auth/internal/api/jwks_test.go at 3b393aa38b8c526e1eeb4f4ca7749bb6215d0824 · supabase/auth · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
package api

import (
	"crypto/rand"
	"crypto/rsa"
	"encoding/json"
	"net/http"
	"net/http/httptest"
	"strings"
	"testing"

	"github.com/lestrrat-go/jwx/v2/jwk"
	"github.com/stretchr/testify/require"
	"github.com/supabase/auth/internal/conf"
)

func TestJwks(t *testing.T) {
	// generate RSA key pair for testing
	rsaPrivateKey, err := rsa.GenerateKey(rand.Reader, 2048)
	require.NoError(t, err)
	rsaJwkPrivate, err := jwk.FromRaw(rsaPrivateKey)
	require.NoError(t, err)
	rsaJwkPublic, err := rsaJwkPrivate.PublicKey()
	require.NoError(t, err)
	kid := rsaJwkPublic.KeyID()

	cases := []struct {
		desc        string
		config      conf.JWTConfiguration
		expectedLen int
	}{
		{
			desc: "hmac key should not be returned",
			config: conf.JWTConfiguration{
				Aud:    "authenticated",
				Secret: "test-secret",
			},
			expectedLen: 0,
		},
		{
			desc: "rsa public key returned",
			config: conf.JWTConfiguration{
				Aud:    "authenticated",
				Secret: "test-secret",
				Keys: conf.JwtKeysDecoder{
					kid: conf.JwkInfo{
						PublicKey:  rsaJwkPublic,
						PrivateKey: rsaJwkPrivate,
					},
				},
			},
			expectedLen: 1,
		},
	}

	for _, c := range cases {
		t.Run(c.desc, func(t *testing.T) {
			mockAPI, _, err := setupAPIForTest()
			require.NoError(t, err)
			mockAPI.config.JWT = c.config

			req := httptest.NewRequest(http.MethodGet, "/.well-known/jwks.json", nil)
			w := httptest.NewRecorder()
			mockAPI.handler.ServeHTTP(w, req)
			require.Equal(t, http.StatusOK, w.Code)

			var data map[string]interface{}
			require.NoError(t, json.NewDecoder(w.Body).Decode(&data))
			require.Len(t, data["keys"], c.expectedLen)

			for _, key := range data["keys"].([]interface{}) {
				bytes, err := json.Marshal(key)
				require.NoError(t, err)
				actualKey, err := jwk.ParseKey(bytes)
				require.NoError(t, err)
				require.Equal(t, c.config.Keys[kid].PublicKey, actualKey)
			}
		})
	}
}

func TestWellKnownOpenIDIssuerFallbackToExternalURL(t *testing.T) {
	mockAPI, _, err := setupAPIForTest()
	require.NoError(t, err)

	mockAPI.config.JWT.Issuer = ""
	mockAPI.config.API.ExternalURL = "https://auth.example.com"

	req := httptest.NewRequest(http.MethodGet, "/.well-known/openid-configuration", nil)
	w := httptest.NewRecorder()
	mockAPI.handler.ServeHTTP(w, req)
	require.Equal(t, http.StatusOK, w.Code)

	var resp OpenIDConfigurationResponse
	require.NoError(t, json.NewDecoder(w.Body).Decode(&resp))

	require.Equal(t, "https://auth.example.com", resp.Issuer)
	require.True(t, strings.HasPrefix(resp.AuthorizationEndpoint, "https://auth.example.com/"), "authorization_endpoint should be absolute, got %q", resp.AuthorizationEndpoint)
	require.True(t, strings.HasPrefix(resp.TokenEndpoint, "https://auth.example.com/"), "token_endpoint should be absolute, got %q", resp.TokenEndpoint)
	require.True(t, strings.HasPrefix(resp.JWKSURL, "https://auth.example.com/"), "jwks_uri should be absolute, got %q", resp.JWKSURL)
	require.True(t, strings.HasPrefix(resp.UserInfoEndpoint, "https://auth.example.com/"), "userinfo_endpoint should be absolute, got %q", resp.UserInfoEndpoint)
}

func TestWellKnownOpenIDIssuerStripsTrailingSlash(t *testing.T) {
	mockAPI, _, err := setupAPIForTest()
	require.NoError(t, err)

	mockAPI.config.JWT.Issuer = "https://auth.example.com/"
	mockAPI.config.API.ExternalURL = "https://something-else.example.com"

	req := httptest.NewRequest(http.MethodGet, "/.well-known/openid-configuration", nil)
	w := httptest.NewRecorder()
	mockAPI.handler.ServeHTTP(w, req)
	require.Equal(t, http.StatusOK, w.Code)

	var resp OpenIDConfigurationResponse
	require.NoError(t, json.NewDecoder(w.Body).Decode(&resp))

	require.Equal(t, "https://auth.example.com", resp.Issuer)
	require.Equal(t, "https://auth.example.com/oauth/authorize", resp.AuthorizationEndpoint)
	require.Equal(t, "https://auth.example.com/oauth/token", resp.TokenEndpoint)
	require.Equal(t, "https://auth.example.com/.well-known/jwks.json", resp.JWKSURL)
	require.Equal(t, "https://auth.example.com/oauth/userinfo", resp.UserInfoEndpoint)
}