api/middleware/middleware.go

@@ -3,7 +3,6 @@ package middleware
 import (
 	"context"
 	"crypto/ed25519"
-	"errors"
 	"net/http"
 	"slices"
 	"strconv"
@@ -104,7 +103,6 @@ type AuthMiddlewareOptions struct {
 	AuthContextKey string
 	Config         *config.Manager
 	EmptyAllowed   bool
-	ExpiredAllowed bool
 }
 
 func AuthMiddleware(options AuthMiddlewareOptions) func(http.Handler) http.Handler {
@@ -130,22 +128,17 @@ func AuthMiddleware(options AuthMiddlewareOptions) func(http.Handler) http.Handl
 			claim, err := account.JWTVerifyToken(authToken, domain, options.Identity, func(claim *jwt.RegisteredClaims) error {
 				aud, _ := claim.GetAudience()
 
-				if options.Purpose != account.JWTPurposeNone && jwtPurposeEqual(aud, options.Purpose) == false {
+				if options.Purpose != account.JWTPurposeNone && slices.Contains[jwt.ClaimStrings, string](aud, string(options.Purpose)) == false {
-					return account.ErrJWTInvalid
+					if !options.EmptyAllowed {
+						return account.ErrJWTInvalid
+					}
 				}
 
 				return nil
 			})
 
 			if err != nil {
-				unauthorized := true
+				http.Error(w, err.Error(), http.StatusUnauthorized)
-				if errors.Is(err, jwt.ErrTokenExpired) && options.ExpiredAllowed {
-					unauthorized = false
-				}
-
-				if unauthorized && jwtPurposeEqual(claim.Audience, options.Purpose) == true {
-					http.Error(w, err.Error(), http.StatusUnauthorized)
-				}
 				return
 			}
 
@@ -222,7 +215,3 @@ func CtxAborted(ctx context.Context) bool {
 		return false
 	}
 }
-
-func jwtPurposeEqual(aud jwt.ClaimStrings, purpose account.JWTPurpose) bool {
-	return slices.Contains[jwt.ClaimStrings, string](aud, string(purpose))
-}