Skip to content

Comments

Fix broken JWT expiration check in SEP-10 authentication#226

Open
CassioMG wants to merge 2 commits intorelease/1.10.0from
bugfix/token-exp-validation
Open

Fix broken JWT expiration check in SEP-10 authentication#226
CassioMG wants to merge 2 commits intorelease/1.10.0from
bugfix/token-exp-validation

Conversation

@CassioMG
Copy link
Contributor

@CassioMG CassioMG commented Feb 20, 2026

Fix broken JWT expiration check in SEP-10 authentication

Summary

The validateToken function in the SEP-10 auth flow never rejected expired tokens. This was caused by accessing a non-existent property on the decoded JWT object, which silently evaluated to undefined — and since undefined < number is always false in JavaScript, the expiration check was a no-op.

Bug

jws.decode() returns { header, payload, signature }, but the code was reading parsedToken.expiresAt — a property that doesn't exist on the decoded object. The exp claim actually lives at parsedToken.payload.exp.

Before (broken):

if (parsedToken.expiresAt < Math.floor(Date.now() / 1000)) {
  throw new ExpiredTokenError(parsedToken.expiresAt);
}

After (fixed):

const exp = parsedToken.payload?.exp;
if (exp && exp < Math.floor(Date.now() / 1000)) {
  throw new ExpiredTokenError(exp);
}

Notably, AuthToken.from() in Types/auth.ts already reads decoded.payload.exp correctly thus returning a token with a valid expiresAt value.

Copilot AI reviewed Feb 20, 2026
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This pull request fixes a critical security bug in the SEP-10 authentication flow where JWT token expiration was never validated due to accessing a non-existent property on the decoded JWT object.

Changes:

  • Fixed JWT expiration validation to correctly access parsedToken.payload.exp instead of the non-existent parsedToken.expiresAt
  • Exported validateToken function with @internal JSDoc annotation for testing purposes
  • Added stripInternal: true to tsconfig.json to prevent internal APIs from appearing in public type declarations
  • Added comprehensive test suite for JWT decoding and token validation

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File Description
@stellar/typescript-wallet-sdk/src/walletSdk/Auth/index.ts Fixed JWT expiration check to access correct property path and exported validateToken for testing
@stellar/typescript-wallet-sdk/test/auth.test.ts Added comprehensive tests for JWT structure and token validation including expiration checks
@stellar/typescript-wallet-sdk/tsconfig.json Added stripInternal flag to exclude @internal APIs from type declarations

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@CassioMG CassioMG self-assigned this Feb 20, 2026
@CassioMG CassioMG requested a review from Copilot February 20, 2026 20:31
Copilot AI reviewed Feb 20, 2026
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated no new comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@piyalbasu piyalbasu Awaiting requested review from piyalbasu

Assignees

@CassioMG CassioMG

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@CassioMG