Add test which replicates the bug

TykTechnologies · Jun 11, 2018 · 9fbf505 · 9fbf505
1 parent 4f0e098
commit 9fbf505
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 6 deletions.
diff --git a/apidef/api_definitions.go b/apidef/api_definitions.go
@@ -343,9 +343,9 @@ type APIDefinition struct {
 	JWTDisableIssuedAtValidation  bool                 `bson:"jwt_disable_issued_at_validation" json:"jwt_disable_issued_at_validation"`
 	JWTDisableExpiresAtValidation bool                 `bson:"jwt_disable_expires_at_validation" json:"jwt_disable_expires_at_validation"`
 	JWTDisableNotBeforeValidation bool                 `bson:"jwt_disable_not_before_validation" json:"jwt_disable_not_before_validation"`
-	JWTIssuedAtValidationSkew     uint64               `bson:"jwt_issued_at_validation_skew" json:"jwt_issued_at_validation_skew"`
-	JWTExpiresAtValidationSkew    uint64               `bson:"jwt_expires_at_validation_skew" json:"jwt_expires_at_validation_skew"`
-	JWTNotBeforeValidationSkew    uint64               `bson:"jwt_not_before_validation_skew" json:"jwt_not_before_validation_skew"`
+	JWTIssuedAtValidationSkew     int64               `bson:"jwt_issued_at_validation_skew" json:"jwt_issued_at_validation_skew"`
+	JWTExpiresAtValidationSkew    int64               `bson:"jwt_expires_at_validation_skew" json:"jwt_expires_at_validation_skew"`
+	JWTNotBeforeValidationSkew    int64               `bson:"jwt_not_before_validation_skew" json:"jwt_not_before_validation_skew"`
 	NotificationsDetails          NotificationsManager `bson:"notifications" json:"notifications"`
 	EnableSignatureChecking       bool                 `bson:"enable_signature_checking" json:"enable_signature_checking"`
 	HmacAllowedClockSkew          float64              `bson:"hmac_allowed_clock_skew" json:"hmac_allowed_clock_skew"`

diff --git a/mw_jwt.go b/mw_jwt.go
@@ -466,21 +466,21 @@ func (k *JWTMiddleware) validateJWTClaims(c jwt.MapClaims) *jwt.ValidationError
 	now := time.Now().Unix()
 
 	if !k.Spec.JWTDisableExpiresAtValidation {
-		if !c.VerifyExpiresAt(now-int64(k.Spec.JWTExpiresAtValidationSkew), false) {
+		if !c.VerifyExpiresAt(now - k.Spec.JWTExpiresAtValidationSkew, false) {
 			vErr.Inner = errors.New("token has expired")
 			vErr.Errors |= jwt.ValidationErrorExpired
 		}
 	}
 
 	if !k.Spec.JWTDisableIssuedAtValidation {
-		if c.VerifyIssuedAt(now+int64(k.Spec.JWTIssuedAtValidationSkew), false) == false {
+		if c.VerifyIssuedAt(now + k.Spec.JWTIssuedAtValidationSkew, false) == false {
 			vErr.Inner = errors.New("token used before issued")
 			vErr.Errors |= jwt.ValidationErrorIssuedAt
 		}
 	}
 
 	if !k.Spec.JWTDisableNotBeforeValidation {
-		if c.VerifyNotBefore(now+int64(k.Spec.JWTNotBeforeValidationSkew), false) == false {
+		if c.VerifyNotBefore(now + k.Spec.JWTNotBeforeValidationSkew, false) == false {
 			vErr.Inner = errors.New("token is not valid yet")
 			vErr.Errors |= jwt.ValidationErrorNotValidYet
 		}

diff --git a/mw_jwt_test.go b/mw_jwt_test.go
@@ -642,6 +642,16 @@ func TestJWTSessionIssueAtValidationConfigs(t *testing.T) {
 		})
 	})
 
+	t.Run("IssueAt-JWTDisableIssuedAtValidation--not_valid_jwt", func(t *testing.T) {
+		spec.JWTDisableIssuedAtValidation = false
+		spec.JWTIssuedAtValidationSkew = 2 // 2 seconds
+		loadAPI(spec)
+
+		ts.Run(t, test.TestCase{
+			Headers: jwtAuthHeaderGen(-3 * time.Second), Code: http.StatusOK,
+		})
+	})
+
 	t.Run("IssueAt-After_now-Add_skew--Valid_jwt", func(t *testing.T) {
 		spec.JWTDisableIssuedAtValidation = false
 		spec.JWTIssuedAtValidationSkew = 1