
Commit 4fc8b7d

committed
Add checks for POLICY_AUD
1 parent 2cf616c commit 4fc8b7d


1 file changed

+34
-7
lines changed


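--- a/src/content/docs/cloudflare-one/identity/authorization-cookie/validating-json.mdx
+++ b/src/content/docs/cloudflare-one/identity/authorization-cookie/validating-json.mdx
@@ -113,6 +113,14 @@ import { jwtVerify, createRemoteJWKSet } from 'jose';
 
 export default {
 async fetch(request, env, ctx) {
+// Verify the POLICY_AUD environment variable is set
+if (!env.POLICY_AUD) {
+return new Response('Missing required audience', {
+status: 403,
+headers: { 'Content-Type': 'text/plain' }
+});
+}
+
 // Get the JWT from the request headers
 const token = request.headers.get('cf-access-jwt-assertion');
 
@@ -268,6 +276,10 @@ def verify_token(f):
 Decorator that wraps a Flask API call to verify the CF Access JWT
 """
 def wrapper():
+# Check for the POLICY_AUD environment variable
+if not POLICY_AUD:
+return "missing required audience", 403
+
 token = ''
 if 'CF_Authorization' in request.cookies:
 token = request.cookies['CF_Authorization']
@@ -319,6 +331,14 @@ const JWKS = jose.createRemoteJWKSet(new URL(CERTS_URL));
 
 // verifyToken is a middleware to verify a CF authorization token
 const verifyToken = async (req, res, next) => {
+// Check for the AUD environment variable
+if (!AUD) {
+return res.status(403).send({
+status: false,
+message: "missing required audience",
+});
+}
+
 const token = req.headers["cf-access-jwt-assertion"];
 
 // Make sure that the incoming request has our token header
@@ -329,13 +349,20 @@ const verifyToken = async (req, res, next) => {
 });
 }
 
-const result = await jose.jwtVerify(token, JWKS, {
-issuer: TEAM_DOMAIN,
-audience: AUD,
-});
+try {
+const result = await jose.jwtVerify(token, JWKS, {
+issuer: TEAM_DOMAIN,
+audience: AUD,
+});
 
-req.user = result.payload;
-next();
+req.user = result.payload;
+next();
+} catch (err) {
+return res.status(403).send({
+status: false,
+message: "invalid token",
+});
+}
 };
 
 const app = express();
@@ -347,4 +374,4 @@ app.get("/", (req, res) => {
 });
 
 app.listen(3333);
-```
+```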
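Review bot: In the fourth hunk (`@@ -329,13 +349,20 @@`) the new `try` block wraps `next()` as well as `jose.jwtVerify`, so any exception thrown synchronously by a downstream Express handler is caught here and answered with a 403 "invalid token", mislabeling application failures as authentication failures and risking a second response on an already-sent request. The `catch (err)` also discards `err` entirely, which leaves an operator unable to distinguish a forged or expired assertion from a misconfigured `TEAM_DOMAIN`/`AUD`; logging `err.name` and `err.message` (never the token itself) keeps the client response generic while making failures observable. I would narrow the `try` to the verification call and move the user assignment and `next()` after it. The enclosing `verifyToken` arrow function begins in the previous hunk, outside this one, and the Worker snippet's own `jwtVerify` call is not shown in this section, so I cannot tell whether it receives comparable error handling.
```javascript
let payload;
try {
  ({ payload } = await jose.jwtVerify(token, JWKS, {
    issuer: TEAM_DOMAIN,
    audience: AUD,
  }));
} catch (err) {
  // Generic message to the client; detail only in server logs.
  console.error("Access JWT verification failed:", err.name, err.message);
  return res.status(403).send({
    status: false,
    message: "invalid token",
  });
}

req.user = payload;
next();
// … unchanged: closing of verifyToken, app setup …
```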
