Max

Reputation: 13

A token that is invalid in time is returned valid by the JWT library

While testing the server, I noticed that expired tokens continue to provide access to the system. I started checking the function where my token is validated.

import (
    "errors"
    "fmt"
    "time"

    "github.com/golang-jwt/jwt/v4"
)

func (m *Manager) VerifyToken(accessToken string) (int64, error) {
    fmt.Println("\nTOKEN ACCESS: ", accessToken)
    token, err := jwt.Parse(accessToken, func(token *jwt.Token) (interface{}, error) {
        return []byte(m.secretKey), nil
    })
    if err != nil {
        return -1, err
    }
    fmt.Println("TIME NOW: ", time.Now())
    fmt.Println("JWT TOKEN: ", token)
    if !token.Valid {
        return -1, errors.New("invalid token")
    }
    // The rest of the function was cut off in the post; the lines below are an assumed completion.
    claims, ok := token.Claims.(jwt.MapClaims)
    userID, isNum := claims["user_id"].(float64) // JSON numbers decode as float64
    if !ok || !isNum {
        return -1, errors.New("user_id claim missing")
    }
    return int64(userID), nil
}

The function received a token - eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHBpcmVzQXQiOjE3MTQ2NTAyMTIsInVzZXJfaWQiOjV9.58N280umsEoi0W9GbIMBbTssKlqpK3by23HTRuWdRyM

Using the site https://jwt.io/, I got this payload: { "expiresAt": 1714650212, "user_id": 5 }

Converting time from Unix: Thu May 02 2024 14:43:32 GMT+0300 (Eastern European Summer Time)

When I call the function, time.Now() is 2024-05-02 15:18:33.4632351 +0300 EEST m=+7.377764501. You can see that the token has expired, but the function jwt.Parse() returned Valid = true.

Result

I went to read the documentation, but I didn't see any difference from the code as written.
Doc: https://pkg.go.dev/github.com/golang-jwt/jwt/v4#Parse
Article: https://medium.com/@cheickzida/golang-implementing-jwt-token-authentication-bba9bfd84d60

Upvotes: 1

Views: 114

Answers (1)

Brits

Reputation: 18380

Your JWT contains:

{
  "expiresAt": 1714650212,
  "user_id": 5
}

Whilst it is true that the time specified in expiresAt has passed, this is not a header mentioned in the RFC7519 (so if you want that verified you will need to do it yourself).

The header used for "Expiration Time" is exp. So a token with this header would be:

{
  "exp": 1714650212,
  "user_id": 5
}

Token (using secret "secret-key"):

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE3MTQ2NTAyMTIsInVzZXJfaWQiOjV9.Ks3REsNCXL6xj4Iu9gXtGTcqJDV7WQ2TSekEf8jqyA8

Running this token through your code fails with the expected error "token has invalid claims: token is expired".

Upvotes: 0
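As an added illustration (not code from the question, the answer, or the golang-jwt project), the following stand-alone Go program reproduces the behaviour with only the standard library. It signs two HS256 tokens carrying the same timestamp, once under the custom key "expiresAt" and once under the registered "exp" claim, and runs both through a verifier that, like a standards-compliant library, pins the algorithm, checks the signature, and then consults only "exp". The secret "secret-key", the expiry 1714650212 and the clock of roughly 35 minutes after expiry are taken from the post; the signHS256 and verifyHS256 helpers are assumptions standing in for what a JWT library does.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// signHS256 builds a compact JWS (header.payload.signature) with HS256.
// Added stand-in for what a JWT library does; not golang-jwt's implementation.
func signHS256(claims map[string]interface{}, secret []byte) (string, error) {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	body, err := json.Marshal(claims) // map keys are emitted sorted, JSON is compact
	if err != nil {
		return "", err
	}
	signingInput := header + "." + base64.RawURLEncoding.EncodeToString(body)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return signingInput + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil)), nil
}

// verifyHS256 pins the algorithm, checks the signature, then validates the
// registered "exp" claim (RFC 7519 section 4.1.4). Any other key, such as
// "expiresAt", is an opaque private claim and is never consulted.
func verifyHS256(token string, secret []byte, now time.Time) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	headerJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var header struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(headerJSON, &header); err != nil {
		return nil, err
	}
	if header.Alg != "HS256" {
		return nil, fmt.Errorf("unexpected signing method: %q", header.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("signature is invalid")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, err
	}
	if exp, ok := claims["exp"].(float64); ok { // JSON numbers decode as float64
		if !now.Before(time.Unix(int64(exp), 0)) {
			return nil, errors.New("token is expired")
		}
	}
	return claims, nil
}

// demo reproduces the question: the same timestamp is accepted under "expiresAt"
// and rejected under "exp". Secret and clock are the values from the post.
func demo() (customAccepted bool, expRejected bool, err error) {
	secret := []byte("secret-key")
	exp := int64(1714650212)                       // expiry from the question
	now := time.Unix(exp, 0).Add(35 * time.Minute) // about the question's time.Now()

	custom, err := signHS256(map[string]interface{}{"expiresAt": exp, "user_id": 5}, secret)
	if err != nil {
		return false, false, err
	}
	registered, err := signHS256(map[string]interface{}{"exp": exp, "user_id": 5}, secret)
	if err != nil {
		return false, false, err
	}
	_, errCustom := verifyHS256(custom, secret, now)
	_, errExp := verifyHS256(registered, secret, now)
	return errCustom == nil, errExp != nil, nil
}

func main() {
	customAccepted, expRejected, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("expiresAt token accepted after expiry:", customAccepted)
	fmt.Println("exp token rejected after expiry:", expRejected)
}
```

The point of verifyHS256 is that the expiry check is keyed to the literal claim name "exp": a server that wants "expiresAt" honoured has to read and compare it itself after parsing, and a token issued under the wrong name will otherwise pass signature validation and never expire.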
