fix: auth audiences were unintentionally required

reearth · Apr 20, 2022 · 7ec76aa · 7ec76aa
1 parent 9851004
commit 7ec76aa
Show file tree

Hide file tree

Showing 3 changed files with 45 additions and 4 deletions.
diff --git a/internal/app/config.go b/internal/app/config.go
@@ -221,9 +221,13 @@ func (c Auth0Config) AuthConfig() *AuthConfig {
 		return nil
 	}
 	domain := prepareUrl(c.Domain)
+	var aud []string
+	if len(c.Audience) > 0 {
+		aud = []string{c.Audience}
+	}
 	return &AuthConfig{
 		ISS:      domain,
-		AUD:      []string{c.Audience},
+		AUD:      aud,
 		ClientID: &c.ClientID,
 	}
 }

diff --git a/internal/app/config_test.go b/internal/app/config_test.go
@@ -3,6 +3,7 @@ package app
 import (
 	"testing"
 
+	"github.com/reearth/reearth-backend/pkg/auth"
 	"github.com/stretchr/testify/assert"
 )
 
@@ -23,13 +24,42 @@ func TestAuth0Config_AuthConfig(t *testing.T) {
 }
 
 func TestReadConfig(t *testing.T) {
+	clientID := auth.ClientID
+	localAuth := AuthConfig{
+		ISS:      "http://localhost:8080",
+		AUD:      []string{"http://localhost:8080"},
+		ClientID: &clientID,
+	}
+
+	cfg, err := ReadConfig(false)
+	assert.NoError(t, err)
+	assert.Nil(t, cfg.Auth)
+	assert.Equal(t, []AuthConfig{localAuth}, cfg.Auths())
+
 	t.Setenv("REEARTH_AUTH", `[{"iss":"bar"}]`)
 	t.Setenv("REEARTH_AUTH_ISS", "hoge")
-	t.Setenv("REEARTH_AUTH_AUD", "foo")
-	cfg, err := ReadConfig(false)
+	cfg, err = ReadConfig(false)
 	assert.NoError(t, err)
 	assert.Equal(t, AuthConfigs([]AuthConfig{{ISS: "bar"}}), cfg.Auth)
+	assert.Equal(t, []AuthConfig{
+		{ISS: "hoge"}, // REEARTH_AUTH_*
+		localAuth,     // local auth srv
+		{ISS: "bar"},  // REEARTH_AUTH
+	}, cfg.Auths())
 	assert.Equal(t, "hoge", cfg.Auth_ISS)
+	assert.Equal(t, "", cfg.Auth_AUD)
+
+	t.Setenv("REEARTH_AUTH_AUD", "foo")
+	t.Setenv("REEARTH_AUTH0_DOMAIN", "foo")
+	t.Setenv("REEARTH_AUTH0_CLIENTID", clientID)
+	cfg, err = ReadConfig(false)
+	assert.NoError(t, err)
+	assert.Equal(t, []AuthConfig{
+		{ISS: "https://foo", ClientID: &clientID}, // Auth0
+		{ISS: "hoge", AUD: []string{"foo"}},       // REEARTH_AUTH_*
+		localAuth,                                 // local auth srv
+		{ISS: "bar"},                              // REEARTH_AUTH
+	}, cfg.Auths())
 	assert.Equal(t, "foo", cfg.Auth_AUD)
 }
 

diff --git a/internal/app/jwt.go b/internal/app/jwt.go
@@ -59,11 +59,18 @@ func NewMultiValidator(providers []AuthConfig) (MultiValidator, error) {
 		}
 		algorithm := validator.SignatureAlgorithm(alg)
 
+		var aud []string
+		if p.AUD != nil {
+			aud = p.AUD
+		} else {
+			aud = []string{}
+		}
+
 		v, err := validator.New(
 			provider.KeyFunc,
 			algorithm,
 			issuerURL.String(),
-			p.AUD,
+			aud,
 			validator.WithCustomClaims(func() validator.CustomClaims {
 				return &customClaims{}
 			}),