fix(shared-nestjs-auth): accept multiple JWT issuers for Docker/public URL mismatch

In production, backends use the internal Docker URL (http://mana-auth:3001) for MANA_CORE_AUTH_URL but tokens are issued with BASE_URL (https://auth.mana.how) as the issuer. Accept both to prevent "unexpected iss claim value" errors. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-05-16 03:39:41 +02:00 · 2026-03-26 21:18:03 +01:00 · 2026-03-26 21:18:03 +01:00 · 9c8bae3dea
commit 9c8bae3dea
parent 7073756117
1 changed files with 12 additions and 3 deletions
--- a/packages/shared-nestjs-auth/src/guards/jwt-auth.guard.ts
+++ b/packages/shared-nestjs-auth/src/guards/jwt-auth.guard.ts
@ -122,14 +122,23 @@ export class JwtAuthGuard implements CanActivate {
 	 * Verify JWT token locally using JWKS
 	 */
 	private async verifyToken(token: string): Promise<CurrentUserData> {
-		const authUrl = this.configService.get<string>('MANA_CORE_AUTH_URL') || 'http://localhost:3001';
-		const issuer = this.configService.get<string>('JWT_ISSUER') || authUrl;
 		const audience = this.configService.get<string>('JWT_AUDIENCE') || 'manacore';

+		// Build issuer allowlist: explicit JWT_ISSUER, MANA_CORE_AUTH_URL, and BASE_URL may all differ
+		// (e.g. internal Docker URL vs public URL). Accept any of them.
+		const issuerCandidates = new Set<string>();
+		const jwtIssuer = this.configService.get<string>('JWT_ISSUER');
+		const authUrl = this.configService.get<string>('MANA_CORE_AUTH_URL');
+		if (jwtIssuer) issuerCandidates.add(jwtIssuer);
+		if (authUrl) issuerCandidates.add(authUrl);
+		// Always accept the well-known production issuer
+		issuerCandidates.add('https://auth.mana.how');
+		issuerCandidates.add('http://localhost:3001');
+
 		const jwks = this.getJWKS();

 		const { payload } = await jwtVerify(token, jwks, {
-			issuer,
+			issuer: [...issuerCandidates],
 			audience,
 		});