Seems exp in jwt.MapClaims is not validated.
In my test, after a token has expired, it can still be used.
I've checked the source code of jwtware.New(), and it seems there is nowhere exp is checked. Or did I miss something?
The token being generated is OK, because I parsed the token and checked the exp field, and the value is correct.
The desired behavior is that, after the token has expired, the server should return an HTTP code like 401.
BTW, I tested it in both v3.2.11 and v3.2.12.
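The check requested above, as an added example (not code from the post or from jwtware): it uses only the Go standard library, and `sign` and `check` are hypothetical helpers that show an expired or exp-less HS256 token mapping to 401. The key and claims are constructed sample values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// sign builds an HS256 token carrying only exp (constructed sample input).
func sign(key []byte, exp time.Time) string {
	h := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	c, _ := json.Marshal(map[string]int64{"exp": exp.Unix()})
	msg := h + "." + b64.EncodeToString(c)
	m := hmac.New(sha256.New, key)
	m.Write([]byte(msg))
	return msg + "." + b64.EncodeToString(m.Sum(nil))
}

// check returns the HTTP status for a token: signature first, then exp.
// The MAC is always HMAC-SHA256; the header's alg field is never trusted.
func check(key []byte, tok string, now time.Time) int {
	p := strings.Split(tok, ".")
	if len(p) != 3 {
		return http.StatusUnauthorized
	}
	m := hmac.New(sha256.New, key)
	m.Write([]byte(p[0] + "." + p[1]))
	sig, err := b64.DecodeString(p[2])
	if err != nil || !hmac.Equal(sig, m.Sum(nil)) {
		return http.StatusUnauthorized
	}
	var claims struct{ Exp *int64 `json:"exp"` }
	raw, err := b64.DecodeString(p[1])
	if err != nil || json.Unmarshal(raw, &claims) != nil || claims.Exp == nil ||
		!now.Before(time.Unix(*claims.Exp, 0)) {
		return http.StatusUnauthorized // malformed, missing exp, or expired
	}
	return http.StatusOK
}
func main() {
	key, now := []byte("demo-key"), time.Now()
	fmt.Println(check(key, sign(key, now.Add(-time.Minute)), now)) // expired token
}
```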