From cfc786f2d7a9831e7fa102de35b8d2222e469ae9 Mon Sep 17 00:00:00 2001
From: Florian Dejonckheere
Date: Thu, 19 Sep 2024 09:52:53 +0200
Subject: [PATCH] Pass access/refresh claims to session for claim verification

---
 lib/jwt_sessions/authorization.rb | 11 +-
 test/units/jwt_sessions/test_authorization.rb | 102 ++++++++++++++++++
 2 files changed, 111 insertions(+), 2 deletions(-)

diff --git a/lib/jwt_sessions/authorization.rb b/lib/jwt_sessions/authorization.rb
index 073c57f..9e5f649 100644
--- a/lib/jwt_sessions/authorization.rb
+++ b/lib/jwt_sessions/authorization.rb
@@ -79,11 +79,11 @@ def request_method
 end
 def valid_csrf_token?(csrf_token, token_type)
- JWTSessions::Session.new.valid_csrf?(found_token, csrf_token, token_type)
+ JWTSessions::Session.new(claims).valid_csrf?(found_token, csrf_token, token_type)
 end
 def session_exists?(token_type)
- JWTSessions::Session.new.session_exists?(found_token, token_type)
+ JWTSessions::Session.new(claims).session_exists?(found_token, token_type)
 end
 def cookieless_auth(token_type)
@@ -150,5 +150,12 @@ def authorize_request(token_type)
 invalid_authorization unless session_exists?(token_type)
 check_csrf(token_type)
 end
+
+ def claims
+ {
+ access_claims: token_claims,
+ refresh_claims: token_claims
+ }
+ end
 end
 end
diff --git a/test/units/jwt_sessions/test_authorization.rb b/test/units/jwt_sessions/test_authorization.rb
index 9d31727..522efa8 100644
--- a/test/units/jwt_sessions/test_authorization.rb
+++ b/test/units/jwt_sessions/test_authorization.rb
@@ -6,10 +6,22 @@ class TestAuthorization < Minitest::Test
 include JWTSessions::Authorization
+ def token_claims
+ {
+ iss: "issuer",
+ aud: "audience",
+ }
+ end
+
 def setup
 JWTSessions.signing_key = "abcdefghijklmnopqrstuvwxyzABCDEF"
 end
+ def teardown
+ JWTSessions.jwt_options[:verify_iss] = false
+ JWTSessions.jwt_options[:verify_aud] = false
+ end
+
 def test_payload_when_token_is_nil
 @_raw_token = nil
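Review bot: `claims` (hunk at `@@ -150`) calls `token_claims`, which is not defined anywhere in this patch; unless the module already provides it outside the hunk, every host controller that includes `JWTSessions::Authorization` without defining `token_claims` will now raise NoMethodError from `session_exists?` and `valid_csrf_token?` (hunk at `@@ -79`), where before the change `Session.new` took no arguments. Either document `token_claims` as a required hook of the including class or give the module a safe default such as `def token_claims; {}; end`, so that iss/aud verification stays opt-in for existing deployments. Whether `claims` lands below a `private` marker cannot be seen from the hunk; since it is only used internally, it should not become part of the including controller's public action surface. A short comment on the method would also help the next reader: `# Claims handed to Session for iss/aud verification; the same set is applied to access and refresh tokens.`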
@@ -23,4 +35,94 @@ def test_payload_when_token_is_present
 assert_equal payload['user_id'], 1
 assert_equal payload['secret'], 'mystery'
 end
+
+ def test_verify_iss
+ JWTSessions.jwt_options[:verify_iss] = true
+
+ session = JWTSessions::Session.new(payload: { user_id: 1, iss: "issuer" })
+ tokens = session.login
+
+ # Extract uid from access token
+ uid = JWT.decode(tokens[:access], JWTSessions.public_key).first["uid"]
+
+ @_raw_token =
+ JWTSessions::Token.encode({ user_id: 1, uid: uid, iss: "issuer" })
+
+ assert session_exists?(:access)
+ end
+
+ def test_verify_iss_when_iss_is_not_correct
+ JWTSessions.jwt_options[:verify_iss] = true
+
+ session = JWTSessions::Session.new(payload: { user_id: 1, iss: "issuer" })
+ tokens = session.login
+
+ # Extract uid from access token
+ uid = JWT.decode(tokens[:access], JWTSessions.public_key).first["uid"]
+
+ @_raw_token =
+ JWTSessions::Token.encode({ user_id: 1, uid: uid, iss: "another_issuer" })
+
+ assert !session_exists?(:access)
+ end
+
+ def test_verify_iss_when_iss_is_not_present
+ JWTSessions.jwt_options[:verify_iss] = true
+
+ session = JWTSessions::Session.new(payload: { user_id: 1, iss: "issuer" })
+ tokens = session.login
+
+ # Extract uid from access token
+ uid = JWT.decode(tokens[:access], JWTSessions.public_key).first["uid"]
+
+ @_raw_token =
+ JWTSessions::Token.encode({ user_id: 1, uid: uid })
+
+ assert !session_exists?(:access)
+ end
+
+ def test_verify_aud
+ JWTSessions.jwt_options[:verify_aud] = true
+
+ session = JWTSessions::Session.new(payload: { user_id: 1, aud: "audience" })
+ tokens = session.login
+
+ # Extract uid from access token
+ uid = JWT.decode(tokens[:access], JWTSessions.public_key).first["uid"]
+
+ @_raw_token =
+ JWTSessions::Token.encode({ user_id: 1, uid: uid, aud: "audience" })
+
+ assert session_exists?(:access)
+ end
+
+ def test_verify_aud_when_aud_is_not_correct
+ JWTSessions.jwt_options[:verify_aud] = true
+
+ session = JWTSessions::Session.new(payload: { user_id: 1, aud: "audience" })
+ tokens = session.login
+
+ # Extract uid from access token
+ uid = JWT.decode(tokens[:access], JWTSessions.public_key).first["uid"]
+
+ @_raw_token =
+ JWTSessions::Token.encode({ user_id: 1, uid: uid, aud: "another_audience" })
+
+ assert !session_exists?(:access)
+ end
+
+ def test_verify_aud_when_aud_is_not_present
+ JWTSessions.jwt_options[:verify_aud] = true
+
+ session = JWTSessions::Session.new(payload: { user_id: 1, aud: "audience" })
+ tokens = session.login
+
+ # Extract uid from access token
+ uid = JWT.decode(tokens[:access], JWTSessions.public_key).first["uid"]
+
+ @_raw_token =
+ JWTSessions::Token.encode({ user_id: 1, uid: uid })
+
+ assert !session_exists?(:access)
+ end
 end