
ibm-cloud-security / appid-clientsdk-js / 8018892406

23 Feb 2024 12:04PM UTC coverage: 93.066%. Remained the same
8018892406

push

github

web-flow
Merge pull request #99 from ibm-cloud-security/abod-akhras-patch-2

Update dry-publish.js to use Node v20

78 of 94 branches covered (82.98%)

Branch coverage included in aggregate %.

177 of 180 relevant lines covered (98.33%)

4.77 hits per line

Source File

96.83
/src/TokenValidator.js
const constants = require('./constants');
const TokenError = require('./errors/TokenError');

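class TokenValidator {
	/**
	 * Verifies and decodes JWTs issued by App ID.
	 *
	 * The validator trusts whatever key set it is handed in `publicKeys`; the caller is
	 * responsible for obtaining that JWKS from the issuer over a trusted channel.
	 *
	 * @param {Object} [options]
	 * @param {Object} [options.jwt=require('jsrsasign')] - jsrsasign-compatible module exposing
	 *   `KJUR.jws.JWS.parse`, `KJUR.jws.JWS.verify` and `KEYUTIL.getKey`; injectable for tests.
	 */
	constructor({jwt = require('jsrsasign')} = {}) {
		this.jwt = jwt;
	}

	/**
	 * Verifies a JWT's signature and standard claims and returns its decoded payload.
	 *
	 * Checks, in order: three-part compact serialization, parseable header and payload,
	 * a key in `publicKeys.keys` whose `kid` matches the header, a valid signature under
	 * `constants.TOKEN_ALG`, a numeric `exp` that is not in the past, header `ver` and `alg`,
	 * `iss`, `aud`, and `nonce` when one is supplied.
	 * Not checked: `nbf`/`iat`; there is also no clock-skew leeway on `exp`.
	 *
	 * @param {Object} params
	 * @param {string} params.token - compact-serialized JWT (`header.payload.signature`)
	 * @param {{keys: Array<Object>}} params.publicKeys - JWKS from the trusted issuer
	 * @param {string} params.issuer - expected `iss` claim (exact match)
	 * @param {string} params.clientId - value that must appear in the `aud` claim (exact match)
	 * @param {string} [params.nonce] - expected `nonce` claim; only checked when truthy
	 * @returns {Object} the decoded payload claims
	 * @throws {TokenError} when any structural, signature or claim check fails
	 */
	decodeAndValidate({token, publicKeys, issuer, clientId, nonce}) {
		const now = Math.floor(Date.now() / 1000);

		const tokenParts = token.split('.');
		if (tokenParts.length !== 3) {
			throw new TokenError(`Invalid JWT token. Got only ${tokenParts.length} parts.`);
		}

		const decoded = this.jwt.KJUR.jws.JWS.parse(token);
		// jsrsasign only populates headerObj/payloadObj when that part is valid JSON.
		// Reject both up front so the claim checks below never dereference undefined
		// (the original only checked the header and would TypeError on a bad payload).
		if (!decoded.headerObj || !decoded.payloadObj) {
			throw new TokenError(constants.INVALID_TOKEN);
		}
		const header = decoded.headerObj;
		const payload = decoded.payloadObj;

		// `kid` comes from the still-unverified header. It only selects which key of the
		// trusted JWKS is tried; the signature check below must still succeed with that key.
		const publicKey = this.getPublicKey(publicKeys.keys, header.kid);

		const myKey = this.jwt.KEYUTIL.getKey(publicKey);
		// Pinning the accepted algorithm list is what blocks alg-confusion attacks
		// (e.g. `alg: "none"`, or an HMAC alg keyed with the public key material).
		const isValid = this.jwt.KJUR.jws.JWS.verify(token, myKey, {alg: [constants.TOKEN_ALG]});
		if (!isValid) {
			throw new TokenError(constants.INVALID_SIGNATURE);
		}

		// A missing or non-numeric `exp` must not be accepted as "never expires":
		// `undefined < now` evaluates to false, so a bare `exp < now` check lets it through.
		if (typeof payload.exp !== 'number' || payload.exp < now) {
			throw new TokenError(constants.EXPIRED_TOKEN);
		}

		if (header.ver !== constants.VERSION) {
			throw new TokenError(constants.INVALID_VERSION);
		}

		if (header.alg !== constants.TOKEN_ALG) {
			throw new TokenError(constants.INVALID_ALGORITHM);
		}

		if (payload.iss !== issuer) {
			throw new TokenError(constants.INVALID_ISSUER);
		}

		// RFC 7519 allows `aud` to be either a single string or an array of strings.
		// Normalise to an array so the membership test is exact: calling String#includes
		// on a string `aud` is a substring match and would accept e.g. "my-client-staging"
		// for clientId "my-client". A missing `aud` now fails as INVALID_AUDIENCE instead
		// of throwing a TypeError.
		const audiences = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
		if (!audiences.includes(clientId)) {
			throw new TokenError(constants.INVALID_AUDIENCE);
		}

		// Only enforced when the caller supplied a nonce (authorization-code / implicit flows).
		if (nonce && payload.nonce !== nonce) {
			throw new TokenError(constants.INVALID_NONCE);
		}

		return payload;
	}

	/**
	 * Returns the first JWK in `keys` whose `kid` strictly equals `kid`.
	 *
	 * Note that a header with no `kid` matches a JWK with no `kid` (both `undefined`).
	 *
	 * @param {Array<Object>} keys - the JWKS `keys` array; treated as empty when absent
	 * @param {string|undefined} kid - key id taken from the token header
	 * @returns {Object} the matching JWK
	 * @throws {TokenError} `constants.MISSING_PUBLIC_KEY` when no key matches
	 */
	getPublicKey(keys, kid) {
		const publicKey = (keys || []).find((key) => key.kid === kid);
		if (!publicKey) {
			throw new TokenError(constants.MISSING_PUBLIC_KEY);
		}
		return publicKey;
	}
}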
// CommonJS entry point: the TokenValidator class is this module's sole export.
module.exports = TokenValidator;