From 1ebd50cb5b3bc6023e6bab62da4d1d7c7eda7374 Mon Sep 17 00:00:00 2001
From: Nanne Baars
Date: Fri, 26 Feb 2021 12:02:18 +0100
Subject: [PATCH] WIP
---
 .../java/org/owasp/webgoat/JWTLessonTest.java | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)
diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/JWTLessonTest.java b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/JWTLessonTest.java
index b4b422014..d3ceb0eb7 100644
--- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/JWTLessonTest.java
+++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/JWTLessonTest.java
@@ -35,6 +35,8 @@ public class JWTLessonTest extends IntegrationTest {
 public void solveAssignment() throws IOException, InvalidKeyException, NoSuchAlgorithmException {
 startLesson("JWT");
+
+ decodingToken();
 resetVotes();
@@ -73,6 +75,31 @@ public class JWTLessonTest extends IntegrationTest {
 }
 return null;
 }
+
+ private void decodingToken() throws IOException, NoSuchAlgorithmException, InvalidKeyException {
+
+ String accessToken = RestAssured.given()
+ .when()
+ .relaxedHTTPSValidation()
+ .cookie("JSESSIONID", getWebGoatCookie())
+ .get(url("/WebGoat/JWT/secret/gettoken"))
+ .then()
+ .extract().response().asString();
+
+ String secret = getSecretToken(accessToken);
+
+ MatcherAssert.assertThat(
+ RestAssured.given()
+ .when()
+ .relaxedHTTPSValidation()
+ .cookie("JSESSIONID", getWebGoatCookie())
+ .formParam("token", generateToken(secret))
+ .post(url("/WebGoat/JWT/secret"))
+ .then()
+ .statusCode(200)
+ .extract().path("lessonCompleted"), CoreMatchers.is(true));
+
+ }
 private void findPassword() throws IOException, NoSuchAlgorithmException, InvalidKeyException {
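Review bot: The first request in `decodingToken()` extracts the body without checking the status, so a failed call to `/WebGoat/JWT/secret/gettoken` passes an error response to `getSecretToken(...)` and the test fails later for an unrelated-looking reason; add `.statusCode(200)` after `.then()` there, as the second request already does. The helper that ends just above this hunk falls through to `return null;`, and if that helper is `getSecretToken` (its body is outside the hunk), adding `MatcherAssert.assertThat(secret, CoreMatchers.notNullValue());` before `generateToken(secret)` would make a failed secret recovery explicit. The name also does not match what is exercised: the method is called `decodingToken` but drives the `/JWT/secret` endpoints, which `findPassword()` may already cover (its body is not visible here), so rename it or point it at the assignment it is meant to test. A one-line comment stating that `relaxedHTTPSValidation()` is acceptable only because the target is the local WebGoat test instance would stop the pattern being copied into code that talks to real services.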