Add support for negative leeway values about jsonwebtoken HOT 8 CLOSED

1. I don't see why we would go to ms resolution when we only have seconds in the api/sec
2. Not an issue with a decent leeway, that's what it's for

from jsonwebtoken.

@Keats thanks for the quick response!

1. I'm not proposing that we go to ms resolution. My proposed fix is in the attached PR.

2. I have not been able to identify a leeway value that fixes the following issue. Here is a drawing representing a token which is about to expire, but has not expired yet.

   

   I would like to make the current code fail for this case since the token may expire in transit over the network.

   if matches!(claims.exp, TryParse::Parsed(exp) if options.validate_exp && exp < now - options.leeway)
   {
      return Err(new_error(ErrorKind::ExpiredSignature));
   }
   

   It looks like it will succeed for all unsigned integers.

   

   Can you suggest a leeway value that will allow me to return ErrorKind::ExpiredSignature when the token is about to expire? As a specific example, maybe you could suggest a value that would work when time now=1 and time exp=2.

from jsonwebtoken.

It seems that what you want, rather than negative leeway which is imo a bit confusing is another option to reject tokens that are x seconds or less from expiration?

from jsonwebtoken.

It seems that what you want, rather than negative leeway which is imo a bit confusing is another option to reject tokens that are x seconds or less from expiration?

@Keats yes, rejecting tokens that are x seconds or less prior to expiration is our goal.

Configuring this as a separate setting rather than as a negative leeway value should work fine.

from jsonwebtoken.

Something like Validation::reject_tokens_expiring_in_less_than(seconds: int)?

from jsonwebtoken.

Something like Validation::reject_tokens_expiring_in_less_than(seconds: int)?

Yes, that is a clear name in my opinion.

Would you like me to update the existing PR to reflect?

from jsonwebtoken.

@Keats Here is a new PR implementing Validation::reject_tokens_expiring_in_less_than. Can you review and approve?

from jsonwebtoken.

Fix released as part of version 9.3.0; closing this issue

from jsonwebtoken.