add additional security TODO

theopensystemslab · Oct 31, 2024 · 2d24531 · 2d24531
1 parent a5fc00e
commit 2d24531
Showing 1 changed file with 1 addition and 0 deletions.
diff --git a/api.planx.uk/modules/auth/strategy/microsoft-oidc.ts b/api.planx.uk/modules/auth/strategy/microsoft-oidc.ts
@@ -47,6 +47,7 @@ const verifyCallback: StrategyVerifyCallbackReq<Express.User> = async (
   done,
 ): Promise<void> => {
   // TODO: use tokenSet.state to pass the redirectTo query param through the auth flow
+  // TODO: validate id_token sig with the public key from the jwks_uri (...v2.0/keys)
   const claims: IdTokenClaims = tokenSet.claims();
 
   // ensure the response is authentic by comparing nonce