add support for validating multiples issuers. closes #163

auth0 · Feb 16, 2016 · 39d9309 · 39d9309
1 parent 1959404
commit 39d9309
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -78,7 +78,7 @@ encoded public key for RSA and ECDSA.
 
 * `algorithms`: List of strings with the names of the allowed algorithms. For instance, `["HS256", "HS384"]`.
 * `audience`: if you want to check audience (`aud`), provide a value here
-* `issuer`: if you want to check issuer (`iss`), provide a value here
+* `issuer` (optional): string or array of strings of valid values for the `iss` field.
 * `ignoreExpiration`: if `true` do not validate the expiration of the token.
 * `ignoreNotBefore`...
 * `subject`: if you want to check subject (`sub`), provide a value here

diff --git a/index.js b/index.js
@@ -254,8 +254,13 @@ JWT.verify = function(jwtString, secretOrPublicKey, options, callback) {
   }
 
   if (options.issuer) {
-    if (payload.iss !== options.issuer)
+    var invalid_issuer =
+        (typeof options.issuer === 'string' && payload.iss !== options.issuer) ||
+        (Array.isArray(options.issuer) && options.issuer.indexOf(payload.iss) === -1);
+
+    if (invalid_issuer) {
       return done(new JsonWebTokenError('jwt issuer invalid. expected: ' + options.issuer));
+    }
   }
 
   if (options.subject) {

diff --git a/test/jwt.rs.tests.js b/test/jwt.rs.tests.js
@@ -267,6 +267,14 @@ describe('RS256', function() {
       });
     });
 
+    it('should check the issuer when providing a list of valid issuers', function(done) {
+      jwt.verify(token, pub, { issuer: [ 'urn:foo', 'urn:bar' ] }, function(err, decoded) {
+        assert.isNotNull(decoded);
+        assert.isNull(err);
+        done();
+      });
+    });
+
     it('should throw when invalid issuer', function(done) {
       jwt.verify(token, pub, { issuer: 'urn:wrong' }, function(err, decoded) {
         assert.isUndefined(decoded);