Add a small test, and dont throw away the audience

2026-05-14 03:37:55 -04:00 · 2025-11-20 09:27:29 -08:00
parent 6fc761a45a
commit f3b628251b
1 changed files with 31 additions and 3 deletions
@@ -126,8 +126,7 @@ impl From<SpacetimeAuth> for TokenClaims {
        Self {
            issuer: auth.claims.issuer,
            subject: auth.claims.subject,
-            // This will need to be changed when we care about audiencies.
-            audience: Vec::new(),
+            audience: auth.claims.audience,
            extra: auth.claims.extra,
        }
    }
@@ -286,7 +285,7 @@ mod tests {
    use anyhow::Ok;

    use spacetimedb::auth::{token_validation::TokenValidator, JwtKeys};
-    use std::collections::HashSet;
+    use std::collections::{HashMap, HashSet};

    // Make sure that when we encode TokenClaims, we can decode to get the expected identity.
    #[tokio::test]
@@ -307,6 +306,35 @@ mod tests {
        Ok(())
    }

+    fn to_hashmap(value: serde_json::Value) -> HashMap<String, serde_json::Value> {
+        let mut map = HashMap::new();
+        value.as_object().unwrap().iter().for_each(|(k, v)| {
+            map.insert(k.clone(), v.clone());
+        });
+        map
+    }
+
+    // Make sure that when we encode TokenClaims, we can decode the extra claims.
+    #[tokio::test]
+    async fn decode_encoded_token_with_extra_claims() -> Result<(), anyhow::Error> {
+        let kp = JwtKeys::generate()?;
+
+        let claims = TokenClaims {
+            issuer: "localhost".to_string(),
+            subject: "test-subject".to_string(),
+            audience: vec!["spacetimedb".to_string()],
+            extra: Some(to_hashmap(serde_json::json!({"custom_claim": "value"}))),
+        };
+        let id = claims.id();
+        let (_, token) = claims.encode_and_sign(&kp.private)?;
+        let decoded = kp.public.validate_token(&token).await?;
+
+        assert_eq!(decoded.identity, id);
+        let custom_claim_value = decoded.extra.as_ref().unwrap().get("custom_claim").unwrap();
+        assert_eq!(custom_claim_value.as_str().unwrap(), "value");
+        Ok(())
+    }
+
    // Test that extracting a JWT payload from a valid token gets the json representation.
    #[tokio::test]
    async fn extract_payload() -> Result<(), anyhow::Error> {