jwt.verify() returns jwt expired when the expiration is 24h

Tags:

javascript

jwt

I used jwt to create a token:

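const jwt = require('jsonwebtoken');

// Sign a token that should expire 24 hours after it is issued
const token = jwt.sign({
  filePath: "path/to/file"
}, 'secretKey', {
  expiresIn: "24h"
});

try {
  console.log(token);
  // verify() checks the signature and the exp claim
  const decoded = jwt.verify(token, 'secretKey');
} catch (err) {
  console.log(err);
}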

jwt.header:

{
  "alg": "HS256",
  "typ": "JWT"
}

payload:

{
  "filePath": "path",
  "iat": 1557833831,
  "exp": 1557920231
}

When I tested the code snippet mentioned above in my real app, I got an error message:

jwt expired

Using the jwt debugger, the token is valid and should expire after 24h. The error is returned by verify(), which checks the expiration. How does jwt check the expiration? Or does it not check it?

Slim asked Oct 28 '22 14:10

1 Answer

So since the question is how jwt checks the expiration date: it basically depends on some properties that may be implemented according to the JWT RFC.

One would be exp. If a token expires before the current datetime, then the JWT cannot be processed.

The "exp" (expiration time) claim identifies the expiration time on or after which the JWT MUST NOT be accepted for processing. The processing of the "exp" claim requires that the current date/time MUST be before the expiration date/time listed in the "exp" claim.

Implementers MAY provide for some small leeway, usually no more than a few minutes, to account for clock skew. Its value MUST be a number containing a NumericDate value. Use of this claim is OPTIONAL.

Another one to note would be iat, which stands for issued at.

The "iat" (issued at) claim identifies the time at which the JWT was issued. This claim can be used to determine the age of the JWT. Its value MUST be a number containing a NumericDate value. Use of this claim is OPTIONAL.

A final one that could be used for time verification, as far as I am aware, would be nbf, standing for not before.

The "nbf" (not before) claim identifies the time before which the JWT MUST NOT be accepted for processing. The processing of the "nbf" claim requires that the current date/time MUST be after or equal to the not-before date/time listed in the "nbf" claim. Implementers MAY provide for some small leeway, usually no more than a few minutes, to account for clock skew. Its value MUST be a number containing a NumericDate value. Use of this claim is OPTIONAL.

Now, for the code at hand, I don't see anything which is off. With the following setup, this works perfectly fine for me:

const jwt = require('jsonwebtoken');

const token = jwt.sign({
  hello: 'world'
}, 'myverysecretkey', {
  expiresIn: '24h'
});

try {
  const verify = jwt.verify(token, 'myverysecretkey');
  console.log(verify);
} catch (err) {
  console.error(err);
}

which would output

Object {hello: "world", iat: 1557840459, exp: 1557926859}

This can be validated on the codesandbox link

Icepickle answered Oct 31 '22 08:10
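The exp and nbf rules quoted from the RFC in the answer above, written out as an added example (not part of the original answer and not jsonwebtoken's own code). It is a minimal HS256 signer and verifier on Node's built-in crypto module; the option names `now` and `leeway` are hypothetical, and the sample token is constructed from the iat/exp values shown in the question.

```javascript
// Added example, not jsonwebtoken's source: a minimal HS256 verifier showing the time checks.
const crypto = require('crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');
const hmac = (data, secret) => crypto.createHmac('sha256', secret).update(data).digest();
const decode = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

// Build a token with explicit iat/exp so the example is deterministic.
function sign(payload, secret) {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(payload));
  return `${head}.${body}.${b64url(hmac(`${head}.${body}`, secret))}`;
}

// now and leeway (hypothetical option names) are in seconds, like exp and nbf.
function verify(token, secret, { now = Math.floor(Date.now() / 1000), leeway = 0 } = {}) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('jwt malformed');
  const [head, body, sig] = parts;
  if (decode(head).alg !== 'HS256') throw new Error('invalid algorithm'); // pin the algorithm
  const expected = hmac(`${head}.${body}`, secret);
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    throw new Error('invalid signature');
  }
  const claims = decode(body); // claims are trusted only after the signature check
  for (const name of ['exp', 'nbf']) {
    if (claims[name] !== undefined && typeof claims[name] !== 'number') throw new Error(`invalid ${name}`);
  }
  // RFC 7519: reject before nbf, and on or after exp; leeway absorbs clock skew.
  if (claims.nbf !== undefined && now < claims.nbf - leeway) throw new Error('jwt not active');
  if (claims.exp !== undefined && now >= claims.exp + leeway) throw new Error('jwt expired');
  return claims;
}

// Returns 'ok' or the error message for a verification at a given clock value.
function outcome(token, secret, opts) {
  try { verify(token, secret, opts); return 'ok'; } catch (err) { return err.message; }
}

// Constructed sample using the iat/exp values from the question (exp - iat = 86400 s).
const IAT = 1557833831, EXP = 1557920231;
const token = sign({ filePath: 'path/to/file', iat: IAT, exp: EXP }, 'secretKey');

console.log(outcome(token, 'secretKey', { now: IAT }));                  // ok
console.log(outcome(token, 'secretKey', { now: EXP }));                  // jwt expired
console.log(outcome(token, 'secretKey', { now: EXP + 30, leeway: 60 })); // ok
```

The comparison is always against the verifier's clock, so a correctly signed 24h token is rejected when that clock is at or past exp. In jsonwebtoken, the corresponding verify() options are clockTolerance and clockTimestamp.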