Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

gin-jwt should set the TimeFunc in jwt-go #266

Open
samherrmann opened this issue Jan 19, 2021 · 0 comments
Open

gin-jwt should set the TimeFunc in jwt-go #266

samherrmann opened this issue Jan 19, 2021 · 0 comments

Comments

@samherrmann
Copy link

Both the gin-jwt library and the underlying jwt-go support a TimeFunc. By default, they are both initialized to time.Now.

https://github.com/appleboy/gin-jwt/blob/v2.6.4/auth_jwt.go#L272:

if mw.TimeFunc == nil {
  mw.TimeFunc = time.Now
}

https://github.com/dgrijalva/jwt-go/blob/v3.2.0/token.go#L13:

// TimeFunc provides the current time when parsing token to validate "exp" claim (expiration time).
// You can override it to use another time value.  This is useful for testing or if your
// server uses a different time zone than your tokens.
var TimeFunc = time.Now

gin-jwt should ensure that TimeFunc of each library are the same. If the two functions are not the same, it's possible for gin-jwt to create a token with an expiration date that is then falsely invalidated by jwt-go when the user of gin-jwt provides a custom TimeFunc.

Proposed Solution

The proposed solution is to simply add a line in the first snipped shown above to the following:

if mw.TimeFunc == nil {
  mw.TimeFunc = time.Now
}
jwt.TimeFunc = mw.TimeFunc // proposed line
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@samherrmann