Added tests

TykTechnologies · May 30, 2018 · 3aa2858 · 3aa2858
1 parent 07c958f
commit 3aa2858
Show file tree

Hide file tree

Showing 3 changed files with 255 additions and 32 deletions.
diff --git a/apidef/api_definitions.go b/apidef/api_definitions.go
@@ -343,6 +343,9 @@ type APIDefinition struct {
 	JWTDisableIssuedAtValidation  bool                 `bson:"jwt_disable_issued_at_validation" json:"jwt_disable_issued_at_validation"`
 	JWTDisableExpiresAtValidation bool                 `bson:"jwt_disable_expires_at_validation" json:"jwt_disable_expires_at_validation"`
 	JWTDisableNotBeforeValidation bool                 `bson:"jwt_disable_not_before_validation" json:"jwt_disable_not_before_validation"`
+	JWTIssuedAtValidationSkew     uint64               `bson:"jwt_issued_at_validation_skew" json:"jwt_issued_at_validation_skew"`
+	JWTExpiresAtValidationSkew    uint64               `bson:"jwt_expires_at_validation_skew" json:"jwt_expires_at_validation_skew"`
+	JWTNotBeforeValidationSkew    uint64               `bson:"jwt_not_before_validation_skew" json:"jwt_not_before_validation_skew"`
 	NotificationsDetails          NotificationsManager `bson:"notifications" json:"notifications"`
 	EnableSignatureChecking       bool                 `bson:"enable_signature_checking" json:"enable_signature_checking"`
 	HmacAllowedClockSkew          float64              `bson:"hmac_allowed_clock_skew" json:"hmac_allowed_clock_skew"`

diff --git a/mw_jwt.go b/mw_jwt.go
@@ -465,21 +465,25 @@ func (k *JWTMiddleware) validateJWTClaims(c jwt.MapClaims) *jwt.ValidationError
 	vErr := new(jwt.ValidationError)
 	now := time.Now().Unix()
 
-	// The claims below are optional, by default, so if they are set to the
-	// default value in Go, let's not fail the verification for them.
-	if !k.Spec.JWTDisableExpiresAtValidation && c.VerifyExpiresAt(now, false) == false {
-		vErr.Inner = errors.New("Token is expired")
-		vErr.Errors |= jwt.ValidationErrorExpired
+	if !k.Spec.JWTDisableExpiresAtValidation {
+		if !c.VerifyExpiresAt(now-int64(k.Spec.JWTExpiresAtValidationSkew), false) {
+			vErr.Inner = errors.New("token has expired")
+			vErr.Errors |= jwt.ValidationErrorExpired
+		}
 	}
 
-	if !k.Spec.JWTDisableIssuedAtValidation && c.VerifyIssuedAt(now, false) == false {
-		vErr.Inner = fmt.Errorf("Token used before issued")
-		vErr.Errors |= jwt.ValidationErrorIssuedAt
+	if !k.Spec.JWTDisableIssuedAtValidation {
+		if c.VerifyIssuedAt(now+int64(k.Spec.JWTIssuedAtValidationSkew), false) == false {
+			vErr.Inner = errors.New("token used before issued")
+			vErr.Errors |= jwt.ValidationErrorIssuedAt
+		}
 	}
 
-	if !k.Spec.JWTDisableNotBeforeValidation && c.VerifyNotBefore(now, false) == false {
-		vErr.Inner = fmt.Errorf("token is not valid yet")
-		vErr.Errors |= jwt.ValidationErrorNotValidYet
+	if !k.Spec.JWTDisableNotBeforeValidation {
+		if c.VerifyNotBefore(now+int64(k.Spec.JWTNotBeforeValidationSkew), false) == false {
+			vErr.Inner = errors.New("token is not valid yet")
+			vErr.Errors |= jwt.ValidationErrorNotValidYet
+		}
 	}
 
 	if vErr.Errors == 0 {