netlify · ibrahimalbarghouthi · Jan 19, 2022 · Jan 19, 2022 · Jan 19, 2022 · Sep 8, 2023
@@ -152,6 +152,10 @@ How long tokens are valid for, in seconds. Defaults to 3600 (1 hour).
 
 The default JWT audience. Use audiences to group users.
 
+`JWT_ISS` - `string`
+
+The "iss" (issuer) claim identifies the principal that issued the JWT
+
 `JWT_ADMIN_GROUP_NAME` - `string`
 
 The name of the admin group (if enabled). Defaults to `admin`.

@@ -55,7 +55,7 @@ func (ts *AdminTestSuite) makeSuperAdmin(email string) string {
 	u.IsSuperAdmin = true
 	require.NoError(ts.T(), ts.API.db.Create(u), "Error creating user")
 
-	token, err := generateAccessToken(u, time.Second*time.Duration(ts.Config.JWT.Exp), ts.Config.JWT.Secret)
+        token, err := generateAccessToken(u, time.Second*time.Duration(ts.Config.JWT.Exp), ts.Config.JWT.Secret, ts.Config.JWT.Iss)
 	require.NoError(ts.T(), err, "Error generating access token")
 
 	p := jwt.Parser{ValidMethods: []string{jwt.SigningMethodHS256.Name}}
@@ -70,7 +70,7 @@ func (ts *AdminTestSuite) makeSuperAdmin(email string) string {
 func (ts *AdminTestSuite) makeSystemUser() string {
 	u := models.NewSystemUser(uuid.Nil, ts.Config.JWT.Aud)
 
-	token, err := generateAccessToken(u, time.Second*time.Duration(ts.Config.JWT.Exp), ts.Config.JWT.Secret)
+        token, err := generateAccessToken(u, time.Second*time.Duration(ts.Config.JWT.Exp), ts.Config.JWT.Secret, ts.Config.JWT.Iss)
 	require.NoError(ts.T(), err, "Error generating access token")
 
 	p := jwt.Parser{ValidMethods: []string{jwt.SigningMethodHS256.Name}}

@@ -52,7 +52,7 @@ func (ts *AuditTestSuite) makeSuperAdmin(email string) string {
 	u.IsSuperAdmin = true
 	require.NoError(ts.T(), ts.API.db.Create(u), "Error creating user")
 
-	token, err := generateAccessToken(u, time.Second*time.Duration(ts.Config.JWT.Exp), ts.Config.JWT.Secret)
+	token, err := generateAccessToken(u, time.Second*time.Duration(ts.Config.JWT.Exp), ts.Config.JWT.Secret, ts.Config.JWT.Iss)
 	require.NoError(ts.T(), err, "Error generating access token")
 
 	p := jwt.Parser{ValidMethods: []string{jwt.SigningMethodHS256.Name}}

@@ -61,7 +61,7 @@ func (ts *InviteTestSuite) makeSuperAdmin(email string) string {
 	u.IsSuperAdmin = true
 	require.NoError(ts.T(), ts.API.db.Create(u), "Error creating user")
 
-	token, err := generateAccessToken(u, time.Second*time.Duration(ts.Config.JWT.Exp), ts.Config.JWT.Secret)
+	token, err := generateAccessToken(u, time.Second*time.Duration(ts.Config.JWT.Exp), ts.Config.JWT.Secret, ts.Config.JWT.Iss)
 	require.NoError(ts.T(), err, "Error generating access token")
 
 	p := jwt.Parser{ValidMethods: []string{jwt.SigningMethodHS256.Name}}

@@ -139,7 +139,7 @@ func (a *API) RefreshTokenGrant(ctx context.Context, w http.ResponseWriter, r *h
 			return internalServerError(terr.Error())
 		}
 
-		tokenString, terr = generateAccessToken(user, time.Second*time.Duration(config.JWT.Exp), config.JWT.Secret)
+		tokenString, terr = generateAccessToken(user, time.Second*time.Duration(config.JWT.Exp), config.JWT.Secret, config.JWT.Iss)
 		if terr != nil {
 			return internalServerError("error generating jwt token").WithInternalError(terr)
 		}
@@ -163,12 +163,13 @@ func (a *API) RefreshTokenGrant(ctx context.Context, w http.ResponseWriter, r *h
 	})
 }
 
-func generateAccessToken(user *models.User, expiresIn time.Duration, secret string) (string, error) {
+func generateAccessToken(user *models.User, expiresIn time.Duration, secret string, iss string) (string, error) {
 	claims := &GoTrueClaims{
 		StandardClaims: jwt.StandardClaims{
 			Subject:   user.ID.String(),
 			Audience:  user.Aud,
 			ExpiresAt: time.Now().Add(expiresIn).Unix(),
+      Issuer: Iss,
 		},
 		Email:        user.Email,
 		AppMetaData:  user.AppMetaData,
@@ -195,7 +196,7 @@ func (a *API) issueRefreshToken(ctx context.Context, conn *storage.Connection, u
 			return internalServerError("Database error granting user").WithInternalError(terr)
 		}
 
-		tokenString, terr = generateAccessToken(user, time.Second*time.Duration(config.JWT.Exp), config.JWT.Secret)
+		tokenString, terr = generateAccessToken(user, time.Second*time.Duration(config.JWT.Exp), config.JWT.Secret, config.JWT.Iss)
 		if terr != nil {
 			return internalServerError("error generating jwt token").WithInternalError(terr)
 		}

@@ -62,7 +62,7 @@ func (ts *UserTestSuite) TestUser_UpdatePassword() {
 	req := httptest.NewRequest(http.MethodPut, "http://localhost/user", &buffer)
 	req.Header.Set("Content-Type", "application/json")
 
-	token, err := generateAccessToken(u, time.Second*time.Duration(ts.Config.JWT.Exp), ts.Config.JWT.Secret)
+	token, err := generateAccessToken(u, time.Second*time.Duration(ts.Config.JWT.Exp), ts.Config.JWT.Secret, ts.Config.JWT.Iss)
 	require.NoError(ts.T(), err)
 	req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", token))
 

@@ -44,6 +44,7 @@ type DBConfiguration struct {
 // JWTConfiguration holds all the JWT related configuration.
 type JWTConfiguration struct {
 	Secret           string `json:"secret" required:"true"`
+  Iss              string `json:"iss"`
 	Exp              int    `json:"exp"`
 	Aud              string `json:"aud"`
 	AdminGroupName   string `json:"admin_group_name" split_words:"true"`

@@ -1,6 +1,7 @@
 GOTRUE_JWT_SECRET="CHANGE-THIS! VERY IMPORTANT!"
 GOTRUE_JWT_EXP=3600
 GOTRUE_JWT_AUD=api.netlify.com
+GOTRUE_JWT_ISS=api.netlify.com
 GOTRUE_DB_DRIVER=mysql
 DATABASE_URL="root@tcp(127.0.0.1:3306)/gotrue_development?parseTime=true&multiStatements=true"
 GOTRUE_API_HOST=localhost

@@ -1,6 +1,7 @@
 GOTRUE_JWT_SECRET=testsecret
 GOTRUE_JWT_EXP=3600
 GOTRUE_JWT_AUD=api.netlify.com
+GOTRUE_JWT_ISS=api.netlify.com
 GOTRUE_DB_DRIVER=mysql
 GOTRUE_DB_AUTOMIGRATE=true
 GOTRUE_DB_NAMESPACE=test