
Successfully validates a JWT token with a timestamp in the past #699

Closed
Exadra37 opened this issue Mar 29, 2022 · 0 comments · Fixed by #700

Steps to Reproduce

You can run the Hello server locally, and then use this curl command:

curl -i -X GET 'localhost:8002' \
--header 'Approov-Token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE1NTUwODMzNDkuMzc3NzYyM30.XzZs_ItunAmisfTAuLLHqTytNnQqnwqh0Koh3PPKAoM'

Output:

HTTP/1.1 200 OK

....

{"message":"Hello, World!"}

But a 401 is expected:

HTTP/1.1 401 Unauthorized

...

{}

Expected Result

iex(13)> HelloWeb.ApproovTokenPlug.decode_and_verify "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE1NTUwODMzNDkuMzc3NzYyM30.XzZs_ItunAmisfTAuLLHqTytNnQqnwqh0Koh3PPKAoM"
{:error, :token_expired}

iex(14)> Guardian.Token.Jwt.Verify.verify_claim HelloWeb.ApproovTokenPlug, "exp", %{"exp" => 1555083349.3777623}, []
{:error, :token_expired}

Actual Result

If we try directly from the iex shell we also get a valid token, despite having an exp claim in the past.

iex(13)> HelloWeb.ApproovTokenPlug.decode_and_verify "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE1NTUwODMzNDkuMzc3NzYyM30.XzZs_ItunAmisfTAuLLHqTytNnQqnwqh0Koh3PPKAoM"
{:ok, %{"exp" => 1555083349.3777623}}

iex(14)> Guardian.Token.Jwt.Verify.verify_claim HelloWeb.ApproovTokenPlug, "exp", %{"exp" => 1555083349.3777623}, []
{:ok, %{"exp" => 1555083349.3777623}}

iex(15)> System.system_time(:second)
1648568628

But it works ok when the timestamp is only 1555083349:

iex(16)> Guardian.Token.Jwt.Verify.verify_claim HelloWeb.ApproovTokenPlug, "exp", %{"exp" => 1555083349}, []
{:error, :token_expired}
@Exadra37 Exadra37 changed the title Correctly validates a JWT token with a timestamp in the past Successfully validates a JWT token with a timestamp in the past Mar 29, 2022
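The behaviour reported above (an integer exp is rejected, the same value as a float is accepted) is what a claim check produces when a guard that only matches integers lets a float fall through to a permissive default clause. The Elixir module below is an added illustration written for this page, not Guardian's own code (the library's implementation and the fix in #700 are not shown here); the `ExpCheck` module and its function names are hypothetical, and the timestamps are the ones printed in the iex session above.

```elixir
# Added example, not Guardian's code: a minimal "exp" check that reproduces the
# behaviour in this issue (float exp accepted) next to a hardened version.
defmodule ExpCheck do
  # Hypothetical fail-open check: the guard only matches integer "exp" values,
  # so a float such as 1555083349.3777623 skips this clause entirely and lands
  # in the catch-all below, which accepts the claims without any comparison.
  def verify_exp_fail_open(%{"exp" => exp} = claims, now) when is_integer(exp) do
    if exp >= now, do: {:ok, claims}, else: {:error, :token_expired}
  end

  def verify_exp_fail_open(claims, _now), do: {:ok, claims}

  # Hardened check: any numeric "exp" (integer or float) is compared against
  # the current time, and a missing or non-numeric "exp" is an error rather
  # than a pass, so unexpected claim shapes fail closed.
  def verify_exp_strict(%{"exp" => exp} = claims, now) when is_number(exp) do
    if exp >= now, do: {:ok, claims}, else: {:error, :token_expired}
  end

  def verify_exp_strict(%{"exp" => _bad}, _now), do: {:error, :invalid_exp}
  def verify_exp_strict(_claims, _now), do: {:error, :missing_exp}
end

# Values taken from the issue: the token's exp claim and the system time
# printed in the iex session.
now = 1648568628
float_claims = %{"exp" => 1555083349.3777623}
int_claims = %{"exp" => 1555083349}

IO.inspect(ExpCheck.verify_exp_fail_open(float_claims, now), label: "fail-open, float exp")
IO.inspect(ExpCheck.verify_exp_fail_open(int_claims, now), label: "fail-open, integer exp")
IO.inspect(ExpCheck.verify_exp_strict(float_claims, now), label: "strict, float exp")
IO.inspect(ExpCheck.verify_exp_strict(%{"exp" => "1555083349"}, now), label: "strict, string exp")
```

Run it as a script (`elixir exp_check.exs`): the fail-open variant accepts the float claim while rejecting the integer one, and the strict variant rejects both the expired float and the string-typed claim.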