auth0 · adamjmcgrath · Jul 15, 2020 · Jul 14, 2020
diff --git a/test/appSession.tests.js b/test/appSession.tests.js
@@ -7,7 +7,8 @@ const request = require('request-promise-native').defaults({
 const sinon = require('sinon');
 
 const appSession = require('../lib/appSession');
-const sessionEncryption = require('./fixture/sessionEncryption');
+const { encrypted } = require('./fixture/sessionEncryption');
+const { makeIdToken } = require('./fixture/cert');
 const { get: getConfig } = require('../lib/config');
 const { create: createServer } = require('./fixture/server');
 
@@ -17,10 +18,25 @@ const defaultConfig = {
   issuerBaseURL: 'https://op.example.com',
   baseURL: 'https://example.org',
   secret: '__test_secret__',
+  errorOnRequiredAuth: true,
+};
+
+const login = async (claims) => {
+  const jar = request.jar();
+  await request.post('/session', {
+    baseUrl,
+    jar,
+    json: {
+      id_token: makeIdToken(claims),
+    },
+  });
+  return jar;
 };
 
 const baseUrl = 'http://localhost:3000';
 
+const HR_MS = 60 * 60 * 1000;
+
 describe('appSession', () => {
   let server;
 
@@ -62,7 +78,7 @@ describe('appSession', () => {
       baseUrl,
       json: true,
       headers: {
-        cookie: `appSession=${sessionEncryption.encrypted}`,
+        cookie: `appSession=${encrypted}`,
       },
     });
     assert.equal(res.statusCode, 200);
@@ -75,7 +91,7 @@ describe('appSession', () => {
       baseUrl,
       json: true,
       headers: {
-        cookie: `appSession=${sessionEncryption.encrypted}`,
+        cookie: `appSession=${encrypted}`,
       },
     });
     assert.equal(res.statusCode, 200);
@@ -158,7 +174,7 @@ describe('appSession', () => {
       json: true,
       jar,
       headers: {
-        cookie: `appSession=${sessionEncryption.encrypted}`,
+        cookie: `appSession=${encrypted}`,
       },
     });
     const [cookie] = jar.getCookies(baseUrl);
@@ -194,7 +210,7 @@ describe('appSession', () => {
       json: true,
       jar,
       headers: {
-        cookie: `appSession=${sessionEncryption.encrypted}`,
+        cookie: `appSession=${encrypted}`,
       },
     });
     const [cookie] = jar.getCookies(baseUrl);
@@ -220,7 +236,7 @@ describe('appSession', () => {
       json: true,
       jar,
       headers: {
-        cookie: `customName=${sessionEncryption.encrypted}`,
+        cookie: `customName=${encrypted}`,
       },
     });
     const [cookie] = jar.getCookies(baseUrl);
@@ -243,7 +259,7 @@ describe('appSession', () => {
       json: true,
       jar,
       headers: {
-        cookie: `appSession=${sessionEncryption.encrypted}`,
+        cookie: `appSession=${encrypted}`,
       },
     });
     const [cookie] = jar.getCookies(baseUrl);
@@ -265,7 +281,7 @@ describe('appSession', () => {
       json: true,
       jar,
       headers: {
-        cookie: `appSession=${sessionEncryption.encrypted}`,
+        cookie: `appSession=${encrypted}`,
       },
     });
     assert.equal(res.statusCode, 200);
@@ -308,4 +324,85 @@ describe('appSession', () => {
     const res = await request.get('/session', { baseUrl, json: true });
     assert.equal(res.statusCode, 200);
   });
+
+  it('should expire after 24hrs of inactivity by default', async () => {
+    const clock = sinon.useFakeTimers({ toFake: ['Date'] });
+    server = await createServer(appSession(getConfig(defaultConfig)));
+    const jar = await login({ sub: '__test_sub__' });
+    let res = await request.get('/session', { baseUrl, jar, json: true });
+    assert.isNotEmpty(res.body);
+    clock.tick(23 * HR_MS);
+    res = await request.get('/session', { baseUrl, jar, json: true });
+    assert.isNotEmpty(res.body);
+    clock.tick(25 * HR_MS);
+    res = await request.get('/session', { baseUrl, jar, json: true });
+    assert.isEmpty(res.body);
+    clock.restore();
+  });
+
+  it('should expire after 7days regardless of activity by default', async () => {
+    const clock = sinon.useFakeTimers({ toFake: ['Date'] });
+    server = await createServer(appSession(getConfig(defaultConfig)));
+    const jar = await login({ sub: '__test_sub__' });
+    let days = 7;
+    while (days--) {
+      clock.tick(23 * HR_MS);
+      let res = await request.get('/session', { baseUrl, jar, json: true });
+      assert.isNotEmpty(res.body);
+    }
+    clock.tick(8 * HR_MS);
+    let res = await request.get('/session', { baseUrl, jar, json: true });
+    assert.isEmpty(res.body);
+    clock.restore();
+  });
+
+  it('should expire only after defined absoluteDuration', async () => {
+    const clock = sinon.useFakeTimers({ toFake: ['Date'] });
+    server = await createServer(
+      appSession(
+        getConfig({
+          ...defaultConfig,
+          session: {
+            rolling: false,
+            absoluteDuration: 10 * 60 * 60,
+          },
+        })
+      )
+    );
+    const jar = await login({ sub: '__test_sub__' });
+    clock.tick(9 * HR_MS);
+    let res = await request.get('/session', { baseUrl, jar, json: true });
+    assert.isNotEmpty(res.body);
+    clock.tick(2 * HR_MS);
+    res = await request.get('/session', { baseUrl, jar, json: true });
+    assert.isEmpty(res.body);
+    clock.restore();
+  });
+
+  it('should expire only after defined rollingDuration period of inactivty', async () => {
+    const clock = sinon.useFakeTimers({ toFake: ['Date'] });
+    server = await createServer(
+      appSession(
+        getConfig({
+          ...defaultConfig,
+          session: {
+            rolling: true,
+            rollingDuration: 24 * 60 * 60,
+            absoluteDuration: false,
+          },
+        })
+      )
+    );
+    const jar = await login({ sub: '__test_sub__' });
+    let days = 30;
+    while (days--) {
+      clock.tick(23 * HR_MS);
+      let res = await request.get('/session', { baseUrl, jar, json: true });
+      assert.isNotEmpty(res.body);
+    }
+    clock.tick(25 * HR_MS);
+    let res = await request.get('/session', { baseUrl, jar, json: true });
+    assert.isEmpty(res.body);
+    clock.restore();
+  });
 });
diff --git a/test/config.tests.js b/test/config.tests.js
@@ -217,14 +217,49 @@ describe('get config', () => {
     assert.throws(() => {
       getConfig({
         ...defaultConfig,
-        secret: '__test_session_secret__',
         session: {
           rollingDuration: 3.14159,
         },
       });
     }, '"session.rollingDuration" must be an integer');
   });
 
+  it('should fail when rollingDuration is defined and rolling is false', function () {
+    assert.throws(() => {
+      getConfig({
+        ...defaultConfig,
+        session: {
+          rolling: false,
+          rollingDuration: 100,
+        },
+      });
+    }, '"session.rollingDuration" must be false when "session.rolling" is disabled');
+  });
+
+  it('should fail when rollingDuration is not defined and rolling is true', function () {
+    assert.throws(() => {
+      getConfig({
+        ...defaultConfig,
+        session: {
+          rolling: true,
+          rollingDuration: false,
+        },
+      });
+    }, '"session.rollingDuration" must be provided an integer value when "session.rolling" is true');
+  });
+
+  it('should fail when absoluteDuration is not defined and rolling is false', function () {
+    assert.throws(() => {
+      getConfig({
+        ...defaultConfig,
+        session: {
+          rolling: false,
+          absoluteDuration: false,
+        },
+      });
+    }, '"session.absoluteDuration" must be provided an integer value when "session.rolling" is false');
+  });
+
   it('should fail when app session secret is invalid', function () {
     assert.throws(() => {
       getConfig({
@@ -238,7 +273,6 @@ describe('get config', () => {
     assert.throws(() => {
       getConfig({
         ...defaultConfig,
-        secret: '__test_session_secret__',
         session: {
           cookie: {
             httpOnly: '__invalid_httponly__',

diff --git a/test/auth.tests.js → test/login.tests.js b/test/auth.tests.js → test/login.tests.js
diff --git a/test/setup.js b/test/setup.js
@@ -2,7 +2,7 @@ const nock = require('nock');
 const wellKnown = require('./fixture/well-known.json');
 const certs = require('./fixture/cert');
 
-before(function () {
+beforeEach(function () {
   nock('https://op.example.com', { allowUnmocked: true })
     .persist()
     .get('/.well-known/openid-configuration')
@@ -24,6 +24,6 @@ before(function () {
     .reply(200, certs.jwks);
 });
 
-after(function () {
+afterEach(function () {
   nock.cleanAll();
 });