The Wayback Machine - https://web.archive.org/web/20200906101412/https://github.com/jwt/ruby-jwt/issues/148/
Skip to content

/ ruby-jwt

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

JWT.decode always raises JWT::ExpiredSignature for tokens created with Time objects passed as the `exp` parameter #148

Closed
abevoelker opened this issue Apr 30, 2016 · 4 comments
Closed

JWT.decode always raises JWT::ExpiredSignature for tokens created with Time objects passed as the `exp` parameter #148

abevoelker opened this issue Apr 30, 2016 · 4 comments
Assignees
@excpt
Labels
documentation enhancement
Milestone
Version 1.5.5

Comments

@abevoelker
Copy link

@abevoelker abevoelker commented Apr 30, 2016 

require "jwt"

secret = SecureRandom.hex(64)
exp_time = Time.now + 3600 # one hour from now
payload = {data: "test", exp: exp_time}
token = JWT.encode(payload, secret, "HS256")
JWT.decode(token, secret, true, { algorithm: "HS256" }) # => JWT::ExpiredSignature: Signature has expired

If I paste the generated token into jwt.io, this is the payload that JWT.encode generated:

{
  "data": "test",
  "exp": "2016-04-30 13:57:44 -0500"
}

If I instead change the code to do exp_time = (Time.now + 3600).to_i (i.e. cast to Unix epoch), it works correctly and doesn't raise a JWT::ExpiredSignature. The payload generated by that code is obviously different:

{
  "data": "test",
  "exp": 1462042886
}

So I'm guessing that the decoding is not converting time values like 2016-04-30 13:57:44 -0500 back into Time objects correctly.

Although the examples in the README explicitly do .to_i, it would be nice to either handle other time values or raise an exception if they are not supported at the encoding step.
@excpt excpt added the enhancement label Apr 30, 2016
@excpt excpt added this to the Version 1.5.5 milestone Apr 30, 2016
@excpt excpt self-assigned this Apr 30, 2016
@excpt
Copy link
Member

@excpt excpt commented Apr 30, 2016

Hi @abevoelker,

thanks for the detailed report.

As written in the RFC specs (https://tools.ietf.org/html/rfc7519#section-4.1.4):

Its value MUST be a number containing a NumericDate value. Use of this claim is OPTIONAL.

That's why we only allow Unix timestamps as valid values.

For the 1.x versions I will improve the exception that will be raised if the format for the exp claim does not fit the requirements.
@abevoelker
Copy link
Author

@abevoelker abevoelker commented Apr 30, 2016

Makes sense. Thank you for the quick response and the excellent gem! I'm new to JWT and the gem has made things very easy for me. ❤️
@excpt excpt modified the milestones: Version 2.0.0, Version 1.5.5 Jun 7, 2016
@excpt excpt modified the milestones: Version 1.6.0, Version 1.5.5 Aug 22, 2016
@excpt excpt added the documentation label Aug 22, 2016
@excpt excpt mentioned this issue Sep 16, 2016
Merged
@excpt excpt closed this in #164 Sep 16, 2016
@excpt
Copy link
Member

@excpt excpt commented Sep 16, 2016

@abevoelker I improved the error message. :)
@abevoelker
Copy link
Author

@abevoelker abevoelker commented Sep 16, 2016

@excpt You rock!
@jessecravens jessecravens mentioned this issue Feb 26, 2017
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@excpt excpt

Labels
documentation enhancement
Projects
None yet
Milestone
Version 1.5.5
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
2 participants
@abevoelker @excpt
You can’t perform that action at this time.