Zaubrik / djwt

Create and verify JSON Web Tokens (JWT) with Deno or the browser.
MIT License

setExpiration should return seconds not milliseconds #19

Closed coldino closed 4 years ago

coldino commented 4 years ago

May have found the root cause of some of your previous bug reports around expiry times.

The spec makes it clear that times in claims should be in seconds, not in milliseconds. The specification uses the term NumericDate, which it defines as "A JSON numeric value representing the number of seconds from 1970-01-01T00:00:00Z UTC", and should apply to all time fields: iat, exp and nbf.

This is backed up by decoding tokens created with this package using JWT debugger showing around 50,000 years in the future (50 years since 1970 times 1000).

Edit: This also requires a change in isExpired to match.

timonson commented 4 years ago

You are right @coldino, thank you!

Fixed with https://github.com/timonson/djwt/commit/f74248818dce62d1da21a3115697d46b95064181.

coldino commented 4 years ago

Seems to work. Thanks for the quick turnaround!
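
The seconds-versus-milliseconds mix-up reported in this issue, as an added example that is not part of the thread and not djwt's code: it builds `exp` as a NumericDate in seconds and checks time claims so that a millisecond value is rejected instead of being accepted as a token that stays valid for tens of thousands of years. All function names, the 1e11 bound and the 30-day lifetime limit are assumptions made for illustration.

```javascript
// Added example; not djwt's code. All function names are hypothetical.
// NumericDate (RFC 7519): seconds since 1970-01-01T00:00:00Z.
const toNumericDate = (date) => Math.floor(date.getTime() / 1000);

// Build an exp claim that lies ttlSeconds after `now`, in seconds.
const expirationIn = (ttlSeconds, now = new Date()) =>
  toNumericDate(now) + ttlSeconds;

// Assumed bound: 1e11 is about the year 5138 when read as seconds but only
// March 1973 when read as milliseconds, so a present-day millisecond
// timestamp always exceeds it.
const MAX_PLAUSIBLE_SECONDS = 1e11;

// Calendar year a verifier that follows the spec sees for a claim value.
const yearIfReadAsSeconds = (v) => new Date(v * 1000).getUTCFullYear();

// Returns a list of problems; an empty list means the time claims pass.
// maxLifetimeSeconds is an assumed policy value (30 days by default).
function checkTimeClaims(payload, opts = {}) {
  const { now = new Date(), maxLifetimeSeconds = 30 * 24 * 3600 } = opts;
  const nowSec = toNumericDate(now);
  const problems = [];
  for (const name of ["iat", "nbf", "exp"]) {
    const v = payload[name];
    if (v === undefined) continue;
    if (typeof v !== "number" || !Number.isFinite(v)) {
      problems.push(`${name}: not a finite number`);
    } else if (v > MAX_PLAUSIBLE_SECONDS) {
      problems.push(`${name}: looks like milliseconds`);
    }
  }
  if (problems.length > 0) return problems;
  if (payload.exp !== undefined) {
    if (payload.exp <= nowSec) problems.push("exp: token expired");
    else if (payload.exp - nowSec > maxLifetimeSeconds) {
      problems.push("exp: lifetime exceeds policy");
    }
  }
  if (payload.nbf !== undefined && payload.nbf > nowSec) {
    problems.push("nbf: token not yet valid");
  }
  return problems;
}

// Constructed sample: a one-hour token issued at a fixed instant.
const sampleNow = new Date("2021-01-01T00:00:00Z");
const buggyExp = sampleNow.getTime() + 3600 * 1000; // milliseconds (the bug)
const fixedExp = expirationIn(3600, sampleNow); // seconds (per the spec)
console.log(checkTimeClaims({ exp: buggyExp }, { now: sampleNow }));
console.log(checkTimeClaims({ exp: fixedExp }, { now: sampleNow }));
```

The lifetime check alone would also catch the millisecond value; the separate magnitude check gives a clearer diagnostic and still fires when no lifetime policy is enforced.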