updates to handle token validation for app varients

examples/rownd-test/README.md

@@ -1,7 +1,7 @@
 
 ```bash
-git clone https://github.com/yourusername/rownd-test.git
-cd rownd-test
+git clone https://github.com/rownd/client-go.git
+cd client-go/examples/rownd-test
 ```
 
 2. Create a `.env` file in the project root:

pkg/rownd/middleware/http.go

@@ -18,7 +18,8 @@ func WithAuthentication(handler Handler) func(next http.Handler) http.Handler {
 			}
 
 			ctx := r.Context()
-			validated, err := handler.Validator.Validate(ctx, token)
+			// Pass validation options to Validate
+			validated, err := handler.Validator.Validate(ctx, token, handler.ValidationOpts)
 			if err != nil {
 				handler.ErrorHandler(w, r, errors.New("Forbidden"))
 				return

pkg/rownd/middleware/middleware.go

@@ -19,7 +19,8 @@ type (
 type Handler struct {
 	Validator      rownd.TokenValidator
 	TokenExtractor TokenExtractor
-	ErrorHandler   func(w http.ResponseWriter, r *http.Request, err error)
+	ErrorHandler   ErrorHandler
+	ValidationOpts *rownd.TokenValidationOptions
 }
 
 func NewHandler(validator rownd.TokenValidator, opts ...HandlerOption) (*Handler, error) {

pkg/rownd/token.go

@@ -20,6 +20,11 @@ const (
 	AuthLevelVerified   AuthLevel = "verified"
 )
 
+// TokenValidationOptions ...
+type TokenValidationOptions struct {
+	VariantID string
+}
+
 // Token ...
 type Token struct {
 	Token       *jwt.Token `json:"-"` // The parsed JWT token
@@ -100,15 +105,15 @@ func TokenFromCtx(ctx context.Context) *Token {
 
 // TokenValidator ...
 type TokenValidator interface {
-	Validate(ctx context.Context, token string) (*Token, error)
+	Validate(ctx context.Context, token string, opts *TokenValidationOptions) (*Token, error)
 }
 
 type tokenValidator struct {
 	*Client
 }
 
 // Validate ...
-func (c *tokenValidator) Validate(ctx context.Context, token string) (*Token, error) {
+func (c *tokenValidator) Validate(ctx context.Context, token string, opts *TokenValidationOptions) (*Token, error) {
 	if token == "" {
 		return nil, NewError(ErrAuthentication, "invalid token", nil)
 	}
@@ -175,6 +180,21 @@ func (c *tokenValidator) Validate(ctx context.Context, token string) (*Token, er
 		return nil, NewError(ErrAuthentication, "invalid token audience", nil)
 	}
 
+	// Add variant validation if specified
+	if opts != nil && opts.VariantID != "" {
+		expectedVariantAud := fmt.Sprintf("app_variant:%s", opts.VariantID)
+		hasValidVariant := false
+		for _, aud := range claims.Aud {
+			if aud == expectedVariantAud {
+				hasValidVariant = true
+				break
+			}
+		}
+		if !hasValidVariant {
+			return nil, NewError(ErrAuthentication, "invalid token variant audience", nil)
+		}
+	}
+
 	r := &Token{
 		Token:       parsedToken,
 		Claims:      *claims,
@@ -186,9 +206,9 @@ func (c *tokenValidator) Validate(ctx context.Context, token string) (*Token, er
 }
 
 // Add this method to expose token validation on the Client
-func (c *Client) ValidateToken(ctx context.Context, token string) (*Token, error) {
+func (c *Client) ValidateToken(ctx context.Context, token string, opts *TokenValidationOptions) (*Token, error) {
 	validator := &tokenValidator{Client: c}
-	return validator.Validate(ctx, token)
+	return validator.Validate(ctx, token, opts)
 }
 
 // Add JWKS types