| 23 | } |
| 24 | |
// requestAud resolves the audience for a request, in order of precedence:
// the audHeaderName request header, the aud claim of the request's JWT
// (not consulted for admin roles), and finally the configured default
// JWT.Aud.
//
// The header value is client-supplied and is returned verbatim; nothing
// here checks it against an allow-list, so any acceptance check has to
// happen at the call sites (confirm against the callers).
func (a *API) requestAud(ctx context.Context, r *http.Request) string {
	cfg := a.config

	// Precedence 1: an explicit audience header wins outright.
	if headerAud := r.Header.Get(audHeaderName); headerAud != "" {
		return headerAud
	}

	// Precedence 2: the JWT's aud claim. Admin roles (anon, service_role)
	// never carried an aud claim, so their token is deliberately skipped.
	claims := getClaims(ctx)
	if claims == nil || slices.Contains(cfg.JWT.AdminRoles, claims.Role) {
		return cfg.JWT.Aud
	}

	// The error from GetAudience is discarded; only the returned slice
	// decides. Only its first entry is used, even when later entries are
	// non-empty, so a leading "" falls through to the default below.
	tokenAud, _ := claims.GetAudience()
	if len(tokenAud) == 0 || tokenAud[0] == "" {
		return cfg.JWT.Aud
	}
	return tokenAud[0]
}
| 47 | |
| 48 | type RequestParams interface { |
| 49 | AdminUserParams | |