Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

JSON Web Token: support nbf and exp claims #4526

Merged
merged 7 commits into from Jun 7, 2023
Merged

JSON Web Token: support nbf and exp claims #4526

merged 7 commits into from Jun 7, 2023

Conversation

rsto
Copy link
Member

@rsto rsto commented Jun 7, 2023

This updates the JSON Web Token code to

  • validate the nbf claim
  • validate the exp claim
  • ignore unknown claims, as stated in Section 4 of RFC7519

The initial code was contributed by @bamthomas in #4515. Thanks! This PR adds more strict validation invalid JSON claims and makes the cunit test code more maintainable.

bamthomas and others added 7 commits June 7, 2023 14:27
@bamthomas @rsto
http_jwt: allow size >= 2 for jwt payload
a3745aa
@bamthomas @rsto
http_jwt: add exp/nbf claims validation for JWT
d714f05
@bamthomas @rsto
http_jwt: avoid breaking change and follow JWT specs
b6001fc
@rsto
http_jwt: ignore unsupported claims
89ee4c7 
See RFC 7519, Section 4:

   Specific applications of JWTs will require implementations
   to understand and process some claims in particular ways.
   However, in the absence of such requirements, all claims
   that are not understood by implementations MUST be ignored.

Signed-off-by: Robert Stepanek <rsto@fastmailteam.com>
@rsto
http_jwt: validate all known claims, even if ignored
ae5e1bb 
Signed-off-by: Robert Stepanek <rsto@fastmailteam.com>
@rsto
http_jwt: make unit testing time-based claims nicer
c745a73 
Signed-off-by: Robert Stepanek <rsto@fastmailteam.com>
@rsto
http_jwt: update documentation
2538b82 
Signed-off-by: Robert Stepanek <rsto@fastmailteam.com>
@rsto rsto requested review from ksmurchison and elliefm June 7, 2023 12:29
ksmurchison
ksmurchison approved these changes Jun 7, 2023
View reviewed changes
Copy link
Contributor

@ksmurchison ksmurchison left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Other than my 2 comments LGTM

imap/http_jwt.c Show resolved Hide resolved
imap/http_jwt.c Show resolved Hide resolved
@rsto rsto merged commit cf6eb8a into cyrusimap:master Jun 7, 2023
1 check passed
@rsto rsto deleted the http_jwt_timeclaims branch June 7, 2023 13:42
@rsto rsto restored the http_jwt_timeclaims branch June 7, 2023 13:42
@rsto rsto added the 3.8 affects 3.8 label Jun 7, 2023
@rsto rsto mentioned this pull request Jun 7, 2023
Closed
@elliefm elliefm added backport-to-3.8 for PRs that are to be backported to 3.8 and removed 3.8 affects 3.8 labels Jun 8, 2023
@elliefm
Copy link
Contributor

elliefm commented Jun 8, 2023

FYI you need to use the "backport-to..." label if you want me to backport it, I don't look for plain version labels on PRs, those are for describing which versions are affected by a bug.

Is this a bug fix or a new feature? It looks like a feature, and 3.8 is stable now and doesn't get new features, only bug fixes.

@rsto
Copy link
Member Author

rsto commented Jun 12, 2023

@elliefm thanks, did not know to use the "backport-to" label. It's a feature, not a bug. So no backport then.

@rsto rsto removed the backport-to-3.8 for PRs that are to be backported to 3.8 label Jun 12, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ksmurchison ksmurchison ksmurchison approved these changes

@elliefm elliefm Awaiting requested review from elliefm

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@rsto @elliefm @ksmurchison @bamthomas