pingdotgg · juliusmarminge · Jun 19, 2026 · Jun 12, 2026 · Jun 12, 2026 · Jun 12, 2026
diff --git a/packages/shared/src/dpop.test.ts b/packages/shared/src/dpop.test.ts
@@ -1,6 +1,6 @@
 import * as NodeCrypto from "node:crypto";
 
-import { describe, expect, it } from "@effect/vitest";
+import { assert, describe, it } from "@effect/vitest";
 
 import {
   computeDpopAccessTokenHash,
@@ -56,59 +56,93 @@ describe("verifyDpopProof", () => {
 
   it("verifies an ES256 DPoP proof and returns the RFC 7638 thumbprint", () => {
     const thumbprint = computeDpopJwkThumbprint(publicJwk);
-    expect(
-      verifyDpopProof({
-        proof,
-        method: "POST",
-        url: "https://example.com/oauth/token",
-        nowEpochSeconds: 101,
-        expectedThumbprint: thumbprint,
-      }),
-    ).toMatchObject({
-      ok: true,
-      thumbprint,
-      jti: "proof-1",
+    const result = verifyDpopProof({
+      proof,
+      method: "POST",
+      url: "https://example.com/oauth/token",
+      nowEpochSeconds: 101,
+      expectedThumbprint: thumbprint,
+    });
+
+    if (!result.ok) {
+      assert.fail(result.reason);
+    }
+    assert.equal(result.thumbprint, thumbprint);
+    assert.equal(result.jti, "proof-1");
+  });
+
+  it("rejects malformed DPoP header and payload JSON", () => {
+    const [header, payload, signature] = proof.split(".");
+    if (!header || !payload || !signature) {
+      assert.fail("Expected the test DPoP proof to use compact JWT format.");
+    }
+    const malformedJson = Buffer.from("{").toString("base64url");
+
+    const malformedHeader = verifyDpopProof({
+      proof: `${malformedJson}.${payload}.${signature}`,
+      method: "POST",
+      url: "https://example.com/oauth/token",
+      nowEpochSeconds: 101,
     });
+    if (malformedHeader.ok) {
+      assert.fail("Expected malformed DPoP header JSON to fail.");
+    }
+    assert.equal(malformedHeader.reason, "Invalid DPoP JWT header.");
+
+    const malformedPayload = verifyDpopProof({
+      proof: `${header}.${malformedJson}.${signature}`,
+      method: "POST",
+      url: "https://example.com/oauth/token",
+      nowEpochSeconds: 101,
+    });
+    if (malformedPayload.ok) {
+      assert.fail("Expected malformed DPoP payload JSON to fail.");
+    }
+    assert.equal(malformedPayload.reason, "Invalid DPoP JWT payload.");
   });
 
   it("rejects method, URL, thumbprint, and time-window mismatches", () => {
     const thumbprint = computeDpopJwkThumbprint(publicJwk);
-    expect(
+    assert.equal(
       verifyDpopProof({
         proof,
         method: "GET",
         url: "https://example.com/oauth/token",
         nowEpochSeconds: 101,
         expectedThumbprint: thumbprint,
-      }),
-    ).toMatchObject({ ok: false });
-    expect(
+      }).ok,
+      false,
+    );
+    assert.equal(
       verifyDpopProof({
         proof,
         method: "POST",
         url: "https://example.com/other",
         nowEpochSeconds: 101,
         expectedThumbprint: thumbprint,
-      }),
-    ).toMatchObject({ ok: false });
-    expect(
+      }).ok,
+      false,
+    );
+    assert.equal(
       verifyDpopProof({
         proof,
         method: "POST",
         url: "https://example.com/oauth/token",
         nowEpochSeconds: 101,
         expectedThumbprint: "other-thumbprint",
-      }),
-    ).toMatchObject({ ok: false });
-    expect(
+      }).ok,
+      false,
+    );
+    assert.equal(
       verifyDpopProof({
         proof,
         method: "POST",
         url: "https://example.com/oauth/token",
         nowEpochSeconds: 1_000,
         expectedThumbprint: thumbprint,
-      }),
-    ).toMatchObject({ ok: false });
+      }).ok,
+      false,
+    );
   });
 
   it("requires the RFC 9449 access token hash when an access token is expected", () => {
@@ -122,40 +156,48 @@ describe("verifyDpopProof", () => {
       accessToken: "clerk-access-token",
     });
 
-    expect(
+    assert.equal(
       verifyDpopProof({
         proof: accessTokenProof,
         method: "POST",
         url: "https://example.com/v1/environments/env/connect",
         nowEpochSeconds: 101,
         expectedThumbprint: thumbprint,
         expectedAccessToken: "clerk-access-token",
-      }),
-    ).toMatchObject({ ok: true });
-    expect(
-      verifyDpopProof({
-        proof,
-        method: "POST",
-        url: "https://example.com/oauth/token",
-        nowEpochSeconds: 101,
-        expectedThumbprint: thumbprint,
-        expectedAccessToken: "clerk-access-token",
-      }),
-    ).toMatchObject({ ok: false, reason: "DPoP access token hash mismatch." });
-    expect(
-      verifyDpopProof({
-        proof: accessTokenProof,
-        method: "POST",
-        url: "https://example.com/v1/environments/env/connect",
-        nowEpochSeconds: 101,
-        expectedThumbprint: thumbprint,
-        expectedAccessToken: "other-access-token",
-      }),
-    ).toMatchObject({ ok: false, reason: "DPoP access token hash mismatch." });
+      }).ok,
+      true,
+    );
+
+    const missingHash = verifyDpopProof({
+      proof,
+      method: "POST",
+      url: "https://example.com/oauth/token",
+      nowEpochSeconds: 101,
+      expectedThumbprint: thumbprint,
+      expectedAccessToken: "clerk-access-token",
+    });
+    if (missingHash.ok) {
+      assert.fail("Expected DPoP proof without an access token hash to fail.");
+    }
+    assert.equal(missingHash.reason, "DPoP access token hash mismatch.");
+
+    const mismatchedHash = verifyDpopProof({
+      proof: accessTokenProof,
+      method: "POST",
+      url: "https://example.com/v1/environments/env/connect",
+      nowEpochSeconds: 101,
+      expectedThumbprint: thumbprint,
+      expectedAccessToken: "other-access-token",
+    });
+    if (mismatchedHash.ok) {
+      assert.fail("Expected DPoP proof with a mismatched access token hash to fail.");
+    }
+    assert.equal(mismatchedHash.reason, "DPoP access token hash mismatch.");
   });
 
   it("normalizes htu by excluding query and fragment components per RFC 9449", () => {
-    expect(normalizeDpopHtu("https://example.com/v1/environments/env/connect?foo=bar#frag")).toBe(
+    assert.equal(
+      normalizeDpopHtu("https://example.com/v1/environments/env/connect?foo=bar#frag"),
       "https://example.com/v1/environments/env/connect",
     );
 
@@ -168,15 +210,16 @@ describe("verifyDpopProof", () => {
       publicJwk,
     });
 
-    expect(
+    assert.equal(
       verifyDpopProof({
         proof: queryProof,
         method: "POST",
         url: "https://example.com/v1/environments/env/connect?foo=bar#frag",
         nowEpochSeconds: 101,
         expectedThumbprint: thumbprint,
-      }),
-    ).toMatchObject({ ok: true });
+      }).ok,
+      true,
+    );
   });
 
   it("rejects DPoP public JWK headers that expose private key material", () => {
@@ -192,14 +235,17 @@ describe("verifyDpopProof", () => {
       publicJwk: privateJwk,
     });
 
-    expect(
-      verifyDpopProof({
-        proof: proofWithPrivateJwk,
-        method: "POST",
-        url: "https://example.com/oauth/token",
-        nowEpochSeconds: 101,
-        expectedThumbprint: thumbprint,
-      }),
-    ).toMatchObject({ ok: false, reason: "Invalid DPoP JWT header." });
+    const result = verifyDpopProof({
+      proof: proofWithPrivateJwk,
+      method: "POST",
+      url: "https://example.com/oauth/token",
+      nowEpochSeconds: 101,
+      expectedThumbprint: thumbprint,
+    });
+
+    if (result.ok) {
+      assert.fail("Expected DPoP proof with private JWK material to fail.");
+    }
+    assert.equal(result.reason, "Invalid DPoP JWT header.");
   });
 });