From 5c4fb61574723af2e795fa8c5ff56090f011d056 Mon Sep 17 00:00:00 2001 From: David Bonting Date: Mon, 1 Apr 2019 16:00:12 +0200 Subject: [PATCH] Add NBF clock tolerance --- README.md | 7 +++++++ index.js | 29 +++++++++++++++++++++++++---- test/verifier.js | 11 +++++++++++ 3 files changed, 43 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index b1e4dfc..a3cb546 100644 --- a/README.md +++ b/README.md @@ -153,6 +153,13 @@ try{ } ```` +To allow clocktolerance use the third argument (in milliseconds): +````javascript +nJwt.verify(token, null, null, 2500, function(err,verifiedJwt){ + +}); +```` + ### Changing the algorithm If you want to change the algorithm from the default `HS256`, you can do so diff --git a/index.js b/index.js index 4de537b..914f2e5 100644 --- a/index.js +++ b/index.js @@ -266,8 +266,8 @@ Jwt.prototype.isExpired = function() { return new Date(this.body.exp*1000) < new Date(); }; -Jwt.prototype.isNotBefore = function() { - return new Date(this.body.nbf * 1000) >= new Date(); +Jwt.prototype.isNotBefore = function(ms) { + return new Date((this.body.nbf * 1000) - ms) >= new Date(); }; function Parser(options){ @@ -322,6 +322,7 @@ function Verifier(){ } this.setSigningAlgorithm('HS256'); this.setKeyResolver(defaultKeyResolver.bind(this)); + this.nbfTolerance = 0; return this; } Verifier.prototype.setSigningAlgorithm = function setSigningAlgorithm(alg) { @@ -338,6 +339,10 @@ Verifier.prototype.setSigningKey = function setSigningKey(keyStr) { Verifier.prototype.setKeyResolver = function setKeyResolver(keyResolver) { this.keyResolver = keyResolver.bind(this); }; +Verifier.prototype.setNbfTolerance = function setNbfTolerance(ms) { + this.nbfTolerance = ms; + return this; +}; Verifier.prototype.isSupportedAlg = isSupportedAlg; Verifier.prototype.verify = function verify(jwtString,cb){ @@ -366,7 +371,7 @@ Verifier.prototype.verify = function verify(jwtString,cb){ return done(new JwtParseError(properties.errors.EXPIRED,jwtString,header,body)); } - if (jwt.isNotBefore()) { + if (jwt.isNotBefore(this.nbfTolerance)) { return done(new JwtParseError(properties.errors.NOT_ACTIVE,jwtString,header,body)); } @@ -435,13 +440,29 @@ var jwtLib = { Verifier: Verifier, base64urlEncode: base64urlEncode, base64urlUnescape:base64urlUnescape, - verify: function(/*jwtTokenString, [signingKey], [algOverride], [callbck] */){ + verify: function(/*jwtTokenString, [signingKey], [algOverride], [nbfTolerance], [callback] */){ var args = Array.prototype.slice.call(arguments); var cb = typeof args[args.length-1] === 'function' ? args.pop() : null; var verifier = new Verifier(); + if(args.length===4){ + verifier.setNbfTolerance(args[3]); + + if(args[2]==null){ + verifier.setSigningAlgorithm('none'); + }else{ + verifier.setSigningAlgorithm(args[2]); + } + + if(args[1]==null){ + verifier.setSigningKey(''); + }else{ + verifier.setSigningKey(args[1]); + } + } + if(args.length===3){ verifier.setSigningAlgorithm(args[2]); verifier.setSigningKey(args[1]); diff --git a/test/verifier.js b/test/verifier.js index 7d529a3..bed6619 100644 --- a/test/verifier.js +++ b/test/verifier.js @@ -148,6 +148,17 @@ describe('Verifier().verify() ',function(){ }); }); + it('should NOT return the jwt string, header and body on error objects with not active message since nbfTolerance is set',function(done){ + var jwt = new nJwt.Jwt({notActiveToken:uuid()}) + .setNotBefore(new Date().getTime()+1000) + var token = jwt.compact(); + nJwt.verify(token,null,null,1000,function(err){ + assert.isNull(err); + assert.isNotNull(token); + done(); + }); + }); + it('should return the jwt string, header and body with null error objects',function(done){ var jwt = new nJwt.Jwt({notActiveToken:uuid()}); var token = jwt.compact();