Merge pull request auth0#104 from auth0/leeway-seconds

lbalmaceda · web-flow · commit 5b80b285d4ed · 2016-11-21T12:58:08.000-03:00
Receive Leeway as seconds
diff --git a/README.md b/README.md
@@ -125,20 +125,20 @@ The JWT token may include DateNumber fields that can be used to validate that:
 
 When verifying a token the time validation occurs automatically, resulting in a `JWTVerificationException` being throw when the values are invalid. If any of the previous fields are missing they won't be considered in this validation.
 
-To specify a **leeway window** in which the Token should still be considered valid, use the `acceptLeeway()` method in the `JWTVerifier` builder and pass a positive milliseconds value. This applies to every item listed above.
+To specify a **leeway window** in which the Token should still be considered valid, use the `acceptLeeway()` method in the `JWTVerifier` builder and pass a positive seconds value. This applies to every item listed above.
 
 ```java
 JWTVerifier verifier = JWT.require(Algorithm.RSA256(key))
-    .acceptLeeway(100) //nbf, iat and exp
+    .acceptLeeway(1) // 1 sec for nbf, iat and exp
     .build();
 ```
 
 You can also specify a custom value for a given Date claim and override the default one for only that claim.
 
 ```java
 JWTVerifier verifier = JWT.require(Algorithm.RSA256(key))
-    .acceptLeeway(100)   //nbf and iat
-    .acceptExpiresAt(500)   //exp
+    .acceptLeeway(1)   //1 sec for nbf and iat
+    .acceptExpiresAt(5)   //5 secs for exp
     .build();
 ```
 
diff --git a/lib/src/main/java/com/auth0/jwt/JWTVerifier.java b/lib/src/main/java/com/auth0/jwt/JWTVerifier.java
@@ -91,7 +91,7 @@ public Verification withAudience(String... audience) {
          * Define the default window in milliseconds in which the Not Before, Issued At and Expires At Claims will still be valid.
          * Setting a specific leeway value on a given Claim will override this value for that Claim.
          *
-         * @param leeway the window in milliseconds in which the Not Before, Issued At and Expires At Claims will still be valid.
+         * @param leeway the window in seconds in which the Not Before, Issued At and Expires At Claims will still be valid.
          * @return this same Verification instance.
          * @throws IllegalArgumentException if leeway is negative.
          */
@@ -104,10 +104,10 @@ public Verification acceptLeeway(long leeway) throws IllegalArgumentException {
         }
 
         /**
-         * Set a specific leeway window in milliseconds in which the Expires At ("exp") Claim will still be valid.
+         * Set a specific leeway window in seconds in which the Expires At ("exp") Claim will still be valid.
          * Expiration Date is always verified when the value is present. This method overrides the value set with acceptLeeway
          *
-         * @param leeway the window in milliseconds in which the Expires At Claim will still be valid.
+         * @param leeway the window in seconds in which the Expires At Claim will still be valid.
          * @return this same Verification instance.
          * @throws IllegalArgumentException if leeway is negative.
          */
@@ -120,10 +120,10 @@ public Verification acceptExpiresAt(long leeway) throws IllegalArgumentException
         }
 
         /**
-         * Set a specific leeway window in milliseconds in which the Not Before ("nbf") Claim will still be valid.
+         * Set a specific leeway window in seconds in which the Not Before ("nbf") Claim will still be valid.
          * Not Before Date is always verified when the value is present. This method overrides the value set with acceptLeeway
          *
-         * @param leeway the window in milliseconds in which the Not Before Claim will still be valid.
+         * @param leeway the window in seconds in which the Not Before Claim will still be valid.
          * @return this same Verification instance.
          * @throws IllegalArgumentException if leeway is negative.
          */
@@ -136,10 +136,10 @@ public Verification acceptNotBefore(long leeway) throws IllegalArgumentException
         }
 
         /**
-         * Set a specific leeway window in milliseconds in which the Issued At ("iat") Claim will still be valid.
+         * Set a specific leeway window in seconds in which the Issued At ("iat") Claim will still be valid.
          * Issued At Date is always verified when the value is present. This method overrides the value set with acceptLeeway
          *
-         * @param leeway the window in milliseconds in which the Issued At Claim will still be valid.
+         * @param leeway the window in seconds in which the Issued At Claim will still be valid.
          * @return this same Verification instance.
          * @throws IllegalArgumentException if leeway is negative.
          */
@@ -201,11 +201,11 @@ public JWTVerifier build() {
          * @return a new JWTVerifier instance with a custom Clock.
          */
         JWTVerifier build(Clock clock) {
-            addDeltaToDateClaims();
+            addLeewayToDateClaims();
             return new JWTVerifier(algorithm, claims, clock);
         }
 
-        private void addDeltaToDateClaims() {
+        private void addLeewayToDateClaims() {
             if (!claims.containsKey(PublicClaims.EXPIRES_AT)) {
                 claims.put(PublicClaims.EXPIRES_AT, defaultLeeway);
             }
@@ -312,14 +312,15 @@ private void assertValidStringClaim(String claimName, String value, String expec
 
     private void assertValidDateClaim(Date date, long leeway, boolean shouldBeFuture) {
         Date today = clock.getToday();
+        today.setTime((long) Math.floor((today.getTime() / 1000) * 1000)); //truncate millis
         boolean isValid;
         String errMessage;
         if (shouldBeFuture) {
-            today.setTime(today.getTime() - leeway);
+            today.setTime(today.getTime() - leeway * 1000);
             isValid = date == null || !today.after(date);
             errMessage = String.format("The Token has expired on %s.", date);
         } else {
-            today.setTime(today.getTime() + leeway);
+            today.setTime(today.getTime() + leeway * 1000);
             isValid = date == null || !today.before(date);
             errMessage = String.format("The Token can't be used before %s.", date);
         }
diff --git a/lib/src/test/java/com/auth0/jwt/JWTVerifierTest.java b/lib/src/test/java/com/auth0/jwt/JWTVerifierTest.java
@@ -338,11 +338,11 @@ public void shouldThrowOnNegativeCustomLeeway() throws Exception {
     @Test
     public void shouldValidateExpiresAtWithLeeway() throws Exception {
         Clock clock = mock(Clock.class);
-        when(clock.getToday()).thenReturn(new Date(DATE_TOKEN_MS_VALUE + 299));
+        when(clock.getToday()).thenReturn(new Date(DATE_TOKEN_MS_VALUE + 1000));
 
         String token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0Nzc1OTJ9.isvT0Pqx0yjnZk53mUFSeYFJLDs-Ls9IsNAm86gIdZo";
         JWT jwt = JWTVerifier.init(Algorithm.HMAC256("secret"))
-                .acceptExpiresAt(300)
+                .acceptExpiresAt(2)
                 .build(clock)
                 .verify(token);
 
@@ -367,7 +367,7 @@ public void shouldThrowOnInvalidExpiresAtIfPresent() throws Exception {
         exception.expect(InvalidClaimException.class);
         exception.expectMessage(startsWith("The Token has expired on"));
         Clock clock = mock(Clock.class);
-        when(clock.getToday()).thenReturn(new Date(DATE_TOKEN_MS_VALUE + 10));
+        when(clock.getToday()).thenReturn(new Date(DATE_TOKEN_MS_VALUE + 1000));
 
         String token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0Nzc1OTJ9.isvT0Pqx0yjnZk53mUFSeYFJLDs-Ls9IsNAm86gIdZo";
         JWTVerifier.init(Algorithm.HMAC256("secret"))
@@ -388,11 +388,11 @@ public void shouldThrowOnNegativeExpiresAtLeeway() throws Exception {
     @Test
     public void shouldValidateNotBeforeWithLeeway() throws Exception {
         Clock clock = mock(Clock.class);
-        when(clock.getToday()).thenReturn(new Date(DATE_TOKEN_MS_VALUE - 299));
+        when(clock.getToday()).thenReturn(new Date(DATE_TOKEN_MS_VALUE - 1000));
 
         String token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE0Nzc1OTJ9.wq4ZmnSF2VOxcQBxPLfeh1J2Ozy1Tj5iUaERm3FKaw8";
         JWT jwt = JWTVerifier.init(Algorithm.HMAC256("secret"))
-                .acceptNotBefore(300)
+                .acceptNotBefore(2)
                 .build(clock)
                 .verify(token);
 
@@ -404,7 +404,7 @@ public void shouldThrowOnInvalidNotBeforeIfPresent() throws Exception {
         exception.expect(InvalidClaimException.class);
         exception.expectMessage(startsWith("The Token can't be used before"));
         Clock clock = mock(Clock.class);
-        when(clock.getToday()).thenReturn(new Date(DATE_TOKEN_MS_VALUE - 10));
+        when(clock.getToday()).thenReturn(new Date(DATE_TOKEN_MS_VALUE - 1000));
 
         String token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE0Nzc1OTJ9.wq4ZmnSF2VOxcQBxPLfeh1J2Ozy1Tj5iUaERm3FKaw8";
         JWTVerifier.init(Algorithm.HMAC256("secret"))
@@ -438,11 +438,11 @@ public void shouldThrowOnNegativeNotBeforeLeeway() throws Exception {
     @Test
     public void shouldValidateIssuedAtWithLeeway() throws Exception {
         Clock clock = mock(Clock.class);
-        when(clock.getToday()).thenReturn(new Date(DATE_TOKEN_MS_VALUE - 299));
+        when(clock.getToday()).thenReturn(new Date(DATE_TOKEN_MS_VALUE - 1000));
 
         String token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE0Nzc1OTJ9.0WJky9eLN7kuxLyZlmbcXRL3Wy8hLoNCEk5CCl2M4lo";
         JWT jwt = JWTVerifier.init(Algorithm.HMAC256("secret"))
-                .acceptIssuedAt(300)
+                .acceptIssuedAt(2)
                 .build(clock)
                 .verify(token);
 
@@ -454,7 +454,7 @@ public void shouldThrowOnInvalidIssuedAtIfPresent() throws Exception {
         exception.expect(InvalidClaimException.class);
         exception.expectMessage(startsWith("The Token can't be used before"));
         Clock clock = mock(Clock.class);
-        when(clock.getToday()).thenReturn(new Date(DATE_TOKEN_MS_VALUE - 10));
+        when(clock.getToday()).thenReturn(new Date(DATE_TOKEN_MS_VALUE - 1000));
 
         String token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE0Nzc1OTJ9.0WJky9eLN7kuxLyZlmbcXRL3Wy8hLoNCEk5CCl2M4lo";
         JWTVerifier.init(Algorithm.HMAC256("secret"))
