Closed ploftness-tesla closed 6 months ago
@Keats thanks for the quick response!
I have not been able to identify a leeway value that fixes the following issue. Here is a drawing representing a token which is about to expire, but has not expired yet.
I would like to make the current code fail for this case since the token may expire in transit over the network.
if matches!(claims.exp, TryParse::Parsed(exp) if options.validate_exp && exp < now - options.leeway)
{
return Err(new_error(ErrorKind::ExpiredSignature));
}
It looks like it will succeed for all unsigned integers.
Can you suggest a leeway value that will allow me to return ErrorKind::ExpiredSignature
when the token is about to expire? As a specific example, maybe you could suggest a value that would work when time now=1
and time exp=2
.
It seems that what you want, rather than negative leeway which is imo a bit confusing is another option to reject tokens that are x
seconds or less from expiration?
It seems that what you want, rather than negative leeway which is imo a bit confusing is another option to reject tokens that are
x
seconds or less from expiration?
@Keats yes, rejecting tokens that are x
seconds or less prior to expiration is our goal.
Configuring this as a separate setting rather than as a negative leeway value should work fine.
Something like Validation::reject_tokens_expiring_in_less_than(seconds: int)
?
Something like
Validation::reject_tokens_expiring_in_less_than(seconds: int)
?
Yes, that is a clear name in my opinion.
Would you like me to update the existing PR to reflect?
@Keats Here is a new PR implementing Validation::reject_tokens_expiring_in_less_than
. Can you review and approve?
Fix released as part of version 9.3.0; closing this issue
I use
jsonwebtoken
as part of a client application. During the course of development, I have encountered two issues with how token expiration is handled:In order to allow library users to work around both these problems, I propose the following solution.
leeway
option into separate settings for validating tokenexp
andnbf
claims. These settings can be namedexp_leeway
andnbf_leeway
.exp_leeway
values to be negative numbers. This allows library users to specify that a token needs to be replaced at some time interval before expiration to account for inconsistent handling of fractional time values by other software or delays imposed by network latency.nbf_leeway
values to be negative numbers for consistency.Update: Here is a PR implementing the proposed solution.