From 9e170bae0d78ddf5ca6d986ee2a5b987490fde50 Mon Sep 17 00:00:00 2001
From: Derrick Hammer
Date: Wed, 20 Mar 2024 14:13:59 -0400
Subject: [PATCH] fix: capture aud in JWTVerifyToken
---
 api/middleware/middleware.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/api/middleware/middleware.go b/api/middleware/middleware.go
index 7d0c2c1..2e47e3a 100644
--- a/api/middleware/middleware.go
+++ b/api/middleware/middleware.go
@@ -127,9 +127,13 @@ func AuthMiddleware(options AuthMiddlewareOptions) func(http.Handler) http.Handl
 return
 }
+ var audList jwt.ClaimStrings
+
 claim, err := account.JWTVerifyToken(authToken, domain, options.Identity, func(claim *jwt.RegisteredClaims) error {
 aud, _ := claim.GetAudience()
+ audList = aud
+
 if options.Purpose != account.JWTPurposeNone && jwtPurposeEqual(aud, options.Purpose) == false {
 return account.ErrJWTInvalid
 }
@@ -143,7 +147,7 @@ func AuthMiddleware(options AuthMiddlewareOptions) func(http.Handler) http.Handl
 unauthorized = false
 }
- if unauthorized && jwtPurposeEqual(claim.Audience, options.Purpose) == true {
+ if unauthorized && jwtPurposeEqual(audList, options.Purpose) == true {
 http.Error(w, err.Error(), http.StatusUnauthorized)
 }
 return
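Review bot: `var audList jwt.ClaimStrings` carries state out of the verify callback with no comment explaining why, and the reason cannot be read off the first hunk. Presumably `claim` can be nil when `JWTVerifyToken` returns an error, so the later error path must not read `claim.Audience`; if that is the case, add above the declaration `// audList keeps the audience seen by the verify callback; claim may be nil when verification fails.` Because `audList = aud` runs before the purpose check, the value can come from a token the callback then rejects, and it stays nil if the callback is never reached, so a second comment should mark it as unverified input. AuthMiddleware starts and ends outside the hunk.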
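Review bot: In the second hunk, when `unauthorized` is true and `jwtPurposeEqual(audList, options.Purpose)` is false, the code reaches `return` without writing a status, so unless something outside the hunk writes one the client gets net/http's default 200 with an empty body for a failed authentication. `audList` is taken from the token that just failed verification (or is nil), so whether a 401 is sent depends on a claim the caller supplies. If the silent return is intended it needs a comment saying so; otherwise reject on the failure alone with `if unauthorized {`. The body sent is `err.Error()`, and a fixed message such as `http.StatusText(http.StatusUnauthorized)` would avoid exposing verifier detail. The enclosing block begins outside the hunk.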