add tests for jwt5 multiple auds and improve existing tests

backend/app/cmd/server_test.go

@@ -637,10 +637,10 @@ func TestServerAuthHooks(t *testing.T) {
 	require.NoError(t, resp.Body.Close())
 	assert.Equal(t, http.StatusCreated, resp.StatusCode, "non-blocked user able to post")
 
-	// add comment with no-aud claim
-	claimsNoAud := claims
-	claimsNoAud.Audience = jwt.ClaimStrings{""}
-	tkNoAud, err := tkService.Token(claimsNoAud)
+	// try to add comment with no-aud claim
+	badClaimsNoAud := claims
+	badClaimsNoAud.Audience = jwt.ClaimStrings{""}
+	tkNoAud, err := tkService.Token(badClaimsNoAud)
 	require.NoError(t, err)
 	t.Logf("no-aud claims: %s", tkNoAud)
 	req, err = http.NewRequest("POST", fmt.Sprintf("http://localhost:%d/api/v1/comment", port),
@@ -655,6 +655,43 @@ func TestServerAuthHooks(t *testing.T) {
 	require.NoError(t, resp.Body.Close())
 	assert.Equal(t, http.StatusUnauthorized, resp.StatusCode, "user without aud claim rejected, \n"+tkNoAud+"\n"+string(body))
 
+	// try to add comment with multiple auds
+	badClaimsMultipleAud := claims
+	badClaimsMultipleAud.Audience = jwt.ClaimStrings{"remark", "second_aud"}
+	tkMultipleAuds, err := tkService.Token(badClaimsMultipleAud)
+	require.NoError(t, err)
+	t.Logf("multiple aud claims: %s", tkMultipleAuds)
+	req, err = http.NewRequest("POST", fmt.Sprintf("http://localhost:%d/api/v1/comment", port),
+		strings.NewReader(`{"text": "test 123", "locator":{"url": "https://radio-t.com/p/2018/12/29/podcast-631/",
+	"site": "remark"}}`))
+	require.NoError(t, err)
+	req.Header.Set("X-JWT", tkMultipleAuds)
+	resp, err = client.Do(req)
+	require.NoError(t, err)
+	body, err = io.ReadAll(resp.Body)
+	require.NoError(t, err)
+	require.NoError(t, resp.Body.Close())
+	assert.Equal(t, http.StatusUnauthorized, resp.StatusCode, "user with multiple auds claim rejected, \n"+tkMultipleAuds+"\n"+string(body))
+
+	// try to add comment without user set
+	badClaimsNoUser := claims
+	badClaimsNoUser.Audience = jwt.ClaimStrings{"remark"}
+	badClaimsNoUser.User = nil
+	tkNoUser, err := tkService.Token(badClaimsNoUser)
+	require.NoError(t, err)
+	t.Logf("no user claims: %s", tkNoUser)
+	req, err = http.NewRequest("POST", fmt.Sprintf("http://localhost:%d/api/v1/comment", port),
+		strings.NewReader(`{"text": "test 123", "locator":{"url": "https://radio-t.com/p/2018/12/29/podcast-631/",
+	"site": "remark"}}`))
+	require.NoError(t, err)
+	req.Header.Set("X-JWT", tkNoUser)
+	resp, err = client.Do(req)
+	require.NoError(t, err)
+	body, err = io.ReadAll(resp.Body)
+	require.NoError(t, err)
+	require.NoError(t, resp.Body.Close())
+	assert.Equal(t, http.StatusUnauthorized, resp.StatusCode, "user without user information rejected, \n"+tkNoUser+"\n"+string(body))
+
 	// block user github_dev as admin
 	req, err = http.NewRequest(http.MethodPut,
 		fmt.Sprintf("http://localhost:%d/api/v1/admin/user/github_dev?site=remark&block=1&ttl=10d", port), http.NoBody)

backend/app/rest/api/admin_test.go

@@ -835,7 +835,7 @@ func TestAdmin_DeleteMeRequestFailed(t *testing.T) {
 
 	// try with wrong audience
 	badClaimsMultipleAudience := claims
-	badClaimsMultipleAudience.StandardClaims.Audience = "something else"
+	badClaimsMultipleAudience.RegisteredClaims.Audience = jwt.ClaimStrings{"remark42", "something else"}
 	tkn, err = srv.Authenticator.TokenService().Token(badClaimsMultipleAudience)
 	assert.NoError(t, err)
 	req, err = http.NewRequest(http.MethodGet, fmt.Sprintf("%s/api/v1/admin/deleteme?token=%s", ts.URL, tkn), http.NoBody)
@@ -847,8 +847,8 @@ func TestAdmin_DeleteMeRequestFailed(t *testing.T) {
 	b, err = io.ReadAll(resp.Body)
 	assert.NoError(t, err)
 	assert.NoError(t, resp.Body.Close())
-	assert.Contains(t, string(b), `site \"something else\" not found`)
-	badClaimsMultipleAudience.StandardClaims.Audience = "remark42"
+	assert.Contains(t, string(b), "can't process token, aud is not a single element")
+	badClaimsMultipleAudience.RegisteredClaims.Audience = jwt.ClaimStrings{"remark42"}
 }
 
 func TestAdmin_GetUserInfo(t *testing.T) {