You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The jwt logic assumes exp is in ms timestamp format (time.getUnixTime is just Date.now), but the JWT RFC (https://www.rfc-editor.org/rfc/rfc7519#section-4.1.4) states it should be seconds since epoch, not ms. This means that if something is using lib0 to validate a JWT token, but that JWT token was generated to the RFC, the expiration check will fail.
To Reproduce
Steps to reproduce the behavior:
Generate a standards compliant JWT token (e.g., with a JWT library in another platform)
Verify the token with lib0
See false expiration error
Expected behavior
Expect epoch seconds for exp claims.
Possibly add logic to support both since the bug was out there.
Describe the bug
The jwt logic assumes
exp
is in ms timestamp format (time.getUnixTime is just Date.now), but the JWT RFC (https://www.rfc-editor.org/rfc/rfc7519#section-4.1.4) states it should be seconds since epoch, not ms. This means that if something is using lib0 to validate a JWT token, but that JWT token was generated to the RFC, the expiration check will fail.To Reproduce
Steps to reproduce the behavior:
Expected behavior
Expect epoch seconds for
exp
claims.Possibly add logic to support both since the bug was out there.
Relevant code:
lib0/crypto/jwt.js
Line 50 in e8bb155
The text was updated successfully, but these errors were encountered: