check the base URL of the signature domain when verifying allowed dom…

…ains list
nearform · Aug 3, 2023 · 4d484ce · 4d484ce
1 parent c8e2649
commit 4d484ce
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/src/get-jwks.js b/src/get-jwks.js
@@ -63,8 +63,10 @@ function buildGetJwks(options = {}) {
     const { domain, alg, kid } = signature
 
     const normalizedDomain = ensureTrailingSlash(domain)
+    const url = new URL(normalizedDomain)
+    const baseUrl = `${url.protocol}//${url.hostname}/`
 
-    if (allowedDomains.length && !allowedDomains.includes(normalizedDomain)) {
+    if (allowedDomains.length && !allowedDomains.includes(baseUrl)) {
       const error = new GetJwksError(errorCode.DOMAIN_NOT_ALLOWED)
       return Promise.reject(error)
     }