This repository has been archived by the owner on Aug 10, 2021. It is now read-only.

fix!: NumericDate parsing conformance #11

Closed
wants to merge 1 commit into from

Conversation

@dunglas dunglas commented Apr 1, 2021

The current implementation of the standard claims parser is invalid. It doesn't allow NumericDate values to be floats, while it's explicitly allowed by the RFC:

NumericDate
A JSON numeric value representing the number of seconds from
1970-01-01T00:00:00Z UTC until the specified UTC date/time,
ignoring leap seconds. This is equivalent to the IEEE Std 1003.1,
2013 Edition [POSIX.1] definition "Seconds Since the Epoch", in
which each day is accounted for by exactly 86400 seconds, other
than that non-integer values can be represented. See RFC 3339
[RFC3339] for details regarding date/times in general and UTC in
particular.

(Emphasis mine).

This is annoying because popular libraries generate tokens containing floats in the exp, iat and nbf fields. For instance, it's the case of lcobucci/jwt, one of the most popular JWT libraries written in PHP.

This PR fixes this, and also allows comparing fractions of seconds.

This is a BC break, so it should be merged in the 4.0 version.

Closes dunglas/mercure#404.
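
An added example, not code from this pull request or from the library: one way to decode NumericDate claims so that fractional values like those described above are accepted and `exp`/`nbf` are compared at sub-second resolution. The `NumericDate` and `Claims` types, `ParseClaims`, `ValidAt`, the year-9999 bound and the payload are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"math"
	"time"
)

// NumericDate (hypothetical type) keeps an RFC 7519 NumericDate at sub-second precision.
type NumericDate struct{ time.Time }

// UnmarshalJSON accepts integer and fractional JSON numbers; strings fail.
func (d *NumericDate) UnmarshalJSON(b []byte) error {
	var f float64
	if err := json.Unmarshal(b, &f); err != nil {
		return fmt.Errorf("NumericDate must be a JSON number: %w", err)
	}
	// Assumed bound (year 9999) so the int64 conversion stays well-defined.
	if f < 0 || f > 253402300799 {
		return fmt.Errorf("NumericDate %v out of range", f)
	}
	sec, frac := math.Modf(f)
	d.Time = time.Unix(int64(sec), int64(math.Round(frac*1e9)))
	return nil
}

// Claims (hypothetical struct) holds the time-based claims checked below.
type Claims struct {
	Exp *NumericDate `json:"exp"`
	Nbf *NumericDate `json:"nbf"`
}

// ParseClaims decodes an already base64url-decoded JWT payload.
func ParseClaims(payload []byte) (c Claims, err error) {
	err = json.Unmarshal(payload, &c)
	return c, err
}

// ValidAt applies RFC 7519: now must be before exp and at or after nbf.
func (c Claims) ValidAt(now time.Time) bool {
	expired := c.Exp != nil && !now.Before(c.Exp.Time)
	early := c.Nbf != nil && now.Before(c.Nbf.Time)
	return !expired && !early
}

func main() {
	c, err := ParseClaims([]byte(`{"exp":1617235200.5,"nbf":1617235100}`)) // constructed payload
	fmt.Println(c.Exp, err, c.ValidAt(time.Unix(1617235200, 600000000)))
}
```

With an integer-only parser the same token is either rejected outright or, if truncated, expires half a second early; here the string form `"1617235200"` is still refused, so the type check is not loosened beyond what the RFC allows.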

@joshua-hill-form3

This fork is now archived. Please contribute to the community maintained project https://github.com/golang-jwt/jwt

@dunglas dunglas deleted the fix/NumericDate branch August 9, 2021 19:11
Successfully merging this pull request may close these issues.

json: cannot unmarshal string into Go struct field claims.iat of type int64