fix for 3.0.2 #244
fix for 3.0.2 #244
Conversation
(1) updated version to 3.0.2 in package.json (2) removed oniyi-object-transform dependency (3) set clock skew to 5 minutes. will make this configurable in the future.
| @@ -178,17 +179,17 @@ exports.verify = function(jwtString, PEMKey, options, callback) { | |||
| if (typeof payload.exp !== 'number') | |||
| return done(new Error('invalid exp value in payload')); | |||
| if (!options.ignoreExpiration) { | |||
| if (Math.floor(Date.now() / 1000) >= payload.exp) { | |||
| if (Math.floor(Date.now() / 1000) >= payload.exp + constants.CLOCK_SKEW) { | |||
There was a problem hiding this comment.
The Date.now() method returns the number of milliseconds elapsed since 1 January 1970 00:00:00 UTC.
There was a problem hiding this comment.
Do you have any tests for this?
There was a problem hiding this comment.
The time is UTC. We have tests for expiration.
| return done(new Error('jwt is expired')); | ||
| } | ||
| } | ||
|
|
||
| // (5) nbf | ||
| // - check if it exists | ||
| if (payload.nbf) { | ||
| if (typeof payload.nbf !== 'number') | ||
| if (typeof payload.nbf !== 'number' || payload.nbf >= payload.exp) |
There was a problem hiding this comment.
It would be helpful to users if the error message indicated that nbf > exp OR nbf was not a number
There was a problem hiding this comment.
changed in the second commit.
| ], | ||
| }); | ||
| var oidc = {}; | ||
| oidc.algorithms = doc.id_token_signing_alg_values_supported; |
There was a problem hiding this comment.
any particular reason for a name difference between 'doc' and 'oidc'? For example why auth_endpoint and authorization_endpoint (which is the name in the spec). I would stick with the names in the spec, otherwise we are always translating. Sometimes, we may have overlap. Check out the names in: https://login.microsoftonline.com/common/.well-known/openid-configuration
There was a problem hiding this comment.
I changed the auth_endpoint to authorization_endpoint everywhere in the second commit.
There was a problem hiding this comment.
I will keep the 'algorithms' one since it is a more natural name than 'id_token_signing_alg_values_supported'. In the library we used 'algorithms' everywhere and we didn't do any translation of that.
| CONSTANTS.POLICY_REGEX = /^b2c_1_[0-9a-z._-]+$/i; // policy is case insensitive | ||
| CONSTANTS.TENANTNAME_REGEX = /^[0-9a-zA-Z]+.onmicrosoft.com$/; | ||
| CONSTANTS.TENANTID_REGEX = /^[0-9a-zA-Z-]+$/; | ||
|
|
||
| CONSTANTS.CLOCK_SKEW = 300; // 5 minutes |
There was a problem hiding this comment.
Please open an issue to make CLOCK_SKEW configurable.
(1) updated version to 3.0.2 in package.json
(2) removed oniyi-object-transform dependency
(3) set clock skew to 5 minutes as Wilson does. Will make this configurable in the future.