Open carwyn opened 3 years ago
You can see via this example that the default dates in the encoded token are zero, meaning that expiry won't be checked due to how `jwt.Validate()` is written.
```go
package main

import (
	"fmt"

	"github.com/go-chi/jwtauth/v5"
	//"github.com/lestrrat-go/jwx/jwt"
)

func main() {
	tokenAuth := jwtauth.New("HS256", []byte("secret"), nil)
	ptoken, _, _ := tokenAuth.Encode(map[string]interface{}{})
	fmt.Printf("Parsed Token = %+v\n", ptoken)
	fmt.Printf("iat = %v\n", ptoken.IssuedAt())
	fmt.Printf("exp = %v\n", ptoken.Expiration())
}
```
Prints:

```
Parsed Token = &{mu:0xc0000ca0c0 audience:[] expiration:<nil> issuedAt:<nil> issuer:<nil> jwtID:<nil> notBefore:<nil> subject:<nil> privateClaims:map[]}
iat = 0001-01-01 00:00:00 +0000 UTC
exp = 0001-01-01 00:00:00 +0000 UTC
```
Meanwhile over in `github.com/lestrrat-go/jwx/jwt/validate.go`, if the times are `time.IsZero()` they will not be checked:
This is misleading; the current code won't check if the token has expired unless the user explicitly sets dates:
https://github.com/go-chi/jwtauth/blob/9448513887112ff1d7f7ebed4f5fdf39569bcc8c/README.md#L13-L14
The default no longer looks for the token in the query string:
https://github.com/go-chi/jwtauth/blob/9448513887112ff1d7f7ebed4f5fdf39569bcc8c/jwtauth.go#L50
No longer using this library:
https://github.com/go-chi/jwtauth/blob/9448513887112ff1d7f7ebed4f5fdf39569bcc8c/jwtauth.go#L55
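
The zero-time skip reported above, as an added stand-alone sketch using only the Go standard library (not code from go-chi/jwtauth or lestrrat-go/jwx). The names `sampleToken`, `expiration`, `validateExp` and its `requireExp` flag are hypothetical, and signature verification is left out so the block can focus on the `exp` handling.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// sampleToken builds a constructed compact token; header "e30" ({}) and signature are dummies.
func sampleToken(payload string) string {
	return "e30." + base64.RawURLEncoding.EncodeToString([]byte(payload)) + ".sig"
}

// expiration returns exp, or the zero time.Time when the claim is absent.
func expiration(token string) (time.Time, error) {
	var c struct{ Exp *int64 `json:"exp"` }
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return time.Time{}, errors.New("malformed token")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err == nil {
		err = json.Unmarshal(raw, &c)
	}
	if err != nil || c.Exp == nil {
		return time.Time{}, err
	}
	return time.Unix(*c.Exp, 0), nil
}

// validateExp skips a zero exp when requireExp is false (the behaviour the
// issue describes); requireExp=true (hypothetical option) rejects a missing exp.
func validateExp(exp, now time.Time, requireExp bool) error {
	switch {
	case exp.IsZero() && requireExp:
		return errors.New("exp claim missing")
	case !exp.IsZero() && !now.Before(exp):
		return errors.New("token expired")
	}
	return nil
}

func main() {
	exp, _ := expiration(sampleToken(`{}`)) // constructed token with no exp claim
	fmt.Println(validateExp(exp, time.Now(), false), validateExp(exp, time.Now(), true))
}
```

A token with no `exp` passes the lenient check indefinitely, so a service that depends on expiry has to either set `exp` at issuance or reject tokens that lack it.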