add audience claim data to jwt

src/risotto/config.py

@@ -11,6 +11,7 @@ URI = 'http://localhost'
 PORT = 8080
 JWT_SECRET = 'MY_SUPER_SECRET'
 JWT_TOKEN_EXPIRE = 3600
+JWT_TOKEN_AUDIENCE = "Risotto"
 
 import os
 from pathlib import PurePosixPath
@@ -38,6 +39,7 @@ def get_config():
             'jwt': {
                 'secret': JWT_SECRET,
                 'token_expire': JWT_TOKEN_EXPIRE,
-                'issuer': URI}
+                'issuer': URI,
+                'audience': JWT_TOKEN_AUDIENCE}
             }
 

src/risotto/http.py

@@ -186,10 +186,12 @@ def gen_token(auth):
     secret = get_config()['jwt']['secret']
     expire = get_config()['jwt']['token_expire']
     issuer = get_config()['jwt']['issuer']
+    audience = get_config()['jwt']['audience']
     payload = {
                 'user': auth.login,
                 'exp': datetime.datetime.utcnow() + datetime.timedelta(seconds=expire),
-                'iss': issuer
+                'iss': issuer,
+                'aud': audience
               }
     
     token = jwt.encode(payload, secret, algorithm='HS256')
@@ -214,12 +216,15 @@ def access_token(request):
 def verify_token(token):
     secret = get_config()['jwt']['secret']
     issuer = get_config()['jwt']['issuer']
+    audience = get_config()['jwt']['audience']
     try:
-        decoded = jwt.decode(token, secret, issuer=issuer, algorithms=['HS256'])
+        decoded = jwt.decode(token, secret, issuer=issuer, audience=audience, algorithms=['HS256'])
     except jwt.ExpiredSignatureError:
         raise HTTPUnauthorized(reason='Token Expired')
     except jwt.InvalidIssuerError:
         raise HTTPUnauthorized(reason='Token could not be verified')
+    except jwt.InvalidAudienceError:
+        raise HTTPUnauthorized(reason='Token audience not match')
     return decoded
 
 tiramisu = None