fix NPE when missing expected array claim

auth0 · Feb 14, 2020 · cbe8eeb · cbe8eeb
1 parent 5fa3fe3
commit cbe8eeb
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 11 deletions.
diff --git a/lib/src/main/java/com/auth0/jwt/JWTVerifier.java b/lib/src/main/java/com/auth0/jwt/JWTVerifier.java
@@ -168,7 +168,7 @@ public Verification withArrayClaim(String name, Integer... items) throws Illegal
             requireClaim(name, items);
             return this;
         }
-        
+
         /**
          * Require a specific Array Claim to contain at least the given items.
          *
@@ -178,11 +178,11 @@ public Verification withArrayClaim(String name, Integer... items) throws Illegal
          * @throws IllegalArgumentException if the name is null.
          */
         @Override
-        public Verification withArrayClaim(String name, Long ... items) throws IllegalArgumentException {
+        public Verification withArrayClaim(String name, Long... items) throws IllegalArgumentException {
             assertNonNull(name);
             requireClaim(name, items);
             return this;
-        }        
+        }
 
         @Override
         public JWTVerifier build() {
@@ -220,7 +220,7 @@ private void addLeewayToDateClaims() {
             if (!claims.containsKey(PublicClaims.NOT_BEFORE)) {
                 claims.put(PublicClaims.NOT_BEFORE, defaultLeeway);
             }
-            if(ignoreIssuedAt) {
+            if (ignoreIssuedAt) {
                 claims.remove(PublicClaims.ISSUED_AT);
                 return;
             }
@@ -329,18 +329,18 @@ private void assertValidClaim(Claim claim, String claimName, Object value) {
             Object[] claimAsObject = claim.as(Object[].class);
 
             // Jackson uses 'natural' mapping which uses Integer if value fits in 32 bits.
-            if(value instanceof Long[]) {
+            if (value instanceof Long[]) {
                 // convert Integers to Longs for comparison with equals
                 claimArr = new ArrayList<>(claimAsObject.length);
-                for(Object cao : claimAsObject) {
-                    if(cao instanceof Integer) {
-                        claimArr.add(((Integer)cao).longValue());
+                for (Object cao : claimAsObject) {
+                    if (cao instanceof Integer) {
+                        claimArr.add(((Integer) cao).longValue());
                     } else {
                         claimArr.add(cao);
                     }
                 }
             } else {
-                claimArr = Arrays.asList(claim.as(Object[].class));
+                claimArr = claim.isNull() ? Collections.emptyList() : Arrays.asList(claim.as(Object[].class));
             }
             List<Object> valueArr = Arrays.asList((Object[]) value);
             isValid = claimArr.containsAll(valueArr);

diff --git a/lib/src/test/java/com/auth0/jwt/JWTVerifierTest.java b/lib/src/test/java/com/auth0/jwt/JWTVerifierTest.java
@@ -170,6 +170,28 @@ public void shouldThrowOnNullCustomClaimName() throws Exception {
                 .withClaim(null, "value");
     }
 
+    @Test
+    public void shouldThrowWhenExpectedArrayClaimIsMissing() throws Exception {
+        exception.expect(InvalidClaimException.class);
+        exception.expectMessage("The Claim 'missing' value doesn't match the required one.");
+        String token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhcnJheSI6WzEsMiwzXX0.wKNFBcMdwIpdF9rXRxvexrzSM6umgSFqRO1WZj992YM";
+        JWTVerifier.init(Algorithm.HMAC256("secret"))
+                .withArrayClaim("missing", 1, 2, 3)
+                .build()
+                .verify(token);
+    }
+
+    @Test
+    public void shouldThrowWhenExpectedClaimIsMissing() throws Exception {
+        exception.expect(InvalidClaimException.class);
+        exception.expectMessage("The Claim 'missing' value doesn't match the required one.");
+        String token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjbGFpbSI6InRleHQifQ.aZ27Ze35VvTqxpaSIK5ZcnYHr4SrvANlUbDR8fw9qsQ";
+        JWTVerifier.init(Algorithm.HMAC256("secret"))
+                .withClaim("missing", "text")
+                .build()
+                .verify(token);
+    }
+
     @Test
     public void shouldThrowOnInvalidCustomClaimValueOfTypeString() throws Exception {
         exception.expect(InvalidClaimException.class);
@@ -546,8 +568,8 @@ public void shouldThrowOnNegativeNotBeforeLeeway() throws Exception {
                 .acceptNotBefore(-1);
     }
 
-// Issued At with future date
-    @Test (expected = InvalidClaimException.class)
+    // Issued At with future date
+    @Test(expected = InvalidClaimException.class)
     public void shouldThrowOnFutureIssuedAt() throws Exception {
         Clock clock = mock(Clock.class);
         when(clock.getToday()).thenReturn(new Date(DATE_TOKEN_MS_VALUE - 1000));