npm - @velocitycareerlabs/server-careerwallet - Versions diffs - 1.25.0-dev-build.12642c864 - Mend

@velocitycareerlabs/server-careerwallet 1.25.0-dev-build.12642c864

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (252) hide show

package/test/oauth-controller.test.js ADDED Viewed

@@ -0,0 +1,639 @@
+const { map, slice, size, set } = require('lodash/fp');
+const {
+  generateCredentialJwt,
+  generatePresentationJwt,
+  tamperJwt,
+  jwkFromSecp256k1Key,
+  jwtVerify,
+} = require('@velocitycareerlabs/jwt');
+const {
+  generateKeyPair,
+  hashAndEncodeHex,
+} = require('@velocitycareerlabs/crypto');
+const { nanoid } = require('nanoid/non-secure');
+const { mapWithIndex } = require('@velocitycareerlabs/common-functions');
+const { errorResponseMatcher } = require('@velocitycareerlabs/tests-helpers');
+const { mongoDb } = require('@spencejs/spence-mongo-repos');
+const buildFastify = require('./helpers/careerwallet-build-fastify');
+const { accountsRepoPlugin } = require('../src/entities');
+const initAccountsFactory = require('./factories/accounts-factory');
+const oauthUrl = '/api/v0.6/oauth/token';
+const vnfPresentationGrantType =
+  'https://velocitynetwork.foundation/oauth/presentation';
+const audience = 'walletapi.velocitycareerlabs.io';
+const testUserDid = 'did:kid-it-is-test_user_did';
+const phonePayload = {
+  sub: 'did:velocity:0x0a63c18d09d5430363b2f3b270698a677fb513e4',
+  vc: {
+    '@context': ['https://www.w3.org/2018/credentials/v1'],
+    id: 'did:velocity:0x0a63c18d09d5430363b2f3b270698a677fb513e4',
+    issuer: { id: 'did:velocity:0x0b154da48d0f213c26c4b1d040dc5ff1dbf99ffa' },
+    issuanceDate: '2020-08-17T11:27:06.000Z',
+    type: ['PhoneV1.0', 'VerifiableCredential'],
+    credentialSubject: {
+      phone: '+447309917830',
+      id: testUserDid,
+    },
+  },
+};
+const generatePresentation = async (
+  credentials,
+  {
+    isBrokeVCS = false,
+    privateKeyToSignCredential = generateKeyPair().privateKey,
+    privateKeyToSignPresentation = generateKeyPair().privateKey,
+    tamperCredentials = false,
+  }
+) => {
+  const signedCredentials = await Promise.all(
+    map(async (c) => {
+      const signedCredential = await generateCredentialJwt(
+        c,
+        privateKeyToSignCredential
+      );
+      if (!tamperCredentials) {
+        return signedCredential;
+      }
+      return tamperJwt(signedCredential, { foo: 'foo' });
+    }, credentials)
+  );
+  const presentation = {
+    id: nanoid(),
+    verifiableCredential: isBrokeVCS
+      ? [
+          ...slice(0, 1, signedCredentials),
+          ...Array(size(signedCredentials) - 1).fill(''),
+        ]
+      : signedCredentials,
+    presentation_submission: {
+      id: nanoid(),
+      definition_id: nanoid(),
+      descriptor_map: mapWithIndex(
+        (c, i) => ({
+          id: nanoid(),
+          path: `$.verifiableCredential[${i}]`,
+          format: 'jwt_vc',
+        }),
+        signedCredentials
+      ),
+    },
+  };
+  return {
+    presentation,
+    credentials,
+    selfSign() {
+      return generatePresentationJwt(
+        this.presentation,
+        privateKeyToSignPresentation
+      );
+    },
+  };
+};
+const accessTokenJwtMatcher = async (
+  accessTokenJwt,
+  verificationKey,
+  iss,
+  sub
+) => {
+  const decodedJwt = await jwtVerify(
+    accessTokenJwt,
+    jwkFromSecp256k1Key(verificationKey, false)
+  );
+  expect(decodedJwt).toEqual({
+    header: {
+      alg: 'ES256K',
+      jwk: jwkFromSecp256k1Key(verificationKey, false),
+      typ: 'JWT',
+    },
+    payload: {
+      exp: expect.any(Number),
+      iat: expect.any(Number),
+      nbf: expect.any(Number),
+      nonce: expect.any(String),
+      scope: expect.any(String),
+      sub,
+      iss,
+    },
+  });
+  expect(decodedJwt.payload.exp).toBeGreaterThan(decodedJwt.payload.iat);
+  expect(decodedJwt.payload.exp).toBeGreaterThan(decodedJwt.payload.nbf);
+  expect(decodedJwt.payload.nonce).toHaveLength(8);
+};
+describe('oauth test suite', () => {
+  let fastify;
+  let accountsCollection;
+  let accountsRepo;
+  let persistAccounts;
+  let validScopes;
+  beforeAll(async () => {
+    fastify = await buildFastify();
+    await fastify.ready();
+    const {
+      config: { holderAppServerOAuthScopes },
+    } = fastify;
+    validScopes = holderAppServerOAuthScopes.split(' ');
+    accountsCollection = mongoDb().collection('accounts');
+    accountsRepo = accountsRepoPlugin(fastify)({
+      log: fastify.log,
+      config: fastify.config,
+    });
+    ({ persistAccounts } = initAccountsFactory(fastify));
+  });
+  beforeEach(async () => {
+    await accountsCollection.deleteMany({});
+  });
+  afterAll(async () => {
+    await fastify.close();
+  });
+  it('should 400 if grant_type is not equal to one of the allowed values', async () => {
+    const response = await fastify.injectJson({
+      method: 'POST',
+      url: oauthUrl,
+      payload: { grant_type: 'foo' },
+    });
+    expect(response.statusCode).toBe(400);
+  });
+  it('should 400 if refresh_token grant type and no refresh_token value', async () => {
+    const response = await fastify.injectJson({
+      method: 'POST',
+      url: oauthUrl,
+      payload: {
+        grant_type: 'refresh_token',
+        client_id: 'foo',
+        scope: 'foo',
+        audience: 'foo',
+      },
+    });
+    expect(response.statusCode).toBe(400);
+    expect(response.json).toEqual(
+      errorResponseMatcher({
+        statusCode: 400,
+        errorCode: 'missing_error_code',
+        message: 'Refresh token required with grant type "refresh_token"',
+        error: 'Bad Request',
+      })
+    );
+  });
+  it('should 400 if vnf presentation grant type and no presentation value', async () => {
+    const response = await fastify.injectJson({
+      method: 'POST',
+      url: oauthUrl,
+      payload: {
+        grant_type: vnfPresentationGrantType,
+        client_id: 'foo',
+        scope: 'foo',
+        audience: 'foo',
+      },
+    });
+    expect(response.statusCode).toBe(400);
+    expect(response.json).toEqual(
+      errorResponseMatcher({
+        statusCode: 400,
+        errorCode: 'missing_error_code',
+        message: `Presentation required with grant type "${vnfPresentationGrantType}"`,
+        error: 'Bad Request',
+      })
+    );
+  });
+  it('should 401 if client id is not valid', async () => {
+    const response = await fastify.injectJson({
+      method: 'POST',
+      url: oauthUrl,
+      payload: {
+        grant_type: 'refresh_token',
+        client_id: 'foo',
+        scope: 'foo',
+        audience: 'foo',
+        refresh_token: 'foo',
+      },
+    });
+    expect(response.statusCode).toBe(401);
+    expect(response.json).toEqual(
+      errorResponseMatcher({
+        statusCode: 401,
+        errorCode: 'missing_error_code',
+        message: 'Unknown client id: foo',
+        error: 'Unauthorized',
+      })
+    );
+  });
+  it('should 401 if unrecognized scopes are provided', async () => {
+    const response = await fastify.injectJson({
+      method: 'POST',
+      url: oauthUrl,
+      payload: {
+        grant_type: 'refresh_token',
+        client_id: 'abc',
+        scope: 'foo',
+        audience: 'foo',
+        refresh_token: 'foo',
+      },
+    });
+    expect(response.statusCode).toBe(401);
+    expect(response.json).toEqual(
+      errorResponseMatcher({
+        statusCode: 401,
+        errorCode: 'missing_error_code',
+        message: 'Unrecognized scopes: ["foo"]',
+        error: 'Unauthorized',
+      })
+    );
+  });
+  it('should 401 if unknown audience is provided', async () => {
+    const response = await fastify.injectJson({
+      method: 'POST',
+      url: oauthUrl,
+      payload: {
+        grant_type: 'refresh_token',
+        client_id: 'abc',
+        scope: validScopes[0],
+        audience: 'foo',
+        refresh_token: 'foo',
+      },
+    });
+    expect(response.statusCode).toBe(401);
+    expect(response.json).toEqual(
+      errorResponseMatcher({
+        statusCode: 401,
+        message: 'Unknown audience: foo',
+        errorCode: 'missing_error_code',
+        error: 'Unauthorized',
+      })
+    );
+  });
+  it("should 401 if credential in presentation doesn't verify", async () => {
+    const tempVclKeyPair = generateKeyPair();
+    const presentationPhone = await generatePresentation([phonePayload], {
+      tamperCredentials: true,
+      privateKeyToSignCredential: tempVclKeyPair.privateKey,
+    });
+    fastify.overrides.reqConfig = (config) => ({
+      ...config,
+      oauthVclCredentialVerificationPublicKey: tempVclKeyPair.publicKey,
+    });
+    const response = await fastify.injectJson({
+      method: 'POST',
+      url: oauthUrl,
+      payload: {
+        grant_type: vnfPresentationGrantType,
+        client_id: 'abc',
+        scope: validScopes[0],
+        audience,
+        presentation: await presentationPhone.selfSign(),
+      },
+    });
+    expect(response.statusCode).toBe(401);
+    expect(response.json).toEqual(
+      errorResponseMatcher({
+        statusCode: 401,
+        errorCode: 'missing_error_code',
+        message: 'Credential verification failed',
+        error: 'Unauthorized',
+      })
+    );
+  });
+  it('should 401 if credential is not of type PhoneV1.0', async () => {
+    const tempVclKeyPair = generateKeyPair({ format: 'jwk' });
+    const phonePayloadWithInvalidType = set('vc.type', ['foo'], phonePayload);
+    const presentationPhone = await generatePresentation(
+      [phonePayloadWithInvalidType],
+      {
+        privateKeyToSignCredential: tempVclKeyPair.privateKey,
+      }
+    );
+    fastify.overrides.reqConfig = (config) => ({
+      ...config,
+      oauthVclCredentialVerificationPublicKey: tempVclKeyPair.publicKey,
+    });
+    const response = await fastify.injectJson({
+      method: 'POST',
+      url: oauthUrl,
+      payload: {
+        grant_type: vnfPresentationGrantType,
+        client_id: 'abc',
+        scope: validScopes[0],
+        audience,
+        presentation: await presentationPhone.selfSign(),
+      },
+    });
+    expect(response.statusCode).toBe(401);
+    expect(response.json).toEqual(
+      errorResponseMatcher({
+        statusCode: 401,
+        errorCode: 'missing_error_code',
+        message: 'Credential is not of type PhoneV1.0',
+        error: 'Unauthorized',
+      })
+    );
+  });
+  it('should 401 with refresh_token grant type and unknown refresh token', async () => {
+    const response = await fastify.injectJson({
+      method: 'POST',
+      url: oauthUrl,
+      payload: {
+        grant_type: 'refresh_token',
+        client_id: 'abc',
+        scope: validScopes[0],
+        audience,
+        refresh_token: 'foo',
+      },
+    });
+    expect(response.statusCode).toBe(401);
+    expect(response.json).toEqual(
+      errorResponseMatcher({
+        statusCode: 401,
+        errorCode: 'missing_error_code',
+        message: 'Unknown refresh_token, user id or scope',
+        error: 'Unauthorized',
+      })
+    );
+  });
+  it('should 200 with presentation grant type and proper credential when account has single did value', async () => {
+    const testCredentialVerificationKeyPair = generateKeyPair({
+      format: 'jwk',
+    });
+    const testAccessTokenSigningKeyPair = generateKeyPair();
+    const presentationPhone = await generatePresentation([phonePayload], {
+      privateKeyToSignCredential: testCredentialVerificationKeyPair.privateKey,
+    });
+    await persistAccounts({
+      didKeyMetadatum: [
+        {
+          did: testUserDid,
+        },
+      ],
+      scope: [validScopes[0], validScopes[1]],
+    });
+    fastify.overrides.reqConfig = (config) => ({
+      ...config,
+      oauthVclCredentialVerificationPublicKey:
+        testCredentialVerificationKeyPair.publicKey,
+      holderAppServerAccessTokenSigningKey:
+        testAccessTokenSigningKeyPair.privateKey,
+    });
+    const response = await fastify.injectJson({
+      method: 'POST',
+      url: oauthUrl,
+      payload: {
+        grant_type: vnfPresentationGrantType,
+        client_id: 'abc',
+        scope: validScopes[0],
+        audience,
+        presentation: await presentationPhone.selfSign(),
+      },
+    });
+    expect(response.statusCode).toBe(200);
+    expect(response.json).toEqual({
+      access_token: expect.any(String),
+      token_type: 'Bearer',
+      refresh_token: expect.any(String),
+    });
+    expect(response.json.refresh_token).toHaveLength(128);
+    const accountDocument = await accountsRepo.findOne();
+    await accessTokenJwtMatcher(
+      response.json.access_token,
+      testAccessTokenSigningKeyPair.publicKey,
+      fastify.config.holderAppServerHolderAppProviderDid,
+      accountDocument._id.toString()
+    );
+    expect(accountDocument.refreshToken).toEqual(
+      hashAndEncodeHex(response.json.refresh_token)
+    );
+  });
+  it('should 200 with presentation grant type and proper credential when account has array did value', async () => {
+    const testCredentialVerificationKeyPair = generateKeyPair({
+      format: 'jwk',
+    });
+    const testAccessTokenSigningKeyPair = generateKeyPair();
+    const presentationPhone = await generatePresentation([phonePayload], {
+      privateKeyToSignCredential: testCredentialVerificationKeyPair.privateKey,
+    });
+    await persistAccounts({
+      didKeyMetadatum: [
+        {
+          did: testUserDid,
+        },
+        {
+          did: 'foo',
+        },
+      ],
+      scope: [validScopes[0], validScopes[1]],
+    });
+    fastify.overrides.reqConfig = (config) => ({
+      ...config,
+      oauthVclCredentialVerificationPublicKey:
+        testCredentialVerificationKeyPair.publicKey,
+      holderAppServerAccessTokenSigningKey:
+        testAccessTokenSigningKeyPair.privateKey,
+    });
+    const response = await fastify.injectJson({
+      method: 'POST',
+      url: oauthUrl,
+      payload: {
+        grant_type: vnfPresentationGrantType,
+        client_id: 'abc',
+        scope: validScopes[0],
+        audience,
+        presentation: await presentationPhone.selfSign(),
+      },
+    });
+    expect(response.statusCode).toBe(200);
+    expect(response.json).toEqual({
+      access_token: expect.any(String),
+      token_type: 'Bearer',
+      refresh_token: expect.any(String),
+    });
+    expect(response.json.refresh_token).toHaveLength(128);
+    const accountDocument = await accountsRepo.findOne();
+    await accessTokenJwtMatcher(
+      response.json.access_token,
+      testAccessTokenSigningKeyPair.publicKey,
+      fastify.config.holderAppServerHolderAppProviderDid,
+      accountDocument._id.toString()
+    );
+    expect(accountDocument.refreshToken).toEqual(
+      hashAndEncodeHex(response.json.refresh_token)
+    );
+  });
+  it('should 200 and update refresh_token with refresh_token grant type and known refresh_token', async () => {
+    const testAccessTokenSigningKeyPair = generateKeyPair();
+    fastify.overrides.reqConfig = (config) => ({
+      ...config,
+      holderAppServerAccessTokenSigningKey:
+        testAccessTokenSigningKeyPair.privateKey,
+    });
+    await persistAccounts({
+      did: testUserDid,
+      scope: [validScopes[0], validScopes[1]],
+    });
+    const response = await fastify.injectJson({
+      method: 'POST',
+      url: oauthUrl,
+      payload: {
+        grant_type: 'refresh_token',
+        client_id: 'abc',
+        scope: validScopes[0],
+        audience,
+        refresh_token: 'test_refresh_token',
+      },
+    });
+    expect(response.statusCode).toBe(200);
+    expect(response.json).toEqual({
+      access_token: expect.any(String),
+      token_type: 'Bearer',
+      refresh_token: expect.any(String),
+    });
+    const accountDocument = await accountsRepo.findOne();
+    await accessTokenJwtMatcher(
+      response.json.access_token,
+      testAccessTokenSigningKeyPair.publicKey,
+      fastify.config.holderAppServerHolderAppProviderDid,
+      accountDocument._id.toString()
+    );
+    expect(accountDocument.refreshToken).toEqual(
+      hashAndEncodeHex(response.json.refresh_token)
+    );
+  });
+  it('Should 401 when account`s not allowed scope (stored in DB) is requested', async () => {
+    const testAccessTokenSigningKeyPair = generateKeyPair();
+    fastify.overrides.reqConfig = (config) => ({
+      ...config,
+      holderAppServerAccessTokenSigningKey:
+        testAccessTokenSigningKeyPair.privateKey,
+    });
+    const initialScopeValue = [validScopes[0], validScopes[1]];
+    const requestedScope = `${validScopes[0]} ${validScopes[1]} ${validScopes[2]}`;
+    await persistAccounts({ did: testUserDid, scopes: initialScopeValue });
+    const response = await fastify.injectJson({
+      method: 'POST',
+      url: oauthUrl,
+      payload: {
+        grant_type: 'refresh_token',
+        client_id: 'abc',
+        scope: requestedScope,
+        audience,
+        refresh_token: 'test_refresh_token',
+      },
+    });
+    expect(response.statusCode).toBe(401);
+    expect(response.json).toEqual(
+      errorResponseMatcher({
+        statusCode: 401,
+        errorCode: 'missing_error_code',
+        message: 'Unknown refresh_token, user id or scope',
+        error: 'Unauthorized',
+      })
+    );
+  });
+  it('Should return 401 if incorrect refresh_token in request', async () => {
+    const testAccessTokenSigningKeyPair = generateKeyPair();
+    fastify.overrides.reqConfig = (config) => ({
+      ...config,
+      holderAppServerAccessTokenSigningKey:
+        testAccessTokenSigningKeyPair.privateKey,
+    });
+    await persistAccounts({ did: testUserDid });
+    const response = await fastify.injectJson({
+      method: 'POST',
+      url: oauthUrl,
+      payload: {
+        grant_type: 'refresh_token',
+        client_id: 'abc',
+        scope: validScopes[0],
+        audience,
+        refresh_token: 'incorrect_test_refresh_token',
+      },
+    });
+    expect(response.statusCode).toBe(401);
+    expect(response.json).toEqual(
+      errorResponseMatcher({
+        statusCode: 401,
+        errorCode: 'missing_error_code',
+        message: 'Unknown refresh_token, user id or scope',
+        error: 'Unauthorized',
+      })
+    );
+  });
+  it('Should return requested scope only in access_token', async () => {
+    const testAccessTokenSigningKeyPair = generateKeyPair();
+    fastify.overrides.reqConfig = (config) => ({
+      ...config,
+      holderAppServerAccessTokenSigningKey:
+        testAccessTokenSigningKeyPair.privateKey,
+    });
+    await persistAccounts({
+      did: testUserDid,
+      scope: [validScopes[0], validScopes[1]],
+    });
+    const response = await fastify.injectJson({
+      method: 'POST',
+      url: oauthUrl,
+      payload: {
+        grant_type: 'refresh_token',
+        client_id: 'abc',
+        scope: validScopes[1],
+        audience,
+        refresh_token: 'test_refresh_token',
+      },
+    });
+    expect(response.statusCode).toBe(200);
+    const { access_token: accessToken } = response.json;
+    const {
+      payload: { scope },
+    } = await jwtVerify(
+      accessToken,
+      jwkFromSecp256k1Key(testAccessTokenSigningKeyPair.publicKey, false)
+    );
+    expect(scope).toEqual(validScopes[1]);
+  });
+});