nbf claim validation should include clockTolerance (#115)

auth0 · Oct 9, 2023 · 993c1e2 · 993c1e2
2 parents ee0a1fc + 128a564
commit 993c1e2
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 1 deletion.
diff --git a/packages/access-token-jwt/src/jwt-verifier.ts b/packages/access-token-jwt/src/jwt-verifier.ts
@@ -246,7 +246,8 @@ const jwtVerifier = ({
       };
       const { payload, protectedHeader: header } = await jwtVerify(
         jwt,
-        getKeyFnGetter(jwksUri)
+        getKeyFnGetter(jwksUri),
+        { clockTolerance }
       );
       await validate(payload, header, validators);
       return { payload, header, token: jwt };

diff --git a/packages/access-token-jwt/test/jwt-verifier.test.ts b/packages/access-token-jwt/test/jwt-verifier.test.ts
@@ -3,6 +3,7 @@ import nock from 'nock';
 import sinon from 'sinon';
 import { createJwt, now } from './helpers';
 import { jwtVerifier, InvalidTokenError } from '../src';
+import validate from '../src/validate.js';
 
 describe('jwt-verifier', () => {
   afterEach(nock.cleanAll);
@@ -122,6 +123,43 @@ describe('jwt-verifier', () => {
     );
   });
 
+  it('should throw for invalid nbf', async () => {
+    const clock = sinon.useFakeTimers(1000);
+    const jwt = await createJwt({
+      payload: {
+        nbf: 2000,
+      },
+    });
+
+    const verify = jwtVerifier({
+      jwksUri: 'https://issuer.example.com/.well-known/jwks.json',
+      issuer: 'https://issuer.example.com/',
+      audience: 'https://api/',
+    });
+    await expect(verify(jwt)).rejects.toThrowError(
+      '"nbf" claim timestamp check failed'
+    );
+    clock.restore();
+  });
+
+  it('should validate nbf claim with clockTolerance', async () => {
+    const clock = sinon.useFakeTimers(1000);
+    const jwt = await createJwt({
+      payload: {
+        nbf: 2000,
+      },
+    });
+
+    const verify = jwtVerifier({
+      jwksUri: 'https://issuer.example.com/.well-known/jwks.json',
+      issuer: 'https://issuer.example.com/',
+      audience: 'https://api/',
+      clockTolerance: 5000,
+    });
+    await expect(verify(jwt)).resolves.not.toThrow();
+    clock.restore();
+  });
+
   it('should throw unexpected token signing alg', async () => {
     const secret = randomBytes(32).toString('hex');
     const jwt = await createJwt({ secret });