# HG changeset patch # User Matthew Wild # Date 1657542509 -3600 # Node ID 008a7097fdc553a0ebf03dc7d0c6d74b573d4b11 # Parent 31a2bd84191df9506c5408f03359342175cbaba0 util.jwt: Provide built-in token expiry support (defaults to 3600s lifetime) To avoid every user of the library needing to add and verify expiry info, this is now handled by util.jwt itself (if not overridden or disabled). Issuing tokens that are valid forever is bad practice and rarely desired, and the default token lifetime is now 3600s (1 hour). diff -r 31a2bd84191d -r 008a7097fdc5 util/jwt.lua --- a/util/jwt.lua Sat Jul 02 15:29:04 2022 +0100 +++ b/util/jwt.lua Mon Jul 11 13:28:29 2022 +0100 @@ -152,21 +152,46 @@ PS256 = new_rsa_algorithm("PS256"), PS384 = new_rsa_algorithm("PS384"), PS512 = new_rsa_algorithm("PS512"); }; -local function new_signer(algorithm, key_input) +local function new_signer(algorithm, key_input, options) local impl = assert(algorithms[algorithm], "Unknown JWT algorithm: "..algorithm); local key = (impl.load_private_key or impl.load_key)(key_input); local sign = impl.sign; + local default_ttl = (options and options.default_ttl) or 3600; return function (payload) + local issued_at; + if not payload.iat then + issued_at = os.time(); + payload.iat = issued_at; + end + if not payload.exp then + payload.exp = (issued_at or os.time()) + default_ttl; + end return sign(key, payload); end end -local function new_verifier(algorithm, key_input) +local function new_verifier(algorithm, key_input, options) local impl = assert(algorithms[algorithm], "Unknown JWT algorithm: "..algorithm); local key = (impl.load_public_key or impl.load_key)(key_input); local verify = impl.verify; + local check_expiry = not (options and options.accept_expired); + local claim_verifier = options and options.claim_verifier; return function (token) - return verify(key, token); + local ok, payload = verify(key, token); + if ok then + local expires_at = check_expiry and payload.exp; + if expires_at then + if type(expires_at) ~= "number" then + return nil, "invalid-expiry"; + elseif expires_at < os.time() then + return nil, "token-expired"; + end + end + if claim_verifier and not claim_verifier(payload) then + return nil, "incorrect-claims"; + end + end + return ok, payload; end end