3 var Url = require('url');
\r
4 var Code = require('code');
\r
5 var Hawk = require('../lib');
\r
6 var Hoek = require('hoek');
\r
7 var Lab = require('lab');
\r
10 // Declare internals
\r
17 var lab = exports.lab = Lab.script();
\r
18 var describe = lab.experiment;
\r
20 var expect = Code.expect;
\r
23 describe('Server', function () {
\r
25 var credentialsFunc = function (id, callback) {
\r
29 key: 'werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn',
\r
30 algorithm: (id === '1' ? 'sha1' : 'sha256'),
\r
34 return callback(null, credentials);
\r
37 describe('authenticate()', function () {
\r
39 it('parses a valid authentication header (sha1)', function (done) {
\r
43 url: '/resource/4?filter=a',
\r
44 host: 'example.com',
\r
46 authorization: 'Hawk id="1", ts="1353788437", nonce="k3j4h2", mac="zy79QQ5/EYFmQqutVnYb73gAc/U=", ext="hello"'
\r
49 Hawk.server.authenticate(req, credentialsFunc, { localtimeOffsetMsec: 1353788437000 - Hawk.utils.now() }, function (err, credentials, artifacts) {
\r
51 expect(err).to.not.exist();
\r
52 expect(credentials.user).to.equal('steve');
\r
57 it('parses a valid authentication header (sha256)', function (done) {
\r
61 url: '/resource/1?b=1&a=2',
\r
62 host: 'example.com',
\r
64 authorization: 'Hawk id="dh37fgj492je", ts="1353832234", nonce="j4h3g2", mac="m8r1rHbXN6NgO+KIIhjO7sFRyd78RNGVUwehe8Cp2dU=", ext="some-app-data"'
\r
67 Hawk.server.authenticate(req, credentialsFunc, { localtimeOffsetMsec: 1353832234000 - Hawk.utils.now() }, function (err, credentials, artifacts) {
\r
69 expect(err).to.not.exist();
\r
70 expect(credentials.user).to.equal('steve');
\r
75 it('parses a valid authentication header (host override)', function (done) {
\r
79 url: '/resource/4?filter=a',
\r
81 host: 'example1.com:8080',
\r
82 authorization: 'Hawk id="1", ts="1353788437", nonce="k3j4h2", mac="zy79QQ5/EYFmQqutVnYb73gAc/U=", ext="hello"'
\r
86 Hawk.server.authenticate(req, credentialsFunc, { host: 'example.com', localtimeOffsetMsec: 1353788437000 - Hawk.utils.now() }, function (err, credentials, artifacts) {
\r
88 expect(err).to.not.exist();
\r
89 expect(credentials.user).to.equal('steve');
\r
94 it('parses a valid authentication header (host port override)', function (done) {
\r
98 url: '/resource/4?filter=a',
\r
100 host: 'example1.com:80',
\r
101 authorization: 'Hawk id="1", ts="1353788437", nonce="k3j4h2", mac="zy79QQ5/EYFmQqutVnYb73gAc/U=", ext="hello"'
\r
105 Hawk.server.authenticate(req, credentialsFunc, { host: 'example.com', port: 8080, localtimeOffsetMsec: 1353788437000 - Hawk.utils.now() }, function (err, credentials, artifacts) {
\r
107 expect(err).to.not.exist();
\r
108 expect(credentials.user).to.equal('steve');
\r
113 it('parses a valid authentication header (POST with payload)', function (done) {
\r
117 url: '/resource/4?filter=a',
\r
118 host: 'example.com',
\r
120 authorization: 'Hawk id="123456", ts="1357926341", nonce="1AwuJD", hash="qAiXIVv+yjDATneWxZP2YCTa9aHRgQdnH9b3Wc+o3dg=", ext="some-app-data", mac="UeYcj5UoTVaAWXNvJfLVia7kU3VabxCqrccXP8sUGC4="'
\r
123 Hawk.server.authenticate(req, credentialsFunc, { localtimeOffsetMsec: 1357926341000 - Hawk.utils.now() }, function (err, credentials, artifacts) {
\r
125 expect(err).to.not.exist();
\r
126 expect(credentials.user).to.equal('steve');
\r
131 it('errors on missing hash', function (done) {
\r
135 url: '/resource/1?b=1&a=2',
\r
136 host: 'example.com',
\r
138 authorization: 'Hawk id="dh37fgj492je", ts="1353832234", nonce="j4h3g2", mac="m8r1rHbXN6NgO+KIIhjO7sFRyd78RNGVUwehe8Cp2dU=", ext="some-app-data"'
\r
141 Hawk.server.authenticate(req, credentialsFunc, { payload: 'body', localtimeOffsetMsec: 1353832234000 - Hawk.utils.now() }, function (err, credentials, artifacts) {
\r
143 expect(err).to.exist();
\r
144 expect(err.output.payload.message).to.equal('Missing required payload hash');
\r
149 it('errors on a stale timestamp', function (done) {
\r
153 url: '/resource/4?filter=a',
\r
154 host: 'example.com',
\r
156 authorization: 'Hawk id="123456", ts="1362337299", nonce="UzmxSs", ext="some-app-data", mac="wnNUxchvvryMH2RxckTdZ/gY3ijzvccx4keVvELC61w="'
\r
159 Hawk.server.authenticate(req, credentialsFunc, {}, function (err, credentials, artifacts) {
\r
161 expect(err).to.exist();
\r
162 expect(err.output.payload.message).to.equal('Stale timestamp');
\r
163 var header = err.output.headers['WWW-Authenticate'];
\r
164 var ts = header.match(/^Hawk ts\=\"(\d+)\"\, tsm\=\"([^\"]+)\"\, error=\"Stale timestamp\"$/);
\r
165 var now = Hawk.utils.now();
\r
166 expect(parseInt(ts[1], 10) * 1000).to.be.within(now - 1000, now + 1000);
\r
170 'www-authenticate': header
\r
174 expect(Hawk.client.authenticate(res, credentials, artifacts)).to.equal(true);
\r
179 it('errors on a replay', function (done) {
\r
183 url: '/resource/4?filter=a',
\r
184 host: 'example.com',
\r
186 authorization: 'Hawk id="123", ts="1353788437", nonce="k3j4h2", mac="bXx7a7p1h9QYQNZ8x7QhvDQym8ACgab4m3lVSFn4DBw=", ext="hello"'
\r
189 var memoryCache = {};
\r
191 localtimeOffsetMsec: 1353788437000 - Hawk.utils.now(),
\r
192 nonceFunc: function (key, nonce, ts, callback) {
\r
194 if (memoryCache[key + nonce]) {
\r
195 return callback(new Error());
\r
198 memoryCache[key + nonce] = true;
\r
203 Hawk.server.authenticate(req, credentialsFunc, options, function (err, credentials1, artifacts1) {
\r
205 expect(err).to.not.exist();
\r
206 expect(credentials1.user).to.equal('steve');
\r
208 Hawk.server.authenticate(req, credentialsFunc, options, function (err, credentials2, artifacts2) {
\r
210 expect(err).to.exist();
\r
211 expect(err.output.payload.message).to.equal('Invalid nonce');
\r
217 it('does not error on nonce collision if keys differ', function (done) {
\r
221 url: '/resource/4?filter=a',
\r
222 host: 'example.com',
\r
224 authorization: 'Hawk id="123", ts="1353788437", nonce="k3j4h2", mac="bXx7a7p1h9QYQNZ8x7QhvDQym8ACgab4m3lVSFn4DBw=", ext="hello"'
\r
229 url: '/resource/4?filter=a',
\r
230 host: 'example.com',
\r
232 authorization: 'Hawk id="456", ts="1353788437", nonce="k3j4h2", mac="LXfmTnRzrLd9TD7yfH+4se46Bx6AHyhpM94hLCiNia4=", ext="hello"'
\r
235 var credentialsFuncion = function (id, callback) {
\r
237 var credentials = {
\r
240 key: 'werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn',
\r
241 algorithm: (id === '1' ? 'sha1' : 'sha256'),
\r
246 key: 'xrunpaw3489ruxnpa98w4rxnwerxhqb98rpaxn39848',
\r
247 algorithm: (id === '1' ? 'sha1' : 'sha256'),
\r
252 return callback(null, credentials[id]);
\r
255 var memoryCache = {};
\r
257 localtimeOffsetMsec: 1353788437000 - Hawk.utils.now(),
\r
258 nonceFunc: function (key, nonce, ts, callback) {
\r
260 if (memoryCache[key + nonce]) {
\r
261 return callback(new Error());
\r
264 memoryCache[key + nonce] = true;
\r
269 Hawk.server.authenticate(reqSteve, credentialsFuncion, options, function (err, credentials1, artifacts1) {
\r
271 expect(err).to.not.exist();
\r
272 expect(credentials1.user).to.equal('steve');
\r
274 Hawk.server.authenticate(reqBob, credentialsFuncion, options, function (err, credentials2, artifacts2) {
\r
276 expect(err).to.not.exist();
\r
277 expect(credentials2.user).to.equal('bob');
\r
283 it('errors on an invalid authentication header: wrong scheme', function (done) {
\r
287 url: '/resource/4?filter=a',
\r
288 host: 'example.com',
\r
290 authorization: 'Basic asdasdasdasd'
\r
293 Hawk.server.authenticate(req, credentialsFunc, { localtimeOffsetMsec: 1353788437000 - Hawk.utils.now() }, function (err, credentials, artifacts) {
\r
295 expect(err).to.exist();
\r
296 expect(err.output.payload.message).to.not.exist();
\r
301 it('errors on an invalid authentication header: no scheme', function (done) {
\r
305 url: '/resource/4?filter=a',
\r
306 host: 'example.com',
\r
308 authorization: '!@#'
\r
311 Hawk.server.authenticate(req, credentialsFunc, { localtimeOffsetMsec: 1353788437000 - Hawk.utils.now() }, function (err, credentials, artifacts) {
\r
313 expect(err).to.exist();
\r
314 expect(err.output.payload.message).to.equal('Invalid header syntax');
\r
319 it('errors on an missing authorization header', function (done) {
\r
323 url: '/resource/4?filter=a',
\r
324 host: 'example.com',
\r
328 Hawk.server.authenticate(req, credentialsFunc, {}, function (err, credentials, artifacts) {
\r
330 expect(err).to.exist();
\r
331 expect(err.isMissing).to.equal(true);
\r
336 it('errors on an missing host header', function (done) {
\r
340 url: '/resource/4?filter=a',
\r
342 authorization: 'Hawk id="123", ts="1353788437", nonce="k3j4h2", mac="/qwS4UjfVWMcUyW6EEgUH4jlr7T/wuKe3dKijvTvSos=", ext="hello"'
\r
346 Hawk.server.authenticate(req, credentialsFunc, { localtimeOffsetMsec: 1353788437000 - Hawk.utils.now() }, function (err, credentials, artifacts) {
\r
348 expect(err).to.exist();
\r
349 expect(err.output.payload.message).to.equal('Invalid Host header');
\r
354 it('errors on an missing authorization attribute (id)', function (done) {
\r
358 url: '/resource/4?filter=a',
\r
359 host: 'example.com',
\r
361 authorization: 'Hawk ts="1353788437", nonce="k3j4h2", mac="/qwS4UjfVWMcUyW6EEgUH4jlr7T/wuKe3dKijvTvSos=", ext="hello"'
\r
364 Hawk.server.authenticate(req, credentialsFunc, { localtimeOffsetMsec: 1353788437000 - Hawk.utils.now() }, function (err, credentials, artifacts) {
\r
366 expect(err).to.exist();
\r
367 expect(err.output.payload.message).to.equal('Missing attributes');
\r
372 it('errors on an missing authorization attribute (ts)', function (done) {
\r
376 url: '/resource/4?filter=a',
\r
377 host: 'example.com',
\r
379 authorization: 'Hawk id="123", nonce="k3j4h2", mac="/qwS4UjfVWMcUyW6EEgUH4jlr7T/wuKe3dKijvTvSos=", ext="hello"'
\r
382 Hawk.server.authenticate(req, credentialsFunc, { localtimeOffsetMsec: 1353788437000 - Hawk.utils.now() }, function (err, credentials, artifacts) {
\r
384 expect(err).to.exist();
\r
385 expect(err.output.payload.message).to.equal('Missing attributes');
\r
390 it('errors on an missing authorization attribute (nonce)', function (done) {
\r
394 url: '/resource/4?filter=a',
\r
395 host: 'example.com',
\r
397 authorization: 'Hawk id="123", ts="1353788437", mac="/qwS4UjfVWMcUyW6EEgUH4jlr7T/wuKe3dKijvTvSos=", ext="hello"'
\r
400 Hawk.server.authenticate(req, credentialsFunc, { localtimeOffsetMsec: 1353788437000 - Hawk.utils.now() }, function (err, credentials, artifacts) {
\r
402 expect(err).to.exist();
\r
403 expect(err.output.payload.message).to.equal('Missing attributes');
\r
408 it('errors on an missing authorization attribute (mac)', function (done) {
\r
412 url: '/resource/4?filter=a',
\r
413 host: 'example.com',
\r
415 authorization: 'Hawk id="123", ts="1353788437", nonce="k3j4h2", ext="hello"'
\r
418 Hawk.server.authenticate(req, credentialsFunc, { localtimeOffsetMsec: 1353788437000 - Hawk.utils.now() }, function (err, credentials, artifacts) {
\r
420 expect(err).to.exist();
\r
421 expect(err.output.payload.message).to.equal('Missing attributes');
\r
426 it('errors on an unknown authorization attribute', function (done) {
\r
430 url: '/resource/4?filter=a',
\r
431 host: 'example.com',
\r
433 authorization: 'Hawk id="123", ts="1353788437", nonce="k3j4h2", x="3", mac="/qwS4UjfVWMcUyW6EEgUH4jlr7T/wuKe3dKijvTvSos=", ext="hello"'
\r
436 Hawk.server.authenticate(req, credentialsFunc, { localtimeOffsetMsec: 1353788437000 - Hawk.utils.now() }, function (err, credentials, artifacts) {
\r
438 expect(err).to.exist();
\r
439 expect(err.output.payload.message).to.equal('Unknown attribute: x');
\r
444 it('errors on an bad authorization header format', function (done) {
\r
448 url: '/resource/4?filter=a',
\r
449 host: 'example.com',
\r
451 authorization: 'Hawk id="123\\", ts="1353788437", nonce="k3j4h2", mac="/qwS4UjfVWMcUyW6EEgUH4jlr7T/wuKe3dKijvTvSos=", ext="hello"'
\r
454 Hawk.server.authenticate(req, credentialsFunc, { localtimeOffsetMsec: 1353788437000 - Hawk.utils.now() }, function (err, credentials, artifacts) {
\r
456 expect(err).to.exist();
\r
457 expect(err.output.payload.message).to.equal('Bad header format');
\r
462 it('errors on an bad authorization attribute value', function (done) {
\r
466 url: '/resource/4?filter=a',
\r
467 host: 'example.com',
\r
469 authorization: 'Hawk id="\t", ts="1353788437", nonce="k3j4h2", mac="/qwS4UjfVWMcUyW6EEgUH4jlr7T/wuKe3dKijvTvSos=", ext="hello"'
\r
472 Hawk.server.authenticate(req, credentialsFunc, { localtimeOffsetMsec: 1353788437000 - Hawk.utils.now() }, function (err, credentials, artifacts) {
\r
474 expect(err).to.exist();
\r
475 expect(err.output.payload.message).to.equal('Bad attribute value: id');
\r
480 it('errors on an empty authorization attribute value', function (done) {
\r
484 url: '/resource/4?filter=a',
\r
485 host: 'example.com',
\r
487 authorization: 'Hawk id="", ts="1353788437", nonce="k3j4h2", mac="/qwS4UjfVWMcUyW6EEgUH4jlr7T/wuKe3dKijvTvSos=", ext="hello"'
\r
490 Hawk.server.authenticate(req, credentialsFunc, { localtimeOffsetMsec: 1353788437000 - Hawk.utils.now() }, function (err, credentials, artifacts) {
\r
492 expect(err).to.exist();
\r
493 expect(err.output.payload.message).to.equal('Bad attribute value: id');
\r
498 it('errors on duplicated authorization attribute key', function (done) {
\r
502 url: '/resource/4?filter=a',
\r
503 host: 'example.com',
\r
505 authorization: 'Hawk id="123", id="456", ts="1353788437", nonce="k3j4h2", mac="/qwS4UjfVWMcUyW6EEgUH4jlr7T/wuKe3dKijvTvSos=", ext="hello"'
\r
508 Hawk.server.authenticate(req, credentialsFunc, { localtimeOffsetMsec: 1353788437000 - Hawk.utils.now() }, function (err, credentials, artifacts) {
\r
510 expect(err).to.exist();
\r
511 expect(err.output.payload.message).to.equal('Duplicate attribute: id');
\r
516 it('errors on an invalid authorization header format', function (done) {
\r
520 url: '/resource/4?filter=a',
\r
521 host: 'example.com',
\r
523 authorization: 'Hawk'
\r
526 Hawk.server.authenticate(req, credentialsFunc, { localtimeOffsetMsec: 1353788437000 - Hawk.utils.now() }, function (err, credentials, artifacts) {
\r
528 expect(err).to.exist();
\r
529 expect(err.output.payload.message).to.equal('Invalid header syntax');
\r
534 it('errors on an bad host header (missing host)', function (done) {
\r
538 url: '/resource/4?filter=a',
\r
541 authorization: 'Hawk id="123", ts="1353788437", nonce="k3j4h2", mac="/qwS4UjfVWMcUyW6EEgUH4jlr7T/wuKe3dKijvTvSos=", ext="hello"'
\r
545 Hawk.server.authenticate(req, credentialsFunc, { localtimeOffsetMsec: 1353788437000 - Hawk.utils.now() }, function (err, credentials, artifacts) {
\r
547 expect(err).to.exist();
\r
548 expect(err.output.payload.message).to.equal('Invalid Host header');
\r
553 it('errors on an bad host header (pad port)', function (done) {
\r
557 url: '/resource/4?filter=a',
\r
559 host: 'example.com:something',
\r
560 authorization: 'Hawk id="123", ts="1353788437", nonce="k3j4h2", mac="/qwS4UjfVWMcUyW6EEgUH4jlr7T/wuKe3dKijvTvSos=", ext="hello"'
\r
564 Hawk.server.authenticate(req, credentialsFunc, { localtimeOffsetMsec: 1353788437000 - Hawk.utils.now() }, function (err, credentials, artifacts) {
\r
566 expect(err).to.exist();
\r
567 expect(err.output.payload.message).to.equal('Invalid Host header');
\r
572 it('errors on credentialsFunc error', function (done) {
\r
576 url: '/resource/4?filter=a',
\r
577 host: 'example.com',
\r
579 authorization: 'Hawk id="123", ts="1353788437", nonce="k3j4h2", mac="/qwS4UjfVWMcUyW6EEgUH4jlr7T/wuKe3dKijvTvSos=", ext="hello"'
\r
582 var credentialsFuncion = function (id, callback) {
\r
584 return callback(new Error('Unknown user'));
\r
587 Hawk.server.authenticate(req, credentialsFuncion, { localtimeOffsetMsec: 1353788437000 - Hawk.utils.now() }, function (err, credentials, artifacts) {
\r
589 expect(err).to.exist();
\r
590 expect(err.message).to.equal('Unknown user');
\r
595 it('errors on credentialsFunc error (with credentials)', function (done) {
\r
599 url: '/resource/4?filter=a',
\r
600 host: 'example.com',
\r
602 authorization: 'Hawk id="123", ts="1353788437", nonce="k3j4h2", mac="/qwS4UjfVWMcUyW6EEgUH4jlr7T/wuKe3dKijvTvSos=", ext="hello"'
\r
605 var credentialsFuncion = function (id, callback) {
\r
607 return callback(new Error('Unknown user'), { some: 'value' });
\r
610 Hawk.server.authenticate(req, credentialsFuncion, { localtimeOffsetMsec: 1353788437000 - Hawk.utils.now() }, function (err, credentials, artifacts) {
\r
612 expect(err).to.exist();
\r
613 expect(err.message).to.equal('Unknown user');
\r
614 expect(credentials.some).to.equal('value');
\r
619 it('errors on missing credentials', function (done) {
\r
623 url: '/resource/4?filter=a',
\r
624 host: 'example.com',
\r
626 authorization: 'Hawk id="123", ts="1353788437", nonce="k3j4h2", mac="/qwS4UjfVWMcUyW6EEgUH4jlr7T/wuKe3dKijvTvSos=", ext="hello"'
\r
629 var credentialsFuncion = function (id, callback) {
\r
631 return callback(null, null);
\r
634 Hawk.server.authenticate(req, credentialsFuncion, { localtimeOffsetMsec: 1353788437000 - Hawk.utils.now() }, function (err, credentials, artifacts) {
\r
636 expect(err).to.exist();
\r
637 expect(err.output.payload.message).to.equal('Unknown credentials');
\r
642 it('errors on invalid credentials (id)', function (done) {
\r
646 url: '/resource/4?filter=a',
\r
647 host: 'example.com',
\r
649 authorization: 'Hawk id="123", ts="1353788437", nonce="k3j4h2", mac="/qwS4UjfVWMcUyW6EEgUH4jlr7T/wuKe3dKijvTvSos=", ext="hello"'
\r
652 var credentialsFuncion = function (id, callback) {
\r
654 var credentials = {
\r
655 key: 'werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn',
\r
659 return callback(null, credentials);
\r
662 Hawk.server.authenticate(req, credentialsFuncion, { localtimeOffsetMsec: 1353788437000 - Hawk.utils.now() }, function (err, credentials, artifacts) {
\r
664 expect(err).to.exist();
\r
665 expect(err.message).to.equal('Invalid credentials');
\r
666 expect(err.output.payload.message).to.equal('An internal server error occurred');
\r
671 it('errors on invalid credentials (key)', function (done) {
\r
675 url: '/resource/4?filter=a',
\r
676 host: 'example.com',
\r
678 authorization: 'Hawk id="123", ts="1353788437", nonce="k3j4h2", mac="/qwS4UjfVWMcUyW6EEgUH4jlr7T/wuKe3dKijvTvSos=", ext="hello"'
\r
681 var credentialsFuncion = function (id, callback) {
\r
683 var credentials = {
\r
684 id: '23434d3q4d5345d',
\r
688 return callback(null, credentials);
\r
691 Hawk.server.authenticate(req, credentialsFuncion, { localtimeOffsetMsec: 1353788437000 - Hawk.utils.now() }, function (err, credentials, artifacts) {
\r
693 expect(err).to.exist();
\r
694 expect(err.message).to.equal('Invalid credentials');
\r
695 expect(err.output.payload.message).to.equal('An internal server error occurred');
\r
700 it('errors on unknown credentials algorithm', function (done) {
\r
704 url: '/resource/4?filter=a',
\r
705 host: 'example.com',
\r
707 authorization: 'Hawk id="123", ts="1353788437", nonce="k3j4h2", mac="/qwS4UjfVWMcUyW6EEgUH4jlr7T/wuKe3dKijvTvSos=", ext="hello"'
\r
710 var credentialsFuncion = function (id, callback) {
\r
712 var credentials = {
\r
713 key: 'werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn',
\r
714 algorithm: 'hmac-sha-0',
\r
718 return callback(null, credentials);
\r
721 Hawk.server.authenticate(req, credentialsFuncion, { localtimeOffsetMsec: 1353788437000 - Hawk.utils.now() }, function (err, credentials, artifacts) {
\r
723 expect(err).to.exist();
\r
724 expect(err.message).to.equal('Unknown algorithm');
\r
725 expect(err.output.payload.message).to.equal('An internal server error occurred');
\r
730 it('errors on unknown bad mac', function (done) {
\r
734 url: '/resource/4?filter=a',
\r
735 host: 'example.com',
\r
737 authorization: 'Hawk id="123", ts="1353788437", nonce="k3j4h2", mac="/qwS4UjfVWMcU4jlr7T/wuKe3dKijvTvSos=", ext="hello"'
\r
740 var credentialsFuncion = function (id, callback) {
\r
742 var credentials = {
\r
743 key: 'werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn',
\r
744 algorithm: 'sha256',
\r
748 return callback(null, credentials);
\r
751 Hawk.server.authenticate(req, credentialsFuncion, { localtimeOffsetMsec: 1353788437000 - Hawk.utils.now() }, function (err, credentials, artifacts) {
\r
753 expect(err).to.exist();
\r
754 expect(err.output.payload.message).to.equal('Bad mac');
\r
760 describe('header()', function () {
\r
762 it('generates header', function (done) {
\r
764 var credentials = {
\r
766 key: 'werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn',
\r
767 algorithm: 'sha256',
\r
773 host: 'example.com',
\r
775 resource: '/resource/4?filter=a',
\r
778 hash: 'nJjkVtBE5Y/Bk38Aiokwn0jiJxt/0S2WRSUwWLCf5xk=',
\r
779 ext: 'some-app-data',
\r
780 mac: 'dvIvMThwi28J61Jc3P0ryAhuKpanU63GXdx6hkmQkJA=',
\r
784 var header = Hawk.server.header(credentials, artifacts, { payload: 'some reply', contentType: 'text/plain', ext: 'response-specific' });
\r
785 expect(header).to.equal('Hawk mac=\"n14wVJK4cOxAytPUMc5bPezQzuJGl5n7MYXhFQgEKsE=\", hash=\"f9cDF/TDm7TkYRLnGwRMfeDzT6LixQVLvrIKhh0vgmM=\", ext=\"response-specific\"');
\r
789 it('generates header (empty payload)', function (done) {
\r
791 var credentials = {
\r
793 key: 'werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn',
\r
794 algorithm: 'sha256',
\r
800 host: 'example.com',
\r
802 resource: '/resource/4?filter=a',
\r
805 hash: 'nJjkVtBE5Y/Bk38Aiokwn0jiJxt/0S2WRSUwWLCf5xk=',
\r
806 ext: 'some-app-data',
\r
807 mac: 'dvIvMThwi28J61Jc3P0ryAhuKpanU63GXdx6hkmQkJA=',
\r
811 var header = Hawk.server.header(credentials, artifacts, { payload: '', contentType: 'text/plain', ext: 'response-specific' });
\r
812 expect(header).to.equal('Hawk mac=\"i8/kUBDx0QF+PpCtW860kkV/fa9dbwEoe/FpGUXowf0=\", hash=\"q/t+NNAkQZNlq/aAD6PlexImwQTxwgT2MahfTa9XRLA=\", ext=\"response-specific\"');
\r
816 it('generates header (pre calculated hash)', function (done) {
\r
818 var credentials = {
\r
820 key: 'werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn',
\r
821 algorithm: 'sha256',
\r
827 host: 'example.com',
\r
829 resource: '/resource/4?filter=a',
\r
832 hash: 'nJjkVtBE5Y/Bk38Aiokwn0jiJxt/0S2WRSUwWLCf5xk=',
\r
833 ext: 'some-app-data',
\r
834 mac: 'dvIvMThwi28J61Jc3P0ryAhuKpanU63GXdx6hkmQkJA=',
\r
838 var options = { payload: 'some reply', contentType: 'text/plain', ext: 'response-specific' };
\r
839 options.hash = Hawk.crypto.calculatePayloadHash(options.payload, credentials.algorithm, options.contentType);
\r
840 var header = Hawk.server.header(credentials, artifacts, options);
\r
841 expect(header).to.equal('Hawk mac=\"n14wVJK4cOxAytPUMc5bPezQzuJGl5n7MYXhFQgEKsE=\", hash=\"f9cDF/TDm7TkYRLnGwRMfeDzT6LixQVLvrIKhh0vgmM=\", ext=\"response-specific\"');
\r
845 it('generates header (null ext)', function (done) {
\r
847 var credentials = {
\r
849 key: 'werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn',
\r
850 algorithm: 'sha256',
\r
856 host: 'example.com',
\r
858 resource: '/resource/4?filter=a',
\r
861 hash: 'nJjkVtBE5Y/Bk38Aiokwn0jiJxt/0S2WRSUwWLCf5xk=',
\r
862 mac: 'dvIvMThwi28J61Jc3P0ryAhuKpanU63GXdx6hkmQkJA=',
\r
866 var header = Hawk.server.header(credentials, artifacts, { payload: 'some reply', contentType: 'text/plain', ext: null });
\r
867 expect(header).to.equal('Hawk mac=\"6PrybJTJs20jsgBw5eilXpcytD8kUbaIKNYXL+6g0ns=\", hash=\"f9cDF/TDm7TkYRLnGwRMfeDzT6LixQVLvrIKhh0vgmM=\"');
\r
871 it('errors on missing artifacts', function (done) {
\r
873 var credentials = {
\r
875 key: 'werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn',
\r
876 algorithm: 'sha256',
\r
880 var header = Hawk.server.header(credentials, null, { payload: 'some reply', contentType: 'text/plain', ext: 'response-specific' });
\r
881 expect(header).to.equal('');
\r
885 it('errors on invalid artifacts', function (done) {
\r
887 var credentials = {
\r
889 key: 'werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn',
\r
890 algorithm: 'sha256',
\r
894 var header = Hawk.server.header(credentials, 5, { payload: 'some reply', contentType: 'text/plain', ext: 'response-specific' });
\r
895 expect(header).to.equal('');
\r
899 it('errors on missing credentials', function (done) {
\r
903 host: 'example.com',
\r
905 resource: '/resource/4?filter=a',
\r
908 hash: 'nJjkVtBE5Y/Bk38Aiokwn0jiJxt/0S2WRSUwWLCf5xk=',
\r
909 ext: 'some-app-data',
\r
910 mac: 'dvIvMThwi28J61Jc3P0ryAhuKpanU63GXdx6hkmQkJA=',
\r
914 var header = Hawk.server.header(null, artifacts, { payload: 'some reply', contentType: 'text/plain', ext: 'response-specific' });
\r
915 expect(header).to.equal('');
\r
919 it('errors on invalid credentials (key)', function (done) {
\r
921 var credentials = {
\r
923 algorithm: 'sha256',
\r
929 host: 'example.com',
\r
931 resource: '/resource/4?filter=a',
\r
934 hash: 'nJjkVtBE5Y/Bk38Aiokwn0jiJxt/0S2WRSUwWLCf5xk=',
\r
935 ext: 'some-app-data',
\r
936 mac: 'dvIvMThwi28J61Jc3P0ryAhuKpanU63GXdx6hkmQkJA=',
\r
940 var header = Hawk.server.header(credentials, artifacts, { payload: 'some reply', contentType: 'text/plain', ext: 'response-specific' });
\r
941 expect(header).to.equal('');
\r
945 it('errors on invalid algorithm', function (done) {
\r
947 var credentials = {
\r
949 key: 'werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn',
\r
956 host: 'example.com',
\r
958 resource: '/resource/4?filter=a',
\r
961 hash: 'nJjkVtBE5Y/Bk38Aiokwn0jiJxt/0S2WRSUwWLCf5xk=',
\r
962 ext: 'some-app-data',
\r
963 mac: 'dvIvMThwi28J61Jc3P0ryAhuKpanU63GXdx6hkmQkJA=',
\r
967 var header = Hawk.server.header(credentials, artifacts, { payload: 'some reply', contentType: 'text/plain', ext: 'response-specific' });
\r
968 expect(header).to.equal('');
\r
973 describe('authenticateBewit()', function () {
\r
975 it('errors on uri too long', function (done) {
\r
978 for (var i = 0; i < 5000; ++i) {
\r
985 host: 'example.com',
\r
987 authorization: 'Hawk id="1", ts="1353788437", nonce="k3j4h2", mac="zy79QQ5/EYFmQqutVnYb73gAc/U=", ext="hello"'
\r
990 Hawk.server.authenticateBewit(req, credentialsFunc, {}, function (err, credentials, bewit) {
\r
992 expect(err).to.exist();
\r
993 expect(err.output.statusCode).to.equal(400);
\r
994 expect(err.message).to.equal('Resource path exceeds max length');
\r
1000 describe('authenticateMessage()', function () {
\r
1002 it('errors on invalid authorization (ts)', function (done) {
\r
1004 credentialsFunc('123456', function (err, credentials1) {
\r
1006 var auth = Hawk.client.message('example.com', 8080, 'some message', { credentials: credentials1 });
\r
1009 Hawk.server.authenticateMessage('example.com', 8080, 'some message', auth, credentialsFunc, {}, function (err, credentials2) {
\r
1011 expect(err).to.exist();
\r
1012 expect(err.message).to.equal('Invalid authorization');
\r
1018 it('errors on invalid authorization (nonce)', function (done) {
\r
1020 credentialsFunc('123456', function (err, credentials1) {
\r
1022 var auth = Hawk.client.message('example.com', 8080, 'some message', { credentials: credentials1 });
\r
1023 delete auth.nonce;
\r
1025 Hawk.server.authenticateMessage('example.com', 8080, 'some message', auth, credentialsFunc, {}, function (err, credentials2) {
\r
1027 expect(err).to.exist();
\r
1028 expect(err.message).to.equal('Invalid authorization');
\r
1034 it('errors on invalid authorization (hash)', function (done) {
\r
1036 credentialsFunc('123456', function (err, credentials1) {
\r
1038 var auth = Hawk.client.message('example.com', 8080, 'some message', { credentials: credentials1 });
\r
1041 Hawk.server.authenticateMessage('example.com', 8080, 'some message', auth, credentialsFunc, {}, function (err, credentials2) {
\r
1043 expect(err).to.exist();
\r
1044 expect(err.message).to.equal('Invalid authorization');
\r
1050 it('errors with credentials', function (done) {
\r
1052 credentialsFunc('123456', function (err, credentials1) {
\r
1054 var auth = Hawk.client.message('example.com', 8080, 'some message', { credentials: credentials1 });
\r
1056 Hawk.server.authenticateMessage('example.com', 8080, 'some message', auth, function (id, callback) {
\r
1058 callback(new Error('something'), { some: 'value' });
\r
1059 }, {}, function (err, credentials2) {
\r
1061 expect(err).to.exist();
\r
1062 expect(err.message).to.equal('something');
\r
1063 expect(credentials2.some).to.equal('value');
\r
1069 it('errors on nonce collision', function (done) {
\r
1071 credentialsFunc('123456', function (err, credentials1) {
\r
1073 var auth = Hawk.client.message('example.com', 8080, 'some message', { credentials: credentials1 });
\r
1074 Hawk.server.authenticateMessage('example.com', 8080, 'some message', auth, credentialsFunc, {
\r
1075 nonceFunc: function (key, nonce, ts, nonceCallback) {
\r
1077 nonceCallback(true);
\r
1079 }, function (err, credentials2) {
\r
1081 expect(err).to.exist();
\r
1082 expect(err.message).to.equal('Invalid nonce');
\r
1088 it('should generate an authorization then successfully parse it', function (done) {
\r
1090 credentialsFunc('123456', function (err, credentials1) {
\r
1092 var auth = Hawk.client.message('example.com', 8080, 'some message', { credentials: credentials1 });
\r
1093 expect(auth).to.exist();
\r
1095 Hawk.server.authenticateMessage('example.com', 8080, 'some message', auth, credentialsFunc, {}, function (err, credentials2) {
\r
1097 expect(err).to.not.exist();
\r
1098 expect(credentials2.user).to.equal('steve');
\r
1104 it('should fail authorization on mismatching host', function (done) {
\r
1106 credentialsFunc('123456', function (err, credentials1) {
\r
1108 var auth = Hawk.client.message('example.com', 8080, 'some message', { credentials: credentials1 });
\r
1109 expect(auth).to.exist();
\r
1111 Hawk.server.authenticateMessage('example1.com', 8080, 'some message', auth, credentialsFunc, {}, function (err, credentials2) {
\r
1113 expect(err).to.exist();
\r
1114 expect(err.message).to.equal('Bad mac');
\r
1120 it('should fail authorization on stale timestamp', function (done) {
\r
1122 credentialsFunc('123456', function (err, credentials1) {
\r
1124 var auth = Hawk.client.message('example.com', 8080, 'some message', { credentials: credentials1 });
\r
1125 expect(auth).to.exist();
\r
1127 Hawk.server.authenticateMessage('example.com', 8080, 'some message', auth, credentialsFunc, { localtimeOffsetMsec: 100000 }, function (err, credentials2) {
\r
1129 expect(err).to.exist();
\r
1130 expect(err.message).to.equal('Stale timestamp');
\r
1136 it('overrides timestampSkewSec', function (done) {
\r
1138 credentialsFunc('123456', function (err, credentials1) {
\r
1140 var auth = Hawk.client.message('example.com', 8080, 'some message', { credentials: credentials1, localtimeOffsetMsec: 100000 });
\r
1141 expect(auth).to.exist();
\r
1143 Hawk.server.authenticateMessage('example.com', 8080, 'some message', auth, credentialsFunc, { timestampSkewSec: 500 }, function (err, credentials2) {
\r
1145 expect(err).to.not.exist();
\r
1151 it('should fail authorization on invalid authorization', function (done) {
\r
1153 credentialsFunc('123456', function (err, credentials1) {
\r
1155 var auth = Hawk.client.message('example.com', 8080, 'some message', { credentials: credentials1 });
\r
1156 expect(auth).to.exist();
\r
1159 Hawk.server.authenticateMessage('example.com', 8080, 'some message', auth, credentialsFunc, {}, function (err, credentials2) {
\r
1161 expect(err).to.exist();
\r
1162 expect(err.message).to.equal('Invalid authorization');
\r
1168 it('should fail authorization on bad hash', function (done) {
\r
1170 credentialsFunc('123456', function (err, credentials1) {
\r
1172 var auth = Hawk.client.message('example.com', 8080, 'some message', { credentials: credentials1 });
\r
1173 expect(auth).to.exist();
\r
1175 Hawk.server.authenticateMessage('example.com', 8080, 'some message1', auth, credentialsFunc, {}, function (err, credentials2) {
\r
1177 expect(err).to.exist();
\r
1178 expect(err.message).to.equal('Bad message hash');
\r
1184 it('should fail authorization on nonce error', function (done) {
\r
1186 credentialsFunc('123456', function (err, credentials1) {
\r
1188 var auth = Hawk.client.message('example.com', 8080, 'some message', { credentials: credentials1 });
\r
1189 expect(auth).to.exist();
\r
1191 Hawk.server.authenticateMessage('example.com', 8080, 'some message', auth, credentialsFunc, {
\r
1192 nonceFunc: function (key, nonce, ts, callback) {
\r
1194 callback(new Error('kaboom'));
\r
1196 }, function (err, credentials2) {
\r
1198 expect(err).to.exist();
\r
1199 expect(err.message).to.equal('Invalid nonce');
\r
1205 it('should fail authorization on credentials error', function (done) {
\r
1207 credentialsFunc('123456', function (err, credentials1) {
\r
1209 var auth = Hawk.client.message('example.com', 8080, 'some message', { credentials: credentials1 });
\r
1210 expect(auth).to.exist();
\r
1212 var errFunc = function (id, callback) {
\r
1214 callback(new Error('kablooey'));
\r
1217 Hawk.server.authenticateMessage('example.com', 8080, 'some message', auth, errFunc, {}, function (err, credentials2) {
\r
1219 expect(err).to.exist();
\r
1220 expect(err.message).to.equal('kablooey');
\r
1226 it('should fail authorization on missing credentials', function (done) {
\r
1228 credentialsFunc('123456', function (err, credentials1) {
\r
1230 var auth = Hawk.client.message('example.com', 8080, 'some message', { credentials: credentials1 });
\r
1231 expect(auth).to.exist();
\r
1233 var errFunc = function (id, callback) {
\r
1238 Hawk.server.authenticateMessage('example.com', 8080, 'some message', auth, errFunc, {}, function (err, credentials2) {
\r
1240 expect(err).to.exist();
\r
1241 expect(err.message).to.equal('Unknown credentials');
\r
1247 it('should fail authorization on invalid credentials', function (done) {
\r
1249 credentialsFunc('123456', function (err, credentials1) {
\r
1251 var auth = Hawk.client.message('example.com', 8080, 'some message', { credentials: credentials1 });
\r
1252 expect(auth).to.exist();
\r
1254 var errFunc = function (id, callback) {
\r
1256 callback(null, {});
\r
1259 Hawk.server.authenticateMessage('example.com', 8080, 'some message', auth, errFunc, {}, function (err, credentials2) {
\r
1261 expect(err).to.exist();
\r
1262 expect(err.message).to.equal('Invalid credentials');
\r
1268 it('should fail authorization on invalid credentials algorithm', function (done) {
\r
1270 credentialsFunc('123456', function (err, credentials1) {
\r
1272 var auth = Hawk.client.message('example.com', 8080, 'some message', { credentials: credentials1 });
\r
1273 expect(auth).to.exist();
\r
1275 var errFunc = function (id, callback) {
\r
1277 callback(null, { key: '123', algorithm: '456' });
\r
1280 Hawk.server.authenticateMessage('example.com', 8080, 'some message', auth, errFunc, {}, function (err, credentials2) {
\r
1282 expect(err).to.exist();
\r
1283 expect(err.message).to.equal('Unknown algorithm');
\r
1289 it('should fail on missing host', function (done) {
\r
1291 credentialsFunc('123456', function (err, credentials) {
\r
1293 var auth = Hawk.client.message(null, 8080, 'some message', { credentials: credentials });
\r
1294 expect(auth).to.not.exist();
\r
1299 it('should fail on missing credentials', function (done) {
\r
1301 var auth = Hawk.client.message('example.com', 8080, 'some message', {});
\r
1302 expect(auth).to.not.exist();
\r
1306 it('should fail on invalid algorithm', function (done) {
\r
1308 credentialsFunc('123456', function (err, credentials) {
\r
1310 var creds = Hoek.clone(credentials);
\r
1311 creds.algorithm = 'blah';
\r
1312 var auth = Hawk.client.message('example.com', 8080, 'some message', { credentials: creds });
\r
1313 expect(auth).to.not.exist();
\r
1319 describe('authenticatePayloadHash()', function () {
\r
1321 it('checks payload hash', function (done) {
\r
1323 expect(Hawk.server.authenticatePayloadHash('abcdefg', { hash: 'abcdefg' })).to.equal(true);
\r
1324 expect(Hawk.server.authenticatePayloadHash('1234567', { hash: 'abcdefg' })).to.equal(false);
\r