From 546d1a9cbe3dc95764ba7160f481d3cebd87fff4 Mon Sep 17 00:00:00 2001
From: Jonathan Bernard
Date: Mon, 7 Feb 2022 13:40:35 -0600
Subject: [PATCH] Separate two cases for validation of `aud` claim.

---
 src/buffoonery/auth.nim | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/buffoonery/auth.nim b/src/buffoonery/auth.nim
index ce042b5..13a570a 100644
--- a/src/buffoonery/auth.nim
+++ b/src/buffoonery/auth.nim
@@ -136,10 +136,13 @@ proc validateJWT*(ctx: ApiAuthContext, jwt: JWT) =
   if jwt.header.alg.isNone:
     failAuth "Missing 'alg' header property."
 
-  if jwt.claims.aud.isNone or
-     not ctx.validAudiences.contains(jwt.claims.aud.get):
+  if jwt.claims.aud.isNone:
     failAuth "Missing 'aud' claim."
+
+  if not ctx.validAudiences.contains(jwt.claims.aud.get):
+    log.debug(
+      "Valid audiences: $#\ttoken audience: $#" %
+      [$ctx.validAudiences, jwt.claims.aud.get])
     failAuth "JWT is not for us (invalid audience)."
-    failAuth "Issuer is trusted, but the token is not for the expected audience."
 
   let signingAlgorithm = jwt.header.alg.get
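Review bot: The new `log.debug` call in the invalid-audience branch writes `jwt.claims.aud.get` into the log verbatim, and at this point in validateJWT the token has not yet been signature-checked — the signing algorithm is only read on the context line after the hunk — so the logged value is whatever the presenter of the token put there. Newlines or control characters in that string would let a rejected token forge or split log entries, and an oversized claim would bloat the log; escape and bound the value before formatting it, e.g. `[$ctx.validAudiences, jwt.claims.aud.get.escape]` (std/strutils `escape` renders non-printable bytes as escape sequences), with a length cap if the logging layer does not impose one. Separately, the use of `aud.get` as an element of the `%` argument array implies the claim is parsed as a single string; RFC 7519 also allows `aud` to be an array of strings, so if the parser ever accepts that form the `contains` check here would silently reject such tokens — worth a comment on the `if` line, `# aud is treated as a single string; array-form aud is not supported`, if that is intentional. validateJWT starts before this hunk and continues after it.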