Add https:// if iss doesn't include it in JWT (#24)

* add https to iss url if not already present * use assignment operator in rename helper function * v1.3.1 * add test coverage for branch in addHttps function
articulate · Jan 21, 2021 · 97ac795 · 97ac795
1 parent b4d5a0b
commit 97ac795
Show file tree

Hide file tree

Showing 6 changed files with 36 additions and 6 deletions.
diff --git a/index.js b/index.js
@@ -9,6 +9,9 @@ const { rename, tapP }      = require('./lib/helpers')
 
 const wellKnown = '/.well-known/openid-configuration'
 
+const addHttps = url =>
+  /^http[s]?:\/\//.test(url) ? url : 'https://' + url
+
 const bindFunction = client =>
   promisify(client.getSigningKey.bind(client))
 
@@ -78,7 +81,7 @@ const factory = options => {
   const getSigningKey = ({ header: { kid }, payload: { iss } }) =>
     clients[iss]
       ? clients[iss](kid)
-      : buildClient(jwksOpts, iss.replace(/\/$/, '') + wellKnown)
+      : buildClient(jwksOpts, addHttps(iss.replace(/\/$/, '')) + wellKnown)
         .then(cacheClient(iss))
         .then(fn => fn(kid))
 

diff --git a/lib/helpers.js b/lib/helpers.js
@@ -2,7 +2,7 @@ exports.rename = (prevKey, nextKey) => obj => {
   const next = {}
   for (const key in obj) {
     if (key === prevKey) next[nextKey] = obj[prevKey]
-    else next[key] === obj[key]
+    else next[key] = obj[key]
   }
   return next
 }

diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@articulate/authentic",
-  "version": "1.3.0",
+  "version": "1.3.1",
   "description": "Proper validation of JWT's against JWK's",
   "main": "index.js",
   "types": "index.d.ts",

diff --git a/test/fixtures/keys.json b/test/fixtures/keys.json
@@ -15,5 +15,13 @@
     "kid": "DaX11gArWQebNHO7EMPML5VtT4Ewrfkwc5SlGiWvUwA",
     "kty": "RSA",
     "use": "sig"
-  }]
-}
+  },
+  {
+    "kty": "RSA",
+    "n": "wPg46vn7i0LXw0_jIiKlaKXmu8pkVZxB17r8qNW7lO5EEwvqzfg5mZ_bArZlU3VXgwTS4qDL5Mn1sDRgMd16602Posk_oRDkZFP8djStkxGm4lvxkTUHQwB4kcfnuRhSNodkIY3eZ53wN9GaNMd3Q4p2WKQ3YUgNc61tyxbpR19tfyiI0bnyBfMj15LY_MLQmjdBu8ZV8uV9KKhegNwBwW-V4HmqBnKZFdfdm0zLg0U21Nb2TowZ1UVlK4Usdkhx--JM1Kjwt6TEfDlysg--5SJGoPbiuaXDUhAiR6MXbha6Z6291MwcC5jxSw8LHXhrnzEDjEPve3cnvBtwMXmsbQ",
+    "e": "AQAB",
+    "kid": "3dK4-C5reVFKJPeTSaAPNs-p41kbWUDOBXF3XQHXjak",
+    "alg": "RS256",
+    "use": "sig"
+  }
+]}
diff --git a/test/fixtures/token-iss-no-https.js b/test/fixtures/token-iss-no-https.js
diff --git a/test/index.js b/test/index.js
@@ -7,13 +7,13 @@ const bad                = require('./fixtures/bad-iss')
 const keys               = require('./fixtures/keys')
 const oidc               = require('./fixtures/oidc')
 const token              = require('./fixtures/token')
+const httpsMissingToken  = require('./fixtures/token-iss-no-https.js')
 const capitalBearerToken = 'Bearer ' + token
 const lowerBearerToken   = 'bearer ' + token
 const malformedBearerToken = 'Bearer' + token.slice(0, 200)
 
 const { issuer } = oidc
 
-
 const badIss = jwt.decode(bad, { complete: true }).payload.iss
 
 const wellKnown = '/.well-known/openid-configuration'
@@ -105,6 +105,24 @@ describe('authentic', () => {
         )
       })
 
+      describe('with a valid jwt that is missing protocol in iss claim', () => {
+        beforeEach(() => {
+          const auth = require('..')({
+            verify: { ignoreExpiration: true },
+            issWhitelist: [ issuer.replace('https://', '') ],
+          })
+          auth(httpsMissingToken).then(res)
+        })
+
+        it('validates the jwt against the jwks', () =>
+          expect(res().sub).to.equal('00udjyjssbt2S1QVr0h7')
+        )
+
+        it('caches the jwks client', () =>
+          expect(res().sub).to.equal('00udjyjssbt2S1QVr0h7')
+        )
+      })
+
       describe('with a valid jwt that starts with Bearer', () => {
         beforeEach(() =>
           authentic(capitalBearerToken).then(res)