expiration check does not give "Signature has expired" error for the exact time of expiration #157

vnc-zestfinance · 2016-07-20T03:18:20Z

If for example, you want to have a JWT expire at 4 hours after current time, it still doesn't expire at the exact time specified (exp field). But it does expire like the second afterwards but according to JWT documentation, it should expire at or after the given time. Please see the logic difference between the following two diffs:

https://github.com/jwt/ruby-jwt/blob/jwt-1.5.2/lib/jwt.rb#L161 (working version)
https://github.com/jwt/ruby-jwt/blob/v1.5.4/lib/jwt/verify.rb#L38 (not working version)

Essentially you are missing a less-than-or-equal to, I believe. Please check it out.

excpt added the bug label Jul 24, 2016

excpt added this to the Version 1.6.0 milestone Jul 24, 2016

excpt modified the milestones: Version 1.5.5, Version 1.6.0 Aug 22, 2016

excpt added the security label Aug 22, 2016

excpt mentioned this issue Aug 22, 2016

Fix: exp claim check #161

Merged

excpt added WIP and removed WIP labels Aug 22, 2016

excpt closed this as completed Aug 23, 2016

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

expiration check does not give "Signature has expired" error for the exact time of expiration #157

expiration check does not give "Signature has expired" error for the exact time of expiration #157

vnc-zestfinance commented Jul 20, 2016

expiration check does not give "Signature has expired" error for the exact time of expiration #157

expiration check does not give "Signature has expired" error for the exact time of expiration #157

Comments

vnc-zestfinance commented Jul 20, 2016