#0802

Audience Validation

Easy | +50 XP | A07:2021 Identification and Authentication Failures | CWE-347
JWT | Authentication | Token Validation

Scenario

Your platform issues JWT tokens for multiple services. Each token carries an 'aud' (audience) claim indicating which service it is intended for.

The validation function accepts any token without verifying that its audience claim matches the service performing the check.

A token issued for 'billing-service' can be replayed against 'admin-api'.

Without audience validation, a token legitimately issued for one service can be replayed against a different service, bypassing access controls entirely.

Your Tasks

  1. Inspect validateToken — it returns {valid:true} without checking payload.aud.
  2. Fix it: if payload.aud !== expectedAudience, throw 'Invalid audience'.
  3. Exact string match is required — no prefix or wildcard matching.

Examples

Example 1: Wrong audience token accepted (bug)

validateToken({sub:'alice',aud:'other-service'}, 'api')
// Returns {valid:true} — should have thrown!

Example 2: Correct audience returns valid

validateToken({sub:'alice',aud:'api'}, 'api')
// Returns {valid:true}

Constraints

  • payload is a pre-parsed object with sub (string) and aud (string)
  • expectedAudience is a string
  • Throw exactly 'Invalid audience' — no other message
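The buggy validator from the task beside a fixed one, as an added example that is not the challenge's own solution.js; the function and variable names (validateTokenVulnerable, replayAccepted, billingToken) are assumptions, and the multi-audience variant goes beyond the stated constraints by handling the array form of aud that RFC 7519 also permits.

```javascript
// Bug: the audience claim is never consulted, so a token minted for any
// service is accepted by every service.
function validateTokenVulnerable(payload, expectedAudience) {
  return { valid: true };
}

// Fix: exact string comparison of payload.aud against the service's own
// identifier. Strict equality gives no prefix or wildcard matching, so
// 'api' does not match 'api-v2' or 'api*'. A missing or non-string aud is
// rejected as well, since an absent claim cannot match the expected one.
function validateToken(payload, expectedAudience) {
  if (typeof expectedAudience !== 'string') {
    throw new Error('Invalid audience');
  }
  if (typeof payload.aud !== 'string' || payload.aud !== expectedAudience) {
    throw new Error('Invalid audience');
  }
  return { valid: true };
}

// Beyond the challenge's constraints: RFC 7519 section 4.1.3 also allows aud
// to be an array of strings. The service accepts the token only if its own
// identifier appears as an exact element of that array.
function validateTokenMultiAudience(payload, expectedAudience) {
  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  if (!aud.some((a) => typeof a === 'string' && a === expectedAudience)) {
    throw new Error('Invalid audience');
  }
  return { valid: true };
}

// Replay check: does a validator accept a token against a service it was not
// issued for? Returns true when the replay is (wrongly) accepted.
function replayAccepted(validator, payload, targetService) {
  try {
    validator(payload, targetService);
    return true;
  } catch (e) {
    if (e.message !== 'Invalid audience') throw e;
    return false;
  }
}

// Constructed sample token: issued for billing-service, replayed at admin-api.
const billingToken = { sub: 'alice', aud: 'billing-service' };
console.log(replayAccepted(validateTokenVulnerable, billingToken, 'admin-api')); // true
console.log(replayAccepted(validateToken, billingToken, 'admin-api'));           // false
```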
