fix(jwt): possible NPE in jwt:encode

refs #2 The implementation of `jwt:encode` with arrow expressions failed with an NPE. It does so only when called in a test case as part of an XQSuite. Since this module is considered security relevant code the functon was refactored to be extra sure this will work under all circumstances. If the underlying NPE of the XQuery runtime is fixed the implementation can use arrow expressions again.
eXistSolutions · Jun 4, 2021 · acb738c · acb738c
1 parent 1642489
commit acb738c
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 25 deletions.
diff --git a/src/content/jwt.xqm b/src/content/jwt.xqm
@@ -108,11 +108,15 @@ declare function jwt:epoch-to-dateTime($ts as xs:integer) as xs:dateTime {
     $jwt:epoch-start + xs:dayTimeDuration(concat("PT", $ts, "S"))
 };
 
+(:~
+ : encode an item() for use in the JWT
+ : TODO: refactor to use arrow expressions again
+ : after existdb issue is fixed.
+ :)
 declare
 function jwt:encode ($data as item()) as xs:string {
-    $data
-        => serialize(map { "method": "json" })
-        => util:base64-encode-url-safe()
+    util:base64-encode-url-safe(
+        serialize($data, map { "method": "json" }))
 };
 
 declare

diff --git a/src/test/jwt-spec.xqm b/src/test/jwt-spec.xqm
@@ -124,10 +124,13 @@ function jwt-spec:future-token () {
 
 (:~
  : handle arbitrary token 
- : NOTE: this test fails with an NPE while calling it from Xquery directly works
+ : NOTE:
+ : This test failed with an NPE in jwt:encode while building
+ : the $jwt:header variable.
+ : Calling the same code in a module directly always worked fine
+ : the implementation of jwt:encode was now refactored only to be extra sure.
  :)
 declare
-    %test:pending
     %test:assertError("invalid-header")
 function jwt-spec:arbitrary-token-with-separators () {
     let $instance := jwt-spec:instance()

diff --git a/src/test/mocha/xqSuite.js b/src/test/mocha/xqSuite.js
@@ -60,30 +60,20 @@ describe('xqSuite', function () {
         .catch(done)
   })
 
-  it('should return 0 errors', done => {
-    expect(result.errors).to.equal(0)    
-    done()
-  })
+  it('should return 0 errors',
+    ()=> expect(result.errors).to.equal(0))
 
-  it('should return 0 failures', done => {
-    expect(result.failures).to.equal(0)
-    done()
-  })
+  it('should return 0 failures',
+    ()=> expect(result.failures).to.equal(0))
 
-  it.skip('should return 0 pending tests', done => {
-    expect(result.pending).to.equal(0)
-    done()
-  })
+  it('should return 0 pending tests',
+    ()=> expect(result.pending).to.equal(0))
 
-  it('should have run some tests', done => {
-    expect(result.tests).to.be.greaterThan(0)
-    done()
-  })
+  it('should have run 12 tests', 
+    ()=> expect(result.tests).to.equal(12))
 
-  it('should have finished in less than a second', done => {
-    expect(result.time).to.be.lessThan(1)
-    done()
-  })
+  it('should have finished in less than a second',
+    ()=> expect(result.time).to.be.lessThan(1))
 
   after(done => {
     client.delete(testCollection)