Use same leeway for `exp` and `nbf` when parsing JWT #1312

rachel-carvalho · 2024-04-16T16:36:33Z

Description

Right now we specify a leeway of 10 seconds when validating JWT payload expiration, but no leeway for nbf (not valid before). The shopify-api JS library does allow for clockTolerance in both fields, and I think it makes sense for the Ruby gem to do the same.

How has this been tested?

I added unit tests.

Checklist:

My commit message follow the pattern described in here
I have performed a self-review of my own code.
I have added tests that prove my fix is effective or that my feature works.
I have updated the project documentation.
I have added a changelog line.

rachel-carvalho · 2024-04-16T16:39:36Z

lib/shopify_api/auth/jwt_payload.rb

@@ -73,8 +73,7 @@ def ==(other)

      sig { params(token: String, api_secret_key: String).returns(T::Hash[String, T.untyped]) }
      def decode_token(token, api_secret_key)
-        JWT.decode(token, api_secret_key, true,
-          { exp_leeway: JWT_EXPIRATION_LEEWAY, algorithm: "HS256" })[0]
+        JWT.decode(token, api_secret_key, true, leeway: JWT_EXPIRATION_LEEWAY, algorithm: "HS256")[0]


I would prefer to rename the constant to JWT_LEEWAY since it doesn't only apply to expiration anymore, but it's a public constant and might make this a breaking change, so I decided to keep it.

We can always alias it

Oh yeah good call, I'll do that then 👍

zzooeeyy

LGTM!

paulomarg · 2024-04-16T17:10:10Z

lib/shopify_api/auth/jwt_payload.rb

@@ -73,8 +73,7 @@ def ==(other)

      sig { params(token: String, api_secret_key: String).returns(T::Hash[String, T.untyped]) }
      def decode_token(token, api_secret_key)
-        JWT.decode(token, api_secret_key, true,
-          { exp_leeway: JWT_EXPIRATION_LEEWAY, algorithm: "HS256" })[0]
+        JWT.decode(token, api_secret_key, true, leeway: JWT_EXPIRATION_LEEWAY, algorithm: "HS256")[0]


We can always alias it

rachel-carvalho added 2 commits April 16, 2024 12:32

use same leeway for exp and nbf

0ffe471

add changelog line

9c481e5

rachel-carvalho commented Apr 16, 2024

View reviewed changes

rachel-carvalho marked this pull request as ready for review April 16, 2024 16:42

rachel-carvalho requested a review from a team as a code owner April 16, 2024 16:42

zzooeeyy approved these changes Apr 16, 2024

View reviewed changes

paulomarg approved these changes Apr 16, 2024

View reviewed changes

use JWT_LEEWAY constant for JWT leeway param

0eb2306

rachel-carvalho merged commit c1163e0 into main Apr 16, 2024
11 checks passed

rachel-carvalho deleted the add_leeway_for_jwt_nbf branch April 16, 2024 18:40

rachel-carvalho self-assigned this Apr 16, 2024

shopify-shipit bot temporarily deployed to rubygems April 23, 2024 15:57 Inactive

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Use same leeway for `exp` and `nbf` when parsing JWT #1312

Use same leeway for `exp` and `nbf` when parsing JWT #1312

rachel-carvalho commented Apr 16, 2024 •

edited

Loading

rachel-carvalho Apr 16, 2024

paulomarg Apr 16, 2024

rachel-carvalho Apr 16, 2024

zzooeeyy left a comment

paulomarg Apr 16, 2024

Use same leeway for exp and nbf when parsing JWT #1312

Use same leeway for exp and nbf when parsing JWT #1312

Conversation

rachel-carvalho commented Apr 16, 2024 • edited Loading

Description

How has this been tested?

Checklist:

rachel-carvalho Apr 16, 2024

Choose a reason for hiding this comment

paulomarg Apr 16, 2024

Choose a reason for hiding this comment

rachel-carvalho Apr 16, 2024

Choose a reason for hiding this comment

zzooeeyy left a comment

Choose a reason for hiding this comment

paulomarg Apr 16, 2024

Choose a reason for hiding this comment

Use same leeway for `exp` and `nbf` when parsing JWT #1312

Use same leeway for `exp` and `nbf` when parsing JWT #1312

rachel-carvalho commented Apr 16, 2024 •

edited

Loading