Skip to content

Commit 81501a1

Browse files
TheBusCantSwimziluvatar
TheBusCantSwim
authored and
ziluvatar
committed
Enhance audience check to verify against regular expressions (#398)
* Enhance audience check to verify against regular expressions * Enhance audience check to verify against regular expressions * Adapted README to have a showcase of the new RegExp-check for the audience validation
1 parent 77ee965 commit 81501a1

File tree

3 files changed

+80
-4
lines changed

3 files changed

+80
-4
lines changed

README.md

+1-1
Original file line numberDiff line numberDiff line change
@@ -120,7 +120,7 @@ As mentioned in [this comment](https://github.com/auth0/node-jsonwebtoken/issues
120120
`options`
121121

122122
* `algorithms`: List of strings with the names of the allowed algorithms. For instance, `["HS256", "HS384"]`.
123-
* `audience`: if you want to check audience (`aud`), provide a value here
123+
* `audience`: if you want to check audience (`aud`), provide a value here. The audience can be checked against a string, a regular expression or a list of strings and/or regular expressions. Eg: `"urn:foo"`, `/urn:f[o]{2}/`, `[/urn:f[o]{2}/, "urn:bar"]`
124124
* `issuer` (optional): string or array of strings of valid values for the `iss` field.
125125
* `ignoreExpiration`: if `true` do not validate the expiration of the token.
126126
* `ignoreNotBefore`...

test/jwt.asymmetric_signing.tests.js

+74-2
Original file line numberDiff line numberDiff line change
@@ -175,6 +175,14 @@ describe('Asymmetric Algorithms', function(){
175175
});
176176
});
177177

178+
it('should check audience using RegExp', function (done) {
179+
jwt.verify(token, pub, { audience: /urn:f[o]{2}/ }, function (err, decoded) {
180+
assert.isNotNull(decoded);
181+
assert.isNull(err);
182+
done();
183+
});
184+
});
185+
178186
it('should check audience in array', function (done) {
179187
jwt.verify(token, pub, { audience: ['urn:foo', 'urn:other'] }, function (err, decoded) {
180188
assert.isNotNull(decoded);
@@ -183,6 +191,14 @@ describe('Asymmetric Algorithms', function(){
183191
});
184192
});
185193

194+
it('should check audience in array using RegExp', function (done) {
195+
jwt.verify(token, pub, { audience: ['urn:bar', /urn:f[o]{2}/, 'urn:other'] }, function (err, decoded) {
196+
assert.isNotNull(decoded);
197+
assert.isNull(err);
198+
done();
199+
});
200+
});
201+
186202
it('should throw when invalid audience', function (done) {
187203
jwt.verify(token, pub, { audience: 'urn:wrong' }, function (err, decoded) {
188204
assert.isUndefined(decoded);
@@ -193,8 +209,18 @@ describe('Asymmetric Algorithms', function(){
193209
});
194210
});
195211

212+
it('should throw when invalid audience using RegExp', function (done) {
213+
jwt.verify(token, pub, { audience: /urn:bar/ }, function (err, decoded) {
214+
assert.isUndefined(decoded);
215+
assert.isNotNull(err);
216+
assert.equal(err.name, 'JsonWebTokenError');
217+
assert.instanceOf(err, jwt.JsonWebTokenError);
218+
done();
219+
});
220+
});
221+
196222
it('should throw when invalid audience in array', function (done) {
197-
jwt.verify(token, pub, { audience: ['urn:wrong', 'urn:morewrong'] }, function (err, decoded) {
223+
jwt.verify(token, pub, { audience: ['urn:wrong', 'urn:morewrong', /urn:bar/] }, function (err, decoded) {
198224
assert.isUndefined(decoded);
199225
assert.isNotNull(err);
200226
assert.equal(err.name, 'JsonWebTokenError');
@@ -224,6 +250,14 @@ describe('Asymmetric Algorithms', function(){
224250
});
225251
});
226252

253+
it('should check audience using RegExp', function (done) {
254+
jwt.verify(token, pub, { audience: /urn:f[o]{2}/ }, function (err, decoded) {
255+
assert.isNotNull(decoded);
256+
assert.isNull(err);
257+
done();
258+
});
259+
});
260+
227261
it('should check audience in array', function (done) {
228262
jwt.verify(token, pub, { audience: ['urn:foo', 'urn:other'] }, function (err, decoded) {
229263
assert.isNotNull(decoded);
@@ -232,6 +266,14 @@ describe('Asymmetric Algorithms', function(){
232266
});
233267
});
234268

269+
it('should check audience in array using RegExp', function (done) {
270+
jwt.verify(token, pub, { audience: ['urn:one', 'urn:other', /urn:f[o]{2}/] }, function (err, decoded) {
271+
assert.isNotNull(decoded);
272+
assert.isNull(err);
273+
done();
274+
});
275+
});
276+
235277
it('should throw when invalid audience', function (done) {
236278
jwt.verify(token, pub, { audience: 'urn:wrong' }, function (err, decoded) {
237279
assert.isUndefined(decoded);
@@ -242,6 +284,16 @@ describe('Asymmetric Algorithms', function(){
242284
});
243285
});
244286

287+
it('should throw when invalid audience using RegExp', function (done) {
288+
jwt.verify(token, pub, { audience: /urn:wrong/ }, function (err, decoded) {
289+
assert.isUndefined(decoded);
290+
assert.isNotNull(err);
291+
assert.equal(err.name, 'JsonWebTokenError');
292+
assert.instanceOf(err, jwt.JsonWebTokenError);
293+
done();
294+
});
295+
});
296+
245297
it('should throw when invalid audience in array', function (done) {
246298
jwt.verify(token, pub, { audience: ['urn:wrong', 'urn:morewrong'] }, function (err, decoded) {
247299
assert.isUndefined(decoded);
@@ -252,6 +304,16 @@ describe('Asymmetric Algorithms', function(){
252304
});
253305
});
254306

307+
it('should throw when invalid audience in array', function (done) {
308+
jwt.verify(token, pub, { audience: ['urn:wrong', 'urn:morewrong', /urn:alsowrong/] }, function (err, decoded) {
309+
assert.isUndefined(decoded);
310+
assert.isNotNull(err);
311+
assert.equal(err.name, 'JsonWebTokenError');
312+
assert.instanceOf(err, jwt.JsonWebTokenError);
313+
done();
314+
});
315+
});
316+
255317
});
256318

257319
describe('when signing a token without audience', function () {
@@ -267,8 +329,18 @@ describe('Asymmetric Algorithms', function(){
267329
});
268330
});
269331

332+
it('should check audience using RegExp', function (done) {
333+
jwt.verify(token, pub, { audience: /urn:wrong/ }, function (err, decoded) {
334+
assert.isUndefined(decoded);
335+
assert.isNotNull(err);
336+
assert.equal(err.name, 'JsonWebTokenError');
337+
assert.instanceOf(err, jwt.JsonWebTokenError);
338+
done();
339+
});
340+
});
341+
270342
it('should check audience in array', function (done) {
271-
jwt.verify(token, pub, { audience: ['urn:wrong', 'urn:morewrong'] }, function (err, decoded) {
343+
jwt.verify(token, pub, { audience: ['urn:wrong', 'urn:morewrong', /urn:alsowrong/] }, function (err, decoded) {
272344
assert.isUndefined(decoded);
273345
assert.isNotNull(err);
274346
assert.equal(err.name, 'JsonWebTokenError');

verify.js

+5-1
Original file line numberDiff line numberDiff line change
@@ -131,7 +131,11 @@ module.exports = function (jwtString, secretOrPublicKey, options, callback) {
131131
var audiences = Array.isArray(options.audience)? options.audience : [options.audience];
132132
var target = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
133133

134-
var match = target.some(function(aud) { return audiences.indexOf(aud) != -1; });
134+
var match = target.some(function(targetAudience) {
135+
return audiences.some(function(audience) {
136+
return audience instanceof RegExp ? audience.test(targetAudience) : audience === targetAudience;
137+
});
138+
});
135139

136140
if (!match)
137141
return done(new JsonWebTokenError('jwt audience invalid. expected: ' + audiences.join(' or ')));

0 commit comments

Comments
 (0)