Fix problems with localhost cached tokens between issuers.

Authress · Jan 27, 2024 · 37cc9d2 · 37cc9d2
1 parent 9eb9f65
commit 37cc9d2
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 1 deletion.
diff --git a/src/extensionClient.js b/src/extensionClient.js
@@ -37,7 +37,7 @@ class ExtensionClient {
    * @return {Promise<Record<string, unknown>>} The user data object.
    */
   async getUserIdentity() {
-    const userData = await this.accessToken && jwtManager.decode(this.accessToken);
+    const userData = this.accessToken && await jwtManager.decode(this.accessToken);
     if (!userData) {
       return null;
     }

diff --git a/src/index.js b/src/index.js
@@ -112,6 +112,14 @@ class LoginClient {
     if (!userData) {
       return null;
     }
+
+    // We use startsWith because the issuer will be limited to only the authress custom domain FQDN subdomain, the hostUrl could be a specific subdomain subdomain for the tenant.
+    if (!this.hostUrl.startsWith(userData.iss)) {
+      this.logger && this.logger.log && this.logger.log({ title: 'Token saved in browser is for a different issuer, discarding', currentHostUrl: this.hostUrl, savedUserData: userData });
+      userIdentityTokenStorageManager.clear();
+      return null;
+    }
+
     userData.userId = userData.sub;
     return userData;
   }