require-audience-validation
Require audience (aud) claim validation in JWT verify operations
Severity: 🟡 Medium
CWE: CWE-287
Error Message Format
The rule provides LLM-optimized error messages (compact 2-line format) with actionable security guidance:
```text
🔒 CWE-287 OWASP:A07 CVSS:9.8 | Improper Authentication detected | CRITICAL
Fix: Review and apply the recommended fix | https://owasp.org/Top10/A07_2021/
```
Message Components
| Component | Purpose | Example |
|---|---|---|
| Risk Standards | Security benchmarks | CWE-287 OWASP:A07 CVSS:9.8 |
| Issue Description | Specific vulnerability | Improper Authentication detected |
| Severity & Compliance | Impact assessment | CRITICAL |
| Fix Instruction | Actionable remediation | Follow the remediation steps below |
| Technical Truth | Official reference | OWASP Top 10 |
Rule Details
This rule requires every `jwt.verify()` call to pass an `audience` option. jsonwebtoken only checks the `aud` claim when that option is set; without it, any token with a valid signature (and a matching issuer, if one is given) is accepted, including tokens the same identity provider issued for a different service or client. Because `aud` is what binds a token to its intended recipient (RFC 7519, section 4.1.3), a token issued to one API can otherwise be replayed against another API that shares the signing key or trusts the same issuer. Validating the audience closes that cross-service replay path.
Examples
❌ Incorrect
```js
jwt.verify(token, secret);
jwt.verify(token, secret, { issuer: 'auth.example.com' });
```
✅ Correct
```js
jwt.verify(token, secret, { audience: 'https://api.example.com' });
jwt.verify(token, secret, {
  issuer: 'https://auth.example.com',
  audience: 'https://api.example.com',
});
```
Known False Negatives
The following patterns are not detected due to static analysis limitations:
Options from Variable
Why: Variable contents are not analyzed.
```js
// ❌ NOT DETECTED - Options from variable
const opts = { issuer: 'auth.example.com' }; // Missing audience
jwt.verify(token, secret, opts);
```
Mitigation: Use inline options. Create TypeScript types requiring audience.
Spread Options
Why: Spread properties hide the actual options at lint time.
```js
// ❌ NOT DETECTED - audience may be missing in base
const baseOpts = getVerifyOptions(); // No audience
jwt.verify(token, secret, { ...baseOpts });
```
Mitigation: Always specify audience explicitly. Avoid spreading untrusted options.
Runtime Audience Configuration
Why: The linter sees an `audience` key but cannot see the value behind `config.audience`.
```js
// ❌ NOT DETECTED - Audience from config
jwt.verify(token, secret, { audience: config.audience }); // Might be undefined, in which case jsonwebtoken skips the audience check
```
Mitigation: Validate config at startup and fail if the audience is missing. Use required fields in TypeScript config types.
Wrapper Function
Why: Options passed through wrappers are not traced.
```ts
// ❌ NOT DETECTED - Wrapper hides options
function verifyToken(token: string) {
  return jwt.verify(token, secret, { algorithms: ['RS256'] }); // No audience
}
```
Mitigation: Apply this rule to all modules including utilities.