Move nbf and exp verifications after signature verification. #53
Hi,

I would like to move the signature validation before the check of `exp` and `nbf` claims.

I have the following scenario, which I believe is quite common: I sign tokens with an expiration date, but I want my system to be able to refresh them (i.e. re-emit a new one with the data of the old one, but with a later expiration date) if the expiration date was near AND the token passed validation. Currently I can't, because an expiration error will be thrown before the actual validation.

To do that, we need the token to be validated first, and then its expiration checked. People that don't want to use expiration can just opt out and not put any `exp` flag, as usual. This should not change anything for the rest of the users, and allow a new interesting use case.

Please tell me if there is an issue I did not think of.
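The ordering requested above, as an added example that is not code from this pull request or from the project: an HS256 verifier that checks the signature before `nbf` and `exp`, so an expiry error is only ever raised for a token already proven authentic. All function and exception names, the `grace` window and the `ttl` value are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

class SignatureError(Exception): pass
class NotActiveError(Exception): pass
class ExpiredError(Exception):
    def __init__(self, payload):
        super().__init__("token expired")
        self.payload = payload  # authentic: the signature was checked first

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(key, head, body):
    return hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()

def encode(payload, key):
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(payload).encode())
    return f"{head}.{body}.{_b64(_mac(key, head, body))}"

def decode(token, key, now=None):
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        given = _unb64(sig)
    except ValueError:
        raise SignatureError("malformed token") from None
    # 1. Signature first (HS256 only; the header's alg is never consulted).
    if not hmac.compare_digest(_mac(key, head, body), given):
        raise SignatureError("bad signature")
    payload = json.loads(_unb64(body))
    # 2. Time claims second, on a payload now known to be authentic.
    if "nbf" in payload and now < payload["nbf"]:
        raise NotActiveError("token not yet active")
    if "exp" in payload and now >= payload["exp"]:
        raise ExpiredError(payload)
    return payload

def refresh(token, key, now, grace=300, ttl=3600):  # seconds, assumed values
    try:
        payload = decode(token, key, now)
    except ExpiredError as err:
        if now - err.payload["exp"] > grace:
            raise  # too old: the caller must authenticate again
        payload = err.payload
    return encode({**payload, "exp": now + ttl}, key)
```

A token signed with the wrong key raises `SignatureError` whether or not it is expired, so `refresh` never re-issues claims it could not authenticate.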