@guardian/pan-domain-node 0.4.2 → 0.5.0

package/.changeset/README.md

@@ -0,0 +1,8 @@
+# Changesets
+
+Hello and welcome! This folder has been automatically generated by `@changesets/cli`, a build tool that works
+with multi-package repos, or single-package repos to help you version and publish your code. You can
+find the full documentation for it [in our repository](https://github.com/changesets/changesets)
+
+We have a quick list of common questions to get you started engaging with this project in
+[our documentation](https://github.com/changesets/changesets/blob/main/docs/common-questions.md)

package/.changeset/config.json

@@ -0,0 +1,11 @@
+{
+  "$schema": "https://unpkg.com/@changesets/config@3.0.4/schema.json",
+  "changelog": "@changesets/cli/changelog",
+  "commit": false,
+  "fixed": [],
+  "linked": [],
+  "access": "public",
+  "baseBranch": "main",
+  "updateInternalDependencies": "patch",
+  "ignore": []
+}

package/.nvmrc

@@ -1 +1 @@
-8
+v20.18.1

package/CHANGELOG.md

@@ -0,0 +1,7 @@
+# @guardian/pan-domain-node
+
+## 0.5.0
+
+### Minor Changes
+
+- 01ddac5: Fix bug preventing cookie expiry from being correctly validated

package/dist/src/api.js

@@ -1,7 +1,8 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.guardianValidation = exports.AuthenticationStatus = void 0;
 var panda_1 = require("./panda");
-exports.PanDomainAuthentication = panda_1.PanDomainAuthentication;
+Object.defineProperty(exports, "PanDomainAuthentication", { enumerable: true, get: function () { return panda_1.PanDomainAuthentication; } });
 var AuthenticationStatus;
 (function (AuthenticationStatus) {
     AuthenticationStatus["INVALID_COOKIE"] = "Invalid Cookie";

package/dist/src/fetch-public-key.d.ts

@@ -0,0 +1,5 @@
+export interface PublicKeyHolder {
+    key: string;
+    lastUpdated: Date;
+}
+export declare function fetchPublicKey(region: string, bucket: String, keyFile: String): Promise<PublicKeyHolder>;

package/dist/src/fetch-public-key.js

@@ -0,0 +1,40 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.fetchPublicKey = void 0;
+const iniparser = __importStar(require("iniparser"));
+const utils_1 = require("./utils");
+function fetchPublicKey(region, bucket, keyFile) {
+    const path = `https://s3.${region}.amazonaws.com/${bucket}/${keyFile}`;
+    return utils_1.httpGet(path).then(response => {
+        const config = iniparser.parseString(response);
+        if (config.publicKey) {
+            return {
+                key: utils_1.base64ToPEM(config.publicKey, "PUBLIC"),
+                lastUpdated: new Date()
+            };
+        }
+        else {
+            throw new Error("Missing publicKey setting from config");
+        }
+    });
+}
+exports.fetchPublicKey = fetchPublicKey;

package/dist/src/panda.d.ts

@@ -1,11 +1,8 @@
 /// <reference types="node" />
 import { User, AuthenticationResult, ValidateUserFn } from './api';
-interface PublicKeyHolder {
-    key: string;
-    lastUpdated: Date;
-}
+import { PublicKeyHolder } from './fetch-public-key';
 export declare function createCookie(user: User, privateKey: string): string;
-export declare function verifyUser(pandaCookie: string | undefined, publicKey: string, currentTimestamp: number, validateUser: ValidateUserFn): AuthenticationResult;
+export declare function verifyUser(pandaCookie: string | undefined, publicKey: string, currentTime: Date, validateUser: ValidateUserFn): AuthenticationResult;
 export declare class PanDomainAuthentication {
     cookieName: string;
     region: string;
@@ -20,4 +17,3 @@ export declare class PanDomainAuthentication {
     getPublicKey(): Promise<string>;
     verify(requestCookies: string): Promise<AuthenticationResult>;
 }
-export {};

package/dist/src/panda.js

@@ -1,31 +1,29 @@
 "use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
 var __importStar = (this && this.__importStar) || function (mod) {
     if (mod && mod.__esModule) return mod;
     var result = {};
-    if (mod != null) for (var k in mod) if (Object.hasOwnProperty.call(mod, k)) result[k] = mod[k];
-    result["default"] = mod;
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
     return result;
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-const iniparser = __importStar(require("iniparser"));
+exports.PanDomainAuthentication = exports.verifyUser = exports.createCookie = void 0;
 const cookie = __importStar(require("cookie"));
 const utils_1 = require("./utils");
 const api_1 = require("./api");
-function fetchPublicKey(region, bucket, keyFile) {
-    const path = `https://s3.${region}.amazonaws.com/${bucket}/${keyFile}`;
-    return utils_1.httpGet(path).then(response => {
-        const config = iniparser.parseString(response);
-        if (config.publicKey) {
-            return {
-                key: utils_1.base64ToPEM(config.publicKey, "PUBLIC"),
-                lastUpdated: new Date()
-            };
-        }
-        else {
-            throw new Error("Missing publicKey setting from config");
-        }
-    });
-}
+const fetch_public_key_1 = require("./fetch-public-key");
 function createCookie(user, privateKey) {
     let queryParams = [];
     queryParams.push("firstName=" + user.firstName);
@@ -42,7 +40,7 @@ function createCookie(user, privateKey) {
     return queryParamsString + "." + signature;
 }
 exports.createCookie = createCookie;
-function verifyUser(pandaCookie, publicKey, currentTimestamp, validateUser) {
+function verifyUser(pandaCookie, publicKey, currentTime, validateUser) {
     if (!pandaCookie) {
         return { status: api_1.AuthenticationStatus.INVALID_COOKIE };
     }
@@ -50,9 +48,10 @@ function verifyUser(pandaCookie, publicKey, currentTimestamp, validateUser) {
     if (!utils_1.verifySignature(data, signature, publicKey)) {
         return { status: api_1.AuthenticationStatus.INVALID_COOKIE };
     }
+    const currentTimestampInMilliseconds = currentTime.getTime();
     try {
         const user = utils_1.parseUser(data);
-        const isExpired = user.expires < currentTimestamp;
+        const isExpired = user.expires < currentTimestampInMilliseconds;
         if (isExpired) {
             return { status: api_1.AuthenticationStatus.EXPIRED, user };
         }
@@ -75,20 +74,21 @@ class PanDomainAuthentication {
         this.bucket = bucket;
         this.keyFile = keyFile;
         this.validateUser = validateUser;
-        this.publicKey = fetchPublicKey(region, bucket, keyFile);
+        this.publicKey = fetch_public_key_1.fetchPublicKey(region, bucket, keyFile);
         this.keyUpdateTimer = setInterval(() => this.getPublicKey(), this.keyCacheTime);
     }
     stop() {
         if (this.keyUpdateTimer) {
             clearInterval(this.keyUpdateTimer);
+            this.keyUpdateTimer = undefined;
         }
     }
     getPublicKey() {
         return this.publicKey.then(({ key, lastUpdated }) => {
             const now = new Date();
-            const diff = now.getMilliseconds() - lastUpdated.getMilliseconds();
+            const diff = now.getTime() - lastUpdated.getTime();
             if (diff > this.keyCacheTime) {
-                this.publicKey = fetchPublicKey(this.region, this.bucket, this.keyFile);
+                this.publicKey = fetch_public_key_1.fetchPublicKey(this.region, this.bucket, this.keyFile);
                 return this.publicKey.then(({ key }) => key);
             }
             else {
@@ -100,8 +100,7 @@ class PanDomainAuthentication {
         return this.getPublicKey().then(publicKey => {
             const cookies = cookie.parse(requestCookies);
             const pandaCookie = cookies[this.cookieName];
-            const now = new Date().getMilliseconds();
-            return verifyUser(pandaCookie, publicKey, now, this.validateUser);
+            return verifyUser(pandaCookie, publicKey, new Date(), this.validateUser);
         });
     }
 }

package/dist/src/utils.js

@@ -1,12 +1,25 @@
 "use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
 var __importStar = (this && this.__importStar) || function (mod) {
     if (mod && mod.__esModule) return mod;
     var result = {};
-    if (mod != null) for (var k in mod) if (Object.hasOwnProperty.call(mod, k)) result[k] = mod[k];
-    result["default"] = mod;
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
     return result;
 };
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.parseUser = exports.httpGet = exports.base64ToPEM = exports.sign = exports.verifySignature = exports.parseCookie = exports.decodeBase64 = void 0;
 const crypto = __importStar(require("crypto"));
 const https = __importStar(require("https"));
 const url_1 = require("url");

package/dist/test/fixtures.js

@@ -1,5 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.sampleNonGuardianCookie = exports.sampleCookieWithoutMultifactor = exports.sampleCookie = exports.publicKey = exports.encodedPublicKey = exports.privateKey = exports.encodedPrivateKey = void 0;
 const utils_1 = require("../src/utils");
 exports.encodedPrivateKey = "MIIJKAIBAAKCAgEAur0hOjhB2QWjwOopCR+Qo27AYv97BJkVaKWPXpj9RfvY1wtpIratDN6tkXN9WCRPzVX8+5qaW034Kvf9WwBZD1ntS8iHYwY1YUaU8Mrp2sRT3K0RqyBlTswIH3HIqpASqv7ZtwDHdhk7Cbd13P5aomJSOjYFhCDUi3sRbjJP1kb6uQLdkZj8fIU518HzSR7Kw7p2mbDqSrGbnaeHWd0Tr3BvDHp9Pi0KpSAVm2qWAXix+BcjMA4ar7kLU1Pre0lt4K4DlSvq5XoHdX9/yvS6KGf+8pXDR9bY6dgRPSG4mzKpiKfkv1eXE8WKs0q3217QZItaSjocw4d0o47vSN+/MAh9V5Zewyb6ogs8JicX3Y3FPG29I1g8iLf3kBZ7V4mUimGuOq/L+1YVvyOTb2zWWMjNmECO2lrxXJc5LWRs5FmSJyCdilRktDE0WTGUo89O+DcF2752qtpUmlV2fllU1LXIAn0TJKiAZspKakamifrgYFIzZK4oZ8wDeFesQB/a/U7wtyv85vknzCtMLI28dnpGQ/ZFHNqWYVaHoHsnEmWion7lgMctnpY5pwKFfUSfZecl2Xqwjk1HZj71A9TFNQj+/x4z957cNtx+utAkGinK3eZF+H1o5YnSgjg4hN41kbXttk8nADerPdF7hDS6np7xzUl6qOicJhEOJ5x0c18CAwEAAQKCAgAFEDXDb10Rtl5vT6oXLjzswYcD6Ct8v23eLYcKqJlNeXuysQODxnJAxBTuubPvXOSxC6DVbaa7zQxqldjPy92eVfDiOii5naR648AMG2Rl4ybm9+Zfvnwgu9WIjLxFK6zl6A0dMi82W47HP6s5d8gbWREjtO1HXOCGe6rIUyLpC3mm5JX/aaeG9NHRsNeY5vXWgsrOdgaUSeaPSsiXvi/XdPP94aBdvDjqq0kKssQofA5PTMlOd0Nv+lN9Sew7po0NJ4q/U7aFzF5BaFidty8JA3DdQQRPgVrWVF57StvHkYMZSnwgWA6noZaWL/N2RkbeQw0KsDKxdo3KFYkVb8OuTN68b3J5sKIo48LaDbfWbuThcdUFdpKXUd6lvJ2vCnbN6e1fzJdjpCNg9mb2g8KnSW9xqXek8cx0b+LNh+p/YDUI/BZDfsXjeqODiGEruYWfaYiL4STOOXIq5SoyP6XEDbX41UHcb/P3pJExBB7R6fpUFREUd0tUAQAQ93YUitWIs8U1tVAB9/qaUO6BFgOghrbswUiX4twVdmqhrBVOcYUImu7LUdcpMLIdR/gyy47w8xEhiv/oudWVx7rkJS4+l949KtUmyd5x+MNT7nAF99eSIv3iNpL6eS7OWiak5gfoVATy0shNd48H62mGtYjfoGzndGE26tNCHXoAkTrbQQKCAQEA47QXH0Y5xbnq8rlqukwVt+EDMJUtZBqfxGDnkDmtfGefxiyE1VLb+Q0Z1es3lxjcmb1Qupl9tjrWeejK2QymSOzPaluOTpIFOZbFqzNha68nONoiWjqwkCg7VvTo0mRKLwSEnCrCOB8HiLKQAhirdPwtW/8PLd+B8HZSB3UKFylbT+ghHIz5b4P81GksRGbsb6g3+ipz53mvtJpe77J7Y84wPQppj6Ry0WjsQr4iv2hF5PWNMhHVDj8eO80DJvWRCFVTWqTE3WYxZJ/5jdeOdVTwtrYghP72X0zAnVpQCVzcn8tLghKsfePhCw3zNtFE3dk4XHQD4uhPU88GtxJ3vwKCAQEA0fHVZmW8EwxYUEzhFl+2J4evszh8R2Sga+LHv4hy2qGydiciVnv4Y/IoScc0IQ+YHoj9fNad+/UoR8ctSBgrPDzeiY/7ldSp/j5Tbqb4h3Ioaqf9uNg7qHpnciz1o8AI8fFelXZ5hA8GuXo8VGy60xMCyapjkLzTXshdRPjUzcLX1PrUy+me4ZR/KdIkqOOmzgvBVII3gb0iN70gTqn2HSIUC3yMiXA+X6OkHoDL7tn8tkF/aD+uenxOvOadsoJPtaFPaMD0X5vJ8LIjsBThAncVApx93XJIdkJm2ffXq2JhQJfZ6ZXypa6ooepzmB58kxA+TZiJpQLLQJ17xC/sYQKCAQBwuzJPW3cyuw7kyINcZFrERHRN0y07yCqdENTUBJotYygo9tV0v6cEMEZAMEm/VqGww5d6Ko+gbpTMmkIDH04cAJHXuChGIejQUCLg1Xk/1OF4NhaX0UKkvCZUsL+rmddYW8ZDgq/RFRunw6+kOg54xni2eRpMvcEZCZsm8fzi5qi8cNIjzm+XlCLSDpfJ7aLUzNWZ1va2/PnOUjb6OMT57pTXQ5ZrdSEbJ/UAPh354WfpKOCUj1uJyBnxxVfwK9d35rZzw+trKTL+/GySmst+r2TVMGn9LjVPjTI3NQU2/XCE9CMX7KLVWMKLtIZa91Q++VH8A7wA1L6hYXeTn2MFAoIBAEb5xvdTNX4LEmAzXXU+7kn26UNhuUI5lrJifL0X2BxpxfeDy2wJhTPkzhIDMnBq4TaRgYEO3WIsw21gvMI+yX8X5PQEpT1GJCI71+D0udiwk1Fbcb9n+uM+XnKPGIw/g8annx5Qa0xl+BQEaxjvmUl6h9q9q+Nmst68RivnI6pcULNECWTWmkwQ89yjmpkuPVozRyzWyQUnd8X4Pk/ZzcaTmss3VBuywqN6oyVczZT2RSUoh3Yq8UWfeM8L+Aw9Wc1Bt6LmeLdJ579jugTxShCXSZcUaMjQtgak9DiEPXlHTTGVJKp/cwToQ0JaDLJEvEDLoQSCqSYMB8LUet8chIECggEBANxvUJxCLbx4CZrUJC5O2w01GMDFdTfYOUcK75pFAbXkpBPXDLsuz2dK1y8ANk3ibWWrlV6YKDUwl+gWDHmJOcvKqKKAeUnrhIMmJGaO6C++5DxPE/n7g5M86GA0bu/+B+32wL/65B8HoJrkHnSMJp9GcCsVZA3+2xcJfo+xAiXeiRobRIxCQMYCDDM7Hr7X5jGa7l9bQr4GuWRKRYTroE9LCDnH/LLUN+0ny3UXrSjtTUVL4mVAJT0Ws2H1zUzVDbu7ZQgA0u3GjtdFvAnS/E+ln8DS3Q1DeD6Zsf0hrrJbtwU4zZIU445SZ+IUaTjueB9v/skukoIQi/0Mj+gpZ1c=";
 exports.privateKey = utils_1.base64ToPEM(exports.encodedPrivateKey, "RSA PRIVATE");

package/dist/test/panda.test.js

@@ -1,28 +1,41 @@
 "use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
 Object.defineProperty(exports, "__esModule", { value: true });
 const api_1 = require("../src/api");
 const panda_1 = require("../src/panda");
+const fetch_public_key_1 = require("../src/fetch-public-key");
 const fixtures_1 = require("./fixtures");
 const utils_1 = require("../src/utils");
+jest.mock('../src/fetch-public-key');
+jest.useFakeTimers('modern');
 describe('verifyUser', function () {
     test("return invalid cookie if missing", () => {
-        expect(panda_1.verifyUser(undefined, "", 0, api_1.guardianValidation).status).toBe(api_1.AuthenticationStatus.INVALID_COOKIE);
+        expect(panda_1.verifyUser(undefined, "", new Date(0), api_1.guardianValidation).status).toBe(api_1.AuthenticationStatus.INVALID_COOKIE);
     });
     test("return invalid cookie for a malformed signature", () => {
         const [data, signature] = fixtures_1.sampleCookie.split(".");
         const testCookie = data + ".1234";
-        expect(panda_1.verifyUser(testCookie, fixtures_1.publicKey, 0, api_1.guardianValidation).status).toBe(api_1.AuthenticationStatus.INVALID_COOKIE);
+        expect(panda_1.verifyUser(testCookie, fixtures_1.publicKey, new Date(0), api_1.guardianValidation).status).toBe(api_1.AuthenticationStatus.INVALID_COOKIE);
     });
     test("return expired", () => {
-        const someTimeInTheFuture = 5678;
+        const someTimeInTheFuture = new Date(5678);
+        expect(someTimeInTheFuture.getTime()).toBe(5678);
         expect(panda_1.verifyUser(fixtures_1.sampleCookie, fixtures_1.publicKey, someTimeInTheFuture, api_1.guardianValidation).status).toBe(api_1.AuthenticationStatus.EXPIRED);
     });
     test("return not authenticated if user fails validation function", () => {
-        expect(panda_1.verifyUser(fixtures_1.sampleCookieWithoutMultifactor, fixtures_1.publicKey, 0, api_1.guardianValidation).status).toBe(api_1.AuthenticationStatus.NOT_AUTHORISED);
-        expect(panda_1.verifyUser(fixtures_1.sampleNonGuardianCookie, fixtures_1.publicKey, 0, api_1.guardianValidation).status).toBe(api_1.AuthenticationStatus.NOT_AUTHORISED);
+        expect(panda_1.verifyUser(fixtures_1.sampleCookieWithoutMultifactor, fixtures_1.publicKey, new Date(0), api_1.guardianValidation).status).toBe(api_1.AuthenticationStatus.NOT_AUTHORISED);
+        expect(panda_1.verifyUser(fixtures_1.sampleNonGuardianCookie, fixtures_1.publicKey, new Date(0), api_1.guardianValidation).status).toBe(api_1.AuthenticationStatus.NOT_AUTHORISED);
     });
     test("return authenticated", () => {
-        expect(panda_1.verifyUser(fixtures_1.sampleCookie, fixtures_1.publicKey, 0, api_1.guardianValidation).status).toBe(api_1.AuthenticationStatus.AUTHORISED);
+        expect(panda_1.verifyUser(fixtures_1.sampleCookie, fixtures_1.publicKey, new Date(0), api_1.guardianValidation).status).toBe(api_1.AuthenticationStatus.AUTHORISED);
     });
 });
 describe('createCookie', function () {
@@ -41,3 +54,61 @@ describe('createCookie', function () {
         expect(cookie).toEqual(fixtures_1.sampleCookie);
     });
 });
+describe('panda class', function () {
+    beforeEach(() => {
+        fetch_public_key_1.fetchPublicKey.mockResolvedValue({ key: 'PUBLIC KEY', lastUpdated: new Date() });
+    });
+    describe('stop', () => {
+        it('stops auto refresh', () => {
+            const panda = new panda_1.PanDomainAuthentication('cookiename', 'region', 'bucket', 'keyfile', (u) => true);
+            expect(panda.keyUpdateTimer).not.toBeUndefined();
+            panda.stop();
+            expect(panda.keyUpdateTimer).toBeUndefined();
+        });
+    });
+    describe('getPublicKey', () => {
+        it('getsPublicKey immediately when last fetch is within the cache time', () => __awaiter(this, void 0, void 0, function* () {
+            const panda = new panda_1.PanDomainAuthentication('cookiename', 'region', 'bucket', 'keyfile', (u) => true);
+            const fetchesBeforeGet = fetch_public_key_1.fetchPublicKey.mock.calls.length;
+            yield expect(panda.getPublicKey()).resolves.toEqual('PUBLIC KEY');
+            const fetchesAfterGet = fetch_public_key_1.fetchPublicKey.mock.calls.length;
+            expect(fetchesAfterGet).toEqual(fetchesBeforeGet);
+        }));
+        it('getsPublicKey after refetching when last fetch is outside the cache time', () => __awaiter(this, void 0, void 0, function* () {
+            // cache time is 1 min
+            const fiveMinsAgo = new Date();
+            fiveMinsAgo.setMinutes(fiveMinsAgo.getMinutes() - 5);
+            fetch_public_key_1.fetchPublicKey.mockResolvedValue({ key: 'PUBLIC KEY', lastUpdated: fiveMinsAgo });
+            const panda = new panda_1.PanDomainAuthentication('cookiename', 'region', 'bucket', 'keyfile', (u) => true);
+            const fetchesBefore = fetch_public_key_1.fetchPublicKey.mock.calls.length;
+            yield expect(panda.getPublicKey()).resolves.toEqual('PUBLIC KEY');
+            fetch_public_key_1.fetchPublicKey.mockResolvedValue({ key: 'PUBLIC KEY 2', lastUpdated: fiveMinsAgo });
+            const fetchesAfter = fetch_public_key_1.fetchPublicKey.mock.calls.length;
+            yield expect(panda.getPublicKey()).resolves.toEqual('PUBLIC KEY 2');
+            expect(fetchesAfter).toEqual(fetchesBefore + 1);
+        }));
+    });
+    describe('verify', () => {
+        beforeEach(() => {
+            fetch_public_key_1.fetchPublicKey.mockResolvedValue({ key: fixtures_1.publicKey, lastUpdated: new Date() });
+        });
+        it('should return authenticated if valid', () => __awaiter(this, void 0, void 0, function* () {
+            jest.setSystemTime(100);
+            const panda = new panda_1.PanDomainAuthentication('cookiename', 'region', 'bucket', 'keyfile', (u) => true);
+            const { status } = yield panda.verify(`cookiename=${fixtures_1.sampleCookie}`);
+            expect(status).toBe(api_1.AuthenticationStatus.AUTHORISED);
+        }));
+        it('should return expired if expired', () => __awaiter(this, void 0, void 0, function* () {
+            jest.setSystemTime(10000);
+            const panda = new panda_1.PanDomainAuthentication('cookiename', 'region', 'bucket', 'keyfile', (u) => true);
+            const { status } = yield panda.verify(`cookiename=${fixtures_1.sampleCookie}`);
+            expect(status).toBe(api_1.AuthenticationStatus.EXPIRED);
+        }));
+        it('should return not authenticated if validation fails', () => __awaiter(this, void 0, void 0, function* () {
+            jest.setSystemTime(100);
+            const panda = new panda_1.PanDomainAuthentication('cookiename', 'region', 'bucket', 'keyfile', api_1.guardianValidation);
+            const { status } = yield panda.verify(`cookiename=${fixtures_1.sampleNonGuardianCookie}`);
+            expect(status).toBe(api_1.AuthenticationStatus.NOT_AUTHORISED);
+        }));
+    });
+});

package/jest.config.js

@@ -3,6 +3,7 @@ module.exports = {
     "<rootDir>/src",
     "<rootDir>/test"
   ],
+  "clearMocks": true,
   "transform": {
     "^.+\\.tsx?$": "ts-jest"
   },
@@ -15,4 +16,4 @@ module.exports = {
     "json",
     "node"
   ],
-}
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@guardian/pan-domain-node",
-  "version": "0.4.2",
+  "version": "0.5.0",
   "description": "NodeJs implementation of Guardian pan-domain auth verification",
   "main": "dist/src/api.js",
   "types": "dist/src/api.d.ts",
@@ -22,16 +22,17 @@
   },
   "homepage": "https://github.com/guardian/pan-domain-authentication",
   "devDependencies": {
-    "@types/cookie": "^0.3.2",
+    "@changesets/cli": "^2.27.10",
+    "@types/cookie": "^0.4.0",
     "@types/iniparser": "0.0.29",
-    "@types/jest": "^24.0.9",
-    "@types/node": "^11.10.5",
-    "jest": "^24.3.1",
-    "ts-jest": "^24.0.0",
-    "typescript": "^3.3.3333"
+    "@types/jest": "^26.0.9",
+    "@types/node": "^14.0.27",
+    "jest": "^26.2.2",
+    "ts-jest": "^26.1.4",
+    "typescript": "^3.9.7"
   },
   "dependencies": {
-    "cookie": "^0.3.1",
+    "cookie": "^0.4.1",
     "iniparser": "^1.0.5"
   },
   "scripts": {

package/src/fetch-public-key.ts

@@ -0,0 +1,27 @@
+import * as iniparser from 'iniparser';
+import {base64ToPEM, httpGet} from './utils';
+
+export interface PublicKeyHolder {
+    key: string,
+    lastUpdated: Date
+}
+
+
+export function fetchPublicKey(region: string, bucket: String, keyFile: String): Promise<PublicKeyHolder> {
+    const path = `https://s3.${region}.amazonaws.com/${bucket}/${keyFile}`;
+
+    return httpGet(path).then(response => {
+        const config: { publicKey?: string} = iniparser.parseString(response);
+
+        if(config.publicKey) {
+            return {
+                key: base64ToPEM(config.publicKey, "PUBLIC"),
+                lastUpdated: new Date()
+            };
+        } else {
+            throw new Error("Missing publicKey setting from config");
+        }
+    });
+}
+
+

package/src/panda.ts

@@ -1,30 +1,8 @@
-import * as iniparser from 'iniparser';
 import * as cookie from 'cookie';
 
-import {base64ToPEM, httpGet, parseCookie, parseUser, sign, verifySignature} from './utils';
+import {parseCookie, parseUser, sign, verifySignature} from './utils';
 import {AuthenticationStatus, User, AuthenticationResult, ValidateUserFn} from './api';
-
-interface PublicKeyHolder {
-    key: string,
-    lastUpdated: Date
-}
-
-function fetchPublicKey(region: string, bucket: String, keyFile: String): Promise<PublicKeyHolder> {
-    const path = `https://s3.${region}.amazonaws.com/${bucket}/${keyFile}`;
-
-    return httpGet(path).then(response => {
-        const config: { publicKey?: string} = iniparser.parseString(response);
-
-        if(config.publicKey) {
-            return {
-                key: base64ToPEM(config.publicKey, "PUBLIC"),
-                lastUpdated: new Date()
-            };
-        } else {
-            throw new Error("Missing publicKey setting from config");
-        }
-    });
-}
+import { fetchPublicKey, PublicKeyHolder } from './fetch-public-key';
 
 export function createCookie(user: User, privateKey: string): string {
     let queryParams: string[] = [];
@@ -46,7 +24,7 @@ export function createCookie(user: User, privateKey: string): string {
     return queryParamsString + "." + signature
 }
 
-export function verifyUser(pandaCookie: string | undefined, publicKey: string, currentTimestamp: number, validateUser: ValidateUserFn): AuthenticationResult {
+export function verifyUser(pandaCookie: string | undefined, publicKey: string, currentTime: Date, validateUser: ValidateUserFn): AuthenticationResult {
     if(!pandaCookie) {
         return { status: AuthenticationStatus.INVALID_COOKIE };
     }
@@ -57,9 +35,11 @@ export function verifyUser(pandaCookie: string | undefined, publicKey: string, c
         return { status: AuthenticationStatus.INVALID_COOKIE };
     }
 
+    const currentTimestampInMilliseconds = currentTime.getTime();
+
     try {
         const user: User = parseUser(data);
-        const isExpired = user.expires < currentTimestamp;
+        const isExpired = user.expires < currentTimestampInMilliseconds;
 
         if(isExpired) {
             return { status: AuthenticationStatus.EXPIRED, user };
@@ -102,13 +82,14 @@ export class PanDomainAuthentication {
     stop(): void {
         if(this.keyUpdateTimer) {
             clearInterval(this.keyUpdateTimer);
+            this.keyUpdateTimer = undefined;
         }
     }
 
     getPublicKey(): Promise<string> {
         return this.publicKey.then(({ key, lastUpdated }) => {
             const now = new Date();
-            const diff = now.getMilliseconds() - lastUpdated.getMilliseconds();
+            const diff = now.getTime() - lastUpdated.getTime();
 
             if(diff > this.keyCacheTime) {
                 this.publicKey = fetchPublicKey(this.region, this.bucket, this.keyFile);
@@ -124,8 +105,7 @@ export class PanDomainAuthentication {
             const cookies = cookie.parse(requestCookies);
             const pandaCookie = cookies[this.cookieName];
 
-            const now = new Date().getMilliseconds();
-            return verifyUser(pandaCookie, publicKey, now, this.validateUser);
+            return verifyUser(pandaCookie, publicKey, new Date(), this.validateUser);
         });
     }
 }

package/test/panda.test.ts

@@ -1,5 +1,6 @@
 import {guardianValidation, AuthenticationStatus, User} from '../src/api';
-import { verifyUser, createCookie } from '../src/panda';
+import { verifyUser, createCookie, PanDomainAuthentication } from '../src/panda';
+import { fetchPublicKey } from '../src/fetch-public-key';
 
 import {
     sampleCookie,
@@ -10,31 +11,35 @@ import {
 } from './fixtures';
 import {decodeBase64} from "../src/utils";
 
+jest.mock('../src/fetch-public-key');
+jest.useFakeTimers('modern');
+
 describe('verifyUser', function () {
 
     test("return invalid cookie if missing", () => {
-        expect(verifyUser(undefined, "", 0, guardianValidation).status).toBe(AuthenticationStatus.INVALID_COOKIE);
+        expect(verifyUser(undefined, "", new Date(0), guardianValidation).status).toBe(AuthenticationStatus.INVALID_COOKIE);
     });
 
     test("return invalid cookie for a malformed signature", () => {
         const [data, signature] = sampleCookie.split(".");
         const testCookie = data + ".1234";
 
-        expect(verifyUser(testCookie, publicKey, 0, guardianValidation).status).toBe(AuthenticationStatus.INVALID_COOKIE);
+        expect(verifyUser(testCookie, publicKey, new Date(0), guardianValidation).status).toBe(AuthenticationStatus.INVALID_COOKIE);
     });
 
     test("return expired", () => {
-        const someTimeInTheFuture = 5678;
+        const someTimeInTheFuture = new Date(5678);
+        expect(someTimeInTheFuture.getTime()).toBe(5678);
         expect(verifyUser(sampleCookie, publicKey, someTimeInTheFuture, guardianValidation).status).toBe(AuthenticationStatus.EXPIRED);
     });
 
     test("return not authenticated if user fails validation function", () => {
-        expect(verifyUser(sampleCookieWithoutMultifactor, publicKey, 0, guardianValidation).status).toBe(AuthenticationStatus.NOT_AUTHORISED);
-        expect(verifyUser(sampleNonGuardianCookie, publicKey, 0, guardianValidation).status).toBe(AuthenticationStatus.NOT_AUTHORISED);
+        expect(verifyUser(sampleCookieWithoutMultifactor, publicKey, new Date(0), guardianValidation).status).toBe(AuthenticationStatus.NOT_AUTHORISED);
+        expect(verifyUser(sampleNonGuardianCookie, publicKey, new Date(0), guardianValidation).status).toBe(AuthenticationStatus.NOT_AUTHORISED);
     });
 
     test("return authenticated", () => {
-        expect(verifyUser(sampleCookie, publicKey, 0, guardianValidation).status).toBe(AuthenticationStatus.AUTHORISED);
+        expect(verifyUser(sampleCookie, publicKey, new Date(0), guardianValidation).status).toBe(AuthenticationStatus.AUTHORISED);
     });
 });
 
@@ -56,3 +61,93 @@ describe('createCookie', function () {
         expect(cookie).toEqual(sampleCookie)
     });
 });
+
+describe('panda class', function () {
+  beforeEach(() => {
+    (fetchPublicKey as jest.MockedFunction<typeof fetchPublicKey>).mockResolvedValue({ key: 'PUBLIC KEY', lastUpdated: new Date() });
+  });
+
+  describe('stop', () => {
+
+    it('stops auto refresh', () => {
+      const panda = new PanDomainAuthentication('cookiename', 'region', 'bucket', 'keyfile', (u)=> true);
+      expect(panda.keyUpdateTimer).not.toBeUndefined();
+      panda.stop();
+      expect(panda.keyUpdateTimer).toBeUndefined();
+    });
+
+  });
+
+  describe('getPublicKey', () => {
+
+    it('getsPublicKey immediately when last fetch is within the cache time', async () => {
+
+      const panda = new PanDomainAuthentication('cookiename', 'region', 'bucket', 'keyfile', (u)=> true);
+      const fetchesBeforeGet = (fetchPublicKey as jest.MockedFunction<typeof fetchPublicKey>).mock.calls.length;
+
+      await expect(panda.getPublicKey()).resolves.toEqual('PUBLIC KEY');
+      const fetchesAfterGet = (fetchPublicKey as jest.MockedFunction<typeof fetchPublicKey>).mock.calls.length;
+
+      expect(fetchesAfterGet).toEqual(fetchesBeforeGet);
+
+    });
+
+    it('getsPublicKey after refetching when last fetch is outside the cache time', async () => {
+      // cache time is 1 min
+      const fiveMinsAgo = new Date();
+      fiveMinsAgo.setMinutes(fiveMinsAgo.getMinutes() - 5);
+
+      (fetchPublicKey as jest.MockedFunction<typeof fetchPublicKey>).mockResolvedValue({ key: 'PUBLIC KEY', lastUpdated: fiveMinsAgo });
+
+      const panda = new PanDomainAuthentication('cookiename', 'region', 'bucket', 'keyfile', (u)=> true);
+
+      const fetchesBefore = (fetchPublicKey as jest.MockedFunction<typeof fetchPublicKey>).mock.calls.length;
+
+      await expect(panda.getPublicKey()).resolves.toEqual('PUBLIC KEY');
+
+      (fetchPublicKey as jest.MockedFunction<typeof fetchPublicKey>).mockResolvedValue({ key: 'PUBLIC KEY 2', lastUpdated: fiveMinsAgo });
+
+      const fetchesAfter = (fetchPublicKey as jest.MockedFunction<typeof fetchPublicKey>).mock.calls.length;
+
+      await expect(panda.getPublicKey()).resolves.toEqual('PUBLIC KEY 2');
+
+      expect(fetchesAfter).toEqual(fetchesBefore + 1);
+    });
+
+  });
+
+  describe('verify', () => {
+
+    beforeEach(() => {
+      (fetchPublicKey as jest.MockedFunction<typeof fetchPublicKey>).mockResolvedValue({ key: publicKey, lastUpdated: new Date() });
+    });
+
+    it('should return authenticated if valid', async () => {
+      jest.setSystemTime(100);
+      const panda = new PanDomainAuthentication('cookiename', 'region', 'bucket', 'keyfile', (u)=> true);
+      const { status } = await panda.verify(`cookiename=${sampleCookie}`);
+
+      expect(status).toBe(AuthenticationStatus.AUTHORISED);
+    });
+
+    it('should return expired if expired', async () => {
+      jest.setSystemTime(10_000);
+
+      const panda = new PanDomainAuthentication('cookiename', 'region', 'bucket', 'keyfile', (u)=> true);
+      const { status } = await panda.verify(`cookiename=${sampleCookie}`);
+
+      expect(status).toBe(AuthenticationStatus.EXPIRED);
+    });
+
+    it('should return not authenticated if validation fails', async () => {
+      jest.setSystemTime(100);
+
+      const panda = new PanDomainAuthentication('cookiename', 'region', 'bucket', 'keyfile', guardianValidation);
+      const { status } = await panda.verify(`cookiename=${sampleNonGuardianCookie}`);
+
+      expect(status).toBe(AuthenticationStatus.NOT_AUTHORISED);
+    });
+
+  });
+
+});