
Issuer and Audience are verified only if provided #7

Closed
dschenkelman opened this issue Apr 23, 2014 · 2 comments

@dschenkelman
Member

These lines of code are the cause:

  // Audience is compared only when BOTH the token carries `aud` AND the
  // caller asked for one: a token that simply omits `aud` skips the check.
  if (payload.aud && options.audience) {
    if (payload.aud !== options.audience)
      return callback(new Error('jwt audience invalid. expected: ' + payload.aud));
  }

  // Same pattern for issuer: a token that omits `iss` is never rejected,
  // whatever `options.issuer` says.
  if (payload.iss && options.issuer) {
    if (payload.iss !== options.issuer)
      return callback(new Error('jwt issuer invalid. expected: ' + payload.iss));
  }

Repro tests:

  // `jwt`, `priv`, `pub` and `assert` come from the surrounding test file.
  describe('when signing a token without issuer', function() {
    // Token carries no `iss` claim at all.
    var token = jwt.sign({ foo: 'bar' }, priv, { algorithm: 'RS256' });

    it('should check issuer', function(done) {
      // Expected: verification fails because the caller required an issuer.
      jwt.verify(token, pub, { issuer: 'urn:foo' }, function(err, decoded) {
        assert.isUndefined(decoded);
        assert.isNotNull(err);
        done();
      });
    });
  });

  describe('when signing a token without audience', function() {
    // Token carries no `aud` claim at all.
    var token = jwt.sign({ foo: 'bar' }, priv, { algorithm: 'RS256' });

    it('should check audience', function(done) {
      // Expected: verification fails because the caller required an audience.
      jwt.verify(token, pub, { audience: 'urn:wrong' }, function(err, decoded) {
        assert.isUndefined(decoded);
        assert.isNotNull(err);
        done();
      });
    });
  });
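The failure mode reported above, as an added example that is not code from the jsonwebtoken project or from the issue's participants: the lenient claim check from the issue is reimplemented as a pure function over an already-decoded payload, beside a strict version that refuses any token lacking a claim the verifier asked for. Signature verification is assumed to have happened before these functions run and is not shown. The function names, the sample payloads and the `wanted` options are constructed for this illustration. The strict version goes one step beyond the issue by also accepting `aud` as an array of strings, which RFC 7519 permits; the original `!==` comparison rejects that form.

```javascript
// Added example, not jsonwebtoken's own code. Models only the iss/aud checks
// on a payload that is assumed to be signature-verified and decoded already.

// Behaviour reported in the issue: a claim is compared only when the token
// carries it, so a token that omits `aud` or `iss` passes unchallenged.
function checkClaimsLenient(payload, options) {
  if (payload.aud && options.audience) {
    if (payload.aud !== options.audience) {
      return new Error('jwt audience invalid. expected: ' + options.audience);
    }
  }
  if (payload.iss && options.issuer) {
    if (payload.iss !== options.issuer) {
      return new Error('jwt issuer invalid. expected: ' + options.issuer);
    }
  }
  return null;
}

// Strict version: whenever the verifier asks for an audience or issuer, the
// token must carry a matching claim; absence is a failure, not a pass.
// `aud` may be a string or an array of strings, so membership is checked.
function checkClaimsStrict(payload, options) {
  if (options.audience !== undefined) {
    const aud = payload.aud;
    const audiences = Array.isArray(aud) ? aud : (aud === undefined ? [] : [aud]);
    if (!audiences.includes(options.audience)) {
      return new Error('jwt audience invalid. expected: ' + options.audience);
    }
  }
  if (options.issuer !== undefined) {
    if (payload.iss !== options.issuer) {
      return new Error('jwt issuer invalid. expected: ' + options.issuer);
    }
  }
  return null;
}

// Constructed sample payloads, shaped like what a decoder returns.
const samples = {
  noClaims: { foo: 'bar' },                                   // like the repro tokens
  audOnly:  { foo: 'bar', aud: 'urn:foo' },                   // issuer missing
  rightAud: { foo: 'bar', aud: 'urn:foo', iss: 'urn:foo' },
  wrongAud: { foo: 'bar', aud: 'urn:other', iss: 'urn:foo' },
  arrayAud: { foo: 'bar', aud: ['urn:x', 'urn:foo'], iss: 'urn:foo' },
};

// What the verifier demands (constructed values).
const wanted = { audience: 'urn:foo', issuer: 'urn:foo' };

// Runs both checks over every sample; `true` means the token was accepted.
function runAll() {
  const results = {};
  for (const [name, payload] of Object.entries(samples)) {
    results[name] = {
      lenient: checkClaimsLenient(payload, wanted) === null,
      strict: checkClaimsStrict(payload, wanted) === null,
    };
  }
  return results;
}

console.log(JSON.stringify(runAll(), null, 2));
```

Running it shows the gap from the issue directly: `noClaims` and `audOnly` are accepted by the lenient check and rejected by the strict one, while tokens that carry the claims behave the same under both, except that the array-valued `aud` is only handled by the strict version.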
@jfromaniello
Member

Okay, I've been thinking about this; this was always the intended behavior,
it verifies the things you want to verify.

Maybe we can add an extra option, "strict", defaulting to true. If it is in
strict mode, audience, issuer and all that are required parameters; if
strict is false these parameters are not required, and if not provided they
are not verified.

Makes sense?

@jfromaniello
Member

Sorry, I didn't understand the bug at first. Now I got it and you are right,
thanks.
