From 34d88e8db4e325fd7a745065db09ae70163d7d5c Mon Sep 17 00:00:00 2001
From: Umputun
Date: Sat, 24 Aug 2019 12:55:10 -0500
Subject: [PATCH] aud promotion happened too late, move it up

---
 auth_test.go | 2 +-
 token/jwt.go | 9 ++++++---
 token/jwt_test.go | 3 ++-
 3 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/auth_test.go b/auth_test.go
index aa72f20..3a38c0f 100644
--- a/auth_test.go
+++ b/auth_test.go
@@ -205,7 +205,7 @@ func TestIntegrationUserInfo(t *testing.T) {
 	err = json.NewDecoder(resp.Body).Decode(&u)
 	require.NoError(t, err)
 
-	assert.Equal(t, token.User{Name: "dev_user", ID: "dev_user",
+	assert.Equal(t, token.User{Name: "dev_user", ID: "dev_user", Audience: "my-test-site",
 		Picture: "http://127.0.0.1:8080/api/v1/avatar/ccfa2abd01667605b4e1fc4fcb91b1e1af323240.image"}, u)
 }
 
diff --git a/token/jwt.go b/token/jwt.go
index ab17d92..291fce7 100644
--- a/token/jwt.go
+++ b/token/jwt.go
@@ -245,6 +245,11 @@ func (j *Service) Get(r *http.Request) (Claims, string, error) {
 		return Claims{}, "", errors.Wrap(err, "failed to get token")
 	}
 
+	// promote claim's aud to User.Audience
+	if claims.User != nil {
+		claims.User.Audience = claims.Audience
+	}
+
 	if !fromCookie && j.IsExpired(claims) {
 		return Claims{}, "", errors.New("token expired")
 	}
@@ -259,9 +264,7 @@ func (j *Service) Get(r *http.Request) (Claims, string, error) {
 			return Claims{}, "", errors.New("xsrf mismatch")
 		}
 	}
-	if claims.User != nil {
-		claims.User.Audience = claims.Audience
-	}
+
 	return claims, tokenString, nil
 }
 
diff --git a/token/jwt_test.go b/token/jwt_test.go
index 7a4ac59..2e055ab 100644
--- a/token/jwt_test.go
+++ b/token/jwt_test.go
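Review bot: The promoted `User.Audience` is copied straight from the token's `aud` with no check that it is an audience this service expects, so any downstream code that keys authorization on `User.Audience` is trusting the value only as far as `Parse` verified the signature; if the service has (or grows) a configured audience, compare `claims.Audience` against it right here, before the copy, and reject on mismatch. The comment should also record why the copy sits this early: the commit moved it up because the later position was skipped on some successful path — presumably an early `return claims, tokenString, nil` in the lines elided between the two hunks — so a future refactor does not move it back, e.g. `// promote claim's aud to User.Audience here, before any early return, so every successful path carries it`. The copy also unconditionally overwrites whatever `Audience` the serialized user claim itself carried; if that is intended, say so (`// top-level aud is authoritative; any User.Audience in the payload is discarded`). `Get` starts before this hunk and ends after it.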
@@ -398,7 +398,8 @@ func TestJWT_SetAndGetWithXsrfMismatch(t *testing.T) {
 	req.AddCookie(resp.Cookies()[0])
 	req.Header.Add(xsrfCustomHeaderKey, "random id wrong")
 	c, _, err := j.Get(req)
-	require.Nil(t, err, "xsrf mismatch, but ignored")
+	require.NoError(t, err, "xsrf mismatch, but ignored")
+	claims.User.Audience = c.Audience // set aud to user because we don't do the normal Get call
 	assert.Equal(t, claims, c)
 }
 
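Review bot: The added `claims.User.Audience = c.Audience` copies the field from the value under test into the expected value, so `assert.Equal(t, claims, c)` can no longer fail on a wrong or empty promoted audience — the assertion is now tautological for that field. Mirror what `Get` is supposed to do from the fixture side instead, `claims.User.Audience = claims.Audience`, assuming the fixture sets `Audience` (it is built before this hunk), or assert the literal expected audience directly. The trailing comment is also misleading, since `j.Get(req)` is called two lines above; it should say what actually differs, e.g. `// Get promotes aud into User.Audience; the fixture was built without it`. `TestJWT_SetAndGetWithXsrfMismatch` starts before this hunk.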