Skip to content

Commit 720c893

Browse files
mkleczekmkleczek
committed
change: Set jwt-aud default value to \`\' (accepting only empty string)
Fixes #4134 (JWT with aud claim should be rejected if jwt-aud is not set) Updated default jwt-aud value in Config module. Updated spec tests.
1 parent 0e99087 commit 720c893

File tree

2 files changed

+7
-7
lines changed

2 files changed

+7
-7
lines changed

src/PostgREST/Config.hs

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -88,7 +88,7 @@ parseCfgAud = fmap CfgAud . (fmap . ParsedValue . Just <*> parseRegex)
8888
bounded = ("\\`(" <>) . (<> "\\')")
8989

9090
defaultCfgAud :: CfgAud
91-
defaultCfgAud = CfgAud $ ParsedValue Nothing $ R.makeRegex (".*"::Text)
91+
defaultCfgAud = CfgAud $ ParsedValue Nothing $ R.makeRegex ("\\`\\'"::Text)
9292

9393
audMatchesCfg :: AppConfig -> Text -> Bool
9494
audMatchesCfg = R.matchTest . parsedValue . unCfgAud . configJwtAudience

test/spec/Feature/Auth/AudienceJwtSecretSpec.hs

Lines changed: 6 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -165,7 +165,7 @@ disabledSpec :: SpecWith ((), Application)
165165
disabledSpec = describe "test handling of aud claims in JWT when the jwt-aud config is not set" $ do
166166

167167
context "when the audience claim is a string" $ do
168-
it "ignores the audience claim and suceeds" $ do
168+
it "fails when it is not empty" $ do
169169
let jwtPayload =
170170
[json|{
171171
"exp": 9999999999,
@@ -175,7 +175,7 @@ disabledSpec = describe "test handling of aud claims in JWT when the jwt-aud con
175175
}|]
176176
auth = authHeaderJWT $ generateJWT jwtPayload
177177
request methodGet "/authors_only" [auth] ""
178-
`shouldRespondWith` 200
178+
`shouldRespondWith` 401
179179

180180
it "ignores the audience claim and suceeds when it's empty" $ do
181181
let jwtPayload =
@@ -205,7 +205,7 @@ disabledSpec = describe "test handling of aud claims in JWT when the jwt-aud con
205205

206206

207207
context "when the audience is an array of strings" $ do
208-
it "ignores the audience claim and suceeds when it has 1 element" $ do
208+
it "fails it has 1 element" $ do
209209
let jwtPayload = [json|
210210
{
211211
"exp": 9999999999,
@@ -215,9 +215,9 @@ disabledSpec = describe "test handling of aud claims in JWT when the jwt-aud con
215215
}|]
216216
auth = authHeaderJWT $ generateJWT jwtPayload
217217
request methodGet "/authors_only" [auth] ""
218-
`shouldRespondWith` 200
218+
`shouldRespondWith` 401
219219

220-
it "ignores the audience claim and suceeds when it has more than 1 element" $ do
220+
it "fails when it has more than 1 element" $ do
221221
let jwtPayload = [json|
222222
{
223223
"exp": 9999999999,
@@ -227,7 +227,7 @@ disabledSpec = describe "test handling of aud claims in JWT when the jwt-aud con
227227
}|]
228228
auth = authHeaderJWT $ generateJWT jwtPayload
229229
request methodGet "/authors_only" [auth] ""
230-
`shouldRespondWith` 200
230+
`shouldRespondWith` 401
231231

232232
it "ignores the audience claim and suceeds when it's empty" $ do
233233
let jwtPayload = [json|

0 commit comments

Comments
 (0)