AUTH-6633 Fix cloudflared access login + warp as auth

## Summary cloudflared access login and cloudflared access curl fails when the Access application has warp_as_auth enabled. This bug originates from a 4 year old inconsistency where tokens signed by the nginx-fl-access module include 'aud' as a string, while tokens signed by the access authentication worker include 'aud' as an array of strings. When the new(ish) feature warp_as_auth is enabled for the app, the fl module signs the token as opposed to the worker like usually. I'm going to bring this up to the Access team, and try to figure out a way to consolidate this discrepancy without breaking behaviour. Meanwhile we have this [CUSTESC ](https://jira.cfdata.org/browse/CUSTESC-47987), so I'm making cloudflared more lenient by accepting both []string and string in the token 'aud' field. Tested this by compiling and running cloudflared access curls to my domains Closes AUTH-6633
2025-07-27 20:39:57 +00:00 · 2025-01-21 04:00:28 -08:00
parent 4eb0f8ce5f
commit 18eecaf151
2 changed files with 89 additions and 8 deletions
--- a/token/token_test.go
+++ b/token/token_test.go
@@ -1,6 +1,7 @@
 package token

 import (
+	"encoding/json"
 	"net/http"
 	"net/url"
 	"testing"
@@ -11,7 +12,7 @@ func TestHandleRedirects_AttachOrgToken(t *testing.T) {
 	via := []*http.Request{}
 	orgToken := "orgTokenValue"

-	handleRedirects(req, via, orgToken)
+	_ = handleRedirects(req, via, orgToken)

 	// Check if the orgToken cookie is attached
 	cookies := req.Cookies()
@@ -80,3 +81,55 @@ func TestHandleRedirects_StopAtAuthorizedEndpoint(t *testing.T) {
 		t.Errorf("Expected ErrUseLastResponse, got %v", err)
 	}
 }
+
+func TestJwtPayloadUnmarshal_AudAsString(t *testing.T) {
+	jwt := `{"aud":"7afbdaf987054f889b3bdd0d29ebfcd2"}`
+	var payload jwtPayload
+	if err := json.Unmarshal([]byte(jwt), &payload); err != nil {
+		t.Errorf("Expected no error, got %v", err)
+	}
+	if len(payload.Aud) != 1 || payload.Aud[0] != "7afbdaf987054f889b3bdd0d29ebfcd2" {
+		t.Errorf("Expected aud to be 7afbdaf987054f889b3bdd0d29ebfcd2, got %v", payload.Aud)
+	}
+}
+
+func TestJwtPayloadUnmarshal_AudAsSlice(t *testing.T) {
+	jwt := `{"aud":["7afbdaf987054f889b3bdd0d29ebfcd2", "f835c0016f894768976c01e076844efe"]}`
+	var payload jwtPayload
+	if err := json.Unmarshal([]byte(jwt), &payload); err != nil {
+		t.Errorf("Expected no error, got %v", err)
+	}
+	if len(payload.Aud) != 2 || payload.Aud[0] != "7afbdaf987054f889b3bdd0d29ebfcd2" || payload.Aud[1] != "f835c0016f894768976c01e076844efe" {
+		t.Errorf("Expected aud to be [7afbdaf987054f889b3bdd0d29ebfcd2, f835c0016f894768976c01e076844efe], got %v", payload.Aud)
+	}
+}
+
+func TestJwtPayloadUnmarshal_FailsWhenAudIsInt(t *testing.T) {
+	jwt := `{"aud":123}`
+	var payload jwtPayload
+	err := json.Unmarshal([]byte(jwt), &payload)
+	wantErr := "aud field is not a string or an array of strings"
+	if err.Error() != wantErr {
+		t.Errorf("Expected %v, got %v", wantErr, err)
+	}
+}
+
+func TestJwtPayloadUnmarshal_FailsWhenAudIsArrayOfInts(t *testing.T) {
+	jwt := `{"aud": [999, 123] }`
+	var payload jwtPayload
+	err := json.Unmarshal([]byte(jwt), &payload)
+	wantErr := "aud array contains non-string elements"
+	if err.Error() != wantErr {
+		t.Errorf("Expected %v, got %v", wantErr, err)
+	}
+}
+
+func TestJwtPayloadUnmarshal_FailsWhenAudIsOmitted(t *testing.T) {
+	jwt := `{}`
+	var payload jwtPayload
+	err := json.Unmarshal([]byte(jwt), &payload)
+	wantErr := "aud field is not a string or an array of strings"
+	if err.Error() != wantErr {
+		t.Errorf("Expected %v, got %v", wantErr, err)
+	}
+}