1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330 |
- // Load modules
-
- var Url = require('url');
- var Code = require('code');
- var Hawk = require('../lib');
- var Hoek = require('hoek');
- var Lab = require('lab');
-
-
- // Declare internals
-
- var internals = {};
-
-
- // Test shortcuts
-
- var lab = exports.lab = Lab.script();
- var describe = lab.experiment;
- var it = lab.test;
- var expect = Code.expect;
-
-
- describe('Server', function () {
-
- var credentialsFunc = function (id, callback) {
-
- var credentials = {
- id: id,
- key: 'werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn',
- algorithm: (id === '1' ? 'sha1' : 'sha256'),
- user: 'steve'
- };
-
- return callback(null, credentials);
- };
-
- describe('authenticate()', function () {
-
- it('parses a valid authentication header (sha1)', function (done) {
-
- var req = {
- method: 'GET',
- url: '/resource/4?filter=a',
- host: 'example.com',
- port: 8080,
- authorization: 'Hawk id="1", ts="1353788437", nonce="k3j4h2", mac="zy79QQ5/EYFmQqutVnYb73gAc/U=", ext="hello"'
- };
-
- Hawk.server.authenticate(req, credentialsFunc, { localtimeOffsetMsec: 1353788437000 - Hawk.utils.now() }, function (err, credentials, artifacts) {
-
- expect(err).to.not.exist();
- expect(credentials.user).to.equal('steve');
- done();
- });
- });
-
- it('parses a valid authentication header (sha256)', function (done) {
-
- var req = {
- method: 'GET',
- url: '/resource/1?b=1&a=2',
- host: 'example.com',
- port: 8000,
- authorization: 'Hawk id="dh37fgj492je", ts="1353832234", nonce="j4h3g2", mac="m8r1rHbXN6NgO+KIIhjO7sFRyd78RNGVUwehe8Cp2dU=", ext="some-app-data"'
- };
-
- Hawk.server.authenticate(req, credentialsFunc, { localtimeOffsetMsec: 1353832234000 - Hawk.utils.now() }, function (err, credentials, artifacts) {
-
- expect(err).to.not.exist();
- expect(credentials.user).to.equal('steve');
- done();
- });
- });
-
- it('parses a valid authentication header (host override)', function (done) {
-
- var req = {
- method: 'GET',
- url: '/resource/4?filter=a',
- headers: {
- host: 'example1.com:8080',
- authorization: 'Hawk id="1", ts="1353788437", nonce="k3j4h2", mac="zy79QQ5/EYFmQqutVnYb73gAc/U=", ext="hello"'
- }
- };
-
- Hawk.server.authenticate(req, credentialsFunc, { host: 'example.com', localtimeOffsetMsec: 1353788437000 - Hawk.utils.now() }, function (err, credentials, artifacts) {
-
- expect(err).to.not.exist();
- expect(credentials.user).to.equal('steve');
- done();
- });
- });
-
- it('parses a valid authentication header (host port override)', function (done) {
-
- var req = {
- method: 'GET',
- url: '/resource/4?filter=a',
- headers: {
- host: 'example1.com:80',
- authorization: 'Hawk id="1", ts="1353788437", nonce="k3j4h2", mac="zy79QQ5/EYFmQqutVnYb73gAc/U=", ext="hello"'
- }
- };
-
- Hawk.server.authenticate(req, credentialsFunc, { host: 'example.com', port: 8080, localtimeOffsetMsec: 1353788437000 - Hawk.utils.now() }, function (err, credentials, artifacts) {
-
- expect(err).to.not.exist();
- expect(credentials.user).to.equal('steve');
- done();
- });
- });
-
- it('parses a valid authentication header (POST with payload)', function (done) {
-
- var req = {
- method: 'POST',
- url: '/resource/4?filter=a',
- host: 'example.com',
- port: 8080,
- authorization: 'Hawk id="123456", ts="1357926341", nonce="1AwuJD", hash="qAiXIVv+yjDATneWxZP2YCTa9aHRgQdnH9b3Wc+o3dg=", ext="some-app-data", mac="UeYcj5UoTVaAWXNvJfLVia7kU3VabxCqrccXP8sUGC4="'
- };
-
- Hawk.server.authenticate(req, credentialsFunc, { localtimeOffsetMsec: 1357926341000 - Hawk.utils.now() }, function (err, credentials, artifacts) {
-
- expect(err).to.not.exist();
- expect(credentials.user).to.equal('steve');
- done();
- });
- });
-
- it('errors on missing hash', function (done) {
-
- var req = {
- method: 'GET',
- url: '/resource/1?b=1&a=2',
- host: 'example.com',
- port: 8000,
- authorization: 'Hawk id="dh37fgj492je", ts="1353832234", nonce="j4h3g2", mac="m8r1rHbXN6NgO+KIIhjO7sFRyd78RNGVUwehe8Cp2dU=", ext="some-app-data"'
- };
-
- Hawk.server.authenticate(req, credentialsFunc, { payload: 'body', localtimeOffsetMsec: 1353832234000 - Hawk.utils.now() }, function (err, credentials, artifacts) {
-
- expect(err).to.exist();
- expect(err.output.payload.message).to.equal('Missing required payload hash');
- done();
- });
- });
-
- it('errors on a stale timestamp', function (done) {
-
- var req = {
- method: 'GET',
- url: '/resource/4?filter=a',
- host: 'example.com',
- port: 8080,
- authorization: 'Hawk id="123456", ts="1362337299", nonce="UzmxSs", ext="some-app-data", mac="wnNUxchvvryMH2RxckTdZ/gY3ijzvccx4keVvELC61w="'
- };
-
- Hawk.server.authenticate(req, credentialsFunc, {}, function (err, credentials, artifacts) {
-
- expect(err).to.exist();
- expect(err.output.payload.message).to.equal('Stale timestamp');
- var header = err.output.headers['WWW-Authenticate'];
- var ts = header.match(/^Hawk ts\=\"(\d+)\"\, tsm\=\"([^\"]+)\"\, error=\"Stale timestamp\"$/);
- var now = Hawk.utils.now();
- expect(parseInt(ts[1], 10) * 1000).to.be.within(now - 1000, now + 1000);
-
- var res = {
- headers: {
- 'www-authenticate': header
- }
- };
-
- expect(Hawk.client.authenticate(res, credentials, artifacts)).to.equal(true);
- done();
- });
- });
-
- it('errors on a replay', function (done) {
-
- var req = {
- method: 'GET',
- url: '/resource/4?filter=a',
- host: 'example.com',
- port: 8080,
- authorization: 'Hawk id="123", ts="1353788437", nonce="k3j4h2", mac="bXx7a7p1h9QYQNZ8x7QhvDQym8ACgab4m3lVSFn4DBw=", ext="hello"'
- };
-
- var memoryCache = {};
- var options = {
- localtimeOffsetMsec: 1353788437000 - Hawk.utils.now(),
- nonceFunc: function (key, nonce, ts, callback) {
-
- if (memoryCache[key + nonce]) {
- return callback(new Error());
- }
-
- memoryCache[key + nonce] = true;
- return callback();
- }
- };
-
- Hawk.server.authenticate(req, credentialsFunc, options, function (err, credentials1, artifacts1) {
-
- expect(err).to.not.exist();
- expect(credentials1.user).to.equal('steve');
-
- Hawk.server.authenticate(req, credentialsFunc, options, function (err, credentials2, artifacts2) {
-
- expect(err).to.exist();
- expect(err.output.payload.message).to.equal('Invalid nonce');
- done();
- });
- });
- });
-
- it('does not error on nonce collision if keys differ', function (done) {
-
- var reqSteve = {
- method: 'GET',
- url: '/resource/4?filter=a',
- host: 'example.com',
- port: 8080,
- authorization: 'Hawk id="123", ts="1353788437", nonce="k3j4h2", mac="bXx7a7p1h9QYQNZ8x7QhvDQym8ACgab4m3lVSFn4DBw=", ext="hello"'
- };
-
- var reqBob = {
- method: 'GET',
- url: '/resource/4?filter=a',
- host: 'example.com',
- port: 8080,
- authorization: 'Hawk id="456", ts="1353788437", nonce="k3j4h2", mac="LXfmTnRzrLd9TD7yfH+4se46Bx6AHyhpM94hLCiNia4=", ext="hello"'
- };
-
- var credentialsFuncion = function (id, callback) {
-
- var credentials = {
- '123': {
- id: id,
- key: 'werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn',
- algorithm: (id === '1' ? 'sha1' : 'sha256'),
- user: 'steve'
- },
- '456': {
- id: id,
- key: 'xrunpaw3489ruxnpa98w4rxnwerxhqb98rpaxn39848',
- algorithm: (id === '1' ? 'sha1' : 'sha256'),
- user: 'bob'
- }
- };
-
- return callback(null, credentials[id]);
- };
-
- var memoryCache = {};
- var options = {
- localtimeOffsetMsec: 1353788437000 - Hawk.utils.now(),
- nonceFunc: function (key, nonce, ts, callback) {
-
- if (memoryCache[key + nonce]) {
- return callback(new Error());
- }
-
- memoryCache[key + nonce] = true;
- return callback();
- }
- };
-
- Hawk.server.authenticate(reqSteve, credentialsFuncion, options, function (err, credentials1, artifacts1) {
-
- expect(err).to.not.exist();
- expect(credentials1.user).to.equal('steve');
-
- Hawk.server.authenticate(reqBob, credentialsFuncion, options, function (err, credentials2, artifacts2) {
-
- expect(err).to.not.exist();
- expect(credentials2.user).to.equal('bob');
- done();
- });
- });
- });
-
- it('errors on an invalid authentication header: wrong scheme', function (done) {
-
- var req = {
- method: 'GET',
- url: '/resource/4?filter=a',
- host: 'example.com',
- port: 8080,
- authorization: 'Basic asdasdasdasd'
- };
-
- Hawk.server.authenticate(req, credentialsFunc, { localtimeOffsetMsec: 1353788437000 - Hawk.utils.now() }, function (err, credentials, artifacts) {
-
- expect(err).to.exist();
- expect(err.output.payload.message).to.not.exist();
- done();
- });
- });
-
- it('errors on an invalid authentication header: no scheme', function (done) {
-
- var req = {
- method: 'GET',
- url: '/resource/4?filter=a',
- host: 'example.com',
- port: 8080,
- authorization: '!@#'
- };
-
- Hawk.server.authenticate(req, credentialsFunc, { localtimeOffsetMsec: 1353788437000 - Hawk.utils.now() }, function (err, credentials, artifacts) {
-
- expect(err).to.exist();
- expect(err.output.payload.message).to.equal('Invalid header syntax');
- done();
- });
- });
-
- it('errors on an missing authorization header', function (done) {
-
- var req = {
- method: 'GET',
- url: '/resource/4?filter=a',
- host: 'example.com',
- port: 8080
- };
-
- Hawk.server.authenticate(req, credentialsFunc, {}, function (err, credentials, artifacts) {
-
- expect(err).to.exist();
- expect(err.isMissing).to.equal(true);
- done();
- });
- });
-
- it('errors on an missing host header', function (done) {
-
- var req = {
- method: 'GET',
- url: '/resource/4?filter=a',
- headers: {
- authorization: 'Hawk id="123", ts="1353788437", nonce="k3j4h2", mac="/qwS4UjfVWMcUyW6EEgUH4jlr7T/wuKe3dKijvTvSos=", ext="hello"'
- }
- };
-
- Hawk.server.authenticate(req, credentialsFunc, { localtimeOffsetMsec: 1353788437000 - Hawk.utils.now() }, function (err, credentials, artifacts) {
-
- expect(err).to.exist();
- expect(err.output.payload.message).to.equal('Invalid Host header');
- done();
- });
- });
-
- it('errors on an missing authorization attribute (id)', function (done) {
-
- var req = {
- method: 'GET',
- url: '/resource/4?filter=a',
- host: 'example.com',
- port: 8080,
- authorization: 'Hawk ts="1353788437", nonce="k3j4h2", mac="/qwS4UjfVWMcUyW6EEgUH4jlr7T/wuKe3dKijvTvSos=", ext="hello"'
- };
-
- Hawk.server.authenticate(req, credentialsFunc, { localtimeOffsetMsec: 1353788437000 - Hawk.utils.now() }, function (err, credentials, artifacts) {
-
- expect(err).to.exist();
- expect(err.output.payload.message).to.equal('Missing attributes');
- done();
- });
- });
-
- it('errors on an missing authorization attribute (ts)', function (done) {
-
- var req = {
- method: 'GET',
- url: '/resource/4?filter=a',
- host: 'example.com',
- port: 8080,
- authorization: 'Hawk id="123", nonce="k3j4h2", mac="/qwS4UjfVWMcUyW6EEgUH4jlr7T/wuKe3dKijvTvSos=", ext="hello"'
- };
-
- Hawk.server.authenticate(req, credentialsFunc, { localtimeOffsetMsec: 1353788437000 - Hawk.utils.now() }, function (err, credentials, artifacts) {
-
- expect(err).to.exist();
- expect(err.output.payload.message).to.equal('Missing attributes');
- done();
- });
- });
-
- it('errors on an missing authorization attribute (nonce)', function (done) {
-
- var req = {
- method: 'GET',
- url: '/resource/4?filter=a',
- host: 'example.com',
- port: 8080,
- authorization: 'Hawk id="123", ts="1353788437", mac="/qwS4UjfVWMcUyW6EEgUH4jlr7T/wuKe3dKijvTvSos=", ext="hello"'
- };
-
- Hawk.server.authenticate(req, credentialsFunc, { localtimeOffsetMsec: 1353788437000 - Hawk.utils.now() }, function (err, credentials, artifacts) {
-
- expect(err).to.exist();
- expect(err.output.payload.message).to.equal('Missing attributes');
- done();
- });
- });
-
- it('errors on an missing authorization attribute (mac)', function (done) {
-
- var req = {
- method: 'GET',
- url: '/resource/4?filter=a',
- host: 'example.com',
- port: 8080,
- authorization: 'Hawk id="123", ts="1353788437", nonce="k3j4h2", ext="hello"'
- };
-
- Hawk.server.authenticate(req, credentialsFunc, { localtimeOffsetMsec: 1353788437000 - Hawk.utils.now() }, function (err, credentials, artifacts) {
-
- expect(err).to.exist();
- expect(err.output.payload.message).to.equal('Missing attributes');
- done();
- });
- });
-
- it('errors on an unknown authorization attribute', function (done) {
-
- var req = {
- method: 'GET',
- url: '/resource/4?filter=a',
- host: 'example.com',
- port: 8080,
- authorization: 'Hawk id="123", ts="1353788437", nonce="k3j4h2", x="3", mac="/qwS4UjfVWMcUyW6EEgUH4jlr7T/wuKe3dKijvTvSos=", ext="hello"'
- };
-
- Hawk.server.authenticate(req, credentialsFunc, { localtimeOffsetMsec: 1353788437000 - Hawk.utils.now() }, function (err, credentials, artifacts) {
-
- expect(err).to.exist();
- expect(err.output.payload.message).to.equal('Unknown attribute: x');
- done();
- });
- });
-
- it('errors on an bad authorization header format', function (done) {
-
- var req = {
- method: 'GET',
- url: '/resource/4?filter=a',
- host: 'example.com',
- port: 8080,
- authorization: 'Hawk id="123\\", ts="1353788437", nonce="k3j4h2", mac="/qwS4UjfVWMcUyW6EEgUH4jlr7T/wuKe3dKijvTvSos=", ext="hello"'
- };
-
- Hawk.server.authenticate(req, credentialsFunc, { localtimeOffsetMsec: 1353788437000 - Hawk.utils.now() }, function (err, credentials, artifacts) {
-
- expect(err).to.exist();
- expect(err.output.payload.message).to.equal('Bad header format');
- done();
- });
- });
-
- it('errors on an bad authorization attribute value', function (done) {
-
- var req = {
- method: 'GET',
- url: '/resource/4?filter=a',
- host: 'example.com',
- port: 8080,
- authorization: 'Hawk id="\t", ts="1353788437", nonce="k3j4h2", mac="/qwS4UjfVWMcUyW6EEgUH4jlr7T/wuKe3dKijvTvSos=", ext="hello"'
- };
-
- Hawk.server.authenticate(req, credentialsFunc, { localtimeOffsetMsec: 1353788437000 - Hawk.utils.now() }, function (err, credentials, artifacts) {
-
- expect(err).to.exist();
- expect(err.output.payload.message).to.equal('Bad attribute value: id');
- done();
- });
- });
-
- it('errors on an empty authorization attribute value', function (done) {
-
- var req = {
- method: 'GET',
- url: '/resource/4?filter=a',
- host: 'example.com',
- port: 8080,
- authorization: 'Hawk id="", ts="1353788437", nonce="k3j4h2", mac="/qwS4UjfVWMcUyW6EEgUH4jlr7T/wuKe3dKijvTvSos=", ext="hello"'
- };
-
- Hawk.server.authenticate(req, credentialsFunc, { localtimeOffsetMsec: 1353788437000 - Hawk.utils.now() }, function (err, credentials, artifacts) {
-
- expect(err).to.exist();
- expect(err.output.payload.message).to.equal('Bad attribute value: id');
- done();
- });
- });
-
- it('errors on duplicated authorization attribute key', function (done) {
-
- var req = {
- method: 'GET',
- url: '/resource/4?filter=a',
- host: 'example.com',
- port: 8080,
- authorization: 'Hawk id="123", id="456", ts="1353788437", nonce="k3j4h2", mac="/qwS4UjfVWMcUyW6EEgUH4jlr7T/wuKe3dKijvTvSos=", ext="hello"'
- };
-
- Hawk.server.authenticate(req, credentialsFunc, { localtimeOffsetMsec: 1353788437000 - Hawk.utils.now() }, function (err, credentials, artifacts) {
-
- expect(err).to.exist();
- expect(err.output.payload.message).to.equal('Duplicate attribute: id');
- done();
- });
- });
-
- it('errors on an invalid authorization header format', function (done) {
-
- var req = {
- method: 'GET',
- url: '/resource/4?filter=a',
- host: 'example.com',
- port: 8080,
- authorization: 'Hawk'
- };
-
- Hawk.server.authenticate(req, credentialsFunc, { localtimeOffsetMsec: 1353788437000 - Hawk.utils.now() }, function (err, credentials, artifacts) {
-
- expect(err).to.exist();
- expect(err.output.payload.message).to.equal('Invalid header syntax');
- done();
- });
- });
-
- it('errors on an bad host header (missing host)', function (done) {
-
- var req = {
- method: 'GET',
- url: '/resource/4?filter=a',
- headers: {
- host: ':8080',
- authorization: 'Hawk id="123", ts="1353788437", nonce="k3j4h2", mac="/qwS4UjfVWMcUyW6EEgUH4jlr7T/wuKe3dKijvTvSos=", ext="hello"'
- }
- };
-
- Hawk.server.authenticate(req, credentialsFunc, { localtimeOffsetMsec: 1353788437000 - Hawk.utils.now() }, function (err, credentials, artifacts) {
-
- expect(err).to.exist();
- expect(err.output.payload.message).to.equal('Invalid Host header');
- done();
- });
- });
-
- it('errors on an bad host header (pad port)', function (done) {
-
- var req = {
- method: 'GET',
- url: '/resource/4?filter=a',
- headers: {
- host: 'example.com:something',
- authorization: 'Hawk id="123", ts="1353788437", nonce="k3j4h2", mac="/qwS4UjfVWMcUyW6EEgUH4jlr7T/wuKe3dKijvTvSos=", ext="hello"'
- }
- };
-
- Hawk.server.authenticate(req, credentialsFunc, { localtimeOffsetMsec: 1353788437000 - Hawk.utils.now() }, function (err, credentials, artifacts) {
-
- expect(err).to.exist();
- expect(err.output.payload.message).to.equal('Invalid Host header');
- done();
- });
- });
-
- it('errors on credentialsFunc error', function (done) {
-
- var req = {
- method: 'GET',
- url: '/resource/4?filter=a',
- host: 'example.com',
- port: 8080,
- authorization: 'Hawk id="123", ts="1353788437", nonce="k3j4h2", mac="/qwS4UjfVWMcUyW6EEgUH4jlr7T/wuKe3dKijvTvSos=", ext="hello"'
- };
-
- var credentialsFuncion = function (id, callback) {
-
- return callback(new Error('Unknown user'));
- };
-
- Hawk.server.authenticate(req, credentialsFuncion, { localtimeOffsetMsec: 1353788437000 - Hawk.utils.now() }, function (err, credentials, artifacts) {
-
- expect(err).to.exist();
- expect(err.message).to.equal('Unknown user');
- done();
- });
- });
-
- it('errors on credentialsFunc error (with credentials)', function (done) {
-
- var req = {
- method: 'GET',
- url: '/resource/4?filter=a',
- host: 'example.com',
- port: 8080,
- authorization: 'Hawk id="123", ts="1353788437", nonce="k3j4h2", mac="/qwS4UjfVWMcUyW6EEgUH4jlr7T/wuKe3dKijvTvSos=", ext="hello"'
- };
-
- var credentialsFuncion = function (id, callback) {
-
- return callback(new Error('Unknown user'), { some: 'value' });
- };
-
- Hawk.server.authenticate(req, credentialsFuncion, { localtimeOffsetMsec: 1353788437000 - Hawk.utils.now() }, function (err, credentials, artifacts) {
-
- expect(err).to.exist();
- expect(err.message).to.equal('Unknown user');
- expect(credentials.some).to.equal('value');
- done();
- });
- });
-
- it('errors on missing credentials', function (done) {
-
- var req = {
- method: 'GET',
- url: '/resource/4?filter=a',
- host: 'example.com',
- port: 8080,
- authorization: 'Hawk id="123", ts="1353788437", nonce="k3j4h2", mac="/qwS4UjfVWMcUyW6EEgUH4jlr7T/wuKe3dKijvTvSos=", ext="hello"'
- };
-
- var credentialsFuncion = function (id, callback) {
-
- return callback(null, null);
- };
-
- Hawk.server.authenticate(req, credentialsFuncion, { localtimeOffsetMsec: 1353788437000 - Hawk.utils.now() }, function (err, credentials, artifacts) {
-
- expect(err).to.exist();
- expect(err.output.payload.message).to.equal('Unknown credentials');
- done();
- });
- });
-
- it('errors on invalid credentials (id)', function (done) {
-
- var req = {
- method: 'GET',
- url: '/resource/4?filter=a',
- host: 'example.com',
- port: 8080,
- authorization: 'Hawk id="123", ts="1353788437", nonce="k3j4h2", mac="/qwS4UjfVWMcUyW6EEgUH4jlr7T/wuKe3dKijvTvSos=", ext="hello"'
- };
-
- var credentialsFuncion = function (id, callback) {
-
- var credentials = {
- key: 'werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn',
- user: 'steve'
- };
-
- return callback(null, credentials);
- };
-
- Hawk.server.authenticate(req, credentialsFuncion, { localtimeOffsetMsec: 1353788437000 - Hawk.utils.now() }, function (err, credentials, artifacts) {
-
- expect(err).to.exist();
- expect(err.message).to.equal('Invalid credentials');
- expect(err.output.payload.message).to.equal('An internal server error occurred');
- done();
- });
- });
-
- it('errors on invalid credentials (key)', function (done) {
-
- var req = {
- method: 'GET',
- url: '/resource/4?filter=a',
- host: 'example.com',
- port: 8080,
- authorization: 'Hawk id="123", ts="1353788437", nonce="k3j4h2", mac="/qwS4UjfVWMcUyW6EEgUH4jlr7T/wuKe3dKijvTvSos=", ext="hello"'
- };
-
- var credentialsFuncion = function (id, callback) {
-
- var credentials = {
- id: '23434d3q4d5345d',
- user: 'steve'
- };
-
- return callback(null, credentials);
- };
-
- Hawk.server.authenticate(req, credentialsFuncion, { localtimeOffsetMsec: 1353788437000 - Hawk.utils.now() }, function (err, credentials, artifacts) {
-
- expect(err).to.exist();
- expect(err.message).to.equal('Invalid credentials');
- expect(err.output.payload.message).to.equal('An internal server error occurred');
- done();
- });
- });
-
- it('errors on unknown credentials algorithm', function (done) {
-
- var req = {
- method: 'GET',
- url: '/resource/4?filter=a',
- host: 'example.com',
- port: 8080,
- authorization: 'Hawk id="123", ts="1353788437", nonce="k3j4h2", mac="/qwS4UjfVWMcUyW6EEgUH4jlr7T/wuKe3dKijvTvSos=", ext="hello"'
- };
-
- var credentialsFuncion = function (id, callback) {
-
- var credentials = {
- key: 'werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn',
- algorithm: 'hmac-sha-0',
- user: 'steve'
- };
-
- return callback(null, credentials);
- };
-
- Hawk.server.authenticate(req, credentialsFuncion, { localtimeOffsetMsec: 1353788437000 - Hawk.utils.now() }, function (err, credentials, artifacts) {
-
- expect(err).to.exist();
- expect(err.message).to.equal('Unknown algorithm');
- expect(err.output.payload.message).to.equal('An internal server error occurred');
- done();
- });
- });
-
- it('errors on unknown bad mac', function (done) {
-
- var req = {
- method: 'GET',
- url: '/resource/4?filter=a',
- host: 'example.com',
- port: 8080,
- authorization: 'Hawk id="123", ts="1353788437", nonce="k3j4h2", mac="/qwS4UjfVWMcU4jlr7T/wuKe3dKijvTvSos=", ext="hello"'
- };
-
- var credentialsFuncion = function (id, callback) {
-
- var credentials = {
- key: 'werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn',
- algorithm: 'sha256',
- user: 'steve'
- };
-
- return callback(null, credentials);
- };
-
- Hawk.server.authenticate(req, credentialsFuncion, { localtimeOffsetMsec: 1353788437000 - Hawk.utils.now() }, function (err, credentials, artifacts) {
-
- expect(err).to.exist();
- expect(err.output.payload.message).to.equal('Bad mac');
- done();
- });
- });
- });
-
- describe('header()', function () {
-
- it('generates header', function (done) {
-
- var credentials = {
- id: '123456',
- key: 'werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn',
- algorithm: 'sha256',
- user: 'steve'
- };
-
- var artifacts = {
- method: 'POST',
- host: 'example.com',
- port: '8080',
- resource: '/resource/4?filter=a',
- ts: '1398546787',
- nonce: 'xUwusx',
- hash: 'nJjkVtBE5Y/Bk38Aiokwn0jiJxt/0S2WRSUwWLCf5xk=',
- ext: 'some-app-data',
- mac: 'dvIvMThwi28J61Jc3P0ryAhuKpanU63GXdx6hkmQkJA=',
- id: '123456'
- };
-
- var header = Hawk.server.header(credentials, artifacts, { payload: 'some reply', contentType: 'text/plain', ext: 'response-specific' });
- expect(header).to.equal('Hawk mac=\"n14wVJK4cOxAytPUMc5bPezQzuJGl5n7MYXhFQgEKsE=\", hash=\"f9cDF/TDm7TkYRLnGwRMfeDzT6LixQVLvrIKhh0vgmM=\", ext=\"response-specific\"');
- done();
- });
-
- it('generates header (empty payload)', function (done) {
-
- var credentials = {
- id: '123456',
- key: 'werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn',
- algorithm: 'sha256',
- user: 'steve'
- };
-
- var artifacts = {
- method: 'POST',
- host: 'example.com',
- port: '8080',
- resource: '/resource/4?filter=a',
- ts: '1398546787',
- nonce: 'xUwusx',
- hash: 'nJjkVtBE5Y/Bk38Aiokwn0jiJxt/0S2WRSUwWLCf5xk=',
- ext: 'some-app-data',
- mac: 'dvIvMThwi28J61Jc3P0ryAhuKpanU63GXdx6hkmQkJA=',
- id: '123456'
- };
-
- var header = Hawk.server.header(credentials, artifacts, { payload: '', contentType: 'text/plain', ext: 'response-specific' });
- expect(header).to.equal('Hawk mac=\"i8/kUBDx0QF+PpCtW860kkV/fa9dbwEoe/FpGUXowf0=\", hash=\"q/t+NNAkQZNlq/aAD6PlexImwQTxwgT2MahfTa9XRLA=\", ext=\"response-specific\"');
- done();
- });
-
- it('generates header (pre calculated hash)', function (done) {
-
- var credentials = {
- id: '123456',
- key: 'werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn',
- algorithm: 'sha256',
- user: 'steve'
- };
-
- var artifacts = {
- method: 'POST',
- host: 'example.com',
- port: '8080',
- resource: '/resource/4?filter=a',
- ts: '1398546787',
- nonce: 'xUwusx',
- hash: 'nJjkVtBE5Y/Bk38Aiokwn0jiJxt/0S2WRSUwWLCf5xk=',
- ext: 'some-app-data',
- mac: 'dvIvMThwi28J61Jc3P0ryAhuKpanU63GXdx6hkmQkJA=',
- id: '123456'
- };
-
- var options = { payload: 'some reply', contentType: 'text/plain', ext: 'response-specific' };
- options.hash = Hawk.crypto.calculatePayloadHash(options.payload, credentials.algorithm, options.contentType);
- var header = Hawk.server.header(credentials, artifacts, options);
- expect(header).to.equal('Hawk mac=\"n14wVJK4cOxAytPUMc5bPezQzuJGl5n7MYXhFQgEKsE=\", hash=\"f9cDF/TDm7TkYRLnGwRMfeDzT6LixQVLvrIKhh0vgmM=\", ext=\"response-specific\"');
- done();
- });
-
- it('generates header (null ext)', function (done) {
-
- var credentials = {
- id: '123456',
- key: 'werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn',
- algorithm: 'sha256',
- user: 'steve'
- };
-
- var artifacts = {
- method: 'POST',
- host: 'example.com',
- port: '8080',
- resource: '/resource/4?filter=a',
- ts: '1398546787',
- nonce: 'xUwusx',
- hash: 'nJjkVtBE5Y/Bk38Aiokwn0jiJxt/0S2WRSUwWLCf5xk=',
- mac: 'dvIvMThwi28J61Jc3P0ryAhuKpanU63GXdx6hkmQkJA=',
- id: '123456'
- };
-
- var header = Hawk.server.header(credentials, artifacts, { payload: 'some reply', contentType: 'text/plain', ext: null });
- expect(header).to.equal('Hawk mac=\"6PrybJTJs20jsgBw5eilXpcytD8kUbaIKNYXL+6g0ns=\", hash=\"f9cDF/TDm7TkYRLnGwRMfeDzT6LixQVLvrIKhh0vgmM=\"');
- done();
- });
-
- it('errors on missing artifacts', function (done) {
-
- var credentials = {
- id: '123456',
- key: 'werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn',
- algorithm: 'sha256',
- user: 'steve'
- };
-
- var header = Hawk.server.header(credentials, null, { payload: 'some reply', contentType: 'text/plain', ext: 'response-specific' });
- expect(header).to.equal('');
- done();
- });
-
- it('errors on invalid artifacts', function (done) {
-
- var credentials = {
- id: '123456',
- key: 'werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn',
- algorithm: 'sha256',
- user: 'steve'
- };
-
- var header = Hawk.server.header(credentials, 5, { payload: 'some reply', contentType: 'text/plain', ext: 'response-specific' });
- expect(header).to.equal('');
- done();
- });
-
- it('errors on missing credentials', function (done) {
-
- var artifacts = {
- method: 'POST',
- host: 'example.com',
- port: '8080',
- resource: '/resource/4?filter=a',
- ts: '1398546787',
- nonce: 'xUwusx',
- hash: 'nJjkVtBE5Y/Bk38Aiokwn0jiJxt/0S2WRSUwWLCf5xk=',
- ext: 'some-app-data',
- mac: 'dvIvMThwi28J61Jc3P0ryAhuKpanU63GXdx6hkmQkJA=',
- id: '123456'
- };
-
- var header = Hawk.server.header(null, artifacts, { payload: 'some reply', contentType: 'text/plain', ext: 'response-specific' });
- expect(header).to.equal('');
- done();
- });
-
- it('errors on invalid credentials (key)', function (done) {
-
- var credentials = {
- id: '123456',
- algorithm: 'sha256',
- user: 'steve'
- };
-
- var artifacts = {
- method: 'POST',
- host: 'example.com',
- port: '8080',
- resource: '/resource/4?filter=a',
- ts: '1398546787',
- nonce: 'xUwusx',
- hash: 'nJjkVtBE5Y/Bk38Aiokwn0jiJxt/0S2WRSUwWLCf5xk=',
- ext: 'some-app-data',
- mac: 'dvIvMThwi28J61Jc3P0ryAhuKpanU63GXdx6hkmQkJA=',
- id: '123456'
- };
-
- var header = Hawk.server.header(credentials, artifacts, { payload: 'some reply', contentType: 'text/plain', ext: 'response-specific' });
- expect(header).to.equal('');
- done();
- });
-
- it('errors on invalid algorithm', function (done) {
-
- var credentials = {
- id: '123456',
- key: 'werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn',
- algorithm: 'x',
- user: 'steve'
- };
-
- var artifacts = {
- method: 'POST',
- host: 'example.com',
- port: '8080',
- resource: '/resource/4?filter=a',
- ts: '1398546787',
- nonce: 'xUwusx',
- hash: 'nJjkVtBE5Y/Bk38Aiokwn0jiJxt/0S2WRSUwWLCf5xk=',
- ext: 'some-app-data',
- mac: 'dvIvMThwi28J61Jc3P0ryAhuKpanU63GXdx6hkmQkJA=',
- id: '123456'
- };
-
- var header = Hawk.server.header(credentials, artifacts, { payload: 'some reply', contentType: 'text/plain', ext: 'response-specific' });
- expect(header).to.equal('');
- done();
- });
- });
-
- describe('authenticateBewit()', function () {
-
- it('errors on uri too long', function (done) {
-
- var long = '/';
- for (var i = 0; i < 5000; ++i) {
- long += 'x';
- }
-
- var req = {
- method: 'GET',
- url: long,
- host: 'example.com',
- port: 8080,
- authorization: 'Hawk id="1", ts="1353788437", nonce="k3j4h2", mac="zy79QQ5/EYFmQqutVnYb73gAc/U=", ext="hello"'
- };
-
- Hawk.server.authenticateBewit(req, credentialsFunc, {}, function (err, credentials, bewit) {
-
- expect(err).to.exist();
- expect(err.output.statusCode).to.equal(400);
- expect(err.message).to.equal('Resource path exceeds max length');
- done();
- });
- });
- });
-
- describe('authenticateMessage()', function () {
-
- it('errors on invalid authorization (ts)', function (done) {
-
- credentialsFunc('123456', function (err, credentials1) {
-
- var auth = Hawk.client.message('example.com', 8080, 'some message', { credentials: credentials1 });
- delete auth.ts;
-
- Hawk.server.authenticateMessage('example.com', 8080, 'some message', auth, credentialsFunc, {}, function (err, credentials2) {
-
- expect(err).to.exist();
- expect(err.message).to.equal('Invalid authorization');
- done();
- });
- });
- });
-
- it('errors on invalid authorization (nonce)', function (done) {
-
- credentialsFunc('123456', function (err, credentials1) {
-
- var auth = Hawk.client.message('example.com', 8080, 'some message', { credentials: credentials1 });
- delete auth.nonce;
-
- Hawk.server.authenticateMessage('example.com', 8080, 'some message', auth, credentialsFunc, {}, function (err, credentials2) {
-
- expect(err).to.exist();
- expect(err.message).to.equal('Invalid authorization');
- done();
- });
- });
- });
-
- it('errors on invalid authorization (hash)', function (done) {
-
- credentialsFunc('123456', function (err, credentials1) {
-
- var auth = Hawk.client.message('example.com', 8080, 'some message', { credentials: credentials1 });
- delete auth.hash;
-
- Hawk.server.authenticateMessage('example.com', 8080, 'some message', auth, credentialsFunc, {}, function (err, credentials2) {
-
- expect(err).to.exist();
- expect(err.message).to.equal('Invalid authorization');
- done();
- });
- });
- });
-
- it('errors with credentials', function (done) {
-
- credentialsFunc('123456', function (err, credentials1) {
-
- var auth = Hawk.client.message('example.com', 8080, 'some message', { credentials: credentials1 });
-
- Hawk.server.authenticateMessage('example.com', 8080, 'some message', auth, function (id, callback) {
-
- callback(new Error('something'), { some: 'value' });
- }, {}, function (err, credentials2) {
-
- expect(err).to.exist();
- expect(err.message).to.equal('something');
- expect(credentials2.some).to.equal('value');
- done();
- });
- });
- });
-
- it('errors on nonce collision', function (done) {
-
- credentialsFunc('123456', function (err, credentials1) {
-
- var auth = Hawk.client.message('example.com', 8080, 'some message', { credentials: credentials1 });
- Hawk.server.authenticateMessage('example.com', 8080, 'some message', auth, credentialsFunc, {
- nonceFunc: function (key, nonce, ts, nonceCallback) {
-
- nonceCallback(true);
- }
- }, function (err, credentials2) {
-
- expect(err).to.exist();
- expect(err.message).to.equal('Invalid nonce');
- done();
- });
- });
- });
-
- it('should generate an authorization then successfully parse it', function (done) {
-
- credentialsFunc('123456', function (err, credentials1) {
-
- var auth = Hawk.client.message('example.com', 8080, 'some message', { credentials: credentials1 });
- expect(auth).to.exist();
-
- Hawk.server.authenticateMessage('example.com', 8080, 'some message', auth, credentialsFunc, {}, function (err, credentials2) {
-
- expect(err).to.not.exist();
- expect(credentials2.user).to.equal('steve');
- done();
- });
- });
- });
-
- it('should fail authorization on mismatching host', function (done) {
-
- credentialsFunc('123456', function (err, credentials1) {
-
- var auth = Hawk.client.message('example.com', 8080, 'some message', { credentials: credentials1 });
- expect(auth).to.exist();
-
- Hawk.server.authenticateMessage('example1.com', 8080, 'some message', auth, credentialsFunc, {}, function (err, credentials2) {
-
- expect(err).to.exist();
- expect(err.message).to.equal('Bad mac');
- done();
- });
- });
- });
-
- it('should fail authorization on stale timestamp', function (done) {
-
- credentialsFunc('123456', function (err, credentials1) {
-
- var auth = Hawk.client.message('example.com', 8080, 'some message', { credentials: credentials1 });
- expect(auth).to.exist();
-
- Hawk.server.authenticateMessage('example.com', 8080, 'some message', auth, credentialsFunc, { localtimeOffsetMsec: 100000 }, function (err, credentials2) {
-
- expect(err).to.exist();
- expect(err.message).to.equal('Stale timestamp');
- done();
- });
- });
- });
-
- it('overrides timestampSkewSec', function (done) {
-
- credentialsFunc('123456', function (err, credentials1) {
-
- var auth = Hawk.client.message('example.com', 8080, 'some message', { credentials: credentials1, localtimeOffsetMsec: 100000 });
- expect(auth).to.exist();
-
- Hawk.server.authenticateMessage('example.com', 8080, 'some message', auth, credentialsFunc, { timestampSkewSec: 500 }, function (err, credentials2) {
-
- expect(err).to.not.exist();
- done();
- });
- });
- });
-
- it('should fail authorization on invalid authorization', function (done) {
-
- credentialsFunc('123456', function (err, credentials1) {
-
- var auth = Hawk.client.message('example.com', 8080, 'some message', { credentials: credentials1 });
- expect(auth).to.exist();
- delete auth.id;
-
- Hawk.server.authenticateMessage('example.com', 8080, 'some message', auth, credentialsFunc, {}, function (err, credentials2) {
-
- expect(err).to.exist();
- expect(err.message).to.equal('Invalid authorization');
- done();
- });
- });
- });
-
- it('should fail authorization on bad hash', function (done) {
-
- credentialsFunc('123456', function (err, credentials1) {
-
- var auth = Hawk.client.message('example.com', 8080, 'some message', { credentials: credentials1 });
- expect(auth).to.exist();
-
- Hawk.server.authenticateMessage('example.com', 8080, 'some message1', auth, credentialsFunc, {}, function (err, credentials2) {
-
- expect(err).to.exist();
- expect(err.message).to.equal('Bad message hash');
- done();
- });
- });
- });
-
- it('should fail authorization on nonce error', function (done) {
-
- credentialsFunc('123456', function (err, credentials1) {
-
- var auth = Hawk.client.message('example.com', 8080, 'some message', { credentials: credentials1 });
- expect(auth).to.exist();
-
- Hawk.server.authenticateMessage('example.com', 8080, 'some message', auth, credentialsFunc, {
- nonceFunc: function (key, nonce, ts, callback) {
-
- callback(new Error('kaboom'));
- }
- }, function (err, credentials2) {
-
- expect(err).to.exist();
- expect(err.message).to.equal('Invalid nonce');
- done();
- });
- });
- });
-
- it('should fail authorization on credentials error', function (done) {
-
- credentialsFunc('123456', function (err, credentials1) {
-
- var auth = Hawk.client.message('example.com', 8080, 'some message', { credentials: credentials1 });
- expect(auth).to.exist();
-
- var errFunc = function (id, callback) {
-
- callback(new Error('kablooey'));
- };
-
- Hawk.server.authenticateMessage('example.com', 8080, 'some message', auth, errFunc, {}, function (err, credentials2) {
-
- expect(err).to.exist();
- expect(err.message).to.equal('kablooey');
- done();
- });
- });
- });
-
- it('should fail authorization on missing credentials', function (done) {
-
- credentialsFunc('123456', function (err, credentials1) {
-
- var auth = Hawk.client.message('example.com', 8080, 'some message', { credentials: credentials1 });
- expect(auth).to.exist();
-
- var errFunc = function (id, callback) {
-
- callback();
- };
-
- Hawk.server.authenticateMessage('example.com', 8080, 'some message', auth, errFunc, {}, function (err, credentials2) {
-
- expect(err).to.exist();
- expect(err.message).to.equal('Unknown credentials');
- done();
- });
- });
- });
-
- it('should fail authorization on invalid credentials', function (done) {
-
- credentialsFunc('123456', function (err, credentials1) {
-
- var auth = Hawk.client.message('example.com', 8080, 'some message', { credentials: credentials1 });
- expect(auth).to.exist();
-
- var errFunc = function (id, callback) {
-
- callback(null, {});
- };
-
- Hawk.server.authenticateMessage('example.com', 8080, 'some message', auth, errFunc, {}, function (err, credentials2) {
-
- expect(err).to.exist();
- expect(err.message).to.equal('Invalid credentials');
- done();
- });
- });
- });
-
- it('should fail authorization on invalid credentials algorithm', function (done) {
-
- credentialsFunc('123456', function (err, credentials1) {
-
- var auth = Hawk.client.message('example.com', 8080, 'some message', { credentials: credentials1 });
- expect(auth).to.exist();
-
- var errFunc = function (id, callback) {
-
- callback(null, { key: '123', algorithm: '456' });
- };
-
- Hawk.server.authenticateMessage('example.com', 8080, 'some message', auth, errFunc, {}, function (err, credentials2) {
-
- expect(err).to.exist();
- expect(err.message).to.equal('Unknown algorithm');
- done();
- });
- });
- });
-
- it('should fail on missing host', function (done) {
-
- credentialsFunc('123456', function (err, credentials) {
-
- var auth = Hawk.client.message(null, 8080, 'some message', { credentials: credentials });
- expect(auth).to.not.exist();
- done();
- });
- });
-
- it('should fail on missing credentials', function (done) {
-
- var auth = Hawk.client.message('example.com', 8080, 'some message', {});
- expect(auth).to.not.exist();
- done();
- });
-
- it('should fail on invalid algorithm', function (done) {
-
- credentialsFunc('123456', function (err, credentials) {
-
- var creds = Hoek.clone(credentials);
- creds.algorithm = 'blah';
- var auth = Hawk.client.message('example.com', 8080, 'some message', { credentials: creds });
- expect(auth).to.not.exist();
- done();
- });
- });
- });
-
- describe('authenticatePayloadHash()', function () {
-
- it('checks payload hash', function (done) {
-
- expect(Hawk.server.authenticatePayloadHash('abcdefg', { hash: 'abcdefg' })).to.equal(true);
- expect(Hawk.server.authenticatePayloadHash('1234567', { hash: 'abcdefg' })).to.equal(false);
- done();
- });
- });
- });
-
|