Skip to content

use token and algo from jwt header #6416

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 13 commits into from
Mar 11, 2020
Merged

use token and algo from jwt header #6416

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
accb75e
use token and algo from jwt header
andrewking0207 Feb 17, 2020
90cf87b
Merge pull request #1 from parse-community/master
andrewking0207 Mar 4, 2020
3a89c7a
Merge pull request #2 from andrewking0207/master
andrewking0207 Mar 4, 2020
9a3e617
change node-rsa out for jwks-rsa, reflect change in tests and add one…
andrewking0207 Mar 5, 2020
4e9e205
Change node-rsa out for jwks-rsa, tests and test coverage
andrewking0207 Mar 5, 2020
ae16ab3
remove superfluous cache, allow jwks cache parameters to be passed to…
andrewking0207 Mar 6, 2020
1027556
remove package lock
andrewking0207 Mar 6, 2020
316b9d7
regenerate package lock
andrewking0207 Mar 6, 2020
4643ef8
try fixing package-lock with copy from master
andrewking0207 Mar 8, 2020
de7e47c
manual changes for merge conflict
andrewking0207 Mar 8, 2020
806a50b
whitespace
andrewking0207 Mar 8, 2020
8239070
pass options as object
andrewking0207 Mar 8, 2020
b3d353a
fix inconsistent variable name
andrewking0207 Mar 8, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
119 changes: 119 additions & 0 deletions spec/AuthenticationAdapters.spec.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1136,6 +1136,7 @@ describe('oauth2 auth adapter', () => {
describe('apple signin auth adapter', () => {
const apple = require('../lib/Adapters/Auth/apple');
const jwt = require('jsonwebtoken');
const httpsRequest = require('../lib/Adapters/Auth/httpsRequest');

it('should throw error with missing id_token', async () => {
try {
Expand All @@ -1146,7 +1147,89 @@ describe('apple signin auth adapter', () => {
}
});

it('should not decode invalid id_token', async () => {
try {
await apple.validateAuthData(
{ id: 'the_user_id', token: 'the_token' },
{ client_id: 'secret' }
);
fail();
} catch (e) {
expect(e.message).toBe('provided token does not decode as JWT');
}
});

it('should throw error if public key used to encode token is not available', async () => {
try {
const fakeDecodedToken = { header: { kid: '789', alg: 'RS256' } };
const fakeKeys = {
keys: [
{
e: 'AQAB',
kid: '123',
n: 'ABCDEFGH',
},
],
};
spyOn(jwt, 'decode').and.callFake(() => fakeDecodedToken);
spyOn(httpsRequest, 'get').and.callFake(() => fakeKeys);

await apple.validateAuthData(
{ id: 'the_user_id', token: 'the_token' },
{ client_id: 'secret' }
);
fail();
} catch (e) {
expect(e.message).toBe(
'Public key with matching key ID to token not found'
);
}
});

it('should use algorithm from key header to verify id_token', async () => {
const fakeClaim = {
iss: 'https://appleid.apple.com',
aud: 'secret',
exp: Date.now(),
sub: 'the_user_id',
};
const fakeDecodedToken = { header: { kid: '123', alg: 'RS256' } };
const fakeKeys = {
keys: [
{
e: 'AQAB',
kid: '123',
n: 'ABCDEFGH',
},
],
};
spyOn(jwt, 'decode').and.callFake(() => fakeDecodedToken);
spyOn(httpsRequest, 'get').and.callFake(() => fakeKeys);
spyOn(jwt, 'verify').and.callFake(() => fakeClaim);

const result = await apple.validateAuthData(
{ id: 'the_user_id', token: 'the_token' },
{ client_id: 'secret' }
);
expect(result).toEqual(fakeClaim);
expect(jwt.verify.calls.first().args[2].algorithms).toEqual(
fakeDecodedToken.header.alg
);
});

it('should not verify invalid id_token', async () => {
const fakeDecodedToken = { header: { kid: '123', alg: 'RS256' } };
const fakeKeys = {
keys: [
{
e: 'AQAB',
kid: '123',
n: 'ABCDEFGH',
},
],
};
spyOn(jwt, 'decode').and.callFake(() => fakeDecodedToken);
spyOn(httpsRequest, 'get').and.callFake(() => fakeKeys);
try {
await apple.validateAuthData(
{ id: 'the_user_id', token: 'the_token' },
Expand All @@ -1165,6 +1248,18 @@ describe('apple signin auth adapter', () => {
exp: Date.now(),
sub: 'the_user_id',
};
const fakeDecodedToken = { header: { kid: '123', alg: 'RS256' } };
const fakeKeys = {
keys: [
{
e: 'AQAB',
kid: '123',
n: 'ABCDEFGH',
},
],
};
spyOn(jwt, 'decode').and.callFake(() => fakeDecodedToken);
spyOn(httpsRequest, 'get').and.callFake(() => fakeKeys);
spyOn(jwt, 'verify').and.callFake(() => fakeClaim);

const result = await apple.validateAuthData(
Expand All @@ -1179,6 +1274,18 @@ describe('apple signin auth adapter', () => {
iss: 'https://not.apple.com',
sub: 'the_user_id',
};
const fakeDecodedToken = { header: { kid: '123', alg: 'RS256' } };
const fakeKeys = {
keys: [
{
e: 'AQAB',
kid: '123',
n: 'ABCDEFGH',
},
],
};
spyOn(jwt, 'decode').and.callFake(() => fakeDecodedToken);
spyOn(httpsRequest, 'get').and.callFake(() => fakeKeys);
spyOn(jwt, 'verify').and.callFake(() => fakeClaim);

try {
Expand All @@ -1200,6 +1307,18 @@ describe('apple signin auth adapter', () => {
aud: 'invalid_client_id',
sub: 'the_user_id',
};
const fakeDecodedToken = { header: { kid: '123', alg: 'RS256' } };
const fakeKeys = {
keys: [
{
e: 'AQAB',
kid: '123',
n: 'ABCDEFGH',
},
],
};
spyOn(jwt, 'decode').and.callFake(() => fakeDecodedToken);
spyOn(httpsRequest, 'get').and.callFake(() => fakeKeys);
spyOn(jwt, 'verify').and.callFake(() => fakeClaim);

try {
Expand Down
27 changes: 23 additions & 4 deletions src/Adapters/Auth/apple.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ const TOKEN_ISSUER = 'https://appleid.apple.com';

let currentKey;

const getApplePublicKey = async () => {
const getApplePublicKey = async keyId => {
let data;
try {
data = await httpsRequest.get('https://appleid.apple.com/auth/keys');
Expand All @@ -21,7 +21,11 @@ const getApplePublicKey = async () => {
throw e;
}

const key = data.keys[0];
const key = data.keys.find(key => key.kid === keyId);

if (!key) {
throw Error('Public key with matching key ID to token not found');
}

const pubKey = new NodeRSA();
pubKey.importKey(
Expand All @@ -32,15 +36,30 @@ const getApplePublicKey = async () => {
return currentKey;
};

const getKeyAndAlgoFromToken = token => {
const decodedToken = jwt.decode(token, { complete: true });
if (!decodedToken) {
throw Error('provided token does not decode as JWT');
}
const keyId = decodedToken.header.kid;
const algo = decodedToken.header.alg;

return { keyId, algo };
};

const verifyIdToken = async ({ token, id }, clientID) => {
if (!token) {
throw new Parse.Error(
Parse.Error.OBJECT_NOT_FOUND,
'id token is invalid for this user.'
);
}
const applePublicKey = await getApplePublicKey();
const jwtClaims = jwt.verify(token, applePublicKey, { algorithms: 'RS256' });

const decodedToken = getKeyAndAlgoFromToken(token);
const applePublicKey = await getApplePublicKey(decodedToken.keyId);
const jwtClaims = jwt.verify(token, applePublicKey, {
algorithms: decodedToken.algo,
});

if (jwtClaims.iss !== TOKEN_ISSUER) {
throw new Parse.Error(
Expand Down