3 var Http = require('http');
4 var Url = require('url');
5 var Code = require('code');
6 var Hawk = require('../lib');
7 var Hoek = require('hoek');
8 var Lab = require('lab');
18 var lab = exports.lab = Lab.script();
19 var describe = lab.experiment;
21 var expect = Code.expect;
24 describe('Uri', function () {
26 var credentialsFunc = function (id, callback) {
30 key: 'werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn',
31 algorithm: (id === '1' ? 'sha1' : 'sha256'),
35 return callback(null, credentials);
38 it('should generate a bewit then successfully authenticate it', function (done) {
42 url: '/resource/4?a=1&b=2',
47 credentialsFunc('123456', function (err, credentials1) {
49 var bewit = Hawk.uri.getBewit('http://example.com/resource/4?a=1&b=2', { credentials: credentials1, ttlSec: 60 * 60 * 24 * 365 * 100, ext: 'some-app-data' });
50 req.url += '&bewit=' + bewit;
52 Hawk.uri.authenticate(req, credentialsFunc, {}, function (err, credentials2, attributes) {
54 expect(err).to.not.exist();
55 expect(credentials2.user).to.equal('steve');
56 expect(attributes.ext).to.equal('some-app-data');
62 it('should generate a bewit then successfully authenticate it (no ext)', function (done) {
66 url: '/resource/4?a=1&b=2',
71 credentialsFunc('123456', function (err, credentials1) {
73 var bewit = Hawk.uri.getBewit('http://example.com/resource/4?a=1&b=2', { credentials: credentials1, ttlSec: 60 * 60 * 24 * 365 * 100 });
74 req.url += '&bewit=' + bewit;
76 Hawk.uri.authenticate(req, credentialsFunc, {}, function (err, credentials2, attributes) {
78 expect(err).to.not.exist();
79 expect(credentials2.user).to.equal('steve');
85 it('should successfully authenticate a request (last param)', function (done) {
89 url: '/resource/4?a=1&b=2&bewit=MTIzNDU2XDQ1MTE0ODQ2MjFcMzFjMmNkbUJFd1NJRVZDOVkva1NFb2c3d3YrdEVNWjZ3RXNmOGNHU2FXQT1cc29tZS1hcHAtZGF0YQ',
94 Hawk.uri.authenticate(req, credentialsFunc, {}, function (err, credentials, attributes) {
96 expect(err).to.not.exist();
97 expect(credentials.user).to.equal('steve');
98 expect(attributes.ext).to.equal('some-app-data');
103 it('should successfully authenticate a request (first param)', function (done) {
107 url: '/resource/4?bewit=MTIzNDU2XDQ1MTE0ODQ2MjFcMzFjMmNkbUJFd1NJRVZDOVkva1NFb2c3d3YrdEVNWjZ3RXNmOGNHU2FXQT1cc29tZS1hcHAtZGF0YQ&a=1&b=2',
112 Hawk.uri.authenticate(req, credentialsFunc, {}, function (err, credentials, attributes) {
114 expect(err).to.not.exist();
115 expect(credentials.user).to.equal('steve');
116 expect(attributes.ext).to.equal('some-app-data');
121 it('should successfully authenticate a request (only param)', function (done) {
125 url: '/resource/4?bewit=MTIzNDU2XDQ1MTE0ODQ2NDFcZm1CdkNWT3MvcElOTUUxSTIwbWhrejQ3UnBwTmo4Y1VrSHpQd3Q5OXJ1cz1cc29tZS1hcHAtZGF0YQ',
130 Hawk.uri.authenticate(req, credentialsFunc, {}, function (err, credentials, attributes) {
132 expect(err).to.not.exist();
133 expect(credentials.user).to.equal('steve');
134 expect(attributes.ext).to.equal('some-app-data');
139 it('should fail on multiple authentication', function (done) {
143 url: '/resource/4?bewit=MTIzNDU2XDQ1MTE0ODQ2NDFcZm1CdkNWT3MvcElOTUUxSTIwbWhrejQ3UnBwTmo4Y1VrSHpQd3Q5OXJ1cz1cc29tZS1hcHAtZGF0YQ',
146 authorization: 'Basic asdasdasdasd'
149 Hawk.uri.authenticate(req, credentialsFunc, {}, function (err, credentials, attributes) {
151 expect(err).to.exist();
152 expect(err.output.payload.message).to.equal('Multiple authentications');
157 it('should fail on method other than GET', function (done) {
159 credentialsFunc('123456', function (err, credentials1) {
163 url: '/resource/4?filter=a',
168 var exp = Math.floor(Hawk.utils.now() / 1000) + 60;
169 var ext = 'some-app-data';
170 var mac = Hawk.crypto.calculateMac('bewit', credentials1, {
180 var bewit = credentials1.id + '\\' + exp + '\\' + mac + '\\' + ext;
182 req.url += '&bewit=' + Hoek.base64urlEncode(bewit);
184 Hawk.uri.authenticate(req, credentialsFunc, {}, function (err, credentials2, attributes) {
186 expect(err).to.exist();
187 expect(err.output.payload.message).to.equal('Invalid method');
193 it('should fail on invalid host header', function (done) {
197 url: '/resource/4?bewit=MTIzNDU2XDQ1MDk5OTE3MTlcTUE2eWkwRWRwR0pEcWRwb0JkYVdvVDJrL0hDSzA1T0Y3MkhuZlVmVy96Zz1cc29tZS1hcHAtZGF0YQ',
199 host: 'example.com:something'
203 Hawk.uri.authenticate(req, credentialsFunc, {}, function (err, credentials, attributes) {
205 expect(err).to.exist();
206 expect(err.output.payload.message).to.equal('Invalid Host header');
211 it('should fail on empty bewit', function (done) {
215 url: '/resource/4?bewit=',
220 Hawk.uri.authenticate(req, credentialsFunc, {}, function (err, credentials, attributes) {
222 expect(err).to.exist();
223 expect(err.output.payload.message).to.equal('Empty bewit');
224 expect(err.isMissing).to.not.exist();
229 it('should fail on invalid bewit', function (done) {
233 url: '/resource/4?bewit=*',
238 Hawk.uri.authenticate(req, credentialsFunc, {}, function (err, credentials, attributes) {
240 expect(err).to.exist();
241 expect(err.output.payload.message).to.equal('Invalid bewit encoding');
242 expect(err.isMissing).to.not.exist();
247 it('should fail on missing bewit', function (done) {
256 Hawk.uri.authenticate(req, credentialsFunc, {}, function (err, credentials, attributes) {
258 expect(err).to.exist();
259 expect(err.output.payload.message).to.not.exist();
260 expect(err.isMissing).to.equal(true);
265 it('should fail on invalid bewit structure', function (done) {
269 url: '/resource/4?bewit=abc',
274 Hawk.uri.authenticate(req, credentialsFunc, {}, function (err, credentials, attributes) {
276 expect(err).to.exist();
277 expect(err.output.payload.message).to.equal('Invalid bewit structure');
282 it('should fail on empty bewit attribute', function (done) {
286 url: '/resource/4?bewit=YVxcY1xk',
291 Hawk.uri.authenticate(req, credentialsFunc, {}, function (err, credentials, attributes) {
293 expect(err).to.exist();
294 expect(err.output.payload.message).to.equal('Missing bewit attributes');
299 it('should fail on missing bewit id attribute', function (done) {
303 url: '/resource/4?bewit=XDQ1NTIxNDc2MjJcK0JFbFhQMXhuWjcvd1Nrbm1ldGhlZm5vUTNHVjZNSlFVRHk4NWpTZVJ4VT1cc29tZS1hcHAtZGF0YQ',
308 Hawk.uri.authenticate(req, credentialsFunc, {}, function (err, credentials, attributes) {
310 expect(err).to.exist();
311 expect(err.output.payload.message).to.equal('Missing bewit attributes');
316 it('should fail on expired access', function (done) {
320 url: '/resource/4?a=1&b=2&bewit=MTIzNDU2XDEzNTY0MTg1ODNcWk1wZlMwWU5KNHV0WHpOMmRucTRydEk3NXNXTjFjeWVITTcrL0tNZFdVQT1cc29tZS1hcHAtZGF0YQ',
325 Hawk.uri.authenticate(req, credentialsFunc, {}, function (err, credentials, attributes) {
327 expect(err).to.exist();
328 expect(err.output.payload.message).to.equal('Access expired');
333 it('should fail on credentials function error', function (done) {
337 url: '/resource/4?bewit=MTIzNDU2XDQ1MDk5OTE3MTlcTUE2eWkwRWRwR0pEcWRwb0JkYVdvVDJrL0hDSzA1T0Y3MkhuZlVmVy96Zz1cc29tZS1hcHAtZGF0YQ',
342 Hawk.uri.authenticate(req, function (id, callback) {
344 callback(Hawk.error.badRequest('Boom'));
345 }, {}, function (err, credentials, attributes) {
347 expect(err).to.exist();
348 expect(err.output.payload.message).to.equal('Boom');
353 it('should fail on credentials function error with credentials', function (done) {
357 url: '/resource/4?bewit=MTIzNDU2XDQ1MDk5OTE3MTlcTUE2eWkwRWRwR0pEcWRwb0JkYVdvVDJrL0hDSzA1T0Y3MkhuZlVmVy96Zz1cc29tZS1hcHAtZGF0YQ',
362 Hawk.uri.authenticate(req, function (id, callback) {
364 callback(Hawk.error.badRequest('Boom'), { some: 'value' });
365 }, {}, function (err, credentials, attributes) {
367 expect(err).to.exist();
368 expect(err.output.payload.message).to.equal('Boom');
369 expect(credentials.some).to.equal('value');
374 it('should fail on null credentials function response', function (done) {
378 url: '/resource/4?bewit=MTIzNDU2XDQ1MDk5OTE3MTlcTUE2eWkwRWRwR0pEcWRwb0JkYVdvVDJrL0hDSzA1T0Y3MkhuZlVmVy96Zz1cc29tZS1hcHAtZGF0YQ',
383 Hawk.uri.authenticate(req, function (id, callback) {
385 callback(null, null);
386 }, {}, function (err, credentials, attributes) {
388 expect(err).to.exist();
389 expect(err.output.payload.message).to.equal('Unknown credentials');
394 it('should fail on invalid credentials function response', function (done) {
398 url: '/resource/4?bewit=MTIzNDU2XDQ1MDk5OTE3MTlcTUE2eWkwRWRwR0pEcWRwb0JkYVdvVDJrL0hDSzA1T0Y3MkhuZlVmVy96Zz1cc29tZS1hcHAtZGF0YQ',
403 Hawk.uri.authenticate(req, function (id, callback) {
406 }, {}, function (err, credentials, attributes) {
408 expect(err).to.exist();
409 expect(err.message).to.equal('Invalid credentials');
414 it('should fail on invalid credentials function response (unknown algorithm)', function (done) {
418 url: '/resource/4?bewit=MTIzNDU2XDQ1MDk5OTE3MTlcTUE2eWkwRWRwR0pEcWRwb0JkYVdvVDJrL0hDSzA1T0Y3MkhuZlVmVy96Zz1cc29tZS1hcHAtZGF0YQ',
423 Hawk.uri.authenticate(req, function (id, callback) {
425 callback(null, { key: 'xxx', algorithm: 'xxx' });
426 }, {}, function (err, credentials, attributes) {
428 expect(err).to.exist();
429 expect(err.message).to.equal('Unknown algorithm');
434 it('should fail on expired access', function (done) {
438 url: '/resource/4?bewit=MTIzNDU2XDQ1MDk5OTE3MTlcTUE2eWkwRWRwR0pEcWRwb0JkYVdvVDJrL0hDSzA1T0Y3MkhuZlVmVy96Zz1cc29tZS1hcHAtZGF0YQ',
443 Hawk.uri.authenticate(req, function (id, callback) {
445 callback(null, { key: 'xxx', algorithm: 'sha256' });
446 }, {}, function (err, credentials, attributes) {
448 expect(err).to.exist();
449 expect(err.output.payload.message).to.equal('Bad mac');
454 describe('getBewit()', function () {
456 it('returns a valid bewit value', function (done) {
460 key: '2983d45yun89q',
464 var bewit = Hawk.uri.getBewit('https://example.com/somewhere/over/the/rainbow', { credentials: credentials, ttlSec: 300, localtimeOffsetMsec: 1356420407232 - Hawk.utils.now(), ext: 'xandyandz' });
465 expect(bewit).to.equal('MTIzNDU2XDEzNTY0MjA3MDdca3NjeHdOUjJ0SnBQMVQxekRMTlBiQjVVaUtJVTl0T1NKWFRVZEc3WDloOD1ceGFuZHlhbmR6');
469 it('returns a valid bewit value (explicit port)', function (done) {
473 key: '2983d45yun89q',
477 var bewit = Hawk.uri.getBewit('https://example.com:8080/somewhere/over/the/rainbow', { credentials: credentials, ttlSec: 300, localtimeOffsetMsec: 1356420407232 - Hawk.utils.now(), ext: 'xandyandz' });
478 expect(bewit).to.equal('MTIzNDU2XDEzNTY0MjA3MDdcaFpiSjNQMmNLRW80a3kwQzhqa1pBa1J5Q1p1ZWc0V1NOYnhWN3ZxM3hIVT1ceGFuZHlhbmR6');
482 it('returns a valid bewit value (null ext)', function (done) {
486 key: '2983d45yun89q',
490 var bewit = Hawk.uri.getBewit('https://example.com/somewhere/over/the/rainbow', { credentials: credentials, ttlSec: 300, localtimeOffsetMsec: 1356420407232 - Hawk.utils.now(), ext: null });
491 expect(bewit).to.equal('MTIzNDU2XDEzNTY0MjA3MDdcSUdZbUxnSXFMckNlOEN4dktQczRKbFdJQStValdKSm91d2dBUmlWaENBZz1c');
495 it('returns a valid bewit value (parsed uri)', function (done) {
499 key: '2983d45yun89q',
503 var bewit = Hawk.uri.getBewit(Url.parse('https://example.com/somewhere/over/the/rainbow'), { credentials: credentials, ttlSec: 300, localtimeOffsetMsec: 1356420407232 - Hawk.utils.now(), ext: 'xandyandz' });
504 expect(bewit).to.equal('MTIzNDU2XDEzNTY0MjA3MDdca3NjeHdOUjJ0SnBQMVQxekRMTlBiQjVVaUtJVTl0T1NKWFRVZEc3WDloOD1ceGFuZHlhbmR6');
508 it('errors on invalid options', function (done) {
512 key: '2983d45yun89q',
516 var bewit = Hawk.uri.getBewit('https://example.com/somewhere/over/the/rainbow', 4);
517 expect(bewit).to.equal('');
521 it('errors on missing uri', function (done) {
525 key: '2983d45yun89q',
529 var bewit = Hawk.uri.getBewit('', { credentials: credentials, ttlSec: 300, localtimeOffsetMsec: 1356420407232 - Hawk.utils.now(), ext: 'xandyandz' });
530 expect(bewit).to.equal('');
534 it('errors on invalid uri', function (done) {
538 key: '2983d45yun89q',
542 var bewit = Hawk.uri.getBewit(5, { credentials: credentials, ttlSec: 300, localtimeOffsetMsec: 1356420407232 - Hawk.utils.now(), ext: 'xandyandz' });
543 expect(bewit).to.equal('');
547 it('errors on invalid credentials (id)', function (done) {
550 key: '2983d45yun89q',
554 var bewit = Hawk.uri.getBewit('https://example.com/somewhere/over/the/rainbow', { credentials: credentials, ttlSec: 3000, ext: 'xandyandz' });
555 expect(bewit).to.equal('');
559 it('errors on missing credentials', function (done) {
561 var bewit = Hawk.uri.getBewit('https://example.com/somewhere/over/the/rainbow', { ttlSec: 3000, ext: 'xandyandz' });
562 expect(bewit).to.equal('');
566 it('errors on invalid credentials (key)', function (done) {
573 var bewit = Hawk.uri.getBewit('https://example.com/somewhere/over/the/rainbow', { credentials: credentials, ttlSec: 3000, ext: 'xandyandz' });
574 expect(bewit).to.equal('');
578 it('errors on invalid algorithm', function (done) {
582 key: '2983d45yun89q',
583 algorithm: 'hmac-sha-0'
586 var bewit = Hawk.uri.getBewit('https://example.com/somewhere/over/the/rainbow', { credentials: credentials, ttlSec: 300, ext: 'xandyandz' });
587 expect(bewit).to.equal('');
591 it('errors on missing options', function (done) {
595 key: '2983d45yun89q',
596 algorithm: 'hmac-sha-0'
599 var bewit = Hawk.uri.getBewit('https://example.com/somewhere/over/the/rainbow');
600 expect(bewit).to.equal('');
605 describe('authenticateMessage()', function () {
607 it('should generate an authorization then successfully parse it', function (done) {
609 credentialsFunc('123456', function (err, credentials1) {
611 var auth = Hawk.client.message('example.com', 8080, 'some message', { credentials: credentials1 });
612 expect(auth).to.exist();
614 Hawk.server.authenticateMessage('example.com', 8080, 'some message', auth, credentialsFunc, {}, function (err, credentials2) {
616 expect(err).to.not.exist();
617 expect(credentials2.user).to.equal('steve');
623 it('should fail authorization on mismatching host', function (done) {
625 credentialsFunc('123456', function (err, credentials1) {
627 var auth = Hawk.client.message('example.com', 8080, 'some message', { credentials: credentials1 });
628 expect(auth).to.exist();
630 Hawk.server.authenticateMessage('example1.com', 8080, 'some message', auth, credentialsFunc, {}, function (err, credentials2) {
632 expect(err).to.exist();
633 expect(err.message).to.equal('Bad mac');
639 it('should fail authorization on stale timestamp', function (done) {
641 credentialsFunc('123456', function (err, credentials1) {
643 var auth = Hawk.client.message('example.com', 8080, 'some message', { credentials: credentials1 });
644 expect(auth).to.exist();
646 Hawk.server.authenticateMessage('example.com', 8080, 'some message', auth, credentialsFunc, { localtimeOffsetMsec: 100000 }, function (err, credentials2) {
648 expect(err).to.exist();
649 expect(err.message).to.equal('Stale timestamp');
655 it('overrides timestampSkewSec', function (done) {
657 credentialsFunc('123456', function (err, credentials1) {
659 var auth = Hawk.client.message('example.com', 8080, 'some message', { credentials: credentials1, localtimeOffsetMsec: 100000 });
660 expect(auth).to.exist();
662 Hawk.server.authenticateMessage('example.com', 8080, 'some message', auth, credentialsFunc, { timestampSkewSec: 500 }, function (err, credentials2) {
664 expect(err).to.not.exist();
670 it('should fail authorization on invalid authorization', function (done) {
672 credentialsFunc('123456', function (err, credentials1) {
674 var auth = Hawk.client.message('example.com', 8080, 'some message', { credentials: credentials1 });
675 expect(auth).to.exist();
678 Hawk.server.authenticateMessage('example.com', 8080, 'some message', auth, credentialsFunc, {}, function (err, credentials2) {
680 expect(err).to.exist();
681 expect(err.message).to.equal('Invalid authorization');
687 it('should fail authorization on bad hash', function (done) {
689 credentialsFunc('123456', function (err, credentials1) {
691 var auth = Hawk.client.message('example.com', 8080, 'some message', { credentials: credentials1 });
692 expect(auth).to.exist();
694 Hawk.server.authenticateMessage('example.com', 8080, 'some message1', auth, credentialsFunc, {}, function (err, credentials2) {
696 expect(err).to.exist();
697 expect(err.message).to.equal('Bad message hash');
703 it('should fail authorization on nonce error', function (done) {
705 credentialsFunc('123456', function (err, credentials1) {
707 var auth = Hawk.client.message('example.com', 8080, 'some message', { credentials: credentials1 });
708 expect(auth).to.exist();
710 Hawk.server.authenticateMessage('example.com', 8080, 'some message', auth, credentialsFunc, {
711 nonceFunc: function (key, nonce, ts, callback) {
713 callback(new Error('kaboom'));
715 }, function (err, credentials2) {
717 expect(err).to.exist();
718 expect(err.message).to.equal('Invalid nonce');
724 it('should fail authorization on credentials error', function (done) {
726 credentialsFunc('123456', function (err, credentials1) {
728 var auth = Hawk.client.message('example.com', 8080, 'some message', { credentials: credentials1 });
729 expect(auth).to.exist();
731 var errFunc = function (id, callback) {
733 callback(new Error('kablooey'));
736 Hawk.server.authenticateMessage('example.com', 8080, 'some message', auth, errFunc, {}, function (err, credentials2) {
738 expect(err).to.exist();
739 expect(err.message).to.equal('kablooey');
745 it('should fail authorization on missing credentials', function (done) {
747 credentialsFunc('123456', function (err, credentials1) {
749 var auth = Hawk.client.message('example.com', 8080, 'some message', { credentials: credentials1 });
750 expect(auth).to.exist();
752 var errFunc = function (id, callback) {
757 Hawk.server.authenticateMessage('example.com', 8080, 'some message', auth, errFunc, {}, function (err, credentials2) {
759 expect(err).to.exist();
760 expect(err.message).to.equal('Unknown credentials');
766 it('should fail authorization on invalid credentials', function (done) {
768 credentialsFunc('123456', function (err, credentials1) {
770 var auth = Hawk.client.message('example.com', 8080, 'some message', { credentials: credentials1 });
771 expect(auth).to.exist();
773 var errFunc = function (id, callback) {
778 Hawk.server.authenticateMessage('example.com', 8080, 'some message', auth, errFunc, {}, function (err, credentials2) {
780 expect(err).to.exist();
781 expect(err.message).to.equal('Invalid credentials');
787 it('should fail authorization on invalid credentials algorithm', function (done) {
789 credentialsFunc('123456', function (err, credentials1) {
791 var auth = Hawk.client.message('example.com', 8080, 'some message', { credentials: credentials1 });
792 expect(auth).to.exist();
794 var errFunc = function (id, callback) {
796 callback(null, { key: '123', algorithm: '456' });
799 Hawk.server.authenticateMessage('example.com', 8080, 'some message', auth, errFunc, {}, function (err, credentials2) {
801 expect(err).to.exist();
802 expect(err.message).to.equal('Unknown algorithm');
808 it('should fail on missing host', function (done) {
810 credentialsFunc('123456', function (err, credentials1) {
812 var auth = Hawk.client.message(null, 8080, 'some message', { credentials: credentials1 });
813 expect(auth).to.not.exist();
818 it('should fail on missing credentials', function (done) {
820 var auth = Hawk.client.message('example.com', 8080, 'some message', {});
821 expect(auth).to.not.exist();
825 it('should fail on invalid algorithm', function (done) {
827 credentialsFunc('123456', function (err, credentials1) {
829 var creds = Hoek.clone(credentials1);
830 creds.algorithm = 'blah';
831 var auth = Hawk.client.message('example.com', 8080, 'some message', { credentials: creds });
832 expect(auth).to.not.exist();