Merge pull request auth0#297 from complanboy2/issue254

lbalmaceda · web-flow · commit 08def5e53323 · 2019-01-12T15:03:45.000-03:00
Allow to skip "issued at" validation
diff --git a/lib/src/main/java/com/auth0/jwt/JWTVerifier.java b/lib/src/main/java/com/auth0/jwt/JWTVerifier.java
@@ -43,6 +43,7 @@ public static class BaseVerification implements Verification {
         private final Algorithm algorithm;
         private final Map<String, Object> claims;
         private long defaultLeeway;
+        private boolean ignoreIssuedAt;
 
         BaseVerification(Algorithm algorithm) throws IllegalArgumentException {
             if (algorithm == null) {
@@ -150,6 +151,14 @@ public Verification acceptIssuedAt(long leeway) throws IllegalArgumentException
             return this;
         }
 
+        /**
+         * Skip the Issued At ("iat") date verification. By default, the verification is performed.
+         */
+        public Verification ignoreIssuedAt() {
+            this.ignoreIssuedAt = true;
+            return this;
+        }
+
         /**
          * Require a specific JWT Id ("jti") claim.
          *
@@ -323,6 +332,10 @@ private void addLeewayToDateClaims() {
             if (!claims.containsKey(PublicClaims.NOT_BEFORE)) {
                 claims.put(PublicClaims.NOT_BEFORE, defaultLeeway);
             }
+            if(ignoreIssuedAt) {
+                claims.remove(PublicClaims.ISSUED_AT);
+                return;
+            }
             if (!claims.containsKey(PublicClaims.ISSUED_AT)) {
                 claims.put(PublicClaims.ISSUED_AT, defaultLeeway);
             }
diff --git a/lib/src/main/java/com/auth0/jwt/interfaces/Verification.java b/lib/src/main/java/com/auth0/jwt/interfaces/Verification.java
@@ -37,5 +37,7 @@ public interface Verification {
 
     Verification withArrayClaim(String name, Integer... items) throws IllegalArgumentException;
 
+    Verification ignoreIssuedAt();
+
     JWTVerifier build();
 }
diff --git a/lib/src/test/java/com/auth0/jwt/JWTVerifierTest.java b/lib/src/test/java/com/auth0/jwt/JWTVerifierTest.java
@@ -478,19 +478,30 @@ public void shouldThrowOnNegativeNotBeforeLeeway() throws Exception {
                 .acceptNotBefore(-1);
     }
 
-    // Issued At
+// Issued At with future date
+    @Test (expected = InvalidClaimException.class)
+    public void shouldThrowOnFutureIssuedAt() throws Exception {
+        Clock clock = mock(Clock.class);
+        when(clock.getToday()).thenReturn(new Date(DATE_TOKEN_MS_VALUE - 1000));
+
+        String token = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE0Nzc1OTJ9.CWq-6pUXl1bFg81vqOUZbZrheO2kUBd2Xr3FUZmvudE";
+        JWTVerifier.BaseVerification verification = (JWTVerifier.BaseVerification) JWTVerifier.init(Algorithm.HMAC256("secret"));
+
+        DecodedJWT jwt = verification.build(clock).verify(token);
+        assertThat(jwt, is(notNullValue()));
+    }
+
+    // Issued At with future date and ignore flag
     @Test
-    public void shouldValidateIssuedAtWithLeeway() throws Exception {
+    public void shouldSkipIssuedAtVerificationWhenFlagIsPassed() throws Exception {
         Clock clock = mock(Clock.class);
         when(clock.getToday()).thenReturn(new Date(DATE_TOKEN_MS_VALUE - 1000));
 
-        String token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE0Nzc1OTJ9.0WJky9eLN7kuxLyZlmbcXRL3Wy8hLoNCEk5CCl2M4lo";
-        JWTVerifier.BaseVerification verification = (JWTVerifier.BaseVerification) JWTVerifier.init(Algorithm.HMAC256("secret"))
-                .acceptIssuedAt(2);
-        DecodedJWT jwt = verification
-                .build(clock)
-                .verify(token);
+        String token = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE0Nzc1OTJ9.CWq-6pUXl1bFg81vqOUZbZrheO2kUBd2Xr3FUZmvudE";
+        JWTVerifier.BaseVerification verification = (JWTVerifier.BaseVerification) JWTVerifier.init(Algorithm.HMAC256("secret"));
+        verification.ignoreIssuedAt();
 
+        DecodedJWT jwt = verification.build(clock).verify(token);
         assertThat(jwt, is(notNullValue()));
     }
 
@@ -508,6 +519,20 @@ public void shouldThrowOnInvalidIssuedAtIfPresent() throws Exception {
                 .verify(token);
     }
 
+    @Test
+    public void shouldOverrideAcceptIssuedAtWhenIgnoreIssuedAtFlagPassedAndSkipTheVerification() throws Exception {
+        Clock clock = mock(Clock.class);
+        when(clock.getToday()).thenReturn(new Date(DATE_TOKEN_MS_VALUE - 1000));
+
+        String token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE0Nzc1OTJ9.0WJky9eLN7kuxLyZlmbcXRL3Wy8hLoNCEk5CCl2M4lo";
+        JWTVerifier.BaseVerification verification = (JWTVerifier.BaseVerification) JWTVerifier.init(Algorithm.HMAC256("secret"));
+        DecodedJWT jwt = verification.acceptIssuedAt(20).ignoreIssuedAt()
+                .build()
+                .verify(token);
+
+        assertThat(jwt, is(notNullValue()));
+    }
+
     @Test
     public void shouldValidateIssuedAtIfPresent() throws Exception {
         Clock clock = mock(Clock.class);

Original file line number	Diff line number	Diff line change
`@@ -37,5 +37,7 @@ public interface Verification {`
`37`	`37`
`38`	`38`	`Verification withArrayClaim(String name, Integer... items) throws IllegalArgumentException;`
`39`	`39`
	`40`	`+ Verification ignoreIssuedAt();`
	`41`	`+`
`40`	`42`	`JWTVerifier build();`
`41`	`43`	`}`