Keats / jsonwebtoken

JWT lib in rust
MIT License

`decode` returns ExpiredSignature error when the `exp` field is missing #239

Closed gbaranski closed 2 years ago

gbaranski commented 2 years ago

Hi, `decode` returns an ExpiredSignature error when the exp field is missing. Is that the expected behaviour?

In my case the token has the exp field, which is defined as Option<DateTime<Utc>>, so it is not always there, and the code looks like this:

```rust
use chrono::{DateTime, Utc};
use jsonwebtoken::{decode, DecodingKey, TokenData, Validation};
use serde::{Deserialize, Serialize};
use uuid::Uuid;

// Needs the "serde" feature enabled on both chrono and uuid.
#[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
pub struct TokenClaims {
    pub sub: Uuid,
    #[serde(with = "chrono::serde::ts_seconds_option")]
    #[serde(skip_serializing_if = "Option::is_none")]
    #[serde(default)]
    pub exp: Option<DateTime<Utc>>,
}

fn main() {
    let key = b"the-key";
    // HS256 token whose payload is only {"sub": "..."}; it carries no exp claim.
    let token = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI4Njg5M2MzMC00YmM3LTRhYWItYTg2NS1mYzdmZThhYmFiMDcifQ.bm2xVzyNq_ql-dLefhPV-aTqzqfsx8ld7ahzgO_brG4";
    let mut validation = Validation::default();
    validation.required_spec_claims.remove("exp");
    let data: TokenData<TokenClaims> =
        decode(token, &DecodingKey::from_secret(key), &validation).unwrap();
}
```

Keats commented 2 years ago

required_spec_claims only checks for the presence/absence of the field. validate_exp is still set to true in your example. There's no way to say "only validate if the field is present".

Keats commented 2 years ago

It should work in 8.1.0
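The two replies above draw a line between a presence check (`required_spec_claims`) and a value check (`validate_exp`). The following is an added, dependency-free model of that distinction, not code from the jsonwebtoken crate: the `Claims`, `Policy` and `ValidationError` names are hypothetical, and the `absent_exp_counts_as_expired` flag stands in for the pre-8.1.0 behaviour the reporter hit versus the 8.1.0 behaviour the maintainer describes, where an absent `exp` is simply skipped by the value check.

```rust
use std::collections::HashSet;

// Hypothetical model, not jsonwebtoken's own types: shows what each of
// the two settings from this issue checks, and in which order.

/// Claims of interest; `exp` is optional, as in the reporter's TokenClaims.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Claims {
    pub sub: String,
    pub exp: Option<u64>, // seconds since the Unix epoch
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum ValidationError {
    MissingRequiredClaim(&'static str),
    ExpiredSignature,
}

pub struct Policy {
    /// Presence check only: these claims must exist, whatever their value.
    pub required_spec_claims: HashSet<&'static str>,
    /// Value check: `exp`, when present, must not lie in the past.
    pub validate_exp: bool,
    /// Tolerated clock skew in seconds.
    pub leeway: u64,
    /// true models the behaviour reported above (absent exp => ExpiredSignature),
    /// false models 8.1.0 (absent exp is skipped by the value check).
    pub absent_exp_counts_as_expired: bool,
}

impl Policy {
    /// The reporter's setup: `exp` removed from the required set while
    /// `validate_exp` stays at its default of true.
    pub fn reporter_config(absent_exp_counts_as_expired: bool) -> Policy {
        let mut required: HashSet<&'static str> = vec!["exp"].into_iter().collect();
        required.remove("exp");
        Policy {
            required_spec_claims: required,
            validate_exp: true,
            leeway: 0,
            absent_exp_counts_as_expired,
        }
    }

    pub fn validate(&self, claims: &Claims, now: u64) -> Result<(), ValidationError> {
        // Step 1: presence. Independent of whether the value is checked at all.
        if self.required_spec_claims.contains("exp") && claims.exp.is_none() {
            return Err(ValidationError::MissingRequiredClaim("exp"));
        }
        // Step 2: value. Only meaningful when `exp` is actually there.
        if self.validate_exp {
            match claims.exp {
                Some(exp) if exp + self.leeway < now => return Err(ValidationError::ExpiredSignature),
                Some(_) => {}
                None if self.absent_exp_counts_as_expired => return Err(ValidationError::ExpiredSignature),
                None => {}
            }
        }
        Ok(())
    }
}

fn main() {
    // Constructed sample: the sub from the token in the report, no exp.
    let no_exp = Claims { sub: "86893c30-4bc7-4aab-a865-fc7fe8abab07".into(), exp: None };
    let now = 1_700_000_000;
    println!("reported behaviour: {:?}", Policy::reporter_config(true).validate(&no_exp, now));
    println!("8.1.0 behaviour:    {:?}", Policy::reporter_config(false).validate(&no_exp, now));
}
```

The practical caveat: once `exp` is neither required nor treated as an error when absent, a token without it is accepted for as long as the signing key stays in use, so a server that takes this route should either keep `exp` in `required_spec_claims` or bound the lifetime of such tokens some other way.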