Update allowedDomains to issuersWhitelist (#229)

* Update allowedDomains to issuersWhitelist

* update language to refer to issuers instead of domains

* support backwards compatibility

* add deprecation details for allowedDomains

README.md

@@ -22,7 +22,7 @@ const getJwks = buildGetJwks({
   max: 100,
   ttl: 60 * 1000,
   timeout: 5000,
-  allowedDomains: ['https://example.com'],
+  issuersWhitelist: ['https://example.com'],
   checkIssuer: (issuer) => {
     return issuer === 'https://example.com'
   },
@@ -36,8 +36,9 @@ const getJwks = buildGetJwks({
 - `max`: Max items to hold in cache. Defaults to 100.
 - `ttl`: Milliseconds an item will remain in cache. Defaults to 60s.
 - `timeout`: Specifies how long it should wait to retrieve a JWK before it fails. The time is set in milliseconds. Defaults to 5s.
-- `allowedDomains`: Array of allowed domains. By default all domains are allowed.
-- `checkIssuer`: Optional user defined function to validate a token's domain
+- `issuersWhitelist`: Array of allowed issuers. By default all issuers are allowed.
+- `allowedDomains`: This has been **deprecated** and replaced with `issuersWhitelist`.
+- `checkIssuer`: Optional user defined function to validate a token's domain.
 - `providerDiscovery`: Indicates if the Provider Configuration Information is used to automatically get the jwks_uri from the [OpenID Provider Discovery Endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig). This endpoint is exposing the [Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata). With this flag set to true the domain will be treated as the OpenID Issuer which is the iss property in the token. Defaults to false. Ignored if jwksPath is specified.
 - `jwksPath`: Specify a relative path to the jwks_uri. Example `/otherdir/jwks.json`. Takes precedence over providerDiscovery. Optional.
 - `agent`: The custom agent to use for requests, as specified in [node-fetch documentation](https://github.com/node-fetch/node-fetch#custom-agent). Defaults to `null`.
@@ -132,7 +133,7 @@ const buildGetJwks = require('get-jwks')
 // often encoded as the `iss` property of the token payload
 const domain = 'https://...'
 
-const getJwks = buildGetJwks({ allowedDomains: [...]})
+const getJwks = buildGetJwks({ issuersWhitelist: [...]})
 
 // create a verifier function with key as a function
 const verifyWithPromise = createVerifier({

src/get-jwks.d.ts

@@ -13,7 +13,7 @@ type GetPublicKeyOptions = {
 type GetJwksOptions = {
   max?: number
   ttl?: number
-  allowedDomains?: string[]
+  issuersWhitelist?: string[]
   providerDiscovery?: boolean
   jwksPath?: string
   agent?: Agent

src/get-jwks.js

@@ -18,7 +18,7 @@ function buildGetJwks(options = {}) {
   const max = options.max || 100
   const ttl = options.ttl || 60 * 1000 /* 1 minute */
   const timeout = options.timeout || 5 * 1000 /* 5 seconds */
-  const allowedDomains = (options.allowedDomains || []).map(ensureTrailingSlash)
+  const issuersWhitelist = (options.issuersWhitelist || options.allowedDomains || []).map(ensureTrailingSlash)
   const checkIssuer = options.checkIssuer
   const providerDiscovery = options.providerDiscovery || false
   const jwksPath = options.jwksPath
@@ -65,7 +65,7 @@ function buildGetJwks(options = {}) {
 
     const normalizedDomain = ensureTrailingSlash(domain)
 
-    if (allowedDomains.length && !allowedDomains.includes(normalizedDomain)) {
+    if (issuersWhitelist.length && !issuersWhitelist.includes(normalizedDomain)) {
       const error = new GetJwksError(errorCode.DOMAIN_NOT_ALLOWED)
       return Promise.reject(error)
     }

test/getJwk.spec.js

@@ -235,7 +235,7 @@ t.test('allowed domains', async t => {
         nock(allowedDomain).get('/.well-known/jwks.json').reply(200, jwks)
 
         const getJwks = buildGetJwks({
-          allowedDomains: [allowedDomain],
+          issuersWhitelist: [allowedDomain],
         })
 
         const [{ alg, kid }] = jwks.keys
@@ -252,7 +252,7 @@ t.test('allowed domains', async t => {
     nock(domain1).get('/.well-known/jwks.json').reply(200, jwks)
     nock(domain2).get('/.well-known/jwks.json').reply(200, jwks)
 
-    const getJwks = buildGetJwks({ allowedDomains: [domain1, domain2] })
+    const getJwks = buildGetJwks({ issuersWhitelist: [domain1, domain2] })
 
     const [{ alg, kid }] = jwks.keys
 
@@ -297,7 +297,7 @@ t.test('allowed domains', async t => {
 
   t.test('forbids domain outside of the allow list', async t => {
     const getJwks = buildGetJwks({
-      allowedDomains: ['https://example.com/'],
+      issuersWhitelist: ['https://example.com/'],
     })
 
     const [{ alg, kid }] = jwks.keys

test/getJwkDiscovery.spec.js

@@ -244,23 +244,23 @@ t.test('allowed domains for discovery', async t => {
     ['https://example.com/', 'https://example.com'],
   ]
 
-  allowedCombinations.forEach(([allowedDomain, domainFromToken]) => {
+  allowedCombinations.forEach(([allowedIssuer, domainFromToken]) => {
     t.test(
-      `allows domain ${allowedDomain} requested with ${domainFromToken} for discovery`,
+      `allows domain ${allowedIssuer} requested with ${domainFromToken} for discovery`,
       async t => {
-        const allowedDomainSlash = allowedDomain.endsWith('/')
-          ? allowedDomain
-          : `${allowedDomain}/`
-        nock(allowedDomain)
+        const allowedIssuerSlash = allowedIssuer.endsWith('/')
+          ? allowedIssuer
+          : `${allowedIssuer}/`
+        nock(allowedIssuer)
           .get('/.well-known/openid-configuration')
           .reply(200, {
-            issuer: allowedDomain,
-            jwks_uri: `${allowedDomainSlash}.well-known/certs`,
+            issuer: allowedIssuer,
+            jwks_uri: `${allowedIssuerSlash}.well-known/certs`,
           })
-        nock(allowedDomain).get('/.well-known/certs').reply(200, jwks)
+        nock(allowedIssuer).get('/.well-known/certs').reply(200, jwks)
         const getJwks = buildGetJwks({
           providerDiscovery: true,
-          allowedDomains: [allowedDomain],
+          issuersWhitelist: [allowedIssuer],
         })
 
         const [{ alg, kid }] = jwks.keys
@@ -290,7 +290,7 @@ t.test('allowed domains for discovery', async t => {
 
     const getJwks = buildGetJwks({
       providerDiscovery: true,
-      allowedDomains: [domain1, domain2],
+      issuersWhitelist: [domain1, domain2],
     })
 
     const [{ alg, kid }] = jwks.keys
@@ -302,7 +302,7 @@ t.test('allowed domains for discovery', async t => {
   t.test('forbids domain outside of the allow list', async t => {
     const getJwks = buildGetJwks({
       providerDiscovery: true,
-      allowedDomains: ['https://example.com/'],
+      issuersWhitelist: ['https://example.com/'],
     })
 
     const [{ alg, kid }] = jwks.keys