gin-jwt should set the TimeFunc in jwt-go

Open samherrmann opened this issue 4 years ago • 0 comments

Both the gin-jwt library and the underlying jwt-go support a TimeFunc. By default, they are both initialized to time.Now.

https://github.com/appleboy/gin-jwt/blob/v2.6.4/auth_jwt.go#L272:

if mw.TimeFunc == nil {
  mw.TimeFunc = time.Now
}

https://github.com/dgrijalva/jwt-go/blob/v3.2.0/token.go#L13:

// TimeFunc provides the current time when parsing token to validate "exp" claim (expiration time).
// You can override it to use another time value.  This is useful for testing or if your
// server uses a different time zone than your tokens.
var TimeFunc = time.Now

gin-jwt should ensure that the TimeFunc of each library is the same. If the two functions are not the same, it's possible for gin-jwt to create a token with an expiration date that is then falsely invalidated by jwt-go when the user of gin-jwt provides a custom TimeFunc.

Proposed Solution

The proposed solution is to simply add a line to the first snippet shown above, as in the following:

if mw.TimeFunc == nil {
  mw.TimeFunc = time.Now
}
jwt.TimeFunc = mw.TimeFunc // proposed line

samherrmann, Jan 19 '21 02:01
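
The mismatch described in the issue, reproduced as a standard-library model. This is an added example, not code from gin-jwt or jwt-go. The names `sign`, `issue`, `validate` and `validatorClock` are hypothetical stand-ins for the middleware's token creation, the parser's `exp` check and the package-level `TimeFunc`; the key and the fixed instant are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

var validatorClock = time.Now // hypothetical stand-in for jwt-go's package-level TimeFunc

func sign(key []byte, msg string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(msg))
	return base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}

// issue models the middleware side: exp is derived from the issuer's own clock.
func issue(key []byte, issuerClock func() time.Time, ttl time.Duration) string {
	claims, _ := json.Marshal(map[string]int64{"exp": issuerClock().Add(ttl).Unix()})
	msg := "eyJhbGciOiJIUzI1NiJ9." + base64.RawURLEncoding.EncodeToString(claims) // header {"alg":"HS256"}
	return msg + "." + sign(key, msg)
}

func validate(key []byte, token string) error {
	p := strings.Split(token, ".")
	if len(p) != 3 || !hmac.Equal([]byte(sign(key, p[0]+"."+p[1])), []byte(p[2])) {
		return fmt.Errorf("signature is invalid")
	}
	var c struct{ Exp int64 `json:"exp"` }
	if raw, err := base64.RawURLEncoding.DecodeString(p[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return fmt.Errorf("claims are malformed")
	}
	if validatorClock().Unix() > c.Exp { // parser side: exp is judged by the package clock
		return fmt.Errorf("token is expired")
	}
	return nil
}

func main() {
	key := []byte("constructed-demo-key")
	fixed := func() time.Time { return time.Date(2021, 1, 19, 2, 0, 0, 0, time.UTC) } // constructed
	tok := issue(key, fixed, time.Hour)
	fmt.Println("separate clocks:", validate(key, tok)) // validator still reads time.Now
	validatorClock = fixed                              // the alignment the issue proposes
	fmt.Println("shared clock:", validate(key, tok))
}
```

Because `validatorClock` is a package-level variable, as `TimeFunc` is in the jwt-go snippet quoted above, overriding it changes the expiry check for every validation in the process, not only for tokens issued with the custom clock.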