GetStream · ferhatelmas · Jan 21, 2021 · Jan 21, 2021 · Jan 21, 2021 · Jan 21, 2021
diff --git a/src/signing.ts b/src/signing.ts
@@ -1,28 +1,43 @@
 import jwt, { SignOptions } from 'jsonwebtoken';
 
+// for a claim in jwt
+function joinClaimValue(items: string | string[]): string {
+  const values = Array.isArray(items) ? items : [items];
+  const claims = [];
+  for (let i = 0; i < values.length; i += 1) {
+    const s = values[i].trim();
+    if (s === '*') return s;
+    claims.push(s);
+  }
+  return claims.join(',');
+}
+
 /**
  * Creates the JWT token for feedId, resource and action using the apiSecret
  * @method JWTScopeToken
  * @memberof signing
  * @private
  * @param {string} apiSecret - API Secret key
- * @param {string} resource - JWT payload resource
- * @param {string} action - JWT payload action
+ * @param {string | string[]} resource - JWT payload resource
+ * @param {string | string[]} action - JWT payload action
  * @param {object} [options] - Optional additional options
- * @param {string} [options.feedId] - JWT payload feed identifier
+ * @param {string | string[]} [options.feedId] - JWT payload feed identifier
  * @param {string} [options.userId] - JWT payload user identifier
  * @param {boolean} [options.expireTokens] - JWT noTimestamp
  * @return {string} JWT Token
  */
 export function JWTScopeToken(
   apiSecret: string,
-  resource: string,
-  action: string,
-  options: { expireTokens?: boolean; feedId?: string; userId?: string } = {},
+  resource: string | string[],
+  action: string | string[],
+  options: { expireTokens?: boolean; feedId?: string | string[]; userId?: string } = {},
 ) {
   const noTimestamp = options.expireTokens ? !options.expireTokens : true;
-  const payload: { action: string; resource: string; feed_id?: string; user_id?: string } = { resource, action };
-  if (options.feedId) payload.feed_id = options.feedId;
+  const payload: { action: string; resource: string; feed_id?: string; user_id?: string } = {
+    resource: joinClaimValue(resource),
+    action: joinClaimValue(action),
+  };
+  if (options.feedId) payload.feed_id = joinClaimValue(options.feedId);
   if (options.userId) payload.user_id = options.userId;
 
   return jwt.sign(payload, apiSecret, { algorithm: 'HS256', noTimestamp });

diff --git a/test/unit/node/token_test.js b/test/unit/node/token_test.js
@@ -33,4 +33,13 @@ describe('[UNIT] Creating tokens', function () {
 
     expect(token).to.be(expected);
   });
+
+  it('#multiClaimToken', () => {
+    const token = JWTScopeToken('abcdefghijklmnop', ['personalization', 'collections'], ['read', 'delete'], {
+      feedId: ['timeline:me', 'timeline:you'],
+    });
+    expect(token).to.be(
+      'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyZXNvdXJjZSI6InBlcnNvbmFsaXphdGlvbixjb2xsZWN0aW9ucyIsImFjdGlvbiI6InJlYWQsZGVsZXRlIiwiZmVlZF9pZCI6InRpbWVsaW5lOm1lLHRpbWVsaW5lOnlvdSJ9.zWwZIdeWl2HCFvFPC9aMK4h832bmoQuifmUlyPq9knE',
+    );
+  });
 });