feat: add ignoreExpiration config to optionally bypass JWT expiration validation

Author: AdriaCarrera

apps/custom-issuer/.env.example

@@ -35,3 +35,6 @@ PORT=3000
 # If not set, CORS will be disabled (no cross-origin requests allowed)
 # Example: http://localhost:3000,https://example.com,https://app.example.com
 ALLOWED_ORIGINS=
+
+# If set to true, the service will not check the expiration time of incoming JWTs
+IGNORE_EXPIRATION=

apps/custom-issuer/src/config/issuer.config.ts

@@ -3,13 +3,15 @@ export type IssuerConfig = {
     validationPublicKeyUrl: string;
     validationIssuerUrl: string;
     issuerUrl: string;
+    ignoreExpiration: boolean;
 };
 
 export default (): IssuerConfig => {
     const keyBase64 = process.env.KEY_BASE64;
     const validationPublicKeyUrl = process.env.VALIDATION_PUBLIC_KEY_URL;
     const validationIssuerUrl = process.env.VALIDATION_ISSUER_URL;
     const issuerUrl = process.env.ISSUER_URL;
+    const ignoreExpiration = process.env.IGNORE_EXPIRATION === "true";
 
     if (!keyBase64 || keyBase64.trim() === "") {
         throw new Error(
@@ -57,5 +59,6 @@ export default (): IssuerConfig => {
         validationPublicKeyUrl: validationPublicKeyUrl.trim(),
         validationIssuerUrl: validationIssuerUrl.trim(),
         issuerUrl: issuerUrl.trim(),
+        ignoreExpiration,
     };
 };

apps/custom-issuer/src/modules/issuer/issuer.service.ts

@@ -11,6 +11,7 @@ import { Config } from "../../config";
 export class IssuerService {
     private readonly issuerUrl: string;
     private readonly validationIssuerUrl: string;
+    private readonly ignoreExpiration: boolean;
 
     constructor(
         private readonly keyService: KeyService,
@@ -33,6 +34,7 @@ export class IssuerService {
 
         this.issuerUrl = issuerConfig.issuerUrl;
         this.validationIssuerUrl = issuerConfig.validationIssuerUrl;
+        this.ignoreExpiration = issuerConfig.ignoreExpiration;
     }
 
     async issueToken(inputJwt: string, signPayload: number[]): Promise<string> {
@@ -48,6 +50,7 @@ export class IssuerService {
             try {
                 return jwt.verify(inputJwt, publicKey, {
                     algorithms: [JWT_ALGORITHM],
+                    ignoreExpiration: this.ignoreExpiration,
                 }) as jwt.JwtPayload;
             } catch (_) {}
         }
@@ -61,7 +64,9 @@ export class IssuerService {
 
         this.validateSubject(sub);
         this.validateIssuer(iss);
-        this.validateTimeClaims(exp, nbf);
+        if (!this.ignoreExpiration) {
+            this.validateTimeClaims(exp, nbf);
+        }
 
         return { sub, exp, nbf, fatxn: signPayload };
     }

infra/chart/values/staging.yaml

@@ -49,6 +49,7 @@ customIssuer:
             validationIssuerUrl: VALIDATION_ISSUER_URL
             issuerUrl: ISSUER_URL
             allowedOrigins: ALLOWED_ORIGINS
+            ignoreExpiration: IGNORE_EXPIRATION
 
 attester:
     enabled: true