Closed BenRomberg closed 7 years ago
Hi Ben,
Thank you and I'm pleased that you find this project helpful.
Is it possible that the warning "The JWT is no longer valid" is logged by Jose4j rather than code in this repository? I can't find that particular log message in my code.
True, NumericDateValidator where the validation is done is part of Jose4j, and the message gets turned into an InvalidJwtException in JwtConsumer, also part of Jose4j. The warning however is logged in JwtAuthFilter within dropwizard-auth-jwt.
It's probably a good idea to log the warning in most cases of an InvalidJwtException, but for the case of an outdated JWT token it's more of an annoyance, since it happens often and there's nothing we can or want to do about it.
We'll probably end up rolling our own solution then, since I agree this is not something dropwizard-auth-jwt could easily change.
For anyone else wondering, since it would involve copy/pasting a lot of library code from either Jose4j or dropwizard-auth-jwt to fix it in code, we decided to write a logging filter instead:
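
    import ch.qos.logback.classic.Level;
    import ch.qos.logback.classic.spi.ILoggingEvent;
    import ch.qos.logback.core.filter.Filter;
    import ch.qos.logback.core.spi.FilterReply;
    import io.dropwizard.logging.filter.FilterFactory;

    // Dropwizard logging filter factory that drops the expired-JWT warning.
    public class JsonWebTokenLoggingFilterFactory implements FilterFactory<ILoggingEvent> {
        @Override
        public Filter<ILoggingEvent> build() {
            return new JsonWebTokenLoggingFilter();
        }

        private static class JsonWebTokenLoggingFilter extends Filter<ILoggingEvent> {
            @Override
            public FilterReply decide(ILoggingEvent loggingEvent) {
                // Deny only the WARN-level expiry message; every other event passes through.
                if (loggingEvent.getLevel() == Level.WARN
                        && loggingEvent.getMessage().contains("JWT is no longer valid - the evaluation time")) {
                    return FilterReply.DENY;
                }
                return FilterReply.NEUTRAL;
            }
        }
    }
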
First of all, thank you for this great addition to dropwizard. We've used it since 0.8 and just migrated to the 1.0 version without much hassle.
There's one improvement we'd like to see however. Each time a JWT is expired we now get a Warning logged, even though there's nothing we can do about that. We'd prefer only to have warnings logged when there's a potential problem, not on a regular basis.
It's also pretty hard to fix, we could either override JwtAuthFilter and search for the "The JWT is no longer valid" substring in the catch block, or exclude the NumericDateValidator, implement our own validator to skip expiration time validation and implement expiration time validation elsewhere.
Best would be if there would be an option to suppress the Warning in this case. I'd also be happy to provide a PR if you agree that dropwizard-auth-jwt should provide an option for that.
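
The thread's distinction between a routine expired token and any other InvalidJwtException can also be made on the exception itself instead of on the message substring. The sketch below is an added example, not code from this thread or from dropwizard-auth-jwt; it assumes a Jose4j version that provides InvalidJwtException.hasExpired(), and the class name, keys and subject are constructed for illustration.

```java
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.keys.HmacKey;
import org.jose4j.lang.JoseException;

import java.nio.charset.StandardCharsets;

public class ExpiredJwtClassifier {  // hypothetical name, for illustration only
    // Constructed 256-bit demo key; real keys come from configuration or a secret store.
    static final HmacKey KEY =
            new HmacKey("0123456789abcdef0123456789abcdef".getBytes(StandardCharsets.UTF_8));

    // "expired" is the routine case (log quietly); "invalid" still deserves a warning.
    static String classify(JwtConsumer consumer, String jwt) {
        try {
            consumer.processToClaims(jwt);
            return "ok";
        } catch (InvalidJwtException e) {
            return e.hasExpired() ? "expired" : "invalid";
        }
    }

    static String sign(float minutesUntilExpiry, HmacKey key) throws JoseException {
        JwtClaims claims = new JwtClaims();
        claims.setSubject("constructed-user");
        claims.setExpirationTimeMinutesInTheFuture(minutesUntilExpiry);
        JsonWebSignature jws = new JsonWebSignature();
        jws.setPayload(claims.toJson());
        jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.HMAC_SHA256);
        jws.setKey(key);
        return jws.getCompactSerialization();
    }

    public static void main(String[] args) throws JoseException {
        JwtConsumer consumer = new JwtConsumerBuilder()
                .setRequireExpirationTime().setVerificationKey(KEY).build();
        HmacKey otherKey =
                new HmacKey("fedcba9876543210fedcba9876543210".getBytes(StandardCharsets.UTF_8));
        System.out.println(classify(consumer, sign(10, KEY)));        // unexpired, correct key
        System.out.println(classify(consumer, sign(-10, KEY)));       // expired, correct key
        System.out.println(classify(consumer, sign(-10, otherKey)));  // expired, wrong key
    }
}
```

The third case matters for logging: a token that is both expired and signed with the wrong key fails signature verification first, so it is not reported as merely expired and would still surface as a warning.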