Enhance audience check to verify against regular expressions (#398)

* Enhance audience check to verify against regular expressions * Enhance audience check to verify against regular expressions * Adapted README to have a showcase of the new RegExp-check for the audience validation
auth0 · Oct 9, 2017 · 81501a1 · 81501a1
1 parent 77ee965
commit 81501a1
Show file tree

Hide file tree

Showing 3 changed files with 80 additions and 4 deletions.
diff --git a/README.md b/README.md
@@ -120,7 +120,7 @@ As mentioned in [this comment](https://github.com/auth0/node-jsonwebtoken/issues
 `options`
 
 * `algorithms`: List of strings with the names of the allowed algorithms. For instance, `["HS256", "HS384"]`.
-* `audience`: if you want to check audience (`aud`), provide a value here
+* `audience`: if you want to check audience (`aud`), provide a value here. The audience can be checked against a string, a regular expression or a list of strings and/or regular expressions. Eg: `"urn:foo"`, `/urn:f[o]{2}/`, `[/urn:f[o]{2}/, "urn:bar"]`
 * `issuer` (optional): string or array of strings of valid values for the `iss` field.
 * `ignoreExpiration`: if `true` do not validate the expiration of the token.
 * `ignoreNotBefore`...

diff --git a/test/jwt.asymmetric_signing.tests.js b/test/jwt.asymmetric_signing.tests.js
@@ -175,6 +175,14 @@ describe('Asymmetric Algorithms', function(){
           });
         });
 
+        it('should check audience using RegExp', function (done) {
+          jwt.verify(token, pub, { audience: /urn:f[o]{2}/  }, function (err, decoded) {
+            assert.isNotNull(decoded);
+            assert.isNull(err);
+            done();
+          });
+        });
+
         it('should check audience in array', function (done) {
           jwt.verify(token, pub, { audience: ['urn:foo', 'urn:other'] }, function (err, decoded) {
             assert.isNotNull(decoded);
@@ -183,6 +191,14 @@ describe('Asymmetric Algorithms', function(){
           });
         });
 
+        it('should check audience in array using RegExp', function (done) {
+          jwt.verify(token, pub, { audience: ['urn:bar', /urn:f[o]{2}/, 'urn:other'] }, function (err, decoded) {
+            assert.isNotNull(decoded);
+            assert.isNull(err);
+            done();
+          });
+        });
+
         it('should throw when invalid audience', function (done) {
           jwt.verify(token, pub, { audience: 'urn:wrong' }, function (err, decoded) {
             assert.isUndefined(decoded);
@@ -193,8 +209,18 @@ describe('Asymmetric Algorithms', function(){
           });
         });
 
+        it('should throw when invalid audience using RegExp', function (done) {
+          jwt.verify(token, pub, { audience: /urn:bar/ }, function (err, decoded) {
+            assert.isUndefined(decoded);
+            assert.isNotNull(err);
+            assert.equal(err.name, 'JsonWebTokenError');
+            assert.instanceOf(err, jwt.JsonWebTokenError);
+            done();
+          });
+        });
+
         it('should throw when invalid audience in array', function (done) {
-          jwt.verify(token, pub, { audience: ['urn:wrong', 'urn:morewrong'] }, function (err, decoded) {
+          jwt.verify(token, pub, { audience: ['urn:wrong', 'urn:morewrong', /urn:bar/] }, function (err, decoded) {
             assert.isUndefined(decoded);
             assert.isNotNull(err);
             assert.equal(err.name, 'JsonWebTokenError');
@@ -224,6 +250,14 @@ describe('Asymmetric Algorithms', function(){
           });
         });
 
+        it('should check audience using RegExp', function (done) {
+          jwt.verify(token, pub, { audience: /urn:f[o]{2}/ }, function (err, decoded) {
+            assert.isNotNull(decoded);
+            assert.isNull(err);
+            done();
+          });
+        });
+
         it('should check audience in array', function (done) {
           jwt.verify(token, pub, { audience: ['urn:foo', 'urn:other'] }, function (err, decoded) {
             assert.isNotNull(decoded);
@@ -232,6 +266,14 @@ describe('Asymmetric Algorithms', function(){
           });
         });
 
+        it('should check audience in array using RegExp', function (done) {
+          jwt.verify(token, pub, { audience: ['urn:one', 'urn:other', /urn:f[o]{2}/] }, function (err, decoded) {
+            assert.isNotNull(decoded);
+            assert.isNull(err);
+            done();
+          });
+        });
+
         it('should throw when invalid audience', function (done) {
           jwt.verify(token, pub, { audience: 'urn:wrong' }, function (err, decoded) {
             assert.isUndefined(decoded);
@@ -242,6 +284,16 @@ describe('Asymmetric Algorithms', function(){
           });
         });
 
+        it('should throw when invalid audience using RegExp', function (done) {
+          jwt.verify(token, pub, { audience: /urn:wrong/ }, function (err, decoded) {
+            assert.isUndefined(decoded);
+            assert.isNotNull(err);
+            assert.equal(err.name, 'JsonWebTokenError');
+            assert.instanceOf(err, jwt.JsonWebTokenError);
+            done();
+          });
+        });
+
         it('should throw when invalid audience in array', function (done) {
           jwt.verify(token, pub, { audience: ['urn:wrong', 'urn:morewrong'] }, function (err, decoded) {
             assert.isUndefined(decoded);
@@ -252,6 +304,16 @@ describe('Asymmetric Algorithms', function(){
           });
         });
 
+        it('should throw when invalid audience in array', function (done) {
+          jwt.verify(token, pub, { audience: ['urn:wrong', 'urn:morewrong', /urn:alsowrong/] }, function (err, decoded) {
+            assert.isUndefined(decoded);
+            assert.isNotNull(err);
+            assert.equal(err.name, 'JsonWebTokenError');
+            assert.instanceOf(err, jwt.JsonWebTokenError);
+            done();
+          });
+        });
+
       });
 
       describe('when signing a token without audience', function () {
@@ -267,8 +329,18 @@ describe('Asymmetric Algorithms', function(){
           });
         });
 
+        it('should check audience using RegExp', function (done) {
+          jwt.verify(token, pub, { audience: /urn:wrong/ }, function (err, decoded) {
+            assert.isUndefined(decoded);
+            assert.isNotNull(err);
+            assert.equal(err.name, 'JsonWebTokenError');
+            assert.instanceOf(err, jwt.JsonWebTokenError);
+            done();
+          });
+        });
+
         it('should check audience in array', function (done) {
-          jwt.verify(token, pub, { audience: ['urn:wrong', 'urn:morewrong'] }, function (err, decoded) {
+          jwt.verify(token, pub, { audience: ['urn:wrong', 'urn:morewrong', /urn:alsowrong/] }, function (err, decoded) {
             assert.isUndefined(decoded);
             assert.isNotNull(err);
             assert.equal(err.name, 'JsonWebTokenError');

diff --git a/verify.js b/verify.js
@@ -131,7 +131,11 @@ module.exports = function (jwtString, secretOrPublicKey, options, callback) {
     var audiences = Array.isArray(options.audience)? options.audience : [options.audience];
     var target = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
 
-    var match = target.some(function(aud) { return audiences.indexOf(aud) != -1; });
+    var match = target.some(function(targetAudience) {
+      return audiences.some(function(audience) {
+        return audience instanceof RegExp ? audience.test(targetAudience) : audience === targetAudience;
+      });
+    });
 
     if (!match)
       return done(new JsonWebTokenError('jwt audience invalid. expected: ' + audiences.join(' or ')));