@bitblit/ratchet-epsilon-common 6.0.146-alpha → 6.0.147-alpha

package/src/http/auth/google-web-token-manipulator.ts

@@ -0,0 +1,80 @@
+import { Logger } from '@bitblit/ratchet-common/logger/logger';
+import jwt from 'jsonwebtoken';
+import jwks from 'jwks-rsa';
+import { WebTokenManipulator } from './web-token-manipulator.js';
+import fetch from 'cross-fetch';
+import { StringRatchet } from '@bitblit/ratchet-common/lang/string-ratchet';
+import { JwtTokenBase } from '@bitblit/ratchet-common/jwt/jwt-token-base';
+
+export class GoogleWebTokenManipulator implements WebTokenManipulator<JwtTokenBase> {
+  private static readonly GOOGLE_DISCOVERY_DOCUMENT: string = 'https://accounts.google.com/.well-known/openid-configuration';
+  private cacheGoogleDiscoveryDocument: any;
+  private jwksClient: any;
+
+  constructor(private clientId: string) {}
+
+  public async extractTokenFromAuthorizationHeader(authHeader: string): Promise<JwtTokenBase> {
+    let tokenString: string = StringRatchet.trimToEmpty(authHeader);
+    if (tokenString.toLowerCase().startsWith('bearer ')) {
+      tokenString = tokenString.substring(7);
+    }
+    const validated: JwtTokenBase = tokenString ? await this.parseAndValidateGoogleToken(tokenString, false) : null;
+    return validated;
+  }
+
+  public async parseAndValidateGoogleToken(googleToken: string, allowExpired: boolean = false): Promise<JwtTokenBase> {
+    Logger.debug('Auth : %s', StringRatchet.obscure(googleToken, 4));
+
+    // First decode so we can get the keys
+    const fullToken: any = jwt.decode(googleToken, { complete: true });
+    const kid: string = fullToken.header.kid;
+    const nowEpochSeconds: number = Math.floor(new Date().getTime() / 1000);
+
+    const pubKey: string = await this.fetchSigningKey(kid);
+    const validated: any = jwt.verify(googleToken, pubKey, {
+      audience: this.clientId,
+      issuer: ['https://accounts.google.com', 'accounts.google.com'],
+      ignoreExpiration: allowExpired,
+      clockTimestamp: nowEpochSeconds,
+    });
+
+    return validated;
+  }
+
+  private async fetchSigningKey(kid: string): Promise<string> {
+    const jClient: any = await this.fetchJwksClient();
+
+    return new Promise<string>((res, rej) => {
+      jClient.getSigningKey(kid, (err, key) => {
+        if (err) {
+          rej(err);
+        } else {
+          res(key.publicKey || key.rsaPublicKey);
+        }
+      });
+    });
+  }
+
+  private async fetchJwksClient(): Promise<any> {
+    if (!this.jwksClient) {
+      const discDoc: any = await this.fetchGoogleDiscoveryDocument();
+      const client: any = jwks({
+        cache: true,
+        cacheMaxEntries: 5,
+        cacheMaxAge: 1000 * 60 * 60 * 10,
+        jwksUri: discDoc.jwks_uri,
+      });
+      this.jwksClient = client;
+    }
+    return this.jwksClient;
+  }
+
+  private async fetchGoogleDiscoveryDocument(): Promise<any> {
+    if (!this.cacheGoogleDiscoveryDocument) {
+      const resp: Response = await fetch(GoogleWebTokenManipulator.GOOGLE_DISCOVERY_DOCUMENT);
+      const doc: any = await resp.json();
+      this.cacheGoogleDiscoveryDocument = doc;
+    }
+    return this.cacheGoogleDiscoveryDocument;
+  }
+}

package/src/http/auth/jwt-ratchet-local-web-token-manipulator.ts

@@ -0,0 +1,37 @@
+import { WebTokenManipulator } from './web-token-manipulator.js';
+
+import { RequireRatchet } from '@bitblit/ratchet-common/lang/require-ratchet';
+import { StringRatchet } from '@bitblit/ratchet-common/lang/string-ratchet';
+import { JwtTokenBase } from '@bitblit/ratchet-common/jwt/jwt-token-base';
+import { JwtRatchetLike } from '@bitblit/ratchet-node-only/jwt/jwt-ratchet-like';
+import { ExpiredJwtHandling } from '@bitblit/ratchet-common/jwt/expired-jwt-handling';
+
+/**
+ * Service for handling jwt tokens
+ */
+export class JwtRatchetLocalWebTokenManipulator<T extends JwtTokenBase> implements WebTokenManipulator<T> {
+  constructor(
+    private _jwtRatchet: JwtRatchetLike,
+    private _issuer: string,
+  ) {
+    RequireRatchet.notNullOrUndefined(_jwtRatchet, '_jwtRatchet');
+    RequireRatchet.notNullOrUndefined(StringRatchet.trimToNull(_issuer), '_issuer');
+  }
+
+  public get jwtRatchet(): JwtRatchetLike {
+    return this._jwtRatchet;
+  }
+
+  public get issuer(): string {
+    return this._issuer;
+  }
+
+  public async extractTokenFromAuthorizationHeader<T>(header: string): Promise<T> {
+    let tokenString: string = StringRatchet.trimToEmpty(header);
+    if (tokenString.toLowerCase().startsWith('bearer ')) {
+      tokenString = tokenString.substring(7);
+    }
+    const validated: T = tokenString ? await this.jwtRatchet.decodeToken(tokenString, ExpiredJwtHandling.THROW_EXCEPTION) : null;
+    return validated;
+  }
+}

package/src/http/auth/local-web-token-manipulator.spec.ts

@@ -0,0 +1,34 @@
+import { LocalWebTokenManipulator } from './local-web-token-manipulator.js';
+import { Logger } from '@bitblit/ratchet-common/logger/logger';
+import { LoggerLevelName } from '@bitblit/ratchet-common/logger/logger-level-name';
+import { CommonJwtToken } from '@bitblit/ratchet-common/jwt/common-jwt-token';
+import { describe, expect, test } from 'vitest';
+
+describe('#localWebTokenManipulator', function () {
+  test('should round trip a JWT token', async () => {
+    const svc: LocalWebTokenManipulator<CommonJwtToken<any>> = new LocalWebTokenManipulator(['1234567890'], 'test')
+      .withParseFailureLogLevel(LoggerLevelName.info)
+      .withExtraDecryptionKeys(['abcdefabcdef'])
+      .withOldKeyUseLogLevel(LoggerLevelName.info);
+
+    const testUser: any = {
+      data1: 'test',
+      data2: 15,
+    };
+
+    const token: string = await svc.createJWTStringAsync('test123@test.com', testUser);
+
+    Logger.info('Generated token : %s', token);
+
+    expect(token).toBeTruthy();
+
+    const outputUser: CommonJwtToken<any> = await svc.parseAndValidateJWTStringAsync(token);
+
+    Logger.info('Got result : %j', outputUser);
+
+    expect(outputUser).toBeTruthy();
+    expect(outputUser.user).toBeTruthy();
+    expect(outputUser.user['data1']).toEqual(testUser.data1);
+    expect(outputUser.user['data2']).toEqual(testUser.data2);
+  });
+});

package/src/http/auth/local-web-token-manipulator.ts

@@ -0,0 +1,114 @@
+import { WebTokenManipulator } from './web-token-manipulator.js';
+import { UnauthorizedError } from '../error/unauthorized-error.js';
+
+import { RequireRatchet } from '@bitblit/ratchet-common/lang/require-ratchet';
+import { Logger } from '@bitblit/ratchet-common/logger/logger';
+import { StringRatchet } from '@bitblit/ratchet-common/lang/string-ratchet';
+import { LoggerLevelName } from '@bitblit/ratchet-common/logger/logger-level-name';
+import { CommonJwtToken } from '@bitblit/ratchet-common/jwt/common-jwt-token';
+import { JwtTokenBase } from '@bitblit/ratchet-common/jwt/jwt-token-base';
+import { ExpiredJwtHandling } from '@bitblit/ratchet-common/jwt/expired-jwt-handling';
+import { JwtRatchet } from '@bitblit/ratchet-node-only/jwt/jwt-ratchet';
+import { JwtRatchetConfig } from '@bitblit/ratchet-node-only/jwt/jwt-ratchet-config';
+
+/**
+ * Service for handling jwt tokens
+ */
+export class LocalWebTokenManipulator<T extends JwtTokenBase> implements WebTokenManipulator<T> {
+  private _ratchet: JwtRatchet;
+
+  constructor(
+    private encryptionKeys: string[],
+    private issuer: string,
+  ) {
+    RequireRatchet.notNullOrUndefined(encryptionKeys, 'encryptionKeys');
+    RequireRatchet.noNullOrUndefinedValuesInArray(encryptionKeys, encryptionKeys.length);
+    const cfg: JwtRatchetConfig = {
+      encryptionKeyPromise: Promise.resolve(encryptionKeys),
+    };
+
+    this._ratchet = new JwtRatchet(cfg);
+  }
+
+  public withExtraDecryptionKeys(keys: string[]): LocalWebTokenManipulator<T> {
+    RequireRatchet.notNullOrUndefined(keys, 'keys');
+    RequireRatchet.noNullOrUndefinedValuesInArray(keys, keys.length);
+
+    const cfg: JwtRatchetConfig = this._ratchet.copyConfig;
+    cfg.decryptKeysPromise = Promise.resolve(keys);
+
+    this._ratchet = new JwtRatchet(cfg);
+    return this;
+  }
+
+  public withParseFailureLogLevel(logLevel: LoggerLevelName): LocalWebTokenManipulator<T> {
+    const cfg: JwtRatchetConfig = this._ratchet.copyConfig;
+    cfg.parseFailureLogLevel = logLevel;
+    this._ratchet = new JwtRatchet(cfg);
+    return this;
+  }
+
+  public withOldKeyUseLogLevel(logLevel: LoggerLevelName): LocalWebTokenManipulator<T> {
+    const cfg: JwtRatchetConfig = this._ratchet.copyConfig;
+    cfg.decryptOnlyKeyUseLogLevel = logLevel;
+    this._ratchet = new JwtRatchet(cfg);
+    return this;
+  }
+
+  public get jwtRatchet(): JwtRatchet {
+    return this._ratchet;
+  }
+
+  public get selectRandomEncryptionKey(): Promise<string> {
+    return this._ratchet.selectRandomEncryptionKey();
+  }
+
+  public createRefreshedJWTString(tokenString: string, expirationSeconds: number, allowExpired?: boolean): Promise<string> {
+    return this._ratchet.refreshJWTString(tokenString, allowExpired || false, expirationSeconds);
+  }
+
+  public async parseAndValidateJWTStringAsync<T extends JwtTokenBase>(tokenString: string): Promise<T> {
+    const payload: T = await this._ratchet.decodeToken(tokenString, ExpiredJwtHandling.ADD_FLAG);
+
+    if (JwtRatchet.hasExpiredFlag(payload)) {
+      throw new UnauthorizedError('Failing JWT token read/validate - token expired on ' + payload.exp);
+    } else {
+      return payload;
+    }
+  }
+
+  public async createJWTStringAsync<T>(
+    principal: string,
+    userObject: T,
+    roles: string[] = ['USER'],
+    expirationSeconds: number = 3600,
+    proxyUser: T = null,
+  ): Promise<string> {
+    Logger.info('Creating JWT token for %s  that expires in %s', principal, expirationSeconds);
+    const now = new Date().getTime();
+    const expires = now + expirationSeconds * 1000;
+
+    // Build token data and add claims
+    const tokenData: CommonJwtToken<T> = {
+      exp: expires,
+      iss: this.issuer,
+      sub: principal,
+      iat: now,
+
+      user: userObject,
+      proxy: proxyUser,
+    };
+
+    const token: string = await this._ratchet.createTokenString(tokenData, expirationSeconds);
+    return token;
+  }
+
+  public async extractTokenFromAuthorizationHeader<T extends JwtTokenBase>(header: string): Promise<T> {
+    let tokenString: string = StringRatchet.trimToEmpty(header);
+    if (tokenString.toLowerCase().startsWith('bearer ')) {
+      tokenString = tokenString.substring(7);
+    }
+    const validated: T = tokenString ? await this.parseAndValidateJWTStringAsync(tokenString) : null;
+    return validated;
+  }
+}

package/src/http/auth/web-token-manipulator.ts

@@ -0,0 +1,9 @@
+/**
+ * Service for handling auth tokens
+ */
+
+import { JwtTokenBase } from '@bitblit/ratchet-common/jwt/jwt-token-base';
+
+export interface WebTokenManipulator<T extends JwtTokenBase> {
+  extractTokenFromAuthorizationHeader(header: string): Promise<T>;
+}

package/src/http/error/bad-gateway.ts

@@ -0,0 +1,11 @@
+import { RestfulApiHttpError } from '@bitblit/ratchet-common/network/restful-api-http-error';
+
+export class BadGateway<T = void> extends RestfulApiHttpError<T> {
+  public static readonly HTTP_CODE: number = 502;
+
+  constructor(...errors: string[]) {
+    super(...errors);
+    Object.setPrototypeOf(this, BadGateway.prototype);
+    this.withHttpStatusCode(BadGateway.HTTP_CODE);
+  }
+}

package/src/http/error/bad-request-error.ts

@@ -0,0 +1,11 @@
+import { RestfulApiHttpError } from '@bitblit/ratchet-common/network/restful-api-http-error';
+
+export class BadRequestError<T = void> extends RestfulApiHttpError<T> {
+  public static readonly HTTP_CODE: number = 400;
+
+  constructor(...errors: string[]) {
+    super(...errors);
+    Object.setPrototypeOf(this, BadRequestError.prototype);
+    this.withHttpStatusCode(BadRequestError.HTTP_CODE);
+  }
+}

package/src/http/error/conflict-error.ts

@@ -0,0 +1,12 @@
+import { RestfulApiHttpError } from '@bitblit/ratchet-common/network/restful-api-http-error';
+
+export class ConflictError<T = void> extends RestfulApiHttpError<T> {
+  public static readonly HTTP_CODE: number = 409;
+
+  constructor(...errors: string[]) {
+    super(...errors);
+    Object.setPrototypeOf(this, ConflictError.prototype);
+
+    this.withHttpStatusCode(ConflictError.HTTP_CODE);
+  }
+}

package/src/http/error/forbidden-error.ts

@@ -0,0 +1,12 @@
+import { RestfulApiHttpError } from '@bitblit/ratchet-common/network/restful-api-http-error';
+
+export class ForbiddenError<T = void> extends RestfulApiHttpError<T> {
+  public static readonly HTTP_CODE: number = 403;
+
+  constructor(...errors: string[]) {
+    super(...errors);
+    Object.setPrototypeOf(this, ForbiddenError.prototype);
+
+    this.withHttpStatusCode(ForbiddenError.HTTP_CODE);
+  }
+}

package/src/http/error/gateway-timeout.ts

@@ -0,0 +1,12 @@
+import { RestfulApiHttpError } from '@bitblit/ratchet-common/network/restful-api-http-error';
+
+export class GatewayTimeout<T = void> extends RestfulApiHttpError<T> {
+  public static readonly HTTP_CODE: number = 504;
+
+  constructor(...errors: string[]) {
+    super(...errors);
+    Object.setPrototypeOf(this, GatewayTimeout.prototype);
+
+    this.withHttpStatusCode(GatewayTimeout.HTTP_CODE);
+  }
+}

package/src/http/error/method-not-allowed-error.ts

@@ -0,0 +1,12 @@
+import { RestfulApiHttpError } from '@bitblit/ratchet-common/network/restful-api-http-error';
+
+export class MethodNotAllowedError<T = void> extends RestfulApiHttpError<T> {
+  public static readonly HTTP_CODE: number = 405;
+
+  constructor(...errors: string[]) {
+    super(...errors);
+    Object.setPrototypeOf(this, MethodNotAllowedError.prototype);
+
+    this.withHttpStatusCode(MethodNotAllowedError.HTTP_CODE);
+  }
+}

package/src/http/error/misconfigured-error.ts

@@ -0,0 +1,12 @@
+import { RestfulApiHttpError } from '@bitblit/ratchet-common/network/restful-api-http-error';
+
+export class MisconfiguredError<T = void> extends RestfulApiHttpError<T> {
+  public static readonly HTTP_CODE: number = 500;
+
+  constructor(...errors: string[]) {
+    super(...errors);
+    Object.setPrototypeOf(this, MisconfiguredError.prototype);
+
+    this.withHttpStatusCode(MisconfiguredError.HTTP_CODE);
+  }
+}

package/src/http/error/not-found-error.ts

@@ -0,0 +1,12 @@
+import { RestfulApiHttpError } from '@bitblit/ratchet-common/network/restful-api-http-error';
+
+export class NotFoundError<T = void> extends RestfulApiHttpError<T> {
+  public static readonly HTTP_CODE: number = 404;
+
+  constructor(...errors: string[]) {
+    super(...errors);
+    Object.setPrototypeOf(this, NotFoundError.prototype);
+
+    this.withHttpStatusCode(NotFoundError.HTTP_CODE);
+  }
+}

package/src/http/error/not-implemented.ts

@@ -0,0 +1,12 @@
+import { RestfulApiHttpError } from '@bitblit/ratchet-common/network/restful-api-http-error';
+
+export class NotImplemented<T = void> extends RestfulApiHttpError<T> {
+  public static readonly HTTP_CODE: number = 501;
+
+  constructor(...errors: string[]) {
+    super(...errors);
+    Object.setPrototypeOf(this, NotImplemented.prototype);
+
+    this.withHttpStatusCode(NotImplemented.HTTP_CODE);
+  }
+}

package/src/http/error/request-timeout-error.ts

@@ -0,0 +1,12 @@
+import { RestfulApiHttpError } from '@bitblit/ratchet-common/network/restful-api-http-error';
+
+export class RequestTimeoutError<T = void> extends RestfulApiHttpError<T> {
+  public static readonly HTTP_CODE: number = 500;
+
+  constructor(...errors: string[]) {
+    super(...errors);
+    Object.setPrototypeOf(this, RequestTimeoutError.prototype);
+
+    this.withHttpStatusCode(RequestTimeoutError.HTTP_CODE);
+  }
+}

package/src/http/error/service-unavailable.ts

@@ -0,0 +1,12 @@
+import { RestfulApiHttpError } from '@bitblit/ratchet-common/network/restful-api-http-error';
+
+export class ServiceUnavailable<T = void> extends RestfulApiHttpError<T> {
+  public static readonly HTTP_CODE: number = 503;
+
+  constructor(...errors: string[]) {
+    super(...errors);
+    Object.setPrototypeOf(this, ServiceUnavailable.prototype);
+
+    this.withHttpStatusCode(ServiceUnavailable.HTTP_CODE);
+  }
+}

package/src/http/error/too-many-requests-error.ts

@@ -0,0 +1,12 @@
+import { RestfulApiHttpError } from '@bitblit/ratchet-common/network/restful-api-http-error';
+
+export class TooManyRequestsError<T = void> extends RestfulApiHttpError<T> {
+  public static readonly HTTP_CODE: number = 429;
+
+  constructor(...errors: string[]) {
+    super(...errors);
+    Object.setPrototypeOf(this, TooManyRequestsError.prototype);
+
+    this.withHttpStatusCode(TooManyRequestsError.HTTP_CODE);
+  }
+}

package/src/http/error/unauthorized-error.ts

@@ -0,0 +1,12 @@
+import { RestfulApiHttpError } from '@bitblit/ratchet-common/network/restful-api-http-error';
+
+export class UnauthorizedError<T = void> extends RestfulApiHttpError<T> {
+  public static readonly HTTP_CODE: number = 401;
+
+  constructor(...errors: string[]) {
+    super(...errors);
+    Object.setPrototypeOf(this, UnauthorizedError.prototype);
+
+    this.withHttpStatusCode(UnauthorizedError.HTTP_CODE);
+  }
+}

package/src/http/event-util.spec.ts

@@ -0,0 +1,190 @@
+import { APIGatewayEvent, APIGatewayEventRequestContext } from 'aws-lambda';
+import { EventUtil } from './event-util.js';
+import { BasicAuthToken } from './auth/basic-auth-token.js';
+import fs from 'fs';
+import path from 'path';
+import { EsmRatchet } from '@bitblit/ratchet-common/lang/esm-ratchet';
+import { describe, expect, test } from 'vitest';
+
+describe('#eventUtil', function () {
+  test('should extract pieces', function () {
+    const evt: APIGatewayEvent = {
+      httpMethod: 'GET',
+      path: '/cw/meta/server',
+      body: null,
+      headers: {
+        Host: 'api.test.com',
+        'X-Forwarded-Proto': 'https',
+      },
+      multiValueHeaders: {
+        Host: ['api.test.com'],
+        'X-Forwarded-Proto': ['https'],
+      },
+      multiValueQueryStringParameters: null,
+      isBase64Encoded: false,
+      pathParameters: null,
+      queryStringParameters: null,
+      stageVariables: null,
+      resource: '/{proxy+}',
+      requestContext: {
+        httpMethod: 'GET',
+        accountId: '1234',
+        apiId: '7890',
+        stage: 'v0',
+        path: '/cw/meta/server',
+        domainName: 'api.test.com',
+        identity: null,
+        requestId: 'asdf1234',
+        requestTimeEpoch: 1234,
+        resourceId: '1234',
+        resourcePath: '/{proxy+}',
+      } as APIGatewayEventRequestContext,
+    } as APIGatewayEvent;
+
+    expect(EventUtil.extractStage(evt)).toEqual('cw');
+    expect(EventUtil.extractApiGatewayStage(evt)).toEqual('v0');
+    expect(EventUtil.extractFullPrefix(evt)).toEqual('https://api.test.com/cw');
+    expect(EventUtil.extractFullPath(evt)).toEqual('https://api.test.com/cw/meta/server');
+    expect(EventUtil.extractHostHeader(evt)).toEqual('api.test.com');
+  });
+
+  test('should fix still encoded query params', function () {
+    const evt: APIGatewayEvent = {
+      httpMethod: 'GET',
+      path: '/cw/meta/server',
+      body: null,
+      headers: {
+        Host: 'api.test.com',
+        'X-Forwarded-Proto': 'https',
+      },
+      multiValueHeaders: {
+        Host: ['api.test.com'],
+        'X-Forwarded-Proto': ['https'],
+      },
+      isBase64Encoded: false,
+      pathParameters: null,
+      multiValueQueryStringParameters: {
+        a: ['b'],
+        'amp;c': ['d'],
+      },
+      queryStringParameters: {
+        a: 'b',
+        'amp;c': 'd',
+      },
+      stageVariables: null,
+      resource: '/{proxy+}',
+      requestContext: {
+        httpMethod: 'GET',
+        accountId: '1234',
+        apiId: '7890',
+        stage: 'v0',
+        path: '/cw/meta/server',
+        domainName: 'api.test.com',
+        identity: null,
+        requestId: 'asdf1234',
+        requestTimeEpoch: 1234,
+        resourceId: '1234',
+        resourcePath: '/{proxy+}',
+      } as APIGatewayEventRequestContext,
+    } as APIGatewayEvent;
+
+    expect(evt.queryStringParameters['a']).toBeTruthy();
+    expect(evt.queryStringParameters['amp;c']).toBeTruthy();
+    expect(evt.queryStringParameters['c']).toBeUndefined();
+
+    EventUtil.fixStillEncodedQueryParams(evt);
+
+    expect(evt.queryStringParameters['a']).toBeTruthy();
+    expect(evt.queryStringParameters['amp;c']).toBeUndefined();
+    expect(evt.queryStringParameters['c']).toBeTruthy();
+  });
+
+  test('should extract basic auth from headers', function () {
+    const evt: APIGatewayEvent = {
+      httpMethod: 'GET',
+      path: '/cw/meta/server',
+      body: null,
+      headers: {
+        Host: 'api.test.com',
+        'X-Forwarded-Proto': 'https',
+        Authorization: 'Basic dGVzdHVzZXI6dGVzdHBhc3M=',
+      },
+      multiValueHeaders: {
+        Host: ['api.test.com'],
+        'X-Forwarded-Proto': ['https'],
+        Authorization: ['Basic dGVzdHVzZXI6dGVzdHBhc3M='],
+      },
+      isBase64Encoded: false,
+      pathParameters: null,
+      multiValueQueryStringParameters: {
+        a: ['b'],
+        'amp;c': ['d'],
+      },
+      queryStringParameters: {
+        a: 'b',
+        'amp;c': 'd',
+      },
+      stageVariables: null,
+      resource: '/{proxy+}',
+      requestContext: {
+        httpMethod: 'GET',
+        accountId: '1234',
+        apiId: '7890',
+        stage: 'v0',
+        path: '/cw/meta/server',
+        domainName: 'api.test.com',
+        identity: null,
+        requestId: 'asdf1234',
+        requestTimeEpoch: 1234,
+        resourceId: '1234',
+        resourcePath: '/{proxy+}',
+      } as APIGatewayEventRequestContext,
+    } as APIGatewayEvent;
+
+    const basic: BasicAuthToken = EventUtil.extractBasicAuthenticationToken(evt);
+    expect(basic).toBeTruthy();
+    expect(basic.username).toBeTruthy();
+    expect(basic.password).toBeTruthy();
+    expect(basic.username).toEqual('testuser');
+    expect(basic.password).toEqual('testpass');
+  });
+
+  test('should add a token to an event, along with downstream stuff', function () {
+    const evt: APIGatewayEvent = JSON.parse(
+      fs
+        .readFileSync(
+          path.join(EsmRatchet.fetchDirName(import.meta.url), '../../../../test-data/epsilon/sample-json/sample-request-1.json'),
+        )
+        .toString(),
+    );
+    const jwtToken: string =
+      'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1ODg1MzY3NzU4ODcsImlzcyI6Im5lb24uYWRvbW5pLmNvbSIsInN1YiI6ImJpdGJsaXRAZ21haWwuY29tIiwiaWF0IjoxNTg4NTMzMTc1ODg3LCJ1c2VyIjp7ImlkIjo2LCJmaXJzdE5hbWUiOiJDaHJpcyIsImxhc3ROYW1lIjoiV2Vpc3MiLCJjb21wYW55IjoiQWRvbW5pIiwiZW1haWwiOiJiaXRibGl0QGdtYWlsLmNvbSIsImN1c3RvbWVyVHlwZSI6IkFETUlOIn0sImFjdGluZ1VzZXJJZCI6NiwiZ2xvYmFsIjp0cnVlLCJhZG1pbiI6eyJpZCI6NiwiZmlyc3ROYW1lIjoiQ2hyaXMiLCJsYXN0TmFtZSI6IldlaXNzIiwiY29tcGFueSI6IkFkb21uaSIsImVtYWlsIjoiYml0YmxpdEBnbWFpbC5jb20iLCJjdXN0b21lclR5cGUiOiJBRE1JTiJ9LCJzdWJVc2VycyI6W119.mwRSek5GwkvxpN44UTp49W6_9U_ARsFXThAyiqaF-eQ';
+    EventUtil.applyTokenToEventForTesting(evt, jwtToken);
+
+    const roundTripTokenString: string = EventUtil.extractBearerTokenFromEvent(evt);
+    expect(roundTripTokenString).toEqual(jwtToken);
+  });
+
+  test('should check if an event is a graphql introspection', function () {
+    const evt1: APIGatewayEvent = JSON.parse(
+      fs
+        .readFileSync(
+          path.join(EsmRatchet.fetchDirName(import.meta.url), '../../../../test-data/epsilon/sample-json/sample-request-1.json'),
+        )
+        .toString(),
+    );
+    const evt2: APIGatewayEvent = JSON.parse(
+      fs
+        .readFileSync(
+          path.join(EsmRatchet.fetchDirName(import.meta.url), '../../../../test-data/epsilon/sample-json/sample-gql-introspection.json'),
+        )
+        .toString(),
+    );
+
+    const res1: boolean = EventUtil.eventIsAGraphQLIntrospection(evt1);
+    const res2: boolean = EventUtil.eventIsAGraphQLIntrospection(evt2);
+
+    expect(res1).toBeFalsy();
+    expect(res2).toBeTruthy();
+  });
+});