ueberauth/guardian

Successfully validates a JWT token with a timestamp in the past

Exadra37 opened this issue · 0 comments

Steps to Reproduce

You can run the Hello server locally, and then use this curl command:

curl -iX GET 'localhost:8002' \
--header 'Approov-Token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE1NTUwODMzNDkuMzc3NzYyM30.XzZs_ItunAmisfTAuLLHqTytNnQqnwqh0Koh3PPKAoM'

Output:

HTTP/1.1 200 OK

....

{"message":"Hello, World!"}

But a 401 is expected:

HTTP/1.1 401 Unauthorized

...

{}

Expected Result

iex(13)> HelloWeb.ApproovTokenPlug.decode_and_verify "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE1NTUwODMzNDkuMzc3NzYyM30.XzZs_ItunAmisfTAuLLHqTytNnQqnwqh0Koh3PPKAoM"
{:error, :token_expired}

iex(14)> Guardian.Token.Jwt.Verify.verify_claim HelloWeb.ApproovTokenPlug, "exp", %{"exp" => 1555083349.3777623}, []
{:error, :token_expired}

Actual Result

If we try directly from the iex shell, we also get a valid token, despite it having an exp claim in the past.

iex(13)> HelloWeb.ApproovTokenPlug.decode_and_verify "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE1NTUwODMzNDkuMzc3NzYyM30.XzZs_ItunAmisfTAuLLHqTytNnQqnwqh0Koh3PPKAoM"
{:ok, %{"exp" => 1555083349.3777623}}

iex(14)> Guardian.Token.Jwt.Verify.verify_claim HelloWeb.ApproovTokenPlug, "exp", %{"exp" => 1555083349.3777623}, []
{:ok, %{"exp" => 1555083349.3777623}}

iex(15)> System.system_time(:second)
1648568628

But it works ok when the timestamp is only 1555083349:

iex(16)> Guardian.Token.Jwt.Verify.verify_claim HelloWeb.ApproovTokenPlug, "exp", %{"exp" => 1555083349}, []
{:error, :token_expired}
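As an added illustration, not Guardian's code and not a claim about why Guardian behaves this way, here is a minimal Elixir model of an exp check whose integer-only guard lets a float exp fall through as valid, beside a version that compares any numeric exp and rejects a non-numeric one (RFC 7519 defines exp as a NumericDate, a JSON number that need not be an integer). The module and function names are assumptions, and the timestamps are the ones from the issue above.

```elixir
# Added example, not Guardian's implementation. Models the failure mode in the
# issue: a verifier that only compares an integer exp and treats every other
# shape of claim as valid.
defmodule ExpCheck do
  # Lenient variant: the guard only matches an integer exp, so a float exp
  # never reaches the comparison and drops into the catch-all clause.
  def lenient(%{"exp" => exp} = claims, now) when is_integer(exp) do
    if now > exp, do: {:error, :token_expired}, else: {:ok, claims}
  end

  def lenient(claims, _now), do: {:ok, claims}

  # Strict variant: any numeric exp (integer or float) is compared against the
  # current time, and an exp of any other type is an error rather than a pass.
  def strict(%{"exp" => exp} = claims, now) when is_number(exp) do
    if now > exp, do: {:error, :token_expired}, else: {:ok, claims}
  end

  def strict(%{"exp" => _bad}, _now), do: {:error, :invalid_exp}
  def strict(claims, _now), do: {:ok, claims}
end

# Current time as reported in the issue (System.system_time(:second)).
now = 1648568628

# Integer exp from the issue: both variants reject it (a MatchError here would
# mean the model is wrong).
{:error, :token_expired} = ExpCheck.lenient(%{"exp" => 1555083349}, now)
{:error, :token_expired} = ExpCheck.strict(%{"exp" => 1555083349}, now)

# Float exp from the issue's token: the lenient check accepts an expired token,
# the strict check rejects it.
{:ok, _claims} = ExpCheck.lenient(%{"exp" => 1555083349.3777623}, now)
{:error, :token_expired} = ExpCheck.strict(%{"exp" => 1555083349.3777623}, now)

# A malformed exp (string) is also rejected by the strict check instead of
# being silently accepted.
{:error, :invalid_exp} = ExpCheck.strict(%{"exp" => "1555083349"}, now)

IO.puts("all exp checks behaved as expected")
```

Run with `elixir exp_check.exs`; each top-level pattern match acts as an assertion, so a wrong branch raises a MatchError instead of printing the final line.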