Also validate nbf

jeroen · jeroen · commit f2fbc2d2adf9 · 2021-11-06T14:38:04.000+01:00
diff --git a/NEWS b/NEWS
@@ -1,6 +1,7 @@
 1.2
   - jwt_encode_sig() now allows to override the typ field via headers #15
-  - jwt_decode functions now check the 'exp' field and error if token has expired
+  - jwt_decode functions now check the 'exp' and 'nbf' fields and raise
+    and error if token has expired.
 
 1.1
   - Allow for empty list attributes in jwt_claim(), issue #13
diff --git a/R/jwt.R b/R/jwt.R
@@ -178,4 +178,11 @@ check_expiration_time <- function(payload){
       stop(paste("Token has expired on", expdate), call. = FALSE)
     }
   }
+  if(length(payload$nbf)){
+    stopifnot("nbf claim is a number" = is.numeric(payload$nbf))
+    nbfdate <- structure(payload$nbf, class = c("POSIXct", "POSIXt"))
+    if(nbfdate > (Sys.time() + 60)){
+      stop(paste("Token is not valid before", nbfdate), call. = FALSE)
+    }
+  }
 }
diff --git a/tests/testthat/test_exp.R b/tests/testthat/test_exp.R
@@ -5,13 +5,23 @@ test_that("Headers work for hmac", {
   privkey <- openssl::rsa_keygen()
   pubkey <- privkey$pubkey
   claim1 <- jwt_claim("test", exp = Sys.time())
-  claim2 <- jwt_claim("test", exp = Sys.time()-100)
+  claim2 <- jwt_claim("test", exp = Sys.time() - 100)
+  claim3 <- jwt_claim("test", nbf = Sys.time())
+  claim4 <- jwt_claim("test", nbf = Sys.time() + 100)
   jwth1 <- jwt_encode_hmac(claim1, secret = secret)
   jwth2 <- jwt_encode_hmac(claim2, secret = secret)
+  jwth3 <- jwt_encode_hmac(claim3, secret = secret)
+  jwth4 <- jwt_encode_hmac(claim4, secret = secret)
   jwtr1 <- jwt_encode_sig(claim1, privkey)
   jwtr2 <- jwt_encode_sig(claim2, privkey)
+  jwtr3 <- jwt_encode_sig(claim3, privkey)
+  jwtr4 <- jwt_encode_sig(claim4, privkey)
   expect_equal(jwt_decode_hmac(jwth1, secret)$iss, "test")
   expect_error(jwt_decode_hmac(jwth2, secret), "expired")
+  expect_equal(jwt_decode_hmac(jwth3, secret)$iss, "test")
+  expect_error(jwt_decode_hmac(jwth4, secret), "before")
   expect_equal(jwt_decode_sig(jwtr1, pubkey)$iss, "test")
   expect_error(jwt_decode_sig(jwtr2, pubkey), "expired")
+  expect_equal(jwt_decode_sig(jwtr3, pubkey)$iss, "test")
+  expect_error(jwt_decode_sig(jwtr4, pubkey), "before")
 })

Original file line number	Diff line number	Diff line change
`@@ -178,4 +178,11 @@ check_expiration_time <- function(payload){`
`178`	`178`	`stop(paste("Token has expired on", expdate), call. = FALSE)`
`179`	`179`	`}`
`180`	`180`	`}`
	`181`	`+ if(length(payload$nbf)){`
	`182`	`+ stopifnot("nbf claim is a number" = is.numeric(payload$nbf))`
	`183`	`+ nbfdate <- structure(payload$nbf, class = c("POSIXct", "POSIXt"))`
	`184`	`+ if(nbfdate > (Sys.time() + 60)){`
	`185`	`+ stop(paste("Token is not valid before", nbfdate), call. = FALSE)`
	`186`	`+ }`
	`187`	`+ }`
`181`	`188`	`}`