Keats / jsonwebtoken

JWT lib in rust
MIT License

Current Time Should Be Time Zone Aware #189

Closed devinlyons closed 3 years ago

devinlyons commented 3 years ago

SystemTime::new() is used to validate the nbf date in a token. This causes issues if the token is generated in a different timezone, such as UTC. I think this needs to be configurable so a timezone offset can be specified.

https://github.com/Keats/jsonwebtoken/blob/2f25cbed0a906e091a278c10eeb6cc1cf30dc24a/src/validation.rs#L101

Keats commented 3 years ago

> This causes issues if the token is generated in a different timezone, such as UTC

Times in a JWT should only be in UTC and this function gets the current UTC timestamp. I think the only possible issue is if your server is not in UTC?

devinlyons commented 3 years ago

I confirmed this with a little testing. I wish it was mentioned in the SystemTime documentation. Thank you for looking at this!
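The point discussed in this thread, as an added example that is not part of the thread or of the jsonwebtoken crate: epoch seconds are defined against UTC, so the same instant yields the same `nbf` value in any zone, and a token is rejected as not yet valid only when the issuer writes a local wall-clock reading into the claim as if it were UTC. The names `wall_clock_to_epoch`, `check_times` and `TimeCheck`, the 60-second leeway and the sample dates are assumptions constructed for illustration.

```rust
use std::time::{SystemTime, UNIX_EPOCH};

/// Seconds since 1970-01-01T00:00:00Z. The Unix epoch is defined in UTC, so
/// this value is the same whatever time zone the host is configured with.
fn now_utc_secs() -> u64 {
    SystemTime::now()
        .duration_since(UNIX_EPOCH)
        .expect("system clock is set before 1970")
        .as_secs()
}

/// Days from 1970-01-01 to a proleptic Gregorian date (civil-date algorithm).
fn days_from_civil(y: i64, m: i64, d: i64) -> i64 {
    let y = if m <= 2 { y - 1 } else { y };
    let era = y.div_euclid(400);
    let yoe = y.rem_euclid(400);
    let doy = (153 * (if m > 2 { m - 3 } else { m + 9 }) + 2) / 5 + d - 1;
    let doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    era * 146_097 + doe - 719_468
}

/// Epoch seconds for a wall-clock reading taken at `utc_offset_secs` east of UTC.
fn wall_clock_to_epoch(ymd: (i64, i64, i64), hms: (i64, i64, i64), utc_offset_secs: i64) -> i64 {
    days_from_civil(ymd.0, ymd.1, ymd.2) * 86_400 + hms.0 * 3_600 + hms.1 * 60 + hms.2 - utc_offset_secs
}

#[derive(Debug, PartialEq)]
enum TimeCheck { Valid, NotYetValid, Expired }

/// nbf/exp check on epoch seconds, with leeway for clock skew between hosts.
fn check_times(now: i64, nbf: i64, exp: i64, leeway: i64) -> TimeCheck {
    if nbf > now + leeway { TimeCheck::NotYetValid }
    else if exp < now - leeway { TimeCheck::Expired }
    else { TimeCheck::Valid }
}

fn main() {
    // Constructed instant: 12:00:00 UTC is 07:00:00 at UTC-5 on 2021-03-01.
    let utc = wall_clock_to_epoch((2021, 3, 1), (12, 0, 0), 0);
    let est = wall_clock_to_epoch((2021, 3, 1), (7, 0, 0), -5 * 3_600);
    println!("same instant, same epoch value: {}", utc == est);
    // Issuer bug: a UTC+2 wall clock (14:00) written into nbf as if it were UTC.
    let bad_nbf = wall_clock_to_epoch((2021, 3, 1), (14, 0, 0), 0);
    println!("{:?}", check_times(utc, bad_nbf, bad_nbf + 3_600, 60));
    println!("{:?}", check_times(utc, utc, utc + 3_600, 60));
    println!("host clock now: {}", now_utc_secs());
}
```

When a validator reports a token as not yet valid by a whole number of hours, compare the decoded `nbf` with the issuer's UTC offset before widening the leeway.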