Added test coverage for JWKS token verification

refs https://github.com/TryGhost/Team/issues/1640

- Adds coverage for token verification based on public key exposed through the `/.well-known/jwks.json` endpoint

ghost/members-api/package.json

@@ -20,6 +20,7 @@
   "devDependencies": {
     "@types/node-jose": "1.1.8",
     "c8": "7.11.3",
+    "jwk-to-pem": "2.0.5",
     "mocha": "10.0.0",
     "nock": "13.2.4",
     "should": "13.2.3",

ghost/members-api/test/unit/lib/services/token.test.js

@@ -1,4 +1,6 @@
 const assert = require('assert');
+const jwt = require('jsonwebtoken');
+const jwkToPem = require('jwk-to-pem');
 const TokenService = require('../../../../lib/services/token');
 
 describe('TokenService', function () {
@@ -27,4 +29,22 @@ describe('TokenService', function () {
             assert.equal(decodedToken.sub, 'member@example.com');
         });
     });
+
+    describe('getPublicKeys', function () {
+        it('can verify the token using public keys', async function () {
+            const token = await tokenService.encodeIdentityToken({sub: 'member@example.com'});
+            const jwks = await tokenService.getPublicKeys();
+            const publicKey = jwkToPem(jwks.keys[0]);
+
+            const decodedToken = jwt.verify(token, publicKey, {
+                algorithms: ['RS512'],
+                issuer: this._issuer
+            });
+
+            assert.deepEqual(Object.keys(decodedToken), ['sub', 'kid', 'iat', 'exp', 'aud', 'iss']);
+            assert.equal(decodedToken.aud, 'http://127.0.0.1:2369/members/api');
+            assert.equal(decodedToken.iss, 'http://127.0.0.1:2369/members/api');
+            assert.equal(decodedToken.sub, 'member@example.com');
+        });
+    });
 });