├── .gitignore
├── .travis.yml
├── LICENSE
├── box.json
├── jwt.cfc
├── readme.md
└── tests
    ├── Application.cfc
    ├── index.cfm
    └── specs
        └── jwtTest.cfc


/.gitignore:
--------------------------------------------------------------------------------
1 | testbox


--------------------------------------------------------------------------------
/.travis.yml:
--------------------------------------------------------------------------------
 1 | language: java
 2 | sudo: required
 3 | jdk:
 4 | - openjdk11
 5 | cache:
 6 |   directories:
 7 |   - $HOME/.CommandBox
 8 | env:
 9 |   matrix:
10 |     - ENGINE=lucee@5
11 |     - ENGINE=adobe@2016
12 |     - ENGINE=adobe@2018
13 | before_install:
14 | - sudo apt-key adv --keyserver keys.gnupg.net --recv 6DA70622
15 | - sudo echo "deb http://downloads.ortussolutions.com/debs/noarch /" | sudo tee -a
16 |   /etc/apt/sources.list.d/commandbox.list
17 | install:
18 | - sudo apt-get update && sudo apt-get --assume-yes install commandbox
19 | - box install
20 | before_script:
21 | - box server start cfengine=$ENGINE port=8500
22 | script:
23 | - box testbox run runner="http://127.0.0.1:8500/tests/index.cfm"
24 | notifications:
25 |     email: false


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | The MIT License (MIT)
 2 | 
 3 | Copyright (c) 2014 Jason Steinshouer
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy of
 6 | this software and associated documentation files (the "Software"), to deal in
 7 | the Software without restriction, including without limitation the rights to
 8 | use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
 9 | the Software, and to permit persons to whom the Software is furnished to do so,
10 | subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
17 | FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
18 | COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
19 | IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
20 | CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
21 | 


--------------------------------------------------------------------------------
/box.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "name":"CF JWT Simple",
 3 |     "slug":"cf-jwt-simple",
 4 |     "shortDescription":"CFML component for encoding and decoding JSON Web Tokens (JWT)",
 5 |     "description":"",
 6 |     "version":"1.3.0",
 7 |     "author":"Jason Steinshouer <jason.steinshouer@gmail.com>",
 8 |     "location":"https://github.com/jsteinshouer/cf-jwt-simple/archive/master.zip",
 9 |     "repository":{
10 |         "type":"git",
11 |         "url":"https://github.com/jsteinshouer/cf-jwt-simple"
12 |     },
13 |     "keywords":[
14 |         "jwt",
15 |         "JSON Web Token"
16 |     ],
17 |     "license":[
18 |         {
19 |             "type":"MIT",
20 |             "url":"http://opensource.org/licenses/MIT"
21 |         }
22 |     ],
23 |     "bugs":"https://github.com/jsteinshouer/cf-jwt-simple/issues",
24 |     "private":false,
25 |     "ignore":[
26 |         "**/.*",
27 |         "tests",
28 |         "readme.md"
29 |     ],
30 |     "devDependencies":{
31 |         "testbox":"^2.4.0+80"
32 |     },
33 |     "installPaths":{
34 |         "testbox":"testbox/"
35 |     }
36 | }
37 | 


--------------------------------------------------------------------------------
/jwt.cfc:
--------------------------------------------------------------------------------
  1 |  <!---
  2 | 	jwt.cfc
  3 | 
  4 | 	DESCRIPTION: Component for encoding and decoding JSON Web Tokens.
  5 | 
  6 | 		Based on jwt-simple node.js library (https://github.com/hokaccha/node-jwt-simple)
  7 | 
  8 | 	PARAMETERS: 
  9 | 		key - HMAC key used for token signatures
 10 | 	
 11 | 			
 12 | --->
 13 | 
 14 | <cfcomponent output="false">
 15 | 	
 16 | 	<cffunction name="init" output="false">
 17 | 		<cfargument name="key" required="true">
 18 | 		<cfargument name="ignoreExpiration" type="boolean" default="false" hint="If true, verification will ignore expiration.">
 19 | 		<cfargument name="issuer" type="string" default="" hint="If not provided, verification will ignore issuer.">
 20 | 		<cfargument name="audience" type="string" default="" hint="If not provided, verification will ignore audience.">
 21 | 		
 22 | 		<cfset variables.key = arguments.key>
 23 | 		<cfset variables.ignoreExpiration = arguments.ignoreExpiration>
 24 | 		<cfset variables.issuer = arguments.issuer>
 25 | 		<cfset variables.audience = arguments.audience>
 26 | 
 27 | 		<!--- Supported algorithms --->
 28 | 		<cfset variables.algorithmMap = {
 29 | 			"HS256" = "HmacSHA256",
 30 | 			"HS384" = "HmacSHA384",
 31 | 			"HS512" = "HmacSHA512"
 32 | 		}>
 33 | 
 34 | 		<cfreturn this>
 35 | 	</cffunction>
 36 | 
 37 | 	<!--- 	decode(string) as struct
 38 | 			Description:  Decode a JSON Web Token
 39 | 	---> 
 40 | 	<cffunction name="decode" output="false">
 41 | 		<cfargument name="token" required="true">
 42 | 
 43 | 		<!--- Token should contain 3 segments --->
 44 | 		<cfif listLen(arguments.token,".") neq 3>
 45 | 			<cfthrow type="Invalid Token" message="Token should contain 3 segments">
 46 | 		</cfif>
 47 | 
 48 | 		<!--- Decode token and catch any deserialzation errors  --->
 49 | 		<cftry>
 50 | 			<cfset var header = deserializeJSON(base64UrlDecode(listGetAt(arguments.token,1,".")))>
 51 | 			<cfset var payload = deserializeJSON(base64UrlDecode(listGetAt(arguments.token,2,".")))>
 52 | 			<cfset var signature = listGetAt(arguments.token,3,".")>
 53 | 		<cfcatch>
 54 | 			<cfthrow type="Invalid Token"  message="Signature verification failed: Token Invalid">
 55 | 		</cfcatch>
 56 | 		</cftry>
 57 | 
 58 | 		<!--- Make sure the algorithm listed in the header is supported --->
 59 | 		<cfif listFindNoCase(structKeyList(algorithmMap),header.alg) eq false>
 60 | 			<cfthrow type="Invalid Token" message="Algorithm not supported">
 61 | 		</cfif>
 62 | 
 63 | 		<!--- Verify claims --->
 64 | 		<cfif StructKeyExists(payload,"exp") and not variables.ignoreExpiration>
 65 | 			<cfif epochTimeToLocalDate(payload.exp) lt now()>
 66 | 				<cfthrow type="Invalid Token" message="Signature verification failed: Token expired">
 67 | 			</cfif>
 68 | 		</cfif>
 69 | 		<cfif StructKeyExists(payload,"nbf") and epochTimeToLocalDate(payload.nbf) gt now()>
 70 | 			<cfthrow type="Invalid Token" message="Signature verification failed: Token not yet active">
 71 | 		</cfif>
 72 | 		<cfif StructKeyExists(payload,"iss") and variables.issuer neq "" and payload.iss neq variables.issuer>
 73 | 			<cfthrow type="Invalid Token" message="Signature verification failed: Issuer does not match">
 74 | 		</cfif>
 75 | 		<cfif StructKeyExists(payload,"aud") and variables.audience neq "" and payload.aud neq variables.audience>
 76 | 			<cfthrow type="Invalid Token" message="Signature verification failed: Audience does not match">
 77 | 		</cfif>
 78 | 
 79 | 		<!--- Verify signature --->
 80 | 		<cfset var signInput = listGetAt(arguments.token,1,".") & "." & listGetAt(arguments.token,2,".")>
 81 | 		<cfif signature neq sign(signInput,algorithmMap[header.alg])>
 82 | 			<cfthrow type="Invalid Token" message="Signature verification failed: Invalid key">
 83 | 		</cfif>
 84 | 
 85 | 		<cfreturn payload>
 86 | 	</cffunction>
 87 | 
 88 | 	<!--- 	encode(struct,[string]) as String
 89 | 			Description:  encode a data structure as a JSON Web Token
 90 | 	---> 
 91 | 	<cffunction name="encode" output="false">
 92 | 		<cfargument name="payload" required="true">
 93 | 		<cfargument name="algorithm" default="HS256">
 94 | 
 95 | 		<!--- Default hash algorithm --->
 96 | 		<cfset var hashAlgorithm = "HS256">
 97 | 		<cfset var segments = "">
 98 | 
 99 | 		<!--- Make sure only supported algorithms are used --->
100 | 		<cfif listFindNoCase(structKeyList(algorithmMap),arguments.algorithm)>
101 | 			<cfset hashAlgorithm = arguments.algorithm>
102 | 		</cfif>
103 | 
104 | 		<!--- Add Header - typ and alg fields--->
105 | 		<cfset segments = listAppend(segments, base64UrlEscape(toBase64(serializeJSON({ "typ" =  "JWT", "alg" = hashAlgorithm }))),".")>
106 | 		<!--- Add payload --->
107 | 		<cfset segments = listAppend(segments, base64UrlEscape(toBase64(serializeJSON(arguments.payload))),".")>
108 | 		<cfset segments = listAppend(segments, sign(segments,algorithmMap[hashAlgorithm]),".")>
109 | 
110 | 		<cfreturn segments>
111 | 	</cffunction>
112 | 
113 | 	<!--- 	verify(token) as Boolean
114 | 			Description:  Verify the token signature
115 | 	---> 
116 | 	<cffunction name="verify" output="false">
117 | 		<cfargument name="token" required="true">
118 | 
119 | 		<cfset var isValid = true>
120 | 
121 | 		<cftry>
122 | 			<cfset decode(token)>
123 | 			<cfcatch>
124 | 				<cfset isValid = false>
125 | 			</cfcatch>
126 | 		</cftry>
127 | 
128 | 		<cfreturn isValid>
129 | 	</cffunction>
130 | 
131 | 	<!--- 	sign(string,[string]) as String
132 | 			Description: Create an MHAC of provided string using the secret key and algorithm
133 | 	---> 
134 | 	<cffunction name="sign" output="false" access="private">
135 | 		<cfargument name="msg" type="string" required="true">
136 | 		<cfargument name="algorithm" default="HmacSHA256">
137 | 
138 | 		<cfset var key = createObject("java", "javax.crypto.spec.SecretKeySpec").init(variables.key.getBytes(), arguments.algorithm)>
139 | 		<cfset var mac = createObject("java", "javax.crypto.Mac").getInstance(arguments.algorithm)>
140 | 		<cfset mac.init(key)>
141 | 
142 | 		<cfreturn base64UrlEscape(toBase64(mac.doFinal(msg.getBytes())))>
143 | 	</cffunction>
144 | 
145 | 	<!--- 	base64UrlEscape(String) as String
146 | 			Description:  Escapes unsafe url characters from a base64 string
147 | 	---> 
148 | 	<cffunction name="base64UrlEscape" output="false" access="private">
149 | 		<cfargument name="str" required="true">
150 | 
151 | 		<cfreturn reReplace(reReplace(reReplace(str, "\+", "-", "all"), "\/", "_", "all"),"=", "", "all")>
152 | 	</cffunction>
153 | 
154 | 	<!--- 	base64UrlUnescape(String) as String
155 | 			Description: restore base64 characters from an url escaped string 
156 | 	---> 
157 | 	<cffunction name="base64UrlUnescape" output="false" access="private">
158 | 		<cfargument name="str" required="true">
159 | 
160 | 		<!--- Unescape url characters --->
161 | 		<cfset var base64String = reReplace(reReplace(arguments.str, "\-", "+", "all"), "\_", "/", "all")>
162 | 		<cfset var padding = repeatstring("=",4 - len(base64String) mod 4)>
163 | 
164 | 		<cfreturn base64String & padding>
165 | 	</cffunction>
166 | 
167 | 
168 | 	<!--- 	base64UrlDecode(String) as String
169 | 			Description:  Decode a url encoded base64 string
170 | 	---> 
171 | 	<cffunction name="base64UrlDecode" output="false" access="private">
172 | 		<cfargument name="str" required="true">
173 | 
174 | 		<cfreturn toString(toBinary(base64UrlUnescape(arguments.str)))>
175 | 	</cffunction>
176 | 
177 | 	<!--- 	epochTimeToLocalDate(numeric) as Datetime
178 | 			Description:  Converts Epoch datetime to local date
179 | 
180 | 			I changed the date conversion to use Java instead of dateAdd()
181 | 			because currently (12/12/2016), ACF dateAdd uses an integer so there is a limit
182 | 			of 2147483647 (Tue, 19 Jan 2038 03:14:07 GMT) which i doubt anyone 
183 | 			will still use this in 2038 but I changed it anyway.
184 | 	---> 
185 | 	<cffunction name="epochTimeToLocalDate" output="false" access="private">
186 | 		<cfargument name="epoch" required="true" hint="Seconds from Jan 1, 1970">
187 | 
188 | 		<cfreturn createObject("java", "java.util.Date").init(javaCast("long",epoch*1000))>
189 | 	</cffunction>
190 | 
191 | </cfcomponent>


--------------------------------------------------------------------------------
/readme.md:
--------------------------------------------------------------------------------
 1 | # CF-JWT-Simple
 2 | 
 3 | ## Description
 4 | 
 5 | CFML Component for encoding and decoding [JSON Web Tokens (JWT)](http://self-issued.info/docs/draft-ietf-oauth-json-web-token.html).
 6 | 
 7 | This is a port of the node.js project [node-jwt-simple](https://github.com/hokaccha/node-jwt-simple) to cfml. It currently supports HS256, HS384, and HS512 signing algorithms.
 8 | 
 9 | 
10 | ## Usage
11 | 	<!--- Initialize the component with the secret signing key --->
12 |     <cfset jwt = new jwt(secretkey)>
13 | 	<cfset payload = {"ts" = now(), "userid" = "jdoe"}>
14 | 	<!--- Encode the data structure as a json web token --->
15 | 	<cfset token = jwt.encode(payload)>
16 | 	<!--- Decode the token and get the data structure back. This is will throw an error if the token is invalid --->
17 | 	<cfset result = jwt.decode(token)>
18 | 
19 | ## Support for registered claims
20 | 
21 | This CFC supports the `nbf` and `exp` registered claims that can be part of the payload. Verification of the token will fail if the token is not yet active or if the token is expired according to the `nbf` and `exp` claims. They should be numeric dates in Unix epoch time according to the JWT spec.
22 | 
23 | To ignore the `exp` claim during verification, pass `ignoreExpiration=true` when instantiating the CFC. For example:
24 | 
25 | 	<cfset jwt = new jwt(key=secretkey, ignoreExpiration=true)>
26 | 
27 | This CFC also supports the `aud` and `iss` registered claims during verification. If you don't pass `audience` or `issuer` during instantiation, the claims will be ignored during verification. If you do pass them, they'll be included during the verification process. Here's an example:
28 | 
29 | 	<cfset jwt = new jwt(key=secretkey, audience="myaudiencevalue", issuer="myissuervalue")>
30 | 


--------------------------------------------------------------------------------
/tests/Application.cfc:
--------------------------------------------------------------------------------
 1 | /**
 2 | * Copyright Since 2005 Ortus Solutions, Corp
 3 | * www.coldbox.org | www.luismajano.com | www.ortussolutions.com | www.gocontentbox.org
 4 | **************************************************************************************
 5 | */
 6 | component{
 7 | 	this.name = "A TestBox Runner Suite " & hash( getCurrentTemplatePath() );
 8 | 	// any other application.cfc stuff goes below:
 9 | 	this.sessionManagement = false;
10 | 
11 | 	// any mappings go here, we create one that points to the root called test.
12 | 	this.mappings[ "/test" ] = getDirectoryFromPath( getCurrentTemplatePath() );
13 | 	rootPath = REReplaceNoCase( this.mappings[ "/test" ], "tests(\\|/)", "" );
14 | 	this.mappings["/root"]   = rootPath;
15 | 
16 | 	// request start
17 | 	public boolean function onRequestStart( String targetPage ){
18 | 
19 | 		return true;
20 | 	}
21 | }


--------------------------------------------------------------------------------
/tests/index.cfm:
--------------------------------------------------------------------------------
 1 | <cfsetting showDebugOutput="false">
 2 | <!--- Executes all tests in the 'specs' folder with simple reporter by default --->
 3 | <cfparam name="url.reporter" 		default="simple">
 4 | <cfparam name="url.directory" 		default="tests.specs">
 5 | <cfparam name="url.recurse" 		default="true" type="boolean">
 6 | <cfparam name="url.bundles" 		default="">
 7 | <cfparam name="url.labels" 			default="">
 8 | <cfparam name="url.reportpath" 		default="#expandPath( "/tests/results" )#">
 9 | <cfparam name="url.propertiesFilename" 	default="TEST.properties">
10 | <cfparam name="url.propertiesSummary" 	default="false" type="boolean">
11 | <cfif structKeyExists(server, "lucee")>
12 | 	<cfoutput>Lucee Version #server.lucee.version#</cfoutput>
13 | <cfelse>
14 | 	<cfoutput>Adobe CF Version #server.coldfusion.productVersion#</cfoutput>
15 | </cfif>
16 | <!--- Include the TestBox HTML Runner --->
17 | <cfinclude template="/testbox/system/runners/HTMLRunner.cfm" >
18 | 


--------------------------------------------------------------------------------
/tests/specs/jwtTest.cfc:
--------------------------------------------------------------------------------
  1 | /**
  2 | * cf-jwt-simple TestBox Suite
  3 | */
  4 | component extends="testbox.system.BaseSpec"{
  5 | 	
  6 | /*********************************** LIFE CYCLE Methods ***********************************/
  7 | 
  8 | 	// executes before all suites+specs in the run() method
  9 | 	function beforeAll(){
 10 | 	}
 11 | 
 12 | 	// executes after all suites+specs in the run() method
 13 | 	function afterAll(){
 14 | 	}
 15 | 
 16 | 	function run( testResults, testBox ){
 17 | 		describe( "cf-jwt-simple TestBox Suite", function(){
 18 | 
 19 | 			beforeEach(function( currentSpec ){
 20 | 				myPrivateKey = "abcdefg";
 21 | 				jwt = new root.jwt(myPrivateKey);
 22 | 
 23 | 				/* Test tokens can be generated at https://jwt.io/ and Epoch time from http://www.epochconverter.com/*/
 24 | 				testData = {
 25 | 					payload = {
 26 | 					  "sub": "1234567890",
 27 | 					  "name": "John Doe",
 28 | 					  "admin": true
 29 | 					},
 30 | 					// Uses payload 
 31 | 					validToken = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.e0CFuBLfhSbH7bQIVrIODvMIcdiKBpmk0TVcWE288dQ",
 32 | 					invalidFormatToken = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0cyI6IkZlYnJ1YXJ5LCAwNSAyMDE0IDEyOjA4OjA1IiwidXNlcmlkIjoiamRvZSJ9",
 33 | 					// Payload signed with invalid signature
 34 | 					invalidToken = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.ruc_ziwPAc2QnO2zrrrEL_Fn-SSjtczeW4SeQGcjUn0",
 35 | 					/* 
 36 | 					exp: 2037-12-31 17:00:00 GMT Last year that we can convert using dateAdd in ACF
 37 | 					{
 38 | 					  "iss": "http://myapi",
 39 | 					  "aud": "clientid",
 40 | 					  "exp" : 2145891600
 41 | 					  "sub": "1234567890",
 42 | 					  "name": "John Doe",
 43 | 					  "admin": true
 44 | 					} */
 45 | 					tokenWithClaims = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwOi8vbXlhcGkiLCJhdWQiOiJjbGllbnRpZCIsImV4cCI6MjE0NTg5MTYwMCwic3ViIjoiMTIzNDU2Nzg5MCIsIm5hbWUiOiJKb2huIERvZSIsImFkbWluIjp0cnVlfQ.EGZZwFvl9q_44Pq5wH18FZ_R4r7FsXegkf_onRvQqU8",
 46 | 					//exp: 1999-01-01 00:00:00
 47 | 					expiredTokenWithClaims = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwOi8vbXlhcGkiLCJhdWQiOiJjbGllbnRpZCIsImV4cCI6OTE1MTQ4ODAwLCJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.HZXXIsXFO6yp8SDlL91PpuPVo_fbMXxKzOj4lCNkaV8",
 48 | 					//nbf: 1999-01-01 00:00:00 GMT
 49 | 					validNotBefore = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjkxNTE0ODgwMCwic3ViIjoieHl6In0.-KjrG0ktPVz-RrEhf79NCiWASljbA--wYjK2ykC_bbw",
 50 | 					//nbf: 2999-01-01 00:00:00 GMT
 51 | 					invalidNotBefore = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjMyNDcyMTQ0MDAwLCJzdWIiOiJ4eXoifQ.I13RhKA9iflSJ2xLHxgUARYe7IRuf7J_MlGFkNKj3cQ"
 52 | 				};
 53 | 		
 54 | 			});
 55 | 
 56 | 			describe( "encode()", function(){
 57 | 
 58 | 				it( "should return a valid JWT formatted token", function(){
 59 | 					var token = jwt.encode(testData.payload);
 60 | 
 61 | 					expect(	listLen(token,".") ).toBe(3);
 62 | 				});
 63 | 
 64 | 			});
 65 | 
 66 | 			describe( "decode()", function(){
 67 | 
 68 | 				it( "should return data decoded from JWT in a struct", function(){
 69 | 
 70 | 					var result = jwt.decode(testData.validToken);
 71 | 
 72 | 					expect(	result ).toBeStruct();
 73 | 					expect(	result.sub ).toBe(1234567890);
 74 | 					expect(	result.name ).toBe("John Doe");
 75 | 				});
 76 | 
 77 | 				it( "should throw an error for token with an invalid format", function(){
 78 | 
 79 | 					expect( function(){ 
 80 | 						jwt.decode(testData.invalidFormatToken);
 81 | 					} ).toThrow( type="Invalid Token", regex = "Token should contain 3 segments" );
 82 | 
 83 | 				});
 84 | 
 85 | 				it( "should throw an error for token signed with the wrong key", function(){
 86 | 
 87 | 					expect( function(){ 
 88 | 						jwt.decode(testData.invalidToken);
 89 | 					} ).toThrow( type="Invalid Token", regex = "Signature verification failed: Invalid key" );
 90 | 
 91 | 				});
 92 | 
 93 | 				it( "should verify token nbf (Not Before) claim ", function(){
 94 | 					var data = jwt.decode(testData.validNotBefore);
 95 | 					expect(	data.sub ).toBe("xyz");
 96 | 					expect( DateAdd("s",data.nbf,DateConvert("utc2Local","January 1 1970 00:00"))).toBeLT(now());
 97 | 				});
 98 | 
 99 | 				it( "should fail if nbf is prior to current date and time", function(){
100 | 
101 | 					expect( function(){ 
102 | 						jwt.decode(testData.expiredTokenWithClaims);
103 | 					} ).toThrow( type="Invalid Token", regex = "Signature verification failed: Token expired" );
104 | 
105 | 				});
106 | 
107 | 				it( "should verify token is not expired", function(){
108 | 					var data = jwt.decode(testData.tokenWithClaims);
109 | 					expect(	data.name ).toBe("John Doe");
110 | 				});
111 | 
112 | 				it( "should fail for an expired token", function(){
113 | 
114 | 					expect( function(){ 
115 | 						jwt.decode(testData.expiredTokenWithClaims);
116 | 					} ).toThrow( type="Invalid Token", regex = "Signature verification failed: Token expired" );
117 | 
118 | 				});
119 | 
120 | 				it( "should not fail for an expired token when ignoreExpiration is true", function(){
121 | 
122 | 					var jwt = new root.jwt(key="abcdefg",ignoreExpiration=true);
123 | 					 
124 | 					var data = local.jwt.decode(testData.expiredTokenWithClaims);
125 | 					expect(	data.name ).toBe("John Doe");
126 | 
127 | 				});
128 | 
129 | 				it( "should verify the issuer if provided", function(){
130 | 					var jwt = new root.jwt(key="abcdefg",issuer="http://myapi");
131 | 					var data = local.jwt.decode(testData.tokenWithClaims);
132 | 					expect(	data.iss ).toBe("http://myapi");
133 | 				});
134 | 
135 | 				it( "should throw an error if issuer does not match", function(){
136 | 										
137 | 					var jwt = new root.jwt(key="abcdefg",issuer="http://test.issuer.com");
138 | 					expect( function(){ 
139 | 						jwt.decode(testData.tokenWithClaims);
140 | 					} ).toThrow( type="Invalid Token", regex = "Signature verification failed: Issuer does not match" );
141 | 
142 | 				});
143 | 
144 | 				it( "should verify the audience if provided", function(){
145 | 					var jwt = new root.jwt(key="abcdefg",audience="clientid");
146 | 					var data = local.jwt.decode(testData.tokenWithClaims);
147 | 					expect(	data.aud ).toBe("clientid");
148 | 				});
149 | 
150 | 				it( "should throw an error if audience does not match", function(){
151 | 										
152 | 					var jwt = new root.jwt(key="abcdefg",audience="xyz");
153 | 					expect( function(){ 
154 | 						jwt.decode(testData.tokenWithClaims);
155 | 					} ).toThrow( type="Invalid Token", regex = "Signature verification failed: Audience does not match" );
156 | 
157 | 				});
158 | 
159 | 
160 | 
161 | 			});
162 | 
163 | 			describe( "verify()", function(){
164 | 			
165 | 				it( "should return true for a valid token", function(){
166 | 					var result = jwt.verify(testData.validToken);
167 | 
168 | 					expect(	result ).toBeTrue();
169 | 				});
170 | 
171 | 				it( "should return false for an invalid token", function(){
172 | 					var result = jwt.verify(testData.invalidToken);
173 | 
174 | 					expect(	result ).toBeFalse();
175 | 				});
176 | 
177 | 			});
178 | 
179 | 			
180 | 		});
181 | 	}
182 | 	
183 | }


--------------------------------------------------------------------------------