Got security tests and examples working.

robmoffat · robmoffat · commit e53a7925d4a6 · 2026-03-09T09:50:36.000Z
diff --git a/.gitignore b/.gitignore
@@ -28,4 +28,6 @@ cucumber-report.html
 nyc-coverage-report/
 .history/
 .rollup.cache
-tsconfig.tsbuildinfo
+tsconfig.tsbuildinfo
+**/html-report/
+packages/fdc3-security/junit.xml
diff --git a/package-lock.json b/package-lock.json
diff --git a/packages/fdc3-agent-proxy/src/channels/DefaultChannel.ts b/packages/fdc3-agent-proxy/src/channels/DefaultChannel.ts
@@ -45,6 +45,7 @@ export class DefaultChannel implements Channel {
       payload: {
         channelId: this.id,
         context,
+        metadata: {},
       },
       type: 'broadcastRequest',
     };
diff --git a/packages/fdc3-agent-proxy/src/listeners/DefaultContextListener.ts b/packages/fdc3-agent-proxy/src/listeners/DefaultContextListener.ts
@@ -58,9 +58,8 @@ export class DefaultContextListener
 
   action(m: BroadcastEvent): void {
     const metadata: DesktopAgentProvidableContextMetadata = {
-      source: m.payload.originatingApp,
+      source: m.payload.metadata?.source,
       timestamp: m.meta.timestamp,
-      traceId: m.metadata?.traceId,
     };
     this.handler(m.payload.context, metadata);
   }
diff --git a/packages/fdc3-schema/generated/api/BrowserTypes.ts b/packages/fdc3-schema/generated/api/BrowserTypes.ts
@@ -1315,7 +1315,8 @@ export interface MessageAuthenticity {
    */
   kid?: string;
   /**
-   * Indicates whether the message was signed.
+   * Indicates whether the context includes a signature, but check other fields to see if the
+   * signature is valid.
    */
   signed: boolean;
   /**
diff --git a/packages/fdc3-schema/schemas/api/api.schema copy.json-bk b/packages/fdc3-schema/schemas/api/api.schema copy.json-bk
diff --git a/packages/fdc3-schema/schemas/api/api.schema.json b/packages/fdc3-schema/schemas/api/api.schema.json
@@ -57,7 +57,7 @@
             "properties": {
                 "signed": {
                     "type": "boolean",
-                    "description": "Indicates whether the message was signed."
+                    "description": "Indicates whether the context includes a signature, but check other fields to see if the signature is valid."
                 },
                 "valid": {
                     "type": "boolean",
diff --git a/packages/fdc3-security/junit.xml b/packages/fdc3-security/junit.xml
diff --git a/packages/fdc3-security/package.json b/packages/fdc3-security/package.json
@@ -34,12 +34,12 @@
   },
   "devDependencies": {
     "@cucumber/cucumber": "10.3.1",
-    "@types/jest": "^29.5.12",
     "@cucumber/html-formatter": "11.0.4",
     "@cucumber/pretty-formatter": "1.0.1",
     "@eslint/js": "^9.19.0",
     "@finos/testing": "2.2.0",
     "@types/expect": "24.3.0",
+    "@types/jest": "^29.5.12",
     "@types/lodash": "4.14.167",
     "@types/node": "^20.16.11",
     "@types/uuid": "^10.0.0",
@@ -67,4 +67,4 @@
     "typescript-eslint": "^8.17.0",
     "uuid": "^9.0.1"
   }
-}
+}
diff --git a/packages/fdc3-security/src/impl/JosePublicFDC3Security.ts b/packages/fdc3-security/src/impl/JosePublicFDC3Security.ts
@@ -157,39 +157,40 @@ export class JosePublicFDC3Security implements PublicFDC3Security {
 
       const result = await jose.compactVerify(reconstitutedJws, jwksEndpoint, {});
 
+      const errors: string[] = [];
+
       // Check signature freshness (based on iat in header)
       if (iat && now - iat > this.timeLimits.signatureFreshnessSeconds) {
-        return {
-          signed: true,
-          valid: false,
-          trusted: false,
-          antiReplayClaims: antiReplay,
-
-          errors: [
-            `Signature is too old (iat: ${iat}, now: ${now}, max age: ${this.timeLimits.signatureFreshnessSeconds}s)`,
-          ],
-        };
+        errors.push(
+          `Signature is too old (iat: ${iat}, now: ${now}, max age: ${this.timeLimits.signatureFreshnessSeconds}s)`
+        );
       }
 
       // Check context expiry (based on exp in antiReplay)
       if (antiReplay.exp && now > antiReplay.exp) {
-        return {
-          signed: false,
-          errors: [`Context has expired (exp: ${antiReplay.exp}, now: ${now})`],
-        };
+        errors.push(`Context has expired (exp: ${antiReplay.exp}, now: ${now})`);
       }
 
       // Check pluggable anti-replay claims (like jti)
       if (this.antiReplayChecker) {
         const replayValid = await this.antiReplayChecker.check(antiReplay);
         if (!replayValid) {
-          return {
-            signed: false,
-            errors: [`Anti-replay check failed for jti: ${antiReplay.jti}`],
-          };
+          errors.push(`Anti-replay check failed for jti: ${antiReplay.jti}`);
         }
       }
 
+      if (errors.length > 0) {
+        return {
+          signed: true,
+          valid: false,
+          alg,
+          kid,
+          jku,
+          antiReplayClaims: antiReplay,
+          errors,
+        };
+      }
+
       return {
         signed: true,
         valid: result.payload != null,
diff --git a/packages/fdc3-security/test/FDC3Security.test.ts b/packages/fdc3-security/test/FDC3Security.test.ts
@@ -182,7 +182,7 @@ describe('JosePrivateFDC3Security', () => {
       const wrappedKeyResponse = await sender.wrapKey(symmetricJWK, receiverBaseUrl);
 
       // Verify the wrapped key response structure
-      expect(wrappedKeyResponse.type).toBe('fdc3.security.symmetricKey.response');
+      expect(wrappedKeyResponse.type).toBe('fdc3.security.symmetricKeyResponse');
       expect(wrappedKeyResponse.id.pki).toBe(receiverBaseUrl);
       expect(wrappedKeyResponse.wrappedKey).toBeDefined();
 
@@ -217,49 +217,65 @@ describe('JosePrivateFDC3Security', () => {
       // Wait for the signature to become stale (2 seconds, receiver has 1-second freshness limit)
       await new Promise(resolve => setTimeout(resolve, 2000));
 
-      // Verify it's rejected due to stale signature
+      // Verify it's rejected due to stale signature (signed=true per schema, valid=false when rejecting)
       const result = await receiverPublic.check(signature, mockContext, antiReplay);
-      expect(result.signed).toBe(false);
-      expect('errors' in result).toBe(true);
-      if (!result.signed && result.errors) {
+      expect(result.signed).toBe(true);
+      expect(result.valid).toBe(false);
+      expect(result.errors).toBeDefined();
+      if (result.errors) {
         const hasStaleSignatureError = result.errors.some(e => e.includes('Signature is too old'));
         expect(hasStaleSignatureError).toBe(true);
       }
     });
 
     it('should reject expired contexts (context validity)', async () => {
-      // Sign the context
-      const { signature, antiReplay } = await sender.sign(mockContext);
-
-      // Create an expired antiReplay token
-      const expiredAntiReplay = {
-        ...antiReplay,
-        exp: Math.floor(Date.now() / 1000) - 10,
+      // Use senderImpl but sign with a manual antiReplay that has exp in the past.
+      // We cannot use sign() with modified antiReplay (signature would not verify), so we
+      // create a receiver with short context validity and use a signature whose antiReplay
+      // has already naturally expired by waiting.
+      const contextExpiryLimits: FDC3SecurityTimeLimits = {
+        signatureFreshnessSeconds: 60,
+        contextValiditySeconds: 1,
       };
 
-      // Immediately verify it works with original token
+      // Create a sender with same keys as senderImpl (so resolver works) but short validity
+      const shortValiditySender = new JosePrivateFDC3Security(
+        senderImpl.signingPrivateKey,
+        senderImpl.signingPublicKey,
+        senderImpl.wrappingPrivateKey,
+        senderImpl.wrappingPublicKey,
+        senderBaseUrl,
+        senderJWKSUrl,
+        senderPublicKeyResolver,
+        senderAllowListFunction,
+        contextExpiryLimits
+      );
+
+      // Sign the context (antiReplay will have exp = now + 1)
+      const { signature, antiReplay } = await shortValiditySender.sign(mockContext);
+
+      // Immediately verify it works
       const immediateResult = await receiverPublic.check(signature, mockContext, antiReplay);
       if (immediateResult.signed) {
         expect(immediateResult.valid).toBe(true);
       }
 
-      // Create a new receiver with long signature freshness but short context validity
-      const contextExpiryLimits: FDC3SecurityTimeLimits = {
-        signatureFreshnessSeconds: 60, // Long freshness - won't trigger
-        contextValiditySeconds: 1, // Short validity - should trigger
-      };
+      // Wait for the context to expire
+      await new Promise(resolve => setTimeout(resolve, 2000));
+
       const contextExpiryReceiver: PublicFDC3Security = await createJosePrivateFDC3Security(
         receiverBaseUrl,
         receiverPublicKeyResolver,
         receiverAllowListFunction,
         contextExpiryLimits
       );
 
-      // Verify it's rejected due to context expiry using the expired token
-      const result = await contextExpiryReceiver.check(signature, mockContext, expiredAntiReplay);
-      expect(result.signed).toBe(false);
-      expect('errors' in result).toBe(true);
-      if (!result.signed && result.errors) {
+      // Verify it's rejected due to context expiry (signed=true per schema, valid=false when rejecting)
+      const result = await contextExpiryReceiver.check(signature, mockContext, antiReplay);
+      expect(result.signed).toBe(true);
+      expect(result.valid).toBe(false);
+      expect(result.errors).toBeDefined();
+      if (result.errors) {
         const hasExpiryError = result.errors.some(e => e.includes('Context has expired'));
         expect(hasExpiryError).toBe(true);
       }
