@guardian/pan-domain-node 0.5.1 → 1.0.0

package/test/panda.test.ts

@@ -1,4 +1,9 @@
-import {guardianValidation, AuthenticationStatus, User} from '../src/api';
+import {
+    CookieFailure, FreshSuccess,
+    gracePeriodInMillis,
+    guardianValidation, StaleSuccess,
+    User, UserValidationFailure
+} from '../src/api';
 import { verifyUser, createCookie, PanDomainAuthentication } from '../src/panda';
 import { fetchPublicKey } from '../src/fetch-public-key';
 
@@ -9,37 +14,132 @@ import {
     publicKey,
     privateKey
 } from './fixtures';
-import {decodeBase64} from "../src/utils";
+import {decodeBase64, parseCookie, ParsedCookie, parseUser} from "../src/utils";
 
 jest.mock('../src/fetch-public-key');
 jest.useFakeTimers('modern');
 
+function userFromCookie(cookie: string): User {
+    // This function is only used to generate a `User` object from
+    // a well-formed text fixture cookie, in order to check that successful
+    // `AuthenticationResult`s have the right shape. As such we don't want
+    // to have to deal with the case of a bad cookie so we just cast to `ParsedCookie`.
+    const parsedCookie = parseCookie(cookie) as ParsedCookie;
+    return parseUser(parsedCookie.data);
+}
+
 describe('verifyUser', function () {
 
-    test("return invalid cookie if missing", () => {
-        expect(verifyUser(undefined, "", new Date(0), guardianValidation).status).toBe(AuthenticationStatus.INVALID_COOKIE);
+    test("fail to authenticate if cookie is missing", () => {
+        const expected: CookieFailure = {
+            success: false,
+            reason: 'no-cookie'
+        };
+        expect(verifyUser(undefined, "", new Date(0), guardianValidation)).toStrictEqual(expected);
     });
 
-    test("return invalid cookie for a malformed signature", () => {
+    test("fail to authenticate if signature is malformed", () => {
         const [data, signature] = sampleCookie.split(".");
         const testCookie = data + ".1234";
 
-        expect(verifyUser(testCookie, publicKey, new Date(0), guardianValidation).status).toBe(AuthenticationStatus.INVALID_COOKIE);
+        const expected: CookieFailure = {
+            success: false,
+            reason: 'invalid-cookie'
+        };
+        expect(verifyUser(testCookie, publicKey, new Date(0), guardianValidation)).toStrictEqual(expected);
+    });
+
+    test("fail to authenticate if cookie expired and we're outside the grace period", () => {
+        // Cookie expires at epoch time 1234
+        const afterEndOfGracePeriod = new Date(1234 + gracePeriodInMillis + 1)
+        const expected: CookieFailure = {
+            success: false,
+            reason: 'expired-cookie'
+        };
+        expect(verifyUser(sampleCookie, publicKey, afterEndOfGracePeriod, guardianValidation)).toStrictEqual(expected);
+    });
+
+    test("fail to authenticate if user fails validation function", () => {
+        expect(verifyUser(sampleCookieWithoutMultifactor, publicKey, new Date(0), guardianValidation)).toStrictEqual({
+            success: false,
+            reason: 'invalid-user',
+            user: userFromCookie(sampleCookieWithoutMultifactor)
+        });
+        expect(verifyUser(sampleNonGuardianCookie, publicKey, new Date(0), guardianValidation)).toStrictEqual({
+            success: false,
+            reason: 'invalid-user',
+            user: userFromCookie(sampleNonGuardianCookie)
+        });
+    });
+
+    test("fail to authenticate with invalid-cookie reason if signature is not valid", () => {
+        const expected: CookieFailure = {
+            success: false,
+            reason: 'invalid-cookie'
+        };
+        const slightlyBadCookie = sampleCookie.slice(0, -2);
+        expect(verifyUser(slightlyBadCookie, publicKey, new Date(0), guardianValidation)).toStrictEqual(expected);
+    });
+
+    test("fail to authenticate with invalid-cookie reason if data part is not base64", () => {
+        const expected: CookieFailure = {
+            success: false,
+            reason: 'invalid-cookie'
+        };
+        const [_, signature] = sampleCookie.split(".");
+        const nonBase64Data = "not-base64-data";
+        const testCookie = `${nonBase64Data}.${signature}`;
+        expect(verifyUser(testCookie, publicKey, new Date(0), guardianValidation)).toStrictEqual(expected);
     });
 
-    test("return expired", () => {
-        const someTimeInTheFuture = new Date(5678);
-        expect(someTimeInTheFuture.getTime()).toBe(5678);
-        expect(verifyUser(sampleCookie, publicKey, someTimeInTheFuture, guardianValidation).status).toBe(AuthenticationStatus.EXPIRED);
+    test("fail to authenticate with invalid-cookie reason if signature part is not base64", () => {
+        const expected: CookieFailure = {
+            success: false,
+            reason: 'invalid-cookie'
+        };
+        const [data, _] = sampleCookie.split(".");
+        const nonBase64Signature = "not-base64-signature";
+        const testCookie = `${data}.${nonBase64Signature}`;
+        expect(verifyUser(testCookie, publicKey, new Date(0), guardianValidation)).toStrictEqual(expected);
     });
 
-    test("return not authenticated if user fails validation function", () => {
-        expect(verifyUser(sampleCookieWithoutMultifactor, publicKey, new Date(0), guardianValidation).status).toBe(AuthenticationStatus.NOT_AUTHORISED);
-        expect(verifyUser(sampleNonGuardianCookie, publicKey, new Date(0), guardianValidation).status).toBe(AuthenticationStatus.NOT_AUTHORISED);
+    test("fail to authenticate with invalid-cookie reason if cookie has no dot separator", () => {
+        const expected: CookieFailure = {
+            success: false,
+            reason: 'invalid-cookie'
+        };
+        const noDotCookie = sampleCookie.replace(".", "");
+        expect(verifyUser(noDotCookie, publicKey, new Date(0), guardianValidation)).toStrictEqual(expected);
     });
 
-    test("return authenticated", () => {
-        expect(verifyUser(sampleCookie, publicKey, new Date(0), guardianValidation).status).toBe(AuthenticationStatus.AUTHORISED);
+    test("fail to authenticate with invalid-cookie reason if cookie has multiple dot separators", () => {
+        const expected: CookieFailure = {
+            success: false,
+            reason: 'invalid-cookie'
+        };
+        const multipleDotsCookie = sampleCookie.replace(".", "..");
+        expect(verifyUser(multipleDotsCookie, publicKey, new Date(0), guardianValidation)).toStrictEqual(expected);
+    });
+
+    test("authenticate if the cookie and user are valid", () => {
+        const expected: FreshSuccess = {
+            success: true,
+            // Cookie is not expired so no need to refresh credentials
+            shouldRefreshCredentials: false,
+            user: userFromCookie(sampleCookie)
+        };
+        expect(verifyUser(sampleCookie, publicKey, new Date(0), guardianValidation)).toStrictEqual(expected);
+    });
+
+    test("authenticate with shouldRefreshCredentials if cookie expired but we're within the grace period", () => {
+        const beforeEndOfGracePeriod = new Date(1234 + gracePeriodInMillis - 1);
+        const expected: StaleSuccess = {
+            success: true,
+            user: userFromCookie(sampleCookie),
+            shouldRefreshCredentials: true,
+            mustRefreshByEpochTimeMillis: 1234 + gracePeriodInMillis
+        };
+        expect(verifyUser(sampleCookie, publicKey, beforeEndOfGracePeriod, guardianValidation)).toStrictEqual(expected);
     });
 });
 
@@ -122,32 +222,133 @@ describe('panda class', function () {
       (fetchPublicKey as jest.MockedFunction<typeof fetchPublicKey>).mockResolvedValue({ key: publicKey, lastUpdated: new Date() });
     });
 
-    it('should return authenticated if valid', async () => {
+    it('should authenticate if cookie and user are valid', async () => {
       jest.setSystemTime(100);
       const panda = new PanDomainAuthentication('cookiename', 'region', 'bucket', 'keyfile', (u)=> true);
-      const { status } = await panda.verify(`cookiename=${sampleCookie}`);
+      const authenticationResult = await panda.verify(`cookiename=${sampleCookie}`);
+
+      const expected: FreshSuccess = {
+          success: true,
+          // Cookie is not expired
+          shouldRefreshCredentials: false,
+          user: userFromCookie(sampleCookie)
+      }
+      expect(authenticationResult).toStrictEqual(expected);
+    });
 
-      expect(status).toBe(AuthenticationStatus.AUTHORISED);
+    it('should authenticate if cookie and user are valid when multiple cookies are passed', async () => {
+      jest.setSystemTime(100);
+      const panda = new PanDomainAuthentication('cookiename', 'region', 'bucket', 'keyfile', (u)=> true);
+      const authenticationResult = await panda.verify(`a=blah; b=stuff; cookiename=${sampleCookie}; c=4958345`);
+
+      const expected: FreshSuccess = {
+          success: true,
+          // Cookie is not expired
+          shouldRefreshCredentials: false,
+          user: userFromCookie(sampleCookie)
+      };
+      expect(authenticationResult).toStrictEqual(expected);
     });
 
-    it('should return expired if expired', async () => {
-      jest.setSystemTime(10_000);
+    it('should fail to authenticate if cookie expired and we\'re outside the grace period', async () => {
+      // Cookie expiry is 1234
+      const afterEndOfGracePeriodEpochMillis = 1234 + gracePeriodInMillis + 1
+      jest.setSystemTime(afterEndOfGracePeriodEpochMillis);
 
       const panda = new PanDomainAuthentication('cookiename', 'region', 'bucket', 'keyfile', (u)=> true);
-      const { status } = await panda.verify(`cookiename=${sampleCookie}`);
+      const authenticationResult = await panda.verify(`cookiename=${sampleCookie}`);
 
-      expect(status).toBe(AuthenticationStatus.EXPIRED);
+      const expected: CookieFailure = {
+          success: false,
+          reason: 'expired-cookie'
+      };
+      expect(authenticationResult).toStrictEqual(expected);
     });
 
-    it('should return not authenticated if validation fails', async () => {
+    it('authenticate with shouldRefreshCredentials if cookie expired but we\'re within the grace period', async () => {
+      // Cookie expiry is 1234
+      const beforeEndOfGracePeriodEpochMillis = 1234 + gracePeriodInMillis - 1;
+      jest.setSystemTime(beforeEndOfGracePeriodEpochMillis);
+
+      const panda = new PanDomainAuthentication('cookiename', 'region', 'bucket', 'keyfile', (u)=> true);
+      const authenticationResult = await panda.verify(`cookiename=${sampleCookie}`);
+
+      const expected: StaleSuccess = {
+          success: true,
+          shouldRefreshCredentials: true,
+          mustRefreshByEpochTimeMillis: 1234 + gracePeriodInMillis,
+          user: userFromCookie(sampleCookie)
+      };
+      expect(authenticationResult).toStrictEqual(expected);
+    });
+
+    it('should fail to authenticate if user is not valid', async () => {
       jest.setSystemTime(100);
 
       const panda = new PanDomainAuthentication('cookiename', 'region', 'bucket', 'keyfile', guardianValidation);
-      const { status } = await panda.verify(`cookiename=${sampleNonGuardianCookie}`);
+      const authenticationResult = await panda.verify(`cookiename=${sampleNonGuardianCookie}`);
+
+      const expected: UserValidationFailure = {
+          success: false,
+          reason: 'invalid-user',
+          user: userFromCookie(sampleNonGuardianCookie)
+      };
+      expect(authenticationResult).toStrictEqual(expected);
+    });
 
-      expect(status).toBe(AuthenticationStatus.NOT_AUTHORISED);
+    it('should fail to authenticate if there is no cookie with the correct name', async () => {
+      jest.setSystemTime(100);
+
+      const panda = new PanDomainAuthentication('cookiename', 'region', 'bucket', 'keyfile', guardianValidation);
+      const authenticationResult = await panda.verify(`wrongcookiename=${sampleNonGuardianCookie}`);
+
+      const expected: CookieFailure = {
+          success: false,
+          reason: "no-cookie"
+      };
+      expect(authenticationResult).toStrictEqual(expected);
     });
 
+    it('should fail to authenticate if the cookie request header is malformed', async () => {
+      jest.setSystemTime(100);
+
+      const panda = new PanDomainAuthentication('cookiename', 'region', 'bucket', 'keyfile', guardianValidation);
+      // The cookie headers should be semicolon-separated name=valueg
+      const authenticationResult = await panda.verify(sampleNonGuardianCookie);
+
+      const expected: CookieFailure = {
+          success: false,
+          reason: "no-cookie"
+      };
+      expect(authenticationResult).toStrictEqual(expected);
+    });
+
+    it('should fail to authenticate if there is no cookie with the correct name out of multiple cookies', async () => {
+      jest.setSystemTime(100);
+
+      const panda = new PanDomainAuthentication('cookiename', 'region', 'bucket', 'keyfile', guardianValidation);
+      const authenticationResult = await panda.verify(`wrongcookiename=${sampleNonGuardianCookie}; anotherwrongcookiename=${sampleNonGuardianCookie}`);
+
+      const expected: CookieFailure = {
+          success: false,
+          reason: "no-cookie"
+      };
+      expect(authenticationResult).toStrictEqual(expected);
+    });
+
+    it('should fail to authenticate with invalid-cookie reason if cookie is malformed', async () => {
+      jest.setSystemTime(100);
+
+      const panda = new PanDomainAuthentication('rightcookiename', 'region', 'bucket', 'keyfile', guardianValidation);
+      // There is a valid Panda cookie in here, but it's under the wrong name
+      const authenticationResult = await panda.verify(`wrongcookiename=${sampleNonGuardianCookie}; rightcookiename=not-valid-panda-cookie`);
+
+      const expected: CookieFailure = {
+        success: false,
+        reason: "invalid-cookie"
+      };
+      expect(authenticationResult).toStrictEqual(expected);
+    });
   });
 
 });

package/test/utils.test.ts

@@ -3,11 +3,17 @@ import { sampleCookie } from './fixtures';
 import { URLSearchParams } from 'url';
 
 test("decode a cookie", () => {
-    const { data, signature } = parseCookie(sampleCookie);
-    expect(signature.length).toBe(684);
+    const parsedCookie = parseCookie(sampleCookie);
+    expect(parsedCookie).toBeDefined()
 
-    const params = new URLSearchParams(data);
-    
-    expect(params.get("firstName")).toBe("Test");
-    expect(params.get("lastName")).toBe("User");
+    // Unfortunately the above expect() doesn't narrow the type
+    if (parsedCookie) {
+        const { data, signature } = parsedCookie;
+        expect(signature.length).toBe(684);
+
+        const params = new URLSearchParams(data);
+
+        expect(params.get("firstName")).toBe("Test");
+        expect(params.get("lastName")).toBe("User");
+    }
 });

package/.github/workflows/snyk.yml

@@ -1,19 +0,0 @@
-name: Snyk
-
-on:
-  push:
-    branches:
-      - main
-  workflow_dispatch:
-
-jobs:
-  security:
-    uses: guardian/.github/.github/workflows/sbt-node-snyk.yml@main
-    with:
-      DEBUG: true
-      ORG: guardian
-      SKIP_NODE: false
-      NODE_VERSION_FILE: .nvmrc
-
-    secrets:
-       SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}