fix: safeguard TokenSet prototype methods

closes #511
panva · Aug 23, 2022 · 7468674 · 7468674 · fredericoo · Aug 26, 2022
1 parent 2e02d5b
commit 7468674
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 0 deletions.
diff --git a/lib/token_set.js b/lib/token_set.js
@@ -4,6 +4,11 @@ const now = require('./helpers/unix_timestamp');
 class TokenSet {
   constructor(values) {
     Object.assign(this, values);
+    const { constructor, ...properties } = Object.getOwnPropertyDescriptors(
+      this.constructor.prototype,
+    );
+
+    Object.defineProperties(this, properties);
   }
 
   set expires_in(value) {

diff --git a/test/tokenset/tokenset.test.js b/test/tokenset/tokenset.test.js
@@ -54,4 +54,30 @@ describe('TokenSet', function () {
 
     expect(JSON.parse(JSON.stringify(ts))).to.eql(ts);
   });
+
+  it('cannot have its prototype methods overloaded', function () {
+    let ts = new TokenSet({
+      claims: null,
+      id_token:
+        'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ',
+    });
+
+    expect(ts.claims).to.be.a('function');
+    expect(ts.claims()).to.eql({ admin: true, name: 'John Doe', sub: '1234567890' });
+
+    ts = new TokenSet({ expires_in: 'foo' });
+    ts.expires_in = 200;
+    expect(ts.expires_in).to.be.a('number');
+    expect(ts.expired()).to.eql(false);
+
+    const e = new Error();
+    class CustomTokenSet extends TokenSet {
+      expired() {
+        throw e;
+      }
+    }
+
+    ts = new CustomTokenSet({});
+    expect(() => ts.expired()).to.throw(e);
+  });
 });