From 8c818820ddf48fb8e63a5e138f4d98f96b1c9418 Mon Sep 17 00:00:00 2001
From: Gosha Tcherednitchenko
Date: Fri, 6 Sep 2024 17:33:45 +0100
Subject: [PATCH] auth: Improve JWT claims format

---
 dev/test.http | 6 +++---
 src/apossiblespace/parts/account.clj | 2 +-
 src/apossiblespace/parts/auth.clj | 5 ++++-
 test/apossiblespace/account_test.clj | 2 +-
 test/apossiblespace/auth_test.clj | 2 +-
 5 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/dev/test.http b/dev/test.http
index 1f9490b..c9b8053 100644
--- a/dev/test.http
+++ b/dev/test.http
@@ -8,8 +8,8 @@ POST http://localhost:3000/api/auth/login
 Content-Type: application/json
 
 {
- "email": "test9@example.com",
- "password": "password9"
+ "email": "test2@example.com",
+ "password": "password2"
 }
 
 # Failing login
@@ -23,5 +23,5 @@ Content-Type: application/json
 
 # Get account info
 GET http://localhost:3000/api/account
-Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyLWlkIjoiY2M1YTVkMTYtYjgzYS00OTZkLTk5M2EtOTM2ZjQxOGUxZDNlIiwiZXhwIjoxNzI1NjE4NzIwfQ.NpBrduSxGICyTryLbuDQyOBK9VR4Wg-V23F_kRKrPMI
+Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjMwMDAvYXBpIiwic3ViIjoiY2M1YTVkMTYtYjgzYS00OTZkLTk5M2EtOTM2ZjQxOGUxZDNlIiwiYXVkIjoiaHR0cDovL2xvY2FsaG9zdDozMDAwIiwiaWF0IjoxNzI1NjMzODgzLCJleHAiOjE3MjU2Mzc0ODN9.hDjmDNvy2MNwGP6Th0Jl8THSq9bbg6APv4WndbvOBUk
 Content-Type: application/json
diff --git a/src/apossiblespace/parts/account.clj b/src/apossiblespace/parts/account.clj
index 0dcf417..93482f7 100644
--- a/src/apossiblespace/parts/account.clj
+++ b/src/apossiblespace/parts/account.clj
@@ -20,7 +20,7 @@
 "Retrieve own account info"
 [request]
 (mulog/log ::get-account :request request)
- (let [user-id (get-in request [:identity :user-id])
+ (let [user-id (get-in request [:identity :sub])
 user-record (fetch-user user-id)]
 (if user-record
 (-> (response/response user-record)
diff --git a/src/apossiblespace/parts/auth.clj b/src/apossiblespace/parts/auth.clj
index 0c6bf48..26b9db4 100644
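Review bot: The new bearer token on the `+Authorization:` line is minted with a one-hour lifetime (auth.clj sets `:exp` to now + 3600 s), so this committed fixture is unusable almost as soon as it lands and has to be pasted in again after every fresh login. Consider replacing the literal with a request variable filled from the login response, or at least adding a comment such as `# Token expires 1h after issue; re-run the login request and paste the new value` so the next reader understands why the request returns 401. The localhost-only issuer and audience baked into the token mean it is not reusable outside this dev setup, which is the property you want for a value that lives in the repo.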
--- a/src/apossiblespace/parts/auth.clj
+++ b/src/apossiblespace/parts/auth.clj
@@ -32,7 +32,10 @@
 [user-id]
 (let [now (Instant/now)
 exp (.plusSeconds now 3600)
- claims {:user-id user-id
+ claims {:iss "http://localhost:3000/api" ;; TODO: Set this from configuration?
+ :sub user-id
+ :aud "http://localhost:3000"
+ :iat (.getEpochSecond now)
 :exp (.getEpochSecond exp)}]
 (jwt/sign claims secret {:alg :hs256})))
 
diff --git a/test/apossiblespace/account_test.clj b/test/apossiblespace/account_test.clj
index 1344ee0..6166dff 100644
--- a/test/apossiblespace/account_test.clj
+++ b/test/apossiblespace/account_test.clj
@@ -11,7 +11,7 @@
 (deftest test-get-account
 (testing "returns currently signed in user's information"
 (let [user (register-test-user)
- mock-request {:identity {:user-id (:id user)}}
+ mock-request {:identity {:sub (:id user)}}
 response (account/get-account mock-request)]
 (is (= 200 (:status response)))
 (is (= {:email (:email user)
diff --git a/test/apossiblespace/auth_test.clj b/test/apossiblespace/auth_test.clj
index ef4ea2e..1afbab9 100644
--- a/test/apossiblespace/auth_test.clj
+++ b/test/apossiblespace/auth_test.clj
@@ -17,7 +17,7 @@
 secret auth/secret
 decoded (jwt/unsign token secret)
 now-seconds (.getEpochSecond (Instant/now))]
- (is (= user-id (:user-id decoded)))
+ (is (= user-id (:sub decoded)))
 (is (> (:exp decoded) now-seconds))
 (is (< (:exp decoded) (+ now-seconds 3601))))))
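Review bot: The new `:iss`, `:aud` and `:iat` claims are only emitted here; nothing in this diff checks them on the verifying side, and auth_test.clj still calls `(jwt/unsign token secret)` with no issuer or audience option, so a token carrying a different audience would presumably still be accepted wherever that call shape is used. If `jwt` is buddy-sign, `unsign` only validates `:iss`/`:aud` when they are passed in its options map, e.g. `(jwt/unsign token secret {:alg :hs256 :iss issuer :aud audience})`, using the same values this function signs with. That is also the argument for resolving the TODO on the `:iss` line now: keep both URLs in one configuration value read by the signing and the verifying code, rather than string literals that can drift apart. The enclosing defn and its docstring start above this hunk.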
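Review bot: The test now asserts `:sub` but none of the three other claims the commit adds, so a regression that drops `:iss`, `:aud` or `:iat` would still pass. Add assertions next to the existing ones, e.g. `(is (= "http://localhost:3000/api" (:iss decoded)))`, `(is (= "http://localhost:3000" (:aud decoded)))` and `(is (<= (:iat decoded) now-seconds))`; `now-seconds` is computed after the token is created, so the `:iat` bound holds. The `let` that binds `decoded` starts above this hunk.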