Added test coverage proving token back compatibility

refs https://github.com/TryGhost/Toolbox/issues/169 - There was not much clarity around how the tokens created for the versioned API audience would behave when non-versioned API is introduced. The tests added here illustrate the tokens being forward compabible (created for versioned -> verified at non-versioned API) and not backwards combatible (created for non-versioned -> verified at versioned)
2025-02-17 23:44:39 -05:00 · 2022-03-14 15:16:49 +08:00 · 2022-03-14 15:16:49 +08:00 · 1dd47c4191
commit 1dd47c4191
parent 7becf0a2b2
1 changed files with 52 additions and 0 deletions
--- a/test/unit/server/services/auth/api-key/admin.test.js
+++ b/test/unit/server/services/auth/api-key/admin.test.js
@ -82,6 +82,58 @@ describe('Admin API Key Auth', function () {
        });
    });

+    it('should authenticate known+valid non-versioned API key with a token created for versioned API', function (done) {
+        const token = jwt.sign({
+        }, this.secret, {
+            keyid: this.fakeApiKey.id,
+            algorithm: 'HS256',
+            expiresIn: '5m',
+            audience: 'v4/admin/',
+            issuer: this.fakeApiKey.id
+        });
+
+        const req = {
+            originalUrl: `${ADMIN_API_URL_NON_VERSIONED}session/`,
+            headers: {
+                authorization: `Ghost ${token}`
+            }
+        };
+        const res = {};
+
+        apiKeyAuth.admin.authenticate(req, res, (err) => {
+            should.not.exist(err);
+            req.api_key.should.eql(this.fakeApiKey);
+            done();
+        });
+    });
+
+    it('should NOT authenticate known+valid versioned API key with a token created for non-versioned API', function (done) {
+        const token = jwt.sign({
+        }, this.secret, {
+            keyid: this.fakeApiKey.id,
+            algorithm: 'HS256',
+            expiresIn: '5m',
+            audience: 'admin/',
+            issuer: this.fakeApiKey.id
+        });
+
+        const req = {
+            originalUrl: `${ADMIN_API_URL}session/`,
+            headers: {
+                authorization: `Ghost ${token}`
+            }
+        };
+        const res = {};
+
+        apiKeyAuth.admin.authenticate(req, res, (err) => {
+            should.exist(err);
+            should.equal(err instanceof errors.UnauthorizedError, true);
+            err.code.should.eql('INVALID_JWT');
+            should.not.exist(req.api_key);
+            done();
+        });
+    });
+
    it('shouldn\'t authenticate with missing Ghost token', function (done) {
        const token = '';
        const req = {