tests/auth.rs at c5450da8659ec6f2669d0ad264493d7e01944591 · lewis.moe/bspds-sandbox

lewis.moe / bspds-sandbox
this repo has no description
bspds-sandbox / tests / auth.rs
at c5450da8659ec6f2669d0ad264493d7e01944591 4.6 kB view raw
  1use bspds::auth;
  2use k256::SecretKey;
  3use rand::rngs::OsRng;
  4use chrono::{Utc, Duration};
  5use base64::{Engine as _, engine::general_purpose::URL_SAFE_NO_PAD};
  6use serde_json::json;
  7use k256::ecdsa::{SigningKey, signature::Signer};
  8
  9#[test]
 10fn test_jwt_flow() {
 11    let secret_key = SecretKey::random(&mut OsRng);
 12    let key_bytes = secret_key.to_bytes();
 13    let did = "did:plc:test";
 14
 15    let token = auth::create_access_token(did, &key_bytes).expect("create token");
 16    let data = auth::verify_token(&token, &key_bytes).expect("verify token");
 17    assert_eq!(data.claims.sub, did);
 18    assert_eq!(data.claims.iss, did);
 19    assert_eq!(data.claims.scope, Some("access".to_string()));
 20
 21    let r_token = auth::create_refresh_token(did, &key_bytes).expect("create refresh token");
 22    let r_data = auth::verify_token(&r_token, &key_bytes).expect("verify refresh token");
 23    assert_eq!(r_data.claims.scope, Some("refresh".to_string()));
 24
 25    let aud = "did:web:service";
 26    let lxm = "com.example.test";
 27    let s_token = auth::create_service_token(did, aud, lxm, &key_bytes).expect("create service token");
 28    let s_data = auth::verify_token(&s_token, &key_bytes).expect("verify service token");
 29    assert_eq!(s_data.claims.aud, aud);
 30    assert_eq!(s_data.claims.lxm, Some(lxm.to_string()));
 31}
 32
 33#[test]
 34fn test_verify_fails_with_wrong_key() {
 35    let secret_key1 = SecretKey::random(&mut OsRng);
 36    let key_bytes1 = secret_key1.to_bytes();
 37
 38    let secret_key2 = SecretKey::random(&mut OsRng);
 39    let key_bytes2 = secret_key2.to_bytes();
 40
 41    let did = "did:plc:test";
 42    let token = auth::create_access_token(did, &key_bytes1).expect("create token");
 43
 44    let result = auth::verify_token(&token, &key_bytes2);
 45    assert!(result.is_err());
 46}
 47
 48#[test]
 49fn test_token_expiration() {
 50    let secret_key = SecretKey::random(&mut OsRng);
 51    let key_bytes = secret_key.to_bytes();
 52    let signing_key = SigningKey::from_slice(&key_bytes).expect("key");
 53
 54    let header = json!({
 55        "alg": "ES256K",
 56        "typ": "JWT"
 57    });
 58    let claims = json!({
 59        "iss": "did:plc:test",
 60        "sub": "did:plc:test",
 61        "aud": "did:web:test",
 62        "exp": (Utc::now() - Duration::seconds(10)).timestamp(),
 63        "iat": (Utc::now() - Duration::minutes(1)).timestamp(),
 64        "jti": "unique",
 65    });
 66
 67    let header_b64 = URL_SAFE_NO_PAD.encode(serde_json::to_string(&header).unwrap());
 68    let claims_b64 = URL_SAFE_NO_PAD.encode(serde_json::to_string(&claims).unwrap());
 69    let message = format!("{}.{}", header_b64, claims_b64);
 70    let signature: k256::ecdsa::Signature = signing_key.sign(message.as_bytes());
 71    let signature_b64 = URL_SAFE_NO_PAD.encode(signature.to_bytes());
 72    let token = format!("{}.{}", message, signature_b64);
 73
 74    let result = auth::verify_token(&token, &key_bytes);
 75    match result {
 76        Ok(_) => panic!("Token should be expired"),
 77        Err(e) => assert_eq!(e.to_string(), "Token expired"),
 78    }
 79}
 80
 81#[test]
 82fn test_invalid_token_format() {
 83    let secret_key = SecretKey::random(&mut OsRng);
 84    let key_bytes = secret_key.to_bytes();
 85
 86    assert!(auth::verify_token("invalid.token", &key_bytes).is_err());
 87    assert!(auth::verify_token("too.many.parts.here", &key_bytes).is_err());
 88    assert!(auth::verify_token("bad_base64.payload.sig", &key_bytes).is_err());
 89}
 90
 91#[test]
 92fn test_tampered_token() {
 93    let secret_key = SecretKey::random(&mut OsRng);
 94    let key_bytes = secret_key.to_bytes();
 95    let did = "did:plc:test";
 96
 97    let token = auth::create_access_token(did, &key_bytes).expect("create token");
 98    let parts: Vec<&str> = token.split('.').collect();
 99
100    let claims_json = String::from_utf8(URL_SAFE_NO_PAD.decode(parts[1]).unwrap()).unwrap();
101    let mut claims: serde_json::Value = serde_json::from_str(&claims_json).unwrap();
102    claims["sub"] = json!("did:plc:hacker");
103    let tampered_claims_b64 = URL_SAFE_NO_PAD.encode(serde_json::to_string(&claims).unwrap());
104
105    let tampered_token = format!("{}.{}.{}", parts[0], tampered_claims_b64, parts[2]);
106
107    let result = auth::verify_token(&tampered_token, &key_bytes);
108    assert!(result.is_err());
109}
110
111#[test]
112fn test_get_did_from_token() {
113    let secret_key = SecretKey::random(&mut OsRng);
114    let key_bytes = secret_key.to_bytes();
115    let did = "did:plc:test";
116
117    let token = auth::create_access_token(did, &key_bytes).expect("create token");
118    let extracted_did = auth::get_did_from_token(&token).expect("get did");
119    assert_eq!(extracted_did, did);
120
121    assert!(auth::get_did_from_token("bad.token").is_err());
122}