fix falsly invalid tokens

tsndr · Feb 23, 2024 · f3dfdff · f3dfdff
1 parent 0cd10e1
commit f3dfdff
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 9 deletions.
diff --git a/src/index.ts b/src/index.ts
@@ -221,10 +221,10 @@ export async function verify(token: string, secret: string | JsonWebKey | Crypto
 
         const now = Math.floor(Date.now() / 1000)
 
-        if (payload.nbf && Math.abs(payload.nbf - now) > (options.clockTolerance ?? 0))
+        if (payload.nbf && payload.nbf > now && Math.abs(payload.nbf - now) > (options.clockTolerance ?? 0))
             throw new Error('NOT_YET_VALID')
 
-        if (payload.exp &&  Math.abs(payload.exp - now) > (options.clockTolerance ?? 0))
+        if (payload.exp && payload.exp <= now && Math.abs(payload.exp - now) > (options.clockTolerance ?? 0))
             throw new Error('EXPIRED')
 
         const key = secret instanceof CryptoKey ? secret : await importKey(secret, algorithm, ['verify'])

diff --git a/tests/index.spec.ts b/tests/index.spec.ts
@@ -125,12 +125,21 @@ describe('Verify', async () => {
     const secret = 'super-secret'
 
     const now = Math.floor(Date.now() / 1000)
-    const off = 30 // 30 seconds
-    const nbf = now + off // Not valid before 30 seconds from now
-    const exp = now - off // Expired 30 seconds ago
+    const offset = 30 // 30 seconds
 
-    const notYetValidToken = await jwt.sign({ sub: 'me', nbf }, secret)
-    const expiredToken = await jwt.sign({ sub: 'me', exp }, secret)
+    const validToken = await jwt.sign({ sub: 'me', nbf: now - offset }, secret)
+    const notYetExpired = await jwt.sign({ sub: 'me', exp: now + offset }, secret)
+
+    const notYetValidToken = await jwt.sign({ sub: 'me', nbf: now + offset }, secret)
+    const expiredToken = await jwt.sign({ sub: 'me', exp: now - offset }, secret)
+
+    test('Valid', () => {
+        expect(jwt.verify(validToken, secret, { throwError: true })).resolves.toBe(true)
+    })
+
+    test('Not yet expired', () => {
+        expect(jwt.verify(notYetExpired, secret, { throwError: true })).resolves.toBe(true)
+    })
 
     test('Not yet valid', () => {
         expect(jwt.verify(notYetValidToken, secret, { throwError: true })).rejects.toThrowError('NOT_YET_VALID')
@@ -141,7 +150,7 @@ describe('Verify', async () => {
     })
 
     test('Clock offset', () => {
-        expect(jwt.verify(notYetValidToken, secret, { clockTolerance: off, throwError: true })).resolves.toBe(true)
-        expect(jwt.verify(expiredToken, secret, { clockTolerance: off, throwError: true })).resolves.toBe(true)
+        expect(jwt.verify(notYetValidToken, secret, { clockTolerance: offset, throwError: true })).resolves.toBe(true)
+        expect(jwt.verify(expiredToken, secret, { clockTolerance: offset, throwError: true })).resolves.toBe(true)
     })
 })