feat: allow regex in SMARTConfig.expectedAudValue (#43)

src/smartAuthorizationHelper.test.ts

@@ -456,6 +456,20 @@ describe('verifyJwt', () => {
                 verifyJwtToken(jwt, expectedAudValue, 'https://exampleAuthServer.com/oauth2', client),
             ).resolves.toEqual(payload);
         });
+
+        test('aud provided as RegExp', async () => {
+            const aud = 'api://default';
+            const audRegExp = /api:\/\/([a-z])+/;
+
+            const payload = getDefaultPayload(
+                Math.floor(Date.now() / 1000),
+                Math.floor(Date.now() / 1000) + 10,
+                aud,
+                expectedIssValue,
+            );
+            const jwt = await getSignedJwt(payload);
+            return expect(verifyJwtToken(jwt, audRegExp, expectedIssValue, client)).resolves.toEqual(payload);
+        });
     });
 
     test('iss is incorrect', async () => {

src/smartAuthorizationHelper.ts

@@ -119,7 +119,7 @@ export function getJwksClient(jwksUri: string): JwksClient {
 
 export async function verifyJwtToken(
     token: string,
-    expectedAudValue: string,
+    expectedAudValue: string | RegExp,
     expectedIssValue: string,
     client: JwksClient,
 ) {

src/smartConfig.ts

@@ -74,8 +74,11 @@ export interface SMARTConfig {
     scopeRule: ScopeRule;
     /**
      * Per SMART spec this is the 'aud' key found in the access_token
+     *
+     * Using the string type is recommended. RegExp can be useful when the audience is not static, such as in multi-tenant setups.
+     * Caution must be taken to avoid overly permissive regular expressions (e.g. avoid using .*). Use regular expressions that are as specific as possible to avoid allowing requests from unexpected audiences.
      */
-    expectedAudValue: string;
+    expectedAudValue: string | RegExp;
     /**
      * Per SMART spec this is the 'iss' key found in the access_token
      */