test: add a check that signatures are verified before claims set

panva · Sep 9, 2022 · ec6a6a5 · ec6a6a5
1 parent f64cadd
commit ec6a6a5
Showing 1 changed file with 11 additions and 0 deletions.
diff --git a/test/jwt/verify.test.mjs b/test/jwt/verify.test.mjs
@@ -380,3 +380,14 @@ test('Signed JWTs cannot use unencoded payload', async (t) => {
     { code: 'ERR_JWT_INVALID', message: 'JWTs MUST NOT use unencoded payload' },
   )
 })
+
+test('signatures are compared before claim set', async (t) => {
+  // https://github.com/panva/jose/discussions/447
+  const jwt = await new SignJWT({ exp: 0 }).setProtectedHeader({ alg: 'HS256' }).sign(t.context.secret);
+
+  // with valid secret should throw exp failing to verify
+  await t.throwsAsync(jwtVerify(jwt, t.context.secret), { code: 'ERR_JWT_EXPIRED' })
+
+  // with invalid secret should throw signature failing to verify
+  await t.throwsAsync(jwtVerify(jwt, new Uint8Array([0x00, 0x01])), { code: 'ERR_JWS_SIGNATURE_VERIFICATION_FAILED' })
+})