From fc82d456f61876509325ddda04ab4cf483755d0e Mon Sep 17 00:00:00 2001
From: Raghav Katyal
Date: Thu, 5 Jan 2023 17:55:05 -0800
Subject: [PATCH] Making AccessToken Identity required
---
 lib/jwt/AccessToken.ts | 14 +++---
 spec/unit/jwt/AccessToken.spec.js | 75 +++++++++++++++----------------
 2 files changed, 44 insertions(+), 45 deletions(-)
diff --git a/lib/jwt/AccessToken.ts b/lib/jwt/AccessToken.ts
index 5debb82095..7b7c390082 100644
--- a/lib/jwt/AccessToken.ts
+++ b/lib/jwt/AccessToken.ts
@@ -79,9 +79,9 @@ export interface AccessTokenOptions {
 */
 ttl?: number;
 /**
- * The identity of the first person
+ * The identity of the first person. Required.
 */
- identity?: string;
+ identity: string;
 /**
 * Time from epoch in seconds for not before value
 */
@@ -329,7 +329,7 @@ export default class AccessToken implements AccessTokenOptions {
 keySid: string;
 secret: string;
 ttl: number;
- identity?: string;
+ identity: string;
 nbf?: number;
 region?: string;
 grants: Grant[];
@@ -340,7 +340,7 @@ export default class AccessToken implements AccessTokenOptions {
 * @param secret - The secret to sign the token with
 * @param options - ...
 * @param options.ttl - Time to live in seconds (default 3600)
- * @param options.identity - The identity of the first person
+ * @param options.identity - The identity of the first person. Required.
 * @param options.nbf - Time from epoch in seconds for not before value
 * @param options.region - The region value associated with this account
 */
@@ -348,7 +348,7 @@ export default class AccessToken implements AccessTokenOptions {
 accountSid: string,
 keySid: string,
 secret: string,
- options?: AccessTokenOptions
+ options: AccessTokenOptions
 ) {
 if (!accountSid) {
 throw new Error("accountSid is required");
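Review bot: The constructor JSDoc in the hunk at -340 marks `options.identity` as required but never says what happens when it is missing, and `options` itself is still documented as `...` although the hunk at -348 makes the argument mandatory. I would add `@throws {Error} when a required argument, including options.identity, is missing or empty` and replace the placeholder with `@param options - Token options; must contain identity`. The same wording gap applies to the interface comment in the hunk at -79, where "Required." does not tell a caller that construction throws. The JSDoc block and the constructor both start or end outside these hunks, so tags not shown here may already cover part of this.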
@@ -359,7 +359,9 @@ export default class AccessToken implements AccessTokenOptions {
 if (!secret) {
 throw new Error("secret is required");
 }
- options = options || {};
+ if (!options || !options.identity) {
+ throw new Error("identity is required to be specified in options");
+ }
 this.accountSid = accountSid;
 this.keySid = keySid;
diff --git a/spec/unit/jwt/AccessToken.spec.js b/spec/unit/jwt/AccessToken.spec.js
index af7ebe9c23..b44e96b7c5 100644
--- a/spec/unit/jwt/AccessToken.spec.js
+++ b/spec/unit/jwt/AccessToken.spec.js
@@ -7,10 +7,21 @@ describe("AccessToken", function () {
 var accountSid = "ACaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
 var keySid = "SKb5aed9ca12bf5890f37930e63cad6d38";
+ function getToken() {
+ return new twilio.jwt.AccessToken(accountSid, keySid, "secret", {
+ identity: "ID@example.com",
+ });
+ }
+
 describe("constructor", function () {
 var initWithoutIndex = function (index) {
 return function () {
- var constructorArgs = [accountSid, keySid, "secret"];
+ var constructorArgs = [
+ accountSid,
+ keySid,
+ "secret",
+ { identity: "foo" },
+ ];
 constructorArgs[index] = undefined;
 // add context
@@ -30,6 +41,11 @@ describe("AccessToken", function () {
 it("should require secret", function () {
 expect(initWithoutIndex(2)).toThrow(new Error("secret is required"));
 });
+ it("should require identity", function () {
+ expect(initWithoutIndex(3)).toThrow(
+ new Error("identity is required to be specified in options")
+ );
+ });
 it("should convert identity from integer to string", function () {
 var token = new twilio.jwt.AccessToken(accountSid, keySid, "secret", {
 identity: 4444,
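Review bot: The added guard `if (!options || !options.identity)` enforces the requirement only at construction time and only by truthiness. `identity` remains a public, writable field (the spec lines removed by this patch assigned `token.identity` after construction), so a caller can still clear it before `toJwt()`; whether `toJwt()` re-checks is not visible in this diff, and if it does not, the same guard belongs there before the token is signed. The truthiness test also accepts any truthy non-string (an object or an array) and rejects the number `0`, while the spec still constructs a token with `identity: 4444`; an explicit test such as `typeof options.identity !== "string" && typeof options.identity !== "number"` would state the contract the type declaration implies. The constructor body continues outside the hunk.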
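Review bot: The new `should require identity` spec in the hunk at -30 drives only the `!options` half of the constructor guard, because `initWithoutIndex(3)` replaces the whole options argument with `undefined`. An options object that is present but carries no identity, or an empty one, is the more likely caller mistake and is not covered, so a regression in the `!options.identity` branch would pass unnoticed. I would add a case that passes `{}`, `{ identity: "" }` and `{ identity: null }` and expects the same error. The enclosing `describe("constructor")` block starts and ends outside this hunk.

```javascript
// … unchanged: "should require identity" spec using initWithoutIndex(3) …
it("should require identity when options omit it", function () {
  [{}, { identity: "" }, { identity: null }].forEach(function (options) {
    expect(function () {
      new twilio.jwt.AccessToken(accountSid, keySid, "secret", options);
    }).toThrow(new Error("identity is required to be specified in options"));
  });
});
```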
@@ -41,12 +57,9 @@ describe("AccessToken", function () {
 describe("generate", function () {
 describe("home region", function () {
- var secret = "aTBl1PhJnykIjWll4TOiXKtD1ugxiz6f";
-
 it("should add twr header when region is provided", function () {
- var token = new twilio.jwt.AccessToken(accountSid, keySid, secret, {
- region: "foo",
- });
+ var token = getToken();
+ token.region = "foo";
 var decoded = jwt.decode(token.toJwt(), { complete: true });
 expect(decoded.header.twr).toBe("foo");
@@ -54,9 +67,8 @@ describe("AccessToken", function () {
 ["", undefined, null, {}, 1, 0].forEach(function (value) {
 it("should not add twr header if region is " + value, function () {
- var token = new twilio.jwt.AccessToken(accountSid, keySid, secret, {
- region: value,
- });
+ var token = getToken();
+ token.region = value;
 var decoded = jwt.decode(token.toJwt(), { complete: true });
 expect(decoded.header.twr).toBe(undefined);
@@ -68,7 +80,8 @@ describe("AccessToken", function () {
 var token = new twilio.jwt.AccessToken(
 accountSid,
 keySid,
- "aTBl1PhJnykIjWll4TOiXKtD1ugxiz6f"
+ "aTBl1PhJnykIjWll4TOiXKtD1ugxiz6f",
+ { identity: "foo" }
 );
 var decoded = jwt.decode(token.toJwt(), { complete: true });
@@ -81,7 +94,7 @@ describe("AccessToken", function () {
 it("should accept different algorithms", function () {
 var validateAlg = function (alg) {
- var token = new twilio.jwt.AccessToken(accountSid, keySid, "secret");
+ var token = getToken();
 var decoded = jwt.decode(token.toJwt(alg), {
 complete: true,
 algorithms: twilio.jwt.AccessToken.ALGORITHMS,
@@ -97,7 +110,8 @@ describe("AccessToken", function () {
 it("should throw on invalid algorithm", function () {
 var generateWithAlg = function (alg) {
 return function () {
- new twilio.jwt.AccessToken(accountSid, keySid, "secret").toJwt(alg);
+ var token = getToken();
+ token.toJwt(alg);
 };
 };
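Review bot: Assigning `token.region` after `getToken()` in the hunk at -41 means the constructor's handling of `options.region` is no longer exercised by the specs shown in this patch. The same applies to the `region: value` loop in the hunk at -54 and to `nbf` in the later `should accept nbf` hunk at -123, both of which previously went through the options argument. Since the constructor is where callers normally supply these values, I would keep at least one case per option on that path, e.g. `new twilio.jwt.AccessToken(accountSid, keySid, "secret", { identity: "ID@example.com", region: "foo" })`. The `describe("home region")` block ends outside the hunk.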
@@ -109,9 +123,7 @@ describe("AccessToken", function () {
 });
 it("should create a token without any grants", function () {
- var token = new twilio.jwt.AccessToken(accountSid, keySid, "secret");
- token.identity = "ID@example.com";
-
+ var token = getToken();
 var decoded = jwt.verify(token.toJwt(), "secret");
 expect(decoded.jti.indexOf(keySid)).toBe(0);
 expect(decoded.iss).toBe(keySid);
@@ -123,11 +135,9 @@ describe("AccessToken", function () {
 });
 it("should accept nbf", function () {
+ var token = getToken();
 var nbf = Math.floor(Date.now() / 1000);
- var token = new twilio.jwt.AccessToken(accountSid, keySid, "secret", {
- nbf: nbf,
- });
- token.identity = "ID@example.com";
+ token.nbf = nbf;
 var decoded = jwt.verify(token.toJwt(), "secret");
 expect(decoded.jti.indexOf(keySid)).toBe(0);
@@ -144,18 +154,15 @@ describe("AccessToken", function () {
 });
 it("should accept user defined ttl", function () {
- var token = new twilio.jwt.AccessToken(accountSid, keySid, "secret");
+ var token = getToken();
 token.ttl = 100;
- token.identity = "ID@example.com";
 var decoded = jwt.verify(token.toJwt(), "secret");
 expect(decoded.exp - decoded.iat).toBe(100);
 });
 it("should create token with chat grant", function () {
- var token = new twilio.jwt.AccessToken(accountSid, keySid, "secret");
- token.identity = "ID@example.com";
-
+ var token = getToken();
 var grant = new twilio.jwt.AccessToken.ChatGrant();
 grant.serviceSid = "SRaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
 grant.endpointId = "endpointId";
@@ -176,9 +183,7 @@ describe("AccessToken", function () {
 });
 it("should create token with video grant", function () {
- var token = new twilio.jwt.AccessToken(accountSid, keySid, "secret");
- token.identity = "ID@example.com";
-
+ var token = getToken();
 var grant = new twilio.jwt.AccessToken.VideoGrant();
 grant.room = "room";
 token.addGrant(grant);
@@ -193,9 +198,7 @@ describe("AccessToken", function () {
 });
 it("should create token with sync grant", function () {
- var token = new twilio.jwt.AccessToken(accountSid, keySid, "secret");
- token.identity = "ID@example.com";
-
+ var token = getToken();
 var grant = new twilio.jwt.AccessToken.SyncGrant();
 grant.serviceSid = "ISaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
 grant.endpointId = "endpointId";
@@ -212,9 +215,7 @@ describe("AccessToken", function () {
 });
 it("should create token with taskrouter grant", function () {
- var token = new twilio.jwt.AccessToken(accountSid, keySid, "secret");
- token.identity = "ID@example.com";
-
+ var token = getToken();
 var grant = new twilio.jwt.AccessToken.TaskRouterGrant();
 grant.workspaceSid = "WSxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
 grant.workerSid = "WKxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
@@ -233,9 +234,7 @@ describe("AccessToken", function () {
 });
 it("should create token with playback grant", function () {
- var token = new twilio.jwt.AccessToken(accountSid, keySid, "secret");
- token.identity = "ID@example.com";
-
+ var token = getToken();
 var playbackGrant = {
 requestCredentials: null,
 playbackUrl:
@@ -255,9 +254,7 @@ describe("AccessToken", function () {
 });
 it("should create token with multiple grants", function () {
- var token = new twilio.jwt.AccessToken(accountSid, keySid, "secret");
- token.identity = "ID@example.com";
-
+ var token = getToken();
 var grant = new twilio.jwt.AccessToken.ChatGrant();
 grant.serviceSid = "SRaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
 grant.endpointId = "endpointId";