Skip to content

Commit

Permalink
test: add a check that signatures are verified before claims set
Browse files Browse the repository at this point in the history
  • Loading branch information
panva committed Sep 9, 2022
1 parent f64cadd commit ec6a6a5
Showing 1 changed file with 11 additions and 0 deletions.
11 changes: 11 additions & 0 deletions test/jwt/verify.test.mjs
Original file line number Diff line number Diff line change
Expand Up @@ -380,3 +380,14 @@ test('Signed JWTs cannot use unencoded payload', async (t) => {
{ code: 'ERR_JWT_INVALID', message: 'JWTs MUST NOT use unencoded payload' },
)
})

test('signatures are compared before claim set', async (t) => {
// https://github.com/panva/jose/discussions/447
const jwt = await new SignJWT({ exp: 0 }).setProtectedHeader({ alg: 'HS256' }).sign(t.context.secret);

// with valid secret should throw exp failing to verify
await t.throwsAsync(jwtVerify(jwt, t.context.secret), { code: 'ERR_JWT_EXPIRED' })

// with invalid secret should throw signature failing to verify
await t.throwsAsync(jwtVerify(jwt, new Uint8Array([0x00, 0x01])), { code: 'ERR_JWS_SIGNATURE_VERIFICATION_FAILED' })
})

0 comments on commit ec6a6a5

Please sign in to comment.