Merge pull request #161 from excpt/issue-157

Fix: exp claim check
jwt · Aug 23, 2016 · 732729a · 732729a
2 parents 8600e30 + 405671e
commit 732729a
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 1 deletion.
diff --git a/lib/jwt/verify.rb b/lib/jwt/verify.rb
@@ -35,7 +35,7 @@ def verify_aud
     def verify_expiration
       return unless @payload.include?('exp')
 
-      if @payload['exp'].to_i < (Time.now.to_i - leeway)
+      if @payload['exp'].to_i <= (Time.now.to_i - leeway)
         fail(JWT::ExpiredSignature, 'Signature has expired')
       end
     end

diff --git a/spec/jwt/verify_spec.rb b/spec/jwt/verify_spec.rb
@@ -60,6 +60,14 @@ module JWT
       it 'must allow some leeway in the expiration when configured' do
         Verify.verify_expiration(payload, options.merge(leeway: 10))
       end
+
+      it 'must be expired if the exp claim equals the current time' do
+        payload.merge!('exp' => Time.now.to_i)
+
+        expect do
+          Verify.verify_expiration(payload, options)
+        end.to raise_error JWT::ExpiredSignature
+      end
     end
 
     context '.verify_iat(payload, options)' do