audience vs aud

test.js

const Koa = require('koa');
const jwt = require('koa-jwt');
const expect = require('chai').expect;
const request = require('supertest');
const app = Koa();


// paste these into jwt.io to see the contents
const tokenWithAudience = "eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjoidGVzdCIsImF1ZGllbmNlIjoiaHR0cDovL215YXBpL3Byb3RlY3RlZCIsImlzc3VlciI6Imh0dHA6Ly9pc3N1ZXIifQ.c6bLTAnWLt-Iv-KPJt6pEPhZuIRERSCnIT1OxQSzRT0";
const tokenWithAudValid = "eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjoidGVzdCIsImF1ZCI6Imh0dHA6Ly9teWFwaS9wcm90ZWN0ZWQiLCJpc3MiOiJodHRwOi8vaXNzdWVyIn0.EEVyqH9shrvqJ6YpWKInnXTESzPam_PWfpsSVeEjWjY";
const tokenWithAudInvalid = "eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjoidGVzdCIsImF1ZCI6Indyb25nIiwiaXNzIjoiYm9ndXMifQ.0TT6OPYzXFjqAR2uMOLHPF5nss6jXk7CwTdEIonNLvY";

app.use(jwt({
    secret: 'shared-secret',
    audience: 'http://myapi/protected',
    issuer: 'http://issuer'
}));

app.use(function* () {
    if (this.state && this.state.user) {
        this.body = this.state.user;
    }
});

const server = app.listen();

describe('audience and issuer', function() {
    it('should 401 if jwt doesnt contain aud or iss, but contains audience and issuer', function(done) {
        request(server)
        .get('/')
        .set('Authorization', 'Bearer ' + tokenWithAudience)
        .expect(401)
        .end(done);
    });

    it('should 200 if aud and iss valid', function(done) {
        request(server)
        .get('/')
        .set('Authorization', 'Bearer ' + tokenWithAudValid)
        .expect(200)
        .end(function(err, res) {
            console.log('body: ', res.body);
            done();
        });
    });

    it('should 401 if aud claim does not match', function(done) {
        request(server)
        .get('/')
        .set('Authorization', 'Bearer ' + tokenWithAudInvalid)
        .expect(401)
        .end(done);
    });
})