Add spec and docs for JWT_DECODE_AUDIENCE being a list

vimalloc · vimalloc · commit f300015716da · 2019-01-13T11:42:18.000-07:00
Refs #219
diff --git a/docs/options.rst b/docs/options.rst
@@ -44,8 +44,8 @@ General Options:
 ``JWT_ERROR_MESSAGE_KEY``         The key of the error message in a JSON error response when using
                                   the default error handlers.
                                   Defaults to ``'msg'``.
-``JWT_DECODE_AUDIENCE``           The audience you expect in a JWT when decoding it.
-                                  If this option differs from the 'aud' claim in a JWT, the ``'invalid_token_callback'`` is invoked.
+``JWT_DECODE_AUDIENCE``           The audience or list of audiences you expect in a JWT when decoding it.
+                                  The ``'invalid_token_callback'`` is invoked when a JWTs audience is invalid.
                                   Defaults to ``'None'``.
 ``JWT_DECODE_LEEWAY``             Define the leeway part of the expiration time definition, which
                                   means you can validate an expiration time which is in the past but
diff --git a/tests/test_decode_tokens.py b/tests/test_decode_tokens.py
@@ -229,17 +229,23 @@ def get_decode_key_1(claims, headers):
         decode_token(token)
 
 
-def test_valid_aud(app, default_access_token):
+@pytest.mark.parametrize("token_aud", ['foo', ['bar'], ['foo', 'bar', 'baz']])
+def test_valid_aud(app, default_access_token, token_aud):
+    app.config['JWT_DECODE_AUDIENCE'] = ['foo', 'bar']
+
+    default_access_token['aud'] = token_aud
+    invalid_token = encode_token(app, default_access_token)
+    with app.test_request_context():
+        decoded = decode_token(invalid_token)
+        assert decoded['aud'] == token_aud
+
+
+@pytest.mark.parametrize("token_aud", ['bar', ['bar'], ['bar', 'baz']])
+def test_invalid_aud(app, default_access_token, token_aud):
     app.config['JWT_DECODE_AUDIENCE'] = 'foo'
 
-    default_access_token['aud'] = 'bar'
+    default_access_token['aud'] = token_aud
     invalid_token = encode_token(app, default_access_token)
     with pytest.raises(InvalidAudienceError):
         with app.test_request_context():
             decode_token(invalid_token)
-
-    default_access_token['aud'] = 'foo'
-    valid_token = encode_token(app, default_access_token)
-    with app.test_request_context():
-        decoded = decode_token(valid_token)
-        assert decoded['aud'] == 'foo'
