From ed61ae6db6b2e2f34ce1e5781379ad710deb1c94 Mon Sep 17 00:00:00 2001
From: Andrea Carraro
Date: Fri, 21 Apr 2023 16:01:12 +0200
Subject: [PATCH] refactor: fix unit tests and assign allowedIss default based on domain
---
 index.js | 18 +++++++++++++-----
 test/test.js | 37 +++++++++++++++++++++++++++----------
 2 files changed, 40 insertions(+), 15 deletions(-)
diff --git a/index.js b/index.js
index ed8e342..5451086 100644
--- a/index.js
+++ b/index.js
@@ -41,28 +41,36 @@ function verifyOptions(options) {
 // Prepare verification options
 const verify = Object.assign({}, options, { algorithms: [] })
+ let domainURLObject
+ // @NOTE This is going to be renamed domain once we rename current domain :)
+ let domainOrigin
+
 if (domain) {
 domain = domain.toString()
 // Normalize the domain in order to get a complete URL for JWKS fetching
 if (!domain.match(/^http(?:s?)/)) {
- domain = new URL(`https://${domain}`).toString()
+ domainURLObject = new URL(`https://${domain}`)
+ domain = domainURLObject.toString()
 } else {
 // adds missing trailing slash if it's not been provided in the config
- domain = new URL(domain).toString()
+ domainURLObject = new URL(domain)
+ domain = domainURLObject.toString()
 }
+ domainOrigin = domainURLObject.origin + '/'
+
 verify.algorithms.push('RS256')
 // @TODO normalize issuer url like done for domain
- verify.allowedIss = issuer || domain
+ verify.allowedIss = issuer || domainOrigin
 if (audience) {
- verify.allowedAud = domain
+ verify.allowedAud = domainOrigin
 }
 }
 if (audience) {
- verify.allowedAud = audience === true ? domain : audience
+ verify.allowedAud = audience === true ? domainOrigin : audience
 }
 if (secret) {
diff --git a/test/test.js b/test/test.js
index dacbaee..3ed0b2c 100644
--- a/test/test.js
+++ b/test/test.js
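Review bot: `verify.allowedAud = audience === true ? domainOrigin : audience` can now assign `undefined`, because `domainOrigin` is only populated inside the `if (domain)` block; an `audience: true` configuration with no `domain` previously fell back to `domain` and now produces no audience constraint at all, which presumably lets the verifier skip the `aud` check instead of rejecting the token. It is safer to fail closed just before that line: `if (audience === true && !domainOrigin) throw new Error('audience: true requires a domain to be configured')`. Related, the `@TODO normalize issuer url` comment still stands: the default issuer now carries a trailing slash from `origin + '/'` while a user-supplied `issuer` is passed through as-is, so a comment such as `// issuer is compared verbatim against the token's iss claim; include the trailing slash if the IdP emits one` would save callers a silent mismatch. verifyOptions starts and ends outside this hunk.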
@@ -553,14 +553,13 @@ describe('RS256 JWT token validation', function () {
 let server
 beforeEach(async function () {
- server = await buildServer({ domain: 'https://localhost/' })
+ server = await buildServer({ domain: 'https://localhost/.well-known/jwks.json' })
 })
 afterEach(() => server.close())
 beforeEach(function () {
 nock.disableNetConnect()
- nock('https://localhost/').get('/.well-known/jwks.json').reply(200, jwks)
 })
@@ -585,9 +584,12 @@ describe('RS256 JWT token validation', function () {
 })
 })
- it('should make the complete token informations available through request.user', async function () {
+ it('should make the complete token information available through request.user', async function () {
 await server.close()
- server = await buildServer({ domain: 'localhost', complete: true })
+ server = await buildServer({
+ domain: 'https://localhost/.well-known/jwks.json',
+ complete: true
+ })
 const response = await server.inject({
 method: 'GET',
@@ -615,7 +617,10 @@ describe('RS256 JWT token validation', function () {
 it('should validate the audience', async function () {
 await server.close()
- server = await buildServer({ domain: 'localhost', audience: 'foo' })
+ server = await buildServer({
+ domain: 'https://localhost/.well-known/jwks.json',
+ audience: 'foo'
+ })
 const response = await server.inject({
 method: 'GET',
@@ -635,7 +640,11 @@ describe('RS256 JWT token validation', function () {
 it('should validate the audience using the domain', async function () {
 await server.close()
- server = await buildServer({ domain: 'localhost', audience: true, secret: 'secret' })
+ server = await buildServer({
+ domain: 'https://localhost/.well-known/jwks.json',
+ audience: true,
+ secret: 'secret'
+ })
 const response = await server.inject({
 method: 'GET',
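Review bot: Every case in the `@@ -585`, `@@ -615` and `@@ -635` hunks (and likewise `@@ -653`, `@@ -798` and `@@ -831` in the rest of this file) replaces the bare `domain: 'localhost'` with the full `https://localhost/.well-known/jwks.json` URL, so the scheme-less branch of verifyOptions (the `https://${domain}` construction and the `allowedIss`/`allowedAud` values derived from it) is no longer exercised by any visible test, unless a case outside these hunks still passes a bare hostname. Keeping one case on the old form, e.g. `server = await buildServer({ domain: 'localhost', audience: true, secret: 'secret' })` for the "validate the audience using the domain" test, would preserve that coverage and pin the derived `https://localhost/` issuer and audience. In the first hunk the JWKS interceptor is dropped from `beforeEach` while `nock.disableNetConnect()` stays, so the key fetch presumably relies on an interceptor registered in buildServer or elsewhere outside the hunk; a one-line comment there naming where the JWKS reply now comes from would help the next reader.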
@@ -653,10 +662,10 @@ describe('RS256 JWT token validation', function () {
 })
 })
- it('should validate with multiple audiences ', async function () {
+ it('should validate with multiple audiences', async function () {
 await server.close()
 server = await buildServer({
- domain: 'localhost',
+ domain: 'https://localhost/.well-known/jwks.json',
 audience: ['https://otherhost/', 'foo', 'https://somehost/'],
 secret: 'secret'
 })
@@ -798,7 +807,11 @@ describe('RS256 JWT token validation', function () {
 it('should correctly get the key again from the well-known URL if cache expired', async function () {
 await server.close()
- server = await buildServer({ domain: 'localhost', secret: 'secret', secretsTtl: 10 })
+ server = await buildServer({
+ domain: 'https://localhost/.well-known/jwks.json',
+ secret: 'secret',
+ secretsTtl: 10
+ })
 let response
@@ -831,7 +844,11 @@ describe('RS256 JWT token validation', function () {
 it('should not cache the key if cache was disabled', async function () {
 await server.close()
- server = await buildServer({ domain: 'localhost', secret: 'secret', secretsTtl: 0 })
+ server = await buildServer({
+ domain: 'https://localhost/.well-known/jwks.json',
+ secret: 'secret',
+ secretsTtl: 0
+ })
 let response