When exp indicates the present, make it invalid. #86
@soranoba the PR was just merged into main, so you should be able to test this via Lines 237 to 242 in 80625fb
|
I fear the new claim is just replicating the old claim behaviour. However, since we did not do a release yet, we are somewhat free to change it. I need to double check the exact wording on the RFC again and will have a look at how other libraries handle this. |
Thank you for the information. I will check it. |
Now that the main branch uses time.Time (It is same In the current v4, it checks expires in 1s units, so there was a problem that it is not regarded as expire even if several ms have passed in the test code. However, I think the main branch is RFC incompliant either. - return now.Before(*exp) || now.Equal(*exp)
+ return now.Before(*exp) I think it's correct to do this, but I'm not firmly reading the RFC, so I'll leave it to you. |
Your proposed patch looks correct to me @soranoba. |
There is a merge conflict on the PR. Should we fix it up? |
I also agree with this proposal. Likewise the time-based verification should just be: func verifyExp(exp *time.Time, now time.Time, required bool) bool {
if exp == nil {
return !required
}
- return now.Before(*exp) || now.Equal(*exp)
+ return now.Before(*exp)
} Line 241 in 205b3dc
|
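Review bot: missing documentation on the `+ return now.Before(*exp)` line: nothing in `verifyExp` says why `now == *exp` is rejected. A one-line comment above the return citing RFC 7519 section 4.1.4 (exp is the time "on or after which the JWT MUST NOT be accepted") would keep the strict comparison from being loosened back to `|| now.Equal(*exp)` later. The `exp == nil` branch returning `!required` is untouched by this hunk and needs no change.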
Yes. Looks like this is correct. I fixed the merge conflict. |
@@ -97,3 +98,26 @@ func TestMapclaimsVerifyExpiresAtInvalidTypeString(t *testing.T) { | |||
t.Fatalf("Failed to verify claims, wanted: %v got %v", want, got) | |||
} | |||
} | |||
|
|||
func TestMapClaimsVerifyExpiresAtExpire(t *testing.T) { |
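Review bot: naming is inconsistent in this hunk: the added `TestMapClaimsVerifyExpiresAtExpire` spells `MapClaims` with a capital C, while the existing test in the `@@` context line is `TestMapclaimsVerifyExpiresAtInvalidTypeString`. Pick one spelling so a case-sensitive `go test -run` pattern selects both. Only the signature is visible here; the body should assert the exact boundary, with the verification time equal to `exp`, since that is the case this PR changes.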
lgtm.
note to self to consider rewriting these tests as table tests
…icate presents = invalid This is correct behaviour as it is in alignment with specification. For more info see: - https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.4 - https://github.com/golang-jwt/jwt/releases/tag/v4.1.0 - golang-jwt/jwt#86
…6113) * chore(deps): bump github.com/golang-jwt/jwt/v4 from 4.0.0 to 4.5.1 Bumps [github.com/golang-jwt/jwt/v4](https://github.com/golang-jwt/jwt) from 4.0.0 to 4.5.1. - [Release notes](https://github.com/golang-jwt/jwt/releases) - [Changelog](https://github.com/golang-jwt/jwt/blob/main/VERSION_HISTORY.md) - [Commits](golang-jwt/jwt@v4.0.0...v4.5.1) --- updated-dependencies: - dependency-name: github.com/golang-jwt/jwt/v4 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> * fix(tests): `jwt` library change behaviour about ExpiresAt - when indicate presents = invalid This is correct behaviour as it is in alignment with specification. For more info see: - https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.4 - https://github.com/golang-jwt/jwt/releases/tag/v4.1.0 - golang-jwt/jwt#86 --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Jakub Bednar <jakub.bednar@gmail.com>
https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.4
it is written on the reference.
So, it seems invalid when exp indicates the present. Isn't it right?
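The boundary discussed in this thread, as an added example that is not code from the PR or the library. The two checks copy the `-` and `+` comparisons quoted above; the names `verifyExpInclusive`, `verifyExpStrict` and `acceptedAfterExp`, the sample `exp` value, and the use of `Truncate` to model a clock read at one-second resolution are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"time"
)

type expCheck func(exp *time.Time, now time.Time, required bool) bool

// verifyExpInclusive is the comparison from the "-" line in the thread.
func verifyExpInclusive(exp *time.Time, now time.Time, required bool) bool {
	if exp == nil {
		return !required
	}
	return now.Before(*exp) || now.Equal(*exp)
}

// verifyExpStrict is the comparison from the "+" line in the thread.
func verifyExpStrict(exp *time.Time, now time.Time, required bool) bool {
	if exp == nil {
		return !required
	}
	return now.Before(*exp)
}

// acceptedAfterExp samples the clock every step from exp to exp+span,
// truncates each reading to res (assumed model of a coarse clock), and
// counts the samples at or after exp that still pass the check.
func acceptedAfterExp(check expCheck, exp time.Time, res, step, span time.Duration) int {
	n := 0
	for off := time.Duration(0); off <= span; off += step {
		if now := exp.Add(off).Truncate(res); check(&exp, now, true) {
			n++
		}
	}
	return n
}

func main() {
	exp := time.Date(2021, 8, 1, 12, 0, 0, 0, time.UTC) // constructed sample value
	step, span := 100*time.Millisecond, 2*time.Second
	for _, res := range []time.Duration{time.Second, time.Nanosecond} {
		fmt.Printf("resolution %v: inclusive accepts %d samples at/after exp, strict accepts %d\n",
			res,
			acceptedAfterExp(verifyExpInclusive, exp, res, step, span),
			acceptedAfterExp(verifyExpStrict, exp, res, step, span))
	}
}
```

At one-second resolution the inclusive check keeps accepting the token for every sample in the second that starts at `exp`; the strict check accepts none at either resolution.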