Add access token validation for google

supertokens · Sep 7, 2023 · a6c0dea · a6c0dea
1 parent b8f2841
commit a6c0dea
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 0 deletions.
diff --git a/lib/build/recipe/thirdparty/providers/google.js b/lib/build/recipe/thirdparty/providers/google.js
@@ -48,6 +48,14 @@ function Google(input) {
         { included_grant_scopes: "true", access_type: "offline" },
         input.config.authorizationEndpointQueryParams
     );
+    if (input.config.validateAccessToken === undefined) {
+        input.config.validateAccessToken = ({ accessTokenPayload, clientConfig }) =>
+            __awaiter(this, void 0, void 0, function* () {
+                if (accessTokenPayload.aud !== clientConfig.clientId) {
+                    throw Error("accessTokenPayload.aud does not match clientId");
+                }
+            });
+    }
     const oOverride = input.override;
     input.override = function (originalImplementation) {
         const oGetConfig = originalImplementation.getConfigForClientType;

diff --git a/lib/ts/recipe/thirdparty/providers/google.ts b/lib/ts/recipe/thirdparty/providers/google.ts
@@ -30,6 +30,14 @@ export default function Google(input: ProviderInput): TypeProvider {
         ...input.config.authorizationEndpointQueryParams,
     };
 
+    if (input.config.validateAccessToken === undefined) {
+        input.config.validateAccessToken = async ({ accessTokenPayload, clientConfig }) => {
+            if (accessTokenPayload.aud !== clientConfig.clientId) {
+                throw Error("accessTokenPayload.aud does not match clientId");
+            }
+        };
+    }
+
     const oOverride = input.override;
 
     input.override = function (originalImplementation) {