frasertweedale / hs-jose

Haskell JOSE and JWT library
http://hackage.haskell.org/package/jose
Apache License 2.0

JWT: implement "nbf" and "exp" processing #9

Closed frasertweedale closed 8 years ago

frasertweedale commented 9 years ago

Type of JWT validator is currently:

validateJWSJWT
  :: ValidationAlgorithms
  -> ValidationPolicy
  -> JWK
  -> JWT
  -> Bool

Propose implementing the "nbf" and "exp" checks required by the spec by updating validateJWSJWT to have type such as:

validateJWSJWT
  :: ValidationAlgorithms
  -> ValidationPolicy
  -> JWK
  -> UTCTime
  -> JWT
  -> Bool

And providing a new function in IO that uses the current time:

validateJWSJWTAtCurrentTime
  :: ValidationAlgorithms
  -> ValidationPolicy
  -> JWK
  -> JWT
  -> IO Bool

whittle commented 8 years ago

I’m thinking about writing a PR to implement this feature, and before I start I’d like to ask you to consider a counter-proposal:

Create a monad class something like: class HasCurrentTime m where getCurrentTime :: m UTCTime and define instances for IO and ReaderT UTCTime.

Then update validateJWSJWT to have type:

validateJWSJWT :: HasCurrentTime m
               => ValidationAlgorithms
               -> ValidationPolicy
               -> JWK
               -> JWT
               -> m Bool

And provide a new function validateJWSJWTWithTime with type (identical to your proposal for validateJWSJWT above):

validateJWSJWTWithTime :: ValidationAlgorithms
                       -> ValidationPolicy
                       -> JWK
                       -> UTCTime
                       -> JWT
                       -> Bool

If you think this is a good idea, I can go ahead with it. If you have suggestions for improving it, I would love to hear them. If you think it’s a terrible idea, please let me know why. If you like the idea, but don’t want HasCurrentTime defined in this library, I can create a separate helper package for that class.

I find this library to be the best-written of the options available, and am eager to use it in production, but need this feature implemented before I can do so. Please share your thoughts.

frasertweedale commented 8 years ago

I like the HasCurrentTime m approach. Should see if any existing lib provides something like this, otherwise I'm happy for jose itself to provide it (and use it for this feature).

whittle commented 8 years ago

After a little more digging, I found https://hackage.haskell.org/package/monad-time. Unless you have an objection, I’ll use that.

frasertweedale commented 8 years ago

@whittle merged the PR; thanks a bunch! I am going to try to push jose forward a bit more over the coming weeks so some types may change a bit. I will probably avoid exporting validateClaimsSet, or move it to an 'Internal' module.

I added allowed-skew already :)
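
The time-injection design discussed in this thread, together with the allowed skew mentioned in the last comment, as an added example that is not the jose library's code. The `HasCurrentTime` class is defined locally with a method named `currentTime` (the monad-time package linked above offers a class of this kind); `Claims`, `TimeError`, `checkTimeAt` and `checkTime` are hypothetical names, and the sample times are constructed.

```haskell
{-# LANGUAGE FlexibleInstances #-}
module Main where

import Control.Monad.Trans.Reader (ReaderT, ask, runReader)
import Data.Time (NominalDiffTime, UTCTime, addUTCTime, getCurrentTime)
import Data.Time.Clock.POSIX (posixSecondsToUTCTime)

-- Local stand-in for the class proposed in the thread (an assumption,
-- not jose's API). The method is named currentTime to avoid clashing
-- with Data.Time.getCurrentTime.
class Monad m => HasCurrentTime m where
  currentTime :: m UTCTime

-- Production: read the real clock.
instance HasCurrentTime IO where
  currentTime = getCurrentTime

-- Tests and replay: the "current" time comes from the environment.
instance Monad m => HasCurrentTime (ReaderT UTCTime m) where
  currentTime = ask

-- Hypothetical minimal claims record; Nothing means the claim is absent.
data Claims = Claims { claimNbf :: Maybe UTCTime, claimExp :: Maybe UTCTime }

data TimeError = NotYetValid | Expired deriving (Eq, Show)

-- Pure check against an explicit time. The token is accepted when
-- nbf - skew <= now < exp + skew; an absent claim imposes no bound.
checkTimeAt :: NominalDiffTime -> UTCTime -> Claims -> Either TimeError ()
checkTimeAt skew now c
  | any (\nbf -> now < addUTCTime (negate skew) nbf) (claimNbf c) = Left NotYetValid
  | any (\ex -> now >= addUTCTime skew ex) (claimExp c) = Left Expired
  | otherwise = Right ()

-- Same check, with the time supplied by whichever monad the caller runs in.
checkTime :: HasCurrentTime m => NominalDiffTime -> Claims -> m (Either TimeError ())
checkTime skew c = (\now -> checkTimeAt skew now c) <$> currentTime

main :: IO ()
main = do
  let t = posixSecondsToUTCTime . fromInteger -- constructed sample times
      claims = Claims (Just (t 1000)) (Just (t 2000))
      at n = runReader (checkTime 30 claims) (t n)
  -- Deterministic runs on both sides of each boundary, 30 s skew.
  print (map at [960, 980, 1500, 2020, 2030])
  -- The same validator against the wall clock.
  checkTime 30 claims >>= print
```

Because the only source of time is the class method, boundary cases around `nbf` and `exp` can be exercised deterministically without touching the system clock.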