Added test coverage proving token back compatibility

refs https://github.com/TryGhost/Toolbox/issues/169 - There was not much clarity around how the tokens created for the versioned API audience would behave when non-versioned API is introduced. The tests added here illustrate the tokens being forward compabible (created for versioned -> verified at non-versioned API) and not backwards combatible (created for non-versioned -> verified at versioned)
2025-02-17 23:44:39 -05:00 · 2022-03-14 15:16:49 +08:00 · 2022-03-14 15:16:49 +08:00 · 1dd47c4191
commit 1dd47c4191
parent 7becf0a2b2
1 changed files with 52 additions and 0 deletions
--- a/test/unit/server/services/auth/api-key/admin.test.js
+++ b/test/unit/server/services/auth/api-key/admin.test.js
@ -82,6 +82,58 @@ describe('Admin API Key Auth', function () {
        });
    });
    it('should authenticate known+valid non-versioned API key with a token created for versioned API', function (done) {
        const token = jwt.sign({
        }, this.secret, {
            keyid: this.fakeApiKey.id,
            algorithm: 'HS256',
            expiresIn: '5m',
            audience: 'v4/admin/',
            issuer: this.fakeApiKey.id
        });
        const req = {
            originalUrl: `${ADMIN_API_URL_NON_VERSIONED}session/`,
            headers: {
                authorization: `Ghost ${token}`
            }
        };
        const res = {};
        apiKeyAuth.admin.authenticate(req, res, (err) => {
            should.not.exist(err);
            req.api_key.should.eql(this.fakeApiKey);
            done();
        });
    });
    it('should NOT authenticate known+valid versioned API key with a token created for non-versioned API', function (done) {
        const token = jwt.sign({
        }, this.secret, {
            keyid: this.fakeApiKey.id,
            algorithm: 'HS256',
            expiresIn: '5m',
            audience: 'admin/',
            issuer: this.fakeApiKey.id
        });
        const req = {
            originalUrl: `${ADMIN_API_URL}session/`,
            headers: {
                authorization: `Ghost ${token}`
            }
        };
        const res = {};
        apiKeyAuth.admin.authenticate(req, res, (err) => {
            should.exist(err);
            should.equal(err instanceof errors.UnauthorizedError, true);
            err.code.should.eql('INVALID_JWT');
            should.not.exist(req.api_key);
            done();
        });
    });
    it('shouldn\'t authenticate with missing Ghost token', function (done) {
        const token = '';
        const req = {