I wrote some unit tests for the JWT vulnerabilities (#398), testing the controller functions and some validator exploits to the best of my ability.
I refactored some relatively minor things to make the controller easier to test:

- created a method to create a token with a JWK header in the existing IJWTTokenGenerator, so I can also use it in the test without too much duplication
- removed the static initialization logic in JWTAlgorithmKMS and manage its singleton lifecycle via Spring instead, mainly so I can inject it into the controller and spy on it in the test
- replaced the String type of the RequestEntity parameters with Void; this should be the correct type for GET requests and allows creation of test objects