change: Set jwt-aud default value to \`\' (accepting only empty string)

mkleczek · mkleczek · commit b7ebb24c0c23 · 2025-10-29T19:42:05.000+01:00
Fixes #4134 (JWT with aud claim should be rejected if jwt-aud is not set) Updated default jwt-aud value in Config module. Updated spec tests.
diff --git a/docs/references/auth.rst b/docs/references/auth.rst
@@ -203,7 +203,7 @@ It works this way:
 Examples:
 - To make PostgREST accept ``aud`` claim value from a set ``audience1``, ``audience2``, ``otheraudience``, :ref:`jwt-aud` claim should be set to ``audience1|audience2|otheraudience``.
 - To make PostgREST accept ``aud`` claim value matching any ``https`` URI pointing to a host in ``example.com`` domain, :ref:`jwt-aud` claim should be set to ``https://[a-zA-Z0-9_]*\.example\.com``.
-- To make PostgREST accept any ``aud`` claim value , :ref:`jwt-aud` claim should be set to ``.*`` (which is the default).
+- To make PostgREST accept any ``aud`` claim value , :ref:`jwt-aud` claim should be set to ``.*``.
 
 .. _jwt_caching:
 
diff --git a/src/PostgREST/Config.hs b/src/PostgREST/Config.hs
@@ -90,7 +90,7 @@ parseCfgAud = fmap CfgAud . (fmap . ParsedValue . Just <*> parseRegex)
     bounded = ("\\`(" <>) . (<> "\\')")
 
 defaultCfgAud :: CfgAud
-defaultCfgAud = CfgAud $ ParsedValue Nothing $ R.makeRegex (".*"::Text)
+defaultCfgAud = CfgAud $ ParsedValue Nothing $ R.makeRegex ("\\`\\'"::Text)
 
 audMatchesCfg :: AppConfig -> Text -> Bool
 audMatchesCfg = R.matchTest . parsedValue . unCfgAud . configJwtAudience
diff --git a/test/spec/Feature/Auth/AudienceJwtSecretSpec.hs b/test/spec/Feature/Auth/AudienceJwtSecretSpec.hs
@@ -151,7 +151,7 @@ disabledSpec :: SpecWith ((), Application)
 disabledSpec = describe "test handling of aud claims in JWT when the jwt-aud config is not set" $ do
 
   context "when the audience claim is a string" $ do
-    it "ignores the audience claim and suceeds" $ do
+    it "fails when it is not empty" $ do
       let jwtPayload =
             [json|{
               "exp": 9999999999,
@@ -161,7 +161,7 @@ disabledSpec = describe "test handling of aud claims in JWT when the jwt-aud con
             }|]
           auth = authHeaderJWT $ generateJWT jwtPayload
       request methodGet "/authors_only" [auth] ""
-        `shouldRespondWith` 200
+        `shouldRespondWith` 401
 
     it "ignores the audience claim and suceeds when it's empty" $ do
       let jwtPayload =
@@ -176,7 +176,7 @@ disabledSpec = describe "test handling of aud claims in JWT when the jwt-aud con
         `shouldRespondWith` 200
 
   context "when the audience is an array of strings" $ do
-    it "ignores the audience claim and suceeds when it has 1 element" $ do
+    it "fails it has 1 element" $ do
       let jwtPayload = [json|
             {
               "exp": 9999999999,
@@ -186,9 +186,9 @@ disabledSpec = describe "test handling of aud claims in JWT when the jwt-aud con
             }|]
           auth = authHeaderJWT $ generateJWT jwtPayload
       request methodGet "/authors_only" [auth] ""
-        `shouldRespondWith` 200
+        `shouldRespondWith` 401
 
-    it "ignores the audience claim and suceeds when it has more than 1 element" $ do
+    it "fails when it has more than 1 element" $ do
       let jwtPayload = [json|
             {
               "exp": 9999999999,
@@ -198,7 +198,7 @@ disabledSpec = describe "test handling of aud claims in JWT when the jwt-aud con
             }|]
           auth = authHeaderJWT $ generateJWT jwtPayload
       request methodGet "/authors_only" [auth] ""
-        `shouldRespondWith` 200
+        `shouldRespondWith` 401
 
     it "ignores the audience claim and suceeds when it's empty" $ do
       let jwtPayload = [json|
