refactor: if unauthorized is true, audList may be nil, and we may have to manually parse out the aud unverified to test

2024-03-20 14:27:02 -04:00 · 2024-03-20 14:27:02 -04:00 · 6c0ae8c0e6
parent 9e170bae0d
commit 6c0ae8c0e6
1 changed files with 27 additions and 4 deletions
--- a/api/middleware/middleware.go
+++ b/api/middleware/middleware.go
@ -127,12 +127,12 @@ func AuthMiddleware(options AuthMiddlewareOptions) func(http.Handler) http.Handl
 				return
 			}

-			var audList jwt.ClaimStrings
+			var audList *jwt.ClaimStrings

 			claim, err := account.JWTVerifyToken(authToken, domain, options.Identity, func(claim *jwt.RegisteredClaims) error {
 				aud, _ := claim.GetAudience()

-				audList = aud
+				audList = &aud

 				if options.Purpose != account.JWTPurposeNone && jwtPurposeEqual(aud, options.Purpose) == false {
 					return account.ErrJWTInvalid
@ -147,8 +147,31 @@ func AuthMiddleware(options AuthMiddlewareOptions) func(http.Handler) http.Handl
 					unauthorized = false
 				}

-				if unauthorized && jwtPurposeEqual(audList, options.Purpose) == true {
-					http.Error(w, err.Error(), http.StatusUnauthorized)
+				if unauthorized && audList == nil {
+					if audList == nil {
+						var claim jwt.RegisteredClaims
+
+						unverified, _, err := jwt.NewParser().ParseUnverified(authToken, &claim)
+						if err != nil {
+							http.Error(w, err.Error(), http.StatusInternalServerError)
+							return
+						}
+
+						audList, err := unverified.Claims.GetAudience()
+						if err != nil {
+							http.Error(w, err.Error(), http.StatusInternalServerError)
+							return
+						}
+
+						if jwtPurposeEqual(audList, options.Purpose) == true {
+							unauthorized = true
+						}
+
+					}
+
+					if unauthorized {
+						http.Error(w, err.Error(), http.StatusInternalServerError)
+					}
 				}
 				return
 			}