
JWT.decode always raises JWT::ExpiredSignature for tokens created with Time objects passed as the exp parameter #148

Closed
abevoelker opened this issue Apr 30, 2016 · 4 comments

@abevoelker

require "jwt"
require "securerandom" # for SecureRandom.hex

secret = SecureRandom.hex(64)
exp_time = Time.now + 3600 # one hour from now (a Time object, not an Integer)
payload = {data: "test", exp: exp_time}
token = JWT.encode(payload, secret, "HS256")
JWT.decode(token, secret, true, { algorithm: "HS256" }) # => JWT::ExpiredSignature: Signature has expired

If I paste the generated token into jwt.io, this is the payload that JWT.encode generated:

{
  "data": "test",
  "exp": "2016-04-30 13:57:44 -0500"
}

If I instead change the code to do exp_time = (Time.now + 3600).to_i (i.e. cast to Unix epoch), it works correctly and doesn't raise a JWT::ExpiredSignature. The payload generated by that code is obviously different:

{
  "data": "test",
  "exp": 1462042886
}

So I'm guessing that the decoding is not converting time values like 2016-04-30 13:57:44 -0500 back into Time objects correctly.

Although the examples in the README explicitly do .to_i, it would be nice to either handle other time values or raise an exception if they are not supported at the encoding step.

@excpt excpt added this to the Version 1.5.5 milestone Apr 30, 2016
@excpt excpt self-assigned this Apr 30, 2016
@excpt
Member

excpt commented Apr 30, 2016

Hi @abevoelker,

thanks for the detailed report.

As written in the RFC specs (https://tools.ietf.org/html/rfc7519#section-4.1.4):

Its value MUST be a number containing a NumericDate value. Use of this claim is OPTIONAL.

That's why we only allow Unix timestamps as valid values.

For the 1.x versions I will improve the exception that will be raised if the format for the exp claim does not fit the requirements.
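As an added illustration of what the report and the reply above describe (example code, not ruby-jwt's own): how a Time object in exp reaches the wire, why a coercing expiry check then treats the token as expired, and a pre-encode check that enforces the NumericDate rule. Helper names are hypothetical and the expiry check is a simplified stand-in, not the gem's implementation.

```ruby
require "json"

# Added example, not ruby-jwt's code; helper names are hypothetical.
# Shows how a Time object reaches the wire, why a coercing expiry
# check then treats the token as expired, and a pre-encode check that
# enforces the NumericDate rule of RFC 7519 section 4.1.4.

class InvalidNumericDate < StandardError; end

# The payload hash is passed through a JSON generator. Without
# json/add/time loaded, Time#to_json falls back to Time#to_s, so the
# claim arrives as a string like "2016-04-30 13:57:44 -0500".
def wire_claims(payload)
  JSON.parse(JSON.generate(payload))
end

# Simplified expiry check of the shape a verifier might use (a stand-in,
# not the gem's code): to_i turns "2016-04-30 ..." into 2016, which is
# far in the past, so the token is reported as expired.
def expired?(claims, now: Time.now)
  claims["exp"].to_i < now.to_i
end

# Strict check: exp MUST be a NumericDate, i.e. seconds since the epoch.
# Raising here surfaces the mistake at encode time, not at decode time.
def numeric_date!(value, claim: "exp")
  return value if value.is_a?(Numeric)
  raise InvalidNumericDate, "#{claim} must be a NumericDate, got #{value.class}"
end

# Convenience for callers that hold a Time: convert to epoch seconds,
# and reject anything else loudly.
def to_numeric_date(value, claim: "exp")
  case value
  when Integer then value
  when Float, Time then value.to_i
  else raise InvalidNumericDate, "#{claim} must be a NumericDate or Time, got #{value.class}"
  end
end

if $PROGRAM_NAME == __FILE__
  exp_time = Time.now + 3600
  bad = wire_claims({ data: "test", exp: exp_time })
  puts "#{bad['exp'].inspect} -> expired? #{expired?(bad)}"   # String, true
  good = wire_claims({ data: "test", exp: to_numeric_date(exp_time) })
  puts "#{good['exp'].inspect} -> expired? #{expired?(good)}" # Integer, false
end
```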

@abevoelker
Author

Makes sense. Thank you for the quick response and the excellent gem! I'm new to JWT and the gem has made things very easy for me. ❤️

@excpt
Member

excpt commented Sep 16, 2016

@abevoelker I improved the error message. :)

@abevoelker
Author

@excpt You rock!
