From c8ab900b831c4e859620c964d25737bf95d5eeb8 Mon Sep 17 00:00:00 2001
From: "Ajitomi, Daisuke" <ajitomi@gmail.com>
Date: Fri, 30 Jul 2021 22:00:54 +0900
Subject: [PATCH] Fix aud validation to support {'aud': null} case. (#670)

* Fix aud validation to support {'aud': null} case.

* Fix aud validation to support {'aud': null} case.
---
 CHANGELOG.rst         |  2 ++
 jwt/api_jwt.py        | 15 +++++++--------
 tests/test_api_jwt.py | 19 +++++++++++++++++++
 3 files changed, 28 insertions(+), 8 deletions(-)

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index b138569a..763822a1 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -13,6 +13,8 @@ Changed
 Fixed
 ~~~~~
 
+- Fix aud validation to support {'aud': null} case. `#670 <https://github.com/jpadilla/pyjwt/pull/670>`__
+
 Added
 ~~~~~
 
diff --git a/jwt/api_jwt.py b/jwt/api_jwt.py
index 70a5e537..55a8f291 100644
--- a/jwt/api_jwt.py
+++ b/jwt/api_jwt.py
@@ -177,19 +177,18 @@ def _validate_exp(self, payload, now, leeway):
             raise ExpiredSignatureError("Signature has expired")
 
     def _validate_aud(self, payload, audience):
-        if audience is None and "aud" not in payload:
-            return
+        if audience is None:
+            if "aud" not in payload or not payload["aud"]:
+                return
+            # Application did not specify an audience, but
+            # the token has the 'aud' claim
+            raise InvalidAudienceError("Invalid audience")
 
-        if audience is not None and "aud" not in payload:
+        if "aud" not in payload or not payload["aud"]:
             # Application specified an audience, but it could not be
             # verified since the token does not contain a claim.
             raise MissingRequiredClaimError("aud")
 
-        if audience is None and "aud" in payload:
-            # Application did not specify an audience, but
-            # the token has the 'aud' claim
-            raise InvalidAudienceError("Invalid audience")
-
         audience_claims = payload["aud"]
 
         if isinstance(audience_claims, str):
diff --git a/tests/test_api_jwt.py b/tests/test_api_jwt.py
index 56de90c9..1faa05f3 100644
--- a/tests/test_api_jwt.py
+++ b/tests/test_api_jwt.py
@@ -202,6 +202,16 @@ def test_decode_raises_exception_if_nbf_is_not_int(self, jwt):
         with pytest.raises(DecodeError):
             jwt.decode(example_jwt, "secret", algorithms=["HS256"])
 
+    def test_decode_raises_exception_if_aud_is_none(self, jwt):
+        # >>> jwt.encode({'aud': None}, 'secret')
+        example_jwt = (
+            "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
+            "eyJhdWQiOm51bGx9."
+            "-Peqc-pTugGvrc5C8Bnl0-X1V_5fv-aVb_7y7nGBVvQ"
+        )
+        decoded = jwt.decode(example_jwt, "secret", algorithms=["HS256"])
+        assert decoded["aud"] is None
+
     def test_encode_datetime(self, jwt):
         secret = "secret"
         current_datetime = datetime.utcnow()
@@ -413,6 +423,15 @@ def test_raise_exception_token_without_audience(self, jwt):
 
         assert exc.value.claim == "aud"
 
+    def test_raise_exception_token_with_aud_none_and_without_audience(self, jwt):
+        payload = {"some": "payload", "aud": None}
+        token = jwt.encode(payload, "secret")
+
+        with pytest.raises(MissingRequiredClaimError) as exc:
+            jwt.decode(token, "secret", audience="urn:me", algorithms=["HS256"])
+
+        assert exc.value.claim == "aud"
+
     def test_check_issuer_when_valid(self, jwt):
         issuer = "urn:foo"
         payload = {"some": "payload", "iss": "urn:foo"}