add default validators: exp, nbf

SkyLothar · Oct 23, 2016 · d977a19 · d977a19
1 parent 6de9289
commit d977a19
Show file tree

Hide file tree

Showing 4 changed files with 55 additions and 26 deletions.
diff --git a/lib/resty/jwt.lua b/lib/resty/jwt.lua
@@ -4,7 +4,7 @@ local evp = require "resty.evp"
 local hmac = require "resty.hmac"
 local resty_random = require "resty.random"
 
-local _M = {_VERSION="0.1.5"}
+local _M = {_VERSION="0.1.8"}
 local mt = {__index=_M}
 
 local string_match= string.match
@@ -353,8 +353,11 @@ _M.alg_whitelist = nil
 
 --- Returns the list of default validations that will be
 --- applied upon the verification of a jwt.
-function _M.get_default_validation_options(self)
-  return { }
+function _M.get_default_validation_options(self, jwt_obj)
+  return {
+    [str_const.require_exp_claim]=jwt_obj[exp] ~= nil,
+    [str_const.require_nbf_claim]=jwt_obj[nbf] ~= nil
+  }
 end
 
 --- Set a function used to retrieve the content of x5u urls
@@ -673,6 +676,9 @@ end
 -- Validates the claims for the given (parsed) object
 local function validate_claims(self, jwt_obj, ...)
   local claim_specs = {...}
+  if #claim_specs == 0 then
+    table.insert(claim_specs, _M:get_default_validation_options(jwt_obj))
+  end
 
   if jwt_obj[str_const.reason] ~= nil then
     return false
@@ -731,8 +737,6 @@ function _M.verify_jwt_obj(self, secret, jwt_obj, ...)
 
   local jwt_str = string_format(str_const.regex_jwt_join_str, jwt_obj.raw_header , jwt_obj.raw_payload , jwt_obj.signature)
 
-
-
   if self.alg_whitelist ~= nil then
     if self.alg_whitelist[alg] == nil then
       return {verified=false, reason="whitelist unsupported alg: " .. alg}

diff --git a/t/load-verify.t b/t/load-verify.t
@@ -451,15 +451,15 @@ WQIDAQAB
                 ]]
 
             jwt:set_alg_whitelist({ RS256 = 1 })
-            local jwt_token = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9."
-                .. "eyJpc3MiOiJ0ZXN0IiwibmJmIjoxNDYxOTE0MDE3LCJleHAiOj"
-                .. "E0NjE5MTc2MTcsImlhdCI6MTQ2MTkxNDAxN30.LCd6AunnelBJ"
-                .. "Q1Y8-_nx2chncOd8XidNzmbFk5O_ohlOqjeGConlVpfJZyPYCe"
-                .. "bLvfgWQUT9VSM9cqXK7ZtUBTN8iI9VIYpjakzB3GfF6AiPK-bS"
-                .. "6tDfoXoupJD448rD0hB5Q6H-FhE6EmWzlAhoE38qQvnr3Va17h"
-                .. "LO5PLhDjmDtI2BeB0GaTM4SwkD1rHaS0KmWoW30hpNWJGoQu-J"
-                .. "fERR5000dhqa08N0mJeKx1fwFZ4D8hW8zj7zaL9LpF-ogdQEF-"
-                .. "fb1_6ntMMh0fOdvkE9QOsNLUo_VWzdsIvnCCDn8oCrwgssm9BbxQWphRS33DMCVbALwD6HCOa836rX6Q"
+            local jwt_token = "eyJ0eXAiOiAiSldUIiwgImFsZyI6ICJSUzI1NiJ9."
+              .. "eyJpc3MiOiAidGVzdCIsICJpYXQiOiAxNDYxOTE0MDE3fQ."
+              .. "dng6Vc-p_ISwiWc61ifWahbFYKBNWfaIr-W3bTPpgL-awG8"
+              .. "UlaCONkQk2PHJw_xndbpenQYl_-hipCKynokeFBTXVcSL6H"
+              .. "7XL4D9laQVDVFnI63hcXOMQxgICsQPVdcfVSBl2jHyV8kuw"
+              .. "XpUHbXQTxMawlE9SkI1-7UukxL9OyFIkT1D1uW7P96irVDs"
+              .. "GkEdTLVUPJerH-jlW4rRbW9twSHsgzHgkaqnQ41giW_e2Zz"
+              .. "r0U2euFH-AxlyvWBJd8Y7rQ_aD40USKsJilZ5qSykGZ7KHd"
+              .. "PzuwTXioCwB8bGVE2YoL-DKYj7-tOwoNsMK7UJzyjqzHqwuqvZWtbhmeRlww"
 
             local jwt_obj = jwt:verify(public_key, jwt_token)
             ngx.say(jwt_obj["verified"])
@@ -497,15 +497,15 @@ WQIDAQAB
                 ]]
 
             jwt:set_alg_whitelist({ RS256 = 1 })
-            local jwt_token = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9."
-                .. "eyJpc3MiOiJ0ZXN0IiwibmJmIjoxNDYxOTE0MDE3LCJleHAiOj"
-                .. "E0NjE5MTc2MTcsImlhdCI6MTQ2MTkxNDAxN30.LCd6AunnelBJ"
-                .. "Q1Y8-_nx2chncOd8XidNzmbFk5O_ohlOqjeGConlVpfJZyPYCe"
-                .. "bLvfgWQUT9VSM9cqXK7ZtUBTN8iI9VIYpjakzB3GfF6AiPK-bS"
-                .. "6tDfoXoupJD448rD0hB5Q6H-FhE6EmWzlAhoE38qQvnr3Va17h"
-                .. "LO5PLhDjmDtI2BeB0GaTM4SwkD1rHaS0KmWoW30hpNWJGoQu-J"
-                .. "fERR5000dhqa08N0mJeKx1fwFZ4D8hW8zj7zaL9LpF-ogdQEF-"
-                .. "fb1_6ntMMh0fOdvkE9QOsNLUo_VWzdsIvnCCDn8oCrwgssm9BbxQWphRS33DMCVbALwD6HCOa836rX6Q"
+            local jwt_token = "eyJ0eXAiOiAiSldUIiwgImFsZyI6ICJSUzI1NiJ9."
+              .. "eyJpc3MiOiAidGVzdCIsICJpYXQiOiAxNDYxOTE0MDE3fQ."
+              .. "dng6Vc-p_ISwiWc61ifWahbFYKBNWfaIr-W3bTPpgL-awG8"
+              .. "UlaCONkQk2PHJw_xndbpenQYl_-hipCKynokeFBTXVcSL6H"
+              .. "7XL4D9laQVDVFnI63hcXOMQxgICsQPVdcfVSBl2jHyV8kuw"
+              .. "XpUHbXQTxMawlE9SkI1-7UukxL9OyFIkT1D1uW7P96irVDs"
+              .. "GkEdTLVUPJerH-jlW4rRbW9twSHsgzHgkaqnQ41giW_e2Zz"
+              .. "r0U2euFH-AxlyvWBJd8Y7rQ_aD40USKsJilZ5qSykGZ7KHd"
+              .. "PzuwTXioCwB8bGVE2YoL-DKYj7-tOwoNsMK7UJzyjqzHqwuqvZWtbhmeRlww"
 
             -- Alter the jwt
             jwt_token = jwt_token .. "123"

diff --git a/t/sign-verify.t b/t/sign-verify.t
@@ -293,9 +293,9 @@ bar
 
             local jwt_obj = jwt:verify(
                 "lua-resty-jwt",
-                "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9" ..
-                ".eyJmb28iOiJiYXIiLCJuYmYiOjk5OTk5OTk5OTl9" ..
-                ".Wfu3owxbzlrb0GXvV0D22Si8WEDP0WeRGwZNPAoYHMI"
+                "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
+                .. "eyJmb28iOiJiYXIifQ."
+                .. "VxhQcGihWyHuJeHhpUiq2FU7aW2s_3ZJlY6h1kdlmJY"
             )
             ngx.say(jwt_obj["verified"])
             ngx.say(jwt_obj["reason"])

diff --git a/t/validate-jwt.t b/t/validate-jwt.t
@@ -656,3 +656,28 @@ everything is awesome~ :p
 [error]
 
 
+=== TEST 21: JWT validate exp by default
+--- http_config eval: $::HttpConfig
+--- config
+    location /t {
+        content_by_lua '
+            local jwt = require "resty.jwt"
+            local jwt_obj = jwt:verify(
+                "lua-resty-jwt",
+                "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9" ..
+                ".eyJmb28iOiJiYXIiLCJleHAiOjB9" ..
+                ".btivkb1guN1sQBYYVcrigEuNVvDOp1PDrbgaNSD3Whg"
+            )
+            ngx.say(jwt_obj["verified"])
+            ngx.say(jwt_obj["reason"])
+        ';
+    }
+--- request
+GET /t
+--- response_body
+false
+'exp' claim expired at Thu, 01 Jan 1970 00:00:00 GMT
+--- no_error_log
+[error]
+
+