diff --git a/packages/credentials/src/jwt.ts b/packages/credentials/src/jwt.ts index 13317ec37..719f21cb8 100644 --- a/packages/credentials/src/jwt.ts +++ b/packages/credentials/src/jwt.ts @@ -163,6 +163,10 @@ export class Jwt { static async verify(options: VerifyJwtOptions): Promise { const { decoded: decodedJwt, encoded: encodedJwt } = Jwt.parse({ jwt: options.jwt }); + if (decodedJwt.payload.exp && Math.floor(Date.now() / 1000) > decodedJwt.payload.exp) { + throw new Error(`Verification failed: JWT is expired`); + } + // TODO: should really be looking for verificationMethod with authentication verification relationship const dereferenceResult = await Jwt.didResolver.dereference({ didUrl: decodedJwt.header.kid! }); if (dereferenceResult.dereferencingMetadata.error) { diff --git a/packages/credentials/tests/jwt.spec.ts b/packages/credentials/tests/jwt.spec.ts index 7edec27e7..5144f249f 100644 --- a/packages/credentials/tests/jwt.spec.ts +++ b/packages/credentials/tests/jwt.spec.ts @@ -69,6 +69,21 @@ describe('Jwt', () => { }); describe('verify()', () => { + it('throws error if JWT is expired', async () => { + const did = await DidKeyMethod.create({ keyAlgorithm: 'secp256k1' }); + const header: JwtHeaderParams = { typ: 'JWT', alg: 'ES256K', kid: did.document.verificationMethod![0].id }; + const base64UrlEncodedHeader = Convert.object(header).toBase64Url(); + + const payload: JwtPayload = { iat: Math.floor(Date.now() / 1000 - 60), exp: Math.floor(Date.now() / 1000 - 1) }; + const base64UrlEncodedPayload = Convert.object(payload).toBase64Url(); + + try { + await Jwt.verify({ jwt: `${base64UrlEncodedHeader}.${base64UrlEncodedPayload}.hijk` }); + expect.fail(); + } catch(e: any) { + expect(e.message).to.include('JWT is expired'); + } + }); it('throws error if JWT header kid does not dereference a verification method', async () => { const did = await DidKeyMethod.create({ keyAlgorithm: 'secp256k1' }); const header: JwtHeaderParams = { typ: 'JWT', alg: 'ES256K', kid: did.did };