public function TokenTest::testThatTokenWithBadAlgThrowsException in Auth0 Single Sign On 8.2
Test that a malformed token or missing algorithm fails.
Return value
void
Throws
CoreException See Auth0\SDK\JWTVerifier::verifyAndDecode().
File
- vendor/auth0/auth0-php/tests/API/Helpers/TokenGeneratorTest.php, line 168
Class
- TokenTest
- Class TokenTest
Namespace
Auth0\Tests\Api\Helpers
Code
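/**
 * Test that a malformed token or missing algorithm fails.
 *
 * Cases 1 and 2 feed segments that are not decodable JSON (first the head,
 * then the payload). Cases 3 and 4 use a well-formed head whose alg is
 * absent, or is 'RS256' while the verifier was configured with only
 * 'HS256' in supported_algs. In every case verifyAndDecode() must raise
 * InvalidTokenException carrying the expected message instead of decoding
 * the token, so a token cannot choose an algorithm the verifier was not
 * configured for.
 *
 * @return void
 *
 * @throws CoreException See \Auth0\SDK\JWTVerifier::verifyAndDecode().
 */
public function testThatTokenWithBadAlgThrowsException() {
    $dummy_segment = JWT::urlsafeB64Encode('{"dummy":"yes"}');
    $verifier = new JWTVerifier([
        'valid_audiences' => [
            uniqid(),
        ],
        'supported_algs' => [
            'HS256',
        ],
        'client_secret' => self::CLIENT_SECRET,
    ]);

    // 1. A token with a head that cannot be JSON decoded should throw an exception.
    $this->assertVerifyAndDecodeRejects(
        $verifier,
        uniqid() . '.' . uniqid() . '.' . uniqid(),
        'Malformed token'
    );

    // 2. A token with a payload that cannot be JSON decoded should throw an exception.
    $this->assertVerifyAndDecodeRejects(
        $verifier,
        $dummy_segment . '.' . uniqid() . '.' . uniqid(),
        'Malformed token'
    );

    // 3. A token without an alg property should throw an exception.
    $head_obj = (object) [
        'typ' => 'JWT',
    ];
    $jwt_head = JWT::urlsafeB64Encode(JWT::jsonEncode($head_obj));
    $this->assertVerifyAndDecodeRejects(
        $verifier,
        $jwt_head . '.' . $dummy_segment . '.' . uniqid(),
        'Token algorithm not found'
    );

    // 4. A token with an alg not in supported_algs should throw an exception.
    // The head is otherwise valid; only the alg value is outside the configured set.
    $head_obj->alg = 'RS256';
    $jwt_head = JWT::urlsafeB64Encode(JWT::jsonEncode($head_obj));
    $this->assertVerifyAndDecodeRejects(
        $verifier,
        $jwt_head . '.' . $dummy_segment . '.' . uniqid(),
        'Token algorithm not supported'
    );
}

/**
 * Assert that verifyAndDecode() rejects a token with the expected error.
 *
 * Shared by the cases in testThatTokenWithBadAlgThrowsException(). The
 * assertion fails when no InvalidTokenException is thrown, or when the
 * thrown exception's message does not contain $expected_error (as judged
 * by errorHasString()); the caught message, or 'No exception caught', is
 * reported as the failure context.
 *
 * @param JWTVerifier $verifier       Verifier under test.
 * @param string      $token          Raw token string passed to verifyAndDecode().
 * @param string      $expected_error Substring expected in the exception message.
 *
 * @return void
 */
private function assertVerifyAndDecodeRejects(JWTVerifier $verifier, $token, $expected_error) {
    $caught_exception = false;
    $error_msg = 'No exception caught';
    try {
        $verifier->verifyAndDecode($token);
    } catch (InvalidTokenException $e) {
        // Keep the real message so a wrong-reason rejection is visible in the failure output.
        $error_msg = $e->getMessage();
        $caught_exception = $this->errorHasString($e, $expected_error);
    }
    $this->assertTrue($caught_exception, $error_msg);
}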