Skip to content

Commit

Permalink
Stop rejecting tokens with future 'iat' values
Browse files Browse the repository at this point in the history
RFC 7519 does not specify or even suggest this type of validation on the
'iat' claim and it has caused issues for several consumers of PyJWT.

This change removes the validation on future 'iat' values and leaves
such things up to the application developer to implement.

Fixes #190.
  • Loading branch information
mark-adams committed Apr 17, 2017
1 parent ceff941 commit ab99f9e
Show file tree
Hide file tree
Showing 4 changed files with 3 additions and 15 deletions.
2 changes: 2 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@ This project adheres to [Semantic Versioning](http://semver.org/).
- Add support for ECDSA public keys in RFC 4253 (OpenSSH) format [#244][244]
- Renamed commandline script `jwt` to `jwt-cli` to avoid issues with the script clobbering the `jwt` module in some circumstances.
- Better error messages when using an algorithm that requires the cryptography package, but it isn't available [#230][230]
- Tokens with future 'iat' values are no longer rejected [#190][190]

### Fixed

Expand Down Expand Up @@ -129,5 +130,6 @@ rarely used. Users affected by this should upgrade to 3.3+.
[174]: https://github.com/jpadilla/pyjwt/pull/174
[182]: https://github.com/jpadilla/pyjwt/pull/182
[183]: https://github.com/jpadilla/pyjwt/pull/183
[190]: https://github.com/jpadilla/pyjwt/pull/190
[213]: https://github.com/jpadilla/pyjwt/pull/214
[244]: https://github.com/jpadilla/pyjwt/pull/244
3 changes: 0 additions & 3 deletions docs/usage.rst
Original file line number Diff line number Diff line change
Expand Up @@ -180,9 +180,6 @@ Issued At Claim (iat)
This claim can be used to determine the age of the JWT. Its value MUST be a
number containing a NumericDate value. Use of this claim is OPTIONAL.

If the `iat` claim is in the future, an `jwt.InvalidIssuedAtError` exception
will be raised.

.. code-block:: python
jwt.encode({'iat': 1371720939}, 'secret')
Expand Down
6 changes: 1 addition & 5 deletions jwt/api_jwt.py
Original file line number Diff line number Diff line change
Expand Up @@ -121,14 +121,10 @@ def _validate_required_claims(self, payload, options):

def _validate_iat(self, payload, now, leeway):
try:
iat = int(payload['iat'])
int(payload['iat'])
except ValueError:
raise DecodeError('Issued At claim (iat) must be an integer.')

if iat > (now + leeway):
raise InvalidIssuedAtError('Issued At claim (iat) cannot be in'
' the future.')

def _validate_nbf(self, payload, now, leeway):
try:
nbf = int(payload['nbf'])
Expand Down
7 changes: 0 additions & 7 deletions tests/test_api_jwt.py
Original file line number Diff line number Diff line change
Expand Up @@ -154,13 +154,6 @@ def test_decode_raises_exception_if_nbf_is_not_int(self, jwt):
with pytest.raises(DecodeError):
jwt.decode(example_jwt, 'secret')

def test_decode_raises_exception_if_iat_in_the_future(self, jwt):
now = datetime.utcnow()
token = jwt.encode({'iat': now + timedelta(days=1)}, key='secret')

with pytest.raises(InvalidIssuedAtError):
jwt.decode(token, 'secret')

def test_encode_datetime(self, jwt):
secret = 'secret'
current_datetime = datetime.utcnow()
Expand Down

0 comments on commit ab99f9e

Please sign in to comment.