From ac2edf230dab067898167ad794d26579f7123b31 Mon Sep 17 00:00:00 2001
From: Jonathan Bernard
Date: Wed, 31 Dec 2025 15:07:26 -0600
Subject: [PATCH] Backport support for aud list values into 0.3.x (support live-budget).
---
 buffoonery.nimble | 2 +-
 src/buffoonery/auth.nim | 14 +++++++++-----
 2 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/buffoonery.nimble b/buffoonery.nimble
index dcbc085..b87cceb 100644
--- a/buffoonery.nimble
+++ b/buffoonery.nimble
@@ -1,6 +1,6 @@
 # Package
-version = "0.3.0"
+version = "0.3.1"
 author = "Jonathan Bernard"
 description = "Jonathan's opinionated extensions and auth layer for Jester."
 license = "MIT"
diff --git a/src/buffoonery/auth.nim b/src/buffoonery/auth.nim
index 988a6c7..708eee3 100644
--- a/src/buffoonery/auth.nim
+++ b/src/buffoonery/auth.nim
@@ -140,11 +140,15 @@ proc validateJWT*(ctx: ApiAuthContext, jwt: JWT) =
 if jwt.claims.aud.isNone:
 failAuth "Missing 'aud' claim."
- if not ctx.validAudiences.contains(jwt.claims.aud.get):
- log.debug(
- "Valid audiences: $#\ttoken audience: $#" %
- [$ctx.validAudiences, jwt.claims.aud.get])
- failAuth "JWT is not for us (invalid audience)."
+ if jwt.claims["aud"].get.kind == JString:
+ # If the token is for a single audience, check that it is for us.
+ if not ctx.validAudiences.contains(jwt.claims.aud.get):
+ failAuth "JWT is not for us (invalid audience)."
+ elif jwt.claims["aud"].get.kind == JArray:
+ # If the token is for multiple audiences, check that at least one is for us.
+ let auds = jwt.claims["aud"].get.getElems
+ if not auds.anyIt(ctx.validAudiences.contains(it.getStr)):
+ failAuth "JWT is not for us (invalid audience)."
 let signingAlgorithm = jwt.header.alg.get
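Review bot: The new `if jwt.claims["aud"].get.kind == JString` / `elif ... == JArray` chain in the auth.nim hunk has no `else`, so a token whose `aud` claim is any other JSON kind (number, bool, object, null) reaches `let signingAlgorithm` without any audience comparison, whereas the removed code failed closed on every non-matching value. Unless the earlier `jwt.claims.aud.isNone` check is already known to reject non-string, non-array values (I cannot tell from the hunk), add `else:` followed by `failAuth "JWT is not for us (invalid audience)."` so that only the two shapes RFC 7519 allows for `aud` can pass. In the array branch, `it.getStr` yields its default for non-string elements, so consider `it.kind == JString and ctx.validAudiences.contains(it.getStr)` to avoid matching on a default value. The commit also drops the `log.debug` of the expected and presented audiences, which is useful for diagnosing rejected tokens; keeping it in both failure paths costs nothing. The enclosing `validateJWT*` begins before and continues after this hunk.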