From 4bba232c540e19b1197d00c4885b0f5ca5c784ce Mon Sep 17 00:00:00 2001
From: Steve Teti
Date: Tue, 3 Jan 2017 20:06:43 -0500
Subject: [PATCH] Validate audience when payload audience is a scalar and options audience is an array

---
 lib/jwt/verify.rb | 16 ++--------------
 spec/jwt/verify_spec.rb | 18 +++++++++++++++++-
 2 files changed, 19 insertions(+), 15 deletions(-)

diff --git a/lib/jwt/verify.rb b/lib/jwt/verify.rb
index 7379c2d2..e5fab8ec 100644
--- a/lib/jwt/verify.rb
+++ b/lib/jwt/verify.rb
@@ -20,23 +20,11 @@ def initialize(payload, options)
 def verify_aud
 return unless (options_aud = extract_option(:aud))
 
- if @payload['aud'].is_a?(Array)
- verify_aud_array(@payload['aud'], options_aud)
- else
+ if ([*@payload['aud']] & [*options_aud]).empty?
 raise(
 JWT::InvalidAudError,
 "Invalid audience. Expected #{options_aud}, received #{@payload['aud'] || ''}"
- ) unless @payload['aud'].to_s == options_aud.to_s
- end
- end
-
- def verify_aud_array(audience, options_aud)
- if options_aud.is_a?(Array)
- options_aud.each do |aud|
- raise(JWT::InvalidAudError, 'Invalid audience') unless audience.include?(aud.to_s)
- end
- else
- raise(JWT::InvalidAudError, 'Invalid audience') unless audience.include?(options_aud.to_s)
+ )
 end
 end
 
diff --git a/spec/jwt/verify_spec.rb b/spec/jwt/verify_spec.rb
index 31a8167e..4b00d60e 100644
--- a/spec/jwt/verify_spec.rb
+++ b/spec/jwt/verify_spec.rb
@@ -8,7 +8,7 @@ module JWT
 let(:options) { { leeway: 0 } }
 
 context '.verify_aud(payload, options)' do
- let(:scalar_aud) { 'ruby-jwt-audience' }
+ let(:scalar_aud) { 'ruby-jwt-aud' }
 let(:array_aud) { %w(ruby-jwt-aud test-aud ruby-ruby-ruby) }
 let(:scalar_payload) { base_payload.merge('aud' => scalar_aud) }
 let(:array_payload) { base_payload.merge('aud' => array_aud) }
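Review bot: The new intersection on the `if` line of verify_aud compares elements with `eql?`, so the `.to_s` coercion the removed branches applied (`@payload['aud'].to_s == options_aud.to_s`, `audience.include?(aud.to_s)`) is lost: a scalar option given as a Symbol, or any non-String audience value, that used to match now raises InvalidAudError, and the array/array path only still tolerates Symbols because a single String overlap is enough. Normalising both sides first keeps the old coercion with the new shape: `if ([*@payload['aud']].map(&:to_s) & [*options_aud].map(&:to_s)).empty?`. For an array payload checked against an array of options the rule also changes from "every configured audience must be present" to "at least one overlaps", which follows RFC 7519 §4.1.3 but is not stated in the commit message and should be called out there or in the changelog since it relaxes existing verification. The surviving message interpolates the token's raw `aud` value on every failure path, where the deleted array path raised a fixed 'Invalid audience'; if these errors are logged, confirm that echoing claim contents is intended.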
@@ -47,6 +47,22 @@ module JWT
 Verify.verify_aud(array_payload, options.merge('aud' => array_aud.first))
 end
 
+ it 'must allow an array with any value matching any value in the options array' do
+ Verify.verify_aud(array_payload, options.merge(aud: array_aud))
+ end
+
+ it 'must allow an array with any value matching any value in the options array with a string options key' do
+ Verify.verify_aud(array_payload, options.merge("aud" => array_aud))
+ end
+
+ it 'must allow a singular audience payload matching any value in the options array' do
+ Verify.verify_aud(scalar_payload, options.merge(aud: array_aud))
+ end
+
+ it 'must allow a singular audience payload matching any value in the options array with a string options key' do
+ Verify.verify_aud(scalar_payload, options.merge("aud" => array_aud))
+ end
+
 it 'should allow strings or symbols in options array' do
 options['aud'] = [
 'ruby-jwt-aud',