Merge pull request #100 from bookernath/jwt

bookernath · web-flow · commit 03a2f5c0741d · 2021-06-20T18:25:00.000-05:00
Refine JWT checks
diff --git a/bigcommerce/api.py b/bigcommerce/api.py
@@ -28,8 +28,8 @@ def oauth_verify_payload(cls, signed_payload, client_secret):
         return connection.OAuthConnection.verify_payload(signed_payload, client_secret)
 
     @classmethod
-    def oauth_verify_payload_jwt(cls, signed_payload, client_secret):
-        return connection.OAuthConnection.verify_payload_jwt(signed_payload, client_secret)
+    def oauth_verify_payload_jwt(cls, signed_payload, client_secret, client_id):
+        return connection.OAuthConnection.verify_payload_jwt(signed_payload, client_secret, client_id)
 
     def __getattr__(self, item):
         return ApiResourceWrapper(item, self)
diff --git a/bigcommerce/connection.py b/bigcommerce/connection.py
@@ -230,12 +230,16 @@ def verify_payload(signed_payload, client_secret):
         return loads(dc_json.decode()) if authorised else False
 
     @staticmethod
-    def verify_payload_jwt(signed_payload, client_secret):
+    def verify_payload_jwt(signed_payload, client_secret, client_id):
         """
         Given a signed payload JWT (usually passed as parameter in a GET request to the app's load URL)
         and a client secret, authenticates the payload and returns the user's data, or error on fail.
         """
-        return jwt.decode(signed_payload, client_secret, algorithms="HS256")
+        return jwt.decode(signed_payload,
+                          client_secret,
+                          algorithms=["HS256"],
+                          audience=client_id,
+                          verify_iss=False)
 
     def fetch_token(self, client_secret, code, context, scope, redirect_uri,
                     token_url='https://login.bigcommerce.com/oauth2/token'):
