Skip iat checking and add 30s clock jitter grace

PRX · Sep 8, 2020 · ee09f74 · ee09f74
1 parent 9ac9a22
commit ee09f74
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 13 deletions.
diff --git a/lib/rack/prx_auth.rb b/lib/rack/prx_auth.rb
@@ -53,8 +53,8 @@ def decode_token(token)
     end
 
     def expired?(claims)
-      now = Time.now.to_i
-      now < claims['iat'] || if claims['iat'] <= claims['exp']
+      now = Time.now.to_i - 30 # 30 second clock jitter allowance
+      if claims['iat'] <= claims['exp']
         now > claims['exp']
       else
         now > (claims['iat'] + claims['exp'])

diff --git a/test/rack/prx_auth_test.rb b/test/rack/prx_auth_test.rb
@@ -67,23 +67,24 @@ def expired?(claims)
       prxauth.send(:expired?, claims)
     end
 
-    it 'is expired if the token is issued in the future' do
-      claims['iat'] = Time.now.to_i + 3600
-
-      assert expired?(claims)
-    end
-
     describe 'with a malformed exp' do
+      let(:iat) { Time.now.to_i }
       let(:exp) { 3600 }
 
       it 'is expired if iat + exp are in the past' do
-        claims['iat'] -= 3601
+        claims['iat'] -= 3631
 
         assert expired?(claims)
       end
 
       it 'is not expired if iat + exp are in the future' do
-        claims['iat'] -= 3599
+        claims['iat'] = Time.now.to_i - 3599
+
+        refute expired?(claims)
+      end
+
+      it 'allows a 30s clock jitter' do
+        claims['iat'] = Time.now.to_i - 3629
 
         refute expired?(claims)
       end
@@ -97,10 +98,11 @@ def expired?(claims)
         refute expired?(claims)
       end
 
-      it 'is expired if exp is in the past' do
-
-        claims['exp'] = Time.now.to_i - 1
+      it 'is expired if exp is in the past (with 30s jitter grace)' do
+        claims['exp'] = Time.now.to_i - 31
         assert expired?(claims)
+        claims['exp'] = Time.now.to_i - 29
+        refute expired?(claims)
       end
     end
   end