From 9c720a685816c5155b38c309ea44b85d2d1d8a9e Mon Sep 17 00:00:00 2001
From: Adam Michael
Date: Fri, 3 Jul 2015 13:34:08 -0700
Subject: [PATCH] Iat check uses leeway.
---
 lib/jwt.rb | 2 +-
 spec/jwt_spec.rb | 16 ++++++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/lib/jwt.rb b/lib/jwt.rb
index bae10307..f3fe0e3e 100644
--- a/lib/jwt.rb
+++ b/lib/jwt.rb
@@ -167,7 +167,7 @@ def decode(jwt, key=nil, verify=true, options={}, &keyfinder)
 fail JWT::InvalidIssuerError.new("Invalid issuer. Expected #{options['iss']}, received #{payload['iss'] || ''}") unless payload['iss'].to_s == options['iss'].to_s
 end
 if options[:verify_iat] && payload.include?('iat')
- fail JWT::InvalidIatError.new('Invalid iat') unless payload['iat'].is_a?(Integer) && payload['iat'].to_i <= Time.now.to_i
+ fail JWT::InvalidIatError.new('Invalid iat') unless payload['iat'].is_a?(Integer) && payload['iat'].to_i <= (Time.now.to_i + options[:leeway])
 end
 if options[:verify_aud] && options['aud']
 if payload['aud'].is_a?(Array)
diff --git a/spec/jwt_spec.rb b/spec/jwt_spec.rb
index 141b9563..ecccf99e 100644
--- a/spec/jwt_spec.rb
+++ b/spec/jwt_spec.rb
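Review bot: The new right-hand side `(Time.now.to_i + options[:leeway])` assumes options[:leeway] is always an Integer; unless decode merges a default for :leeway before this point (the start of decode is outside the hunk, so I cannot confirm it), a caller passing only :verify_iat => true gets a TypeError from `Integer + nil` instead of JWT::InvalidIatError. Writing it as `payload['iat'] <= Time.now.to_i + options[:leeway].to_i` closes that gap either way, and the `.to_i` on payload['iat'] is redundant after the `is_a?(Integer)` guard. This leeway also widens how far in the future an iat is accepted, so a comment such as `# tolerate issuer/verifier clock skew: iat may be at most leeway seconds in the future` would record why a future-dated iat is ever valid; if :leeway is the same value used by the exp/nbf checks, a generous expiry tolerance silently relaxes this check too.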
@@ -138,6 +138,22 @@
 expect { JWT.decode(example_jwt, example_secret, true, :verify_iat => true, 'iat' => 1425917209) }.to raise_error(JWT::InvalidIatError)
 end
+ it 'raises decode exception when iat is in the future' do
+ invalid_payload = @payload.clone
+ invalid_payload['iat'] = Time.now.to_i + 3
+ secret = 'secret'
+ jwt = JWT.encode(invalid_payload, secret)
+ expect { JWT.decode(jwt, secret, true, :verify_iat => true) }.to raise_error(JWT::InvalidIatError)
+ end
+
+ it 'performs normal decode if iat is within leeway' do
+ invalid_payload = @payload.clone
+ invalid_payload['iat'] = Time.now.to_i + 3
+ secret = 'secret'
+ jwt = JWT.encode(invalid_payload, secret)
+ expect { JWT.decode(jwt, secret, true, :verify_iat => true, :leeway => 3) }.to_not raise_error
+ end
+
 it 'decodes valid JWTs with jti' do
 example_payload = { 'hello' => 'world', 'iat' => 1425917209, 'jti' => Digest::MD5.hexdigest('secret:1425917209') }
 example_secret = 'secret'
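Review bot: Neither new example pins the upper bound of the leeway window: `invalid_payload['iat'] = Time.now.to_i + 3` with `:leeway => 3` shows an iat inside the window is accepted, but nothing shows that an iat beyond it (for example `Time.now.to_i + 4` with `:leeway => 3`) still raises JWT::InvalidIatError, which is the case that distinguishes a bounded tolerance from a disabled check. The first example also relies on fewer than 3 seconds elapsing between `JWT.encode` and `JWT.decode`; a larger offset such as `Time.now.to_i + 60` keeps the assertion meaningful on a slow run. In the second example `invalid_payload` names a payload the test expects to be accepted, so `future_iat_payload` would read better, and the encode setup duplicated across both examples could move into a shared helper.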