Successfully validates a JWT token with a timestamp in the past
Exadra37 opened this issue · 0 comments
Exadra37 commented
Steps to Reproduce
You can run the Hello server locally, and then use this curl command:
curl -i -X GET 'localhost:8002' \
--header 'Approov-Token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE1NTUwODMzNDkuMzc3NzYyM30.XzZs_ItunAmisfTAuLLHqTytNnQqnwqh0Koh3PPKAoM'
Output:
HTTP/1.1 200 OK
....
{"message":"Hello, World!"}
But a 401 is expected:
HTTP/1.1 401 Unauthorized
...
{}
Expected Result
iex(13)> HelloWeb.ApproovTokenPlug.decode_and_verify "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE1NTUwODMzNDkuMzc3NzYyM30.XzZs_ItunAmisfTAuLLHqTytNnQqnwqh0Koh3PPKAoM"
{:error, :token_expired}
iex(14)> Guardian.Token.Jwt.Verify.verify_claim HelloWeb.ApproovTokenPlug, "exp", %{"exp" => 1555083349.3777623}, []
{:error, :token_expired}
Actual Result
If we try directly from the iex shell we also get a valid token, despite having an exp claim in the past.
iex(13)> HelloWeb.ApproovTokenPlug.decode_and_verify "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE1NTUwODMzNDkuMzc3NzYyM30.XzZs_ItunAmisfTAuLLHqTytNnQqnwqh0Koh3PPKAoM"
{:ok, %{"exp" => 1555083349.3777623}}
iex(14)> Guardian.Token.Jwt.Verify.verify_claim HelloWeb.ApproovTokenPlug, "exp", %{"exp" => 1555083349.3777623}, []
{:ok, %{"exp" => 1555083349.3777623}}
iex(15)> System.system_time(:second)
1648568628
But it works ok when the timestamp is only 1555083349:
iex(16)> Guardian.Token.Jwt.Verify.verify_claim HelloWeb.ApproovTokenPlug, "exp", %{"exp" => 1555083349}, []
{:error, :token_expired}
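The following is an added illustration, not Guardian's code and not part of the issue. It shows one verifier shape that reproduces the reported behaviour (an "exp" clause guarded on `is_integer/1` falling through to a catch-all that accepts the claims) next to a variant that compares any numeric `exp` and rejects non-numeric or missing values instead of accepting them. Whether Guardian's `verify_claim/4` is written this way is an assumption; the issue only shows the symptom. The module name `ExpCheck` and the fixed clock value `@now` (taken from the `System.system_time(:second)` output in the report) are assumptions made so the example is deterministic.

```elixir
# Added illustration (not Guardian's implementation): how an integer-only
# guard plus a permissive fallback lets a float "exp" in the past through,
# and how a numeric guard with explicit rejection closes that gap.
defmodule ExpCheck do
  # Fixed "now" for a deterministic example; the issue's iex session
  # reported System.system_time(:second) as 1648568628.
  @now 1_648_568_628

  # Lenient variant: only an integer "exp" is compared against the clock.
  # A float "exp" does not match the first clause, hits the catch-all and
  # is accepted, which is the behaviour described in the report.
  def verify_lenient(%{"exp" => exp} = claims) when is_integer(exp) do
    if exp > @now, do: {:ok, claims}, else: {:error, :token_expired}
  end

  def verify_lenient(claims), do: {:ok, claims}

  # Strict variant: any number (integer or float) is compared, a missing
  # "exp" is reported as such, and a non-numeric "exp" is an error rather
  # than a pass. The default for anything unexpected is rejection.
  def verify_strict(%{"exp" => exp} = claims) when is_number(exp) do
    if exp > @now, do: {:ok, claims}, else: {:error, :token_expired}
  end

  def verify_strict(%{"exp" => _}), do: {:error, :invalid_exp}
  def verify_strict(_claims), do: {:error, :missing_exp}
end

# Constructed claim maps using the values quoted in the issue plus one
# future timestamp and one malformed value.
past_float = %{"exp" => 1555083349.3777623}
past_int = %{"exp" => 1555083349}
future = %{"exp" => 1_700_000_000}
malformed = %{"exp" => "soon"}

IO.inspect(ExpCheck.verify_lenient(past_float), label: "lenient, float exp in the past")
IO.inspect(ExpCheck.verify_lenient(past_int), label: "lenient, integer exp in the past")
IO.inspect(ExpCheck.verify_strict(past_float), label: "strict, float exp in the past")
IO.inspect(ExpCheck.verify_strict(past_int), label: "strict, integer exp in the past")
IO.inspect(ExpCheck.verify_strict(future), label: "strict, future exp")
IO.inspect(ExpCheck.verify_strict(malformed), label: "strict, non-numeric exp")
IO.inspect(ExpCheck.verify_strict(%{}), label: "strict, missing exp")
```

Running this with `elixir` prints `{:ok, ...}` for the lenient check on the float timestamp and `{:error, :token_expired}` for the integer one, mirroring the two iex results in the report; the strict variant returns `{:error, :token_expired}` for both past values, `{:ok, ...}` only for the future one, and `{:error, :invalid_exp}` / `{:error, :missing_exp}` for the malformed and absent cases. The design point is that a claim verifier's fallback clause should fail closed: an "exp" the code does not understand must not be treated as "not expired".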