Runtime error when verifying expired JWT

[ChristianCiach]

Please have a look at this stacktrace:

2017/12/07 13:29:41 [error] 20226#20226: *1246015 lua entry thread aborted: runtime error: /usr/local/openresty/site/lualib/resty/openidc.lua:86: bad "exptime" argument
stack traceback:
coroutine 0:
        [C]: in function 'set'
        /usr/local/openresty/site/lualib/resty/openidc.lua:86: in function 'openidc_cache_set'
        /usr/local/openresty/site/lualib/resty/openidc.lua:1163: in function 'jwt_verify'
        /usr/local/openresty/site/lualib/resty/openidc.lua:1193: in function 'bearer_jwt_verify'

This happens when putting a negative TTL into the cache, which probably happens when the JWT has expired.

[zandbelt]

Right, can you confirm this works for you? :

diff --git a/lib/resty/openidc.lua b/lib/resty/openidc.lua
index e565346..1e624e5 100644
--- a/lib/resty/openidc.lua
+++ b/lib/resty/openidc.lua
@@ -82,7 +82,8 @@
 local function openidc_cache_set(type, key, value, exp)
   local dict = ngx.shared[type]
   if dict then
-    local success, err, forcible = dict:set(key, value, exp)
+    local exptime = (exp > 0) and exp or 0
+    local success, err, forcible = dict:set(key, value, exptime)
     ngx.log(ngx.DEBUG, "cache set: success=", success, " err=", err, " forcible=", forcible)
   end
 end

[gwkunze]

I ran into the same issue, and the posted fix worked for me.

[ChristianCiach]

Seems to work here, too. Thanks for fixing!

[zandbelt]

note that the actual commit is slightly different because it doesn't make sense to cache negative values at all (not even setting them to 0 as the proposed fix did)