Support cases where the aud token is a list of valid audiences.

2025-01-10 21:01:19 -06:00 · 2025-01-10 21:01:19 -06:00 · 3c3edacd7c
commit 3c3edacd7c
parent 9f302556f6
2 changed files with 10 additions and 3 deletions
--- a/buffoonery.nimble
+++ b/buffoonery.nimble
@ -1,6 +1,6 @@
 # Package

-version       = "0.4.2"
+version       = "0.4.3"
 author        = "Jonathan Bernard"
 description   = "Jonathan's opinionated extensions and auth layer for Jester."
 license       = "MIT"
--- a/src/buffoonery/auth.nim
+++ b/src/buffoonery/auth.nim
@ -143,8 +143,15 @@ proc validateJWT*(ctx: ApiAuthContext, jwt: JWT) =
    if jwt.claims.sub.isNone: failAuth "Missing 'sub' claim."
    if jwt.claims.exp.isNone: failAuth "Missing or invalid 'exp' claim."

+    if jwt.claims["aud"].get.kind == JString:
+      # If the token is for a single audience, check that it is for us.
      if not ctx.validAudiences.contains(jwt.claims.aud.get):
        failAuth "JWT is not for us (invalid audience)."
+    elif jwt.claims["aud"].get.kind == JArray:
+      # If the token is for multiple audiences, check that at least one is for us.
+      let auds = jwt.claims["aud"].get.getElems
+      if not auds.anyIt(ctx.validAudiences.contains(it.getStr)):
+        failAuth "JWT is not for us (invalid audience)."

    let signingAlgorithm = jwt.header.alg.get