[IMP] add tests for channel auth keys

ThanhDodeurOdoo · alexkuhn · commit 932dfb9fdcb7 · 2025-07-29T11:34:53.000+02:00
diff --git a/src/services/auth.ts b/src/services/auth.ts
@@ -4,6 +4,7 @@ import * as config from "#src/config.ts";
 import { Logger } from "#src/utils/utils.ts";
 import { AuthenticationError } from "#src/utils/errors.ts";
 import type { SessionId } from "#src/models/session.ts";
+import type { StringLike } from "#src/shared/types.ts";
 
 /**
  * JsonWebToken (JOSE) header
@@ -124,7 +125,7 @@ function base64Decode(str: string): Buffer {
  */
 export function sign(
     claims: JWTClaims,
-    key: Buffer | string = jwtKey!,
+    key: StringLike = jwtKey!,
     options: SignOptions = {}
 ): string {
     const { algorithm = ALGORITHM.HS256 } = options;
@@ -180,7 +181,7 @@ function safeEqual(a: Buffer, b: Buffer): boolean {
 /**
  * @throws {AuthenticationError} If verification fails
  */
-export function verify(jsonWebToken: string, key: Buffer | string = jwtKey!): JWTClaims {
+export function verify(jsonWebToken: string, key: StringLike = jwtKey!): JWTClaims {
     if (!key) {
         throw new AuthenticationError("JWT verification key is not set");
     }
diff --git a/src/shared/types.ts b/src/shared/types.ts
@@ -8,6 +8,8 @@ export type JSONSerializable =
 
 export type StreamType = "audio" | "camera" | "screen";
 
+export type StringLike = Buffer | string;
+
 import type { DownloadStates } from "#src/client.ts";
 import type { SessionId, SessionInfo, TransportConfig } from "#src/models/session.ts";
 
diff --git a/tests/network.test.ts b/tests/network.test.ts
@@ -268,7 +268,7 @@ describe("Full network", () => {
         expect(closeEvent.code).toBe(SESSION_CLOSE_CODE.P_TIMEOUT);
     });
     test("A client can broadcast arbitrary messages to other clients on a channel that does not have webRTC", async () => {
-        const channelUUID = await network.getChannelUUID(false);
+        const channelUUID = await network.getChannelUUID({ useWebRtc: false });
         const user1 = await network.connect(channelUUID, 1);
         const user2 = await network.connect(channelUUID, 2);
         const sender = await network.connect(channelUUID, 3);
diff --git a/tests/security.test.ts b/tests/security.test.ts
@@ -38,4 +38,21 @@ describe("Security", () => {
         const [event] = await once(websocket, "close");
         expect(event).toBe(WS_CLOSE_CODE.TIMEOUT);
     });
+    test("cannot access a channel with the wrong key", async () => {
+        const channelUUID = await network.getChannelUUID({ key: "channel-specific-key" });
+        const channel = Channel.records.get(channelUUID);
+        // testing the default/global key
+        await expect(network.connect(channelUUID, 3)).rejects.toThrow();
+        expect(channel!.sessions.size).toBe(0);
+        // any arbitrary wrong key
+        await expect(network.connect(channelUUID, 3, { key: "wrong-key" })).rejects.toThrow();
+        expect(channel!.sessions.size).toBe(0);
+    });
+    test("can join a channel with its specific key", async () => {
+        const key = "channel-specific-key";
+        const channelUUID = await network.getChannelUUID({ key });
+        const channel = Channel.records.get(channelUUID);
+        await network.connect(channelUUID, 4, { key });
+        expect(channel!.sessions.size).toBe(1);
+    });
 });
diff --git a/tests/utils/network.ts b/tests/utils/network.ts
@@ -10,6 +10,7 @@ import { SfuClient, SfuClientState } from "#src/client";
 import { Channel } from "#src/models/channel";
 import type { Session } from "#src/models/session";
 import type { JWTClaims } from "#src/services/auth";
+import { StringLike } from "#src/shared/types.ts";
 
 /**
  * HMAC key for JWT signing in tests
@@ -21,10 +22,11 @@ const HMAC_KEY = Buffer.from(HMAC_B64_KEY, "base64");
  * Creates a JWT token for testing
  *
  * @param data - Claims to include in the JWT
+ * @param [key] - Key to sign the JWT with
  * @returns Signed JWT string
  */
-export function makeJwt(data: JWTClaims): string {
-    return auth.sign(data, HMAC_KEY, { algorithm: auth.ALGORITHM.HS256 });
+export function makeJwt(data: JWTClaims, key: StringLike = HMAC_KEY): string {
+    return auth.sign(data, key, { algorithm: auth.ALGORITHM.HS256 });
 }
 
 /**
@@ -51,7 +53,7 @@ export class LocalNetwork {
     public port?: number;
 
     /** JWT creation function (can be overridden for testing) */
-    public makeJwt: (data: JWTClaims) => string = makeJwt;
+    public makeJwt: (data: JWTClaims, key?: StringLike) => string = makeJwt;
 
     /** Active SFU client instances */
     private readonly _sfuClients: SfuClient[] = [];
@@ -74,17 +76,19 @@ export class LocalNetwork {
 
     /**
      * Creates a new channel and returns its UUID
-     *
-     * @param useWebRtc - Whether to enable WebRTC for the channel
+     * @param [param0] - options
+     * @param [param0.useWebRtc=true] - Whether to enable WebRTC for the channel
+     * @param [param0.key=HMAC_B64_KEY] - Channel key
      * @returns Promise resolving to channel UUID
      */
-    async getChannelUUID(useWebRtc: boolean = true): Promise<string> {
+    async getChannelUUID({ useWebRtc = true, key = HMAC_B64_KEY } = {}): Promise<string> {
         if (!this.hostname || !this.port) {
             throw new Error("Network not started - call start() first");
         }
 
         const jwt = this.makeJwt({
-            iss: `http://${this.hostname}:${this.port}/`
+            iss: `http://${this.hostname}:${this.port}/`,
+            key
         });
 
         const response = await fetch(
@@ -110,10 +114,16 @@ export class LocalNetwork {
      *
      * @param channelUUID - Channel UUID to connect to
      * @param sessionId - Session identifier
+     * @param [param2]
+     * @param [param2.key=HMAC_B64_KEY] - Channel key
      * @returns Promise resolving to connection result
      * @throws {Error} If client is closed before authentication
      */
-    async connect(channelUUID: string, sessionId: number): Promise<ConnectionResult> {
+    async connect(
+        channelUUID: string,
+        sessionId: number,
+        { key = HMAC_KEY }: { key?: StringLike } = {}
+    ): Promise<ConnectionResult> {
         if (!this.hostname || !this.port) {
             throw new Error("Network not started - call start() first");
         }
@@ -122,16 +132,16 @@ export class LocalNetwork {
         const sfuClient = new SfuClient();
         this._sfuClients.push(sfuClient);
 
-        // Override device creation for testing environment
-        (sfuClient as any)._createDevice = (): Device => {
+        // @ts-expect-error private property
+        sfuClient._createDevice = (): Device => {
             // Mock device creation since we're in a server environment without real WebRTC
             return new Device({
                 handlerFactory: FakeHandler.createFactory(fakeParameters)
             });
         };
 
-        // Override WebSocket creation for Node.js environment
-        (sfuClient as any)._createWebSocket = (url: string): WebSocket => {
+        // @ts-expect-error private property
+        sfuClient._createWebSocket = (url: string): WebSocket => {
             // Replace browser WebSocket with Node.js ws package
             return new WebSocket(url);
         };
@@ -164,10 +174,13 @@ export class LocalNetwork {
         // Start connection
         sfuClient.connect(
             `ws://${this.hostname}:${this.port}`,
-            this.makeJwt({
-                sfu_channel_uuid: channelUUID,
-                session_id: sessionId
-            }),
+            this.makeJwt(
+                {
+                    sfu_channel_uuid: channelUUID,
+                    session_id: sessionId
+                },
+                key
+            ),
             { channelUUID }
         );
 
