Merge pull request auth0#94 from auth0/verify-time-values

lbalmaceda · web-flow · commit de7f6b29420e · 2016-11-09T19:13:15.000-03:00
Add time Claims verification with the isExpired method.
diff --git a/README.md b/README.md
@@ -87,6 +87,33 @@ If the token has an invalid syntax or the header or payload are not JSONs, a `JW
 If the token has an invalid signature or the Claim requirement is not met, a `JWTVerificationException` will raise.
 
 
+#### Time Validation
+
+The JWT token may include DateNumber fields that can be used to validate that:
+* The token was issued in a past date `"iat" < TODAY`
+* The token hasn't expired yet `"exp" > TODAY` and
+* The token can already be used. `"nbf" > TODAY`
+
+When verifying a token the time validation occurs automatically, resulting in a `JWTVerificationException` being throw when the values are invalid. If any of the previous fields are missing they won't be considered in this validation.
+
+To specify a **delta window** or leeway in which the Token should still be considered valid, use the `acceptTimeDelta()` method in the `JWTVerifier` builder and pass a positive milliseconds value. This applies to every item listed above.
+
+```java
+JWTVerifier verifier = JWT.require(Algorithm.RSA256(key))
+    .acceptTimeDelta(100) //nbf, iat and exp
+    .build();
+```
+
+You can also specify a custom value for a given Date claim and override the default one for only that claim.
+
+```java
+JWTVerifier verifier = JWT.require(Algorithm.RSA256(key))
+    .acceptTimeDelta(100)   //nbf and iat
+    .acceptExpiresAt(500)   //exp
+    .build();
+```
+
+
 ### Registered Claims
 
 #### Issuer ("iss")
@@ -145,14 +172,6 @@ Returns the JWT ID value or null if it's not defined.
 String id = jwt.getId();
 ```
 
-#### Time Validation
-
-The JWT token may include DateNumber fields that can be used to validate that the token was issued in a past date `"iat" < TODAY` and that the expiration date is in the future `"exp" > TODAY`. This library includes a method that checks both of this fields and returns the validity of the token. If any of the fields is missing they won't be considered.
-
-```java
-boolean isExpired = jwt.isExpired();
-```
-
 ### Private Claims
 
 Additional Claims defined in the token can be obtained by calling `getClaim()` and passing the Claim name. A Claim will always be returned, even if it can't be found.
diff --git a/lib/src/main/java/com/auth0/jwt/Clock.java b/lib/src/main/java/com/auth0/jwt/Clock.java
@@ -0,0 +1,21 @@
+package com.auth0.jwt;
+
+import java.util.Date;
+
+/**
+ * The Clock class is used to wrap calls to Date class.
+ */
+class Clock {
+
+    Clock() {
+    }
+
+    /**
+     * Returns a new Date representing Today's time.
+     *
+     * @return a new Date representing Today's time.
+     */
+    Date getToday() {
+        return new Date();
+    }
+}
diff --git a/lib/src/main/java/com/auth0/jwt/JWT.java b/lib/src/main/java/com/auth0/jwt/JWT.java
@@ -37,11 +37,6 @@ public static JWTVerifier.Verification require(Algorithm algorithm) throws Illeg
         return JWTVerifier.init(algorithm);
     }
 
-    @Override
-    public boolean isExpired() {
-        return jwt.isExpired();
-    }
-
     @Override
     public String getSignature() {
         return jwt.getSignature();
diff --git a/lib/src/main/java/com/auth0/jwt/JWTDecoder.java b/lib/src/main/java/com/auth0/jwt/JWTDecoder.java
@@ -110,9 +110,4 @@ public String getSignature() {
         return signature;
     }
 
-    @Override
-    public boolean isExpired() {
-        //TODO: Add advanced validation
-        return false;
-    }
 }
diff --git a/lib/src/main/java/com/auth0/jwt/JWTVerifier.java b/lib/src/main/java/com/auth0/jwt/JWTVerifier.java
@@ -12,10 +12,12 @@
 class JWTVerifier {
     private final Algorithm algorithm;
     final Map<String, Object> claims;
+    private final Clock clock;
 
-    private JWTVerifier(Algorithm algorithm, Map<String, Object> claims) {
+    private JWTVerifier(Algorithm algorithm, Map<String, Object> claims, Clock clock) {
         this.algorithm = algorithm;
         this.claims = Collections.unmodifiableMap(claims);
+        this.clock = clock;
     }
 
     /**
@@ -35,6 +37,7 @@ static JWTVerifier.Verification init(Algorithm algorithm) throws IllegalArgument
     static class Verification {
         private final Algorithm algorithm;
         private final Map<String, Object> claims;
+        private long defaultDelta;
 
         Verification(Algorithm algorithm) throws IllegalArgumentException {
             if (algorithm == null) {
@@ -43,6 +46,7 @@ static class Verification {
 
             this.algorithm = algorithm;
             this.claims = new HashMap<>();
+            this.defaultDelta = 0;
         }
 
         /**
@@ -76,32 +80,66 @@ public Verification withAudience(String[] audience) {
         }
 
         /**
-         * Require a specific Expires At ("exp") claim.
+         * Define the default window in milliseconds in which the Not Before, Issued At and Expires At Claims will still be valid.
+         * Setting a specific delta value on a given Claim will override this value for that Claim.
          *
+         * @param delta the window in milliseconds in which the Not Before, Issued At and Expires At Claims will still be valid.
          * @return this same Verification instance.
+         * @throws IllegalArgumentException if delta is negative.
          */
-        public Verification withExpiresAt(Date expiresAt) {
-            requireClaim(PublicClaims.EXPIRES_AT, expiresAt);
+        public Verification acceptTimeDelta(long delta) throws IllegalArgumentException {
+            if (delta < 0) {
+                throw new IllegalArgumentException("Delta value can't be negative.");
+            }
+            this.defaultDelta = delta;
+            return this;
+        }
+
+        /**
+         * Set a specific delta window in milliseconds in which the Expires At ("exp") Claim will still be valid.
+         * Expiration Date is always verified when the value is present. This method overrides the value set with acceptTimeDelta
+         *
+         * @param delta the window in milliseconds in which the Expires At Claim will still be valid.
+         * @return this same Verification instance.
+         * @throws IllegalArgumentException if delta is negative.
+         */
+        public Verification acceptExpiresAt(long delta) throws IllegalArgumentException {
+            if (delta < 0) {
+                throw new IllegalArgumentException("Delta value can't be negative.");
+            }
+            requireClaim(PublicClaims.EXPIRES_AT, delta);
             return this;
         }
 
         /**
-         * Require a specific Not Before ("nbf") claim.
+         * Set a specific delta window in milliseconds in which the Not Before ("nbf") Claim will still be valid.
+         * Not Before Date is always verified when the value is present. This method overrides the value set with acceptTimeDelta
          *
+         * @param delta the window in milliseconds in which the Not Before Claim will still be valid.
          * @return this same Verification instance.
+         * @throws IllegalArgumentException if delta is negative.
          */
-        public Verification withNotBefore(Date notBefore) {
-            requireClaim(PublicClaims.NOT_BEFORE, notBefore);
+        public Verification acceptNotBefore(long delta) throws IllegalArgumentException {
+            if (delta < 0) {
+                throw new IllegalArgumentException("Delta value can't be negative.");
+            }
+            requireClaim(PublicClaims.NOT_BEFORE, delta);
             return this;
         }
 
         /**
-         * Require a specific Issued At ("iat") claim.
+         * Set a specific delta window in milliseconds in which the Issued At ("iat") Claim will still be valid.
+         * Issued At Date is always verified when the value is present. This method overrides the value set with acceptTimeDelta
          *
+         * @param delta the window in milliseconds in which the Issued At Claim will still be valid.
          * @return this same Verification instance.
+         * @throws IllegalArgumentException if delta is negative.
          */
-        public Verification withIssuedAt(Date issuedAt) {
-            requireClaim(PublicClaims.ISSUED_AT, issuedAt);
+        public Verification acceptIssuedAt(long delta) throws IllegalArgumentException {
+            if (delta < 0) {
+                throw new IllegalArgumentException("Delta value can't be negative.");
+            }
+            requireClaim(PublicClaims.ISSUED_AT, delta);
             return this;
         }
 
@@ -121,7 +159,31 @@ public Verification withJWTId(String jwtId) {
          * @return a new JWTVerifier instance.
          */
         public JWTVerifier build() {
-            return new JWTVerifier(algorithm, claims);
+            return this.build(new Clock());
+        }
+
+        /**
+         * Creates a new and reusable instance of the JWTVerifier with the configuration already provided.
+         * ONLY FOR TEST PURPOSES.
+         *
+         * @param clock the instance that will handle the current time.
+         * @return a new JWTVerifier instance with a custom Clock.
+         */
+        JWTVerifier build(Clock clock) {
+            addDeltaToDateClaims();
+            return new JWTVerifier(algorithm, claims, clock);
+        }
+
+        private void addDeltaToDateClaims() {
+            if (!claims.containsKey(PublicClaims.EXPIRES_AT)) {
+                claims.put(PublicClaims.EXPIRES_AT, defaultDelta);
+            }
+            if (!claims.containsKey(PublicClaims.NOT_BEFORE)) {
+                claims.put(PublicClaims.NOT_BEFORE, defaultDelta);
+            }
+            if (!claims.containsKey(PublicClaims.ISSUED_AT)) {
+                claims.put(PublicClaims.ISSUED_AT, defaultDelta);
+            }
         }
 
         private void requireClaim(String name, Object value) {
@@ -167,19 +229,30 @@ private void verifyClaims(JWT jwt, Map<String, Object> claims) {
     }
 
     private void assertValidClaim(JWT jwt, String claimName, Object expectedValue) throws InvalidClaimException {
+        String errMessage = String.format("The Claim '%s' value doesn't match the required one.", claimName);
         boolean isValid;
         if (PublicClaims.AUDIENCE.equals(claimName)) {
             isValid = Arrays.equals(jwt.getAudience(), (String[]) expectedValue);
         } else if (PublicClaims.NOT_BEFORE.equals(claimName) || PublicClaims.EXPIRES_AT.equals(claimName) || PublicClaims.ISSUED_AT.equals(claimName)) {
-            Date dateValue = (Date) expectedValue;
-            isValid = dateValue.equals(jwt.getClaim(claimName).asDate());
+            long deltaValue = (long) expectedValue;
+            Date today = clock.getToday();
+            Date date = jwt.getClaim(claimName).asDate();
+            if (PublicClaims.EXPIRES_AT.equals(claimName)) {
+                today.setTime(today.getTime() - deltaValue);
+                isValid = date == null || !today.after(date);
+                errMessage = String.format("The Token has expired on %s.", date);
+            } else {
+                today.setTime(today.getTime() + deltaValue);
+                isValid = date == null || !today.before(date);
+                errMessage = String.format("The Token can't be used before %s.", date);
+            }
         } else {
             String stringValue = (String) expectedValue;
             isValid = stringValue.equals(jwt.getClaim(claimName).asString());
         }
 
         if (!isValid) {
-            throw new InvalidClaimException(String.format("The Claim '%s' value doesn't match the required one.", claimName));
+            throw new InvalidClaimException(errMessage);
         }
     }
 }
diff --git a/lib/src/main/java/com/auth0/jwt/impl/PayloadDeserializer.java b/lib/src/main/java/com/auth0/jwt/impl/PayloadDeserializer.java
@@ -64,7 +64,7 @@ String[] getStringOrArray(Map<String, JsonNode> tree, String claimName) throws J
         return arr;
     }
 
-    private Date getDate(Map<String, JsonNode> tree, String claimName) {
+    Date getDate(Map<String, JsonNode> tree, String claimName) {
         JsonNode node = tree.get(claimName);
         if (node == null || node.isNull() || !node.canConvertToLong()) {
             return null;
@@ -73,7 +73,7 @@ private Date getDate(Map<String, JsonNode> tree, String claimName) {
         return new Date(ms);
     }
 
-    private String getString(Map<String, JsonNode> tree, String claimName) {
+    String getString(Map<String, JsonNode> tree, String claimName) {
         JsonNode node = tree.get(claimName);
         if (node == null || node.isNull()) {
             return null;
diff --git a/lib/src/main/java/com/auth0/jwt/interfaces/JWT.java b/lib/src/main/java/com/auth0/jwt/interfaces/JWT.java
@@ -4,7 +4,4 @@
  * The JWT class represents a Json Web Token.
  */
 public interface JWT extends Payload, Header, Signature {
-
-    //TODO replace with advanced validations
-    boolean isExpired();
 }
diff --git a/lib/src/test/java/com/auth0/jwt/ClockTest.java b/lib/src/test/java/com/auth0/jwt/ClockTest.java
@@ -0,0 +1,24 @@
+package com.auth0.jwt;
+
+import org.junit.Test;
+
+import java.util.Date;
+
+import static org.hamcrest.Matchers.equalTo;
+import static org.hamcrest.Matchers.is;
+import static org.hamcrest.Matchers.notNullValue;
+import static org.junit.Assert.*;
+
+public class ClockTest {
+
+    @Test
+    public void shouldGetToday() throws Exception{
+        Clock clock = new Clock();
+        Date clockToday = clock.getToday();
+        Date today = new Date();
+
+        assertThat(clockToday, is(notNullValue()));
+        assertThat(clockToday.getTime(), is(equalTo(today.getTime())));
+    }
+
+}
diff --git a/lib/src/test/java/com/auth0/jwt/JWTDecoderTest.java b/lib/src/test/java/com/auth0/jwt/JWTDecoderTest.java
diff --git a/lib/src/test/java/com/auth0/jwt/JWTTest.java b/lib/src/test/java/com/auth0/jwt/JWTTest.java
diff --git a/lib/src/test/java/com/auth0/jwt/JWTVerifierTest.java b/lib/src/test/java/com/auth0/jwt/JWTVerifierTest.java
diff --git a/lib/src/test/java/com/auth0/jwt/impl/PayloadDeserializerTest.java b/lib/src/test/java/com/auth0/jwt/impl/PayloadDeserializerTest.java

Original file line number	Diff line number	Diff line change
`@@ -110,9 +110,4 @@ public String getSignature() {`
`110`	`110`	`return signature;`
`111`	`111`	`}`
`112`	`112`
`113`		`- @Override`
`114`		`- public boolean isExpired() {`
`115`		`- //TODO: Add advanced validation`
`116`		`- return false;`
`117`		`- }`
`118`	`113`	`}`
Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,4 @@`
`4`	`4`	`* The JWT class represents a Json Web Token.`
`5`	`5`	`*/`
`6`	`6`	`public interface JWT extends Payload, Header, Signature {`
`7`		`-`
`8`		`- //TODO replace with advanced validations`
`9`		`- boolean isExpired();`
`10`	`7`	`}`