Closed dakkar closed 5 years ago
I agree with the idea you are proposing.
Please change the code in this way (please use 2-spaces indent):
if (defined $args{verify_iss}) {
  if (exists $payload->{iss}) {
    if (ref $args{verify_iss} eq 'Regexp') {
      croak "JWT: iss claim re check failed" unless $payload->{iss} =~ $args{verify_iss};
    }
    elsif (ref $args{verify_iss} eq 'CODE') {
      croak "JWT: iss claim check failed" unless $args{verify_iss}->($payload->{iss});
    }
    else {
      croak "JWT: verify_iss must be Regexp or CODE";
    }
  }
  else {
    croak "JWT: iss claim required but missing";
  }
}
Also please update doc like this:
=item verify_iss

B<INCOMPATIBLE CHANGE in v0.24> - if C<verify_iss> is specified and claim C<iss> is completely missing it is a failure since v0.24

C<CODE ref> - subroutine (with 'iss' claim value passed as argument) has to return C<true> otherwise verification fails

C<Regexp ref> - 'iss' claim value has to match given regexp otherwise verification fails

C<undef> (default) - do not verify 'iss' claim
I would expect that calling decode_jwt with verify_iss would die if there is no iss claim to verify (same for sub, aud, jti). This commit makes that happen.
Possible incompatible change:
used to work, now it fails. Maybe if the verify_* is a CODE, we should call it with whatever value we have (undef if missing) and trust it?
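The three ways of handling an absent claim that this thread touches on, compared side by side as an added example (not code from the pull request or from the module itself). The helper `check_claim`, the policy names and the issuer URLs are constructed for illustration, and the `skip` policy is an assumption about the earlier behaviour, inferred from the "incompatible change" note above.

```perl
use strict;
use warnings;

# Hypothetical helper modelling a verify_* option under three policies:
#   skip     - assumed earlier behaviour: an absent claim is not checked at all
#   strict   - the requested change: an absent claim is a failure
#   callback - the alternative from the PR description: a CODE check is called
#              with undef and trusted; a Regexp check still fails
# Unlike the snippet in the thread, the type of the check is validated first.
sub check_claim {
  my ($policy, $claim, $payload, $check) = @_;
  die "JWT: verify_$claim must be Regexp or CODE\n"
    unless ref $check eq 'Regexp' || ref $check eq 'CODE';
  if (!exists $payload->{$claim}) {
    return 1 if $policy eq 'skip';
    die "JWT: $claim claim required but missing\n"
      unless $policy eq 'callback' && ref $check eq 'CODE';
  }
  my $value = $payload->{$claim};
  my $ok = ref $check eq 'Regexp' ? $value =~ $check : $check->($value);
  die "JWT: $claim claim check failed\n" unless $ok;
  return 1;
}

# Constructed sample checks and payloads.
my $re       = qr/^https:\/\/issuer\.example$/;
my $tight_cb = sub { defined $_[0] && $_[0] =~ $re };   # rejects undef itself
my $lax_cb   = sub { !defined $_[0] || $_[0] =~ $re };  # tolerates a missing claim

my %payloads = (
  good    => { iss => 'https://issuer.example', sub => 'alice' },
  wrong   => { iss => 'https://other.example',  sub => 'alice' },
  missing => { sub => 'alice' },
);

for my $policy (qw(skip strict callback)) {
  for my $name (qw(good wrong missing)) {
    for my $c ([regexp => $re], [tight_cb => $tight_cb], [lax_cb => $lax_cb]) {
      my $ok = eval { check_claim($policy, 'iss', $payloads{$name}, $c->[1]) };
      printf "%-8s %-7s %-8s %s\n", $policy, $name, $c->[0], $ok ? 'accept' : 'reject';
    }
  }
}
```

The rows for the `missing` payload are the ones that differ between policies: `skip` accepts it with every check, `strict` rejects it with every check, and `callback` accepts it only when the caller's subroutine chooses to tolerate `undef`.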