From 0db15d63b0cab008495f60e7be9d715fed62719d Mon Sep 17 00:00:00 2001
From: Konstantin Wohlwend
Date: Thu, 12 Dec 2024 09:41:37 -0800
Subject: [PATCH] Disallow `kid` audience

---
 packages/stack-shared/src/utils/jwt.tsx | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/packages/stack-shared/src/utils/jwt.tsx b/packages/stack-shared/src/utils/jwt.tsx
index 8e581433f..4c35fc63d 100644
--- a/packages/stack-shared/src/utils/jwt.tsx
+++ b/packages/stack-shared/src/utils/jwt.tsx
@@ -3,7 +3,7 @@ import elliptic from "elliptic";
 import * as jose from "jose";
 import { JOSEError } from "jose/errors";
 import { encodeBase64Url } from "./bytes";
-import { getEnvVariable } from "./env";
+import { StackAssertionError } from "./errors";
 import { globalVar } from "./globals";
 import { pick } from "./objects";
 
@@ -112,6 +112,9 @@ export function getPerAudienceSecret(options: {
   audience: string,
   secret: string,
 }) {
+  if (options.audience === "kid") {
+    throw new StackAssertionError("You cannot use the 'kid' audience for a per-audience secret, see comment below in jwt.tsx");
+  }
   return jose.base64url.encode(
     crypto
       .createHash('sha256')
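Review bot: The new guard at the top of getPerAudienceSecret rejects only the exact string `"kid"`, so if audience values are ever trimmed, lower-cased or otherwise normalized upstream, or come from configuration rather than code, variants such as `"KID"` or `" kid"` would pass the check and still reach the hash derivation below; worth confirming that every caller passes a canonical audience, or comparing the normalized form if the project normalizes elsewhere. The error text sends the reader to "see comment below in jwt.tsx", which is not in the hunk and will silently drift if the file is reorganized; a one-line comment above the `if` restating why `kid` is reserved (the reason that lower comment gives) would keep the guard self-explanatory without the cross-reference. StackAssertionError reads as an internal-invariant failure rather than input validation, so if `audience` can originate outside the codebase a validation-style error may be the better fit, though that cannot be determined from the hunk. The body of getPerAudienceSecret continues past the end of the hunk.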