aboutsummaryrefslogtreecommitdiffstats
path: root/spec/util_jwt_spec.lua
diff options
context:
space:
mode:
Diffstat (limited to 'spec/util_jwt_spec.lua')
-rw-r--r--spec/util_jwt_spec.lua252
1 files changed, 137 insertions, 115 deletions
diff --git a/spec/util_jwt_spec.lua b/spec/util_jwt_spec.lua
index 8204eebf..9ac3887b 100644
--- a/spec/util_jwt_spec.lua
+++ b/spec/util_jwt_spec.lua
@@ -21,131 +21,153 @@ describe("util.jwt", function ()
assert.falsy(ok)
end);
- it("validates HS256", function ()
- local verify = jwt.new_verifier("HS256", "your-256-bit-secret");
-
- local result = {verify([[eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c]])};
- assert.same({
- true; -- success
- { -- payload
- sub = "1234567890";
- name = "John Doe";
- iat = 1516239022;
+ local test_cases = {
+ {
+ algorithm = "HS256";
+ keys = {
+ { "your-256-bit-secret", "your-256-bit-secret" };
+ { "another-secret", "another-secret" };
};
- }, result);
-
- end);
-
- it("validates ES256", function ()
- local private_key = test_keys.ecdsa_private_pem;
- local sign = jwt.new_signer("ES256", private_key);
-
- local token = sign({
- sub = "1234567890";
- name = "John Doe";
- admin = true;
- iat = 1516239022;
- });
-
- local public_key = test_keys.ecdsa_public_pem;
- local verify = jwt.new_verifier("ES256", public_key);
-
- local result = {verify(token)};
- assert.same({
- true; -- success
- { -- payload
- sub = "1234567890";
- name = "John Doe";
- admin = true;
- iat = 1516239022;
+ {
+ name = "jwt.io reference";
+ [[eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c]];
+ { -- payload
+ sub = "1234567890";
+ name = "John Doe";
+ iat = 1516239022;
+ };
};
- }, result);
-
- local result = {verify[[eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.tyh-VfuzIxCyGYDlkBA7DfyjrqmSHu6pQ2hoZuFqUSLPNY2N0mpHb3nk5K17HWP_3cYHBw7AhHale5wky6-sVA]]};
- assert.same({
- true; -- success
- { -- payload
- sub = "1234567890";
- name = "John Doe";
- admin = true;
- iat = 1516239022;
+ };
+ {
+ algorithm = "ES256";
+ keys = {
+ { test_keys.ecdsa_private_pem, test_keys.ecdsa_public_pem };
+ { test_keys.alt_ecdsa_private_pem, test_keys.alt_ecdsa_public_pem };
};
- }, result);
- end);
-
- it("validates RS256", function ()
- local private_key = test_keys.rsa_private_pem;
- local sign = jwt.new_signer("RS256", private_key);
-
- local token = sign({
- sub = "1234567890";
- name = "John Doe";
- admin = true;
- iat = 1516239022;
- });
-
- local public_key = test_keys.rsa_public_pem;
- local verify = jwt.new_verifier("RS256", public_key);
-
- local result = {verify(token)};
- assert.same({
- true; -- success
- { -- payload
- sub = "1234567890";
- name = "John Doe";
- admin = true;
- iat = 1516239022;
+ {
+ name = "jwt.io reference";
+ [[eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.tyh-VfuzIxCyGYDlkBA7DfyjrqmSHu6pQ2hoZuFqUSLPNY2N0mpHb3nk5K17HWP_3cYHBw7AhHale5wky6-sVA]];
+ { -- payload
+ sub = "1234567890";
+ name = "John Doe";
+ admin = true;
+ iat = 1516239022;
+ };
};
- }, result);
-
- local result = {verify[[eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.NHVaYe26MbtOYhSKkoKYdFVomg4i8ZJd8_-RU8VNbftc4TSMb4bXP3l3YlNWACwyXPGffz5aXHc6lty1Y2t4SWRqGteragsVdZufDn5BlnJl9pdR_kdVFUsra2rWKEofkZeIC4yWytE58sMIihvo9H1ScmmVwBcQP6XETqYd0aSHp1gOa9RdUPDvoXQ5oqygTqVtxaDr6wUFKrKItgBMzWIdNZ6y7O9E0DhEPTbE9rfBo6KTFsHAZnMg4k68CDp2woYIaXbmYTWcvbzIuHO7_37GT79XdIwkm95QJ7hYC9RiwrV7mesbY4PAahERJawntho0my942XheVLmGwLMBkQ]]};
- assert.same({
- true; -- success
- { -- payload
- sub = "1234567890";
- name = "John Doe";
- admin = true;
- iat = 1516239022;
+ };
+ {
+ algorithm = "RS256";
+ keys = {
+ { test_keys.rsa_private_pem, test_keys.rsa_public_pem };
+ { test_keys.alt_rsa_private_pem, test_keys.alt_rsa_public_pem };
};
- }, result);
- end);
+ {
+ name = "jwt.io reference";
+ [[eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.NHVaYe26MbtOYhSKkoKYdFVomg4i8ZJd8_-RU8VNbftc4TSMb4bXP3l3YlNWACwyXPGffz5aXHc6lty1Y2t4SWRqGteragsVdZufDn5BlnJl9pdR_kdVFUsra2rWKEofkZeIC4yWytE58sMIihvo9H1ScmmVwBcQP6XETqYd0aSHp1gOa9RdUPDvoXQ5oqygTqVtxaDr6wUFKrKItgBMzWIdNZ6y7O9E0DhEPTbE9rfBo6KTFsHAZnMg4k68CDp2woYIaXbmYTWcvbzIuHO7_37GT79XdIwkm95QJ7hYC9RiwrV7mesbY4PAahERJawntho0my942XheVLmGwLMBkQ]];
+ { -- payload
+ sub = "1234567890";
+ name = "John Doe";
+ admin = true;
+ iat = 1516239022;
+ };
+ };
+ };
+ {
+ algorithm = "PS256";
+ keys = {
+ { test_keys.rsa_private_pem, test_keys.rsa_public_pem };
+ { test_keys.alt_rsa_private_pem, test_keys.alt_rsa_public_pem };
+ };
+ {
+ name = "jwt.io reference";
+ [[eyJhbGciOiJQUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.iOeNU4dAFFeBwNj6qdhdvm-IvDQrTa6R22lQVJVuWJxorJfeQww5Nwsra0PjaOYhAMj9jNMO5YLmud8U7iQ5gJK2zYyepeSuXhfSi8yjFZfRiSkelqSkU19I-Ja8aQBDbqXf2SAWA8mHF8VS3F08rgEaLCyv98fLLH4vSvsJGf6ueZSLKDVXz24rZRXGWtYYk_OYYTVgR1cg0BLCsuCvqZvHleImJKiWmtS0-CymMO4MMjCy_FIl6I56NqLE9C87tUVpo1mT-kbg5cHDD8I7MjCW5Iii5dethB4Vid3mZ6emKjVYgXrtkOQ-JyGMh6fnQxEFN1ft33GX2eRHluK9eg]];
+ { -- payload
+ sub = "1234567890";
+ name = "John Doe";
+ admin = true;
+ iat = 1516239022;
+ };
+ };
+ };
+ };
- it("validates PS256", function ()
- local private_key = test_keys.rsa_private_pem;
- local sign = jwt.new_signer("PS256", private_key);
+ local function do_verify_test(algorithm, verifying_key, token, expect_payload)
+ local verify = jwt.new_verifier(algorithm, verifying_key);
- local token = sign({
+ assert.is_string(token);
+ local result = {verify(token)};
+ if expect_payload then
+ assert.same({
+ true; -- success
+ expect_payload; -- payload
+ }, result);
+ else
+ assert.same({
+ false;
+ "signature-mismatch";
+ }, result);
+ end
+ end
+
+ local function do_sign_verify_test(algorithm, signing_key, verifying_key, expect_success, expect_token)
+ local sign = jwt.new_signer(algorithm, signing_key);
+
+ local test_payload = {
sub = "1234567890";
name = "John Doe";
admin = true;
iat = 1516239022;
- });
-
- local public_key = test_keys.rsa_public_pem;
- local verify = jwt.new_verifier("PS256", public_key);
-
- local result = {verify(token)};
- assert.same({
- true; -- success
- { -- payload
- sub = "1234567890";
- name = "John Doe";
- admin = true;
- iat = 1516239022;
- };
- }, result);
-
- local result = {verify[[eyJhbGciOiJQUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.iOeNU4dAFFeBwNj6qdhdvm-IvDQrTa6R22lQVJVuWJxorJfeQww5Nwsra0PjaOYhAMj9jNMO5YLmud8U7iQ5gJK2zYyepeSuXhfSi8yjFZfRiSkelqSkU19I-Ja8aQBDbqXf2SAWA8mHF8VS3F08rgEaLCyv98fLLH4vSvsJGf6ueZSLKDVXz24rZRXGWtYYk_OYYTVgR1cg0BLCsuCvqZvHleImJKiWmtS0-CymMO4MMjCy_FIl6I56NqLE9C87tUVpo1mT-kbg5cHDD8I7MjCW5Iii5dethB4Vid3mZ6emKjVYgXrtkOQ-JyGMh6fnQxEFN1ft33GX2eRHluK9eg]]};
- assert.same({
- true; -- success
- { -- payload
- sub = "1234567890";
- name = "John Doe";
- admin = true;
- iat = 1516239022;
- };
- }, result);
- end);
-
+ };
+
+ local token = sign(test_payload);
+
+ if expect_token then
+ assert.equal(expect_token, token);
+ end
+
+ do_verify_test(algorithm, verifying_key, token, expect_success and test_payload or false);
+ end
+
+
+
+ for _, algorithm_tests in ipairs(test_cases) do
+ local algorithm = algorithm_tests.algorithm;
+ local keypairs = algorithm_tests.keys;
+ describe(algorithm, function ()
+ it("can do basic sign and verify", function ()
+ for _, keypair in ipairs(keypairs) do
+ local signing_key, verifying_key = keypair[1], keypair[2];
+ do_sign_verify_test(algorithm, keypair[1], keypair[2], true);
+ end
+ end);
+
+ if #keypairs >= 2 then
+ it("rejects invalid tokens", function ()
+ do_sign_verify_test(algorithm, keypairs[1][1], keypairs[2][2], false);
+ end);
+ else
+ pending("rejects invalid tokens", function ()
+ error("Needs at least 2 key pairs");
+ end);
+ end
+
+ if #algorithm_tests > 0 then
+ for test_n, test_case in ipairs(algorithm_tests) do
+ it("can verify "..(test_case.name or (("test case %d"):format(test_n))), function ()
+ do_verify_test(
+ algorithm,
+ test_case.verifying_key or keypairs[1][2],
+ test_case[1],
+ test_case[2]
+ );
+ end);
+ end
+ else
+ pending("can verify reference tokens", function ()
+ error("No test tokens provided");
+ end);
+ end
+ end);
+ end
end);
generated by cgit v1.2.3 (git 2.25.1) at 2025-02-21 13:23:22 +0000