feat: removes auth origin comparison from jwt audience validation (#214)

feat: changes jwt validation to only check app id in audience using the jwt libs validation options
passageidentity · Dec 30, 2024 · 351d067 · 351d067
1 parent 85dcb1f
commit 351d067
Showing 1 changed file with 3 additions and 9 deletions.
diff --git a/src/classes/Auth/Auth.ts b/src/classes/Auth/Auth.ts
@@ -50,17 +50,11 @@ export class Auth extends PassageBase {
         }
 
         const {
-            payload: { sub: userId, aud },
-        } = await jwtVerify(jwt, this.jwks);
+            payload: { sub: userId },
+        } = await jwtVerify(jwt, this.jwks, { audience: [this.config.appId] });
 
         if (!userId) {
-            throw new Error('Could not validate auth token. You must catch this error.');
-        }
-
-        if (Array.isArray(aud)) {
-            if (!aud.includes(this.config.appId)) {
-                throw new Error('Incorrect app ID claim in token. You must catch this error.');
-            }
+            throw new Error('sub missing in jwt claims.');
         }
 
         return userId;