From 37cc9d29d15b1bf450d002769a90de5c68030d37 Mon Sep 17 00:00:00 2001 From: Warren Parad Date: Sat, 27 Jan 2024 21:29:50 +0100 Subject: [PATCH] Fix problems with localhost cached tokens between issuers. --- src/extensionClient.js | 2 +- src/index.js | 8 ++++++++ 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/src/extensionClient.js b/src/extensionClient.js index 4429661..d623e48 100644 --- a/src/extensionClient.js +++ b/src/extensionClient.js @@ -37,7 +37,7 @@ class ExtensionClient { * @return {Promise>} The user data object. */ async getUserIdentity() { - const userData = await this.accessToken && jwtManager.decode(this.accessToken); + const userData = this.accessToken && await jwtManager.decode(this.accessToken); if (!userData) { return null; } diff --git a/src/index.js b/src/index.js index 313505c..6fc238c 100644 --- a/src/index.js +++ b/src/index.js @@ -112,6 +112,14 @@ class LoginClient { if (!userData) { return null; } + + // We use startsWith because the issuer will be limited to only the authress custom domain FQDN subdomain, the hostUrl could be a specific subdomain subdomain for the tenant. + if (!this.hostUrl.startsWith(userData.iss)) { + this.logger && this.logger.log && this.logger.log({ title: 'Token saved in browser is for a different issuer, discarding', currentHostUrl: this.hostUrl, savedUserData: userData }); + userIdentityTokenStorageManager.clear(); + return null; + } + userData.userId = userData.sub; return userData; }
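Review bot: In `getUserIdentity` (src/extensionClient.js) the corrected line still folds the presence check and the decode into one `&&` expression, which is the shape that hid the misplaced `await` in the first place. An explicit guard is harder to get wrong: `if (!this.accessToken) { return null; }` followed by `const userData = await jwtManager.decode(this.accessToken);`. Whether `jwtManager.decode` verifies the token signature is not visible in this hunk; if it only decodes, a comment such as `// Claims are decoded, not verified: use for display only, never for authorization decisions.` would help callers. The method body continues past the end of the hunk.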
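Review bot: The issuer check added in src/index.js, `!this.hostUrl.startsWith(userData.iss)`, is a raw string-prefix match, so it accepts any cached token whose `iss` is a prefix of the host URL, including an empty string or a look-alike such as `https://login.example` against `https://login.example.com` (constructed values). The comment's reasoning also looks inconsistent with the code: a more specific tenant subdomain is prepended to the hostname, so a URL on that subdomain would not start with the issuer URL at all; the two formats are worth confirming. Comparing parsed values is safer, for example `new URL(this.hostUrl).host` against `new URL(userData.iss).host` with equality or a `.`-boundary suffix match, failing closed when `iss` is missing or unparsable. The log call passes the whole decoded token as `savedUserData`; logging only `savedIssuer: userData.iss` keeps user claims out of application logs. The enclosing method begins above the hunk, so how `userData` is read and decoded is not visible here.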