@guardian/pan-domain-node 0.4.2 → 0.5.1

package/.changeset/README.md

@@ -0,0 +1,8 @@
+# Changesets
+
+Hello and welcome! This folder has been automatically generated by `@changesets/cli`, a build tool that works
+with multi-package repos, or single-package repos to help you version and publish your code. You can
+find the full documentation for it [in our repository](https://github.com/changesets/changesets)
+
+We have a quick list of common questions to get you started engaging with this project in
+[our documentation](https://github.com/changesets/changesets/blob/main/docs/common-questions.md)

package/.changeset/config.json

@@ -0,0 +1,11 @@
+{
+  "$schema": "https://unpkg.com/@changesets/config@3.0.4/schema.json",
+  "changelog": "@changesets/cli/changelog",
+  "commit": false,
+  "fixed": [],
+  "linked": [],
+  "access": "public",
+  "baseBranch": "main",
+  "updateInternalDependencies": "patch",
+  "ignore": []
+}

package/.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,3 @@
+
+@guardian/digital-cms
+<!-- Please include the Editorial Tools Team in PRs especially if it is a major change. We rely on this library for log in across all our tools. Thank you. -->

package/.github/workflows/ci.yml

@@ -0,0 +1,29 @@
+name: CI
+on:
+  workflow_dispatch:
+  pull_request:
+
+  # triggering CI default branch improves caching
+  # see https://docs.github.com/en/free-pro-team@latest/actions/guides/caching-dependencies-to-speed-up-workflows#restrictions-for-accessing-a-cache
+  push:
+    branches:
+      - main
+
+jobs:
+  CI:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: '.nvmrc'
+          cache: npm
+          cache-dependency-path: 'package-lock.json'
+
+      - name: JS Build
+        run: |
+          npm ci
+          npm run build
+          npm test

package/.github/workflows/node-release.yml

@@ -0,0 +1,57 @@
+name: CD
+on:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+
+jobs:
+  CD:
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: write
+      id-token: write
+      pull-requests: write
+
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v3
+        with:
+          node-version-file: ".nvmrc"
+          cache: npm
+          cache-dependency-path: "package-lock.json"
+
+      - name: Install
+        run: npm ci
+
+      - name: Build
+        run: npm run build
+
+      - name: Test
+        run: npm run test
+
+      - name: Use GitHub App Token
+        uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          app-id: ${{ secrets.GU_CHANGESETS_APP_ID }}
+          private-key: ${{ secrets.GU_CHANGESETS_PRIVATE_KEY }}
+
+      - name: Set git user to Gu Changesets app
+        run: |
+          git config user.name "gu-changesets-release-pr[bot]"
+          git config user.email "gu-changesets-release-pr[bot]@users.noreply.github.com"
+
+      - name: Create Release Pull Request or Publish to npm
+        id: changesets
+        uses: changesets/action@v1
+        with:
+          publish: npx changeset publish
+          title: "🦋 Release package updates"
+          commit: "Bump package version"
+          setupGitUser: false
+
+        env:
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
+          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}

package/.github/workflows/snyk.yml

@@ -0,0 +1,19 @@
+name: Snyk
+
+on:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+
+jobs:
+  security:
+    uses: guardian/.github/.github/workflows/sbt-node-snyk.yml@main
+    with:
+      DEBUG: true
+      ORG: guardian
+      SKIP_NODE: false
+      NODE_VERSION_FILE: .nvmrc
+
+    secrets:
+       SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

package/.nvmrc

@@ -1 +1 @@
-8
+v20.18.1

package/CHANGELOG.md

@@ -0,0 +1,13 @@
+# @guardian/pan-domain-node
+
+## 0.5.1
+
+### Patch Changes
+
+- bdd4adb: Testing changeset release and capitalising some text
+
+## 0.5.0
+
+### Minor Changes
+
+- 01ddac5: Fix bug preventing cookie expiry from being correctly validated

package/CODEOWNERS

@@ -0,0 +1 @@
+* @guardian/digital-cms

package/LICENSE

@@ -0,0 +1,201 @@
+Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "{}"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright {yyyy} {name of copyright owner}
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

package/README.md

@@ -0,0 +1,55 @@
+# Pan Domain Node 
+
+Pan domain authentication provides distributed authentication for multiple webapps running in the same domain. Each
+application can authenticate users against an OAuth provider and store the authentication information in a common cookie.
+Each application can read this cookie and check if the user is allowed in the specific application and allow access accordingly.
+
+This means that users are only prompted to provide authentication credentials once across the domain and any inter-app
+interactions (e.g javascript Cross-Origin requests) can be easily secured.
+
+## What's provided
+
+The main [pan-domain-authentication](https://github.com/guardian/pan-domain-authentication) repository provides the
+functionality for signing and verifying login cookies in Scala.
+
+The `pan-domain-node` library provides an implementation of *verification only* for node apps.
+
+## To verify login in NodeJS
+
+[![npm version](https://badge.fury.io/js/%40guardian%2Fpan-domain-node.svg)](https://badge.fury.io/js/%40guardian%2Fpan-domain-node)
+
+```
+npm install --save-dev @guardian/pan-domain-node
+```
+
+```typescript
+import { PanDomainAuthentication, AuthenticationStatus, User, guardianValidation } from '@guardian/pan-domain-node';
+
+const panda = new PanDomainAuthentication(
+  "gutoolsAuth-assym", // cookie name
+  "eu-west-1", // AWS region
+  "pan-domain-auth-settings", // Settings bucket
+  "local.dev-gutools.co.uk.settings.public", // Settings file
+  guardianValidation
+);
+
+// alternatively customise the validation function and pass at construction
+function customValidation(user: User): boolean {
+  const isInCorrectDomain = user.email.indexOf('test.com') !== -1;
+  return isInCorrectDomain && user.multifactor;
+}
+
+// when handling a request
+function(request) {
+  // Pass the raw unparsed cookies
+  return panda.verify(request.headers['Cookie']).then(( { status, user }) => {
+    switch(status) {
+      case AuthenticationStatus.Authorised:
+        // Good user, handle the request!
+
+      default:
+        // Bad user. Return 4XX
+    }
+  });
+}
+```

package/dist/src/api.js

@@ -1,7 +1,8 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.guardianValidation = exports.AuthenticationStatus = void 0;
 var panda_1 = require("./panda");
-exports.PanDomainAuthentication = panda_1.PanDomainAuthentication;
+Object.defineProperty(exports, "PanDomainAuthentication", { enumerable: true, get: function () { return panda_1.PanDomainAuthentication; } });
 var AuthenticationStatus;
 (function (AuthenticationStatus) {
     AuthenticationStatus["INVALID_COOKIE"] = "Invalid Cookie";

package/dist/src/fetch-public-key.d.ts

@@ -0,0 +1,5 @@
+export interface PublicKeyHolder {
+    key: string;
+    lastUpdated: Date;
+}
+export declare function fetchPublicKey(region: string, bucket: String, keyFile: String): Promise<PublicKeyHolder>;

package/dist/src/fetch-public-key.js

@@ -0,0 +1,40 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.fetchPublicKey = void 0;
+const iniparser = __importStar(require("iniparser"));
+const utils_1 = require("./utils");
+function fetchPublicKey(region, bucket, keyFile) {
+    const path = `https://s3.${region}.amazonaws.com/${bucket}/${keyFile}`;
+    return utils_1.httpGet(path).then(response => {
+        const config = iniparser.parseString(response);
+        if (config.publicKey) {
+            return {
+                key: utils_1.base64ToPEM(config.publicKey, "PUBLIC"),
+                lastUpdated: new Date()
+            };
+        }
+        else {
+            throw new Error("Missing publicKey setting from config");
+        }
+    });
+}
+exports.fetchPublicKey = fetchPublicKey;

package/dist/src/panda.d.ts

@@ -1,11 +1,8 @@
 /// <reference types="node" />
 import { User, AuthenticationResult, ValidateUserFn } from './api';
-interface PublicKeyHolder {
-    key: string;
-    lastUpdated: Date;
-}
+import { PublicKeyHolder } from './fetch-public-key';
 export declare function createCookie(user: User, privateKey: string): string;
-export declare function verifyUser(pandaCookie: string | undefined, publicKey: string, currentTimestamp: number, validateUser: ValidateUserFn): AuthenticationResult;
+export declare function verifyUser(pandaCookie: string | undefined, publicKey: string, currentTime: Date, validateUser: ValidateUserFn): AuthenticationResult;
 export declare class PanDomainAuthentication {
     cookieName: string;
     region: string;
@@ -20,4 +17,3 @@ export declare class PanDomainAuthentication {
     getPublicKey(): Promise<string>;
     verify(requestCookies: string): Promise<AuthenticationResult>;
 }
-export {};

package/dist/src/panda.js

@@ -1,31 +1,29 @@
 "use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
 var __importStar = (this && this.__importStar) || function (mod) {
     if (mod && mod.__esModule) return mod;
     var result = {};
-    if (mod != null) for (var k in mod) if (Object.hasOwnProperty.call(mod, k)) result[k] = mod[k];
-    result["default"] = mod;
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
     return result;
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-const iniparser = __importStar(require("iniparser"));
+exports.PanDomainAuthentication = exports.verifyUser = exports.createCookie = void 0;
 const cookie = __importStar(require("cookie"));
 const utils_1 = require("./utils");
 const api_1 = require("./api");
-function fetchPublicKey(region, bucket, keyFile) {
-    const path = `https://s3.${region}.amazonaws.com/${bucket}/${keyFile}`;
-    return utils_1.httpGet(path).then(response => {
-        const config = iniparser.parseString(response);
-        if (config.publicKey) {
-            return {
-                key: utils_1.base64ToPEM(config.publicKey, "PUBLIC"),
-                lastUpdated: new Date()
-            };
-        }
-        else {
-            throw new Error("Missing publicKey setting from config");
-        }
-    });
-}
+const fetch_public_key_1 = require("./fetch-public-key");
 function createCookie(user, privateKey) {
     let queryParams = [];
     queryParams.push("firstName=" + user.firstName);
@@ -42,7 +40,7 @@ function createCookie(user, privateKey) {
     return queryParamsString + "." + signature;
 }
 exports.createCookie = createCookie;
-function verifyUser(pandaCookie, publicKey, currentTimestamp, validateUser) {
+function verifyUser(pandaCookie, publicKey, currentTime, validateUser) {
     if (!pandaCookie) {
         return { status: api_1.AuthenticationStatus.INVALID_COOKIE };
     }
@@ -50,9 +48,10 @@ function verifyUser(pandaCookie, publicKey, currentTimestamp, validateUser) {
     if (!utils_1.verifySignature(data, signature, publicKey)) {
         return { status: api_1.AuthenticationStatus.INVALID_COOKIE };
     }
+    const currentTimestampInMilliseconds = currentTime.getTime();
     try {
         const user = utils_1.parseUser(data);
-        const isExpired = user.expires < currentTimestamp;
+        const isExpired = user.expires < currentTimestampInMilliseconds;
         if (isExpired) {
             return { status: api_1.AuthenticationStatus.EXPIRED, user };
         }
@@ -75,20 +74,21 @@ class PanDomainAuthentication {
         this.bucket = bucket;
         this.keyFile = keyFile;
         this.validateUser = validateUser;
-        this.publicKey = fetchPublicKey(region, bucket, keyFile);
+        this.publicKey = fetch_public_key_1.fetchPublicKey(region, bucket, keyFile);
         this.keyUpdateTimer = setInterval(() => this.getPublicKey(), this.keyCacheTime);
     }
     stop() {
         if (this.keyUpdateTimer) {
             clearInterval(this.keyUpdateTimer);
+            this.keyUpdateTimer = undefined;
         }
     }
     getPublicKey() {
         return this.publicKey.then(({ key, lastUpdated }) => {
             const now = new Date();
-            const diff = now.getMilliseconds() - lastUpdated.getMilliseconds();
+            const diff = now.getTime() - lastUpdated.getTime();
             if (diff > this.keyCacheTime) {
-                this.publicKey = fetchPublicKey(this.region, this.bucket, this.keyFile);
+                this.publicKey = fetch_public_key_1.fetchPublicKey(this.region, this.bucket, this.keyFile);
                 return this.publicKey.then(({ key }) => key);
             }
             else {
@@ -100,8 +100,7 @@ class PanDomainAuthentication {
         return this.getPublicKey().then(publicKey => {
             const cookies = cookie.parse(requestCookies);
             const pandaCookie = cookies[this.cookieName];
-            const now = new Date().getMilliseconds();
-            return verifyUser(pandaCookie, publicKey, now, this.validateUser);
+            return verifyUser(pandaCookie, publicKey, new Date(), this.validateUser);
         });
     }
 }

package/dist/src/utils.js

@@ -1,12 +1,25 @@
 "use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
 var __importStar = (this && this.__importStar) || function (mod) {
     if (mod && mod.__esModule) return mod;
     var result = {};
-    if (mod != null) for (var k in mod) if (Object.hasOwnProperty.call(mod, k)) result[k] = mod[k];
-    result["default"] = mod;
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
     return result;
 };
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.parseUser = exports.httpGet = exports.base64ToPEM = exports.sign = exports.verifySignature = exports.parseCookie = exports.decodeBase64 = void 0;
 const crypto = __importStar(require("crypto"));
 const https = __importStar(require("https"));
 const url_1 = require("url");

package/dist/test/fixtures.js

@@ -1,5 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.sampleNonGuardianCookie = exports.sampleCookieWithoutMultifactor = exports.sampleCookie = exports.publicKey = exports.encodedPublicKey = exports.privateKey = exports.encodedPrivateKey = void 0;
 const utils_1 = require("../src/utils");
 exports.encodedPrivateKey = "MIIJKAIBAAKCAgEAur0hOjhB2QWjwOopCR+Qo27AYv97BJkVaKWPXpj9RfvY1wtpIratDN6tkXN9WCRPzVX8+5qaW034Kvf9WwBZD1ntS8iHYwY1YUaU8Mrp2sRT3K0RqyBlTswIH3HIqpASqv7ZtwDHdhk7Cbd13P5aomJSOjYFhCDUi3sRbjJP1kb6uQLdkZj8fIU518HzSR7Kw7p2mbDqSrGbnaeHWd0Tr3BvDHp9Pi0KpSAVm2qWAXix+BcjMA4ar7kLU1Pre0lt4K4DlSvq5XoHdX9/yvS6KGf+8pXDR9bY6dgRPSG4mzKpiKfkv1eXE8WKs0q3217QZItaSjocw4d0o47vSN+/MAh9V5Zewyb6ogs8JicX3Y3FPG29I1g8iLf3kBZ7V4mUimGuOq/L+1YVvyOTb2zWWMjNmECO2lrxXJc5LWRs5FmSJyCdilRktDE0WTGUo89O+DcF2752qtpUmlV2fllU1LXIAn0TJKiAZspKakamifrgYFIzZK4oZ8wDeFesQB/a/U7wtyv85vknzCtMLI28dnpGQ/ZFHNqWYVaHoHsnEmWion7lgMctnpY5pwKFfUSfZecl2Xqwjk1HZj71A9TFNQj+/x4z957cNtx+utAkGinK3eZF+H1o5YnSgjg4hN41kbXttk8nADerPdF7hDS6np7xzUl6qOicJhEOJ5x0c18CAwEAAQKCAgAFEDXDb10Rtl5vT6oXLjzswYcD6Ct8v23eLYcKqJlNeXuysQODxnJAxBTuubPvXOSxC6DVbaa7zQxqldjPy92eVfDiOii5naR648AMG2Rl4ybm9+Zfvnwgu9WIjLxFK6zl6A0dMi82W47HP6s5d8gbWREjtO1HXOCGe6rIUyLpC3mm5JX/aaeG9NHRsNeY5vXWgsrOdgaUSeaPSsiXvi/XdPP94aBdvDjqq0kKssQofA5PTMlOd0Nv+lN9Sew7po0NJ4q/U7aFzF5BaFidty8JA3DdQQRPgVrWVF57StvHkYMZSnwgWA6noZaWL/N2RkbeQw0KsDKxdo3KFYkVb8OuTN68b3J5sKIo48LaDbfWbuThcdUFdpKXUd6lvJ2vCnbN6e1fzJdjpCNg9mb2g8KnSW9xqXek8cx0b+LNh+p/YDUI/BZDfsXjeqODiGEruYWfaYiL4STOOXIq5SoyP6XEDbX41UHcb/P3pJExBB7R6fpUFREUd0tUAQAQ93YUitWIs8U1tVAB9/qaUO6BFgOghrbswUiX4twVdmqhrBVOcYUImu7LUdcpMLIdR/gyy47w8xEhiv/oudWVx7rkJS4+l949KtUmyd5x+MNT7nAF99eSIv3iNpL6eS7OWiak5gfoVATy0shNd48H62mGtYjfoGzndGE26tNCHXoAkTrbQQKCAQEA47QXH0Y5xbnq8rlqukwVt+EDMJUtZBqfxGDnkDmtfGefxiyE1VLb+Q0Z1es3lxjcmb1Qupl9tjrWeejK2QymSOzPaluOTpIFOZbFqzNha68nONoiWjqwkCg7VvTo0mRKLwSEnCrCOB8HiLKQAhirdPwtW/8PLd+B8HZSB3UKFylbT+ghHIz5b4P81GksRGbsb6g3+ipz53mvtJpe77J7Y84wPQppj6Ry0WjsQr4iv2hF5PWNMhHVDj8eO80DJvWRCFVTWqTE3WYxZJ/5jdeOdVTwtrYghP72X0zAnVpQCVzcn8tLghKsfePhCw3zNtFE3dk4XHQD4uhPU88GtxJ3vwKCAQEA0fHVZmW8EwxYUEzhFl+2J4evszh8R2Sga+LHv4hy2qGydiciVnv4Y/IoScc0IQ+YHoj9fNad+/UoR8ctSBgrPDzeiY/7ldSp/j5Tbqb4h3Ioaqf9uNg7qHpnciz1o8AI8fFelXZ5hA8GuXo8VGy60xMCyapjkLzTXshdRPjUzcLX1PrUy+me4ZR/KdIkqOOmzgvBVII3gb0iN70gTqn2HSIUC3yMiXA+X6OkHoDL7tn8tkF/aD+uenxOvOadsoJPtaFPaMD0X5vJ8LIjsBThAncVApx93XJIdkJm2ffXq2JhQJfZ6ZXypa6ooepzmB58kxA+TZiJpQLLQJ17xC/sYQKCAQBwuzJPW3cyuw7kyINcZFrERHRN0y07yCqdENTUBJotYygo9tV0v6cEMEZAMEm/VqGww5d6Ko+gbpTMmkIDH04cAJHXuChGIejQUCLg1Xk/1OF4NhaX0UKkvCZUsL+rmddYW8ZDgq/RFRunw6+kOg54xni2eRpMvcEZCZsm8fzi5qi8cNIjzm+XlCLSDpfJ7aLUzNWZ1va2/PnOUjb6OMT57pTXQ5ZrdSEbJ/UAPh354WfpKOCUj1uJyBnxxVfwK9d35rZzw+trKTL+/GySmst+r2TVMGn9LjVPjTI3NQU2/XCE9CMX7KLVWMKLtIZa91Q++VH8A7wA1L6hYXeTn2MFAoIBAEb5xvdTNX4LEmAzXXU+7kn26UNhuUI5lrJifL0X2BxpxfeDy2wJhTPkzhIDMnBq4TaRgYEO3WIsw21gvMI+yX8X5PQEpT1GJCI71+D0udiwk1Fbcb9n+uM+XnKPGIw/g8annx5Qa0xl+BQEaxjvmUl6h9q9q+Nmst68RivnI6pcULNECWTWmkwQ89yjmpkuPVozRyzWyQUnd8X4Pk/ZzcaTmss3VBuywqN6oyVczZT2RSUoh3Yq8UWfeM8L+Aw9Wc1Bt6LmeLdJ579jugTxShCXSZcUaMjQtgak9DiEPXlHTTGVJKp/cwToQ0JaDLJEvEDLoQSCqSYMB8LUet8chIECggEBANxvUJxCLbx4CZrUJC5O2w01GMDFdTfYOUcK75pFAbXkpBPXDLsuz2dK1y8ANk3ibWWrlV6YKDUwl+gWDHmJOcvKqKKAeUnrhIMmJGaO6C++5DxPE/n7g5M86GA0bu/+B+32wL/65B8HoJrkHnSMJp9GcCsVZA3+2xcJfo+xAiXeiRobRIxCQMYCDDM7Hr7X5jGa7l9bQr4GuWRKRYTroE9LCDnH/LLUN+0ny3UXrSjtTUVL4mVAJT0Ws2H1zUzVDbu7ZQgA0u3GjtdFvAnS/E+ln8DS3Q1DeD6Zsf0hrrJbtwU4zZIU445SZ+IUaTjueB9v/skukoIQi/0Mj+gpZ1c=";
 exports.privateKey = utils_1.base64ToPEM(exports.encodedPrivateKey, "RSA PRIVATE");

package/dist/test/panda.test.js

@@ -1,28 +1,41 @@
 "use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
 Object.defineProperty(exports, "__esModule", { value: true });
 const api_1 = require("../src/api");
 const panda_1 = require("../src/panda");
+const fetch_public_key_1 = require("../src/fetch-public-key");
 const fixtures_1 = require("./fixtures");
 const utils_1 = require("../src/utils");
+jest.mock('../src/fetch-public-key');
+jest.useFakeTimers('modern');
 describe('verifyUser', function () {
     test("return invalid cookie if missing", () => {
-        expect(panda_1.verifyUser(undefined, "", 0, api_1.guardianValidation).status).toBe(api_1.AuthenticationStatus.INVALID_COOKIE);
+        expect(panda_1.verifyUser(undefined, "", new Date(0), api_1.guardianValidation).status).toBe(api_1.AuthenticationStatus.INVALID_COOKIE);
     });
     test("return invalid cookie for a malformed signature", () => {
         const [data, signature] = fixtures_1.sampleCookie.split(".");
         const testCookie = data + ".1234";
-        expect(panda_1.verifyUser(testCookie, fixtures_1.publicKey, 0, api_1.guardianValidation).status).toBe(api_1.AuthenticationStatus.INVALID_COOKIE);
+        expect(panda_1.verifyUser(testCookie, fixtures_1.publicKey, new Date(0), api_1.guardianValidation).status).toBe(api_1.AuthenticationStatus.INVALID_COOKIE);
     });
     test("return expired", () => {
-        const someTimeInTheFuture = 5678;
+        const someTimeInTheFuture = new Date(5678);
+        expect(someTimeInTheFuture.getTime()).toBe(5678);
         expect(panda_1.verifyUser(fixtures_1.sampleCookie, fixtures_1.publicKey, someTimeInTheFuture, api_1.guardianValidation).status).toBe(api_1.AuthenticationStatus.EXPIRED);
     });
     test("return not authenticated if user fails validation function", () => {
-        expect(panda_1.verifyUser(fixtures_1.sampleCookieWithoutMultifactor, fixtures_1.publicKey, 0, api_1.guardianValidation).status).toBe(api_1.AuthenticationStatus.NOT_AUTHORISED);
-        expect(panda_1.verifyUser(fixtures_1.sampleNonGuardianCookie, fixtures_1.publicKey, 0, api_1.guardianValidation).status).toBe(api_1.AuthenticationStatus.NOT_AUTHORISED);
+        expect(panda_1.verifyUser(fixtures_1.sampleCookieWithoutMultifactor, fixtures_1.publicKey, new Date(0), api_1.guardianValidation).status).toBe(api_1.AuthenticationStatus.NOT_AUTHORISED);
+        expect(panda_1.verifyUser(fixtures_1.sampleNonGuardianCookie, fixtures_1.publicKey, new Date(0), api_1.guardianValidation).status).toBe(api_1.AuthenticationStatus.NOT_AUTHORISED);
     });
     test("return authenticated", () => {
-        expect(panda_1.verifyUser(fixtures_1.sampleCookie, fixtures_1.publicKey, 0, api_1.guardianValidation).status).toBe(api_1.AuthenticationStatus.AUTHORISED);
+        expect(panda_1.verifyUser(fixtures_1.sampleCookie, fixtures_1.publicKey, new Date(0), api_1.guardianValidation).status).toBe(api_1.AuthenticationStatus.AUTHORISED);
     });
 });
 describe('createCookie', function () {
@@ -41,3 +54,61 @@ describe('createCookie', function () {
         expect(cookie).toEqual(fixtures_1.sampleCookie);
     });
 });
+describe('panda class', function () {
+    beforeEach(() => {
+        fetch_public_key_1.fetchPublicKey.mockResolvedValue({ key: 'PUBLIC KEY', lastUpdated: new Date() });
+    });
+    describe('stop', () => {
+        it('stops auto refresh', () => {
+            const panda = new panda_1.PanDomainAuthentication('cookiename', 'region', 'bucket', 'keyfile', (u) => true);
+            expect(panda.keyUpdateTimer).not.toBeUndefined();
+            panda.stop();
+            expect(panda.keyUpdateTimer).toBeUndefined();
+        });
+    });
+    describe('getPublicKey', () => {
+        it('getsPublicKey immediately when last fetch is within the cache time', () => __awaiter(this, void 0, void 0, function* () {
+            const panda = new panda_1.PanDomainAuthentication('cookiename', 'region', 'bucket', 'keyfile', (u) => true);
+            const fetchesBeforeGet = fetch_public_key_1.fetchPublicKey.mock.calls.length;
+            yield expect(panda.getPublicKey()).resolves.toEqual('PUBLIC KEY');
+            const fetchesAfterGet = fetch_public_key_1.fetchPublicKey.mock.calls.length;
+            expect(fetchesAfterGet).toEqual(fetchesBeforeGet);
+        }));
+        it('getsPublicKey after refetching when last fetch is outside the cache time', () => __awaiter(this, void 0, void 0, function* () {
+            // cache time is 1 min
+            const fiveMinsAgo = new Date();
+            fiveMinsAgo.setMinutes(fiveMinsAgo.getMinutes() - 5);
+            fetch_public_key_1.fetchPublicKey.mockResolvedValue({ key: 'PUBLIC KEY', lastUpdated: fiveMinsAgo });
+            const panda = new panda_1.PanDomainAuthentication('cookiename', 'region', 'bucket', 'keyfile', (u) => true);
+            const fetchesBefore = fetch_public_key_1.fetchPublicKey.mock.calls.length;
+            yield expect(panda.getPublicKey()).resolves.toEqual('PUBLIC KEY');
+            fetch_public_key_1.fetchPublicKey.mockResolvedValue({ key: 'PUBLIC KEY 2', lastUpdated: fiveMinsAgo });
+            const fetchesAfter = fetch_public_key_1.fetchPublicKey.mock.calls.length;
+            yield expect(panda.getPublicKey()).resolves.toEqual('PUBLIC KEY 2');
+            expect(fetchesAfter).toEqual(fetchesBefore + 1);
+        }));
+    });
+    describe('verify', () => {
+        beforeEach(() => {
+            fetch_public_key_1.fetchPublicKey.mockResolvedValue({ key: fixtures_1.publicKey, lastUpdated: new Date() });
+        });
+        it('should return authenticated if valid', () => __awaiter(this, void 0, void 0, function* () {
+            jest.setSystemTime(100);
+            const panda = new panda_1.PanDomainAuthentication('cookiename', 'region', 'bucket', 'keyfile', (u) => true);
+            const { status } = yield panda.verify(`cookiename=${fixtures_1.sampleCookie}`);
+            expect(status).toBe(api_1.AuthenticationStatus.AUTHORISED);
+        }));
+        it('should return expired if expired', () => __awaiter(this, void 0, void 0, function* () {
+            jest.setSystemTime(10000);
+            const panda = new panda_1.PanDomainAuthentication('cookiename', 'region', 'bucket', 'keyfile', (u) => true);
+            const { status } = yield panda.verify(`cookiename=${fixtures_1.sampleCookie}`);
+            expect(status).toBe(api_1.AuthenticationStatus.EXPIRED);
+        }));
+        it('should return not authenticated if validation fails', () => __awaiter(this, void 0, void 0, function* () {
+            jest.setSystemTime(100);
+            const panda = new panda_1.PanDomainAuthentication('cookiename', 'region', 'bucket', 'keyfile', api_1.guardianValidation);
+            const { status } = yield panda.verify(`cookiename=${fixtures_1.sampleNonGuardianCookie}`);
+            expect(status).toBe(api_1.AuthenticationStatus.NOT_AUTHORISED);
+        }));
+    });
+});

package/jest.config.js

@@ -3,6 +3,7 @@ module.exports = {
     "<rootDir>/src",
     "<rootDir>/test"
   ],
+  "clearMocks": true,
   "transform": {
     "^.+\\.tsx?$": "ts-jest"
   },
@@ -15,4 +16,4 @@ module.exports = {
     "json",
     "node"
   ],
-}
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@guardian/pan-domain-node",
-  "version": "0.4.2",
+  "version": "0.5.1",
   "description": "NodeJs implementation of Guardian pan-domain auth verification",
   "main": "dist/src/api.js",
   "types": "dist/src/api.d.ts",
@@ -22,16 +22,17 @@
   },
   "homepage": "https://github.com/guardian/pan-domain-authentication",
   "devDependencies": {
-    "@types/cookie": "^0.3.2",
+    "@changesets/cli": "^2.27.10",
+    "@types/cookie": "^0.4.0",
     "@types/iniparser": "0.0.29",
-    "@types/jest": "^24.0.9",
-    "@types/node": "^11.10.5",
-    "jest": "^24.3.1",
-    "ts-jest": "^24.0.0",
-    "typescript": "^3.3.3333"
+    "@types/jest": "^26.0.9",
+    "@types/node": "^14.0.27",
+    "jest": "^26.2.2",
+    "ts-jest": "^26.1.4",
+    "typescript": "^3.9.7"
   },
   "dependencies": {
-    "cookie": "^0.3.1",
+    "cookie": "^0.4.1",
     "iniparser": "^1.0.5"
   },
   "scripts": {

package/src/fetch-public-key.ts

@@ -0,0 +1,27 @@
+import * as iniparser from 'iniparser';
+import {base64ToPEM, httpGet} from './utils';
+
+export interface PublicKeyHolder {
+    key: string,
+    lastUpdated: Date
+}
+
+
+export function fetchPublicKey(region: string, bucket: String, keyFile: String): Promise<PublicKeyHolder> {
+    const path = `https://s3.${region}.amazonaws.com/${bucket}/${keyFile}`;
+
+    return httpGet(path).then(response => {
+        const config: { publicKey?: string} = iniparser.parseString(response);
+
+        if(config.publicKey) {
+            return {
+                key: base64ToPEM(config.publicKey, "PUBLIC"),
+                lastUpdated: new Date()
+            };
+        } else {
+            throw new Error("Missing publicKey setting from config");
+        }
+    });
+}
+
+

package/src/panda.ts

@@ -1,30 +1,8 @@
-import * as iniparser from 'iniparser';
 import * as cookie from 'cookie';
 
-import {base64ToPEM, httpGet, parseCookie, parseUser, sign, verifySignature} from './utils';
+import {parseCookie, parseUser, sign, verifySignature} from './utils';
 import {AuthenticationStatus, User, AuthenticationResult, ValidateUserFn} from './api';
-
-interface PublicKeyHolder {
-    key: string,
-    lastUpdated: Date
-}
-
-function fetchPublicKey(region: string, bucket: String, keyFile: String): Promise<PublicKeyHolder> {
-    const path = `https://s3.${region}.amazonaws.com/${bucket}/${keyFile}`;
-
-    return httpGet(path).then(response => {
-        const config: { publicKey?: string} = iniparser.parseString(response);
-
-        if(config.publicKey) {
-            return {
-                key: base64ToPEM(config.publicKey, "PUBLIC"),
-                lastUpdated: new Date()
-            };
-        } else {
-            throw new Error("Missing publicKey setting from config");
-        }
-    });
-}
+import { fetchPublicKey, PublicKeyHolder } from './fetch-public-key';
 
 export function createCookie(user: User, privateKey: string): string {
     let queryParams: string[] = [];
@@ -46,7 +24,7 @@ export function createCookie(user: User, privateKey: string): string {
     return queryParamsString + "." + signature
 }
 
-export function verifyUser(pandaCookie: string | undefined, publicKey: string, currentTimestamp: number, validateUser: ValidateUserFn): AuthenticationResult {
+export function verifyUser(pandaCookie: string | undefined, publicKey: string, currentTime: Date, validateUser: ValidateUserFn): AuthenticationResult {
     if(!pandaCookie) {
         return { status: AuthenticationStatus.INVALID_COOKIE };
     }
@@ -57,9 +35,11 @@ export function verifyUser(pandaCookie: string | undefined, publicKey: string, c
         return { status: AuthenticationStatus.INVALID_COOKIE };
     }
 
+    const currentTimestampInMilliseconds = currentTime.getTime();
+
     try {
         const user: User = parseUser(data);
-        const isExpired = user.expires < currentTimestamp;
+        const isExpired = user.expires < currentTimestampInMilliseconds;
 
         if(isExpired) {
             return { status: AuthenticationStatus.EXPIRED, user };
@@ -102,13 +82,14 @@ export class PanDomainAuthentication {
     stop(): void {
         if(this.keyUpdateTimer) {
             clearInterval(this.keyUpdateTimer);
+            this.keyUpdateTimer = undefined;
         }
     }
 
     getPublicKey(): Promise<string> {
         return this.publicKey.then(({ key, lastUpdated }) => {
             const now = new Date();
-            const diff = now.getMilliseconds() - lastUpdated.getMilliseconds();
+            const diff = now.getTime() - lastUpdated.getTime();
 
             if(diff > this.keyCacheTime) {
                 this.publicKey = fetchPublicKey(this.region, this.bucket, this.keyFile);
@@ -124,8 +105,7 @@ export class PanDomainAuthentication {
             const cookies = cookie.parse(requestCookies);
             const pandaCookie = cookies[this.cookieName];
 
-            const now = new Date().getMilliseconds();
-            return verifyUser(pandaCookie, publicKey, now, this.validateUser);
+            return verifyUser(pandaCookie, publicKey, new Date(), this.validateUser);
         });
     }
 }

package/test/panda.test.ts

@@ -1,5 +1,6 @@
 import {guardianValidation, AuthenticationStatus, User} from '../src/api';
-import { verifyUser, createCookie } from '../src/panda';
+import { verifyUser, createCookie, PanDomainAuthentication } from '../src/panda';
+import { fetchPublicKey } from '../src/fetch-public-key';
 
 import {
     sampleCookie,
@@ -10,31 +11,35 @@ import {
 } from './fixtures';
 import {decodeBase64} from "../src/utils";
 
+jest.mock('../src/fetch-public-key');
+jest.useFakeTimers('modern');
+
 describe('verifyUser', function () {
 
     test("return invalid cookie if missing", () => {
-        expect(verifyUser(undefined, "", 0, guardianValidation).status).toBe(AuthenticationStatus.INVALID_COOKIE);
+        expect(verifyUser(undefined, "", new Date(0), guardianValidation).status).toBe(AuthenticationStatus.INVALID_COOKIE);
     });
 
     test("return invalid cookie for a malformed signature", () => {
         const [data, signature] = sampleCookie.split(".");
         const testCookie = data + ".1234";
 
-        expect(verifyUser(testCookie, publicKey, 0, guardianValidation).status).toBe(AuthenticationStatus.INVALID_COOKIE);
+        expect(verifyUser(testCookie, publicKey, new Date(0), guardianValidation).status).toBe(AuthenticationStatus.INVALID_COOKIE);
     });
 
     test("return expired", () => {
-        const someTimeInTheFuture = 5678;
+        const someTimeInTheFuture = new Date(5678);
+        expect(someTimeInTheFuture.getTime()).toBe(5678);
         expect(verifyUser(sampleCookie, publicKey, someTimeInTheFuture, guardianValidation).status).toBe(AuthenticationStatus.EXPIRED);
     });
 
     test("return not authenticated if user fails validation function", () => {
-        expect(verifyUser(sampleCookieWithoutMultifactor, publicKey, 0, guardianValidation).status).toBe(AuthenticationStatus.NOT_AUTHORISED);
-        expect(verifyUser(sampleNonGuardianCookie, publicKey, 0, guardianValidation).status).toBe(AuthenticationStatus.NOT_AUTHORISED);
+        expect(verifyUser(sampleCookieWithoutMultifactor, publicKey, new Date(0), guardianValidation).status).toBe(AuthenticationStatus.NOT_AUTHORISED);
+        expect(verifyUser(sampleNonGuardianCookie, publicKey, new Date(0), guardianValidation).status).toBe(AuthenticationStatus.NOT_AUTHORISED);
     });
 
     test("return authenticated", () => {
-        expect(verifyUser(sampleCookie, publicKey, 0, guardianValidation).status).toBe(AuthenticationStatus.AUTHORISED);
+        expect(verifyUser(sampleCookie, publicKey, new Date(0), guardianValidation).status).toBe(AuthenticationStatus.AUTHORISED);
     });
 });
 
@@ -56,3 +61,93 @@ describe('createCookie', function () {
         expect(cookie).toEqual(sampleCookie)
     });
 });
+
+describe('panda class', function () {
+  beforeEach(() => {
+    (fetchPublicKey as jest.MockedFunction<typeof fetchPublicKey>).mockResolvedValue({ key: 'PUBLIC KEY', lastUpdated: new Date() });
+  });
+
+  describe('stop', () => {
+
+    it('stops auto refresh', () => {
+      const panda = new PanDomainAuthentication('cookiename', 'region', 'bucket', 'keyfile', (u)=> true);
+      expect(panda.keyUpdateTimer).not.toBeUndefined();
+      panda.stop();
+      expect(panda.keyUpdateTimer).toBeUndefined();
+    });
+
+  });
+
+  describe('getPublicKey', () => {
+
+    it('getsPublicKey immediately when last fetch is within the cache time', async () => {
+
+      const panda = new PanDomainAuthentication('cookiename', 'region', 'bucket', 'keyfile', (u)=> true);
+      const fetchesBeforeGet = (fetchPublicKey as jest.MockedFunction<typeof fetchPublicKey>).mock.calls.length;
+
+      await expect(panda.getPublicKey()).resolves.toEqual('PUBLIC KEY');
+      const fetchesAfterGet = (fetchPublicKey as jest.MockedFunction<typeof fetchPublicKey>).mock.calls.length;
+
+      expect(fetchesAfterGet).toEqual(fetchesBeforeGet);
+
+    });
+
+    it('getsPublicKey after refetching when last fetch is outside the cache time', async () => {
+      // cache time is 1 min
+      const fiveMinsAgo = new Date();
+      fiveMinsAgo.setMinutes(fiveMinsAgo.getMinutes() - 5);
+
+      (fetchPublicKey as jest.MockedFunction<typeof fetchPublicKey>).mockResolvedValue({ key: 'PUBLIC KEY', lastUpdated: fiveMinsAgo });
+
+      const panda = new PanDomainAuthentication('cookiename', 'region', 'bucket', 'keyfile', (u)=> true);
+
+      const fetchesBefore = (fetchPublicKey as jest.MockedFunction<typeof fetchPublicKey>).mock.calls.length;
+
+      await expect(panda.getPublicKey()).resolves.toEqual('PUBLIC KEY');
+
+      (fetchPublicKey as jest.MockedFunction<typeof fetchPublicKey>).mockResolvedValue({ key: 'PUBLIC KEY 2', lastUpdated: fiveMinsAgo });
+
+      const fetchesAfter = (fetchPublicKey as jest.MockedFunction<typeof fetchPublicKey>).mock.calls.length;
+
+      await expect(panda.getPublicKey()).resolves.toEqual('PUBLIC KEY 2');
+
+      expect(fetchesAfter).toEqual(fetchesBefore + 1);
+    });
+
+  });
+
+  describe('verify', () => {
+
+    beforeEach(() => {
+      (fetchPublicKey as jest.MockedFunction<typeof fetchPublicKey>).mockResolvedValue({ key: publicKey, lastUpdated: new Date() });
+    });
+
+    it('should return authenticated if valid', async () => {
+      jest.setSystemTime(100);
+      const panda = new PanDomainAuthentication('cookiename', 'region', 'bucket', 'keyfile', (u)=> true);
+      const { status } = await panda.verify(`cookiename=${sampleCookie}`);
+
+      expect(status).toBe(AuthenticationStatus.AUTHORISED);
+    });
+
+    it('should return expired if expired', async () => {
+      jest.setSystemTime(10_000);
+
+      const panda = new PanDomainAuthentication('cookiename', 'region', 'bucket', 'keyfile', (u)=> true);
+      const { status } = await panda.verify(`cookiename=${sampleCookie}`);
+
+      expect(status).toBe(AuthenticationStatus.EXPIRED);
+    });
+
+    it('should return not authenticated if validation fails', async () => {
+      jest.setSystemTime(100);
+
+      const panda = new PanDomainAuthentication('cookiename', 'region', 'bucket', 'keyfile', guardianValidation);
+      const { status } = await panda.verify(`cookiename=${sampleNonGuardianCookie}`);
+
+      expect(status).toBe(AuthenticationStatus.NOT_AUTHORISED);
+    });
+
+  });
+
+});