mirror of
https://github.com/mountain-loop/yaak.git
synced 2026-07-16 17:51:25 +02:00
Fall back to JWT exp claim when OAuth token response has no expires_in (#506)
This commit is contained in:
@@ -1,5 +1,6 @@
|
||||
import jwt from "jsonwebtoken";
|
||||
import { describe, expect, test } from "vite-plus/test";
|
||||
import { extractCode } from "../src/util";
|
||||
import { extractCode, isTokenExpired, jwtExpiresAt } from "../src/util";
|
||||
|
||||
describe("extractCode", () => {
|
||||
test("extracts code from query when same origin + path", () => {
|
||||
@@ -107,3 +108,55 @@ describe("extractCode", () => {
|
||||
expect(extractCode(url, redirect)).toBe("abc");
|
||||
});
|
||||
});
|
||||
|
||||
describe("isTokenExpired", () => {
|
||||
const jwtWithExp = (expSecondsFromNow: number) =>
|
||||
jwt.sign({ exp: Math.floor(Date.now() / 1000) + expSecondsFromNow }, "test-secret");
|
||||
|
||||
test("uses stored expiresAt when present", () => {
|
||||
expect(isTokenExpired({ response: { access_token: "x" }, expiresAt: Date.now() - 1000 })).toBe(
|
||||
true,
|
||||
);
|
||||
expect(isTokenExpired({ response: { access_token: "x" }, expiresAt: Date.now() + 10000 })).toBe(
|
||||
false,
|
||||
);
|
||||
});
|
||||
|
||||
test("falls back to JWT exp claim when expiresAt is null", () => {
|
||||
expect(
|
||||
isTokenExpired({ response: { access_token: jwtWithExp(-60) }, expiresAt: null }),
|
||||
).toBe(true);
|
||||
expect(
|
||||
isTokenExpired({ response: { access_token: jwtWithExp(60) }, expiresAt: null }),
|
||||
).toBe(false);
|
||||
});
|
||||
|
||||
test("treats opaque tokens without expiresAt as non-expiring", () => {
|
||||
expect(isTokenExpired({ response: { access_token: "opaque-token" }, expiresAt: null })).toBe(
|
||||
false,
|
||||
);
|
||||
});
|
||||
|
||||
test("checks the token that is used as the credential", () => {
|
||||
// Expired id_token credential is not masked by an opaque access_token
|
||||
const token = {
|
||||
response: { access_token: "opaque-token", id_token: jwtWithExp(-60) },
|
||||
expiresAt: null,
|
||||
};
|
||||
expect(isTokenExpired(token, "id_token")).toBe(true);
|
||||
expect(isTokenExpired(token, "access_token")).toBe(false);
|
||||
});
|
||||
});
|
||||
|
||||
describe("jwtExpiresAt", () => {
|
||||
test("extracts exp claim in milliseconds", () => {
|
||||
const exp = Math.floor(Date.now() / 1000) + 300;
|
||||
expect(jwtExpiresAt(jwt.sign({ exp }, "test-secret"))).toBe(exp * 1000);
|
||||
});
|
||||
|
||||
test("returns null for non-JWT or missing tokens", () => {
|
||||
expect(jwtExpiresAt("not-a-jwt")).toBeNull();
|
||||
expect(jwtExpiresAt(undefined)).toBeNull();
|
||||
expect(jwtExpiresAt(jwt.sign({ foo: "bar" }, "test-secret"))).toBeNull();
|
||||
});
|
||||
});
|
||||
|
||||
Reference in New Issue
Block a user