Merge pull request #8 from yehted/fix/validate_audience_type_issue

ah-f3 · web-flow · commit 5b2d2b5f6c34 · 2021-05-11T17:32:31.000+01:00
add check for []interface{} type when validating audience
diff --git a/map_claims.go b/map_claims.go
@@ -13,15 +13,23 @@ type MapClaims map[string]interface{}
 // Compares the aud claim against cmp.
 // If required is false, this method will return true if the value matches or is unset
 func (m MapClaims) VerifyAudience(cmp string, req bool) bool {
-	aud, ok := m["aud"].([]string)
-	if !ok {
-		strAud, ok := m["aud"].(string)
-		if !ok {
-			return false
+	var aud []string
+	switch v := m["aud"].(type) {
+	case []string:
+		aud = v
+	case []interface{}:
+		for _, a := range v {
+			vs, ok := a.(string)
+			if !ok {
+				return false
+			}
+			aud = append(aud, vs)
 		}
-		aud = append(aud, strAud)
+	case string:
+		aud = append(aud, v)
+	default:
+		return false
 	}
-
 	return verifyAud(aud, cmp, req)
 }
 
diff --git a/map_claims_test.go b/map_claims_test.go
@@ -2,7 +2,7 @@ package jwt
 
 import "testing"
 
-func Test_mapClaims_list_aud(t *testing.T){
+func Test_mapClaims_list_aud(t *testing.T) {
 	mapClaims := MapClaims{
 		"aud": []string{"foo"},
 	}
@@ -13,7 +13,18 @@ func Test_mapClaims_list_aud(t *testing.T){
 		t.Fatalf("Failed to verify claims, wanted: %v got %v", want, got)
 	}
 }
-func Test_mapClaims_string_aud(t *testing.T){
+func Test_mapClaims_list_interface_aud(t *testing.T) {
+	mapClaims := MapClaims{
+		"aud": []interface{}{"foo"},
+	}
+	want := true
+	got := mapClaims.VerifyAudience("foo", true)
+
+	if want != got {
+		t.Fatalf("Failed to verify claims, wanted: %v got %v", want, got)
+	}
+}
+func Test_mapClaims_string_aud(t *testing.T) {
 	mapClaims := MapClaims{
 		"aud": "foo",
 	}
@@ -25,7 +36,7 @@ func Test_mapClaims_string_aud(t *testing.T){
 	}
 }
 
-func Test_mapClaims_list_aud_no_match(t *testing.T){
+func Test_mapClaims_list_aud_no_match(t *testing.T) {
 	mapClaims := MapClaims{
 		"aud": []string{"bar"},
 	}
@@ -36,7 +47,7 @@ func Test_mapClaims_list_aud_no_match(t *testing.T){
 		t.Fatalf("Failed to verify claims, wanted: %v got %v", want, got)
 	}
 }
-func Test_mapClaims_string_aud_fail(t *testing.T){
+func Test_mapClaims_string_aud_fail(t *testing.T) {
 	mapClaims := MapClaims{
 		"aud": "bar",
 	}
@@ -48,9 +59,8 @@ func Test_mapClaims_string_aud_fail(t *testing.T){
 	}
 }
 
-func Test_mapClaims_string_aud_no_claim(t *testing.T){
-	mapClaims := MapClaims{
-	}
+func Test_mapClaims_string_aud_no_claim(t *testing.T) {
+	mapClaims := MapClaims{}
 	want := false
 	got := mapClaims.VerifyAudience("foo", true)
 
@@ -59,13 +69,12 @@ func Test_mapClaims_string_aud_no_claim(t *testing.T){
 	}
 }
 
-func Test_mapClaims_string_aud_no_claim_not_required(t *testing.T){
-	mapClaims := MapClaims{
-	}
+func Test_mapClaims_string_aud_no_claim_not_required(t *testing.T) {
+	mapClaims := MapClaims{}
 	want := false
 	got := mapClaims.VerifyAudience("foo", false)
 
 	if want != got {
 		t.Fatalf("Failed to verify claims, wanted: %v got %v", want, got)
 	}
-}
+}

Original file line number	Diff line number	Diff line change
`@@ -2,7 +2,7 @@ package jwt`
`2`	`2`
`3`	`3`	`import "testing"`
`4`	`4`
`5`		`-func Test_mapClaims_list_aud(t *testing.T){`
	`5`	`+func Test_mapClaims_list_aud(t *testing.T) {`
`6`	`6`	`mapClaims := MapClaims{`
`7`	`7`	`"aud": []string{"foo"},`
`8`	`8`	`}`
`@@ -13,7 +13,18 @@ func Test_mapClaims_list_aud(t *testing.T){`
`13`	`13`	`t.Fatalf("Failed to verify claims, wanted: %v got %v", want, got)`
`14`	`14`	`}`
`15`	`15`	`}`
`16`		`-func Test_mapClaims_string_aud(t *testing.T){`
	`16`	`+func Test_mapClaims_list_interface_aud(t *testing.T) {`
	`17`	`+ mapClaims := MapClaims{`
	`18`	`+ "aud": []interface{}{"foo"},`
	`19`	`+ }`
	`20`	`+ want := true`
	`21`	`+ got := mapClaims.VerifyAudience("foo", true)`
	`22`	`+`
	`23`	`+ if want != got {`
	`24`	`+ t.Fatalf("Failed to verify claims, wanted: %v got %v", want, got)`
	`25`	`+ }`
	`26`	`+}`
	`27`	`+func Test_mapClaims_string_aud(t *testing.T) {`
`17`	`28`	`mapClaims := MapClaims{`
`18`	`29`	`"aud": "foo",`
`19`	`30`	`}`
`@@ -25,7 +36,7 @@ func Test_mapClaims_string_aud(t *testing.T){`
`25`	`36`	`}`
`26`	`37`	`}`
`27`	`38`
`28`		`-func Test_mapClaims_list_aud_no_match(t *testing.T){`
	`39`	`+func Test_mapClaims_list_aud_no_match(t *testing.T) {`
`29`	`40`	`mapClaims := MapClaims{`
`30`	`41`	`"aud": []string{"bar"},`
`31`	`42`	`}`
`@@ -36,7 +47,7 @@ func Test_mapClaims_list_aud_no_match(t *testing.T){`
`36`	`47`	`t.Fatalf("Failed to verify claims, wanted: %v got %v", want, got)`
`37`	`48`	`}`
`38`	`49`	`}`
`39`		`-func Test_mapClaims_string_aud_fail(t *testing.T){`
	`50`	`+func Test_mapClaims_string_aud_fail(t *testing.T) {`
`40`	`51`	`mapClaims := MapClaims{`
`41`	`52`	`"aud": "bar",`
`42`	`53`	`}`
`@@ -48,9 +59,8 @@ func Test_mapClaims_string_aud_fail(t *testing.T){`
`48`	`59`	`}`
`49`	`60`	`}`
`50`	`61`
`51`		`-func Test_mapClaims_string_aud_no_claim(t *testing.T){`
`52`		`- mapClaims := MapClaims{`
`53`		`- }`
	`62`	`+func Test_mapClaims_string_aud_no_claim(t *testing.T) {`
	`63`	`+ mapClaims := MapClaims{}`
`54`	`64`	`want := false`
`55`	`65`	`got := mapClaims.VerifyAudience("foo", true)`
`56`	`66`
`@@ -59,13 +69,12 @@ func Test_mapClaims_string_aud_no_claim(t *testing.T){`
`59`	`69`	`}`
`60`	`70`	`}`
`61`	`71`
`62`		`-func Test_mapClaims_string_aud_no_claim_not_required(t *testing.T){`
`63`		`- mapClaims := MapClaims{`
`64`		`- }`
	`72`	`+func Test_mapClaims_string_aud_no_claim_not_required(t *testing.T) {`
	`73`	`+ mapClaims := MapClaims{}`
`65`	`74`	`want := false`
`66`	`75`	`got := mapClaims.VerifyAudience("foo", false)`
`67`	`76`
`68`	`77`	`if want != got {`
`69`	`78`	`t.Fatalf("Failed to verify claims, wanted: %v got %v", want, got)`
`70`	`79`	`}`
`71`		`-}`
	`80`	`+}`