Merge branch 'fix/sign-params-types-and-behavior' of https://github.c…

…om/Hender-hs/jwt into Hender-hs-fix/sign-params-types-and-behavior
nestjs · Jun 12, 2023 · 18caa1c · 18caa1c
2 parents 3b4138f + 42c286c
commit 18caa1c
Show file tree

Hide file tree

Showing 2 changed files with 112 additions and 0 deletions.
diff --git a/lib/jwt.service.spec.ts b/lib/jwt.service.spec.ts
@@ -303,4 +303,79 @@ describe('JWT Service', () => {
       ).resolves.toBe(`verified_${testPayload}_by_customPublicKey`);
     });
   });
+
+  describe('should not use invalid sign options', () => {
+    let jwtService: JwtService;
+    let testPayloadStr: string = getRandomString();
+
+    beforeAll(async () => {
+      jwtService = await setup({ secretOrKeyProvider: undefined });
+    });
+
+    it('should not "sign" expect errors with a "payload" string and "secret"', () => {
+      // @ts-expect-no-error
+      expect(() => jwtService.sign(testPayloadStr, { secret: 'secret' }));
+    });
+
+    it('should not "signAsync" expect errors with a "payload" string and "privateKey"', () => {
+      // @ts-expect-no-error
+      expect(() =>
+        jwtService.signAsync(testPayloadStr, { privateKey: 'privateKey' })
+      );
+    });
+  });
+
+  describe('should use invalid sign options', () => {
+    const signOptions: jwt.SignOptions = {
+      expiresIn: '1d'
+    };
+
+    let jwtService: JwtService;
+    let testPayloadStr: string = getRandomString();
+    let testPayloadObj: object = {};
+
+    beforeAll(async () => {
+      jwtService = await setup({ signOptions, secretOrKeyProvider: undefined });
+    });
+
+    it('should "sign" expect errors with a "payload" string with "expiresIn"', () => {
+      expect(() =>
+        // @ts-expect-error
+        jwtService.sign(testPayloadStr, { expiresIn: 60 })
+      ).toThrowError(
+        'Not allowed payload as string with these sign options: expiresIn'
+      );
+    });
+
+    it('should "signAsync" expect errors with a "payload" string with "notBefore"', () => {
+      expect(() =>
+        // @ts-expect-error
+        jwtService.signAsync(testPayloadStr, { notBefore: 60 })
+      ).toThrowError(
+        'Not allowed payload as string with these sign options: expiresIn, notBefore'
+      );
+    });
+
+    it('should not "sign" expect errors with a "payload" object with "notBefore" ', () => {
+      // @ts-expect-no-error
+      expect(() => jwtService.sign(testPayloadObj, { notBefore: 60 }));
+    });
+
+    it('should not "signAsync" expect errors with a "payload" object with "notBefore" ', () => {
+      // @ts-expect-no-error
+      expect(() => jwtService.signAsync(testPayloadObj, { notBefore: 60 }));
+    });
+
+    it('should "sign" expect errors using "payload" string with already defined invalid sign options', () => {
+      expect(() => jwtService.sign(testPayloadStr)).toThrowError(
+        'Not allowed payload as string with these sign options: expiresIn'
+      );
+    });
+
+    it('should "signAsync" expect errors using "payload" string with already defined invalid sign options', () => {
+      expect(() => jwtService.signAsync(testPayloadStr)).toThrowError(
+        'Not allowed payload as string with these sign options: expiresIn'
+      );
+    });
+  });
 });
diff --git a/lib/jwt.service.ts b/lib/jwt.service.ts
@@ -18,6 +18,11 @@ export class JwtService {
     private readonly options: JwtModuleOptions = {}
   ) {}
 
+  sign(
+    payload: string,
+    options?: Omit<JwtSignOptions, keyof jwt.SignOptions>
+  ): string;
+  sign(payload: Buffer | object, options?: JwtSignOptions): string;
   sign(payload: string | Buffer | object, options?: JwtSignOptions): string {
     const signOptions = this.mergeJwtOptions(
       { ...options },
@@ -30,9 +35,29 @@ export class JwtService {
       JwtSecretRequestType.SIGN
     );
 
+    const allowedSignOptKeys = ['secret', 'privateKey'];
+    const signOptKeys = Object.keys(signOptions);
+    if (
+      typeof payload === 'string' &&
+      signOptKeys.some((k) => !allowedSignOptKeys.includes(k))
+    ) {
+      throw new Error(
+        'Not allowed payload as string with these sign options: ' +
+          signOptKeys.join(', ')
+      );
+    }
+
     return jwt.sign(payload, secret, signOptions);
   }
 
+  signAsync(
+    payload: string,
+    options?: Omit<JwtSignOptions, keyof jwt.SignOptions>
+  ): Promise<string>;
+  signAsync(
+    payload: Buffer | object,
+    options?: JwtSignOptions
+  ): Promise<string>;
   signAsync(
     payload: string | Buffer | object,
     options?: JwtSignOptions
@@ -48,6 +73,18 @@ export class JwtService {
       JwtSecretRequestType.SIGN
     );
 
+    const allowedSignOptKeys = ['secret', 'privateKey'];
+    const signOptKeys = Object.keys(signOptions);
+    if (
+      typeof payload === 'string' &&
+      signOptKeys.some((k) => !allowedSignOptKeys.includes(k))
+    ) {
+      throw new Error(
+        'Not allowed payload as string with these sign options: ' +
+          signOptKeys.join(', ')
+      );
+    }
+
     return new Promise((resolve, reject) =>
       jwt.sign(payload, secret, signOptions, (err, encoded) =>
         err ? reject(err) : resolve(encoded)