Merge pull request #56 from byu-oit/throw-better-x5t-error

GaryGSC · web-flow · commit f297ee6d992a · 2021-07-22T15:57:25.000-06:00
Throw better error if x5t in JWT doesn't match any known keys
diff --git a/lib/index.js b/lib/index.js
@@ -382,8 +382,12 @@ async function verifyJWT (options, cache, jwt) {
   const openIdConfig = await initOpenId(cache)
   const algorithms = openIdConfig.id_token_signing_alg_values_supported
 
-  const key = (await initPem(cache)).filter(key => key.x5t === jwtHeaders.x5t)
-  const pem = key[0].x5c
+  const matchingKey = (await initPem(cache)).find(key => key.x5t === jwtHeaders.x5t)
+  if (!matchingKey) {
+    debug('Failed verifying JWT: x5t in JWT did not correspond to any known key')
+    throw new Error('x5t in JWT did not correspond to any known key')
+  }
+  const pem = matchingKey.x5c
 
   debug('verifying JWT')
   try {
diff --git a/test/index.test.js b/test/index.test.js
@@ -82,6 +82,18 @@ describe('byu-jwt', function () {
           expect(value).to.equal(false)
         })
     })
+
+    it('invalid x5t in JWT', () => {
+      const [encodedJwtHeaders, ...restOfJwt] = jwt.split('.')
+      const decodedJwtHeaders = JSON.parse(Buffer.from(encodedJwtHeaders.replace(/=/g, ''), 'base64').toString())
+      const jwtHeadersWithInvalidX5t = { ...decodedJwtHeaders, x5t: 'invalid x5t' }
+      const encodedJwtHeadersWithInvalidX5t = Buffer.from(JSON.stringify(jwtHeadersWithInvalidX5t)).toString('base64').replace(/=/g, '')
+      const jwtWithInvalidX5t = [encodedJwtHeadersWithInvalidX5t, ...restOfJwt].join('.')
+      return byuJWT.verifyJWT(jwtWithInvalidX5t)
+        .then(value => {
+          expect(value).to.equal(false)
+        })
+    })
   })
 
   describe('decodeJWT', () => {
@@ -120,6 +132,15 @@ describe('byu-jwt', function () {
           expect(err.message).to.equal('Invalid JWT')
         })
     })
+
+    it('missing JWT', () => {
+      const headers = {}
+      return byuJWT.authenticate(headers)
+        .then(() => { throw Error('not this error') })
+        .catch(err => {
+          expect(err.message).to.equal('Missing expected JWT')
+        })
+    })
   })
 
   describe('authenticateUAPIMiddleware', () => {
