feat: Replace jwt expiration with a config and environment variable (#…

…145)
screwdriver-cd · Jul 18, 2024 · 18fe16d · 18fe16d
1 parent bed1fac
commit 18fe16d
Show file tree

Hide file tree

Showing 5 changed files with 49 additions and 4 deletions.
diff --git a/config/custom-environment-variables.yaml b/config/custom-environment-variables.yaml
@@ -4,6 +4,7 @@
 auth:
     # A public key for verifying JWTs signed by api.screwdriver.cd
     jwtPublicKey: SECRET_JWT_PUBLIC_KEY
+    jwtMaxAge: JWT_MAX_AGE
 
 httpd:
     # Port to listen on

diff --git a/config/default.yaml b/config/default.yaml
@@ -6,6 +6,7 @@ auth:
         -----BEGIN PUBLIC KEY-----
         INSERT STUFF HERE
         -----END PUBLIC KEY-----
+    jwtMaxAge: 13h
 
 httpd:
     # Port to listen on

diff --git a/plugins/auth.js b/plugins/auth.js
@@ -29,7 +29,8 @@ exports.plugin = {
         const pluginOptions = joi.attempt(
             options,
             joi.object().keys({
-                jwtPublicKey: joi.string().required()
+                jwtPublicKey: joi.string().required(),
+                jwtMaxAge: joi.string().required()
             }),
             'Invalid config for auth plugin'
         );
@@ -40,7 +41,7 @@ exports.plugin = {
             key: pluginOptions.jwtPublicKey,
             verifyOptions: {
                 algorithms: ['RS256'],
-                maxAge: '13h'
+                maxAge: pluginOptions.jwtMaxAge
             },
             // This function is run once the Token has been decoded with signature
             validate

diff --git a/test/lib/server.test.js b/test/lib/server.test.js
@@ -39,7 +39,8 @@ describe('server case', function () {
                         engine: new Catbox()
                     },
                     auth: {
-                        jwtPublicKey: '12345'
+                        jwtPublicKey: '12345',
+                        jwtMaxAge: '1h'
                     },
                     commands: {},
                     ecosystem,

diff --git a/test/plugins/auth.test.js b/test/plugins/auth.test.js
@@ -19,7 +19,8 @@ describe('auth plugin test', () => {
         plugin = require('../../plugins/auth');
 
         options = {
-            jwtPublicKey: fs.readFileSync(path.join(__dirname, './data/auth.test.crt'), 'utf8')
+            jwtPublicKey: fs.readFileSync(path.join(__dirname, './data/auth.test.crt'), 'utf8'),
+            jwtMaxAge: '1h'
         };
 
         server = Hapi.server({
@@ -90,4 +91,44 @@ describe('auth plugin test', () => {
         assert.equal(200, response.statusCode);
         assert.equal('success', response.result);
     });
+
+    it('jwt expiration', async () => {
+        const privateKey = fs.readFileSync(path.join(__dirname, './data/auth.test.key'), 'utf8');
+        const token = jwt.sign({ data: 'some data' }, privateKey, {
+            algorithm: 'RS256'
+        });
+
+        let response;
+
+        await server.register({
+            plugin,
+            options: { ...options, jwtMaxAge: '0h' }
+        });
+
+        server.route({
+            method: 'GET',
+            path: '/',
+            options: {
+                auth: 'token'
+            },
+            handler() {
+                return 'success';
+            }
+        });
+
+        try {
+            response = await server.inject({
+                method: 'GET',
+                url: '/',
+                headers: {
+                    Authorization: token
+                }
+            });
+        } catch (err) {
+            assert.fail(err);
+        }
+
+        assert.equal(401, response.statusCode);
+        assert.equal('Unauthorized', response.statusMessage);
+    });
 });