@villedemontreal/jwt-validator 5.7.7

package/dist/src/jwtValidator.js

@@ -0,0 +1,129 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.jwtValidator = void 0;
+const general_utils_1 = require("@villedemontreal/general-utils");
+const jwt = require("jsonwebtoken");
+const moment = require("moment");
+const constants_1 = require("./config/constants");
+const customError_1 = require("./models/customError");
+const jwtPayload_1 = require("./models/jwtPayload");
+const publicKey_1 = require("./models/publicKey");
+const cachedPublicKeyRepository_1 = require("./repositories/cachedPublicKeyRepository");
+/**
+ * JWT Validator
+ */
+class JwtValidator {
+    async verifyAuthorizationHeader(header) {
+        if (general_utils_1.utils.isBlank(header)) {
+            throw (0, customError_1.createInvalidAuthHeaderError)({
+                code: constants_1.constants.errors.codes.NULL_VALUE,
+                target: 'Authorization header',
+                message: 'Empty Authorization header',
+            });
+        }
+        const parts = header.trim().split(' ');
+        if (parts[0] !== 'Bearer') {
+            throw (0, customError_1.createInvalidAuthHeaderError)({
+                code: constants_1.constants.errors.codes.INVALID_VALUE,
+                target: 'Authorization header',
+                message: 'Bad authentication scheme, "Bearer" required',
+            });
+        }
+        return await this.verifyToken(parts[1]);
+    }
+    async verifyToken(token) {
+        const payload = this.parseJwt(token);
+        const key = await this.getJwtPublicKey(payload);
+        this.validateJwtCreationTimestamp(payload, key);
+        this.validateJwtExpirationTimestamp(payload, key);
+        return this.verifyJwt(token, key.publicKey);
+    }
+    parseJwt(token) {
+        const payload = jwt.decode(token);
+        if (!payload) {
+            throw (0, customError_1.createInvalidJwtError)({
+                code: constants_1.constants.errors.codes.INVALID_VALUE,
+                target: 'jwt',
+                message: 'jwt malformed',
+            });
+        }
+        return payload;
+    }
+    verifyJwt(token, publicKey) {
+        let payload;
+        try {
+            payload = jwt.verify(token, publicKey);
+        }
+        catch (err) {
+            throw (0, customError_1.createInvalidJwtError)({
+                code: constants_1.constants.errors.codes.INVALID_VALUE,
+                target: 'jwt',
+                message: err.message,
+            });
+        }
+        if ((0, jwtPayload_1.isJWTPayload)(payload)) {
+            return payload;
+        }
+        throw (0, customError_1.createInvalidJwtError)({
+            code: constants_1.constants.errors.codes.INVALID_VALUE,
+            target: 'jwt',
+            message: 'expected a valid JWT payload',
+        });
+    }
+    async getJwtPublicKey(payload) {
+        const keyId = payload.keyId;
+        if (!keyId || keyId <= 0) {
+            throw (0, customError_1.createInvalidJwtError)({
+                code: constants_1.constants.errors.codes.INVALID_VALUE,
+                target: 'jwt',
+                message: 'missing public key ID',
+            });
+        }
+        const key = await cachedPublicKeyRepository_1.cachedPublicKeyRepository.getOne(keyId);
+        // Check key state
+        if (!key || key.state !== publicKey_1.PublicKeyState.ACTIVE) {
+            throw (0, customError_1.createInvalidJwtError)({
+                code: constants_1.constants.errors.codes.INVALID_VALUE,
+                target: 'jwt',
+                message: 'this keyId is no longer active',
+            });
+        }
+        return key;
+    }
+    validateJwtCreationTimestamp(payload, key) {
+        // Check the jwt was not created before the creation date of the key
+        const payloadIat = moment.utc(payload.iat * 1000);
+        const keyCreatedAt = moment.utc(key.createdAt);
+        if (payloadIat.diff(keyCreatedAt) < 0) {
+            throw (0, customError_1.createInvalidJwtError)({
+                code: constants_1.constants.errors.codes.INVALID_VALUE,
+                target: 'jwt',
+                message: "this jwt can't be created before the public key",
+            });
+        }
+    }
+    validateJwtExpirationTimestamp(payload, key) {
+        // Check expiration date
+        if (key.expiresAt) {
+            const keyexpiresAt = moment.utc(key.expiresAt);
+            if (moment.utc().diff(keyexpiresAt) > 0) {
+                throw (0, customError_1.createInvalidJwtError)({
+                    code: constants_1.constants.errors.codes.INVALID_VALUE,
+                    target: 'jwt',
+                    message: 'this keyId is expired',
+                });
+            }
+            // Check the jwt was not created after the expiration date of the key
+            const payloadIat = moment.utc(payload.iat * 1000);
+            if (payloadIat.diff(keyexpiresAt) > 0) {
+                throw (0, customError_1.createInvalidJwtError)({
+                    code: constants_1.constants.errors.codes.INVALID_VALUE,
+                    target: 'jwt',
+                    message: "this jwt can't be created after the expiration of the public key",
+                });
+            }
+        }
+    }
+}
+exports.jwtValidator = new JwtValidator();
+//# sourceMappingURL=jwtValidator.js.map

package/dist/src/jwtValidator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwtValidator.js","sourceRoot":"","sources":["../../src/jwtValidator.ts"],"names":[],"mappings":";;;AAAA,kEAAuD;AACvD,oCAAoC;AACpC,iCAAiC;AACjC,kDAA+C;AAC/C,sDAA2F;AAC3F,oDAAgE;AAChE,kDAAgE;AAChE,wFAAqF;AAuBrF;;GAEG;AACH,MAAM,YAAY;IACT,KAAK,CAAC,yBAAyB,CAAC,MAAc;QACnD,IAAI,qBAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE;YACzB,MAAM,IAAA,0CAA4B,EAAC;gBACjC,IAAI,EAAE,qBAAS,CAAC,MAAM,CAAC,KAAK,CAAC,UAAU;gBACvC,MAAM,EAAE,sBAAsB;gBAC9B,OAAO,EAAE,4BAA4B;aACtC,CAAC,CAAC;SACJ;QAED,MAAM,KAAK,GAAa,MAAM,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACjD,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,QAAQ,EAAE;YACzB,MAAM,IAAA,0CAA4B,EAAC;gBACjC,IAAI,EAAE,qBAAS,CAAC,MAAM,CAAC,KAAK,CAAC,aAAa;gBAC1C,MAAM,EAAE,sBAAsB;gBAC9B,OAAO,EAAE,8CAA8C;aACxD,CAAC,CAAC;SACJ;QAED,OAAO,MAAM,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IAC1C,CAAC;IAEM,KAAK,CAAC,WAAW,CAAC,KAAa;QACpC,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QAErC,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC;QAEhD,IAAI,CAAC,4BAA4B,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QAChD,IAAI,CAAC,8BAA8B,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QAElD,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,GAAG,CAAC,SAAS,CAAC,CAAC;IAC9C,CAAC;IAEO,QAAQ,CAAC,KAAa;QAC5B,MAAM,OAAO,GAAgB,GAAG,CAAC,MAAM,CAAC,KAAK,CAAgB,CAAC;QAC9D,IAAI,CAAC,OAAO,EAAE;YACZ,MAAM,IAAA,mCAAqB,EAAC;gBAC1B,IAAI,EAAE,qBAAS,CAAC,MAAM,CAAC,KAAK,CAAC,aAAa;gBAC1C,MAAM,EAAE,KAAK;gBACb,OAAO,EAAE,eAAe;aACzB,CAAC,CAAC;SACJ;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;IAEO,SAAS,CAAC,KAAa,EAAE,SAAiB;QAChD,IAAI,OAAY,CAAC;QACjB,IAAI;YACF,OAAO,GAAG,GAAG,CAAC,MAAM,CAAC,KAAK,EAAE,SAAS,CAAC,CAAC;SACxC;QAAC,OAAO,GAAG,EAAE;YACZ,MAAM,IAAA,mCAAqB,EAAC;gBAC1B,IAAI,EAAE,qBAAS,CAAC,MAAM,CAAC,KAAK,CAAC,aAAa;gBAC1C,MAAM,EAAE,KAAK;gBACb,OAAO,EAAE,GAAG,CAAC,OAAO;aACrB,CAAC,CAAC;SACJ;QAED,IAAI,IAAA,yBAAY,EAAC,OAAO,CAAC,EAAE;YACzB,OAAO,OAAO,CAAC;SAChB;QACD,MAAM,IAAA,mCAAqB,EAAC;YAC1B,IAAI,EAAE,qBAAS,CAAC,MAAM,CAAC,KAAK,CAAC,aAAa;YAC1C,MAAM,EAAE,KAAK;YACb,OAAO,EAAE,8BAA8B;SACxC,CAAC,CAAC;IACL,CAAC;IAEO,KAAK,CAAC,eAAe,CAAC,OAAoB;QAChD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;QAC5B,IAAI,CAAC,KAAK,IAAI,KAAK,IAAI,CAAC,EAAE;YACxB,MAAM,IAAA,mCAAqB,EAAC;gBAC1B,IAAI,EAAE,qBAAS,CAAC,MAAM,CAAC,KAAK,CAAC,aAAa;gBAC1C,MAAM,EAAE,KAAK;gBACb,OAAO,EAAE,uBAAuB;aACjC,CAAC,CAAC;SACJ;QAED,MAAM,GAAG,GAAe,MAAM,qDAAyB,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAEtE,kBAAkB;QAClB,IAAI,CAAC,GAAG,IAAI,GAAG,CAAC,KAAK,KAAK,0BAAc,CAAC,MAAM,EAAE;YAC/C,MAAM,IAAA,mCAAqB,EAAC;gBAC1B,IAAI,EAAE,qBAAS,CAAC,MAAM,CAAC,KAAK,CAAC,aAAa;gBAC1C,MAAM,EAAE,KAAK;gBACb,OAAO,EAAE,gCAAgC;aAC1C,CAAC,CAAC;SACJ;QACD,OAAO,GAAG,CAAC;IACb,CAAC;IAEO,4BAA4B,CAAC,OAAoB,EAAE,GAAe;QACxE,oEAAoE;QACpE,MAAM,UAAU,GAAkB,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC;QACjE,MAAM,YAAY,GAAkB,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAC9D,IAAI,UAAU,CAAC,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,EAAE;YACrC,MAAM,IAAA,mCAAqB,EAAC;gBAC1B,IAAI,EAAE,qBAAS,CAAC,MAAM,CAAC,KAAK,CAAC,aAAa;gBAC1C,MAAM,EAAE,KAAK;gBACb,OAAO,EAAE,iDAAiD;aAC3D,CAAC,CAAC;SACJ;IACH,CAAC;IAEO,8BAA8B,CAAC,OAAoB,EAAE,GAAe;QAC1E,wBAAwB;QACxB,IAAI,GAAG,CAAC,SAAS,EAAE;YACjB,MAAM,YAAY,GAAkB,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;YAC9D,IAAI,MAAM,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,EAAE;gBACvC,MAAM,IAAA,mCAAqB,EAAC;oBAC1B,IAAI,EAAE,qBAAS,CAAC,MAAM,CAAC,KAAK,CAAC,aAAa;oBAC1C,MAAM,EAAE,KAAK;oBACb,OAAO,EAAE,uBAAuB;iBACjC,CAAC,CAAC;aACJ;YAED,qEAAqE;YACrE,MAAM,UAAU,GAAkB,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC;YACjE,IAAI,UAAU,CAAC,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,EAAE;gBACrC,MAAM,IAAA,mCAAqB,EAAC;oBAC1B,IAAI,EAAE,qBAAS,CAAC,MAAM,CAAC,KAAK,CAAC,aAAa;oBAC1C,MAAM,EAAE,KAAK;oBACb,OAAO,EAAE,kEAAkE;iBAC5E,CAAC,CAAC;aACJ;SACF;IACH,CAAC;CACF;AAEY,QAAA,YAAY,GAAkB,IAAI,YAAY,EAAE,CAAC"}

package/dist/src/jwtValidator.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/src/jwtValidator.test.js

@@ -0,0 +1,500 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const src_1 = require("@villedemontreal/general-utils/dist/src");
+const chai_1 = require("chai");
+const jwt = require("jsonwebtoken");
+const nock = require("nock");
+const validator = require("validator");
+const configs_1 = require("./config/configs");
+const constants_1 = require("./config/constants");
+const jwtValidator_1 = require("./jwtValidator");
+const expressRequest_1 = require("./models/expressRequest");
+const cachedPublicKeyRepository_1 = require("./repositories/cachedPublicKeyRepository");
+const jwtMock_1 = require("./utils/jwtMock");
+const testingConfigurations_1 = require("./utils/testingConfigurations");
+const httpMocks = require('node-mocks-http');
+// ==========================================
+// Set Testing configurations
+// ==========================================
+(0, testingConfigurations_1.setTestingConfigurations)();
+// ==========================================
+// JWT Validator
+// ==========================================
+let date;
+let publicKeys;
+function createPathRegex() {
+    const regExpEscape = (s) => {
+        return s.replace(/[-/\\^$*+?.()|[\]{}]/g, '\\$&');
+    };
+    return new RegExp(`${regExpEscape(configs_1.configs.getEndpoint())}(.*)`);
+}
+before('JWT Validator - init app & get jwt public key', async () => {
+    nock.cleanAll();
+    // Use mock keys
+    await jwtMock_1.jwtMock.mockPublicKeys();
+    publicKeys = await cachedPublicKeyRepository_1.cachedPublicKeyRepository.getAll();
+    chai_1.assert.match(publicKeys[1].publicKey, /^-----BEGIN PUBLIC KEY-----\n/m);
+    chai_1.assert.match(publicKeys[1].publicKey, /^-----BEGIN PUBLIC KEY-----\n/m);
+    chai_1.assert.match(publicKeys[1].publicKey, /\n-----END PUBLIC KEY-----$/m);
+    const key = publicKeys[1].publicKey
+        .replace(/^-----BEGIN PUBLIC KEY-----\n/m, '')
+        .replace(/\n-----END PUBLIC KEY-----$/m, '')
+        .split('\n')
+        .join('');
+    chai_1.assert.isTrue(validator.default.isBase64(key));
+});
+it('JWT Validator - verifyHeader - should reject null header', async () => {
+    const response = await jwtValidator_1.jwtValidator.verifyAuthorizationHeader(null).catch((err) => {
+        chai_1.assert.strictEqual(err.error.code, constants_1.constants.errors.codes.INVALID_AUTHORIZATION_HEADER);
+        chai_1.assert.strictEqual(err.error.target, 'Authorization header');
+        chai_1.assert.strictEqual(err.error.message, 'Invalid Authorization header');
+        chai_1.assert.strictEqual(err.error.details[0].code, constants_1.constants.errors.codes.NULL_VALUE);
+        chai_1.assert.strictEqual(err.error.details[0].target, 'Authorization header');
+        chai_1.assert.strictEqual(err.error.details[0].message, 'Empty Authorization header');
+    });
+    chai_1.assert.isUndefined(response);
+});
+it('JWT Validator - verifyHeader - should reject empty header', async () => {
+    const response = await jwtValidator_1.jwtValidator.verifyAuthorizationHeader('').catch((err) => {
+        chai_1.assert.strictEqual(err.error.code, constants_1.constants.errors.codes.INVALID_AUTHORIZATION_HEADER);
+        chai_1.assert.strictEqual(err.error.target, 'Authorization header');
+        chai_1.assert.strictEqual(err.error.message, 'Invalid Authorization header');
+        chai_1.assert.strictEqual(err.error.details[0].code, constants_1.constants.errors.codes.NULL_VALUE);
+        chai_1.assert.strictEqual(err.error.details[0].target, 'Authorization header');
+        chai_1.assert.strictEqual(err.error.details[0].message, 'Empty Authorization header');
+    });
+    chai_1.assert.isUndefined(response);
+});
+it('JWT Validator - verifyHeader - should reject unknow authentication scheme', async () => {
+    const response = await jwtValidator_1.jwtValidator.verifyAuthorizationHeader('Unknow JWT').catch((err) => {
+        chai_1.assert.strictEqual(err.error.code, constants_1.constants.errors.codes.INVALID_AUTHORIZATION_HEADER);
+        chai_1.assert.strictEqual(err.error.target, 'Authorization header');
+        chai_1.assert.strictEqual(err.error.message, 'Invalid Authorization header');
+        chai_1.assert.strictEqual(err.error.details[0].code, constants_1.constants.errors.codes.INVALID_VALUE);
+        chai_1.assert.strictEqual(err.error.details[0].target, 'Authorization header');
+        chai_1.assert.strictEqual(err.error.details[0].message, 'Bad authentication scheme, "Bearer" required');
+    });
+    chai_1.assert.isUndefined(response);
+});
+it('JWT Validator - verifyHeader - should reject bad token', async () => {
+    const response = await jwtValidator_1.jwtValidator.verifyAuthorizationHeader('Bearer JWT').catch((err) => {
+        chai_1.assert.strictEqual(err.error.code, constants_1.constants.errors.codes.INVALID_JWT);
+        chai_1.assert.strictEqual(err.error.target, 'Authorization header');
+        chai_1.assert.strictEqual(err.error.message, 'Invalid JWT');
+        chai_1.assert.strictEqual(err.error.details[0].code, constants_1.constants.errors.codes.INVALID_VALUE);
+        chai_1.assert.strictEqual(err.error.details[0].target, 'jwt');
+        chai_1.assert.strictEqual(err.error.details[0].message, 'jwt malformed');
+    });
+    chai_1.assert.isUndefined(response);
+});
+it('JWT Validator - verifyHeader - should accept good token', async () => {
+    date = new Date(publicKeys[5].createdAt);
+    date.setHours(date.getHours() + 24);
+    const payload = {
+        accessToken: 'c9ba5a95-d7f9-41f9-9a24-a7e41882f7ef',
+        iss: 'Issuer',
+        inum: 'MyInum',
+        iat: date.getTime() / 1000,
+        exp: date.getTime() / 1000 + 3600,
+        sub: '@!4025.CA62.9BB6.16C5!0001!2212.0010!0000!0000.0001',
+        keyId: 5,
+    };
+    const token = jwt.sign(JSON.stringify(payload), jwtMock_1.jwtMock.getPrivateKey(), {
+        algorithm: 'RS256',
+    });
+    const response = await jwtValidator_1.jwtValidator.verifyAuthorizationHeader('Bearer ' + token);
+    chai_1.assert.deepEqual(response, payload);
+});
+it('JWT Validator - verify - should reject bad token', async () => {
+    const response = await jwtValidator_1.jwtValidator.verifyToken('JWT').catch((err) => {
+        chai_1.assert.strictEqual(err.error.code, constants_1.constants.errors.codes.INVALID_JWT);
+        chai_1.assert.strictEqual(err.error.target, 'Authorization header');
+        chai_1.assert.strictEqual(err.error.message, 'Invalid JWT');
+        chai_1.assert.strictEqual(err.error.details[0].code, constants_1.constants.errors.codes.INVALID_VALUE);
+        chai_1.assert.strictEqual(err.error.details[0].target, 'jwt');
+        chai_1.assert.strictEqual(err.error.details[0].message, 'jwt malformed');
+    });
+    chai_1.assert.isUndefined(response);
+});
+it('JWT Validator - verify - should reject invalid token: missing signature', async () => {
+    let token = '';
+    token += Buffer.from('{}', 'base64');
+    token += '.';
+    token += Buffer.from('{}', 'base64');
+    token += '.';
+    const response = await jwtValidator_1.jwtValidator.verifyToken(token).catch((err) => {
+        chai_1.assert.strictEqual(err.error.code, constants_1.constants.errors.codes.INVALID_JWT);
+        chai_1.assert.strictEqual(err.error.target, 'Authorization header');
+        chai_1.assert.strictEqual(err.error.message, 'Invalid JWT');
+        chai_1.assert.strictEqual(err.error.details[0].code, constants_1.constants.errors.codes.INVALID_VALUE);
+        chai_1.assert.strictEqual(err.error.details[0].target, 'jwt');
+        chai_1.assert.strictEqual(err.error.details[0].message, 'jwt malformed');
+    });
+    chai_1.assert.isUndefined(response);
+});
+it('JWT Validator - verify - should reject invalid token: empty JSON', async () => {
+    let token = '';
+    token += Buffer.from('{}', 'base64');
+    token += '.';
+    token += Buffer.from('{}', 'base64');
+    token += '.';
+    token += 'TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ';
+    const response = await jwtValidator_1.jwtValidator.verifyToken(token).catch((err) => {
+        chai_1.assert.strictEqual(err.error.code, constants_1.constants.errors.codes.INVALID_JWT);
+        chai_1.assert.strictEqual(err.error.target, 'Authorization header');
+        chai_1.assert.strictEqual(err.error.message, 'Invalid JWT');
+        chai_1.assert.strictEqual(err.error.details[0].code, constants_1.constants.errors.codes.INVALID_VALUE);
+        chai_1.assert.strictEqual(err.error.details[0].target, 'jwt');
+        chai_1.assert.strictEqual(err.error.details[0].message, 'jwt malformed');
+    });
+    chai_1.assert.isUndefined(response);
+});
+it('JWT Validator - verify - should reject invalid token: missing public key ID', async () => {
+    const token = jwt.sign('{"a":"a"}', 'key', { algorithm: 'HS256' });
+    const response = await jwtValidator_1.jwtValidator.verifyToken(token).catch((err) => {
+        chai_1.assert.strictEqual(err.error.code, constants_1.constants.errors.codes.INVALID_JWT);
+        chai_1.assert.strictEqual(err.error.target, 'Authorization header');
+        chai_1.assert.strictEqual(err.error.message, 'Invalid JWT');
+        chai_1.assert.strictEqual(err.error.details[0].code, constants_1.constants.errors.codes.INVALID_VALUE);
+        chai_1.assert.strictEqual(err.error.details[0].target, 'jwt');
+        chai_1.assert.strictEqual(err.error.details[0].message, 'missing public key ID');
+    });
+    chai_1.assert.isUndefined(response);
+});
+it('JWT Validator - verify - should reject invalid token: keyId is no longer active', async () => {
+    const token = jwt.sign('{"a":"a", "keyId": "1"}', 'key', { algorithm: 'HS256' });
+    const response = await jwtValidator_1.jwtValidator.verifyToken(token).catch((err) => {
+        chai_1.assert.strictEqual(err.error.code, constants_1.constants.errors.codes.INVALID_JWT);
+        chai_1.assert.strictEqual(err.error.target, 'Authorization header');
+        chai_1.assert.strictEqual(err.error.message, 'Invalid JWT');
+        chai_1.assert.strictEqual(err.error.details[0].code, constants_1.constants.errors.codes.INVALID_VALUE);
+        chai_1.assert.strictEqual(err.error.details[0].target, 'jwt');
+        chai_1.assert.strictEqual(err.error.details[0].message, 'this keyId is no longer active');
+    });
+    chai_1.assert.isUndefined(response);
+});
+it('JWT Validator - verify - should reject invalid token: keyId not found', async () => {
+    const pathRegex = createPathRegex();
+    // Intercept request
+    nock(configs_1.configs.getHost()).get(pathRegex).reply(404);
+    const token = jwt.sign('{"a":"a", "keyId": "25"}', 'key', { algorithm: 'HS256' });
+    const response = await jwtValidator_1.jwtValidator.verifyToken(token).catch((err) => {
+        chai_1.assert.strictEqual(err.error.code, constants_1.constants.errors.codes.INVALID_JWT);
+        chai_1.assert.strictEqual(err.error.target, 'Authorization header');
+        chai_1.assert.strictEqual(err.error.message, 'Invalid JWT');
+        chai_1.assert.strictEqual(err.error.details[0].code, constants_1.constants.errors.codes.INVALID_VALUE);
+        chai_1.assert.strictEqual(err.error.details[0].target, 'jwt');
+        chai_1.assert.strictEqual(err.error.details[0].message, 'this keyId is no longer active');
+    });
+    chai_1.assert.isUndefined(response);
+});
+it('JWT Validator - verify - should reject invalid algorithm: bad signature', async () => {
+    let token = '';
+    token += Buffer.from('{"alg":"HS256","typ":"JWT"}', 'base64');
+    token += '.';
+    token += Buffer.from('{"a":"a", "keyId": 5}', 'base64');
+    token += '.';
+    token += 'TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ';
+    const response = await jwtValidator_1.jwtValidator.verifyToken(token).catch((err) => {
+        chai_1.assert.strictEqual(err.error.code, constants_1.constants.errors.codes.INVALID_JWT);
+        chai_1.assert.strictEqual(err.error.target, 'Authorization header');
+        chai_1.assert.strictEqual(err.error.message, 'Invalid JWT');
+        chai_1.assert.strictEqual(err.error.details[0].code, constants_1.constants.errors.codes.INVALID_VALUE);
+        chai_1.assert.strictEqual(err.error.details[0].target, 'jwt');
+        chai_1.assert.strictEqual(err.error.details[0].message, 'jwt malformed');
+    });
+    chai_1.assert.isUndefined(response);
+});
+it('JWT Validator - verify - should reject invalid algorithm: bad signature (algorithm)', async () => {
+    const token = jwt.sign('{"a":"a", "keyId": 5}', 'key', { algorithm: 'HS256' });
+    const response = await jwtValidator_1.jwtValidator.verifyToken(token).catch((err) => {
+        chai_1.assert.strictEqual(err.error.code, constants_1.constants.errors.codes.INVALID_JWT);
+        chai_1.assert.strictEqual(err.error.target, 'Authorization header');
+        chai_1.assert.strictEqual(err.error.message, 'Invalid JWT');
+        chai_1.assert.strictEqual(err.error.details[0].code, constants_1.constants.errors.codes.INVALID_VALUE);
+        chai_1.assert.strictEqual(err.error.details[0].target, 'jwt');
+        chai_1.assert.strictEqual(err.error.details[0].message, 'invalid algorithm');
+    });
+    chai_1.assert.isUndefined(response);
+});
+it('JWT Validator - verify - should reject expired token', async () => {
+    date = new Date(publicKeys[5].createdAt);
+    date.setHours(date.getHours() + 24);
+    const payload = {
+        b: 'b',
+        iat: date.getTime() / 1000,
+        exp: 1,
+        keyId: 5,
+    };
+    const token = jwt.sign(JSON.stringify(payload), jwtMock_1.jwtMock.getPrivateKey(), {
+        algorithm: 'RS256',
+    });
+    const response = await jwtValidator_1.jwtValidator.verifyToken(token).catch((err) => {
+        chai_1.assert.strictEqual(err.error.code, constants_1.constants.errors.codes.INVALID_JWT);
+        chai_1.assert.strictEqual(err.error.target, 'Authorization header');
+        chai_1.assert.strictEqual(err.error.message, 'Invalid JWT');
+        chai_1.assert.strictEqual(err.error.details[0].code, constants_1.constants.errors.codes.INVALID_VALUE);
+        chai_1.assert.strictEqual(err.error.details[0].target, 'jwt');
+        chai_1.assert.strictEqual(err.error.details[0].message, 'jwt expired');
+    });
+    chai_1.assert.isUndefined(response);
+});
+it('JWT Validator - verify - should reject expired public key', async () => {
+    const payload = {
+        b: 'b',
+        keyId: 2,
+    };
+    const token = jwt.sign(JSON.stringify(payload), jwtMock_1.jwtMock.getPrivateKey(), {
+        algorithm: 'RS256',
+    });
+    const response = await jwtValidator_1.jwtValidator.verifyToken(token).catch((err) => {
+        chai_1.assert.strictEqual(err.error.code, constants_1.constants.errors.codes.INVALID_JWT);
+        chai_1.assert.strictEqual(err.error.target, 'Authorization header');
+        chai_1.assert.strictEqual(err.error.message, 'Invalid JWT');
+        chai_1.assert.strictEqual(err.error.details[0].code, constants_1.constants.errors.codes.INVALID_VALUE);
+        chai_1.assert.strictEqual(err.error.details[0].target, 'jwt');
+        chai_1.assert.strictEqual(err.error.details[0].message, 'this keyId is expired');
+    });
+    chai_1.assert.isUndefined(response);
+});
+it('JWT Validator - verify - should reject expired public key (by state)', async () => {
+    const payload = {
+        b: 'b',
+        keyId: 1,
+    };
+    const token = jwt.sign(JSON.stringify(payload), jwtMock_1.jwtMock.getPrivateKey(), {
+        algorithm: 'RS256',
+    });
+    const response = await jwtValidator_1.jwtValidator.verifyToken(token).catch((err) => {
+        chai_1.assert.strictEqual(err.error.code, constants_1.constants.errors.codes.INVALID_JWT);
+        chai_1.assert.strictEqual(err.error.target, 'Authorization header');
+        chai_1.assert.strictEqual(err.error.message, 'Invalid JWT');
+        chai_1.assert.strictEqual(err.error.details[0].code, constants_1.constants.errors.codes.INVALID_VALUE);
+        chai_1.assert.strictEqual(err.error.details[0].target, 'jwt');
+        chai_1.assert.strictEqual(err.error.details[0].message, 'this keyId is no longer active');
+    });
+    chai_1.assert.isUndefined(response);
+});
+it('JWT Validator - verify - should reject revoked public key', async () => {
+    const payload = {
+        b: 'b',
+        keyId: 3,
+    };
+    const token = jwt.sign(JSON.stringify(payload), jwtMock_1.jwtMock.getPrivateKey(), {
+        algorithm: 'RS256',
+    });
+    const response = await jwtValidator_1.jwtValidator.verifyToken(token).catch((err) => {
+        chai_1.assert.strictEqual(err.error.code, constants_1.constants.errors.codes.INVALID_JWT);
+        chai_1.assert.strictEqual(err.error.target, 'Authorization header');
+        chai_1.assert.strictEqual(err.error.message, 'Invalid JWT');
+        chai_1.assert.strictEqual(err.error.details[0].code, constants_1.constants.errors.codes.INVALID_VALUE);
+        chai_1.assert.strictEqual(err.error.details[0].target, 'jwt');
+        chai_1.assert.strictEqual(err.error.details[0].message, 'this keyId is no longer active');
+    });
+    chai_1.assert.isUndefined(response);
+});
+it('JWT Validator - verify - should reject jwt created after the expiration date of the key', async () => {
+    date = new Date(publicKeys[4].expiresAt);
+    date.setHours(date.getHours() + 24);
+    const payload = {
+        b: 'b',
+        iat: date.getTime() / 1000,
+        keyId: 4,
+    };
+    const token = jwt.sign(JSON.stringify(payload), jwtMock_1.jwtMock.getPrivateKey(), {
+        algorithm: 'RS256',
+    });
+    const response = await jwtValidator_1.jwtValidator.verifyToken(token).catch((err) => {
+        chai_1.assert.strictEqual(err.error.code, constants_1.constants.errors.codes.INVALID_JWT);
+        chai_1.assert.strictEqual(err.error.target, 'Authorization header');
+        chai_1.assert.strictEqual(err.error.message, 'Invalid JWT');
+        chai_1.assert.strictEqual(err.error.details[0].code, constants_1.constants.errors.codes.INVALID_VALUE);
+        chai_1.assert.strictEqual(err.error.details[0].target, 'jwt');
+        chai_1.assert.strictEqual(err.error.details[0].message, "this jwt can't be created after the expiration of the public key");
+    });
+    chai_1.assert.isUndefined(response);
+});
+it('JWT Validator - verify - should reject jwt created before the creation date of the key', async () => {
+    date = new Date(publicKeys[4].createdAt);
+    date.setHours(date.getHours() - 48);
+    const payload = {
+        b: 'b',
+        iat: date.getTime() / 1000,
+        keyId: 4,
+    };
+    const token = jwt.sign(JSON.stringify(payload), jwtMock_1.jwtMock.getPrivateKey(), {
+        algorithm: 'RS256',
+    });
+    const response = await jwtValidator_1.jwtValidator.verifyToken(token).catch((err) => {
+        chai_1.assert.strictEqual(err.error.code, constants_1.constants.errors.codes.INVALID_JWT);
+        chai_1.assert.strictEqual(err.error.target, 'Authorization header');
+        chai_1.assert.strictEqual(err.error.message, 'Invalid JWT');
+        chai_1.assert.strictEqual(err.error.details[0].code, constants_1.constants.errors.codes.INVALID_VALUE);
+        chai_1.assert.strictEqual(err.error.details[0].target, 'jwt');
+        chai_1.assert.strictEqual(err.error.details[0].message, "this jwt can't be created before the public key");
+    });
+    chai_1.assert.isUndefined(response);
+});
+it('JWT Validator - verify - should accept good token', async () => {
+    date = new Date();
+    const payload = {
+        accessToken: 'c9ba5a95-d7f9-41f9-9a24-a7e41882f7ef',
+        iss: 'Issuer',
+        inum: 'MyInum',
+        iat: date.getTime() / 1000,
+        exp: date.getTime() / 1000 + 3600,
+        sub: '@!4025.CA62.9BB6.16C5!0001!2212.0010!0000!0000.0001',
+        keyId: 4,
+    };
+    const token = jwt.sign(JSON.stringify(payload), jwtMock_1.jwtMock.getPrivateKey(), {
+        algorithm: 'RS256',
+    });
+    const response = await jwtValidator_1.jwtValidator.verifyToken(token);
+    chai_1.assert.deepEqual(response, payload);
+});
+it('isRequestWithJwt', async () => {
+    const req = httpMocks.createRequest({ method: 'GET', url: '/' });
+    chai_1.assert.isFalse((0, expressRequest_1.isRequestWithJwt)(req));
+    req[constants_1.constants.requestExtraVariables.JWT] = 'Bonjour la police';
+    chai_1.assert.isTrue((0, expressRequest_1.isRequestWithJwt)(req));
+});
+it('JWT Validator - unable to get public key', async () => {
+    const pathRegex = createPathRegex();
+    // Intercept request
+    nock(configs_1.configs.getHost()).get(pathRegex).reply(500);
+    const token = jwt.sign('{"a":"a", "keyId": "25"}', 'key', { algorithm: 'HS256' });
+    const response = await jwtValidator_1.jwtValidator.verifyToken(token).catch((err) => {
+        chai_1.assert.strictEqual(err.error.code, constants_1.constants.errors.codes.UNABLE_TO_GET_PUBLIC_KEY);
+        chai_1.assert.strictEqual(err.httpStatus, 500);
+    });
+    chai_1.assert.isUndefined(response);
+});
+it('JWT Validator - network error - should accept good token if cached', async () => {
+    // Invalidate cache
+    const currentNextUpdate = cachedPublicKeyRepository_1.cachedPublicKeyRepository._nextUpdate;
+    cachedPublicKeyRepository_1.cachedPublicKeyRepository._nextUpdate = undefined;
+    const pathRegex = createPathRegex();
+    // Intercept request
+    nock(configs_1.configs.getHost()).get(pathRegex).replyWithError({ code: 'ABORTED' });
+    date = new Date();
+    const payload = {
+        accessToken: 'c9ba5a95-d7f9-41f9-9a24-a7e41882f7ef',
+        iss: 'Issuer',
+        inum: 'MyInum',
+        iat: date.getTime() / 1000,
+        exp: date.getTime() / 1000 + 3600,
+        sub: '@!4025.CA62.9BB6.16C5!0001!2212.0010!0000!0000.0001',
+        keyId: 4,
+    };
+    const token = jwt.sign(JSON.stringify(payload), jwtMock_1.jwtMock.getPrivateKey(), {
+        algorithm: 'RS256',
+    });
+    const response = await jwtValidator_1.jwtValidator.verifyToken(token);
+    chai_1.assert.deepEqual(response, payload);
+    cachedPublicKeyRepository_1.cachedPublicKeyRepository._nextUpdate = currentNextUpdate;
+});
+it('JWT Validator - 500 error from api - should accept good token if cached', async () => {
+    // Invalidate cache
+    const currentNextUpdate = cachedPublicKeyRepository_1.cachedPublicKeyRepository._nextUpdate;
+    cachedPublicKeyRepository_1.cachedPublicKeyRepository._nextUpdate = undefined;
+    const pathRegex = createPathRegex();
+    // Error from api
+    // Intercept request
+    nock(configs_1.configs.getHost())
+        .get(pathRegex)
+        .reply(500, (0, src_1.createServerError)('Error while sending request'));
+    date = new Date();
+    const payload = {
+        accessToken: 'c9ba5a95-d7f9-41f9-9a24-a7e41882f7ef',
+        iss: 'Issuer',
+        inum: 'MyInum',
+        iat: date.getTime() / 1000,
+        exp: date.getTime() / 1000 + 3600,
+        sub: '@!4025.CA62.9BB6.16C5!0001!2212.0010!0000!0000.0001',
+        keyId: 4,
+    };
+    const token = jwt.sign(JSON.stringify(payload), jwtMock_1.jwtMock.getPrivateKey(), {
+        algorithm: 'RS256',
+    });
+    const response = await jwtValidator_1.jwtValidator.verifyToken(token);
+    chai_1.assert.deepEqual(response, payload);
+    cachedPublicKeyRepository_1.cachedPublicKeyRepository._nextUpdate = currentNextUpdate;
+});
+it('JWT Validator - 429 error from api - should accept good token if cached', async () => {
+    // Invalidate cache
+    const currentNextUpdate = cachedPublicKeyRepository_1.cachedPublicKeyRepository._nextUpdate;
+    cachedPublicKeyRepository_1.cachedPublicKeyRepository._nextUpdate = undefined;
+    const pathRegex = createPathRegex();
+    // Error from api
+    // Intercept request
+    nock(configs_1.configs.getHost()).get(pathRegex).reply(429);
+    date = new Date();
+    const payload = {
+        accessToken: 'c9ba5a95-d7f9-41f9-9a24-a7e41882f7ef',
+        iss: 'Issuer',
+        inum: 'MyInum',
+        iat: date.getTime() / 1000,
+        exp: date.getTime() / 1000 + 3600,
+        sub: '@!4025.CA62.9BB6.16C5!0001!2212.0010!0000!0000.0001',
+        keyId: 4,
+    };
+    const token = jwt.sign(JSON.stringify(payload), jwtMock_1.jwtMock.getPrivateKey(), {
+        algorithm: 'RS256',
+    });
+    const response = await jwtValidator_1.jwtValidator.verifyToken(token);
+    chai_1.assert.deepEqual(response, payload);
+    cachedPublicKeyRepository_1.cachedPublicKeyRepository._nextUpdate = currentNextUpdate;
+});
+it('JWT Validator - 400 error from api - should reject', async () => {
+    // Invalidate cache
+    const currentNextUpdate = cachedPublicKeyRepository_1.cachedPublicKeyRepository._nextUpdate;
+    cachedPublicKeyRepository_1.cachedPublicKeyRepository._nextUpdate = undefined;
+    const pathRegex = createPathRegex();
+    // Error from api
+    // Intercept request
+    nock(configs_1.configs.getHost())
+        .get(pathRegex)
+        .reply(400, (0, src_1.createInvalidParameterError)('Something is wrong'));
+    date = new Date();
+    const payload = {
+        accessToken: 'c9ba5a95-d7f9-41f9-9a24-a7e41882f7ef',
+        iss: 'Issuer',
+        inum: 'MyInum',
+        iat: date.getTime() / 1000,
+        exp: date.getTime() / 1000 + 3600,
+        sub: '@!4025.CA62.9BB6.16C5!0001!2212.0010!0000!0000.0001',
+        keyId: 4,
+    };
+    const token = jwt.sign(JSON.stringify(payload), jwtMock_1.jwtMock.getPrivateKey(), {
+        algorithm: 'RS256',
+    });
+    let error;
+    try {
+        await jwtValidator_1.jwtValidator.verifyToken(token);
+    }
+    catch (e) {
+        error = e;
+    }
+    chai_1.assert.isDefined(error);
+    chai_1.assert.instanceOf(error, src_1.ApiErrorAndInfo);
+    cachedPublicKeyRepository_1.cachedPublicKeyRepository._nextUpdate = currentNextUpdate;
+});
+it('JWT Validator - network error - should reject bad token anyway', async () => {
+    // Invalidate cache
+    const currentNextUpdate = cachedPublicKeyRepository_1.cachedPublicKeyRepository._nextUpdate;
+    cachedPublicKeyRepository_1.cachedPublicKeyRepository._nextUpdate = undefined;
+    const pathRegex = createPathRegex();
+    // Intercept request
+    nock(configs_1.configs.getHost()).get(pathRegex).replyWithError({ code: 'ABORTED' });
+    const response = await jwtValidator_1.jwtValidator.verifyToken('JWT').catch((err) => {
+        chai_1.assert.strictEqual(err.error.code, constants_1.constants.errors.codes.INVALID_JWT);
+        chai_1.assert.strictEqual(err.error.target, 'Authorization header');
+        chai_1.assert.strictEqual(err.error.message, 'Invalid JWT');
+        chai_1.assert.strictEqual(err.error.details[0].code, constants_1.constants.errors.codes.INVALID_VALUE);
+        chai_1.assert.strictEqual(err.error.details[0].target, 'jwt');
+        chai_1.assert.strictEqual(err.error.details[0].message, 'jwt malformed');
+    });
+    chai_1.assert.isUndefined(response);
+    cachedPublicKeyRepository_1.cachedPublicKeyRepository._nextUpdate = currentNextUpdate;
+});
+//# sourceMappingURL=jwtValidator.test.js.map