From 97ac795347cc5b73e08e2b1c599c1b8c81a0e071 Mon Sep 17 00:00:00 2001
From: Steve Purr <spurr@articulate.com>
Date: Thu, 21 Jan 2021 13:58:48 -0500
Subject: [PATCH] Add https:// if iss doesn't include it in JWT (#24)

* add https to iss url if not already present

* use assignment operator in rename helper function

* v1.3.1

* add test coverage for branch in addHttps function
---
 index.js                            |  5 ++++-
 lib/helpers.js                      |  2 +-
 package.json                        |  2 +-
 test/fixtures/keys.json             | 12 ++++++++++--
 test/fixtures/token-iss-no-https.js |  1 +
 test/index.js                       | 20 +++++++++++++++++++-
 6 files changed, 36 insertions(+), 6 deletions(-)
 create mode 100644 test/fixtures/token-iss-no-https.js

diff --git a/index.js b/index.js
index 9e6fc38..53189fe 100644
--- a/index.js
+++ b/index.js
@@ -9,6 +9,9 @@ const { rename, tapP }      = require('./lib/helpers')
 
 const wellKnown = '/.well-known/openid-configuration'
 
+const addHttps = url =>
+  /^http[s]?:\/\//.test(url) ? url : 'https://' + url
+
 const bindFunction = client =>
   promisify(client.getSigningKey.bind(client))
 
@@ -78,7 +81,7 @@ const factory = options => {
   const getSigningKey = ({ header: { kid }, payload: { iss } }) =>
     clients[iss]
       ? clients[iss](kid)
-      : buildClient(jwksOpts, iss.replace(/\/$/, '') + wellKnown)
+      : buildClient(jwksOpts, addHttps(iss.replace(/\/$/, '')) + wellKnown)
         .then(cacheClient(iss))
         .then(fn => fn(kid))
 
diff --git a/lib/helpers.js b/lib/helpers.js
index 91f9a86..4f7274c 100644
--- a/lib/helpers.js
+++ b/lib/helpers.js
@@ -2,7 +2,7 @@ exports.rename = (prevKey, nextKey) => obj => {
   const next = {}
   for (const key in obj) {
     if (key === prevKey) next[nextKey] = obj[prevKey]
-    else next[key] === obj[key]
+    else next[key] = obj[key]
   }
   return next
 }
diff --git a/package.json b/package.json
index f6525d6..63f1805 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@articulate/authentic",
-  "version": "1.3.0",
+  "version": "1.3.1",
   "description": "Proper validation of JWT's against JWK's",
   "main": "index.js",
   "types": "index.d.ts",
diff --git a/test/fixtures/keys.json b/test/fixtures/keys.json
index 8bfd07e..e624a0b 100644
--- a/test/fixtures/keys.json
+++ b/test/fixtures/keys.json
@@ -15,5 +15,13 @@
     "kid": "DaX11gArWQebNHO7EMPML5VtT4Ewrfkwc5SlGiWvUwA",
     "kty": "RSA",
     "use": "sig"
-  }]
-}
+  },
+  {
+    "kty": "RSA",
+    "n": "wPg46vn7i0LXw0_jIiKlaKXmu8pkVZxB17r8qNW7lO5EEwvqzfg5mZ_bArZlU3VXgwTS4qDL5Mn1sDRgMd16602Posk_oRDkZFP8djStkxGm4lvxkTUHQwB4kcfnuRhSNodkIY3eZ53wN9GaNMd3Q4p2WKQ3YUgNc61tyxbpR19tfyiI0bnyBfMj15LY_MLQmjdBu8ZV8uV9KKhegNwBwW-V4HmqBnKZFdfdm0zLg0U21Nb2TowZ1UVlK4Usdkhx--JM1Kjwt6TEfDlysg--5SJGoPbiuaXDUhAiR6MXbha6Z6291MwcC5jxSw8LHXhrnzEDjEPve3cnvBtwMXmsbQ",
+    "e": "AQAB",
+    "kid": "3dK4-C5reVFKJPeTSaAPNs-p41kbWUDOBXF3XQHXjak",
+    "alg": "RS256",
+    "use": "sig"
+  }
+]}
diff --git a/test/fixtures/token-iss-no-https.js b/test/fixtures/token-iss-no-https.js
new file mode 100644
index 0000000..7e5afc5
--- /dev/null
+++ b/test/fixtures/token-iss-no-https.js
@@ -0,0 +1 @@
+module.exports = 'eyJraWQiOiIzZEs0LUM1cmVWRktKUGVUU2FBUE5zLXA0MWtiV1VET0JYRjNYUUhYamFrIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiIwMHVkanlqc3NidDJTMVFWcjBoNyIsInZlciI6MSwiaXNzIjoiYXV0aGVudGljLmFydGljdWxhdGUuY29tLyIsImF1ZCI6IjBvYWRqeWs1MjNobFpmeWIxMGg3IiwiaWF0IjoxNTE2NjM3MDkxLCJleHAiOjE1MTY2NDA2OTEsImp0aSI6IklELmM4amh6b2t5MGZGTlByOExfU0NycnBnVFRVeUFvY3RIdjY5T0tTbWY1R0EiLCJhbXIiOlsicHdkIl0sImlkcCI6IjAwb2NnNHRidTZGSzJEaDVHMGg3Iiwibm9uY2UiOiIyIiwiYXV0aF90aW1lIjoxNTE2NjM3MDkxLCJ0ZW5hbnRJZCI6ImQ0MmUzM2ZkLWYwNWUtNGE0ZS05MDUwLTViN2IyZTgwMDgzNCJ9.inuggb9ZZSdwLYMr0t5uTGP_wV3Y-ZC11xpwgU4ltU6YyE3jwZKr_XNXVs7qjzZoCmuE_Ubk2mnub491BUtye2L8RnU3kN1_HW9sEotu7X8WDt-avQ1-NlQY_G4W2pEmD-RYLM0lNCEXnwQUGyLqhhZkZ-vCOkJUGDYCttgNk25TPTcGI_Ro26BdrPW31BAUgj1KzVVs8c5316uacEV-2yS9jDIcjm0_3RoxeINwibfNwthNiYn18tMdy_wPJA4BTaDVep2wdrYoJMnFTl0h2ayIxBrFkzZPYSImCbHEuBgIkV4xHf_Ipulgyvf1CGrv7_EGiXuXOu-jPSm4WZvoVg'
diff --git a/test/index.js b/test/index.js
index 720e213..947ec6e 100644
--- a/test/index.js
+++ b/test/index.js
@@ -7,13 +7,13 @@ const bad                = require('./fixtures/bad-iss')
 const keys               = require('./fixtures/keys')
 const oidc               = require('./fixtures/oidc')
 const token              = require('./fixtures/token')
+const httpsMissingToken  = require('./fixtures/token-iss-no-https.js')
 const capitalBearerToken = 'Bearer ' + token
 const lowerBearerToken   = 'bearer ' + token
 const malformedBearerToken = 'Bearer' + token.slice(0, 200)
 
 const { issuer } = oidc
 
-
 const badIss = jwt.decode(bad, { complete: true }).payload.iss
 
 const wellKnown = '/.well-known/openid-configuration'
@@ -105,6 +105,24 @@ describe('authentic', () => {
         )
       })
 
+      describe('with a valid jwt that is missing protocol in iss claim', () => {
+        beforeEach(() => {
+          const auth = require('..')({
+            verify: { ignoreExpiration: true },
+            issWhitelist: [ issuer.replace('https://', '') ],
+          })
+          auth(httpsMissingToken).then(res)
+        })
+
+        it('validates the jwt against the jwks', () =>
+          expect(res().sub).to.equal('00udjyjssbt2S1QVr0h7')
+        )
+
+        it('caches the jwks client', () =>
+          expect(res().sub).to.equal('00udjyjssbt2S1QVr0h7')
+        )
+      })
+
       describe('with a valid jwt that starts with Bearer', () => {
         beforeEach(() =>
           authentic(capitalBearerToken).then(res)