UNPKG

google-id-token-verifier

Version:

A small library to validate a google ID token for consuming it in node.js backend server.

github.com/maeltm/node-google-id-token-verifier

maeltm/node-google-id-token-verifier

172 lines (140 loc) 5.71 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
'use strict'; var _ = require('underscore'); var assert = require('assert'); var crypto = require('crypto'); var fs = require('fs'); var sinon = require('sinon'); var request = require('request'); var verifier = require('../lib/main'); var testEnvelope = require('./fixtures/envelope'); var testToken = require('./fixtures/idToken'); var testOAuthCerts = require('./fixtures/oauthcerts'); function makeFakeIdToken(payload, envelope) { var privateKey = fs.readFileSync('./test/fixtures/private.pem', 'utf-8'); var data = new Buffer(JSON.stringify(envelope)).toString('base64') + '.' + new Buffer(JSON.stringify(payload)).toString('base64'); var signer = crypto.createSign('sha256'); signer.update(data); var signature = signer.sign(privateKey, 'base64'); data += '.' + signature; return data; } function makeValidPayload(payload) { var maxLifetimeSecs = 86400; var now = new Date().getTime() / 1000; var expiry = now + (maxLifetimeSecs / 2); payload.iat = now; payload.exp = expiry; return payload; } describe('verifying google idToken', function () { before(function (done) { sinon .stub(request, 'get') .yields(null, { statusCode: 200, headers: {} }, testOAuthCerts); done(); }); after(function (done) { request.get.restore(); done(); }); it('should succeed to get tokenInfo with verifying', function (done) { var payload = makeValidPayload(_.clone(testToken)); var envelope = _.clone(testEnvelope); var data = makeFakeIdToken(payload, envelope); verifier.verify(data, payload.aud, function (error, tokenInfo) { assert.equal(_.isError(error), false); assert.equal(tokenInfo.sub, payload.sub); done(); }); }); it('should fail to load payload if iss is invalid', function (done) { var payload = makeValidPayload(_.clone(testToken)); payload.iss = 'invalid.issuer.domain'; var envelope = _.clone(testEnvelope); var data = makeFakeIdToken(payload, envelope); verifier.verify(data, payload.aud, function (error, tokenInfo) { assert.equal(_.isError(error), true); assert.equal(error.message, 'Invalid idToken issuer'); assert.equal(_.isEmpty(tokenInfo), true); done(); }); }); it('should fail to verify signature if jwk is invalid', function (done) { var payload = makeValidPayload(_.clone(testToken)); var envelope = _.clone(testEnvelope); envelope.kid = 'invalidKid'; var data = makeFakeIdToken(payload, envelope); verifier.verify(data, payload.aud, function (error, tokenInfo) { assert.equal(_.isError(error), true); assert.equal(error.message, 'Cannot not found valid JWK'); assert.equal(_.isEmpty(tokenInfo), true); done(); }); }); it('should fail to decode JWT if idToken is invalid', function (done) { var payload = makeValidPayload(_.clone(testToken)); var envelope = _.clone(testEnvelope); var data = makeFakeIdToken(payload, envelope); data += '.invalidCode'; verifier.verify(data, payload.aud, function (error, tokenInfo) { assert.equal(_.isError(error), true); assert.equal(error.message, 'Invalid idToken'); assert.equal(_.isEmpty(tokenInfo), true); done(); }); }); it('should fail to decode JWT if payload is invalid', function (done) { var payload = makeValidPayload(_.clone(testToken)); var envelope = _.clone(testEnvelope); var privateKey = fs.readFileSync('./test/fixtures/private.pem', 'utf-8'); var data = new Buffer(JSON.stringify(envelope)).toString('base64') + '.' + new Buffer(JSON.stringify(payload) + 'invalidJson').toString('base64'); var signer = crypto.createSign('sha256'); signer.update(data); var signature = signer.sign(privateKey, 'base64'); data += '.' + signature; verifier.verify(data, payload.aud, function (error, tokenInfo) { assert.equal(_.isError(error), true); assert.equal(error.message, 'Invalid payload'); assert.equal(_.isEmpty(tokenInfo), true); done(); }); }); it('should fail to verify signature if signature is invalid', function (done) { var payload = makeValidPayload(_.clone(testToken)); var envelope = _.clone(testEnvelope); var data = makeFakeIdToken(payload, envelope); var invalidSignatureData = data.substring(0, data.lastIndexOf('.') + 1) + 'InvalidSignature'; verifier.verify(invalidSignatureData, payload.aud, function (error, tokenInfo) { assert.equal(_.isError(error), true); assert.equal(error.message, 'Invalid Signature'); assert.equal(_.isEmpty(tokenInfo), true); done(); }); }); it('should fail to verify payload if audience is invalid', function (done) { var payload = makeValidPayload(_.clone(testToken)); payload.aud = 'invalid.audience.domain'; var envelope = _.clone(testEnvelope); var data = makeFakeIdToken(payload, envelope); verifier.verify(data, testToken.aud, function (error, tokenInfo) { assert.equal(_.isError(error), true); assert.equal(error.message, 'Invalid idToken audience'); assert.equal(_.isEmpty(tokenInfo), true); done(); }); }); it('should fail to verify payload if idToken is expired', function (done) { var payload = makeValidPayload(_.clone(testToken)); payload.exp = new Date(0).getTime() / 1000; var envelope = _.clone(testEnvelope); var data = makeFakeIdToken(payload, envelope); verifier.verify(data, payload.aud, function (error, tokenInfo) { assert.equal(_.isError(error), true); assert.equal(error.message, 'Expired idToken'); assert.equal(_.isEmpty(tokenInfo), true); done(); }); }); });