multiple audiences -- implements auth0#4

Author: lufzle

index.js

@@ -53,7 +53,8 @@ module.exports.verify = function(jwtString, secretOrPublicKey, options, callback
   }
 
   if (options.audience) {
-    if (payload.aud !== options.audience)
+    var audiences = Array.isArray(options.audience)? options.audience : [options.audience];
+    if (options.audience.indexOf(payload.aud) < 0)
       return callback(new Error('jwt audience invalid. expected: ' + payload.aud));
   }
 

test/jwt.rs.tests.js

@@ -73,6 +73,14 @@ describe('RS256', function() {
       });
     });
 
+    it('should check audience in array', function(done) {
+      jwt.verify(token, pub, { audience: ['urn:foo', 'urn:other'] }, function (err, decoded) {
+        assert.isNotNull(decoded);
+        assert.isNull(err);
+        done();
+      });
+    });
+
     it('should throw when invalid audience', function(done) {
       jwt.verify(token, pub, { audience: 'urn:wrong' }, function(err, decoded) {
         assert.isUndefined(decoded);
@@ -81,6 +89,14 @@ describe('RS256', function() {
       });
     });
 
+    it('should throw when invalid audience in array', function(done) {
+      jwt.verify(token, pub, { audience: ['urn:wrong', 'urn:morewrong'] }, function(err, decoded) {
+        assert.isUndefined(decoded);
+        assert.isNotNull(err);
+        done();
+      });
+    });
+
   });
 
   describe('when signing a token without audience', function() {
@@ -94,6 +110,14 @@ describe('RS256', function() {
       });
     });
 
+    it('should check audience in array', function(done) {
+      jwt.verify(token, pub, { audience: ['urn:wrong', 'urn:morewrong'] }, function(err, decoded) {
+        assert.isUndefined(decoded);
+        assert.isNotNull(err);
+        done();
+      });
+    });
+
   });
 
   describe('when signing a token with issuer', function() {