JWT "Expires In" Bug

The “Expires In” value entered while creating the JWT token is defined as 3600. However, when the user wants to enter a value other than this value, this value is still considered as 3600.

As far as I can see in modules/jwt.php, the value 3600 is entered, but not as options.

wappler 5.4.1
php
macos

Hi @patrick ,

I will fix the problem temporarily, but what is the value of the EXPIRES IN field? If you could help with this situation, I would greatly appreciate it. So “$options->exp” is right?

For Sign

// Check if user has set the 'exp' value, otherwise default to 3600 seconds
$exp = isset($options->exp) ? $options->exp : 3600;

$payload = array(
    'iat' => $time,
    'nbf' => $time + 60,
    'exp' => $time + $exp
);

For Token Verify

public function verify($options) {
    option_require($options, 'token');
    option_require($options, 'key');

    $options = $this->app->parseObject($options);

    $payload = NULL;

    try {
        $payload = \lib\jwt\Jwt::verify($options);

        if (isset($payload->exp)) {
            $exp = $payload->exp;
        } else {
            $exp = time() + 3600;
        }

        if ($exp < time()) {
            throw new \Exception('Token has expired');
        }
    } catch (\Exception $err) {
        // Invalid or expired: clear the payload so it is not returned
        $payload = NULL;
    }

    return $payload;
}

The option name here appears as “exp”, but 3600 is used by default because it sends a null value. I guess it’s not “exp”???

            "alg": "String", // algorithm for signing (HS256, HS384, HS512, RS256, RS384, RS512)
            "key": "String", // key for signing
            "iss": "String", // issuer
            "sub": "String", // subject
            "aud": "String", // audience
            "jti": "String", // token id
            "iat": "Number", // time that the token was issued
            "nbf": "Number", // time before which the token cannot be accepted
            "exp": "Number", // expiration time
            "headers": "Object", // header items
            "claims": "Object" // claim items

Only the sign function needs to be modified.

At the top add:

option_default($options, 'expiresIn', 3600);

The payload becomes:

$payload = array(
  'iat' => $time,
  'nbf' => $time + 60,
  'exp' => $time + $options->expiresIn
);

The option is expiresIn, not exp.

jwt.zip (922 Bytes)

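The effect of the option name on token lifetime, as an added example that is not part of the original posts and is not Wappler's modules/jwt.php. The helpers `b64url`, `sign_hs256` and `claims`, the 86400-second cap, and the key and timestamp are assumptions made for this sketch.

```php
<?php
// Added illustration, not Wappler's code. Helper names are hypothetical.

function b64url(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

// Build an HS256 token whose lifetime comes from $options->expiresIn.
function sign_hs256(object $options, int $now): string {
    // Same default as the fix in the thread: 3600 s when the option is absent.
    $ttl = filter_var($options->expiresIn ?? 3600, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 86400]]); // cap is an assumption
    if ($ttl === false) {
        // Fail loudly instead of issuing a token with an unintended lifetime.
        throw new InvalidArgumentException('expiresIn must be 1..86400 seconds');
    }

    $header  = ['alg' => 'HS256', 'typ' => 'JWT'];
    $payload = ['iat' => $now, 'nbf' => $now + 60, 'exp' => $now + $ttl];

    $input = b64url(json_encode($header)) . '.' . b64url(json_encode($payload));
    $sig   = hash_hmac('sha256', $input, $options->key, true);
    return $input . '.' . b64url($sig);
}

// Decode the claims segment for inspection only (no signature check).
function claims(string $jwt): array {
    $seg = explode('.', $jwt)[1];
    return json_decode(base64_decode(strtr($seg, '-_', '+/')), true);
}

$now = 1700000000;             // constructed timestamp
$key = 'constructed-demo-key'; // constructed key

// 'exp' is not the option the sign step reads, so the default applies.
$wrong = claims(sign_hs256((object)['key' => $key, 'exp' => 900], $now));
// 'expiresIn' is the option name given in the fix.
$right = claims(sign_hs256((object)['key' => $key, 'expiresIn' => 900], $now));

printf("exp option:       lifetime %d s\n", $wrong['exp'] - $wrong['iat']);
printf("expiresIn option: lifetime %d s\n", $right['exp'] - $right['iat']);
```

Comparing `exp - iat` in an issued token against the configured value is a quick check that the lifetime setting actually took effect.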

Fixed in Wappler 5.4.2
