feat: add JWT validation on JWT retrieval

Author: Koosha-Owji

lib/__tests__/mocks.ts

@@ -129,3 +129,24 @@ class ServerSessionManager implements SessionManager {
 export const sessionManager = new ServerSessionManager();
 
 global.fetch = fetchClient;
+
+// Mock @kinde/jwt-validator
+export const createJwtValidatorMock = () => ({
+  validateToken: vi.fn().mockImplementation(async ({ token, domain }) => {
+    if (!token) {
+      return { valid: false, message: 'Token is required' };
+    }
+
+    if (!domain) {
+      return { valid: false, message: 'Domain is required' };
+    }
+
+    const jwtParts = token.split('.');
+    if (jwtParts.length !== 3) {
+      return { valid: false, message: 'Invalid JWT format' };
+    }
+
+    // If it passes basic validation, return true (simplified for testing)
+    return { valid: true, message: 'Token is valid' };
+  }),
+});

lib/__tests__/sdk/oauth2-flows/AuthCodeWithPKCE.spec.ts

@@ -1,25 +1,3 @@
-import { vi } from 'vitest';
-
-// Mock the validateToken function - must be at the top for Vitest hoisting
-vi.mock('@kinde/jwt-validator', () => ({
-  validateToken: vi.fn().mockImplementation(async ({ token }) => {
-    try {
-      const payload = JSON.parse(atob(token.split('.')[1]));
-      const currentTime = Math.floor(Date.now() / 1000);
-      const isExpired = payload.exp && currentTime >= payload.exp;
-      return {
-        valid: !isExpired,
-        message: isExpired ? 'Token expired' : 'Token valid',
-      };
-    } catch (e) {
-      return {
-        valid: false,
-        message: 'Invalid token format',
-      };
-    }
-  }),
-}));
-
 import type {
   AuthorizationCodeOptions,
   SDKHeaderOverrideOptions,

lib/__tests__/sdk/oauth2-flows/AuthorizationCode.spec.ts

@@ -1,25 +1,3 @@
-import { vi } from 'vitest';
-
-// Mock the validateToken function - must be at the top for Vitest hoisting
-vi.mock('@kinde/jwt-validator', () => ({
-  validateToken: vi.fn().mockImplementation(async ({ token }) => {
-    try {
-      const payload = JSON.parse(atob(token.split('.')[1]));
-      const currentTime = Math.floor(Date.now() / 1000);
-      const isExpired = payload.exp && currentTime >= payload.exp;
-      return {
-        valid: !isExpired,
-        message: isExpired ? 'Token expired' : 'Token valid',
-      };
-    } catch (e) {
-      return {
-        valid: false,
-        message: 'Invalid token format',
-      };
-    }
-  }),
-}));
-
 import { getSDKHeader } from '../../../sdk/version';
 import * as mocks from '../../mocks';
 

lib/__tests__/sdk/oauth2-flows/ClientCredentials.spec.ts

@@ -1,25 +1,3 @@
-import { vi } from 'vitest';
-
-// Mock the validateToken function - must be at the top for Vitest hoisting
-vi.mock('@kinde/jwt-validator', () => ({
-  validateToken: vi.fn().mockImplementation(async ({ token }) => {
-    try {
-      const payload = JSON.parse(atob(token.split('.')[1]));
-      const currentTime = Math.floor(Date.now() / 1000);
-      const isExpired = payload.exp && currentTime >= payload.exp;
-      return {
-        valid: !isExpired,
-        message: isExpired ? 'Token expired' : 'Token valid',
-      };
-    } catch (e) {
-      return {
-        valid: false,
-        message: 'Invalid token format',
-      };
-    }
-  }),
-}));
-
 import { ClientCredentials } from '../../../sdk/oauth2-flows/ClientCredentials';
 import { type ClientCredentialsOptions } from '../../../sdk/oauth2-flows/types';
 import {

lib/__tests__/sdk/utilities/feature-flags.spec.ts

@@ -11,12 +11,13 @@ import {
 describe('feature-flags', () => {
   let mockAccessToken: Awaited<ReturnType<typeof mocks.getMockAccessToken>>;
   const { sessionManager } = mocks;
+  const authDomain = 'local-testing@kinde.com';
 
   let validationDetails: TokenValidationDetailsType;
 
   beforeAll(async () => {
     validationDetails = {
-      issuer: '',
+      issuer: authDomain,
     };
   });
 

lib/__tests__/sdk/utilities/token-claims.spec.ts

@@ -6,15 +6,22 @@ import {
   getClaimValue,
   getPermission,
   getClaim,
+  type TokenValidationDetailsType,
 } from '../../../sdk/utilities';
 import { describe, it, expect, beforeAll, afterAll } from 'vitest';
 
 describe('token-claims', () => {
   let mockAccessToken: Awaited<ReturnType<typeof mocks.getMockAccessToken>>;
   let mockIdToken: Awaited<ReturnType<typeof mocks.getMockIdToken>>;
+  const authDomain = 'local-testing@kinde.com';
   const { sessionManager } = mocks;
 
+  let validationDetails: TokenValidationDetailsType;
+
   beforeAll(async () => {
+    validationDetails = {
+      issuer: authDomain,
+    };
     mockAccessToken = await mocks.getMockAccessToken();
     mockIdToken = await mocks.getMockIdToken();
     await sessionManager.setSessionItem('access_token', mockAccessToken.token);
@@ -28,7 +35,12 @@ describe('token-claims', () => {
   describe('getClaimValue', () => {
     it('returns value for a token claim if claim exists', () => {
       Object.keys(mockAccessToken.payload).forEach(async (name: string) => {
-        const claimValue = await getClaimValue(sessionManager, name, 'access_token');
+        const claimValue = await getClaimValue(
+          sessionManager,
+          name,
+          'access_token',
+          validationDetails
+        );
         const tokenPayload = mockAccessToken.payload as Record<string, unknown>;
         expect(claimValue).toStrictEqual(tokenPayload[name]);
       });
@@ -39,7 +51,8 @@ describe('token-claims', () => {
       const claimValue = await getClaimValue(
         sessionManager,
         claimName,
-        'access_token'
+        'access_token',
+        validationDetails
       );
       expect(claimValue).toBe(null);
     });
@@ -48,15 +61,25 @@ describe('token-claims', () => {
   describe('getClaim', () => {
     it('returns value for a token claim if claim exists', () => {
       Object.keys(mockAccessToken.payload).forEach(async (name: string) => {
-        const claim = await getClaim(sessionManager, name, 'access_token');
+        const claim = await getClaim(
+          sessionManager,
+          name,
+          'access_token',
+          validationDetails
+        );
         const tokenPayload = mockAccessToken.payload as Record<string, unknown>;
         expect(claim).toStrictEqual({ name, value: tokenPayload[name] });
       });
     });
 
     it('return null if claim does not exist', async () => {
       const claimName = 'non-existant-claim';
-      const claim = await getClaim(sessionManager, claimName, 'access_token');
+      const claim = await getClaim(
+        sessionManager,
+        claimName,
+        'access_token',
+        validationDetails
+      );
       expect(claim).toStrictEqual({ name: claimName, value: null });
     });
   });
@@ -65,7 +88,9 @@ describe('token-claims', () => {
     it('return orgCode and isGranted = true if permission is given', () => {
       const { permissions } = mockAccessToken.payload;
       permissions.forEach(async (permission) => {
-        expect(await getPermission(sessionManager, permission)).toStrictEqual({
+        expect(
+          await getPermission(sessionManager, permission, validationDetails)
+        ).toStrictEqual({
           orgCode: mockAccessToken.payload.org_code,
           isGranted: true,
         });
@@ -75,7 +100,9 @@ describe('token-claims', () => {
     it('return isGranted = false is permission is not given', async () => {
       const orgCode = mockAccessToken.payload.org_code;
       const permissionName = 'non-existant-permission';
-      expect(await getPermission(sessionManager, permissionName)).toStrictEqual({
+      expect(
+        await getPermission(sessionManager, permissionName, validationDetails)
+      ).toStrictEqual({
         orgCode,
         isGranted: false,
       });
@@ -84,7 +111,9 @@ describe('token-claims', () => {
   describe('getUserOrganizations', () => {
     it('lists all user organizations using id token', async () => {
       const orgCodes = mockIdToken.payload.org_codes;
-      expect(await getUserOrganizations(sessionManager)).toStrictEqual({
+      expect(
+        await getUserOrganizations(sessionManager, validationDetails)
+      ).toStrictEqual({
         orgCodes,
       });
     });
@@ -93,7 +122,9 @@ describe('token-claims', () => {
   describe('getOrganization', () => {
     it('returns organization code using accesss token', async () => {
       const orgCode = mockAccessToken.payload.org_code;
-      expect(await getOrganization(sessionManager)).toStrictEqual({ orgCode });
+      expect(await getOrganization(sessionManager, validationDetails)).toStrictEqual(
+        { orgCode }
+      );
     });
   });
 });

lib/__tests__/sdk/utilities/token-utils.spec.ts

@@ -1,25 +1,3 @@
-import { vi } from 'vitest';
-
-// Mock the validateToken function - must be at the top for Vitest hoisting
-vi.mock('@kinde/jwt-validator', () => ({
-  validateToken: vi.fn().mockImplementation(async ({ token }) => {
-    try {
-      const payload = JSON.parse(atob(token.split('.')[1]));
-      const currentTime = Math.floor(Date.now() / 1000);
-      const isExpired = payload.exp && currentTime >= payload.exp;
-      return {
-        valid: !isExpired,
-        message: isExpired ? 'Token expired' : 'Token valid',
-      };
-    } catch (e) {
-      return {
-        valid: false,
-        message: 'Invalid token format',
-      };
-    }
-  }),
-}));
-
 import * as mocks from '../../mocks';
 import { describe, it, expect, beforeAll, afterEach } from 'vitest';
 import {
@@ -117,7 +95,7 @@ describe('token-utils', () => {
         validationDetails
       );
 
-      const storedUser = await getUserFromSession(sessionManager);
+      const storedUser = await getUserFromSession(sessionManager, validationDetails);
       const expectedUser = {
         family_name: idTokenPayload.family_name,
         given_name: idTokenPayload.given_name,
@@ -134,28 +112,28 @@ describe('token-utils', () => {
 
   describe('isTokenExpired()', () => {
     it('returns true if null is provided as argument', async () => {
-      expect(isTokenExpired(null)).toBe(true);
+      expect(await isTokenExpired(null, validationDetails)).toBe(true);
     });
 
     it('returns true if provided token is expired', async () => {
       const { token: mockAccessToken } = await mocks.getMockAccessToken(
         domain,
         true
       );
-      expect(isTokenExpired(mockAccessToken)).toBe(true);
+      expect(await isTokenExpired(mockAccessToken, validationDetails)).toBe(true);
     });
 
     it('returns true if provided token is missing "exp" claim', async () => {
       const { token: mockAccessToken } = await mocks.getMockAccessToken(
         domain,
         true
       );
-      expect(isTokenExpired(mockAccessToken)).toBe(true);
+      expect(await isTokenExpired(mockAccessToken, validationDetails)).toBe(true);
     });
 
     it('returns false if provided token is not expired', async () => {
       const { token: mockAccessToken } = await mocks.getMockAccessToken(domain);
-      expect(isTokenExpired(mockAccessToken)).toBe(false);
+      expect(await isTokenExpired(mockAccessToken, validationDetails)).toBe(false);
     });
   });
 });

lib/sdk/clients/browser/authcode-with-pkce.ts

@@ -114,7 +114,10 @@ const createAuthCodeWithPKCEClient = (options: BrowserPKCEClientOptions) => {
     if (!(await isAuthenticated())) {
       throw new Error('Cannot get user details, no authentication credential found');
     }
-    return (await utilities.getUserFromSession(sessionManager))!;
+    return (await utilities.getUserFromSession(
+      sessionManager,
+      client.tokenValidationDetails
+    ))!;
   };
 
   /**
@@ -206,7 +209,12 @@ const createAuthCodeWithPKCEClient = (options: BrowserPKCEClientOptions) => {
       );
     }
 
-    return await tokenClaims.getClaimValue(sessionManager, claim, type);
+    return await tokenClaims.getClaimValue(
+      sessionManager,
+      claim,
+      type,
+      client.tokenValidationDetails
+    );
   };
 
   /**
@@ -225,7 +233,12 @@ const createAuthCodeWithPKCEClient = (options: BrowserPKCEClientOptions) => {
         `Cannot return claim "${claim}", no authentication credential found`
       );
     }
-    return await tokenClaims.getClaim(sessionManager, claim, type);
+    return await tokenClaims.getClaim(
+      sessionManager,
+      claim,
+      type,
+      client.tokenValidationDetails
+    );
   };
 
   /**
@@ -243,7 +256,11 @@ const createAuthCodeWithPKCEClient = (options: BrowserPKCEClientOptions) => {
         `Cannot return permission "${name}", no authentication credential found`
       );
     }
-    return await tokenClaims.getPermission(sessionManager, name);
+    return await tokenClaims.getPermission(
+      sessionManager,
+      name,
+      client.tokenValidationDetails
+    );
   };
 
   /**
@@ -256,7 +273,10 @@ const createAuthCodeWithPKCEClient = (options: BrowserPKCEClientOptions) => {
         'Cannot return user organization, no authentication credential found'
       );
     }
-    return await tokenClaims.getOrganization(sessionManager);
+    return await tokenClaims.getOrganization(
+      sessionManager,
+      client.tokenValidationDetails
+    );
   };
 
   /**
@@ -270,7 +290,10 @@ const createAuthCodeWithPKCEClient = (options: BrowserPKCEClientOptions) => {
         'Cannot return user organizations, no authentication credential found'
       );
     }
-    return await tokenClaims.getUserOrganizations(sessionManager);
+    return await tokenClaims.getUserOrganizations(
+      sessionManager,
+      client.tokenValidationDetails
+    );
   };
 
   /**
@@ -287,7 +310,10 @@ const createAuthCodeWithPKCEClient = (options: BrowserPKCEClientOptions) => {
         'Cannot return user permissions, no authentication credential found'
       );
     }
-    return await tokenClaims.getPermissions(sessionManager);
+    return await tokenClaims.getPermissions(
+      sessionManager,
+      client.tokenValidationDetails
+    );
   };
 
   /**