add UT to assure none algo is rejected

Signed-off-by: Harsh Vardhan <[email protected]>
mosip · Feb 14, 2025 · e5536df · e5536df
1 parent 5c41a6f
commit e5536df
Showing 1 changed file with 24 additions and 1 deletion.
diff --git a/certify-service/src/test/java/io/mosip/certify/filter/AccessTokenValidationFilterTest.java b/certify-service/src/test/java/io/mosip/certify/filter/AccessTokenValidationFilterTest.java
@@ -1,5 +1,6 @@
 package io.mosip.certify.filter;
 
+import com.nimbusds.jwt.JWTClaimsSet;
 import io.mosip.certify.core.constants.Constants;
 import io.mosip.certify.core.dto.ParsedAccessToken;
 import io.mosip.certify.core.util.CommonUtil;
@@ -19,7 +20,6 @@
 import jakarta.servlet.FilterChain;
 import jakarta.servlet.ServletException;
 import java.io.IOException;
-import java.time.Clock;
 import java.time.Instant;
 import java.util.*;
 
@@ -76,6 +76,29 @@ public void whenNimbusJwtDecoderNull_shouldCreateNewInstance() {
         assertDoesNotThrow(() -> filter.doFilterInternal(request, response, filterChain));
     }
 
+    @Test
+    public void shouldRejectNoneAlgoJwt() throws ServletException, IOException {
+        ReflectionTestUtils.setField(filter, "issuerUri", "https://fake-authorization-host.com");
+        ReflectionTestUtils.setField(filter, "jwkSetUri", "https://fake-authorization-host.com/.well-known/jwks.json");
+        ReflectionTestUtils.setField(filter, "allowedAudiences", Arrays.asList("https://real-certify-instance.com"));
+        String noneHeader = "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0"; // {"alg":"none","typ":"JWT"}
+        String payload = new JWTClaimsSet.Builder()
+                .issuer("https://fake-authorization-host.com")
+                .audience("https://real-certify-instance.com")
+                .subject("123456")
+                .claim("client_id", "allowed-client")
+                .expirationTime(Date.from(Instant.now().plusSeconds(120)))
+                .issueTime(new Date())
+                .build().toString();
+        String signature = "fake-signature";
+        request.addHeader("Authorization", String.format("Bearer %s.%s.%s", noneHeader, Base64.getUrlEncoder()
+                .encodeToString(payload.getBytes()), signature));
+        filter.doFilterInternal(request, response, filterChain);
+        verify(parsedAccessToken).setClaims(new HashMap<>());
+        assertFalse(parsedAccessToken.isActive());
+        assertNull(parsedAccessToken.getAccessTokenHash());
+    }
+
     @ParameterizedTest
     @ValueSource(strings = {"/api/v1/test", "/api/v1/secured"})
     public void shouldFilterForConfiguredUrls(String url) throws ServletException {