SmapiAuthTokens that expire, with sonos refreshAuthToken functionality (#81)

Bearer token to Authorization header for stream requests Versioned SMAPI Tokens
2025-12-21 17:33:29 +01:00 · 2021-12-02 11:03:52 +11:00
parent 89340dd454
commit d1300b8119
24 changed files with 1792 additions and 1330 deletions
--- a/tests/smapi_auth.test.ts
+++ b/tests/smapi_auth.test.ts
@@ -0,0 +1,188 @@
+import { v4 as uuid } from "uuid";
+import jwt from "jsonwebtoken";
+
+import {
+  ExpiredTokenError,
+  InvalidTokenError,
+  isSmapiRefreshTokenResultFault,
+  JWTSmapiLoginTokens,
+  smapiTokenAsString,
+  smapiTokenFromString,
+  SMAPI_TOKEN_VERSION,
+} from "../src/smapi_auth";
+import { either as E } from "fp-ts";
+import { FixedClock } from "../src/clock";
+import dayjs from "dayjs";
+import { b64Encode } from "../src/b64";
+
+describe("smapiTokenAsString", () => {
+  it("can round trip token to and from string", () => {
+    const smapiToken = { token: uuid(), key: uuid(), someOtherStuff: 'this needs to be explicitly ignored' };
+    const asString = smapiTokenAsString(smapiToken)
+
+    expect(asString).toEqual(b64Encode(JSON.stringify({
+      token: smapiToken.token,
+      key: smapiToken.key,
+    })));
+    expect(smapiTokenFromString(asString)).toEqual({
+      token: smapiToken.token,
+      key: smapiToken.key
+    });
+  });
+});
+
+describe("isSmapiRefreshTokenResultFault", () => {
+  it("should return true for a refreshAuthTokenResult fault", () => {
+    const faultWithRefreshAuthToken = {
+      Fault: {
+        faultcode: "",
+        faultstring: "",
+        detail: {
+          refreshAuthTokenResult: {
+            authToken: "x",
+            privateKey: "x",
+          },
+        },
+      },
+    };
+    expect(isSmapiRefreshTokenResultFault(faultWithRefreshAuthToken)).toEqual(
+      true
+    );
+  });
+
+  it("should return false when is not a refreshAuthTokenResult", () => {
+    expect(isSmapiRefreshTokenResultFault({ Fault: { faultcode: "", faultstring:" " }})).toEqual(
+      false
+    );
+  });
+});
+
+describe("auth", () => {
+  describe("JWTSmapiLoginTokens", () => {
+    const clock = new FixedClock(dayjs());
+
+    const expiresIn = "1h";
+    const secret = `secret-${uuid()}`;
+    const smapiLoginTokens = new JWTSmapiLoginTokens(clock, secret, expiresIn);
+
+    describe("issuing a new token", () => {
+      it("should issue a token that can then be verified", () => {
+        const serviceToken = uuid();
+
+        const smapiToken = smapiLoginTokens.issue(serviceToken);
+
+        expect(smapiToken.token).toEqual(
+          jwt.sign(
+            {
+              serviceToken,
+              iat: Math.floor(clock.now().toDate().getDate() / 1000),
+            },
+            secret + SMAPI_TOKEN_VERSION + smapiToken.key,
+            { expiresIn }
+          )
+        );
+        expect(smapiToken.token).not.toContain(serviceToken);
+        expect(smapiToken.token).not.toContain(secret);
+        expect(smapiToken.token).not.toContain(":");
+
+        const roundTripped = smapiLoginTokens.verify(smapiToken);
+
+        expect(roundTripped).toEqual(E.right(serviceToken));
+      });
+    });
+
+    describe("when verifying the token fails", () => {
+      describe("due to the version changing", () => {
+        it("should return an error", () => {
+          const authToken = uuid();
+
+          const v1SmapiTokens = new JWTSmapiLoginTokens(
+            clock,
+            secret,
+            expiresIn,
+            () => uuid(),
+            "1"
+          );
+
+          const v2SmapiTokens = new JWTSmapiLoginTokens(
+            clock,
+            secret,
+            expiresIn,
+            () => uuid(),
+            "2"
+          );
+
+          const v1Token = v1SmapiTokens.issue(authToken);
+          expect(v1SmapiTokens.verify(v1Token)).toEqual(E.right(authToken));
+
+          const result = v2SmapiTokens.verify(v1Token);
+          expect(result).toEqual(
+            E.left(new InvalidTokenError("invalid signature"))
+          );
+        });
+      });
+      
+      describe("due to secret changing", () => {
+        it("should return an error", () => {
+          const authToken = uuid();
+
+          const smapiToken = new JWTSmapiLoginTokens(
+            clock,
+            "A different secret",
+            expiresIn
+          ).issue(authToken);
+
+          const result = smapiLoginTokens.verify(smapiToken);
+          expect(result).toEqual(
+            E.left(new InvalidTokenError("invalid signature"))
+          );
+        });
+      });
+
+      describe("due to key changing", () => {
+        it("should return an error", () => {
+          const authToken = uuid();
+
+          const smapiToken = smapiLoginTokens.issue(authToken);
+
+          const result = smapiLoginTokens.verify({
+            ...smapiToken,
+            key: "some other key",
+          });
+          expect(result).toEqual(
+            E.left(new InvalidTokenError("invalid signature"))
+          );
+        });
+      });
+    });
+
+    describe("when the token has expired", () => {
+      it("should return an ExpiredTokenError, with the authToken", () => {
+        const authToken = uuid();
+        const now = dayjs();
+        const tokenIssuedAt = now.subtract(31, "seconds");
+
+        const tokensWith30SecondExpiry = new JWTSmapiLoginTokens(
+          clock,
+          uuid(),
+          "30s"
+        );
+
+        clock.time = tokenIssuedAt;
+        const expiredToken = tokensWith30SecondExpiry.issue(authToken);
+
+        clock.time = now;
+
+        const result = tokensWith30SecondExpiry.verify(expiredToken);
+        expect(result).toEqual(
+          E.left(
+            new ExpiredTokenError(
+              authToken,
+              tokenIssuedAt.add(30, "seconds").unix()
+            )
+          )
+        );
+      });
+    });
+  });
+});