Check cert validity #36

Closed · 2 tasks
levino opened this issue Mar 8, 2018 · 2 comments
Labels: closed:stale (Issue or PR has not seen activity recently)

Comments

levino commented Mar 8, 2018

I was looking at the tests and checked the mock data. More specifically the certificate used for mocks in the tests:

```js
export const publicKey = `-----BEGIN CERTIFICATE-----
MIICsDCCAhmgAwIBAgIJAP0uzO56NPNDMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV
BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBX
aWRnaXRzIFB0eSBMdGQwHhcNMTYwODAyMTIyMjMyWhcNMTYwOTAxMTIyMjMyWjBF
MQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50
ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
gQDdlatRjRjogo3WojgGHFHYLugdUWAY9iR3fy4arWNA1KoS8kVw33cJibXr8bvw
UAUparCwlvdbH6dvEOfou0/gCFQsHUfQrSDv+MuSUMAe8jzKE4qW+jK+xQU9a03G
UnKHkkle+Q0pX/g6jXZ7r1/xAK5Do2kQ+X5xK9cipRgEKwIDAQABo4GnMIGkMB0G
A1UdDgQWBBR7ZjPnt+i/E8VUy4tinxi0+H5vbTB1BgNVHSMEbjBsgBR7ZjPnt+i/
E8VUy4tinxi0+H5vbaFJpEcwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUt
U3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZIIJAP0uzO56
NPNDMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAnMA5ZAyEQgXrUl6J
T/JFcg6HGXj9yTy71EEMVp3Md3B8WwDvs+di4JFcq8FKSoGtTY4Pb5WE9QVUAmwE
sSQoETNYW3quRmYJCkpIHWnvUW/OAf2/Ejr6zXquhBC6WoCeKQuesMvo2qO1rStC
UWahUh2/RQt9XozEWPWJ9Oe6a7c=
-----END CERTIFICATE-----`;
```

It has the following props:
(screenshot of the certificate's properties; the image is not captured in this text)
And is used for example here:
```js
it('should work if the token matches a signing key', (done) => {
  const app = new Koa();
  app.use(koaJwt({
    debug: true,
    secret: jwksRsa.koaJwtSecret({
      jwksUri: 'http://localhost/.well-known/jwks.json'
    }),
    algorithms: ['RS256']
  }));
  app.use((ctx) => {
    ctx.body = ctx.state.user;
    ctx.status = 200;
  });
  // Token signed with the test private key; the JWKS mock serves the matching cert under kid '123'.
  const token = createToken(privateKey, '123', { sub: 'john' });
  jwksEndpoint('http://localhost', [ { pub: publicKey, kid: '123' } ]);
  request(app.listen())
    .get('/')
    .set('Authorization', `Bearer ${ token }`)
    .expect(200)
    .end((err, res) => {
      expect(res.body.sub).to.equal('john');
      done();
    });
});
```

The fact that in the tests JWTs are being recognized as valid when I run these tests today makes me believe that the validity of the cert is not checked (the cert is invalid because it is not 2016 any more).

  • The integrations for koa, express, etc., in this package should check the validity of the cert provided by the JWKSClient. At least the lifetime and the hostname.
  • The variable publicKey should be renamed to certificate because it is a cert, not a public key, which is quite confusing.
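The lifetime check the first bullet asks for, as an added example that is not jwks-rsa's own code: it walks the DER of the test certificate quoted above to its validity window, which is what a secret provider would consult before handing a key from `x5c` to the JWT middleware. The names `tlv`, `parseTime`, `validityWindow` and `certValidAt` are assumed here, not part of the project.

```javascript
// Added example, not jwks-rsa code: walk the DER of an X.509 certificate to
// tbsCertificate.validity; PEM is the test certificate quoted in the issue.
const PEM = `-----BEGIN CERTIFICATE-----
MIICsDCCAhmgAwIBAgIJAP0uzO56NPNDMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV
BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBX
aWRnaXRzIFB0eSBMdGQwHhcNMTYwODAyMTIyMjMyWhcNMTYwOTAxMTIyMjMyWjBF
MQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50
ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
gQDdlatRjRjogo3WojgGHFHYLugdUWAY9iR3fy4arWNA1KoS8kVw33cJibXr8bvw
UAUparCwlvdbH6dvEOfou0/gCFQsHUfQrSDv+MuSUMAe8jzKE4qW+jK+xQU9a03G
UnKHkkle+Q0pX/g6jXZ7r1/xAK5Do2kQ+X5xK9cipRgEKwIDAQABo4GnMIGkMB0G
A1UdDgQWBBR7ZjPnt+i/E8VUy4tinxi0+H5vbTB1BgNVHSMEbjBsgBR7ZjPnt+i/
E8VUy4tinxi0+H5vbaFJpEcwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUt
U3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZIIJAP0uzO56
NPNDMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAnMA5ZAyEQgXrUl6J
T/JFcg6HGXj9yTy71EEMVp3Md3B8WwDvs+di4JFcq8FKSoGtTY4Pb5WE9QVUAmwE
sSQoETNYW3quRmYJCkpIHWnvUW/OAf2/Ejr6zXquhBC6WoCeKQuesMvo2qO1rStC
UWahUh2/RQt9XozEWPWJ9Oe6a7c=
-----END CERTIFICATE-----`;

// One DER TLV at `off`: tag and content bounds; `end` is also the next element's offset.
function tlv(buf, off) {
  let len = buf[off + 1], p = off + 2;
  if (len & 0x80) { const n = len & 0x7f; len = 0; for (let i = 0; i < n; i++) len = (len << 8) | buf[p++]; }
  return { tag: buf[off], start: p, end: p + len };
}

// UTCTime (0x17, YYMMDDHHMMSSZ, years below 50 are 20xx) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ).
function parseTime(tag, s) {
  if (tag === 0x17) s = (Number(s.slice(0, 2)) < 50 ? '20' : '19') + s;
  const n = (a, b) => Number(s.slice(a, b));
  return new Date(Date.UTC(n(0, 4), n(4, 6) - 1, n(6, 8), n(8, 10), n(10, 12), n(12, 14)));
}

// [notBefore, notAfter]: Certificate > tbsCertificate > [version] serial sigAlg issuer validity.
function validityWindow(pem) {
  const der = Buffer.from(pem.replace(/-----[^-]+-----|\s/g, ''), 'base64');
  let p = tlv(der, tlv(der, 0).start).start;          // first element of tbsCertificate
  if (der[p] === 0xa0) p = tlv(der, p).end;           // optional EXPLICIT [0] version
  for (let i = 0; i < 3; i++) p = tlv(der, p).end;    // serialNumber, signature, issuer
  const v = tlv(der, p), t1 = tlv(der, v.start), t2 = tlv(der, t1.end);
  return [t1, t2].map(t => parseTime(t.tag, der.toString('latin1', t.start, t.end)));
}

// The lifetime check a JWKS secret provider could apply before trusting an x5c key.
function certValidAt(pem, now = new Date()) {
  const [notBefore, notAfter] = validityWindow(pem);
  return now >= notBefore && now <= notAfter;
}
```

Run against the quoted certificate, `validityWindow` returns 2016-08-02 to 2016-09-01 UTC, so `certValidAt(PEM)` is false today and a provider applying it would reject the key rather than pass the test.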

levino commented Mar 20, 2018

Is there anyone maintaining this?


stale bot commented Oct 26, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. If you have not received a response from our team (apologies for the delay) and this is still a blocker, please reply with additional information or just a ping. Thank you for your contribution! 🙇‍♂️

@stale stale bot added the closed:stale Issue or PR has not seen activity recently label Oct 26, 2019
@stale stale bot closed this as completed Nov 2, 2019