auth0 · Dec 29, 2014 · Dec 29, 2014
Showing with 94 additions and 21 deletions.

+10 −20 index.js

+12 −0 lib/JsonWebTokenError.js

+13 −0 lib/TokenExpiredError.js

+1 −1 package.json

+58 −0 test/invalid_exp.tests.js
diff --git a/index.js b/index.js
@@ -1,5 +1,8 @@
 var jws = require('jws');
 
+var JsonWebTokenError = module.exports.JsonWebTokenError = require('./lib/JsonWebTokenError');
+var TokenExpiredError = module.exports.TokenExpiredError = require('./lib/TokenExpiredError');
+
 module.exports.decode = function (jwt) {
   var decoded = jws.decode(jwt);
   return decoded && decoded.payload;
@@ -74,8 +77,10 @@ module.exports.verify = function(jwtString, secretOrPublicKey, options, callback
   }
 
   var parts = jwtString.split('.');
-  if (parts.length !== 3)
+
+  if (parts.length !== 3){
     return done(new JsonWebTokenError('jwt malformed'));
+  }
 
   if (parts[2].trim() === '' && secretOrPublicKey){
     return done(new JsonWebTokenError('jwt signature is required'));
@@ -100,7 +105,10 @@ module.exports.verify = function(jwtString, secretOrPublicKey, options, callback
     return done(err);
   }
 
-  if (payload.exp) {
+  if (typeof payload.exp !== 'undefined') {
+    if (typeof payload.exp !== 'number') {
+      return done(new JsonWebTokenError('invalid exp value'));
+    }
     if (Math.floor(Date.now() / 1000) >= payload.exp)
       return done(new TokenExpiredError('jwt expired', new Date(payload.exp * 1000)));
   }
@@ -122,21 +130,3 @@ module.exports.verify = function(jwtString, secretOrPublicKey, options, callback
 
   return done(null, payload);
 };
-
-var JsonWebTokenError = module.exports.JsonWebTokenError = function (message, error) {
-  Error.call(this, message);
-  this.name = 'JsonWebTokenError';
-  this.message = message;
-  if (error) this.inner = error;
-};
-
-JsonWebTokenError.prototype = Object.create(Error.prototype);
-JsonWebTokenError.prototype.constructor = JsonWebTokenError;
-
-var TokenExpiredError = module.exports.TokenExpiredError = function (message, expiredAt) {
-  JsonWebTokenError.call(this, message);
-  this.name = 'TokenExpiredError';
-  this.expiredAt = expiredAt;
-};
-TokenExpiredError.prototype = Object.create(JsonWebTokenError.prototype);
-TokenExpiredError.prototype.constructor = TokenExpiredError;
diff --git a/lib/JsonWebTokenError.js b/lib/JsonWebTokenError.js
@@ -0,0 +1,12 @@
+var JsonWebTokenError = function (message, error) {
+  Error.call(this, message);
+  Error.captureStackTrace(this, this.constructor);
+  this.name = 'JsonWebTokenError';
+  this.message = message;
+  if (error) this.inner = error;
+};
+
+JsonWebTokenError.prototype = Object.create(Error.prototype);
+JsonWebTokenError.prototype.constructor = JsonWebTokenError;
+
+module.exports = JsonWebTokenError;
diff --git a/lib/TokenExpiredError.js b/lib/TokenExpiredError.js
@@ -0,0 +1,13 @@
+var JsonWebTokenError = require('./JsonWebTokenError');
+
+var TokenExpiredError = function (message, expiredAt) {
+  JsonWebTokenError.call(this, message);
+  this.name = 'TokenExpiredError';
+  this.expiredAt = expiredAt;
+};
+
+TokenExpiredError.prototype = Object.create(JsonWebTokenError.prototype);
+
+TokenExpiredError.prototype.constructor = TokenExpiredError;
+
+module.exports = TokenExpiredError;
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "jsonwebtoken",
-  "version": "3.1.0",
+  "version": "3.1.1",
   "description": "JSON Web Token implementation (symmetric and asymmetric)",
   "main": "index.js",
   "scripts": {

diff --git a/test/invalid_exp.tests.js b/test/invalid_exp.tests.js
@@ -0,0 +1,58 @@
+var jwt = require('../index');
+var expect = require('chai').expect;
+var assert = require('chai').assert;
+
+describe('invalid expiration', function() {
+
+  it('should fail with string', function (done) {
+    var broken_token = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOiIxMjMiLCJmb28iOiJhZGFzIn0.cDa81le-pnwJMcJi3o3PBwB7cTJMiXCkizIhxbXAKRg';
+
+    jwt.verify(broken_token, '123', function (err, decoded) {
+      expect(err.name).to.equal('JsonWebTokenError');
+      done();
+    });
+
+  });
+
+  it('should fail with 0', function (done) {
+    var broken_token = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjAsImZvbyI6ImFkYXMifQ.UKxix5T79WwfqAA0fLZr6UrhU-jMES2unwCOFa4grEA';
+
+    jwt.verify(broken_token, '123', function (err) {
+      expect(err.name).to.equal('TokenExpiredError');
+      done();
+    });
+
+  });
+
+  it('should fail with false', function (done) {
+    var broken_token = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOmZhbHNlLCJmb28iOiJhZGFzIn0.iBn33Plwhp-ZFXqppCd8YtED77dwWU0h68QS_nEQL8I';
+
+    jwt.verify(broken_token, '123', function (err) {
+      expect(err.name).to.equal('JsonWebTokenError');
+      done();
+    });
+
+  });
+
+  it('should fail with true', function (done) {
+    var broken_token = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOnRydWUsImZvbyI6ImFkYXMifQ.eOWfZCTM5CNYHAKSdFzzk2tDkPQmRT17yqllO-ItIMM';
+
+    jwt.verify(broken_token, '123', function (err) {
+      expect(err.name).to.equal('JsonWebTokenError');
+      done();
+    });
+
+  });
+
+  it('should fail with object', function (done) {
+    var broken_token = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOnt9LCJmb28iOiJhZGFzIn0.1JjCTsWLJ2DF-CfESjLdLfKutUt3Ji9cC7ESlcoBHSY';
+
+    jwt.verify(broken_token, '123', function (err) {
+      expect(err.name).to.equal('JsonWebTokenError');
+      done();
+    });
+
+  });
+
+
+});