Fix m2m token validator

Author: vas3a

.env.sample

@@ -8,6 +8,7 @@ BHMKuGsgiBjJ7xHNxaJvBzrwdArogHSxEPmT6gNr5rZeXmJUWzrpQIstMXA9gEXX
 LfKzG61idXFIwBa6t5YBCCMx+hoCxhcEiwIDAQAB
 -----END RSA PUBLIC KEY-----"
 AUTH0_CLIENT_ID=BXWXUWnilVUPdN01t2Se29Tw2ZYNGZvH
+AUTH0_M2M_AUDIENCE=https://m2m.topcoder-dev.com/
 
 DB_USERNAME=topcoderuser
 DB_PASSWORD=randompassword

src/core/auth/guards/auth.guard.ts

@@ -50,8 +50,8 @@ export class AuthGuard implements CanActivate {
       [context.getHandler(), context.getClass()],
     );
 
-    const reqScopes = req.m2mTokenScope.split(' ')
-    if (reqScopes.some(reqScope => allowedM2mScopes.includes(reqScope))) {
+    const reqScopes = req.m2mTokenScope.split(' ');
+    if (reqScopes.some((reqScope) => allowedM2mScopes.includes(reqScope))) {
       return true;
     }
     return false;

src/core/auth/middleware/tokenValidator.middleware.ts

@@ -16,23 +16,28 @@ export class TokenValidatorMiddleware implements NestMiddleware {
 
     let decoded: any;
     try {
-      decoded = jwt.verify(idToken, process.env.AUTH0_CERT, {
-        audience: process.env.AUTH0_CLIENT_ID,
-      });
+      decoded = jwt.verify(idToken, process.env.AUTH0_CERT);
     } catch (error) {
       console.error('Error verifying JWT', error);
       throw new UnauthorizedException('Invalid or expired JWT!');
     }
 
-    // TODO: verify decoded.aud
     if (!decoded) {
       req.idTokenVerified = false;
       return next();
     }
 
-    req.idTokenVerified = true;
     req.isM2M = !!decoded.scope;
+    const aud = req.isM2M
+      ? process.env.AUTH0_M2M_AUDIENCE
+      : process.env.AUTH0_CLIENT_ID;
+
+    if (decoded.aud !== aud) {
+      req.idTokenVerified = false;
+      return next();
+    }
 
+    req.idTokenVerified = true;
     if (decoded.scope) {
       req.m2mTokenScope = decoded.scope;
       req.m2mTokenAudience = decoded.aud;