The jwt logic assumes exp is in ms timestamp format (time.getUnixTime is just Date.now), but the JWT RFC (https://www.rfc-editor.org/rfc/rfc7519#section-4.1.4) states it should be seconds since epoch, not ms. This means that if something is using lib0 to validate a JWT token, but that JWT token was generated to the RFC, the expiration check will fail.
To Reproduce
Steps to reproduce the behavior:
Generate a standards compliant JWT token (e.g., with a JWT library in another platform)
Verify the token with lib0
See false expiration error
Expected behavior
Expect epoch seconds for exp claims.
Possibly add logic to support both since the bug was out there.
Describe the bug
The jwt logic assumes
expis in ms timestamp format (time.getUnixTime is just Date.now), but the JWT RFC (https://www.rfc-editor.org/rfc/rfc7519#section-4.1.4) states it should be seconds since epoch, not ms. This means that if something is using lib0 to validate a JWT token, but that JWT token was generated to the RFC, the expiration check will fail.To Reproduce Steps to reproduce the behavior:
Expected behavior Expect epoch seconds for
expclaims.Possibly add logic to support both since the bug was out there.
Relevant code: https://github.com/dmonad/lib0/blob/e8bb1550fdb5394d7b72345db91fe409ede4111a/crypto/jwt.js#L50