|
| 1 | +/** |
| 2 | + * Copyright (c) 2023 Gitpod GmbH. All rights reserved. |
| 3 | + * Licensed under the GNU Affero General Public License (AGPL). |
| 4 | + * See License.AGPL.txt in the project root for license information. |
| 5 | + */ |
| 6 | + |
| 7 | +import { TypeORM, resetDB } from "@gitpod/gitpod-db/lib"; |
| 8 | +import { User } from "@gitpod/gitpod-protocol"; |
| 9 | +import { Deferred } from "@gitpod/gitpod-protocol/lib/util/deferred"; |
| 10 | +import { expect } from "chai"; |
| 11 | +import * as express from "express"; |
| 12 | +import { Container } from "inversify"; |
| 13 | +import { v4 } from "uuid"; |
| 14 | +import { SessionHandler } from "./session-handler"; |
| 15 | +import { createTestContainer } from "./test/service-testing-container-module"; |
| 16 | +import { UserService } from "./user/user-service"; |
| 17 | + |
| 18 | +describe("SessionHandler", () => { |
| 19 | + let container: Container; |
| 20 | + let sessionHandler: SessionHandler; |
| 21 | + let existingUser: User; |
| 22 | + let jwtSessionHandler: express.Handler; |
| 23 | + interface Response { |
| 24 | + status?: number; |
| 25 | + value?: string; |
| 26 | + cookie?: string; |
| 27 | + } |
| 28 | + const handle = async (user?: User, cookie?: string): Promise<Response> => { |
| 29 | + const deferred = new Deferred<Response>(); |
| 30 | + const result: Response = { |
| 31 | + status: undefined, |
| 32 | + value: undefined, |
| 33 | + cookie: undefined, |
| 34 | + }; |
| 35 | + jwtSessionHandler( |
| 36 | + { user, headers: { cookie } } as express.Request, |
| 37 | + { |
| 38 | + status: function (statusCode: number) { |
| 39 | + result.status = statusCode; |
| 40 | + return this; |
| 41 | + }, |
| 42 | + send: function (value: string) { |
| 43 | + result.value = value; |
| 44 | + deferred.resolve(result); |
| 45 | + }, |
| 46 | + cookie: function (name: string, value: string, opts: express.CookieOptions) { |
| 47 | + result.cookie = `${name}=${value}; `; |
| 48 | + }, |
| 49 | + } as any as express.Response, |
| 50 | + () => {}, |
| 51 | + ); |
| 52 | + return await deferred.promise; |
| 53 | + }; |
| 54 | + |
| 55 | + beforeEach(async () => { |
| 56 | + container = createTestContainer(); |
| 57 | + sessionHandler = container.get(SessionHandler); |
| 58 | + jwtSessionHandler = sessionHandler.jwtSessionConvertor(); |
| 59 | + const userService = container.get(UserService); |
| 60 | + // insert some users to the DB to reproduce INC-379 |
| 61 | + await userService.createUser({ |
| 62 | + identity: { |
| 63 | + authName: "github", |
| 64 | + authProviderId: "github", |
| 65 | + authId: "1234", |
| 66 | + }, |
| 67 | + }); |
| 68 | + existingUser = await userService.createUser({ |
| 69 | + identity: { |
| 70 | + authName: "github", |
| 71 | + authProviderId: "github", |
| 72 | + authId: "1234", |
| 73 | + }, |
| 74 | + }); |
| 75 | + }); |
| 76 | + |
| 77 | + afterEach(async () => { |
| 78 | + const typeorm = container.get(TypeORM); |
| 79 | + await resetDB(typeorm); |
| 80 | + }); |
| 81 | + |
| 82 | + describe("verify", () => { |
| 83 | + it("should return undefined for an empty cookie", async () => { |
| 84 | + const user = await sessionHandler.verify(""); |
| 85 | + expect(user).to.be.undefined; |
| 86 | + }); |
| 87 | + it("should return undefined for an invalid cookie", async () => { |
| 88 | + const user = await sessionHandler.verify("invalid"); |
| 89 | + expect(user).to.be.undefined; |
| 90 | + }); |
| 91 | + it("should return the user for a valid JWT with correct 'sub' claim", async () => { |
| 92 | + const cookie = await sessionHandler.createJWTSessionCookie(existingUser.id); |
| 93 | + const user = await sessionHandler.verify(`${cookie.name}=${cookie.value}`); |
| 94 | + expect(user?.id).to.be.equal(existingUser.id); |
| 95 | + }); |
| 96 | + it("should return undefined for a valid JWT with incorrect 'sub' claim", async () => { |
| 97 | + const unexisingUserId = v4(); |
| 98 | + const cookie = await sessionHandler.createJWTSessionCookie(unexisingUserId); |
| 99 | + const user = await sessionHandler.verify(`${cookie.name}=${cookie.value}`); |
| 100 | + expect(user).to.be.undefined; |
| 101 | + }); |
| 102 | + }); |
| 103 | + describe("createJWTSessionCookie", () => { |
| 104 | + it("should create a valid JWT token with correct attributes and cookie options", async () => { |
| 105 | + const maxAge = 7 * 24 * 60 * 60; |
| 106 | + const issuedAfter = Math.floor(new Date().getTime() / 1000); |
| 107 | + const expiresAfter = issuedAfter + maxAge; |
| 108 | + const { name, value: token, opts } = await sessionHandler.createJWTSessionCookie("1"); |
| 109 | + |
| 110 | + const decoded = await sessionHandler.verifyJWTCookie(`${name}=${token}`); |
| 111 | + expect(decoded, "Verify the JWT is valid").to.not.be.null; |
| 112 | + |
| 113 | + expect(decoded!.sub).to.equal("1", "Check the 'sub' claim"); |
| 114 | + expect(decoded!.iat || 0).to.be.greaterThanOrEqual(issuedAfter, "Check the 'iat' claim"); |
| 115 | + expect(decoded!.exp || 0).to.be.greaterThanOrEqual(expiresAfter, "Check the 'exp' claim"); |
| 116 | + |
| 117 | + // Check cookie options |
| 118 | + expect(opts.httpOnly).to.equal(true); |
| 119 | + expect(opts.secure).to.equal(true); |
| 120 | + expect(opts.maxAge).to.equal(maxAge * 1000); |
| 121 | + expect(opts.sameSite).to.equal("strict"); |
| 122 | + |
| 123 | + expect(name, "Check cookie name").to.equal("_gitpod_dev_jwt_"); |
| 124 | + }); |
| 125 | + }); |
| 126 | + describe("jwtSessionConvertor", () => { |
| 127 | + it("user is not authenticated", async () => { |
| 128 | + const res = await handle(); |
| 129 | + expect(res.status).to.equal(401); |
| 130 | + expect(res.value).to.equal("User has no valid session."); |
| 131 | + expect(res.cookie).to.be.undefined; |
| 132 | + }); |
| 133 | + it("JWT cookie is not present", async () => { |
| 134 | + const res = await handle(existingUser); |
| 135 | + expect(res.status).to.equal(200); |
| 136 | + expect(res.value).to.equal("New JWT cookie issued."); |
| 137 | + expect(res.cookie).not.to.be.undefined; |
| 138 | + }); |
| 139 | + it("JWT cookie is present and valid", async () => { |
| 140 | + const cookie = await sessionHandler.createJWTSessionCookie(existingUser.id); |
| 141 | + const res = await handle(existingUser, `${cookie.name}=${cookie.value}`); |
| 142 | + expect(res.status).to.equal(200); |
| 143 | + expect(res.value).to.equal("User session already has a valid JWT session."); |
| 144 | + expect(res.cookie).to.be.undefined; |
| 145 | + }); |
| 146 | + it("JWT cookie is present and refreshed", async () => { |
| 147 | + const cookieToRefresh = await sessionHandler.createJWTSessionCookie(existingUser.id, { |
| 148 | + issuedAtMs: Date.now() - SessionHandler.JWT_REFRESH_THRESHOLD - 1, |
| 149 | + }); |
| 150 | + const res = await handle(existingUser, `${cookieToRefresh.name}=${cookieToRefresh.value}`); |
| 151 | + expect(res.status).to.equal(200); |
| 152 | + expect(res.value).to.equal("Refreshed JWT cookie issued."); |
| 153 | + expect(res.cookie).not.to.be.undefined; |
| 154 | + }); |
| 155 | + it("JWT cookie is present and expired", async () => { |
| 156 | + const expiredCookie = await sessionHandler.createJWTSessionCookie(existingUser.id, { |
| 157 | + expirySeconds: 0, |
| 158 | + }); |
| 159 | + const res = await handle(existingUser, `${expiredCookie.name}=${expiredCookie.value}`); |
| 160 | + expect(res.status).to.equal(401); |
| 161 | + expect(res.value).to.equal("JWT Session is invalid"); |
| 162 | + expect(res.cookie).to.be.undefined; |
| 163 | + }); |
| 164 | + it("JWT cookie is present but invalid", async () => { |
| 165 | + const res = await handle(existingUser, "_gitpod_dev_jwt_=invalid"); |
| 166 | + expect(res.status).to.equal(401); |
| 167 | + expect(res.value).to.equal("JWT Session is invalid"); |
| 168 | + expect(res.cookie).to.be.undefined; |
| 169 | + }); |
| 170 | + }); |
| 171 | +}); |
0 commit comments