Support ISS claims

Author: kylef

JWT/JWT.swift

@@ -4,11 +4,14 @@ public typealias Payload = [String:AnyObject]
 
 public enum InvalidToken : Printable {
   case DecodeError(String)
+  case InvalidIssuer
 
   public var description:String {
     switch self {
       case .DecodeError(let error):
         return "Decode Error: \(error)"
+      case .InvalidIssuer:
+        return "Invalid Issuer"
     }
   }
 }
@@ -20,9 +23,15 @@ public enum DecodeResult {
 
 
 /// Decode a JWT
-public func decode(jwt:String, verify:Bool = false) -> DecodeResult {
+public func decode(jwt:String, verify:Bool = true, audience:String? = nil, issuer:String? = nil) -> DecodeResult {
   switch load(jwt) {
     case let .Success(header, payload, signature, signatureInput):
+      if verify {
+        if let failure = validateClaims(payload, audience, issuer) {
+          return .Failure(failure)
+        }
+      }
+
       return .Success(payload)
     case .Failure(let failure):
       return .Failure(failure)
@@ -90,3 +99,18 @@ func load(jwt:String) -> LoadResult {
 
   return .Success(header:header!, payload:payload!, signature:signature!, signatureInput:signatureInput)
 }
+
+// MARK: Validation
+
+func validateClaims(payload:Payload, audience:String?, issuer:String?) -> InvalidToken? {
+  if let issuer = issuer {
+    if let iss = payload["iss"] as? String {
+      if iss != issuer {
+        return .InvalidIssuer
+      }
+    } else {
+      return .InvalidIssuer
+    }
+  }
+  return nil
+}

JWTTests/JWTTests.swift

@@ -12,6 +12,25 @@ class JWTDecodeTests : XCTestCase {
   func testFailsToDecodeInvalidStringWithoutThreeSegments() {
     assertDecodeError(decode("a.b"), "Not enough segments")
   }
+
+  // MARK : Issuer validation
+
+  func testSuccessfulIssuerValidation() {
+    let jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJmdWxsZXIubGkifQ.wOhJ9_6lx-3JGJPmJmtFCDI3kt7uMAMmhHIslti7ryI"
+    assertSuccess(decode(jwt, issuer:"fuller.li")) { payload in
+      XCTAssertEqual(payload as NSDictionary, ["iss": "fuller.li"])
+    }
+  }
+
+  func testIncorrectIssuerValidation() {
+    let jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJmdWxsZXIubGkifQ.wOhJ9_6lx-3JGJPmJmtFCDI3kt7uMAMmhHIslti7ryI"
+    assertFailure(decode(jwt, issuer:"querykit.org"))
+  }
+
+  func testMissingIssuerValidation() {
+    let jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.e30.2_8pWJfyPup0YwOXK7g9Dn0cF1E3pdn299t4hSeJy5w"
+    assertFailure(decode(jwt, issuer:"fuller.li"))
+  }
 }
 
 // MARK: Helpers
@@ -47,6 +66,8 @@ func assertDecodeError(result:DecodeResult, error:String) {
       if decodeError != error {
         XCTFail("Incorrect decode error \(decodeError) != \(error)")
       }
+    default:
+      XCTFail("Failure for the wrong reason")
     }
   }
 }

README.md

@@ -14,12 +14,18 @@ pod 'JWT'
 
 ## Usage
 
+### Verify a JWT
+
 ```swift
 import JWT
 
-JWT.verify(claims)
+JWT.verify("eyJhbG...y5w")
 ```
 
+#### Supported claims
+
+- Issuer (`iss`) Claim
+
 ## License
 
 JWT is licensed under the BSD license. See [LICENSE](LICENSE) for more info.