Added verify_options to AuthToken initializer to give more validation…

… control to the user
thefactus · Nov 16, 2016 · 67ec0c5 · 67ec0c5
1 parent 0884b4d
commit 67ec0c5
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 6 deletions.
diff --git a/app/model/knock/auth_token.rb b/app/model/knock/auth_token.rb
@@ -5,9 +5,9 @@ class AuthToken
     attr_reader :token
     attr_reader :payload
 
-    def initialize payload: {}, token: nil
+    def initialize payload: {}, token: nil, verify_options: {}
       if token.present?
-        @payload, _ = JWT.decode token, decode_key, true, options
+        @payload, _ = JWT.decode token, decode_key, true, options.merge(verify_options)
         @token = token
       else
         @payload = claims.merge(payload)

diff --git a/test/model/knock/auth_token_test.rb b/test/model/knock/auth_token_test.rb
@@ -48,20 +48,62 @@ class AuthTokenTest < ActiveSupport::TestCase
     end
 
     test "validate expiration claim by default" do
-      token = Knock::AuthToken.new(payload: { sub: 'foo' }).token
+      token = AuthToken.new(payload: {sub: 'foo'}).token
       Timecop.travel(25.hours.from_now) do
         assert_raises(JWT::ExpiredSignature) {
-          Knock::AuthToken.new(token: token)
+          AuthToken.new(token: token)
         }
       end
     end
 
     test "does not validate expiration claim with a nil token_lifetime" do
       Knock.token_lifetime = nil
 
-      token = Knock::AuthToken.new(payload: { sub: 'foo' }).token
+      token = AuthToken.new(payload: {sub: 'foo'}).token
       Timecop.travel(10.years.from_now) do
-        assert_not Knock::AuthToken.new(token: token).payload.has_key?('exp')
+        assert_not AuthToken.new(token: token).payload.has_key?('exp')
+      end
+    end
+
+    test "validate aud when verify_options[:verify_aud] is true" do
+      verify_options = {
+          verify_aud: true
+      }
+      Knock.token_audience = -> { 'bar' }
+      key = Knock.token_secret_signature_key.call
+      assert_raises(JWT::InvalidAudError) {
+        AuthToken.new token: @token, verify_options: verify_options
+      }
+    end
+
+    test "does not validate aud when verify_options[:verify_aud] is false" do
+      verify_options = {
+          verify_aud: false
+      }
+      Knock.token_audience = -> { 'bar' }
+      key = Knock.token_secret_signature_key.call
+      assert_not AuthToken.new(token: @token, verify_options: verify_options).payload.has_key?('aud')
+    end
+
+    test "validate expiration when verify_options[:verify_expiration] is true" do
+      verify_options = {
+          verify_expiration: true
+      }
+      token = AuthToken.new(payload: {sub: 'foo'}).token
+      Timecop.travel(25.hours.from_now) do
+        assert_raises(JWT::ExpiredSignature) {
+          AuthToken.new(token: token, verify_options: verify_options)
+        }
+      end
+    end
+
+    test "does not validate expiration when verify_options[:verify_expiration] is false" do
+      verify_options = {
+          verify_expiration: false
+      }
+      token = AuthToken.new(payload: {sub: 'foo'}).token
+      Timecop.travel(25.hours.from_now) do
+        assert AuthToken.new(token: token, verify_options: verify_options).payload.has_key?('exp')
       end
     end