From 7172a859e8e19e2310cfd762ed3dc5255c8596d5 Mon Sep 17 00:00:00 2001
From: Filip Skokan
Date: Fri, 30 Aug 2019 15:48:37 +0200
Subject: [PATCH] fix: handle server_error on expired unsigned request objects
---
 .../authorization/process_request_object.js | 8 +++--
 test/request/jwt_request.test.js | 31 +++++++++++++++++++
 2 files changed, 37 insertions(+), 2 deletions(-)
diff --git a/lib/actions/authorization/process_request_object.js b/lib/actions/authorization/process_request_object.js
index de28687d3..607ad3d7e 100644
--- a/lib/actions/authorization/process_request_object.js
+++ b/lib/actions/authorization/process_request_object.js
@@ -141,9 +141,13 @@ module.exports = async function processRequestObject(PARAM_LIST, ctx, next) {
 }
 }
 
-if (alg === 'none') {
+try {
 JWT.assertPayload(payload, opts);
-} else {
+} catch (err) {
+throw new InvalidRequestObject(`Request Object claims are invalid (${err.message})`);
+}
+
+if (alg !== 'none') {
 try {
 await JWT.verify(params.request, client.keystore, opts);
 trusted = true;
diff --git a/test/request/jwt_request.test.js b/test/request/jwt_request.test.js
index 68e6162ab..ef84dff22 100644
--- a/test/request/jwt_request.test.js
+++ b/test/request/jwt_request.test.js
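Review bot: The new `catch (err)` at the top of the hunk converts every error thrown by `JWT.assertPayload` into an `InvalidRequestObject` and reflects `err.message` into the client-facing `error_description`, so a programming error (a `TypeError` from an unexpected payload shape, say) would be reported to the client as an invalid request object with its message echoed back, rather than surfacing as the `server_error` it actually is. If the assertion helper throws a distinguishable error type for claim failures, narrow the catch to that type and rethrow anything else; otherwise a comment recording the assumption would help, e.g. `// every failure here is treated as a claim assertion failure and reported to the client`. Note also that for signed request objects the claims are now asserted before the signature is checked by the following `JWT.verify` call, so the assertion outcome is disclosed for content whose origin has not yet been verified, and if `JWT.verify` itself asserts the payload the check now runs twice when `alg !== 'none'`. The enclosing `processRequestObject` body starts and ends outside the hunk.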
@@ -484,6 +484,37 @@ describe('request parameter features', () => {
 });
 }
 
+it('handles JWT claim assertions', function () {
+const spy = sinon.spy();
+this.provider.once(errorEvt, spy);
+
+return JWT.sign({
+client_id: 'client',
+response_type: 'code',
+redirect_uri: 'https://client.example.com/cb',
+exp: 1,
+}, null, 'none', { issuer: 'client', audience: this.provider.issuer }).then((request) => this.wrap({
+agent: this.agent,
+route,
+verb,
+auth: {
+request,
+scope: 'openid',
+client_id: 'client',
+response_type: 'code',
+},
+})
+.expect(errorCode)
+.expect(() => {
+expect(spy.calledOnce).to.be.true;
+expect(spy.args[0][1]).to.have.property('message', 'invalid_request_object');
+expect(spy.args[0][1]).to.have.property(
+'error_description',
+'Request Object claims are invalid (jwt expired)',
+);
+}));
+});
+
 it('doesnt allow client_id to differ', function () {
 const spy = sinon.spy();
 this.provider.once(errorEvt, spy);
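Review bot: The new `handles JWT claim assertions` case pins the exact library wording `jwt expired` inside `error_description`, so a message change in the underlying JWT helper will fail this test even though the provider's behaviour (rejecting with `invalid_request_object`) is unchanged; matching the provider-owned prefix instead, e.g. `expect(spy.args[0][1].error_description).to.match(/^Request Object claims are invalid \(/);`, keeps the test on the provider's contract. The case also exercises only an expired `exp` on an unsigned (`'none'`) object, which is the scenario named in the commit title; a sibling case for a signed object would confirm the claim-assertion path reports the same error there, assuming the surrounding suite's `route`/`verb` setup supports it. The enclosing `describe` block starts and ends outside the hunk.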