Check for either convex audience in auth flow (#40010)

atrakh · Convex, Inc. · commit b98d752eb0db · 2025-08-16T00:21:25.000Z
Valid auth0 tokens can also have the alternate convex audience

GitOrigin-RevId: 8c6dd044524cfaa43e14c209e8bb47a8bd569fa7
diff --git a/crates/authentication/src/lib.rs b/crates/authentication/src/lib.rs
@@ -717,14 +717,13 @@ where
             "Access Token could not be decoded to determine provider type",
         ))?;
 
-    let audience = payload.registered.audience;
-    let is_auth0 = match audience {
+    let is_auth0 = match payload.registered.audience {
         None => false,
-        Some(aud) => match aud {
-            biscuit::SingleOrMultiple::Multiple(auds) => auds
-                .iter()
-                .any(|audience| audience.contains("console.convex.dev")),
-            biscuit::SingleOrMultiple::Single(aud) => aud.contains("console.convex.dev"),
+        Some(biscuit::SingleOrMultiple::Multiple(auds)) => auds.iter().any(|audience| {
+            audience == CONVEX_CONSOLE_API_AUDIENCE || audience == ALTERNATE_CONVEX_API_AUDIENCE
+        }),
+        Some(biscuit::SingleOrMultiple::Single(audience)) => {
+            audience == CONVEX_CONSOLE_API_AUDIENCE || audience == ALTERNATE_CONVEX_API_AUDIENCE
         },
     };
 
