JWT: JWTPayloadHolder.getListClaim() throws NPE when specified claim is absent (#3249)

* KTOR-5098 Return an empty list if a claim is NullClaim

JWT: JWTPayloadHolder.getListClaim() throws NPE when specified claim is absent (#3249)
* KTOR-5098 Return an empty list if a claim is NullClaim
113e2715 · Aleksei Tirman · GitHub · 75a15395 · 113e2715 · 113e2715
--- a/ktor-server/ktor-server-plugins/ktor-server-auth-jwt/jvm/src/io/ktor/server/auth/jwt/JWTAuth.kt
+++ b/ktor-server/ktor-server-plugins/ktor-server-auth-jwt/jvm/src/io/ktor/server/auth/jwt/JWTAuth.kt
@@ -8,13 +8,11 @@ import com.auth0.jwk.*
 import com.auth0.jwt.*
 import com.auth0.jwt.algorithms.*
 import com.auth0.jwt.exceptions.*
-import com.auth0.jwt.impl.*
 import com.auth0.jwt.interfaces.*
 import com.auth0.jwt.interfaces.JWTVerifier
 import io.ktor.http.auth.*
 import io.ktor.server.application.*
 import io.ktor.server.auth.*
-import io.ktor.server.request.*
 import io.ktor.server.response.*
 import org.slf4j.*
 import java.util.*
@@ -110,7 +108,7 @@ public abstract class JWTPayloadHolder(
     */
    public fun <T : Any> getListClaim(name: String, clazz: KClass<T>): List<T> {
        return try {
-            payload.getClaim(name).asList(clazz.javaObjectType)
+            payload.getClaim(name).asList(clazz.javaObjectType) ?: emptyList()
        } catch (ex: JWTDecodeException) {
            emptyList()
        }

--- a/ktor-server/ktor-server-plugins/ktor-server-auth-jwt/jvm/test/io/ktor/server/auth/jwt/JWTPayloadHolderTest.kt
+++ b/ktor-server/ktor-server-plugins/ktor-server-auth-jwt/jvm/test/io/ktor/server/auth/jwt/JWTPayloadHolderTest.kt
+/*
+ * Copyright 2014-2022 JetBrains s.r.o and contributors. Use of this source code is governed by the Apache 2.0 license.
+ */
+
+package io.ktor.server.auth.jwt
+
+import com.auth0.jwt.impl.*
+import kotlin.test.*
+
+class JWTPayloadHolderTest {
+
+    @Test
+    fun noListClaim() {
+        val payload = JWTParser().parsePayload("{}")
+        val holder = object : JWTPayloadHolder(payload) {}
+        assertEquals(emptyList(), holder.getListClaim("iss", String::class))
+    }
+
+    @Test
+    fun claimListOfDifferentTypes() {
+        val payload = JWTParser().parsePayload(
+            """
+            {
+                "iss": ["issuer1", "issuer2"],
+                "sub": [true, false],
+                "aud": []
+            }
+            """.trimIndent()
+        )
+        val holder = object : JWTPayloadHolder(payload) {}
+
+        assertEquals(listOf("issuer1", "issuer2"), holder.getListClaim("iss", String::class))
+        assertEquals(listOf(true, false), holder.getListClaim("sub", Boolean::class))
+        assertEquals(emptyList(), holder.getListClaim("aud", Any::class))
+    }
+}