Allow aud of pds or entryway for service auth tokens on pds (#2694)

allow aud of pds or entryway for service auth tokens on pds
bluesky-social · Aug 7, 2024 · 8092715 · 8092715
1 parent 1072ba6
commit 8092715
Showing 1 changed file with 10 additions and 1 deletion.
diff --git a/packages/pds/src/auth-verifier.ts b/packages/pds/src/auth-verifier.ts
@@ -224,9 +224,18 @@ export class AuthVerifier {
 
   userServiceAuth = async (ctx: ReqCtx): Promise<UserServiceAuthOutput> => {
     const payload = await this.verifyServiceJwt(ctx, {
-      aud: this.dids.entryway ?? this.dids.pds,
+      aud: null,
       iss: null,
     })
+    if (
+      payload.aud !== this.dids.pds &&
+      (!this.dids.entryway || payload.aud !== this.dids.entryway)
+    ) {
+      throw new AuthRequiredError(
+        'jwt audience does not match service did',
+        'BadJwtAudience',
+      )
+    }
     return {
       credentials: {
         type: 'user_service_auth',