Feat/auth : Rejects malformed JWTToken and requireValidToken Option

src/framework/auth/services/token/token.spec.ts

@@ -14,10 +14,6 @@ describe('auth token', () => {
     // tslint:disable
     const simpleToken = new NbAuthSimpleToken('token','strategy');
     const validJWTToken = new NbAuthJWTToken('eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJjZXJlbWEuZnIiLCJpYXQiOjE1MzIzNTA4MDAsImV4cCI6MjUzMjM1MDgwMCwic3ViIjoiQWxhaW4gQ0hBUkxFUyIsImFkbWluIjp0cnVlfQ.Rgkgb4KvxY2wp2niXIyLJNJeapFp9z3tCF-zK6Omc8c', 'strategy');
-    const emptyJWTToken = new NbAuthJWTToken('..', 'strategy');
-    const invalidBase64JWTToken = new NbAuthJWTToken('h%2BHY.h%2BHY.h%2BHY','strategy');
-
-    const invalidJWTToken = new NbAuthJWTToken('.','strategy');
 
     const noIatJWTToken = new NbAuthJWTToken('eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJjZXJlbWEuZnIiLCJleHAiOjE1MzI0MzcyMDAsInN1YiI6IkFsYWluIENIQVJMRVMiLCJhZG1pbiI6dHJ1ZX0.cfwQlKo6xomXkE-U-SOqse2GjdxncOuhdd1VWIOiYzA', 'strategy');
 
@@ -27,36 +23,40 @@ describe('auth token', () => {
 
     // tslint:enable
 
-    it('getPayload success', () => {
-      expect(validJWTToken.getPayload())
-      // tslint:disable-next-line
-        .toEqual(JSON.parse('{"iss":"cerema.fr","iat":1532350800,"exp":2532350800,"sub":"Alain CHARLES","admin":true}'));
-    });
-
-    it('getPayload, not valid JWT token, must consist of three parts', () => {
+    it('JWT Token getPayload(), not valid JWT token, must consist of three parts', () => {
+      const token = new NbAuthJWTToken('.', 'strategy');
       expect(() => {
-        invalidJWTToken.getPayload();
+        token.getPayload()
       })
         .toThrow(new Error(
-          `The payload ${invalidJWTToken.getValue()} is not valid JWT payload and must consist of three parts.`));
+          `The payload . is not valid JWT payload and must consist of three parts.`));
     });
 
-    it('getPayload, not valid JWT token, cannot be decoded', () => {
+    it('JWT Token getPayload(),, not valid JWT token, cannot be decoded', () => {
+      const token = new NbAuthJWTToken('..', 'strategy');
       expect(() => {
-        emptyJWTToken.getPayload();
+        token.getPayload()
       })
         .toThrow(new Error(
-          `The payload ${emptyJWTToken.getValue()} is not valid JWT payload and cannot be decoded.`));
+          `The payload .. is not valid JWT payload and cannot be decoded.`));
     });
 
     it('getPayload, not valid base64 in JWT token, cannot be decoded', () => {
+      const token = new NbAuthJWTToken('h%2BHY.h%2BHY.h%2BHY', 'strategy');
       expect(() => {
-        invalidBase64JWTToken.getPayload();
+        token.getPayload()
       })
         .toThrow(new Error(
-          `The payload ${invalidBase64JWTToken.getValue()} is not valid JWT payload and cannot be parsed.`));
+          `The payload h%2BHY.h%2BHY.h%2BHY is not valid JWT payload and cannot be parsed.`));
     });
 
+    it('getPayload success', () => {
+      expect(validJWTToken.getPayload())
+      // tslint:disable-next-line
+        .toEqual(JSON.parse('{"iss":"cerema.fr","iat":1532350800,"exp":2532350800,"sub":"Alain CHARLES","admin":true}'));
+    });
+
+
     it('getCreatedAt success : now for simpleToken', () => {
       // we consider dates are the same if differing from minus than 10 ms
       expect(simpleToken.getCreatedAt().getTime() - now.getTime() < 10);

src/framework/auth/services/token/token.ts

@@ -14,6 +14,14 @@ export abstract class NbAuthToken {
   }
 }
 
+export class InvalidJWTTokenError extends Error {
+  constructor(message: string) {
+    super(message);
+    const actualPrototype = new.target.prototype;
+    Object.setPrototypeOf(this, actualPrototype);
+  }
+}
+
 export interface NbAuthRefreshableToken {
   getRefreshToken(): string;
   setRefreshToken(refreshToken: string);
@@ -34,24 +42,27 @@ export function nbAuthCreateToken<T extends NbAuthToken>(tokenClass: NbAuthToken
 export function decodeJwtPayload(payload: string): string {
 
   if (!payload) {
-    throw new Error('Cannot extract payload from an empty token.');
+    throw new InvalidJWTTokenError('Cannot extract from an empty payload.');
   }
 
   const parts = payload.split('.');
 
   if (parts.length !== 3) {
-    throw new Error(`The payload ${payload} is not valid JWT payload and must consist of three parts.`);
+    throw new InvalidJWTTokenError(
+      `The payload ${payload} is not valid JWT payload and must consist of three parts.`);
   }
 
   let decoded;
   try {
     decoded = urlBase64Decode(parts[1]);
   } catch (e) {
-    throw new Error(`The payload ${payload} is not valid JWT payload and cannot be parsed.`);
+    throw new InvalidJWTTokenError(
+      `The payload ${payload} is not valid JWT payload and cannot be parsed.`);
   }
 
   if (!decoded) {
-    throw new Error(`The payload ${payload} is not valid JWT payload and cannot be decoded.`);
+    throw new InvalidJWTTokenError(
+      `The payload ${payload} is not valid JWT payload and cannot be decoded.`);
   }
 
   return JSON.parse(decoded);
@@ -127,12 +138,17 @@ export class NbAuthJWTToken extends NbAuthSimpleToken {
    * for JWT token, the iat (issued at) field of the token payload contains the creation Date
    */
   protected prepareCreatedAt(date: Date) {
-    let decoded;
+    // We do not want prepareCreatedAt to fail if token is empty because we have to accept it
+    // if requireValidToken is set to false
+    // We want it to fail only if payload is present but malformed.
     try {
-      decoded = this.getPayload();
-    }
-    finally {
+      const decoded = this.getPayload();
       return decoded && decoded.iat ? new Date(Number(decoded.iat) * 1000) : super.prepareCreatedAt(date);
+    } catch (err) {
+      if (err instanceof InvalidJWTTokenError) {
+        return super.prepareCreatedAt(date);
+      }
+      throw err;
     }
   }
 
@@ -221,7 +237,7 @@ export class NbAuthOAuth2Token extends NbAuthSimpleToken {
    */
   getPayload(): any {
     if (!this.token || !Object.keys(this.token).length) {
-      throw new Error('Cannot extract payload from an empty token.');
+      throw new InvalidJWTTokenError('Cannot extract payload from an empty token.');
     }
 
     return this.token;
@@ -274,12 +290,17 @@ export class NbAuthOAuth2JWTToken extends NbAuthOAuth2Token {
    * for Oauth2 JWT token, the iat (issued at) field of the access_token payload
    */
   protected prepareCreatedAt(date: Date) {
-    let decoded;
+    // We do not want prepareCreatedAt to fail if token is empty because we have to accept it
+    // if requireValidToken is set to false
+    // We want it to fail is payload is present but malformed.
     try {
-       decoded = this.getAccessTokenPayload();
-    }
-    finally {
+      const decoded = this.getAccessTokenPayload();
       return decoded && decoded.iat ? new Date(Number(decoded.iat) * 1000) : super.prepareCreatedAt(date);
+    } catch (err) {
+      if (err instanceof InvalidJWTTokenError) {
+        return super.prepareCreatedAt(date);
+      }
+      throw err;
     }
   }
 

src/framework/auth/strategies/auth-strategy-options.ts

@@ -7,6 +7,7 @@ import { NbAuthTokenClass } from '../services/';
 
 export class NbAuthStrategyOptions {
   name: string;
+  requireValidToken?: boolean = false;
   token?: {
     class?: NbAuthTokenClass;
     [key: string]: any;

src/framework/auth/strategies/auth-strategy.ts

@@ -3,7 +3,7 @@ import { Observable } from 'rxjs';
 import { NbAuthResult } from '../services/auth-result';
 import { NbAuthStrategyOptions } from './auth-strategy-options';
 import { deepExtend, getDeepFromObject } from '../helpers';
-import { NbAuthToken, nbAuthCreateToken } from '../services/token/token';
+import { NbAuthToken, nbAuthCreateToken, InvalidJWTTokenError } from '../services/token/token';
 
 export abstract class NbAuthStrategy {
 
@@ -21,7 +21,12 @@ export abstract class NbAuthStrategy {
   }
 
   createToken<T extends NbAuthToken>(value: any): T {
-    return nbAuthCreateToken<T>(this.getOption('token.class'), value, this.getName());
+    const requireValidToken: boolean = this.getOption('requireValidToken');
+    const token = nbAuthCreateToken<T>(this.getOption('token.class'), value, this.getName());
+    if (requireValidToken && !token.isValid()) {
+      throw new InvalidJWTTokenError('Token is empty or invalid.');
+    }
+    return token;
   }
 
   getName(): string {

src/framework/auth/strategies/dummy/dummy-strategy-options.ts

@@ -7,7 +7,6 @@ import { NbAuthStrategyOptions } from '../auth-strategy-options';
 import { NbAuthSimpleToken } from '../../services/';
 
 export class NbDummyAuthStrategyOptions extends NbAuthStrategyOptions {
-  name: string;
   token? = {
     class: NbAuthSimpleToken,
   };

src/framework/auth/strategies/dummy/dummy-strategy.ts

@@ -78,6 +78,7 @@ export class NbDummyAuthStrategy extends NbAuthStrategy {
   }
 
   protected createDummyResult(data?: any): NbAuthResult {
+
     if (this.getOption('alwaysFail')) {
       return new NbAuthResult(
         false,
@@ -87,6 +88,17 @@ export class NbDummyAuthStrategy extends NbAuthStrategy {
       );
     }
 
+    try {
+      this.createToken('test token')
+    } catch (err) {
+      return new NbAuthResult(
+        false,
+        this.createFailResponse(data),
+        null,
+        [err.message],
+      );
+    }
+
     return new NbAuthResult(
       true,
       this.createSuccessResponse(data),

src/framework/auth/strategies/oauth2/oauth2-strategy.options.ts

@@ -5,6 +5,7 @@
  */
 
 import { NbAuthOAuth2Token, NbAuthTokenClass } from '../../services';
+import { NbAuthStrategyOptions } from '../auth-strategy-options';
 
 export enum NbOAuth2ResponseType {
   CODE = 'code',
@@ -24,8 +25,7 @@ export enum NbOAuth2ClientAuthMethod {
   REQUEST_BODY = 'request-body',
 }
 
-export class NbOAuth2AuthStrategyOptions {
-  name: string;
+export class NbOAuth2AuthStrategyOptions extends NbAuthStrategyOptions {
   baseEndpoint?: string = '';
   clientId: string = '';
   clientSecret?: string = '';

src/framework/auth/strategies/oauth2/oauth2-strategy.ts

@@ -23,6 +23,7 @@ import {
   NbOAuth2GrantType, NbOAuth2ClientAuthMethod,
 } from './oauth2-strategy.options';
 import { NbAuthStrategyClass } from '../../auth.options';
+import { InvalidJWTTokenError } from '../../services/';
 
 
 /**
@@ -134,7 +135,6 @@ export class NbOAuth2AuthStrategy extends NbAuthStrategy {
               this.getOption('defaultMessages'),
               this.createToken(params));
           }
-
           return new NbAuthResult(
             false,
             params,
@@ -143,6 +143,21 @@ export class NbOAuth2AuthStrategy extends NbAuthStrategy {
             [],
           );
         }),
+        catchError(err => { //  createToken sent an MalformedJWTTokenError
+          const errors = [];
+          if (err instanceof InvalidJWTTokenError) {
+            errors.push(err.message)
+          } else {
+            errors.push('Something went wrong.');
+          }
+          return observableOf(
+            new NbAuthResult(
+              false,
+              err,
+              this.getOption('redirect.failure'),
+              errors,
+            ));
+        }),
       );
     },
   };
@@ -335,9 +350,12 @@ export class NbOAuth2AuthStrategy extends NbAuthStrategy {
       } else {
         errors = this.getOption('defaultErrors');
       }
+    }  else if (res instanceof InvalidJWTTokenError ) {
+      errors.push(res.message)
     } else {
-      errors.push('Something went wrong.');
-    }
+        errors.push('Something went wrong.')
+    };
+
     return observableOf(
       new NbAuthResult(
         false,

src/framework/auth/strategies/password/password-strategy-options.ts

@@ -39,7 +39,6 @@ export interface NbPasswordStrategyMessage {
 }
 
 export class NbPasswordAuthStrategyOptions extends NbAuthStrategyOptions {
-  name: string;
   baseEndpoint? = '/api/auth/';
   login?: boolean | NbPasswordStrategyModule = {
     alwaysFail: false,