Reject tokens when claims has an aud, none expected (#332)

* Reject tokens when claims has an aud, none expected

From the RFC:

> Each principal intended to process the JWT MUST
> identify itself with a value in the audience claim. If the principal
> processing the claim does not identify itself with a value in the
> "aud" claim when this claim is present, then the JWT MUST be
>rejected.

Closes #329

* Note the RFC section we're complying with by rejecting None aud.

Author: grahamc

src/validation.rs

@@ -263,6 +263,14 @@ pub(crate) fn validate(claims: ClaimsForValidation, options: &Validation) -> Res
     }
 
     match (claims.aud, options.aud.as_ref()) {
+        // Each principal intended to process the JWT MUST
+        // identify itself with a value in the audience claim. If the principal
+        // processing the claim does not identify itself with a value in the
+        // "aud" claim when this claim is present, then the JWT MUST be
+        //  rejected.
+        (TryParse::Parsed(_), None) => {
+            return Err(new_error(ErrorKind::InvalidAudience));
+        }
         (TryParse::Parsed(Audience::Single(aud)), Some(correct_aud)) => {
             if !correct_aud.contains(&*aud) {
                 return Err(new_error(ErrorKind::InvalidAudience));
@@ -632,6 +640,22 @@ mod tests {
         };
     }
 
+    #[test]
+    fn aud_none_fails() {
+        let claims = json!({"aud": ["Everyone"]});
+        let mut validation = Validation::new(Algorithm::HS256);
+        validation.validate_exp = false;
+        validation.required_spec_claims = HashSet::new();
+        validation.aud = None;
+        let res = validate(deserialize_claims(&claims), &validation);
+        assert!(res.is_err());
+
+        match res.unwrap_err().kind() {
+            ErrorKind::InvalidAudience => (),
+            _ => unreachable!(),
+        };
+    }
+
     #[test]
     fn aud_missing_fails() {
         let claims = json!({});