verify audience on auth

bcgov · Apr 23, 2024 · ffdb81e · ffdb81e
1 parent 28a8cb1
commit ffdb81e
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 10 deletions.
diff --git a/app/src/docs/v1.api-spec.yaml b/app/src/docs/v1.api-spec.yaml
@@ -41,8 +41,8 @@ paths:
                     description: A list of Health states
                     items:
                       $ref: "#/components/schemas/Health"
-        "403":
-          $ref: "#/components/responses/Forbidden"
+        "401":
+          $ref: "#/components/responses/UnauthorizedError"
         default:
           description: Unexpected error
           content:
@@ -75,7 +75,7 @@ paths:
                 $ref: "#/components/schemas/TransactionResponse"
         "400":
           $ref: "#/components/responses/BadRequest"
-        "403":
+        "401":
           $ref: "#/components/responses/Forbidden"
         "422":
           $ref: "#/components/responses/UnprocessableEntity"
@@ -112,7 +112,7 @@ paths:
                 $ref: "#/components/schemas/MergeResponse"
         "400":
           $ref: "#/components/responses/BadRequest"
-        "403":
+        "401":
           $ref: "#/components/responses/Forbidden"
         "422":
           $ref: "#/components/responses/UnprocessableEntity"
@@ -147,7 +147,7 @@ paths:
                   $ref: "#/components/schemas/MessageObject"
         "400":
           $ref: "#/components/responses/BadRequest"
-        "403":
+        "401":
           $ref: "#/components/responses/Forbidden"
         "422":
           $ref: "#/components/responses/UnprocessableEntity"
@@ -182,7 +182,7 @@ paths:
                 description: A list of message statuses
                 items:
                   $ref: "#/components/schemas/StatusObject"
-        "403":
+        "401":
           $ref: "#/components/responses/Forbidden"
         "422":
           $ref: "#/components/responses/UnprocessableEntity"
@@ -211,7 +211,7 @@ paths:
             application/json:
               schema:
                 $ref: "#/components/schemas/StatusObject"
-        "403":
+        "401":
           $ref: "#/components/responses/Forbidden"
         "404":
           $ref: "#/components/responses/NotFound"

diff --git a/app/src/middleware/authentication.js b/app/src/middleware/authentication.js
@@ -39,17 +39,18 @@ async function tokenValidator(req, res, next) {
         : _spkiWrapper(publicKey);
 
       jwt.verify(bearerToken, pemKey, {
-        issuer: `${config.get('keycloak.serverUrl')}/realms/${config.get('keycloak.realm')}`
+        issuer: `${config.get('keycloak.serverUrl')}/realms/${config.get('keycloak.realm')}`,
+        audience: config.get('keycloak.clientId')
       });
     }
     else {
-      return new Problem(400, {
+      return new Problem(500, {
         detail: 'OIDC environment variable KC_PUBLICKEY, KC_SERVERURL and KC_REALM must be defined'
       }).send(res);
     }
   } catch (err) {
     log.error(err.message, { function: 'tokenValidator' });
-    return next(new Problem(403, { detail: 'Access token is missing or invalid', instance: req.originalUrl }));
+    return next(new Problem(401, { detail: 'Access token is missing or invalid', instance: req.originalUrl }));
   }
   next();
 }