Properly validate issuer & audience when supplied

Previously JWTVerifier didn't validate issuer & audience if those claims where
missing from the token, deeming it valid.

Author: hzalaz

src/main/java/com/auth0/jwt/JWTAudienceException.java

@@ -14,13 +14,11 @@ public class JWTAudienceException extends JWTVerifyException {
     private JsonNode audienceNode;
 
     public JWTAudienceException(final JsonNode audienceNode) {
-        Validate.notNull(audienceNode);
         this.audienceNode = audienceNode;
     }
 
     public JWTAudienceException(final String message, final JsonNode audienceNode) {
         super(message);
-        Validate.notNull(audienceNode);
         this.audienceNode = audienceNode;
     }
 

src/main/java/com/auth0/jwt/JWTIssuerException.java

@@ -1,7 +1,5 @@
 package com.auth0.jwt;
 
-import org.apache.commons.lang3.Validate;
-
 /**
  * Represents Exception related to Issuer - for example issuer mismatch / missing upon verification
  */
@@ -10,13 +8,11 @@ public class JWTIssuerException extends JWTVerifyException {
     private final String issuer;
 
     public JWTIssuerException(final String issuer) {
-        Validate.notNull(issuer);
         this.issuer = issuer;
     }
 
     public JWTIssuerException(final String message, final String issuer) {
         super(message);
-        Validate.notNull(issuer);
         this.issuer = issuer;
     }
 

src/main/java/com/auth0/jwt/JWTVerifier.java

@@ -185,27 +185,37 @@ protected void verifyExpiration(final JsonNode jwtClaims) throws JWTExpiredExcep
 
     protected void verifyIssuer(final JsonNode jwtClaims) throws JWTIssuerException {
         Validate.notNull(jwtClaims);
+
+        if (this.issuer == null ) {
+            return;
+        }
+
         final String issuerFromToken = jwtClaims.has("iss") ? jwtClaims.get("iss").asText() : null;
-        if (issuerFromToken != null && issuer != null && !issuer.equals(issuerFromToken)) {
+
+        if (issuerFromToken == null || !issuer.equals(issuerFromToken)) {
             throw new JWTIssuerException("jwt issuer invalid", issuerFromToken);
         }
     }
 
     protected void verifyAudience(final JsonNode jwtClaims) throws JWTAudienceException {
         Validate.notNull(jwtClaims);
-        if (audience == null)
+        if (audience == null) {
             return;
+        }
         final JsonNode audNode = jwtClaims.get("aud");
-        if (audNode == null)
-            return;
+        if (audNode == null) {
+            throw new JWTAudienceException("jwt audience invalid", null);
+        }
         if (audNode.isArray()) {
             for (final JsonNode jsonNode : audNode) {
-                if (audience.equals(jsonNode.textValue()))
+                if (audience.equals(jsonNode.textValue())) {
                     return;
+                }
             }
         } else if (audNode.isTextual()) {
-            if (audience.equals(audNode.textValue()))
+            if (audience.equals(audNode.textValue())) {
                 return;
+            }
         }
         throw new JWTAudienceException("jwt audience invalid", audNode);
     }

src/test/java/com/auth0/jwt/JWTVerifierTest.java

@@ -6,7 +6,9 @@
 import com.fasterxml.jackson.databind.node.JsonNodeFactory;
 import com.fasterxml.jackson.databind.node.ObjectNode;
 import org.apache.commons.codec.binary.Base64;
+import org.junit.Rule;
 import org.junit.Test;
+import org.junit.rules.ExpectedException;
 
 import java.security.SignatureException;
 
@@ -19,6 +21,8 @@ public class JWTVerifierTest {
 
     private static final Base64 decoder = new Base64(true);
 
+    @Rule
+    public ExpectedException expectedException = ExpectedException.none();
 
     @Test(expected = IllegalArgumentException.class)
     public void constructorShouldFailOnEmptySecret() {
@@ -85,7 +89,7 @@ public void shouldVerifySignature() throws Exception {
                 "cGxlLmNvbS9pc19yb290Ijp0cnVlfQ" +
                 "." +
                 "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk";
-        byte[] secret = decoder.decodeBase64("AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow");
+        byte[] secret = decoder.decode("AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow");
         new JWTVerifier(secret, "audience")
                 .verifySignature(jws.split("\\."), Algorithm.HS256);
     }
@@ -116,6 +120,7 @@ public void shouldFailIssuer() throws Exception {
 
     @Test
     public void shouldVerifyIssuerWhenNotFoundInClaimsSet() throws Exception {
+        expectedException.expect(JWTIssuerException.class);
         new JWTVerifier("such secret", "amaze audience", "very issuer")
                 .verifyIssuer(JsonNodeFactory.instance.objectNode());
     }
@@ -134,6 +139,7 @@ public void shouldFailAudience() throws Exception {
 
     @Test
     public void shouldVerifyAudienceWhenNotFoundInClaimsSet() throws Exception {
+        expectedException.expect(JWTAudienceException.class);
         new JWTVerifier("such secret", "amaze audience")
                 .verifyAudience(JsonNodeFactory.instance.objectNode());
     }
@@ -171,6 +177,19 @@ public void decodeAndParse() throws Exception {
         assertEquals("123", decodedJSON.get("number").asText());
     }
 
+    @Test
+    public void shouldVerifyAudienceFromToken() throws Exception {
+        expectedException.expect(JWTAudienceException.class);
+        JWTVerifier verifier = new JWTVerifier("I.O.U a secret", "samples-api", null);
+        verifier.verify("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.wLlz9xDltxqKHQC7BeauPi5Q4KQK4nDjlRqQPvKVLYk");
+    }
+
+    @Test
+    public void shouldVerifyIssuerFromToken() throws Exception {
+        expectedException.expect(JWTIssuerException.class);
+        JWTVerifier verifier = new JWTVerifier("I.O.U a secret", null, "samples.auth0.com");
+        verifier.verify("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.wLlz9xDltxqKHQC7BeauPi5Q4KQK4nDjlRqQPvKVLYk");
+    }
 
     public static JsonNode createSingletonJSONNode(String key, String value) {
         final ObjectNode jsonNodes = JsonNodeFactory.instance.objectNode();