JWT session middleware (todo §4); authenticate(): verify the session cookie via cached JWKS (key by kid) → exp/nbf/iss/aud claims (clock skew) → ctx.user/roles; iss/aud opt-in; fail-closed

2026-06-18 09:53:37 +02:00
parent 38157605d0
commit c8b56b85eb
11 changed files with 308 additions and 8 deletions


@@ -31,6 +31,15 @@ test("JWKS_URL defaults to the committed Kratos tokenizer signing key, not an ht
assert.match(url.pathname, /tokenizer\/jwks\.json$/);
});
test("JWT issuer/audience are optional: unset by default, pinned from the env", () => {
const def = loadConfig({});
assert.equal(def.jwtIssuer, undefined);
assert.equal(def.jwtAudience, undefined);
const c = loadConfig({ JWT_AUDIENCE: "plainpages", JWT_ISSUER: "https://id.example.com" });
assert.equal(c.jwtIssuer, "https://id.example.com");
assert.equal(c.jwtAudience, "plainpages");
});
test("parses explicit boolean toggles and rejects non-boolean values", () => {
assert.equal(loadConfig({ CACHE_TEMPLATES: "true" }).cacheTemplates, true);
assert.equal(loadConfig({ CACHE_TEMPLATES: "false" }).cacheTemplates, false);
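Review bot: The new issuer/audience test pins only the fully-unset and fully-set cases; an empty or whitespace-only `JWT_ISSUER`/`JWT_AUDIENCE` (a common `.env` leftover) is not exercised, so whether loadConfig maps `""` to "unset, claim not checked" or keeps it as a literal value that no token can match is left unspecified by this test. Add a third case alongside the existing two, e.g. `assert.equal(loadConfig({ JWT_ISSUER: "" }).jwtIssuer, undefined);` if loadConfig normalises blanks, or the throwing counterpart if it rejects them — I cannot tell which from this hunk. Since `undefined` here means the middleware will not validate that claim at all, a one-line comment on the first assertion would record the consequence next to the default, e.g. `// undefined = iss/aud not validated; production deployments should set both to pin the token source`. The surrounding test file continues past this hunk.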