feat: #20 update logic for aud verification optional (#21)

DMGT-TECH · Mar 4, 2022 · 9bd43e4 · 9bd43e4
1 parent f279dbf
commit 9bd43e4
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 15 deletions.
diff --git a/docs/INSTALL.md b/docs/INSTALL.md
@@ -13,7 +13,7 @@ This document outlines the steps necessary to deploy the Usher to a production e
 
 On the database server, run the following command to create the schema that will be used by the Usher.
 
-```
+```sh
 create schema usher
 ```
 
@@ -34,12 +34,10 @@ npm run migrate:latest
 
 The above steps that run the database migrations will ensure the database schema is deployed and up to date.
 
-
 ### Populate Database
 
 Populate The Usher's database according with the appropriate data given the [data model](./DATAMODEL.md).
 
-
 ## Set up The Usher Server
 
 The Usher was developed such that it can be deployed either as a `node.js` Express API Server or as an AWS Lambda function.
@@ -62,7 +60,7 @@ The following variables are required to be configured.
 | TOKEN_LIFETIME_SECONDS   | Number of seconds Access Token is valid                  |
 | SESSION_LIFETIME_SECONDS | Number of seconds Refresh Token is valid                 |
 | ISSUER_WHITELIST         | Comma separated list of authorized Issuer Servers        |
-| THEUSHER_AUD_CLAIMS      | Comma separated list of authorized audience (aud) claims |
+| THEUSHER_AUD_CLAIMS      | (Optional) Comma separated list of authorized audience (aud) claims |
 | PRESET_SERVER_URL        | (Optional) URI to use as `iss` claim for issued tokens   |
 | ISSUER_ALIASES           | (Optional && Experimental) [Hostname aliases](USAGE.md#migrating-idenitity-provider-domain-names-issuer-aliases-experimental) for IdP tokens issuer |
 
@@ -117,4 +115,4 @@ The Usher's express.js server is wrapped with the `serverless-http` library to a
 
 ## Conclusion
 
-With the database up and running and populated (according to the [data model](./DATAMODEL.md)), and The Usher launched with a configuration to point to it (based on https://github.com/DMGT-TECH/the-usher-server/blob/main/server/.env.sample), you're now ready to start requesting tokens!
+With the database up and running and populated (according to the [data model](./DATAMODEL.md)), and The Usher launched with a configuration based on [.env.sample](../server/.env.sample), you're now ready to start requesting tokens!
diff --git a/server/.env.sample b/server/.env.sample
@@ -20,9 +20,10 @@ TOKEN_LIFETIME_SECONDS=3600
 # Duration the session/refresh_token is valid:
 SESSION_LIFETIME_SECONDS=43200
 
-# Testing Variables
+# Dev & Testing Variables
 TEST_THEUSHER_SERVER=http://localhost:3001
-ISSUER_WHITELIST=https://dmgt-test.auth0.com/,test1.net,foo,https://auth.labs.dmgt.com/,http://branded-idp-alias.dmgt.com.mock.localhost:3002/,http://idp.dmgt.com.mock.localhost:3002/,http://whitelisted-but-not-aliased.labs.dmgt.com.mock.localhost:3002/
+PRESET_SERVER_URL=http://localhost:3001
 
+ISSUER_WHITELIST=https://dmgt-test.auth0.com/,test1.net,foo,https://auth.labs.dmgt.com/,http://branded-idp-alias.dmgt.com.mock.localhost:3002/,http://idp.dmgt.com.mock.localhost:3002/,http://whitelisted-but-not-aliased.labs.dmgt.com.mock.localhost:3002/
 ISSUER_ALIASES='{"https://auth.labs.dmgt.com/": "https://dmgt-test.auth0.com/", "http://branded-idp-alias.dmgt.com.mock.localhost:3002/": "http://idp.dmgt.com.mock.localhost:3002/"}'
 THEUSHER_AUD_CLAIMS=https://us-central1-dmgt-oocto.cloudfunctions.net/the-usher,http://localhost:3001
diff --git a/server/src/security_layer/jwt_signature_validator.js b/server/src/security_layer/jwt_signature_validator.js
@@ -43,14 +43,12 @@ async function verifyAndDecodeToken (token) {
     audience = audience[0]
   }
 
-  let whitelistedAudienceURLs = []
+  // Optional check to verify the *audience* claim
   if (env.THEUSHER_AUD_CLAIMS) {
-    whitelistedAudienceURLs = env.THEUSHER_AUD_CLAIMS.split(',')
-  } else {
-    throw createError(500, 'Internal Server Error: accepted audience claims not configured (THEUSHER_AUD_CLAIMS).')
-  }
-  if (!whitelistedAudienceURLs.includes(audience)) {
-    throw createError(403, `Forbidden: JWT contains an aud claim (${audience}) not meant for this application.`)
+    const whitelistedAudienceURLs = env.THEUSHER_AUD_CLAIMS.split(',')
+    if (!whitelistedAudienceURLs.includes(audience)) {
+      throw createError(403, `Forbidden: JWT contains an aud claim (${audience}) not meant for this application.`)
+    }
   }
 
   const jwksUri = tenant[0].jwks_uri

diff --git a/server/the-usher.js b/server/the-usher.js
@@ -56,7 +56,7 @@ const optionsObject = {
 
 function preInitCheck () {
   let missingKeyEnvVars = false
-  if (!env.ISSUER_WHITELIST || !env.THEUSHER_AUD_CLAIMS) {
+  if (!env.ISSUER_WHITELIST) {
     missingKeyEnvVars = true
   }
   return missingKeyEnvVars