
public function TokenTest::testThatTokenWithBadAlgThrowsException in Auth0 Single Sign On 8.2

Test that a token with an undecodable header or payload, a header without an alg claim, or an alg that is not in supported_algs is rejected by JWTVerifier::verifyAndDecode().

Return value

void

Throws

CoreException See Auth0\SDK\JWTVerifier::verifyAndDecode(). (The test body catches InvalidTokenException; any other exception type propagates and fails the test.)

File

vendor/auth0/auth0-php/tests/API/Helpers/TokenGeneratorTest.php, line 168

Class

TokenTest
Class TokenTest

Namespace

Auth0\Tests\Api\Helpers

Code

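/**
 * Tests that verifyAndDecode() rejects malformed tokens and bad algorithms.
 *
 * The verifier is built with HS256 as the only supported algorithm and a
 * random audience, so none of the tokens below could ever be accepted. Each
 * case must fail with an InvalidTokenException carrying a specific message:
 *   1. header segment that is not JSON            -> 'Malformed token'
 *   2. payload segment that is not JSON           -> 'Malformed token'
 *   3. header without an alg claim                -> 'Token algorithm not found'
 *   4. header whose alg is not in supported_algs  -> 'Token algorithm not supported'
 *
 * @return void
 *
 * @throws CoreException
 *   See JWTVerifier::verifyAndDecode(). Only InvalidTokenException is caught
 *   by the test itself; anything else propagates and fails the test.
 */
public function testThatTokenWithBadAlgThrowsException() {
  $dummy_segment = JWT::urlsafeB64Encode('{"dummy":"yes"}');

  // HS256 is the only algorithm on the allowlist; the audience is a random
  // string so no real token would pass audience validation either.
  $verifier = new JWTVerifier([
    'valid_audiences' => [
      uniqid(),
    ],
    'supported_algs' => [
      'HS256',
    ],
    'client_secret' => self::CLIENT_SECRET,
  ]);

  // Shared check for every case: verifyAndDecode($jwt) must throw an
  // InvalidTokenException whose message contains $expected_message. Other
  // exception types are deliberately not caught. On failure the assertion
  // message shows the real exception text, or notes that nothing was thrown.
  $assertRejected = function ($jwt, $expected_message) use ($verifier) {
    $caught_expected = false;
    $error_msg = 'No exception caught';
    try {
      $verifier->verifyAndDecode($jwt);
    } catch (InvalidTokenException $e) {
      $error_msg = $e->getMessage();
      $caught_expected = $this->errorHasString($e, $expected_message);
    }
    $this->assertTrue($caught_expected, $error_msg);
  };

  // 1. Header segment that cannot be JSON-decoded.
  $assertRejected(uniqid() . '.' . uniqid() . '.' . uniqid(), 'Malformed token');

  // 2. JSON header (without an alg) but a payload that cannot be JSON-decoded.
  //    The malformed-payload check is expected to win over the missing-alg one.
  $assertRejected($dummy_segment . '.' . uniqid() . '.' . uniqid(), 'Malformed token');

  // 3. Well-formed header and payload, but the header carries no alg claim.
  $head_obj = (object) [
    'typ' => 'JWT',
  ];
  $jwt_head = JWT::urlsafeB64Encode(JWT::jsonEncode($head_obj));
  $assertRejected($jwt_head . '.' . $dummy_segment . '.' . uniqid(), 'Token algorithm not found');

  // 4. alg present but absent from supported_algs. The allowlist is what stops
  //    a token minted under a different algorithm from being accepted, whatever
  //    its signature segment (random junk here) contains.
  //    NOTE(review): 'alg' => 'none' is not exercised by this test; it deserves a
  //    case of its own — TODO confirm which message the verifier emits for it.
  $head_obj->alg = 'RS256';
  $jwt_head = JWT::urlsafeB64Encode(JWT::jsonEncode($head_obj));
  $assertRejected($jwt_head . '.' . $dummy_segment . '.' . uniqid(), 'Token algorithm not supported');
}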