Describe the Bug
Test-PodeJwt, responsible for validating the JWT payload when using the JWT auth scheme, will return "The JWT has expired" in certain scenarios, based on the machine's local timezone, even though the JWT expiry is in the future.
Steps To Reproduce
This can be reproduced by enabling JWT authentication, and changing the machine timezone ahead of UTC.
Expected Behavior
If JWT exp is in the future, Pode should not return "The JWT has expired".
Platform
OS: Windows
Browser: Chrome, Firefox
Versions:
Pode: Pode v2.8.0
PowerShell: PS 5.1, PS 7.2.4
Additional Context
As per the definition of NumericDate in RFC 7519, exp and nbf should represent "...number of seconds from 1970-01-01T00:00:00Z UTC...".
However, given the following initialization in Cryptography.ps1 (Pode/src/Private/Cryptography.ps1, lines 264 to 265 at 9b1456e):
The Kind for these objects will be Local and Unspecified respectively.
As per the Remarks in the DateTime.Equality documentation:
The Equality operator determines whether two DateTime values are equal by comparing their number of ticks. Before comparing DateTime objects, make sure that the objects represent times in the same time zone. You can do this by comparing the values of their Kind property.
The value for the Ticks property would be different when DateTimeKind is specified vs. when it is not.
This makes the existing implementation of JWT validation invalid. This could be fixed by initializing $now as UtcNow and using the overload that allows specifying DateTimeKind for $unixStart. I will share a PR for this shortly in case it is helpful.
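As an added illustration (not Pode's code and not the issue author's PR), the following PowerShell reproduces the tick-only comparison described above on any machine by simulating what [datetime]::Now would be at a chosen UTC offset, and runs the UtcNow / DateTimeKind.Utc variant beside it. The function names Test-JwtExpBuggy and Test-JwtExpFixed and the -MachineUtcOffsetHours parameter are assumptions made for the demo; the token claim is constructed inline.

```powershell
# Added example, not Pode's code: a JWT 'exp' check done two ways.
# Test-JwtExpBuggy mirrors the Kind mismatch described in the issue
# (Local $now vs. Unspecified $unixStart); Test-JwtExpFixed does it in UTC.
# -MachineUtcOffsetHours is an assumption used to simulate [datetime]::Now on a
# machine in another timezone without changing the OS clock.

function Test-JwtExpBuggy {
    param([int64]$Exp, [double]$MachineUtcOffsetHours)
    # Simulated [datetime]::Now: wall-clock time at the given offset, Kind=Local.
    $now = [datetime]::SpecifyKind([datetime]::UtcNow.AddHours($MachineUtcOffsetHours), [DateTimeKind]::Local)
    # Epoch built without a DateTimeKind: Kind=Unspecified, but numerically UTC.
    $unixStart = [datetime]::new(1970, 1, 1, 0, 0, 0)
    $expiry = $unixStart.AddSeconds($Exp)
    # -gt compares Ticks only, so the machine's UTC offset leaks into the verdict.
    return ($expiry -gt $now)
}

function Test-JwtExpFixed {
    param([int64]$Exp)
    # Both sides are UTC, so their Ticks are directly comparable in any timezone.
    $now = [datetime]::UtcNow
    $unixStart = [datetime]::new(1970, 1, 1, 0, 0, 0, [DateTimeKind]::Utc)
    $expiry = $unixStart.AddSeconds($Exp)
    return ($expiry -gt $now)
}

# Constructed token claim: exp = 60 seconds from now, as an RFC 7519 NumericDate.
$exp = [DateTimeOffset]::UtcNow.AddSeconds(60).ToUnixTimeSeconds()

"Kind of [datetime]::Now:                 {0}" -f ([datetime]::Now).Kind
"Kind of [datetime]::new(1970,1,1,0,0,0): {0}" -f ([datetime]::new(1970, 1, 1, 0, 0, 0)).Kind

foreach ($offset in -5, 0, 5.5) {
    $buggy = Test-JwtExpBuggy -Exp $exp -MachineUtcOffsetHours $offset
    $fixed = Test-JwtExpFixed -Exp $exp
    "Machine at UTC offset {0}h: buggy says valid={1}, fixed says valid={2}" -f $offset, $buggy, $fixed
}
# A machine ahead of UTC (e.g. +5.5h) makes the buggy check reject a token that is
# still valid for another 60 seconds; the UTC-based check accepts it at every offset.
```

Run it as-is in PS 5.1 or PS 7; only the +5.5h row flips to valid=False for the buggy version, which is the same failure the report describes when the OS timezone is set ahead of UTC.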