diff --git a/index.js b/index.js index 9e6fc38..53189fe 100644 --- a/index.js +++ b/index.js @@ -9,6 +9,9 @@ const { rename, tapP } = require('./lib/helpers') const wellKnown = '/.well-known/openid-configuration' +const addHttps = url => + /^http[s]?:\/\//.test(url) ? url : 'https://' + url + const bindFunction = client => promisify(client.getSigningKey.bind(client)) @@ -78,7 +81,7 @@ const factory = options => { const getSigningKey = ({ header: { kid }, payload: { iss } }) => clients[iss] ? clients[iss](kid) - : buildClient(jwksOpts, iss.replace(/\/$/, '') + wellKnown) + : buildClient(jwksOpts, addHttps(iss.replace(/\/$/, '')) + wellKnown) .then(cacheClient(iss)) .then(fn => fn(kid)) diff --git a/lib/helpers.js b/lib/helpers.js index 91f9a86..4f7274c 100644 --- a/lib/helpers.js +++ b/lib/helpers.js @@ -2,7 +2,7 @@ exports.rename = (prevKey, nextKey) => obj => { const next = {} for (const key in obj) { if (key === prevKey) next[nextKey] = obj[prevKey] - else next[key] === obj[key] + else next[key] = obj[key] } return next } diff --git a/package.json b/package.json index f6525d6..63f1805 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "@articulate/authentic", - "version": "1.3.0", + "version": "1.3.1", "description": "Proper validation of JWT's against JWK's", "main": "index.js", "types": "index.d.ts", diff --git a/test/fixtures/keys.json b/test/fixtures/keys.json index 8bfd07e..e624a0b 100644 --- a/test/fixtures/keys.json +++ b/test/fixtures/keys.json @@ -15,5 +15,13 @@ "kid": "DaX11gArWQebNHO7EMPML5VtT4Ewrfkwc5SlGiWvUwA", "kty": "RSA", "use": "sig" - }] -} + }, + { + "kty": "RSA", + "n": "wPg46vn7i0LXw0_jIiKlaKXmu8pkVZxB17r8qNW7lO5EEwvqzfg5mZ_bArZlU3VXgwTS4qDL5Mn1sDRgMd16602Posk_oRDkZFP8djStkxGm4lvxkTUHQwB4kcfnuRhSNodkIY3eZ53wN9GaNMd3Q4p2WKQ3YUgNc61tyxbpR19tfyiI0bnyBfMj15LY_MLQmjdBu8ZV8uV9KKhegNwBwW-V4HmqBnKZFdfdm0zLg0U21Nb2TowZ1UVlK4Usdkhx--JM1Kjwt6TEfDlysg--5SJGoPbiuaXDUhAiR6MXbha6Z6291MwcC5jxSw8LHXhrnzEDjEPve3cnvBtwMXmsbQ", + "e": "AQAB", + "kid": "3dK4-C5reVFKJPeTSaAPNs-p41kbWUDOBXF3XQHXjak", + "alg": "RS256", + "use": "sig" + } +]} diff --git a/test/fixtures/token-iss-no-https.js b/test/fixtures/token-iss-no-https.js new file mode 100644 index 0000000..7e5afc5 --- /dev/null +++ b/test/fixtures/token-iss-no-https.js @@ -0,0 +1 @@ +module.exports = 'eyJraWQiOiIzZEs0LUM1cmVWRktKUGVUU2FBUE5zLXA0MWtiV1VET0JYRjNYUUhYamFrIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiIwMHVkanlqc3NidDJTMVFWcjBoNyIsInZlciI6MSwiaXNzIjoiYXV0aGVudGljLmFydGljdWxhdGUuY29tLyIsImF1ZCI6IjBvYWRqeWs1MjNobFpmeWIxMGg3IiwiaWF0IjoxNTE2NjM3MDkxLCJleHAiOjE1MTY2NDA2OTEsImp0aSI6IklELmM4amh6b2t5MGZGTlByOExfU0NycnBnVFRVeUFvY3RIdjY5T0tTbWY1R0EiLCJhbXIiOlsicHdkIl0sImlkcCI6IjAwb2NnNHRidTZGSzJEaDVHMGg3Iiwibm9uY2UiOiIyIiwiYXV0aF90aW1lIjoxNTE2NjM3MDkxLCJ0ZW5hbnRJZCI6ImQ0MmUzM2ZkLWYwNWUtNGE0ZS05MDUwLTViN2IyZTgwMDgzNCJ9.inuggb9ZZSdwLYMr0t5uTGP_wV3Y-ZC11xpwgU4ltU6YyE3jwZKr_XNXVs7qjzZoCmuE_Ubk2mnub491BUtye2L8RnU3kN1_HW9sEotu7X8WDt-avQ1-NlQY_G4W2pEmD-RYLM0lNCEXnwQUGyLqhhZkZ-vCOkJUGDYCttgNk25TPTcGI_Ro26BdrPW31BAUgj1KzVVs8c5316uacEV-2yS9jDIcjm0_3RoxeINwibfNwthNiYn18tMdy_wPJA4BTaDVep2wdrYoJMnFTl0h2ayIxBrFkzZPYSImCbHEuBgIkV4xHf_Ipulgyvf1CGrv7_EGiXuXOu-jPSm4WZvoVg' diff --git a/test/index.js b/test/index.js index 720e213..947ec6e 100644 --- a/test/index.js +++ b/test/index.js @@ -7,13 +7,13 @@ const bad = require('./fixtures/bad-iss') const keys = require('./fixtures/keys') const oidc = require('./fixtures/oidc') const token = require('./fixtures/token') +const httpsMissingToken = require('./fixtures/token-iss-no-https.js') const capitalBearerToken = 'Bearer ' + token const lowerBearerToken = 'bearer ' + token const malformedBearerToken = 'Bearer' + token.slice(0, 200) const { issuer } = oidc - const badIss = jwt.decode(bad, { complete: true }).payload.iss const wellKnown = '/.well-known/openid-configuration' @@ -105,6 +105,24 @@ describe('authentic', () => { ) }) + describe('with a valid jwt that is missing protocol in iss claim', () => { + beforeEach(() => { + const auth = require('..')({ + verify: { ignoreExpiration: true }, + issWhitelist: [ issuer.replace('https://', '') ], + }) + auth(httpsMissingToken).then(res) + }) + + it('validates the jwt against the jwks', () => + expect(res().sub).to.equal('00udjyjssbt2S1QVr0h7') + ) + + it('caches the jwks client', () => + expect(res().sub).to.equal('00udjyjssbt2S1QVr0h7') + ) + }) + describe('with a valid jwt that starts with Bearer', () => { beforeEach(() => authentic(capitalBearerToken).then(res)