From ec6a6a5037a702e3fc0ee7f4e94c65d99ccdd81d Mon Sep 17 00:00:00 2001
From: Filip Skokan
Date: Fri, 9 Sep 2022 09:26:55 +0200
Subject: [PATCH] test: add a check that signatures are verified before claims set

---
 test/jwt/verify.test.mjs | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/test/jwt/verify.test.mjs b/test/jwt/verify.test.mjs
index 259c45e89c..760bc2531d 100644
--- a/test/jwt/verify.test.mjs
+++ b/test/jwt/verify.test.mjs
@@ -380,3 +380,14 @@ test('Signed JWTs cannot use unencoded payload', async (t) => {
     { code: 'ERR_JWT_INVALID', message: 'JWTs MUST NOT use unencoded payload' },
   )
 })
+
+test('signatures are compared before claim set', async (t) => {
+  // https://github.com/panva/jose/discussions/447
+  const jwt = await new SignJWT({ exp: 0 }).setProtectedHeader({ alg: 'HS256' }).sign(t.context.secret);
+
+  // with valid secret should throw exp failing to verify
+  await t.throwsAsync(jwtVerify(jwt, t.context.secret), { code: 'ERR_JWT_EXPIRED' })
+
+  // with invalid secret should throw signature failing to verify
+  await t.throwsAsync(jwtVerify(jwt, new Uint8Array([0x00, 0x01])), { code: 'ERR_JWS_SIGNATURE_VERIFICATION_FAILED' })
+})
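Review bot: The new test pins the order of the two checks, but the only comment on the `exp: 0` setup is a discussion link; a one-line rationale would make the protected property explicit, e.g. `// claim validation must not run, or surface an error, for a token whose signature has not been verified: the expired token with a wrong key must fail on the signature, not on exp`. The invalid-secret case uses a two-byte key; if a minimum HMAC key-length check were ever introduced ahead of verification it would presumably surface as a different error code, so a wrong key of the same length as `t.context.secret` (a fixture defined outside this hunk) would keep the assertion about ordering rather than about key shape. The `const jwt = …;` line ends with a semicolon while every other line in this hunk, including the surrounding context, omits it.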