fix aud check on pds mod service auth

bluesky-social · Mar 5, 2024 · 7be8445 · 7be8445
1 parent 81f9d69
commit 7be8445
Showing 1 changed file with 12 additions and 1 deletion.
diff --git a/packages/pds/src/auth-verifier.ts b/packages/pds/src/auth-verifier.ts
@@ -259,9 +259,20 @@ export class AuthVerifier {
       throw new AuthRequiredError('Untrusted issuer', 'UntrustedIss')
     }
     const payload = await this.verifyServiceJwt(reqCtx, {
-      aud: this.dids.entryway ?? this.dids.pds,
+      aud: null,
       iss: [this.dids.modService, `${this.dids.modService}#atproto_labeler`],
     })
+    if (
+      payload.aud !== this.dids.pds &&
+      (!this.dids.entryway || payload.aud !== this.dids.entryway)
+    ) {
+      throw new AuthRequiredError(
+        'jwt audience does not match service did',
+        'BadJwtAudience',
+      )
+    }
+
+    payload.aud
     return {
       credentials: {
         type: 'mod_service',