Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

When exp indicates the present, make it invalid. #86

Merged
merged 3 commits into from
Sep 10, 2021

Conversation

soranoba
Copy link
Contributor

@soranoba soranoba commented Aug 5, 2021

https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.4

The "exp" (expiration time) claim identifies the expiration time on
or after which the JWT MUST NOT be accepted for processing.

it is written on the reference.
So, it seems invalid when exp indicates the present. Isn't it right?

@lggomez
Copy link
Member

lggomez commented Aug 21, 2021

That's a breaking change on the current claims structure (which we want to avoid for compatibility purposes despite standards adherence) but there's an ongoing PR adding an API compatible implementation of a RFC7519 compatible claim at #15

cc @oxisto

@lggomez
Copy link
Member

lggomez commented Aug 22, 2021

@soranoba the PR was just merged into main, so you should be able to test this via go get github.com/golang-jwt/jwt/v4@main, there is a new claims type RegisteredClaims which performs the following RFC compliant validation:

jwt/claims.go

Lines 237 to 242 in 80625fb

func verifyExp(exp *time.Time, now time.Time, required bool) bool {
if exp == nil {
return !required
}
return now.Before(*exp) || now.Equal(*exp)
}

@oxisto
Copy link
Collaborator

oxisto commented Aug 22, 2021

@soranoba the PR was just merged into main, so you should be able to test this via go get github.com/golang-jwt/jwt/v4@main, there is a new claims type RegisteredClaims which performs the following RFC compliant validation:

jwt/claims.go

Lines 237 to 242 in 80625fb

func verifyExp(exp *time.Time, now time.Time, required bool) bool {
if exp == nil {
return !required
}
return now.Before(*exp) || now.Equal(*exp)
}

I fear the new claim is just replicating the old claim behaviour. However, since we did not do a release yet, we are somewhat free to change it. I need to double check the exact wording on the RFC again and will have a look at how other libraries handle this.

@soranoba
Copy link
Contributor Author

Thank you for the information. I will check it.

@soranoba
Copy link
Contributor Author

Now that the main branch uses time.Time (It is same dgrijalva/jwt-go v4.0.0-preview1), there are no real problems with RFC violations.

In the current v4, it checks expires in 1s units, so there was a problem that it is not regarded as expire even if several ms have passed in the test code.
I wanted this case to go away, so my worries have been resolved at the main branch.

However, I think the main branch is RFC incompliant either.

- return now.Before(*exp) || now.Equal(*exp) 
+ return now.Before(*exp)

I think it's correct to do this, but I'm not firmly reading the RFC, so I'll leave it to you.
Thanks.

@dunglas
Copy link
Contributor

dunglas commented Aug 24, 2021

Your proposed patch looks correct to me @soranoba.

@mfridman
Copy link
Member

There is a merge conflict on the PR. Should we fix it up?

@mfridman
Copy link
Member

I also agree with this proposal. Likewise the time-based verification should just be:

func verifyExp(exp *time.Time, now time.Time, required bool) bool {
	if exp == nil {
		return !required
	}
- 	return now.Before(*exp) || now.Equal(*exp)
+	return now.Before(*exp)
}

jwt/claims.go

Line 241 in 205b3dc

return now.Before(*exp) || now.Equal(*exp)

@oxisto
Copy link
Collaborator

oxisto commented Sep 10, 2021

I also agree with this proposal. Likewise the time-based verification should just be:

func verifyExp(exp *time.Time, now time.Time, required bool) bool {
	if exp == nil {
		return !required
	}
- 	return now.Before(*exp) || now.Equal(*exp)
+	return now.Before(*exp)
}

jwt/claims.go

Line 241 in 205b3dc

return now.Before(*exp) || now.Equal(*exp)

Yes. Looks like this is correct. I fixed the merge conflict.

map_claims_test.go Outdated Show resolved Hide resolved
@@ -97,3 +98,26 @@ func TestMapclaimsVerifyExpiresAtInvalidTypeString(t *testing.T) {
t.Fatalf("Failed to verify claims, wanted: %v got %v", want, got)
}
}

func TestMapClaimsVerifyExpiresAtExpire(t *testing.T) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm.

note to self to consider rewriting these tests as table tests

@mfridman mfridman merged commit 02bc1ac into golang-jwt:main Sep 10, 2021
bednar added a commit to influxdata/chronograf that referenced this pull request Nov 20, 2024
bednar added a commit to influxdata/chronograf that referenced this pull request Nov 20, 2024
…6113)

* chore(deps): bump github.com/golang-jwt/jwt/v4 from 4.0.0 to 4.5.1

Bumps [github.com/golang-jwt/jwt/v4](https://github.com/golang-jwt/jwt) from 4.0.0 to 4.5.1.
- [Release notes](https://github.com/golang-jwt/jwt/releases)
- [Changelog](https://github.com/golang-jwt/jwt/blob/main/VERSION_HISTORY.md)
- [Commits](golang-jwt/jwt@v4.0.0...v4.5.1)

---
updated-dependencies:
- dependency-name: github.com/golang-jwt/jwt/v4
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

* fix(tests): `jwt` library change behaviour about ExpiresAt - when indicate presents = invalid

This is correct behaviour as it is in alignment with specification.

For more info see:

- https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.4
- https://github.com/golang-jwt/jwt/releases/tag/v4.1.0
- golang-jwt/jwt#86

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Jakub Bednar <jakub.bednar@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants