Handle exp with fractional/invalid value

max-lt · Nov 1, 2023 · 997112e · 997112e
1 parent 7df5690
commit 997112e
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 5 deletions.
diff --git a/src/ngx_http_auth_jwt_module.c b/src/ngx_http_auth_jwt_module.c
@@ -243,12 +243,23 @@ static ngx_int_t ngx_http_auth_jwt_access_handler(ngx_http_request_t *r)
     return NGX_HTTP_UNAUTHORIZED;
   }
 
-  // Validate the exp date of the JWT; Still valid if "exp" missing (exp == -1)
-  time_t exp = (time_t)jwt_get_grant_int(jwt, "exp");
-  if (exp != -1 && exp < time(NULL))
+  // Validate the exp date of the JWT; Still valid if "exp" missing
+  char* exp_str = jwt_get_grants_json(jwt, "exp");
+  if (exp_str)
   {
-    ngx_log_error(NGX_LOG_INFO, r->connection->log, 0, "JWT: the jwt has expired [exp=%ld]", (long)exp);
-    return NGX_HTTP_UNAUTHORIZED;
+    long int exp = strtol(exp_str, NULL, 10);
+
+    if (exp == 0)
+    {
+      ngx_log_error(NGX_LOG_WARN, r->connection->log, 0, "JWT: invalid exp date in jwt %s", exp_str);
+      return NGX_HTTP_UNAUTHORIZED;
+    }
+
+    if (exp < time(NULL))
+    {
+      ngx_log_error(NGX_LOG_INFO, r->connection->log, 0, "JWT: the jwt has expired [exp=%ld]", (long)exp);
+      return NGX_HTTP_UNAUTHORIZED;
+    }
   }
 
   // Validate jwt_require

diff --git a/test.sh b/test.sh
@@ -177,6 +177,14 @@ test_jwt "Expired jwt in header on auth-disabled should return 201" "/auth-disab
 test_jwt "Expired jwt on secure-cookie should return 401" "/secure-cookie"      "401" "--cookie \"rampartjwt=${JWT}\""
 test_jwt "Expired jwt on secure-auth-h should return 401" "/secure-auth-header" "401" "--header \"Authorization: Bearer ${JWT}\""
 
+echo "# Test float exp claim" # { "exp": 1698742245.336421 }
+JWT='eyJhbGciOiJIUzI1NiJ9.eyJleHAiOjE2OTg3NDIyNDUuMzM2NDIxfQ.Wh-6szLG-7TcO19Efwh5A7IBoMWPPfttxwgUFKBhDJA'
+test_jwt "Expired jwt on secure-auth-h should return 401" "/secure-auth-header" "401" "--header \"Authorization: Bearer ${JWT}\""
+
+echo "# Test invalid exp" # { "exp": "1698742245" }
+JWT='eyJhbGciOiJIUzI1NiJ9.eyJleHAiOiIxNjk4NzQyMjQ1In0.Vpvf77sGNljk6gmGnaDPE1LTD_wEo-GTFZrCWiAfVgM'
+test_jwt "Expired jwt on secure-auth-h should return 401" "/secure-auth-header" "401" "--header \"Authorization: Bearer ${JWT}\""
+
 echo "# Test exp claim with non-expired jwt (2032-01-01)"
 JWT='eyJhbGciOiJIUzI1NiJ9.eyJleHAiOjE5NTY1MjgwMDB9.3rTJLB2KJxDoTImIsyMC4Bo5R1IY-d9dhr75llFiw_8'
 test_jwt "Calling secure-cookie with non-expired jwt should return 201" "/secure-cookie"      "201" "--cookie \"rampartjwt=${JWT}\""