uri.js 29 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838
  1. // Load modules
  2. var Http = require('http');
  3. var Url = require('url');
  4. var Code = require('code');
  5. var Hawk = require('../lib');
  6. var Hoek = require('hoek');
  7. var Lab = require('lab');
  8. // Declare internals
  9. var internals = {};
  10. // Test shortcuts
  11. var lab = exports.lab = Lab.script();
  12. var describe = lab.experiment;
  13. var it = lab.test;
  14. var expect = Code.expect;
  15. describe('Uri', function () {
  16. var credentialsFunc = function (id, callback) {
  17. var credentials = {
  18. id: id,
  19. key: 'werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn',
  20. algorithm: (id === '1' ? 'sha1' : 'sha256'),
  21. user: 'steve'
  22. };
  23. return callback(null, credentials);
  24. };
  25. it('should generate a bewit then successfully authenticate it', function (done) {
  26. var req = {
  27. method: 'GET',
  28. url: '/resource/4?a=1&b=2',
  29. host: 'example.com',
  30. port: 80
  31. };
  32. credentialsFunc('123456', function (err, credentials1) {
  33. var bewit = Hawk.uri.getBewit('http://example.com/resource/4?a=1&b=2', { credentials: credentials1, ttlSec: 60 * 60 * 24 * 365 * 100, ext: 'some-app-data' });
  34. req.url += '&bewit=' + bewit;
  35. Hawk.uri.authenticate(req, credentialsFunc, {}, function (err, credentials2, attributes) {
  36. expect(err).to.not.exist();
  37. expect(credentials2.user).to.equal('steve');
  38. expect(attributes.ext).to.equal('some-app-data');
  39. done();
  40. });
  41. });
  42. });
  43. it('should generate a bewit then successfully authenticate it (no ext)', function (done) {
  44. var req = {
  45. method: 'GET',
  46. url: '/resource/4?a=1&b=2',
  47. host: 'example.com',
  48. port: 80
  49. };
  50. credentialsFunc('123456', function (err, credentials1) {
  51. var bewit = Hawk.uri.getBewit('http://example.com/resource/4?a=1&b=2', { credentials: credentials1, ttlSec: 60 * 60 * 24 * 365 * 100 });
  52. req.url += '&bewit=' + bewit;
  53. Hawk.uri.authenticate(req, credentialsFunc, {}, function (err, credentials2, attributes) {
  54. expect(err).to.not.exist();
  55. expect(credentials2.user).to.equal('steve');
  56. done();
  57. });
  58. });
  59. });
  60. it('should successfully authenticate a request (last param)', function (done) {
  61. var req = {
  62. method: 'GET',
  63. url: '/resource/4?a=1&b=2&bewit=MTIzNDU2XDQ1MTE0ODQ2MjFcMzFjMmNkbUJFd1NJRVZDOVkva1NFb2c3d3YrdEVNWjZ3RXNmOGNHU2FXQT1cc29tZS1hcHAtZGF0YQ',
  64. host: 'example.com',
  65. port: 8080
  66. };
  67. Hawk.uri.authenticate(req, credentialsFunc, {}, function (err, credentials, attributes) {
  68. expect(err).to.not.exist();
  69. expect(credentials.user).to.equal('steve');
  70. expect(attributes.ext).to.equal('some-app-data');
  71. done();
  72. });
  73. });
  74. it('should successfully authenticate a request (first param)', function (done) {
  75. var req = {
  76. method: 'GET',
  77. url: '/resource/4?bewit=MTIzNDU2XDQ1MTE0ODQ2MjFcMzFjMmNkbUJFd1NJRVZDOVkva1NFb2c3d3YrdEVNWjZ3RXNmOGNHU2FXQT1cc29tZS1hcHAtZGF0YQ&a=1&b=2',
  78. host: 'example.com',
  79. port: 8080
  80. };
  81. Hawk.uri.authenticate(req, credentialsFunc, {}, function (err, credentials, attributes) {
  82. expect(err).to.not.exist();
  83. expect(credentials.user).to.equal('steve');
  84. expect(attributes.ext).to.equal('some-app-data');
  85. done();
  86. });
  87. });
  88. it('should successfully authenticate a request (only param)', function (done) {
  89. var req = {
  90. method: 'GET',
  91. url: '/resource/4?bewit=MTIzNDU2XDQ1MTE0ODQ2NDFcZm1CdkNWT3MvcElOTUUxSTIwbWhrejQ3UnBwTmo4Y1VrSHpQd3Q5OXJ1cz1cc29tZS1hcHAtZGF0YQ',
  92. host: 'example.com',
  93. port: 8080
  94. };
  95. Hawk.uri.authenticate(req, credentialsFunc, {}, function (err, credentials, attributes) {
  96. expect(err).to.not.exist();
  97. expect(credentials.user).to.equal('steve');
  98. expect(attributes.ext).to.equal('some-app-data');
  99. done();
  100. });
  101. });
  102. it('should fail on multiple authentication', function (done) {
  103. var req = {
  104. method: 'GET',
  105. url: '/resource/4?bewit=MTIzNDU2XDQ1MTE0ODQ2NDFcZm1CdkNWT3MvcElOTUUxSTIwbWhrejQ3UnBwTmo4Y1VrSHpQd3Q5OXJ1cz1cc29tZS1hcHAtZGF0YQ',
  106. host: 'example.com',
  107. port: 8080,
  108. authorization: 'Basic asdasdasdasd'
  109. };
  110. Hawk.uri.authenticate(req, credentialsFunc, {}, function (err, credentials, attributes) {
  111. expect(err).to.exist();
  112. expect(err.output.payload.message).to.equal('Multiple authentications');
  113. done();
  114. });
  115. });
  116. it('should fail on method other than GET', function (done) {
  117. credentialsFunc('123456', function (err, credentials1) {
  118. var req = {
  119. method: 'POST',
  120. url: '/resource/4?filter=a',
  121. host: 'example.com',
  122. port: 8080
  123. };
  124. var exp = Math.floor(Hawk.utils.now() / 1000) + 60;
  125. var ext = 'some-app-data';
  126. var mac = Hawk.crypto.calculateMac('bewit', credentials1, {
  127. timestamp: exp,
  128. nonce: '',
  129. method: req.method,
  130. resource: req.url,
  131. host: req.host,
  132. port: req.port,
  133. ext: ext
  134. });
  135. var bewit = credentials1.id + '\\' + exp + '\\' + mac + '\\' + ext;
  136. req.url += '&bewit=' + Hoek.base64urlEncode(bewit);
  137. Hawk.uri.authenticate(req, credentialsFunc, {}, function (err, credentials2, attributes) {
  138. expect(err).to.exist();
  139. expect(err.output.payload.message).to.equal('Invalid method');
  140. done();
  141. });
  142. });
  143. });
  144. it('should fail on invalid host header', function (done) {
  145. var req = {
  146. method: 'GET',
  147. url: '/resource/4?bewit=MTIzNDU2XDQ1MDk5OTE3MTlcTUE2eWkwRWRwR0pEcWRwb0JkYVdvVDJrL0hDSzA1T0Y3MkhuZlVmVy96Zz1cc29tZS1hcHAtZGF0YQ',
  148. headers: {
  149. host: 'example.com:something'
  150. }
  151. };
  152. Hawk.uri.authenticate(req, credentialsFunc, {}, function (err, credentials, attributes) {
  153. expect(err).to.exist();
  154. expect(err.output.payload.message).to.equal('Invalid Host header');
  155. done();
  156. });
  157. });
  158. it('should fail on empty bewit', function (done) {
  159. var req = {
  160. method: 'GET',
  161. url: '/resource/4?bewit=',
  162. host: 'example.com',
  163. port: 8080
  164. };
  165. Hawk.uri.authenticate(req, credentialsFunc, {}, function (err, credentials, attributes) {
  166. expect(err).to.exist();
  167. expect(err.output.payload.message).to.equal('Empty bewit');
  168. expect(err.isMissing).to.not.exist();
  169. done();
  170. });
  171. });
  172. it('should fail on invalid bewit', function (done) {
  173. var req = {
  174. method: 'GET',
  175. url: '/resource/4?bewit=*',
  176. host: 'example.com',
  177. port: 8080
  178. };
  179. Hawk.uri.authenticate(req, credentialsFunc, {}, function (err, credentials, attributes) {
  180. expect(err).to.exist();
  181. expect(err.output.payload.message).to.equal('Invalid bewit encoding');
  182. expect(err.isMissing).to.not.exist();
  183. done();
  184. });
  185. });
  186. it('should fail on missing bewit', function (done) {
  187. var req = {
  188. method: 'GET',
  189. url: '/resource/4',
  190. host: 'example.com',
  191. port: 8080
  192. };
  193. Hawk.uri.authenticate(req, credentialsFunc, {}, function (err, credentials, attributes) {
  194. expect(err).to.exist();
  195. expect(err.output.payload.message).to.not.exist();
  196. expect(err.isMissing).to.equal(true);
  197. done();
  198. });
  199. });
  200. it('should fail on invalid bewit structure', function (done) {
  201. var req = {
  202. method: 'GET',
  203. url: '/resource/4?bewit=abc',
  204. host: 'example.com',
  205. port: 8080
  206. };
  207. Hawk.uri.authenticate(req, credentialsFunc, {}, function (err, credentials, attributes) {
  208. expect(err).to.exist();
  209. expect(err.output.payload.message).to.equal('Invalid bewit structure');
  210. done();
  211. });
  212. });
  213. it('should fail on empty bewit attribute', function (done) {
  214. var req = {
  215. method: 'GET',
  216. url: '/resource/4?bewit=YVxcY1xk',
  217. host: 'example.com',
  218. port: 8080
  219. };
  220. Hawk.uri.authenticate(req, credentialsFunc, {}, function (err, credentials, attributes) {
  221. expect(err).to.exist();
  222. expect(err.output.payload.message).to.equal('Missing bewit attributes');
  223. done();
  224. });
  225. });
  226. it('should fail on missing bewit id attribute', function (done) {
  227. var req = {
  228. method: 'GET',
  229. url: '/resource/4?bewit=XDQ1NTIxNDc2MjJcK0JFbFhQMXhuWjcvd1Nrbm1ldGhlZm5vUTNHVjZNSlFVRHk4NWpTZVJ4VT1cc29tZS1hcHAtZGF0YQ',
  230. host: 'example.com',
  231. port: 8080
  232. };
  233. Hawk.uri.authenticate(req, credentialsFunc, {}, function (err, credentials, attributes) {
  234. expect(err).to.exist();
  235. expect(err.output.payload.message).to.equal('Missing bewit attributes');
  236. done();
  237. });
  238. });
  239. it('should fail on expired access', function (done) {
  240. var req = {
  241. method: 'GET',
  242. url: '/resource/4?a=1&b=2&bewit=MTIzNDU2XDEzNTY0MTg1ODNcWk1wZlMwWU5KNHV0WHpOMmRucTRydEk3NXNXTjFjeWVITTcrL0tNZFdVQT1cc29tZS1hcHAtZGF0YQ',
  243. host: 'example.com',
  244. port: 8080
  245. };
  246. Hawk.uri.authenticate(req, credentialsFunc, {}, function (err, credentials, attributes) {
  247. expect(err).to.exist();
  248. expect(err.output.payload.message).to.equal('Access expired');
  249. done();
  250. });
  251. });
  252. it('should fail on credentials function error', function (done) {
  253. var req = {
  254. method: 'GET',
  255. url: '/resource/4?bewit=MTIzNDU2XDQ1MDk5OTE3MTlcTUE2eWkwRWRwR0pEcWRwb0JkYVdvVDJrL0hDSzA1T0Y3MkhuZlVmVy96Zz1cc29tZS1hcHAtZGF0YQ',
  256. host: 'example.com',
  257. port: 8080
  258. };
  259. Hawk.uri.authenticate(req, function (id, callback) {
  260. callback(Hawk.error.badRequest('Boom'));
  261. }, {}, function (err, credentials, attributes) {
  262. expect(err).to.exist();
  263. expect(err.output.payload.message).to.equal('Boom');
  264. done();
  265. });
  266. });
  267. it('should fail on credentials function error with credentials', function (done) {
  268. var req = {
  269. method: 'GET',
  270. url: '/resource/4?bewit=MTIzNDU2XDQ1MDk5OTE3MTlcTUE2eWkwRWRwR0pEcWRwb0JkYVdvVDJrL0hDSzA1T0Y3MkhuZlVmVy96Zz1cc29tZS1hcHAtZGF0YQ',
  271. host: 'example.com',
  272. port: 8080
  273. };
  274. Hawk.uri.authenticate(req, function (id, callback) {
  275. callback(Hawk.error.badRequest('Boom'), { some: 'value' });
  276. }, {}, function (err, credentials, attributes) {
  277. expect(err).to.exist();
  278. expect(err.output.payload.message).to.equal('Boom');
  279. expect(credentials.some).to.equal('value');
  280. done();
  281. });
  282. });
  283. it('should fail on null credentials function response', function (done) {
  284. var req = {
  285. method: 'GET',
  286. url: '/resource/4?bewit=MTIzNDU2XDQ1MDk5OTE3MTlcTUE2eWkwRWRwR0pEcWRwb0JkYVdvVDJrL0hDSzA1T0Y3MkhuZlVmVy96Zz1cc29tZS1hcHAtZGF0YQ',
  287. host: 'example.com',
  288. port: 8080
  289. };
  290. Hawk.uri.authenticate(req, function (id, callback) {
  291. callback(null, null);
  292. }, {}, function (err, credentials, attributes) {
  293. expect(err).to.exist();
  294. expect(err.output.payload.message).to.equal('Unknown credentials');
  295. done();
  296. });
  297. });
  298. it('should fail on invalid credentials function response', function (done) {
  299. var req = {
  300. method: 'GET',
  301. url: '/resource/4?bewit=MTIzNDU2XDQ1MDk5OTE3MTlcTUE2eWkwRWRwR0pEcWRwb0JkYVdvVDJrL0hDSzA1T0Y3MkhuZlVmVy96Zz1cc29tZS1hcHAtZGF0YQ',
  302. host: 'example.com',
  303. port: 8080
  304. };
  305. Hawk.uri.authenticate(req, function (id, callback) {
  306. callback(null, {});
  307. }, {}, function (err, credentials, attributes) {
  308. expect(err).to.exist();
  309. expect(err.message).to.equal('Invalid credentials');
  310. done();
  311. });
  312. });
  313. it('should fail on invalid credentials function response (unknown algorithm)', function (done) {
  314. var req = {
  315. method: 'GET',
  316. url: '/resource/4?bewit=MTIzNDU2XDQ1MDk5OTE3MTlcTUE2eWkwRWRwR0pEcWRwb0JkYVdvVDJrL0hDSzA1T0Y3MkhuZlVmVy96Zz1cc29tZS1hcHAtZGF0YQ',
  317. host: 'example.com',
  318. port: 8080
  319. };
  320. Hawk.uri.authenticate(req, function (id, callback) {
  321. callback(null, { key: 'xxx', algorithm: 'xxx' });
  322. }, {}, function (err, credentials, attributes) {
  323. expect(err).to.exist();
  324. expect(err.message).to.equal('Unknown algorithm');
  325. done();
  326. });
  327. });
  328. it('should fail on expired access', function (done) {
  329. var req = {
  330. method: 'GET',
  331. url: '/resource/4?bewit=MTIzNDU2XDQ1MDk5OTE3MTlcTUE2eWkwRWRwR0pEcWRwb0JkYVdvVDJrL0hDSzA1T0Y3MkhuZlVmVy96Zz1cc29tZS1hcHAtZGF0YQ',
  332. host: 'example.com',
  333. port: 8080
  334. };
  335. Hawk.uri.authenticate(req, function (id, callback) {
  336. callback(null, { key: 'xxx', algorithm: 'sha256' });
  337. }, {}, function (err, credentials, attributes) {
  338. expect(err).to.exist();
  339. expect(err.output.payload.message).to.equal('Bad mac');
  340. done();
  341. });
  342. });
  343. describe('getBewit()', function () {
  344. it('returns a valid bewit value', function (done) {
  345. var credentials = {
  346. id: '123456',
  347. key: '2983d45yun89q',
  348. algorithm: 'sha256'
  349. };
  350. var bewit = Hawk.uri.getBewit('https://example.com/somewhere/over/the/rainbow', { credentials: credentials, ttlSec: 300, localtimeOffsetMsec: 1356420407232 - Hawk.utils.now(), ext: 'xandyandz' });
  351. expect(bewit).to.equal('MTIzNDU2XDEzNTY0MjA3MDdca3NjeHdOUjJ0SnBQMVQxekRMTlBiQjVVaUtJVTl0T1NKWFRVZEc3WDloOD1ceGFuZHlhbmR6');
  352. done();
  353. });
  354. it('returns a valid bewit value (explicit port)', function (done) {
  355. var credentials = {
  356. id: '123456',
  357. key: '2983d45yun89q',
  358. algorithm: 'sha256'
  359. };
  360. var bewit = Hawk.uri.getBewit('https://example.com:8080/somewhere/over/the/rainbow', { credentials: credentials, ttlSec: 300, localtimeOffsetMsec: 1356420407232 - Hawk.utils.now(), ext: 'xandyandz' });
  361. expect(bewit).to.equal('MTIzNDU2XDEzNTY0MjA3MDdcaFpiSjNQMmNLRW80a3kwQzhqa1pBa1J5Q1p1ZWc0V1NOYnhWN3ZxM3hIVT1ceGFuZHlhbmR6');
  362. done();
  363. });
  364. it('returns a valid bewit value (null ext)', function (done) {
  365. var credentials = {
  366. id: '123456',
  367. key: '2983d45yun89q',
  368. algorithm: 'sha256'
  369. };
  370. var bewit = Hawk.uri.getBewit('https://example.com/somewhere/over/the/rainbow', { credentials: credentials, ttlSec: 300, localtimeOffsetMsec: 1356420407232 - Hawk.utils.now(), ext: null });
  371. expect(bewit).to.equal('MTIzNDU2XDEzNTY0MjA3MDdcSUdZbUxnSXFMckNlOEN4dktQczRKbFdJQStValdKSm91d2dBUmlWaENBZz1c');
  372. done();
  373. });
  374. it('returns a valid bewit value (parsed uri)', function (done) {
  375. var credentials = {
  376. id: '123456',
  377. key: '2983d45yun89q',
  378. algorithm: 'sha256'
  379. };
  380. var bewit = Hawk.uri.getBewit(Url.parse('https://example.com/somewhere/over/the/rainbow'), { credentials: credentials, ttlSec: 300, localtimeOffsetMsec: 1356420407232 - Hawk.utils.now(), ext: 'xandyandz' });
  381. expect(bewit).to.equal('MTIzNDU2XDEzNTY0MjA3MDdca3NjeHdOUjJ0SnBQMVQxekRMTlBiQjVVaUtJVTl0T1NKWFRVZEc3WDloOD1ceGFuZHlhbmR6');
  382. done();
  383. });
  384. it('errors on invalid options', function (done) {
  385. var credentials = {
  386. id: '123456',
  387. key: '2983d45yun89q',
  388. algorithm: 'sha256'
  389. };
  390. var bewit = Hawk.uri.getBewit('https://example.com/somewhere/over/the/rainbow', 4);
  391. expect(bewit).to.equal('');
  392. done();
  393. });
  394. it('errors on missing uri', function (done) {
  395. var credentials = {
  396. id: '123456',
  397. key: '2983d45yun89q',
  398. algorithm: 'sha256'
  399. };
  400. var bewit = Hawk.uri.getBewit('', { credentials: credentials, ttlSec: 300, localtimeOffsetMsec: 1356420407232 - Hawk.utils.now(), ext: 'xandyandz' });
  401. expect(bewit).to.equal('');
  402. done();
  403. });
  404. it('errors on invalid uri', function (done) {
  405. var credentials = {
  406. id: '123456',
  407. key: '2983d45yun89q',
  408. algorithm: 'sha256'
  409. };
  410. var bewit = Hawk.uri.getBewit(5, { credentials: credentials, ttlSec: 300, localtimeOffsetMsec: 1356420407232 - Hawk.utils.now(), ext: 'xandyandz' });
  411. expect(bewit).to.equal('');
  412. done();
  413. });
  414. it('errors on invalid credentials (id)', function (done) {
  415. var credentials = {
  416. key: '2983d45yun89q',
  417. algorithm: 'sha256'
  418. };
  419. var bewit = Hawk.uri.getBewit('https://example.com/somewhere/over/the/rainbow', { credentials: credentials, ttlSec: 3000, ext: 'xandyandz' });
  420. expect(bewit).to.equal('');
  421. done();
  422. });
  423. it('errors on missing credentials', function (done) {
  424. var bewit = Hawk.uri.getBewit('https://example.com/somewhere/over/the/rainbow', { ttlSec: 3000, ext: 'xandyandz' });
  425. expect(bewit).to.equal('');
  426. done();
  427. });
  428. it('errors on invalid credentials (key)', function (done) {
  429. var credentials = {
  430. id: '123456',
  431. algorithm: 'sha256'
  432. };
  433. var bewit = Hawk.uri.getBewit('https://example.com/somewhere/over/the/rainbow', { credentials: credentials, ttlSec: 3000, ext: 'xandyandz' });
  434. expect(bewit).to.equal('');
  435. done();
  436. });
  437. it('errors on invalid algorithm', function (done) {
  438. var credentials = {
  439. id: '123456',
  440. key: '2983d45yun89q',
  441. algorithm: 'hmac-sha-0'
  442. };
  443. var bewit = Hawk.uri.getBewit('https://example.com/somewhere/over/the/rainbow', { credentials: credentials, ttlSec: 300, ext: 'xandyandz' });
  444. expect(bewit).to.equal('');
  445. done();
  446. });
  447. it('errors on missing options', function (done) {
  448. var credentials = {
  449. id: '123456',
  450. key: '2983d45yun89q',
  451. algorithm: 'hmac-sha-0'
  452. };
  453. var bewit = Hawk.uri.getBewit('https://example.com/somewhere/over/the/rainbow');
  454. expect(bewit).to.equal('');
  455. done();
  456. });
  457. });
  458. describe('authenticateMessage()', function () {
  459. it('should generate an authorization then successfully parse it', function (done) {
  460. credentialsFunc('123456', function (err, credentials1) {
  461. var auth = Hawk.client.message('example.com', 8080, 'some message', { credentials: credentials1 });
  462. expect(auth).to.exist();
  463. Hawk.server.authenticateMessage('example.com', 8080, 'some message', auth, credentialsFunc, {}, function (err, credentials2) {
  464. expect(err).to.not.exist();
  465. expect(credentials2.user).to.equal('steve');
  466. done();
  467. });
  468. });
  469. });
  470. it('should fail authorization on mismatching host', function (done) {
  471. credentialsFunc('123456', function (err, credentials1) {
  472. var auth = Hawk.client.message('example.com', 8080, 'some message', { credentials: credentials1 });
  473. expect(auth).to.exist();
  474. Hawk.server.authenticateMessage('example1.com', 8080, 'some message', auth, credentialsFunc, {}, function (err, credentials2) {
  475. expect(err).to.exist();
  476. expect(err.message).to.equal('Bad mac');
  477. done();
  478. });
  479. });
  480. });
  481. it('should fail authorization on stale timestamp', function (done) {
  482. credentialsFunc('123456', function (err, credentials1) {
  483. var auth = Hawk.client.message('example.com', 8080, 'some message', { credentials: credentials1 });
  484. expect(auth).to.exist();
  485. Hawk.server.authenticateMessage('example.com', 8080, 'some message', auth, credentialsFunc, { localtimeOffsetMsec: 100000 }, function (err, credentials2) {
  486. expect(err).to.exist();
  487. expect(err.message).to.equal('Stale timestamp');
  488. done();
  489. });
  490. });
  491. });
  492. it('overrides timestampSkewSec', function (done) {
  493. credentialsFunc('123456', function (err, credentials1) {
  494. var auth = Hawk.client.message('example.com', 8080, 'some message', { credentials: credentials1, localtimeOffsetMsec: 100000 });
  495. expect(auth).to.exist();
  496. Hawk.server.authenticateMessage('example.com', 8080, 'some message', auth, credentialsFunc, { timestampSkewSec: 500 }, function (err, credentials2) {
  497. expect(err).to.not.exist();
  498. done();
  499. });
  500. });
  501. });
  502. it('should fail authorization on invalid authorization', function (done) {
  503. credentialsFunc('123456', function (err, credentials1) {
  504. var auth = Hawk.client.message('example.com', 8080, 'some message', { credentials: credentials1 });
  505. expect(auth).to.exist();
  506. delete auth.id;
  507. Hawk.server.authenticateMessage('example.com', 8080, 'some message', auth, credentialsFunc, {}, function (err, credentials2) {
  508. expect(err).to.exist();
  509. expect(err.message).to.equal('Invalid authorization');
  510. done();
  511. });
  512. });
  513. });
  514. it('should fail authorization on bad hash', function (done) {
  515. credentialsFunc('123456', function (err, credentials1) {
  516. var auth = Hawk.client.message('example.com', 8080, 'some message', { credentials: credentials1 });
  517. expect(auth).to.exist();
  518. Hawk.server.authenticateMessage('example.com', 8080, 'some message1', auth, credentialsFunc, {}, function (err, credentials2) {
  519. expect(err).to.exist();
  520. expect(err.message).to.equal('Bad message hash');
  521. done();
  522. });
  523. });
  524. });
  525. it('should fail authorization on nonce error', function (done) {
  526. credentialsFunc('123456', function (err, credentials1) {
  527. var auth = Hawk.client.message('example.com', 8080, 'some message', { credentials: credentials1 });
  528. expect(auth).to.exist();
  529. Hawk.server.authenticateMessage('example.com', 8080, 'some message', auth, credentialsFunc, {
  530. nonceFunc: function (key, nonce, ts, callback) {
  531. callback(new Error('kaboom'));
  532. }
  533. }, function (err, credentials2) {
  534. expect(err).to.exist();
  535. expect(err.message).to.equal('Invalid nonce');
  536. done();
  537. });
  538. });
  539. });
  540. it('should fail authorization on credentials error', function (done) {
  541. credentialsFunc('123456', function (err, credentials1) {
  542. var auth = Hawk.client.message('example.com', 8080, 'some message', { credentials: credentials1 });
  543. expect(auth).to.exist();
  544. var errFunc = function (id, callback) {
  545. callback(new Error('kablooey'));
  546. };
  547. Hawk.server.authenticateMessage('example.com', 8080, 'some message', auth, errFunc, {}, function (err, credentials2) {
  548. expect(err).to.exist();
  549. expect(err.message).to.equal('kablooey');
  550. done();
  551. });
  552. });
  553. });
  554. it('should fail authorization on missing credentials', function (done) {
  555. credentialsFunc('123456', function (err, credentials1) {
  556. var auth = Hawk.client.message('example.com', 8080, 'some message', { credentials: credentials1 });
  557. expect(auth).to.exist();
  558. var errFunc = function (id, callback) {
  559. callback();
  560. };
  561. Hawk.server.authenticateMessage('example.com', 8080, 'some message', auth, errFunc, {}, function (err, credentials2) {
  562. expect(err).to.exist();
  563. expect(err.message).to.equal('Unknown credentials');
  564. done();
  565. });
  566. });
  567. });
  568. it('should fail authorization on invalid credentials', function (done) {
  569. credentialsFunc('123456', function (err, credentials1) {
  570. var auth = Hawk.client.message('example.com', 8080, 'some message', { credentials: credentials1 });
  571. expect(auth).to.exist();
  572. var errFunc = function (id, callback) {
  573. callback(null, {});
  574. };
  575. Hawk.server.authenticateMessage('example.com', 8080, 'some message', auth, errFunc, {}, function (err, credentials2) {
  576. expect(err).to.exist();
  577. expect(err.message).to.equal('Invalid credentials');
  578. done();
  579. });
  580. });
  581. });
  582. it('should fail authorization on invalid credentials algorithm', function (done) {
  583. credentialsFunc('123456', function (err, credentials1) {
  584. var auth = Hawk.client.message('example.com', 8080, 'some message', { credentials: credentials1 });
  585. expect(auth).to.exist();
  586. var errFunc = function (id, callback) {
  587. callback(null, { key: '123', algorithm: '456' });
  588. };
  589. Hawk.server.authenticateMessage('example.com', 8080, 'some message', auth, errFunc, {}, function (err, credentials2) {
  590. expect(err).to.exist();
  591. expect(err.message).to.equal('Unknown algorithm');
  592. done();
  593. });
  594. });
  595. });
  596. it('should fail on missing host', function (done) {
  597. credentialsFunc('123456', function (err, credentials1) {
  598. var auth = Hawk.client.message(null, 8080, 'some message', { credentials: credentials1 });
  599. expect(auth).to.not.exist();
  600. done();
  601. });
  602. });
  603. it('should fail on missing credentials', function (done) {
  604. var auth = Hawk.client.message('example.com', 8080, 'some message', {});
  605. expect(auth).to.not.exist();
  606. done();
  607. });
  608. it('should fail on invalid algorithm', function (done) {
  609. credentialsFunc('123456', function (err, credentials1) {
  610. var creds = Hoek.clone(credentials1);
  611. creds.algorithm = 'blah';
  612. var auth = Hawk.client.message('example.com', 8080, 'some message', { credentials: creds });
  613. expect(auth).to.not.exist();
  614. done();
  615. });
  616. });
  617. });
  618. });