fenix-hub / godot-engine.jwt

JSON Web Token library for Godot Engine written in GDScript
https://nicolosantilio.com/godot-engine.jwt
MIT License

Unable to verify audience with multiple audiences. #21

Closed brownoxford closed 11 months ago

brownoxford commented 11 months ago

Bug report

Unable to verify the aud claim.

Describe the bug

In a JWT, the aud claim is an array.

JWT creation using JWTBaseBuilder treats the array as a PackedStringArray

func with_audience(audience: PackedStringArray) -> JWTBaseBuilder:

So does JWTVerifierBuilder:

func with_any_of_audience(audience: PackedStringArray) -> JWTVerifierBuilder:

However, the _parse_json function in JWTDecoder will treat incoming aud claims as Array. This makes verification impossible because of an error in assert_claim_values:

Invalid operands 'Array' and 'PackedStringArray' in operator '=='.

To Reproduce

# This stuff needs to be configured
var alg : JWTAlgorithm
var jwt : String

var jwt_verifier: JWTVerifier = JWT.require(alg) \
    .with_audience(["expected audience"]) \
    .build()

if jwt_verifier.verify(jwt) != JWTVerifier.JWTExceptions.OK :
    print(jwt_verifier.exception)

Expected behavior

Expectation is that the verification either succeeds or fails.


System information
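
An added example, not part of the issue and not code from godot-engine.jwt, assuming Godot 4: one way to avoid the `Array` / `PackedStringArray` operand error described above is to normalize the decoded `aud` claim before comparing it with the expected audiences. The helper names `normalize_audience` and `audience_matches` are hypothetical, the payload is constructed, and the helper also accepts the single-string form of `aud` that RFC 7519 permits.

```gdscript
extends SceneTree
# Added example, not library code. Run with: godot --headless -s aud_check.gd
# normalize_audience() and audience_matches() are hypothetical helper names.

# Convert a decoded "aud" claim into a PackedStringArray.
# JSON parsing yields a String (single audience) or an untyped Array.
# A missing or malformed claim becomes an empty array, so callers fail closed.
static func normalize_audience(claim: Variant) -> PackedStringArray:
	match typeof(claim):
		TYPE_STRING:
			return PackedStringArray([claim])
		TYPE_PACKED_STRING_ARRAY:
			return claim
		TYPE_ARRAY:
			var out := PackedStringArray()
			for item in claim:
				# Reject the whole claim if any member is not a string.
				if typeof(item) != TYPE_STRING:
					return PackedStringArray()
				out.append(item)
			return out
	return PackedStringArray()

# True when at least one expected audience appears in the token's claim.
# An empty expected list never matches.
static func audience_matches(claim: Variant, expected: PackedStringArray) -> bool:
	var actual := normalize_audience(claim)
	for aud in expected:
		if actual.has(aud):
			return true
	return false

func _init() -> void:
	# Constructed payload, parsed the way a JSON decoder hands it over.
	var payload: Dictionary = JSON.parse_string('{"aud": ["api.example", "admin.example"]}')
	var expected := PackedStringArray(["api.example"])
	assert(typeof(payload["aud"]) == TYPE_ARRAY)                # parsed as Array, not Packed
	assert(audience_matches(payload["aud"], expected))          # array form matches
	assert(audience_matches("api.example", expected))           # single-string form matches
	assert(not audience_matches(["other.example"], expected))   # wrong audience is rejected
	assert(not audience_matches([42], expected))                # non-string member is rejected
	assert(not audience_matches(null, expected))                # missing claim is rejected
	print("audience checks passed")
	quit()
```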