Enabling blacklisting of expired-but-refreshable tokens

Change the behavior of `$blacklist->add` to support expired tokens until `iat + refresh_ttl`. Add `setRefreshTTL` function and call it in the package SP.
tymondesigns · Jan 27, 2016 · 7b89b50 · 7b89b50
1 parent df1cd98
commit 7b89b50
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 6 deletions.
diff --git a/src/Blacklist.php b/src/Blacklist.php
@@ -19,6 +19,13 @@ class Blacklist
      * @var \Tymon\JWTAuth\Providers\Storage\StorageInterface
      */
     protected $storage;
+
+    /**
+     * Number of minutes from issue date in which a JWT can be refreshed.
+     *
+     * @var int
+     */
+    protected $refreshTTL = 20160;
 
     /**
      * @param \Tymon\JWTAuth\Providers\Storage\StorageInterface  $storage
@@ -37,17 +44,21 @@ public function __construct(StorageInterface $storage)
     public function add(Payload $payload)
     {
         $exp = Utils::timestamp($payload['exp']);
+        $refreshExp = Utils::timestamp($payload['iat'])->addMinutes($this->refreshTTL);
 
         // there is no need to add the token to the blacklist
-        // if the token has already expired
-        if ($exp->isPast()) {
+        // if the token has already expired AND the refresh_ttl
+        // has gone by
+        if ($exp->isPast() && $refreshExp->isPast()) {
             return false;
         }
 
-        // add a minute to abate potential overlap
-        $minutes = $exp->diffInMinutes(Utils::now()->subMinute());
+        // Set the cache entry's lifetime to be equal to the amount
+        // of refreshable time it has remaining (which is the larger
+        // of `exp` and `iat+refresh_ttl`), rounded up a minute
+        $cacheLifetime = $exp->max($refreshExp)->diffInMinutes(Utils::now()->subMinute());
 
-        $this->storage->add($payload['jti'], [], $minutes);
+        $this->storage->add($payload['jti'], [], $cacheLifetime);
 
         return true;
     }
@@ -85,4 +96,17 @@ public function clear()
 
         return true;
     }
+
+    /**
+     * Set the refresh time limit
+     *
+     * @param  int
+     *
+     * @return $this
+     */
+    public function setRefreshTTL($ttl)
+    {
+        $this->refreshTTL = (int) $ttl;
+        return $this;
+    }
 }
diff --git a/src/Providers/JWTAuthServiceProvider.php b/src/Providers/JWTAuthServiceProvider.php
@@ -210,7 +210,8 @@ protected function registerJWTAuth()
     protected function registerJWTBlacklist()
     {
         $this->app['tymon.jwt.blacklist'] = $this->app->share(function ($app) {
-            return new Blacklist($app['tymon.jwt.provider.storage']);
+            $instance =  new Blacklist($app['tymon.jwt.provider.storage']);
+            return $instance->setRefreshTTL($this->config('refresh_ttl'));
         });
     }