Skip to content

Commit

Permalink
Merge pull request #183 from steti/master
Browse files Browse the repository at this point in the history 
Validate audience when payload is a scalar and options is an array
  • Loading branch information
@excpt
excpt authored Feb 2, 2017
2 parents efa3e96 + 4bba232 commit 6c0e93f
Show file tree
Hide file tree
Showing 2 changed files with 19 additions and 15 deletions.
16 changes: 2 additions & 14 deletions lib/jwt/verify.rb
View file
Original file line number Diff line number Diff line change
Expand Up @@ -20,23 +20,11 @@ def initialize(payload, options)
def verify_aud
return unless (options_aud = extract_option(:aud))

if @payload['aud'].is_a?(Array)
verify_aud_array(@payload['aud'], options_aud)
else
if ([*@payload['aud']] & [*options_aud]).empty?
raise(
JWT::InvalidAudError,
"Invalid audience. Expected #{options_aud}, received #{@payload['aud'] || '<none>'}"
) unless @payload['aud'].to_s == options_aud.to_s
end
end

def verify_aud_array(audience, options_aud)
if options_aud.is_a?(Array)
options_aud.each do |aud|
raise(JWT::InvalidAudError, 'Invalid audience') unless audience.include?(aud.to_s)
end
else
raise(JWT::InvalidAudError, 'Invalid audience') unless audience.include?(options_aud.to_s)
)
end
end

Expand Down
18 changes: 17 additions & 1 deletion spec/jwt/verify_spec.rb
View file
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ module JWT
let(:options) { { leeway: 0 } }

context '.verify_aud(payload, options)' do
let(:scalar_aud) { 'ruby-jwt-audience' }
let(:scalar_aud) { 'ruby-jwt-aud' }
let(:array_aud) { %w(ruby-jwt-aud test-aud ruby-ruby-ruby) }
let(:scalar_payload) { base_payload.merge('aud' => scalar_aud) }
let(:array_payload) { base_payload.merge('aud' => array_aud) }
Expand Down Expand Up @@ -47,6 +47,22 @@ module JWT
Verify.verify_aud(array_payload, options.merge('aud' => array_aud.first))
end

it 'must allow an array with any value matching any value in the options array' do
Verify.verify_aud(array_payload, options.merge(aud: array_aud))
end

it 'must allow an array with any value matching any value in the options array with a string options key' do
Verify.verify_aud(array_payload, options.merge("aud" => array_aud))
end

it 'must allow a singular audience payload matching any value in the options array' do
Verify.verify_aud(scalar_payload, options.merge(aud: array_aud))
end

it 'must allow a singular audience payload matching any value in the options array with a string options key' do
Verify.verify_aud(scalar_payload, options.merge("aud" => array_aud))
end

it 'should allow strings or symbols in options array' do
options['aud'] = [
'ruby-jwt-aud',
Expand Down

0 comments on commit 6c0e93f

Please sign in to comment.