refactor: if unauthorized is true, audList may be nil, and we may have to manually parse out the aud unverified to test

2024-03-20 14:27:02 -04:00 · 2024-03-20 14:27:02 -04:00 · 6c0ae8c0e6
parent 9e170bae0d
commit 6c0ae8c0e6
1 changed files with 27 additions and 4 deletions
--- a/api/middleware/middleware.go
+++ b/api/middleware/middleware.go
@ -127,12 +127,12 @@ func AuthMiddleware(options AuthMiddlewareOptions) func(http.Handler) http.Handl
 				return
 			}
-			var audList jwt.ClaimStrings
+			var audList *jwt.ClaimStrings
 			claim, err := account.JWTVerifyToken(authToken, domain, options.Identity, func(claim *jwt.RegisteredClaims) error {
 				aud, _ := claim.GetAudience()
-				audList = aud
+				audList = &aud
 				if options.Purpose != account.JWTPurposeNone && jwtPurposeEqual(aud, options.Purpose) == false {
 					return account.ErrJWTInvalid
@ -147,8 +147,31 @@ func AuthMiddleware(options AuthMiddlewareOptions) func(http.Handler) http.Handl
 					unauthorized = false
 				}
-				if unauthorized && jwtPurposeEqual(audList, options.Purpose) == true {
+				if unauthorized && audList == nil {
-					http.Error(w, err.Error(), http.StatusUnauthorized)
+					if audList == nil {
 						var claim jwt.RegisteredClaims
 						unverified, _, err := jwt.NewParser().ParseUnverified(authToken, &claim)
 						if err != nil {
 							http.Error(w, err.Error(), http.StatusInternalServerError)
 							return
 						}
 						audList, err := unverified.Claims.GetAudience()
 						if err != nil {
 							http.Error(w, err.Error(), http.StatusInternalServerError)
 							return
 						}
 						if jwtPurposeEqual(audList, options.Purpose) == true {
 							unauthorized = true
 						}
 					}
 					if unauthorized {
 						http.Error(w, err.Error(), http.StatusInternalServerError)
 					}
 				}
 				return
 			}