From 8092715ea0a13d478cd5d8064f47c17482f3bd42 Mon Sep 17 00:00:00 2001
From: Daniel Holmgren
Date: Tue, 6 Aug 2024 20:02:00 -0400
Subject: [PATCH] Allow aud of pds or entryway for service auth tokens on pds (#2694)

allow aud of pds or entryway for service auth tokens on pds
---
 packages/pds/src/auth-verifier.ts | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/packages/pds/src/auth-verifier.ts b/packages/pds/src/auth-verifier.ts
index bc23b2e6e69..953e7a79806 100644
--- a/packages/pds/src/auth-verifier.ts
+++ b/packages/pds/src/auth-verifier.ts
@@ -224,9 +224,18 @@ export class AuthVerifier {
   userServiceAuth = async (ctx: ReqCtx): Promise => {
     const payload = await this.verifyServiceJwt(ctx, {
-      aud: this.dids.entryway ?? this.dids.pds,
+      aud: null,
       iss: null,
     })
+    if (
+      payload.aud !== this.dids.pds &&
+      (!this.dids.entryway || payload.aud !== this.dids.entryway)
+    ) {
+      throw new AuthRequiredError(
+        'jwt audience does not match service did',
+        'BadJwtAudience',
+      )
+    }
     return {
       credentials: {
         type: 'user_service_auth',