add time claims verification in the isExpired method.

lbalmaceda · lbalmaceda · commit 8b676c093013 · 2016-11-08T15:24:37.000-03:00
diff --git a/lib/src/main/java/com/auth0/jwt/JWTDecoder.java b/lib/src/main/java/com/auth0/jwt/JWTDecoder.java
@@ -112,7 +112,15 @@ public String getSignature() {
 
     @Override
     public boolean isExpired() {
-        //TODO: Add advanced validation
-        return false;
+        final Date iat = getIssuedAt();
+        final Date nbf = getNotBefore();
+        final Date exp = getExpiresAt();
+        final Date today = new Date();
+
+        boolean issuedAtValid = iat == null || iat.before(today);
+        boolean notBeforeValid = nbf == null || nbf.after(today);
+        boolean expiresAtValid = exp == null || exp.after(today);
+
+        return !issuedAtValid || !notBeforeValid || !expiresAtValid;
     }
 }
diff --git a/lib/src/main/java/com/auth0/jwt/impl/PayloadDeserializer.java b/lib/src/main/java/com/auth0/jwt/impl/PayloadDeserializer.java
@@ -64,7 +64,7 @@ String[] getStringOrArray(Map<String, JsonNode> tree, String claimName) throws J
         return arr;
     }
 
-    private Date getDate(Map<String, JsonNode> tree, String claimName) {
+    Date getDate(Map<String, JsonNode> tree, String claimName) {
         JsonNode node = tree.get(claimName);
         if (node == null || node.isNull() || !node.canConvertToLong()) {
             return null;
@@ -73,7 +73,7 @@ private Date getDate(Map<String, JsonNode> tree, String claimName) {
         return new Date(ms);
     }
 
-    private String getString(Map<String, JsonNode> tree, String claimName) {
+    String getString(Map<String, JsonNode> tree, String claimName) {
         JsonNode node = tree.get(claimName);
         if (node == null || node.isNull()) {
             return null;
diff --git a/lib/src/main/java/com/auth0/jwt/interfaces/JWT.java b/lib/src/main/java/com/auth0/jwt/interfaces/JWT.java
@@ -5,6 +5,11 @@
  */
 public interface JWT extends Payload, Header, Signature {
 
-    //TODO replace with advanced validations
+    /**
+     * Tests whether this token's DateTime values IssuedAt, ExpiresAt and NotBefore are time valid.
+     * If any of them are missing they won't be taken into account. If the token it's expired it shouldn't be used.
+     *
+     * @return whether the token should be used or not.
+     */
     boolean isExpired();
 }
diff --git a/lib/src/test/java/com/auth0/jwt/JWTDecoderTest.java b/lib/src/test/java/com/auth0/jwt/JWTDecoderTest.java
@@ -1,6 +1,5 @@
 package com.auth0.jwt;
 
-import com.auth0.jwt.JWTDecoder;
 import com.auth0.jwt.exceptions.JWTDecodeException;
 import com.auth0.jwt.impl.BaseClaim;
 import com.auth0.jwt.interfaces.Claim;
@@ -175,42 +174,46 @@ public void shouldGetType() throws Exception {
     }
 
     @Test
-    @Ignore("Pending implementation")
     public void shouldBeExpired() throws Exception {
         long pastSeconds = System.currentTimeMillis() / 1000;
         long futureSeconds = (System.currentTimeMillis() + 10000) / 1000;
 
-        JWT issuedAndExpiresInTheFuture = customTimeJWT(futureSeconds, futureSeconds);
+        JWT issuedAndExpiresInTheFuture = customTimeJWT(futureSeconds, futureSeconds, futureSeconds);
         assertTrue(issuedAndExpiresInTheFuture.isExpired());
-        JWT issuedInTheFuture = customTimeJWT(futureSeconds, null);
+        JWT issuedInTheFuture = customTimeJWT(futureSeconds, null, null);
         assertTrue(issuedInTheFuture.isExpired());
 
-        JWT issuedAndExpiresInThePast = customTimeJWT(pastSeconds, pastSeconds);
+        JWT issuedAndExpiresInThePast = customTimeJWT(pastSeconds, pastSeconds, pastSeconds);
         assertTrue(issuedAndExpiresInThePast.isExpired());
-        JWT expiresInThePast = customTimeJWT(null, pastSeconds);
+        JWT expiresInThePast = customTimeJWT(null, pastSeconds, null);
         assertTrue(expiresInThePast.isExpired());
 
-        JWT issuedInTheFutureExpiresInThePast = customTimeJWT(futureSeconds, pastSeconds);
+        JWT issuedInTheFutureExpiresInThePast = customTimeJWT(futureSeconds, pastSeconds, pastSeconds);
         assertTrue(issuedInTheFutureExpiresInThePast.isExpired());
+
+        JWT notBeforeThePast = customTimeJWT(null, null, pastSeconds);
+        assertTrue(notBeforeThePast.isExpired());
     }
 
     @Test
-    @Ignore("Pending implementation")
     public void shouldNotBeExpired() throws Exception {
         long pastSeconds = System.currentTimeMillis() / 1000;
         long futureSeconds = (System.currentTimeMillis() + 10000) / 1000;
 
-        JWT missingDates = customTimeJWT(null, null);
+        JWT missingDates = customTimeJWT(null, null, null);
         assertFalse(missingDates.isExpired());
 
-        JWT issuedInThePastExpiresInTheFuture = customTimeJWT(pastSeconds, futureSeconds);
+        JWT issuedInThePastExpiresInTheFuture = customTimeJWT(pastSeconds, futureSeconds, futureSeconds);
         assertFalse(issuedInThePastExpiresInTheFuture.isExpired());
 
-        JWT issuedInThePast = customTimeJWT(pastSeconds, null);
+        JWT issuedInThePast = customTimeJWT(pastSeconds, null, null);
         assertFalse(issuedInThePast.isExpired());
 
-        JWT expiresInTheFuture = customTimeJWT(null, futureSeconds);
+        JWT expiresInTheFuture = customTimeJWT(null, futureSeconds, null);
         assertFalse(expiresInTheFuture.isExpired());
+
+        JWT notBeforeTheFuture = customTimeJWT(null, null, futureSeconds);
+        assertFalse(notBeforeTheFuture.isExpired());
     }
 
     //Private PublicClaims
@@ -241,17 +244,23 @@ public void shouldGetNullClaimIfClaimValueIsNull() throws Exception {
 
     //Helper Methods
 
-    private JWT customTimeJWT(Long iat, Long exp) {
+    private JWT customTimeJWT(Long iat, Long exp, Long nbf) {
         String header = base64Encode("{}");
         StringBuilder bodyBuilder = new StringBuilder("{");
         if (iat != null) {
-            bodyBuilder.append("\"iat\":\"").append(iat.longValue()).append("\"");
+            bodyBuilder.append("\"iat\":").append(iat.longValue());
         }
         if (exp != null) {
             if (iat != null) {
                 bodyBuilder.append(",");
             }
-            bodyBuilder.append("\"exp\":\"").append(exp.longValue()).append("\"");
+            bodyBuilder.append("\"exp\":").append(exp.longValue());
+        }
+        if (nbf != null) {
+            if (iat != null || exp != null) {
+                bodyBuilder.append(",");
+            }
+            bodyBuilder.append("\"nbf\":").append(nbf.longValue());
         }
         bodyBuilder.append("}");
         String body = base64Encode(bodyBuilder.toString());
diff --git a/lib/src/test/java/com/auth0/jwt/JWTTest.java b/lib/src/test/java/com/auth0/jwt/JWTTest.java
@@ -284,4 +284,15 @@ public void shouldGetType() throws Exception {
         assertThat(jwt, is(notNullValue()));
         assertThat(jwt.getType(), is("JWS"));
     }
+
+    @Test
+    public void shouldGetIfItsExpired() throws Exception {
+        String token = "eyJhbGciOiJIUzI1NiJ9.eyJleHAiOjE0NzY3MjcwODZ9.L9dcPHEDQew2u9MkDCORFkfDGcSOsgoPqNY-LUMLEHg";
+        JWT jwt = JWT.require(Algorithm.HMAC256("secret"))
+                .build()
+                .verify(token);
+
+        assertThat(jwt, is(notNullValue()));
+        assertThat(jwt.isExpired(), is(true));
+    }
 }
diff --git a/lib/src/test/java/com/auth0/jwt/impl/PayloadDeserializerTest.java b/lib/src/test/java/com/auth0/jwt/impl/PayloadDeserializerTest.java
@@ -13,10 +13,7 @@
 import org.junit.Test;
 import org.junit.rules.ExpectedException;
 
-import java.util.ArrayList;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
+import java.util.*;
 
 import static org.hamcrest.Matchers.*;
 import static org.hamcrest.collection.IsArrayContainingInOrder.arrayContaining;
@@ -126,4 +123,76 @@ public void shouldGetNullArrayWhenParsingNonArrayOrTextNode() throws Exception {
         assertThat(values, is(nullValue()));
     }
 
+
+    @Test
+    public void shouldGetNullDateWhenParsingNullNode() throws Exception {
+        Map<String, JsonNode> tree = new HashMap<>();
+        NullNode node = NullNode.getInstance();
+        tree.put("key", node);
+
+        Date date = deserializer.getDate(tree, "key");
+        assertThat(date, is(nullValue()));
+    }
+
+    @Test
+    public void shouldGetNullDateWhenParsingNull() throws Exception {
+        Map<String, JsonNode> tree = new HashMap<>();
+        tree.put("key", null);
+
+        Date date = deserializer.getDate(tree, "key");
+        assertThat(date, is(nullValue()));
+    }
+
+    @Test
+    public void shouldGetNullDateWhenParsingNonNumericNode() throws Exception {
+        Map<String, JsonNode> tree = new HashMap<>();
+        TextNode node = new TextNode("123456789");
+        tree.put("key", node);
+
+        Date date = deserializer.getDate(tree, "key");
+        assertThat(date, is(nullValue()));
+    }
+
+    @Test
+    public void shouldGetDateWhenParsingNumericNode() throws Exception {
+        Map<String, JsonNode> tree = new HashMap<>();
+        long seconds = 1478627949 / 1000;
+        LongNode node = new LongNode(seconds);
+        tree.put("key", node);
+
+        Date date = deserializer.getDate(tree, "key");
+        assertThat(date, is(notNullValue()));
+        assertThat(date.getTime(), is(seconds * 1000));
+    }
+
+    @Test
+    public void shouldGetNullStringWhenParsingNullNode() throws Exception {
+        Map<String, JsonNode> tree = new HashMap<>();
+        NullNode node = NullNode.getInstance();
+        tree.put("key", node);
+
+        String text = deserializer.getString(tree, "key");
+        assertThat(text, is(nullValue()));
+    }
+
+    @Test
+    public void shouldGetNullStringWhenParsingNull() throws Exception {
+        Map<String, JsonNode> tree = new HashMap<>();
+        tree.put("key", null);
+
+        String text = deserializer.getString(tree, "key");
+        assertThat(text, is(nullValue()));
+    }
+
+    @Test
+    public void shouldGetStringWhenParsingTextNode() throws Exception {
+        Map<String, JsonNode> tree = new HashMap<>();
+        TextNode node = new TextNode("something here");
+        tree.put("key", node);
+
+        String text = deserializer.getString(tree, "key");
+        assertThat(text, is(notNullValue()));
+        assertThat(text, is("something here"));
+    }
+
 }
