From bcaaebe987d9e94d6c79a86261db8e56156b91dc Mon Sep 17 00:00:00 2001
From: vanessa-passage <138504893+vanessa-passage@users.noreply.github.com>
Date: Tue, 10 Dec 2024 09:43:09 -0600
Subject: [PATCH] feat: support jwt aud validation for hosted apps (#117)

* feat: add support jwt aud validation for hosted apps

---------

Co-authored-by: Vanessa Burroughs
---
 lib/passageidentity/auth.rb | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/lib/passageidentity/auth.rb b/lib/passageidentity/auth.rb
index d8657ab..de1a20e 100644
--- a/lib/passageidentity/auth.rb
+++ b/lib/passageidentity/auth.rb
@@ -82,18 +82,21 @@ def validate_jwt(token)
         )
       end
+      audiences = [@auth_origin, @app_id]
+
       claims = JWT.decode(
         token,
         nil,
         true,
         {
-          aud: @auth_origin,
+          aud: audiences,
           verify_aud: true,
           algorithms: ['RS256'],
           jwks: @jwks
         }
       )
+
       claims[0]['sub']
     rescue JWT::InvalidIssuerError, JWT::InvalidAudError, JWT::ExpiredSignature, JWT::IncorrectAlgorithm, JWT::DecodeError => e
@@ -237,11 +240,6 @@ def get_cache(key)
       def set_cache(key:, jwks:)
         @app_cache.write(key, jwks, expires_in: 86_400)
       end
-
-      def jwk_exists(token)
-        kid = JWT.decode(token, nil, false)[1]['kid']
-        @jwks['keys'].any? { |jwk| jwk['kid'] == kid }
-      end
       # rubocop:enable Metrics/AbcSize
       deprecate(:authenticate_request, :validate_jwt, 2025, 1)
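Review bot: `audiences = [@auth_origin, @app_id]` puts a `nil` into the expected-audience list whenever either attribute is unset, and passing a list also changes the check from "exactly this audience" to "any of these", so a token minted for the auth origin is now accepted where the app id was expected and vice versa. As far as I recall ruby-jwt verifies `aud` by intersecting the token's `aud` value(s) with the configured list (confirm against the pinned gem version), in which case a `nil` entry would match a token whose `aud` array contains `null`; `audiences = [@auth_origin, @app_id].compact` closes that gap. Since the commit title is the only place that says why both values are accepted, a one-line comment above the assignment would help the next reader, e.g. `# hosted apps issue tokens with the app id as aud; others use the auth origin` (adjust if that is not the actual intent). validate_jwt begins before this hunk and its rescue branch continues past it.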