VerifyExpiresAt returns false when not required and exp is empty #239

Closed
nrgraham23 opened this issue Sep 15, 2022 · 1 comment

Comments

@nrgraham23

The VerifyExpiresAt function returns false when it is not required and the exp token is an empty string because it returns false if there is not a match in the switch statement: https://github.com/golang-jwt/jwt/blob/main/map_claims.go#L58

Based on the comment on the method and the old version of this method, it seems like this is a bug.

@oxisto
Collaborator

oxisto commented Dec 3, 2022

Sorry for the long delay. Somehow this issue slipped my radar. The function was intentionally changed in this PR: #40

The current implementation is a little bit better in terms of security, because an "empty string" is not valid for exp. According to the RFC, exp must be a date timestamp in a JSON number. Therefore, we decided to return false at the end of the switch statement in case someone is trying to validate a token with exp being anything else but a JSON number, as an additional safeguard.

@oxisto oxisto closed this as completed Dec 4, 2022
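
A simplified, self-contained model of the behaviour discussed in this thread, added here as an example and not taken from golang-jwt: the function `checkExp` is hypothetical and the payloads and timestamps are constructed. It shows that an absent `exp` passes when the claim is not required, while an `exp` of any non-number type is rejected even when not required.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// checkExp is a hypothetical stand-in that models the behaviour described in
// this issue; it is not the library's code. A missing exp passes only when the
// claim is not required, a JSON number is compared against now, and any other
// type (string, null, object, ...) is rejected regardless of required.
func checkExp(payload string, now int64, required bool) (bool, error) {
	var claims map[string]interface{}
	if err := json.Unmarshal([]byte(payload), &claims); err != nil {
		return false, err
	}
	v, present := claims["exp"]
	if !present {
		return !required, nil
	}
	switch exp := v.(type) {
	case float64: // encoding/json decodes JSON numbers to float64 by default
		return now < int64(exp), nil
	}
	return false, nil // fail closed: exp is present but not a JSON number
}

func main() {
	const now = 1700000000 // constructed "current time" for the samples
	samples := []string{ // constructed claim payloads
		`{"sub":"alice"}`,
		`{"sub":"alice","exp":""}`,
		`{"sub":"alice","exp":"1800000000"}`,
		`{"sub":"alice","exp":null}`,
		`{"sub":"alice","exp":1800000000}`,
		`{"sub":"alice","exp":1600000000}`,
	}
	for _, s := range samples {
		ok, err := checkExp(s, now, false)
		fmt.Printf("%-40s valid=%v err=%v\n", s, ok, err)
	}
}
```

An issuer that wants tokens without an expiry should omit `exp` entirely rather than emit an empty string or `null`, since only the absent case is treated as "not set".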