bo/worklenz
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(auth): enhance token audience validation for Google authentication

Browse Source 
- Updated the `googleMobileAuth` method in `AuthController` to accept multiple client IDs (web, Android, iOS) for token audience validation.
- Improved error handling for invalid token audiences, ensuring a more flexible and robust authentication process.
This commit is contained in:
Chamika J
2025-08-04 16:54:17 +05:30
parent 8188b5c381
commit 01ce34f3d8
1 changed files with 9 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
worklenz-backend/src/controllers/auth-controller.ts
View File

@@ -194,13 +194,19 @@ export default class AuthController extends WorklenzControllerBase {
const response = await axios.get(`https://oauth2.googleapis.com/tokeninfo?id_token=${idToken}`);
const profile = response.data;
// Validate token audience (client ID)
if (profile.aud !== process.env.GOOGLE_CLIENT_ID) {
// Validate token audience (client ID) - accept web, Android, and iOS client IDs
const allowedClientIds = [
process.env.GOOGLE_CLIENT_ID, // Web client ID
process.env.GOOGLE_ANDROID_CLIENT_ID, // Android client ID
process.env.GOOGLE_IOS_CLIENT_ID, // iOS client ID
].filter(Boolean); // Remove undefined values
if (!allowedClientIds.includes(profile.aud)) {
return res.status(400).send(new ServerResponse(false, null, "Invalid token audience"));
}
// Validate token issuer
if (!['https://accounts.google.com', 'accounts.google.com'].includes(profile.iss)) {
if (!["https://accounts.google.com", "accounts.google.com"].includes(profile.iss)) {
return res.status(400).send(new ServerResponse(false, null, "Invalid token issuer"));
}