From 4d484ce467dbc20b70d69c45b0da371573c5b8f7 Mon Sep 17 00:00:00 2001
From: Eugenio Oddone <121885756+eugenio-oddone@users.noreply.github.com>
Date: Thu, 3 Aug 2023 10:10:09 -0700
Subject: [PATCH] check the base URL of the signature domain when verifying allowed domains list

---
 src/get-jwks.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/get-jwks.js b/src/get-jwks.js
index ffc6033..a5753e9 100644
--- a/src/get-jwks.js
+++ b/src/get-jwks.js
@@ -63,8 +63,10 @@ function buildGetJwks(options = {}) {
 const { domain, alg, kid } = signature
 const normalizedDomain = ensureTrailingSlash(domain)
+ const url = new URL(normalizedDomain)
+ const baseUrl = `${url.protocol}//${url.hostname}/`
- if (allowedDomains.length && !allowedDomains.includes(normalizedDomain)) {
+ if (allowedDomains.length && !allowedDomains.includes(baseUrl)) {
 const error = new GetJwksError(errorCode.DOMAIN_NOT_ALLOWED)
 return Promise.reject(error)
 }
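Review bot: The new comparison on the `if` line only ever matches allowlist entries written exactly as `protocol//hostname/`, because `baseUrl` is built from `url.hostname` (port dropped) with the path discarded while `allowedDomains` itself is not normalized the same way — an entry such as `https://issuer.example.com:8443/` or `https://issuer.example.com/realm/` now fails closed, and conversely a bare-host entry admits every port and path on that host. That is a deliberate loosening of the allowlist and belongs in the option's documentation; if port-specific issuers are meant to stay distinguishable, `url.host` keeps the port where `url.hostname` drops it. Separately, `new URL(normalizedDomain)` throws a `TypeError` on a malformed `domain` (presumably taken from an untrusted token), so this path now throws synchronously where the existing `DOMAIN_NOT_ALLOWED` path returns `Promise.reject(error)`; unless the enclosing function, whose header is outside the hunk, is `async`, callers that rely on a rejected promise get an uncaught exception instead. Wrapping the parse and rejecting with a `GetJwksError` keeps the contract and fails closed, as below.

```javascript
const normalizedDomain = ensureTrailingSlash(domain)
let baseUrl
try {
  const url = new URL(normalizedDomain)
  baseUrl = `${url.protocol}//${url.hostname}/`
} catch (err) {
  // A domain that does not parse can never be on the allowlist: fail closed
  // with the same rejected-promise contract as the check below.
  return Promise.reject(new GetJwksError(errorCode.DOMAIN_NOT_ALLOWED))
}
// … unchanged: allowedDomains check …
```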