Skip to content

Commit 6e117a9

Browse files
Allow 10-second leeway when decoding tokens (#27)
* allow 10-second leeway when decoding tokens * Bump VERSION to 0.2.0 Co-authored-by: Julia Allen <julia.l.allen@gsa.gov>
1 parent 756300d commit 6e117a9

3 files changed

Lines changed: 20 additions & 2 deletions

File tree

lib/omniauth/login_dot_gov/id_token.rb

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -38,7 +38,8 @@ def decoded_id_token
3838
id_token,
3939
client.idp_configuration.public_key,
4040
true,
41-
algorithm: 'RS256'
41+
algorithm: 'RS256',
42+
leeway: 10
4243
).first
4344
end
4445
end
Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
11
module OmniAuth
22
module LoginDotGov
3-
VERSION = '0.1.2'.freeze
3+
VERSION = '0.2.0'.freeze
44
end
55
end

spec/omniauth/login_dot_gov/id_token_spec.rb

Lines changed: 17 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -35,5 +35,22 @@
3535
)
3636
end
3737
end
38+
context 'when the token nbf is within 10 seconds past decoding time' do
39+
let(:jwt) { JWT.encode({ nbf: Time.now.to_i + 10, nonce: jwt_nonce }, IdpFixtures.private_key, 'RS256') }
40+
41+
it 'allows 10 seconds of leeway' do
42+
expect(subject.verify_nonce(session_nonce_digest)).to eq true
43+
end
44+
end
45+
46+
context 'when the token nbf is not within 10 seconds past decoding time' do
47+
let(:jwt) { JWT.encode({ nbf: Time.now.to_i + 11, nonce: jwt_nonce }, IdpFixtures.private_key, 'RS256') }
48+
49+
it 'raises ImmatureSignature error' do
50+
expect { subject.verify_nonce(session_nonce_digest) }.to raise_error(
51+
JWT::ImmatureSignature
52+
)
53+
end
54+
end
3855
end
3956
end

0 commit comments

Comments
 (0)