fix: validate token before validating against allow list (#163)

MichaelGoberling · web-flow · commit c5770b66ff93 · 2025-03-11T14:04:57.000-04:00
* test: failing test cases

* fix: validate token before attempting to validate against allow list
diff --git a/src/ims.js b/src/ims.js
@@ -481,12 +481,11 @@ class Ims {
       let validationResponse = await this._validateToken(token)
 
       // Validate token against the allow list
-      const tokenData = getTokenData(token)
-      const clientId = tokenData.client_id
-      if (allowList) {
+      if (validationResponse.imsValidation.valid && allowList) {
         aioLogger.debug('validateTokenAllowList (allowList): (%s)', allowList.join(', '))
+        const tokenData = getTokenData(token)
+        const clientId = tokenData.client_id
         if (allowList.indexOf(clientId) === -1) {
-          console.log(`${clientId} not in allow list: ${allowList.join(', ')}`)
           validationResponse = {
             status: 403,
             imsValidation: {
diff --git a/test/ims.test.js b/test/ims.test.js
@@ -505,6 +505,36 @@ test('Ims.validateTokenAllowList(token, allowList) clientId not in allow list, w
   expect(mockExponentialBackoff).toHaveBeenCalledTimes(1)
 })
 
+test('Ims.validateTokenAllowList(token, allowList) bad token, with cache', async () => {
+  const cache = new ValidationCache(1, 2, 3)
+  const ims = new Ims('stage', cache)
+  const clientId = 'some-client-id-2'
+  const token = 'fake'
+
+  await expect(ims.validateTokenAllowList(token, [clientId]))
+    .resolves.toEqual({
+      valid: false,
+      reason: 'bad payload'
+    })
+
+  expect(mockExponentialBackoff).toHaveBeenCalledTimes(0)
+})
+
+test('Ims.validateTokenAllowList(token, allowList) bad token in jwt format, with cache', async () => {
+  const cache = new ValidationCache(1, 2, 3)
+  const ims = new Ims('stage', cache)
+  const clientId = 'some-client-id-2'
+  const token = 'fake.fake'
+
+  await expect(ims.validateTokenAllowList(token, [clientId]))
+    .resolves.toEqual({
+      valid: false,
+      reason: 'bad payload'
+    })
+
+  expect(mockExponentialBackoff).toHaveBeenCalledTimes(0)
+})
+
 test('Ims.getOrganizations(token)', async () => {
   const ims = new Ims()
 
