FirebaseIdToken::Signature.verify(token) returns nil for newly issued tokens

Question

FirebaseIdToken::Signature.verify(token) returns nil for newly issued tokens

dps opened this issue 7 years ago · 1 comments

Using this library, newly issued tokens don't verify correctly until one second after they have been issued.

Found using a client example which did a forceRefresh on the token every time - had a timing dependent bug where these tokens sometimes verified OK but mostly didn't.

    def still_valid?(payload)
      payload['exp'].to_i > Time.now.to_i &&
      payload['iat'].to_i < Time.now.to_i
    end

Should be payload['iat'].to_i <= Time.now.to_i

Answer 1 · 2018-04-09T07:23:16.000Z

Thank you for spotting it.

Your PR was approved and merged.
A new version is on the web.

https://github.com/fschuindt/firebase_id_token/releases/tag/2.1.0

Cheers!