Void-Homelab/tests/auth/cf_access.test.js

import { describe, it, expect, beforeEach } from 'vitest';
import crypto from 'node:crypto';
import { verifyAccessJwt, accessOwnerEmail, config, _resetJwksCache } from '../../lib/auth/cf_access.js';

const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const KID = 'test-kid-1';
const JWK = { ...publicKey.export({ format: 'jwk' }), kid: KID, alg: 'RS256', use: 'sig' };

const AUD = 'aud-123';
const TEAM = 'team.cloudflareaccess.com';
const EMAIL = 'owner@example.com';
const NOW = () => 1_780_000_000_000;               // fixed clock (ms)
const sec = Math.floor(NOW() / 1000);

function b64url(buf) {
  return Buffer.from(buf).toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function mintJwt(claims, { kid = KID, key = privateKey } = {}) {
  const h = b64url(JSON.stringify({ alg: 'RS256', kid, typ: 'JWT' }));
  const p = b64url(JSON.stringify(claims));
  const s = b64url(crypto.sign('RSA-SHA256', Buffer.from(`${h}.${p}`), key));
  return `${h}.${p}.${s}`;
}
const fetchImpl = async () => ({ ok: true, status: 200, json: async () => ({ keys: [JWK] }) });
const valid = { aud: AUD, email: EMAIL, exp: sec + 300, iat: sec, nbf: sec - 5 };
const opts = { teamDomain: TEAM, aud: AUD, fetchImpl, now: NOW };

beforeEach(() => _resetJwksCache());

describe('verifyAccessJwt', () => {
  it('accepts a correctly-signed token for our audience', async () => {
    const c = await verifyAccessJwt(mintJwt(valid), opts);
    expect(c.email).toBe(EMAIL);
  });
  it('rejects a token signed by a different key', async () => {
    const { privateKey: other } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
    await expect(verifyAccessJwt(mintJwt(valid, { key: other }), opts)).rejects.toThrow();
  });
  it('rejects a wrong audience (another app cannot grant access)', async () => {
    await expect(verifyAccessJwt(mintJwt({ ...valid, aud: 'someone-else' }), opts)).rejects.toThrow(/aud/);
  });
  it('accepts any aud from a comma-separated allow-list (8b cutover: two CF apps front one origin)', async () => {
    const multi = { ...opts, aud: `void-app-aud, ${AUD}` };
    const c = await verifyAccessJwt(mintJwt(valid), multi);          // token carries AUD (the 2nd allowed)
    expect(c.email).toBe(EMAIL);
    await expect(verifyAccessJwt(mintJwt({ ...valid, aud: 'unlisted' }), multi)).rejects.toThrow(/aud/);
  });
  it('rejects an expired token', async () => {
    await expect(verifyAccessJwt(mintJwt({ ...valid, exp: sec - 10 }), opts)).rejects.toThrow(/expired/);
  });
  it('rejects a malformed token', async () => {
    await expect(verifyAccessJwt('not.a.jwt', opts)).rejects.toThrow();
  });
});

describe('accessOwnerEmail (fails closed)', () => {
  const cfg = { teamDomain: TEAM, aud: AUD, ownerEmails: [EMAIL] };
  const reqWith = (jwt) => ({ headers: jwt ? { 'cf-access-jwt-assertion': jwt } : {} });

  it('returns the email for a valid owner JWT', async () => {
    expect(await accessOwnerEmail(reqWith(mintJwt(valid)), cfg, { fetchImpl, now: NOW })).toBe(EMAIL);
  });
  it('returns null when the JWT email is not an allow-listed owner', async () => {
    const jwt = mintJwt({ ...valid, email: 'intruder@example.com' });
    expect(await accessOwnerEmail(reqWith(jwt), cfg, { fetchImpl, now: NOW })).toBeNull();
  });
  it('returns null when no Access header is present (LAN-direct path)', async () => {
    expect(await accessOwnerEmail(reqWith(null), cfg, { fetchImpl, now: NOW })).toBeNull();
  });
  it('returns null for a forged/bad JWT', async () => {
    const { privateKey: other } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
    expect(await accessOwnerEmail(reqWith(mintJwt(valid, { key: other })), cfg, { fetchImpl, now: NOW })).toBeNull();
  });
  it('is disabled (null) when CF_ACCESS env is unset', async () => {
    expect(config({})).toBeNull();
    expect(await accessOwnerEmail(reqWith(mintJwt(valid)), config({}), { fetchImpl, now: NOW })).toBeNull();
  });
});