From e6da8277c44d21e76af56a968a6b6aeec5c3b353 Mon Sep 17 00:00:00 2001
From: tigerbot <seth.gibelyou@daplie.com>
Date: Mon, 5 Jun 2017 11:20:15 -0600
Subject: [PATCH] added audience to the tokens we generate

---
 bin/stunnel.js | 26 ++++++++++++++------------
 1 file changed, 14 insertions(+), 12 deletions(-)

diff --git a/bin/stunnel.js b/bin/stunnel.js
index 66a9012..fc0c5b6 100755
--- a/bin/stunnel.js
+++ b/bin/stunnel.js
@@ -120,8 +120,8 @@ program
   })
   .option('-k --insecure', 'Allow TLS connections to stunneld without valid certs (rejectUnauthorized: false)')
   .option('--locals <LIST>', 'comma separated list of <proto>:<port> to which matching incoming http and https should forward (reverse proxy). Ex: https:8443,smtps:8465', collectProxies, [ ]) // --reverse-proxies
-  .option('--domains <LIST>', 'comma separated list of domain names to set to the tunnel (to caputer a specific protocol to a specific local port use the format https:example.com:1337 instead). Ex: example.com,example.net', collectDomains, [ ])
-  .option('--device [HOSTNAME]', 'Tunnel all domains associated with this device instead of specific domainnames. Use with --locals <proto>:*:<port>. Ex: macbook-pro.local (the output of `hostname`)')
+  .option('--domains <LIST>', 'comma separated list of domain names to set to the tunnel (to capture a specific protocol to a specific local port use the format https:example.com:1337 instead). Ex: example.com,example.net', collectDomains, [ ])
+  .option('--device [HOSTNAME]', 'Tunnel all domains associated with this device instead of specific domainnames. Use with --locals <proto>:<port>. Ex: macbook-pro.local (the output of `hostname`)')
   .option('--stunneld <URL>', 'the domain (or ip address) at which you are running stunneld.js (the proxy)') // --proxy
   .option('--secret <STRING>', 'the same secret used by stunneld (used for JWT authentication)')
   .option('--token <STRING>', 'a pre-generated token for use with stunneld (instead of generating one with --secret)')
@@ -181,21 +181,23 @@ function rawTunnel() {
     return;
   }
 
-  if (!program.token) {
-    var jwt = require('jsonwebtoken');
-    var tokenData = {
-      domains: Object.keys(domainsMap).filter(Boolean)
-    };
-
-    program.token = jwt.sign(tokenData, program.secret);
-  }
-
   var location = url.parse(program.stunneld);
   if (!location.protocol || /\./.test(location.protocol)) {
     program.stunneld = 'wss://' + program.stunneld;
     location = url.parse(program.stunneld);
   }
-  program.stunneld = location.protocol + '//' + location.hostname + (location.port ? ':' + location.port : '');
+  var aud = location.hostname + (location.port ? ':' + location.port : '');
+  program.stunneld = location.protocol + '//' + aud;
+
+  if (!program.token) {
+    var jwt = require('jsonwebtoken');
+    var tokenData = {
+      domains: Object.keys(domainsMap).filter(Boolean)
+    , aud: aud
+    };
+
+    program.token = jwt.sign(tokenData, program.secret);
+  }
 
   connectTunnel();
 }