From d977a1974c3ace4de1ab4473c4e8cc9d81ca9953 Mon Sep 17 00:00:00 2001
From: SkyLothar
Date: Mon, 24 Oct 2016 02:00:36 +0800
Subject: [PATCH] add default validators: exp, nbf

---
 lib/resty/jwt.lua | 14 +++++++++-----
 t/load-verify.t | 36 ++++++++++++++++++------------------
 t/sign-verify.t | 6 +++---
 t/validate-jwt.t | 25 +++++++++++++++++++++++++
 4 files changed, 55 insertions(+), 26 deletions(-)

diff --git a/lib/resty/jwt.lua b/lib/resty/jwt.lua
index f934176..f1c535c 100644
--- a/lib/resty/jwt.lua
+++ b/lib/resty/jwt.lua
@@ -4,7 +4,7 @@ local evp = require "resty.evp"
 local hmac = require "resty.hmac"
 local resty_random = require "resty.random"
 
-local _M = {_VERSION="0.1.5"}
+local _M = {_VERSION="0.1.8"}
 local mt = {__index=_M}
 
 local string_match= string.match
@@ -353,8 +353,11 @@ _M.alg_whitelist = nil
 
 --- Returns the list of default validations that will be
 --- applied upon the verification of a jwt.
-function _M.get_default_validation_options(self)
-  return { }
+function _M.get_default_validation_options(self, jwt_obj)
+  return {
+    [str_const.require_exp_claim]=jwt_obj[exp] ~= nil,
+    [str_const.require_nbf_claim]=jwt_obj[nbf] ~= nil
+  }
 end
 
 --- Set a function used to retrieve the content of x5u urls
@@ -673,6 +676,9 @@ end
 -- Validates the claims for the given (parsed) object
 local function validate_claims(self, jwt_obj, ...)
   local claim_specs = {...}
+  if #claim_specs == 0 then
+    table.insert(claim_specs, _M:get_default_validation_options(jwt_obj))
+  end
 
   if jwt_obj[str_const.reason] ~= nil then
     return false
@@ -731,8 +737,6 @@ function _M.verify_jwt_obj(self, secret, jwt_obj, ...)
   local jwt_str = string_format(str_const.regex_jwt_join_str, jwt_obj.raw_header
     , jwt_obj.raw_payload
     , jwt_obj.signature)
-
-
   if self.alg_whitelist ~= nil then
     if self.alg_whitelist[alg] == nil then
       return {verified=false, reason="whitelist unsupported alg: " .. alg}
diff --git a/t/load-verify.t b/t/load-verify.t
index c7804e6..cd7040f 100644
--- a/t/load-verify.t
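Review bot: `jwt_obj[exp]` and `jwt_obj[nbf]` in the new `get_default_validation_options` index the payload with the bare names `exp` and `nbf`, which nothing in this hunk declares; unless they are file-level locals defined outside the hunk, they are undefined globals evaluating to `nil`, `jwt_obj[nil]` reads `nil`, and both flags are always `false`, so the defaults never require either claim. The other keys in the same table go through `str_const`, so the lookups should match that convention, `jwt_obj[str_const.exp] ~= nil` if such entries exist, or otherwise the plain strings `jwt_obj["exp"] ~= nil` and `jwt_obj["nbf"] ~= nil`. The doc comment should also cover the new parameter and the fact that a claim is only enforced when the token carries it, e.g. `--- @param jwt_obj the parsed jwt; exp/nbf are only checked when present, so a token without them is not rejected by default.`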
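Review bot: The new fallback in validate_claims calls `_M:get_default_validation_options(jwt_obj)` on the module table instead of on `self`, so an instance that overrides `get_default_validation_options` (the `self` parameter the method takes suggests that is supported) is bypassed and the module default is used; `table.insert(claim_specs, self:get_default_validation_options(jwt_obj))` keeps the override. A one-line comment on the new branch would help the reader: `-- no explicit claim specs given: fall back to the per-token defaults (exp/nbf when present)`. The body of validate_claims continues past the end of this hunk.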
+++ b/t/load-verify.t
@@ -451,15 +451,15 @@ WQIDAQAB
 ]]
 
             jwt:set_alg_whitelist({ RS256 = 1 })
-            local jwt_token = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9."
-                .. "eyJpc3MiOiJ0ZXN0IiwibmJmIjoxNDYxOTE0MDE3LCJleHAiOj"
-                .. "E0NjE5MTc2MTcsImlhdCI6MTQ2MTkxNDAxN30.LCd6AunnelBJ"
-                .. "Q1Y8-_nx2chncOd8XidNzmbFk5O_ohlOqjeGConlVpfJZyPYCe"
-                .. "bLvfgWQUT9VSM9cqXK7ZtUBTN8iI9VIYpjakzB3GfF6AiPK-bS"
-                .. "6tDfoXoupJD448rD0hB5Q6H-FhE6EmWzlAhoE38qQvnr3Va17h"
-                .. "LO5PLhDjmDtI2BeB0GaTM4SwkD1rHaS0KmWoW30hpNWJGoQu-J"
-                .. "fERR5000dhqa08N0mJeKx1fwFZ4D8hW8zj7zaL9LpF-ogdQEF-"
-                .. "fb1_6ntMMh0fOdvkE9QOsNLUo_VWzdsIvnCCDn8oCrwgssm9BbxQWphRS33DMCVbALwD6HCOa836rX6Q"
+            local jwt_token = "eyJ0eXAiOiAiSldUIiwgImFsZyI6ICJSUzI1NiJ9."
+                .. "eyJpc3MiOiAidGVzdCIsICJpYXQiOiAxNDYxOTE0MDE3fQ."
+                .. "dng6Vc-p_ISwiWc61ifWahbFYKBNWfaIr-W3bTPpgL-awG8"
+                .. "UlaCONkQk2PHJw_xndbpenQYl_-hipCKynokeFBTXVcSL6H"
+                .. "7XL4D9laQVDVFnI63hcXOMQxgICsQPVdcfVSBl2jHyV8kuw"
+                .. "XpUHbXQTxMawlE9SkI1-7UukxL9OyFIkT1D1uW7P96irVDs"
+                .. "GkEdTLVUPJerH-jlW4rRbW9twSHsgzHgkaqnQ41giW_e2Zz"
+                .. "r0U2euFH-AxlyvWBJd8Y7rQ_aD40USKsJilZ5qSykGZ7KHd"
+                .. "PzuwTXioCwB8bGVE2YoL-DKYj7-tOwoNsMK7UJzyjqzHqwuqvZWtbhmeRlww"
 
             local jwt_obj = jwt:verify(public_key, jwt_token)
             ngx.say(jwt_obj["verified"])
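Review bot: The regenerated RS256 fixture carries only `iss` and `iat`, so after this change the alg-whitelist tests no longer push a token with time claims through the RSA verification path; the old fixture's 2016 `exp` is presumably why it had to go, since the new defaults would now reject it, but that reason is invisible to the next person who regenerates the token. A short comment above the new `local jwt_token` would preserve it: `-- fixture deliberately has no exp/nbf: the default validators would reject a dated token`. A second fixture with a far-future `exp` would keep the original coverage under the new defaults. The test's expected output lies outside this hunk.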
@@ -497,15 +497,15 @@ WQIDAQAB
 ]]
 
             jwt:set_alg_whitelist({ RS256 = 1 })
-            local jwt_token = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9."
-                .. "eyJpc3MiOiJ0ZXN0IiwibmJmIjoxNDYxOTE0MDE3LCJleHAiOj"
-                .. "E0NjE5MTc2MTcsImlhdCI6MTQ2MTkxNDAxN30.LCd6AunnelBJ"
-                .. "Q1Y8-_nx2chncOd8XidNzmbFk5O_ohlOqjeGConlVpfJZyPYCe"
-                .. "bLvfgWQUT9VSM9cqXK7ZtUBTN8iI9VIYpjakzB3GfF6AiPK-bS"
-                .. "6tDfoXoupJD448rD0hB5Q6H-FhE6EmWzlAhoE38qQvnr3Va17h"
-                .. "LO5PLhDjmDtI2BeB0GaTM4SwkD1rHaS0KmWoW30hpNWJGoQu-J"
-                .. "fERR5000dhqa08N0mJeKx1fwFZ4D8hW8zj7zaL9LpF-ogdQEF-"
-                .. "fb1_6ntMMh0fOdvkE9QOsNLUo_VWzdsIvnCCDn8oCrwgssm9BbxQWphRS33DMCVbALwD6HCOa836rX6Q"
+            local jwt_token = "eyJ0eXAiOiAiSldUIiwgImFsZyI6ICJSUzI1NiJ9."
+                .. "eyJpc3MiOiAidGVzdCIsICJpYXQiOiAxNDYxOTE0MDE3fQ."
+                .. "dng6Vc-p_ISwiWc61ifWahbFYKBNWfaIr-W3bTPpgL-awG8"
+                .. "UlaCONkQk2PHJw_xndbpenQYl_-hipCKynokeFBTXVcSL6H"
+                .. "7XL4D9laQVDVFnI63hcXOMQxgICsQPVdcfVSBl2jHyV8kuw"
+                .. "XpUHbXQTxMawlE9SkI1-7UukxL9OyFIkT1D1uW7P96irVDs"
+                .. "GkEdTLVUPJerH-jlW4rRbW9twSHsgzHgkaqnQ41giW_e2Zz"
+                .. "r0U2euFH-AxlyvWBJd8Y7rQ_aD40USKsJilZ5qSykGZ7KHd"
+                .. "PzuwTXioCwB8bGVE2YoL-DKYj7-tOwoNsMK7UJzyjqzHqwuqvZWtbhmeRlww"
 
             -- Alter the jwt
             jwt_token = jwt_token .. "123"
diff --git a/t/sign-verify.t b/t/sign-verify.t
index 4968c2b..1480431 100644
--- a/t/sign-verify.t
+++ b/t/sign-verify.t
@@ -293,9 +293,9 @@ bar
 
             local jwt_obj = jwt:verify(
                 "lua-resty-jwt",
-                "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9" ..
-                ".eyJmb28iOiJiYXIiLCJuYmYiOjk5OTk5OTk5OTl9" ..
-                ".Wfu3owxbzlrb0GXvV0D22Si8WEDP0WeRGwZNPAoYHMI"
+                "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
+                .. "eyJmb28iOiJiYXIifQ."
+                .. "VxhQcGihWyHuJeHhpUiq2FU7aW2s_3ZJlY6h1kdlmJY"
             )
             ngx.say(jwt_obj["verified"])
             ngx.say(jwt_obj["reason"])
diff --git a/t/validate-jwt.t b/t/validate-jwt.t
index ec85c76..2ec4488 100644
--- a/t/validate-jwt.t
+++ b/t/validate-jwt.t
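Review bot: The removed HS256 fixture in the sign-verify hunk decodes to a payload with `nbf` set to 9999999999, i.e. far in the future, and the replacement token has no `nbf` at all; swapping the fixture instead of updating the expected output means the patch, which introduces an nbf default validator, leaves no visible test in which a not-yet-valid token is rejected. Keeping the old token under a separate test whose expected output is `false` plus the validator's not-yet-valid reason would pin the new default; this assumes the original test expected `true` for the nbf token, which the hunk does not show. The enclosing test's expected output lies outside the hunk.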
@@ -656,3 +656,28 @@ everything is awesome~ :p
 [error]
 
 
+=== TEST 21: JWT validate exp by default
+--- http_config eval: $::HttpConfig
+--- config
+    location /t {
+        content_by_lua '
+            local jwt = require "resty.jwt"
+            local jwt_obj = jwt:verify(
+                "lua-resty-jwt",
+                "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9" ..
+                ".eyJmb28iOiJiYXIiLCJleHAiOjB9" ..
+                ".btivkb1guN1sQBYYVcrigEuNVvDOp1PDrbgaNSD3Whg"
+            )
+            ngx.say(jwt_obj["verified"])
+            ngx.say(jwt_obj["reason"])
+        ';
+    }
+--- request
+GET /t
+--- response_body
+false
+'exp' claim expired at Thu, 01 Jan 1970 00:00:00 GMT
+--- no_error_log
+[error]
+
+
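Review bot: TEST 21 pins only the negative path for `exp` (a token with `"exp":0` is rejected), while the commit title promises both `exp` and `nbf` defaults; nothing in this hunk shows that a token with a future `exp` and a past `nbf` still verifies under the defaults, nor that a future `nbf` is rejected. Two companion cases would close that gap: a TEST 22 with `nbf` set far in the future expecting `false` and the validator's not-yet-valid reason, and a TEST 23 with a far-future `exp` expecting `true` and `nil` reason, so a regression that makes the default flags constant in `get_default_validation_options` is caught from both sides. A comment above the new `jwt:verify(` call, `-- no claim spec passed: exercises the implicit exp/nbf defaults`, would also make clear why this test deliberately omits the spec argument.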