Honor expiration time in id_token. (#259)

Eric Koleda · web-flow · commit 606bcbe07f33 · 2020-12-14T19:59:09.000-05:00
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -28,7 +28,8 @@
     "gulp-expose": "0.0.7",
     "gulp-rename": "^1.4.0",
     "jsdoc": "^3.6.4",
-    "mocha": "^4.1.0"
+    "mocha": "^4.1.0",
+    "urlsafe-base64": "^1.0.0"
   },
   "scripts": {
     "preversion": "npm test && cd src/ && clasp push",
diff --git a/src/Service.js b/src/Service.js
@@ -636,20 +636,35 @@ Service_.prototype.getToken = function(optSkipMemoryCheck) {
 };
 
 /**
- * Determines if a retrieved token is still valid.
+ * Determines if a retrieved token is still valid. This will return false if
+ * either the authorization token or the ID token has expired.
  * @param {Object} token The token to validate.
  * @return {boolean} True if it has expired, false otherwise.
  * @private
  */
 Service_.prototype.isExpired_ = function(token) {
+  var expired = false;
+  var now = getTimeInSeconds_(new Date());
+
+  // Check the authorization token's expiration.
   var expiresIn = token.expires_in_sec || token.expires_in || token.expires;
-  if (!expiresIn) {
-    return false;
-  } else {
+  if (expiresIn) {
     var expiresTime = token.granted_time + Number(expiresIn);
-    var now = getTimeInSeconds_(new Date());
-    return expiresTime - now < Service_.EXPIRATION_BUFFER_SECONDS_;
+    if (expiresTime - now < Service_.EXPIRATION_BUFFER_SECONDS_) {
+      expired = true;
+    }
   }
+
+  // Check the ID token's expiration, if it exists.
+  if (token.id_token) {
+    var payload = decodeJwt_(token.id_token);
+    if (payload.exp &&
+        payload.exp - now < Service_.EXPIRATION_BUFFER_SECONDS_) {
+      expired = true;
+    }
+  }
+
+  return expired;
 };
 
 /**
@@ -700,10 +715,6 @@ Service_.prototype.createJwt_ = function() {
     'Token URL': this.tokenUrl_,
     'Issuer or Client ID': this.issuer_ || this.clientId_
   });
-  var header = {
-    alg: 'RS256',
-    typ: 'JWT'
-  };
   var now = new Date();
   var expires = new Date(now.getTime());
   expires.setMinutes(expires.getMinutes() + this.expirationMinutes_);
@@ -725,12 +736,7 @@ Service_.prototype.createJwt_ = function() {
       claimSet[key] = additionalClaims[key];
     });
   }
-  var toSign = Utilities.base64EncodeWebSafe(JSON.stringify(header)) + '.' +
-      Utilities.base64EncodeWebSafe(JSON.stringify(claimSet));
-  var signatureBytes =
-      Utilities.computeRsaSha256Signature(toSign, this.privateKey_);
-  var signature = Utilities.base64EncodeWebSafe(signatureBytes);
-  return toSign + '.' + signature;
+  return encodeJwt_(claimSet, this.privateKey_);
 };
 
 /**
diff --git a/src/Utilities.js b/src/Utilities.js
@@ -82,7 +82,7 @@ function extend_(destination, source) {
  * Gets a copy of an object with all the keys converted to lower-case strings.
  *
  * @param {Object} obj The object to copy.
- * @return {Object} a shallow copy of the object with all lower-case keys.
+ * @return {Object} A shallow copy of the object with all lower-case keys.
  */
 function toLowerCaseKeys_(obj) {
   if (obj === null || typeof obj !== 'object') {
@@ -95,3 +95,37 @@ function toLowerCaseKeys_(obj) {
     return result;
   }, {});
 }
+
+/* exported encodeJwt_ */
+/**
+ * Encodes and signs a JWT.
+ *
+ * @param {Object} payload The JWT payload.
+ * @param {string} key The key to use when generating the signature.
+ * @return {string} The encoded and signed JWT.
+ */
+function encodeJwt_(payload, key) {
+  var header = {
+    alg: 'RS256',
+    typ: 'JWT'
+  };
+  var toSign = Utilities.base64EncodeWebSafe(JSON.stringify(header)) + '.' +
+      Utilities.base64EncodeWebSafe(JSON.stringify(payload));
+  var signatureBytes =
+      Utilities.computeRsaSha256Signature(toSign, key);
+  var signature = Utilities.base64EncodeWebSafe(signatureBytes);
+  return toSign + '.' + signature;
+}
+
+/* exported decodeJwt_ */
+/**
+ * Decodes and returns the parts of the JWT. The signature is not verified.
+ *
+ * @param {string} jwt The JWT to decode.
+ * @return {Object} The decoded payload.
+ */
+function decodeJwt_(jwt) {
+  var payload = jwt.split('.')[1];
+  var blob = Utilities.newBlob(Utilities.base64DecodeWebSafe(payload));
+  return JSON.parse(blob.getDataAsString());
+}
diff --git a/test/mocks/blob.js b/test/mocks/blob.js
@@ -0,0 +1,9 @@
+var MockBlob = function(buffer) {
+  this.buffer = buffer;
+};
+
+MockBlob.prototype.getDataAsString = function() {
+  return this.buffer.toString();
+};
+
+module.exports = MockBlob;
diff --git a/test/test.js b/test/test.js
@@ -5,15 +5,29 @@ var MockProperties = require('./mocks/properties');
 var MockCache = require('./mocks/cache');
 var MockLock = require('./mocks/lock');
 var MockScriptApp = require('./mocks/script');
+var MockBlob = require('./mocks/blob');
 var Future = require('fibers/future');
+var URLSafeBase64 = require('urlsafe-base64');
 
 var mocks = {
   ScriptApp: new MockScriptApp(),
   UrlFetchApp: new MockUrlFetchApp(),
   Utilities: {
     base64Encode: function(data) {
       return Buffer.from(data).toString('base64');
-    }
+    },
+    base64EncodeWebSafe: function(data) {
+      return URLSafeBase64.encode(Buffer.from(data));
+    },
+    base64DecodeWebSafe: function(data) {
+      return URLSafeBase64.decode(data);
+    },
+    computeRsaSha256Signature: function(data, key) {
+      return Math.random().toString(36);
+    },
+    newBlob: function(data) {
+      return new MockBlob(data);
+    },
   },
   __proto__: gas.globalMockDefault
 };
@@ -483,6 +497,155 @@ describe('Service', function() {
       assert.equal(state.arguments.foo, 'bar');
     });
   });
+
+  describe('#isExpired_()', function() {
+    const NOW_SECONDS = OAuth2.getTimeInSeconds_(new Date());
+    const ONE_HOUR_AGO_SECONDS = NOW_SECONDS - 360;
+
+
+    it('should return false if there is no expiration time in the token',
+        function() {
+      var service = OAuth2.createService('test')
+          .setPropertyStore(new MockProperties())
+          .setCache(new MockCache());
+      var token = {};
+
+      assert.isFalse(service.isExpired_(token));
+    });
+
+    it('should return false if before the time in expires_in', function() {
+      var service = OAuth2.createService('test')
+          .setPropertyStore(new MockProperties())
+          .setCache(new MockCache());
+      var token = {
+        expires_in: 360, // One hour.
+        granted_time: NOW_SECONDS,
+      };
+
+      assert.isFalse(service.isExpired_(token));
+    });
+
+    it('should return true if past the time in "expires_in"', function() {
+      var service = OAuth2.createService('test')
+          .setPropertyStore(new MockProperties())
+          .setCache(new MockCache());
+      var token = {
+        expires_in: 60, // One minute.
+        granted_time: ONE_HOUR_AGO_SECONDS,
+      };
+
+      assert.isTrue(service.isExpired_(token));
+    });
+
+    it('should return false if before the time in "expires"', function() {
+      var service = OAuth2.createService('test')
+          .setPropertyStore(new MockProperties())
+          .setCache(new MockCache());
+      var token = {
+        expires_in: 360, // One hour.
+        granted_time: NOW_SECONDS,
+      };
+
+      assert.isFalse(service.isExpired_(token));
+    });
+
+    it('should return true if past the time in "expires"', function() {
+      var service = OAuth2.createService('test')
+          .setPropertyStore(new MockProperties())
+          .setCache(new MockCache());
+      var token = {
+        expires_in: 60, // One minute.
+        granted_time: ONE_HOUR_AGO_SECONDS,
+      };
+
+      assert.isTrue(service.isExpired_(token));
+    });
+
+    it('should return false if before the time in "expires_in_sec"',
+        function() {
+      var service = OAuth2.createService('test')
+          .setPropertyStore(new MockProperties())
+          .setCache(new MockCache());
+      var token = {
+        expires_in: 360, // One hour.
+        granted_time: NOW_SECONDS,
+      };
+
+      assert.isFalse(service.isExpired_(token));
+    });
+
+    it('should return true if past the time in "expires_in_sec"', function() {
+      var service = OAuth2.createService('test')
+          .setPropertyStore(new MockProperties())
+          .setCache(new MockCache());
+      var token = {
+        expires_in: 60, // One minute.
+        granted_time: ONE_HOUR_AGO_SECONDS,
+      };
+
+      assert.isTrue(service.isExpired_(token));
+    });
+
+    it('should return true if within the buffer', function() {
+      var service = OAuth2.createService('test')
+          .setPropertyStore(new MockProperties())
+          .setCache(new MockCache());
+      var token = {
+        expires_in: 30, // 30 seconds.
+        granted_time: NOW_SECONDS,
+      };
+
+      assert.isTrue(service.isExpired_(token));
+    });
+
+    it('should return true if past the JWT expiration', function() {
+      var service = OAuth2.createService('test')
+          .setPropertyStore(new MockProperties())
+          .setCache(new MockCache());
+      var idToken = OAuth2.encodeJwt_({
+            exp: NOW_SECONDS - 60, // One minute ago.
+          }, 'key');
+      var token = {
+        id_token: idToken,
+      };
+
+      assert.isTrue(service.isExpired_(token));
+    });
+
+    it('should return false if the JWT is expired but the token is not',
+        function() {
+      var service = OAuth2.createService('test')
+          .setPropertyStore(new MockProperties())
+          .setCache(new MockCache());
+      var idToken = OAuth2.encodeJwt_({
+            exp: NOW_SECONDS - 60, // One minute ago.
+          }, 'key');
+      var token = {
+        id_token: idToken,
+        expires_in: 360, // One hour.
+        granted_time: NOW_SECONDS,
+      };
+
+      assert.isTrue(service.isExpired_(token));
+    });
+
+    it('should return false if the token expired but the JWT is not',
+        function() {
+      var service = OAuth2.createService('test')
+          .setPropertyStore(new MockProperties())
+          .setCache(new MockCache());
+      var idToken = OAuth2.encodeJwt_({
+            exp: NOW_SECONDS + 360, // One hour from now.
+          }, 'key');
+      var token = {
+        id_token: idToken,
+        expires_in: 60, // One minute.
+        granted_time: ONE_HOUR_AGO_SECONDS,
+      };
+
+      assert.isTrue(service.isExpired_(token));
+    });
+  });
 });
 
 describe('Utilities', function() {
@@ -531,4 +694,33 @@ describe('Utilities', function() {
       assert.isEmpty(toLowerCaseKeys_({}));
     });
   });
+
+  describe('#encodeJwt_()', function() {
+    var encodeJwt_ = OAuth2.encodeJwt_;
+
+    it('should encode correctly', function() {
+      var payload = {
+         'foo': 'bar'
+      };
+
+      var jwt = encodeJwt_(payload, 'key');
+      var parts = jwt.split('.');
+
+      // Expexted values from jwt.io.
+      assert.equal(parts[0], 'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9');
+      assert.equal(parts[1], 'eyJmb28iOiJiYXIifQ');
+    });
+  });
+
+  describe('#decodeJwt_()', function() {
+    var decodeJwt_ = OAuth2.decodeJwt_;
+
+    it('should decode correctly', function() {
+      var jwt = 'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJmb28iOiJiYXIifQ.sig';
+
+      var payload = decodeJwt_(jwt);
+
+      assert.deepEqual(payload, {'foo': 'bar'});
+    });
+  });
 });
