From 01ce34f3d8dd532566694328a077cd11c94e1f0f Mon Sep 17 00:00:00 2001
From: Chamika J <75464293+chamikaJ@users.noreply.github.com>
Date: Mon, 4 Aug 2025 16:54:17 +0530
Subject: [PATCH] feat(auth): enhance token audience validation for Google authentication

- Updated the `googleMobileAuth` method in `AuthController` to accept multiple client IDs (web, Android, iOS) for token audience validation.
- Improved error handling for invalid token audiences, ensuring a more flexible and robust authentication process.
---
 worklenz-backend/src/controllers/auth-controller.ts | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/worklenz-backend/src/controllers/auth-controller.ts b/worklenz-backend/src/controllers/auth-controller.ts
index 70056b47..d1505dc2 100644
--- a/worklenz-backend/src/controllers/auth-controller.ts
+++ b/worklenz-backend/src/controllers/auth-controller.ts
@@ -194,13 +194,19 @@ export default class AuthController extends WorklenzControllerBase {
       const response = await axios.get(`https://oauth2.googleapis.com/tokeninfo?id_token=${idToken}`);
       const profile = response.data;
 
-      // Validate token audience (client ID)
-      if (profile.aud !== process.env.GOOGLE_CLIENT_ID) {
+      // Validate token audience (client ID) - accept web, Android, and iOS client IDs
+      const allowedClientIds = [
+        process.env.GOOGLE_CLIENT_ID, // Web client ID
+        process.env.GOOGLE_ANDROID_CLIENT_ID, // Android client ID
+        process.env.GOOGLE_IOS_CLIENT_ID, // iOS client ID
+      ].filter(Boolean); // Remove undefined values
+
+      if (!allowedClientIds.includes(profile.aud)) {
         return res.status(400).send(new ServerResponse(false, null, "Invalid token audience"));
       }
 
       // Validate token issuer
-      if (!['https://accounts.google.com', 'accounts.google.com'].includes(profile.iss)) {
+      if (!["https://accounts.google.com", "accounts.google.com"].includes(profile.iss)) {
         return res.status(400).send(new ServerResponse(false, null, "Invalid token issuer"));
       }
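Review bot: The `.filter(Boolean)` on `allowedClientIds` silently drops any unset `GOOGLE_*_CLIENT_ID` variable, so a deployment with none of the three configured rejects every login with the same generic "Invalid token audience" response and nothing distinguishes that misconfiguration from a genuinely foreign token; the list is also rebuilt from `process.env` on every request. Consider resolving the allowed audiences once at module or class initialisation and failing loudly (log or throw at startup) when the resulting list is empty, leaving the per-request check as `if (!allowedClientIds.includes(profile.aud))`. As written the array is typed `(string | undefined)[]` because `filter(Boolean)` does not narrow; `.filter((id): id is string => typeof id === "string")` yields `string[]` and makes the contract explicit, and `profile.aud` itself is untyped since `profile` is `response.data`, so a comment such as `// tokeninfo response is untyped; aud is the client ID the token was minted for` would help the next reader. The enclosing `googleMobileAuth` method begins and ends outside this hunk.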