tests/auth.rs at 1801d787d0218176590effa7552c5697af00bfbc · lewis.moe/bspds-sandbox

lewis.moe / bspds-sandbox
this repo has no description
bspds-sandbox / tests / auth.rs
at 1801d787d0218176590effa7552c5697af00bfbc 5.3 kB view raw
  1use base64::{Engine as _, engine::general_purpose::URL_SAFE_NO_PAD};
  2use bspds::auth;
  3use chrono::{Duration, Utc};
  4use k256::SecretKey;
  5use k256::ecdsa::{SigningKey, signature::Signer};
  6use rand::rngs::OsRng;
  7use serde_json::json;
  8
  9#[test]
 10fn test_jwt_flow() {
 11    let secret_key = SecretKey::random(&mut OsRng);
 12    let key_bytes = secret_key.to_bytes();
 13    let did = "did:plc:test";
 14
 15    let token = auth::create_access_token(did, &key_bytes).expect("create token");
 16    let data = auth::verify_access_token(&token, &key_bytes).expect("verify access token");
 17    assert_eq!(data.claims.sub, did);
 18    assert_eq!(data.claims.iss, did);
 19    assert_eq!(data.claims.scope, Some(auth::SCOPE_ACCESS.to_string()));
 20
 21    let r_token = auth::create_refresh_token(did, &key_bytes).expect("create refresh token");
 22    let r_data = auth::verify_refresh_token(&r_token, &key_bytes).expect("verify refresh token");
 23    assert_eq!(r_data.claims.scope, Some(auth::SCOPE_REFRESH.to_string()));
 24
 25    let aud = "did:web:service";
 26    let lxm = "com.example.test";
 27    let s_token =
 28        auth::create_service_token(did, aud, lxm, &key_bytes).expect("create service token");
 29    let s_data = auth::verify_token(&s_token, &key_bytes).expect("verify service token");
 30    assert_eq!(s_data.claims.aud, aud);
 31    assert_eq!(s_data.claims.lxm, Some(lxm.to_string()));
 32}
 33
 34#[test]
 35fn test_token_type_confusion_prevented() {
 36    let secret_key = SecretKey::random(&mut OsRng);
 37    let key_bytes = secret_key.to_bytes();
 38    let did = "did:plc:test";
 39
 40    let access_token = auth::create_access_token(did, &key_bytes).expect("create access token");
 41    let refresh_token = auth::create_refresh_token(did, &key_bytes).expect("create refresh token");
 42
 43    assert!(auth::verify_access_token(&access_token, &key_bytes).is_ok());
 44    assert!(auth::verify_access_token(&refresh_token, &key_bytes).is_err());
 45
 46    assert!(auth::verify_refresh_token(&refresh_token, &key_bytes).is_ok());
 47    assert!(auth::verify_refresh_token(&access_token, &key_bytes).is_err());
 48}
 49
 50#[test]
 51fn test_verify_fails_with_wrong_key() {
 52    let secret_key1 = SecretKey::random(&mut OsRng);
 53    let key_bytes1 = secret_key1.to_bytes();
 54
 55    let secret_key2 = SecretKey::random(&mut OsRng);
 56    let key_bytes2 = secret_key2.to_bytes();
 57
 58    let did = "did:plc:test";
 59    let token = auth::create_access_token(did, &key_bytes1).expect("create token");
 60
 61    let result = auth::verify_token(&token, &key_bytes2);
 62    assert!(result.is_err());
 63}
 64
 65#[test]
 66fn test_token_expiration() {
 67    let secret_key = SecretKey::random(&mut OsRng);
 68    let key_bytes = secret_key.to_bytes();
 69    let signing_key = SigningKey::from_slice(&key_bytes).expect("key");
 70
 71    let header = json!({
 72        "alg": "ES256K",
 73        "typ": "JWT"
 74    });
 75    let claims = json!({
 76        "iss": "did:plc:test",
 77        "sub": "did:plc:test",
 78        "aud": "did:web:test",
 79        "exp": (Utc::now() - Duration::seconds(10)).timestamp(),
 80        "iat": (Utc::now() - Duration::minutes(1)).timestamp(),
 81        "jti": "unique",
 82    });
 83
 84    let header_b64 = URL_SAFE_NO_PAD.encode(serde_json::to_string(&header).unwrap());
 85    let claims_b64 = URL_SAFE_NO_PAD.encode(serde_json::to_string(&claims).unwrap());
 86    let message = format!("{}.{}", header_b64, claims_b64);
 87    let signature: k256::ecdsa::Signature = signing_key.sign(message.as_bytes());
 88    let signature_b64 = URL_SAFE_NO_PAD.encode(signature.to_bytes());
 89    let token = format!("{}.{}", message, signature_b64);
 90
 91    let result = auth::verify_token(&token, &key_bytes);
 92    match result {
 93        Ok(_) => panic!("Token should be expired"),
 94        Err(e) => assert_eq!(e.to_string(), "Token expired"),
 95    }
 96}
 97
 98#[test]
 99fn test_invalid_token_format() {
100    let secret_key = SecretKey::random(&mut OsRng);
101    let key_bytes = secret_key.to_bytes();
102
103    assert!(auth::verify_token("invalid.token", &key_bytes).is_err());
104    assert!(auth::verify_token("too.many.parts.here", &key_bytes).is_err());
105    assert!(auth::verify_token("bad_base64.payload.sig", &key_bytes).is_err());
106}
107
108#[test]
109fn test_tampered_token() {
110    let secret_key = SecretKey::random(&mut OsRng);
111    let key_bytes = secret_key.to_bytes();
112    let did = "did:plc:test";
113
114    let token = auth::create_access_token(did, &key_bytes).expect("create token");
115    let parts: Vec<&str> = token.split('.').collect();
116
117    let claims_json = String::from_utf8(URL_SAFE_NO_PAD.decode(parts[1]).unwrap()).unwrap();
118    let mut claims: serde_json::Value = serde_json::from_str(&claims_json).unwrap();
119    claims["sub"] = json!("did:plc:hacker");
120    let tampered_claims_b64 = URL_SAFE_NO_PAD.encode(serde_json::to_string(&claims).unwrap());
121
122    let tampered_token = format!("{}.{}.{}", parts[0], tampered_claims_b64, parts[2]);
123
124    let result = auth::verify_token(&tampered_token, &key_bytes);
125    assert!(result.is_err());
126}
127
128#[test]
129fn test_get_did_from_token() {
130    let secret_key = SecretKey::random(&mut OsRng);
131    let key_bytes = secret_key.to_bytes();
132    let did = "did:plc:test";
133
134    let token = auth::create_access_token(did, &key_bytes).expect("create token");
135    let extracted_did = auth::get_did_from_token(&token).expect("get did");
136    assert_eq!(extracted_did, did);
137
138    assert!(auth::get_did_from_token("bad.token").is_err());
139}