import AtpAgent from '@atproto/api'
import { SeedClient, TestNetwork } from '@atproto/dev-env'
import usersSeed from './seeds/users'
import { createServiceJwt } from '@atproto/xrpc-server'
import { Keypair, Secp256k1Keypair } from '@atproto/crypto'
describe('auth', () => {
  // shared fixtures for the suite: an in-process network, an appview client,
  // and a seed client holding the seeded users' dids
  let network: TestNetwork
  let agent: AtpAgent
  let sc: SeedClient

  beforeAll(async () => {
    network = await TestNetwork.create({
      dbPostgresSchema: 'bsky_auth',
    })
    agent = network.bsky.getClient()
    sc = network.getSeedClient()
    await usersSeed(sc)
    await network.processAll()
  })

  afterAll(async () => {
    await network.close()
  })

  it('handles signing key change for service auth.', async () => {
    // error surfaced by the appview when the jwt signature cannot be verified
    // against the issuer's current signing key (as the appview knows it)
    const sigMismatch = 'jwt signature does not match jwt issuer'
    const issuerDid = sc.dids.alice

    // mint an inter-service jwt for `issuerDid`, addressed to this appview,
    // signed with whichever keypair the caller provides
    const mintJwt = (signingKey: Keypair) =>
      createServiceJwt({
        iss: issuerDid,
        aud: network.bsky.ctx.cfg.serverDid,
        keypair: signingKey,
      })

    // make an authenticated getProfile call using a jwt signed with `signingKey`;
    // resolves when the appview accepts the token, rejects when it does not
    const getProfileSignedWith = async (signingKey: Keypair) => {
      const token = await mintJwt(signingKey)
      const authHeaders = { authorization: `Bearer ${token}` }
      return agent.api.app.bsky.actor.getProfile(
        { actor: sc.dids.carol },
        { headers: authHeaders },
      )
    }

    // the key alice's pds currently signs with, and a fresh one to rotate to
    const currentKey = await network.pds.ctx.actorStore.keypair(issuerDid)
    const rotatedKey = await Secp256k1Keypair.create({ exportable: true })

    // baseline: the registered key is accepted...
    await expect(getProfileSignedWith(currentKey)).resolves.toBeDefined()
    // ...and a key nobody has published is rejected
    await expect(getProfileSignedWith(rotatedKey)).rejects.toThrow(sigMismatch)

    // publish the rotation in plc, authorized by the pds's rotation key
    await network.plc
      .getClient()
      .updateAtprotoKey(
        issuerDid,
        network.pds.ctx.plcRotationKey,
        rotatedKey.did(),
      )

    // immediately after rotation the appview still trusts its cached did doc,
    // so the superseded key is still accepted.
    // NOTE(review): this is the window in which a rotated-away (possibly
    // compromised) key remains usable; its length is bounded by the did doc
    // cache policy, which is not visible from this test.
    await expect(getProfileSignedWith(currentKey)).resolves.toBeDefined()
    // the rotated key is accepted — presumably the mismatch against the cached
    // key triggers a did doc refetch, which is what makes the next step pass
    await expect(getProfileSignedWith(rotatedKey)).resolves.toBeDefined()
    // once the cache has been refreshed the superseded key is finally rejected
    await expect(getProfileSignedWith(currentKey)).rejects.toThrow(sigMismatch)
  })
})