)}`, function () {
123+
const encodedPayload = base64UrlEncode(JSON.stringify({nbf}));
124+
const token = `${noneAlgorithmHeader}.${encodedPayload}.`;
125+
expect(() => jwt.verify(token, undefined)).to.throw(
126+
jwt.JsonWebTokenError,
127+
'invalid nbf value'
128+
);
129+
});
130+
})
131+
});
132+
133+
describe('when signing and verifying a token with "notBefore" option', function () {
134+
let fakeClock;
135+
beforeEach(function () {
136+
fakeClock = sinon.useFakeTimers({now: 60000});
137+
});
138+
139+
afterEach(function () {
140+
fakeClock.uninstall();
141+
});
142+
143+
it('should set correct "nbf" with negative number of seconds', function () {
144+
const token = signWithNoBefore({}, -10);
145+
const decoded = jwt.decode(token);
146+
147+
const verified = jwt.verify(token, undefined);
148+
expect(decoded).to.deep.equal(verified);
149+
expect(decoded.nbf).to.equal(50);
150+
});
151+
152+
it('should set correct "nbf" with positive number of seconds', function () {
153+
const token = signWithNoBefore({}, 10);
154+
155+
fakeClock.tick(10000);
156+
const decoded = jwt.decode(token);
157+
158+
const verified = jwt.verify(token, undefined);
159+
expect(decoded).to.deep.equal(verified);
160+
expect(decoded.nbf).to.equal(70);
161+
});
162+
163+
it('should set correct "nbf" with zero seconds', function () {
164+
const token = signWithNoBefore({}, 0);
165+
166+
const decoded = jwt.decode(token);
167+
168+
const verified = jwt.verify(token, undefined);
169+
expect(decoded).to.deep.equal(verified);
170+
expect(decoded.nbf).to.equal(60);
171+
});
172+
173+
it('should set correct "nbf" with negative string timespan', function () {
174+
const token = signWithNoBefore({}, '-10 s');
175+
176+
const decoded = jwt.decode(token);
177+
178+
const verified = jwt.verify(token, undefined);
179+
expect(decoded).to.deep.equal(verified);
180+
expect(decoded.nbf).to.equal(50);
181+
});
182+
183+
184+
it('should set correct "nbf" with positive string timespan', function () {
185+
const token = signWithNoBefore({}, '10 s');
186+
187+
fakeClock.tick(10000);
188+
const decoded = jwt.decode(token);
189+
190+
const verified = jwt.verify(token, undefined);
191+
expect(decoded).to.deep.equal(verified);
192+
expect(decoded.nbf).to.equal(70);
193+
});
194+
195+
it('should set correct "nbf" with zero string timespan', function () {
196+
const token = signWithNoBefore({}, '0 s');
197+
198+
const decoded = jwt.decode(token);
199+
200+
const verified = jwt.verify(token, undefined);
201+
expect(decoded).to.deep.equal(verified);
202+
expect(decoded.nbf).to.equal(60);
203+
});
204+
205+
// TODO an nbf of -Infinity should fail validation
206+
it('should set null "nbf" when given -Infinity', function () {
207+
const token = signWithNoBefore({nbf: -Infinity});
208+
209+
const decoded = jwt.decode(token);
210+
expect(decoded.nbf).to.be.null;
211+
});
212+
213+
// TODO an nbf of Infinity should fail validation
214+
it('should set null "nbf" when given value Infinity', function () {
215+
const token = signWithNoBefore({nbf: Infinity});
216+
217+
const decoded = jwt.decode(token);
218+
expect(decoded.nbf).to.be.null;
219+
});
220+
221+
// TODO an nbf of NaN should fail validation
222+
it('should set null "nbf" when given value NaN', function () {
223+
const token = signWithNoBefore({nbf: NaN});
224+
225+
const decoded = jwt.decode(token);
226+
expect(decoded.nbf).to.be.null;
227+
});
228+
229+
it('should set correct "nbf" when "iat" is passed', function () {
230+
const token = signWithNoBefore({iat: 40}, -10);
231+
232+
const decoded = jwt.decode(token);
233+
234+
const verified = jwt.verify(token, undefined);
235+
expect(decoded).to.deep.equal(verified);
236+
expect(decoded.nbf).to.equal(30);
237+
});
238+
239+
it('should verify "nbf" using "clockTimestamp"', function () {
240+
const token = signWithNoBefore({}, 10);
241+
242+
const verified = jwt.verify(token, undefined, {clockTimestamp: 70});
243+
expect(verified.iat).to.equal(60);
244+
expect(verified.nbf).to.equal(70);
245+
});
246+
247+
it('should verify "nbf" using "clockTolerance"', function () {
248+
const token = signWithNoBefore({}, 5);
249+
250+
const verified = jwt.verify(token, undefined, {clockTolerance: 6});
251+
expect(verified.iat).to.equal(60);
252+
expect(verified.nbf).to.equal(65);
253+
});
254+
255+
it('should ignore a not active token when "ignoreNotBefore" is true', function () {
256+
const token = signWithNoBefore({}, '10 s');
257+
258+
const verified = jwt.verify(token, undefined, {ignoreNotBefore: true});
259+
expect(verified.iat).to.equal(60);
260+
expect(verified.nbf).to.equal(70);
261+
});
262+
263+
it('should error on verify if "nbf" is after current time', function () {
264+
const token = signWithNoBefore({nbf: 61});
265+
266+
expect(() => jwt.verify(token, undefined)).to.throw(
267+
jwt.NotBeforeError,
268+
'jwt not active'
269+
);
270+
});
271+
272+
it('should error on verify if "nbf" is after current time using clockTolerance', function () {
273+
const token = signWithNoBefore({}, 5);
274+
275+
expect(() => jwt.verify(token, undefined, {clockTolerance: 4})).to.throw(
276+
jwt.NotBeforeError,
277+
'jwt not active'
278+
);
279+
});
280+
});
281+
});

0 commit comments

Comments
 (0)