util.jwt: Provide built-in token expiry support (defaults to 3600s lifetime)
To avoid every user of the library needing to add and verify expiry info, this
is now handled by util.jwt itself (if not overridden or disabled).
Issuing tokens that are valid forever is bad practice and rarely desired, and
the default token lifetime is now 3600s (1 hour).
--- a/util/jwt.lua Sat Jul 02 15:29:04 2022 +0100
+++ b/util/jwt.lua Mon Jul 11 13:28:29 2022 +0100
@@ -152,21 +152,46 @@
PS256 = new_rsa_algorithm("PS256"), PS384 = new_rsa_algorithm("PS384"), PS512 = new_rsa_algorithm("PS512");
};
-local function new_signer(algorithm, key_input)
+local function new_signer(algorithm, key_input, options)
local impl = assert(algorithms[algorithm], "Unknown JWT algorithm: "..algorithm);
local key = (impl.load_private_key or impl.load_key)(key_input);
local sign = impl.sign;
+ local default_ttl = (options and options.default_ttl) or 3600;
return function (payload)
+ local issued_at;
+ if not payload.iat then
+ issued_at = os.time();
+ payload.iat = issued_at;
+ end
+ if not payload.exp then
+ payload.exp = (issued_at or os.time()) + default_ttl;
+ end
return sign(key, payload);
end
end
-local function new_verifier(algorithm, key_input)
+local function new_verifier(algorithm, key_input, options)
local impl = assert(algorithms[algorithm], "Unknown JWT algorithm: "..algorithm);
local key = (impl.load_public_key or impl.load_key)(key_input);
local verify = impl.verify;
+ local check_expiry = not (options and options.accept_expired);
+ local claim_verifier = options and options.claim_verifier;
return function (token)
- return verify(key, token);
+ local ok, payload = verify(key, token);
+ if ok then
+ local expires_at = check_expiry and payload.exp;
+ if expires_at then
+ if type(expires_at) ~= "number" then
+ return nil, "invalid-expiry";
+ elseif expires_at < os.time() then
+ return nil, "token-expired";
+ end
+ end
+ if claim_verifier and not claim_verifier(payload) then
+ return nil, "incorrect-claims";
+ end
+ end
+ return ok, payload;
end
end