corbado · corbadoman · Oct 2, 2024 · Sep 30, 2024 · Oct 2, 2024
diff --git a/internal/services/session/session.go b/internal/services/session/session.go
@@ -136,6 +136,10 @@ func (i *Impl) ValidateToken(shortSession string) (*entities.User, error) {
 }
 
 func (i *Impl) validateIssuer(jwtIssuer string, shortSession string) error {
+	if jwtIssuer == "" {
+		return newValidationError("Issuer is empty", shortSession, validationerror.CodeJWTIssuerEmpty)
+	}
+
 	// Compare to old Frontend API (without .cloud.) to make our Frontend API host name change downwards compatible
 	if jwtIssuer == fmt.Sprintf("https://%s.frontendapi.corbado.io", i.Config.ProjectID) {
 		return nil
@@ -149,7 +153,7 @@ func (i *Impl) validateIssuer(jwtIssuer string, shortSession string) error {
 	// Compare to configured issuer (from FrontendAPI), needed if you set a CNAME for example
 	if jwtIssuer != i.Config.JWTIssuer {
 		return newValidationError(
-			fmt.Sprintf("JWT issuer mismatch (configured trough FrontendAPI: '%s', JWT issuer: '%s')", i.Config.JWTIssuer, jwtIssuer),
+			fmt.Sprintf("Issuer mismatch (configured trough FrontendAPI: '%s', JWT issuer: '%s')", i.Config.JWTIssuer, jwtIssuer),
 			shortSession,
 			validationerror.CodeJWTIssuerMismatch,
 		)

diff --git a/pkg/validationerror/code.go b/pkg/validationerror/code.go
@@ -9,4 +9,5 @@ const (
 	CodeJWTInvalidSignature
 	CodeJWTBefore
 	CodeJWTExpired
+	CodeJWTIssuerEmpty
 )
diff --git a/tests/unit/session/session_test.go b/tests/unit/session/session_test.go
@@ -192,6 +192,13 @@ func TestValidateToken(t *testing.T) {
 			validationErrorCode: validationerror.CodeJWTExpired,
 			success:             false,
 		},
+		{
+			name:                "Empty issuer (iss)",
+			issuer:              "https://pro-1.frontendapi.corbado.io",
+			shortSession:        generateJWT("", time.Now().Add(100*time.Second).Unix(), time.Now().Unix(), validPrivateKey),
+			validationErrorCode: validationerror.CodeJWTIssuerEmpty,
+			success:             false,
+		},
 		{
 			name:                "Invalid issuer 1 (iss)",
 			issuer:              "https://pro-1.frontendapi.corbado.io",
@@ -200,7 +207,7 @@ func TestValidateToken(t *testing.T) {
 			success:             false,
 		},
 		{
-			name:                "Invalid issuer 1 (iss)",
+			name:                "Invalid issuer 2 (iss)",
 			issuer:              "https://pro-1.frontendapi.cloud.corbado.io",
 			shortSession:        generateJWT("https://pro-2.frontendapi.corbado.io", time.Now().Add(100*time.Second).Unix(), time.Now().Unix(), validPrivateKey),
 			validationErrorCode: validationerror.CodeJWTIssuerMismatch,