Fix overflow when using Long.MAX_VALUE as leeway
Changes
Recently I tried to set the leeway of the JWT verifier to Long.MAX_VALUE to do some local debugging where the token being expired didn't matter. Unfortunately, the verifier crashed with a long overflow when I ran it. The alternative was to set the leeway to a large, but not too large, value. Nonetheless, this PR fixes the overflow as I believe it to be a bug.
Previous exception on the new shouldValidateExpiresAtWithMaxLeeway:
```
Instant exceeds minimum or maximum instant
java.time.DateTimeException: Instant exceeds minimum or maximum instant
	at java.base/java.time.Instant.create(Instant.java:411)
	at java.base/java.time.Instant.ofEpochSecond(Instant.java:330)
	at java.base/java.time.Instant.plus(Instant.java:928)
	at java.base/java.time.Instant.plusSeconds(Instant.java:878)
	at java.base/java.time.Instant.plus(Instant.java:855)
	at java.base/java.time.Instant.minus(Instant.java:978)
	at java.base/java.time.Instant.minus(Instant.java:207)
	at java.base/java.time.Duration.subtractFrom(Duration.java:1137)
	at java.base/java.time.Instant.minus(Instant.java:954)
	at com.auth0.jwt.JWTVerifier$BaseVerification.assertInstantIsFuture(JWTVerifier.java:359)
	at com.auth0.jwt.JWTVerifier$BaseVerification.assertValidInstantClaim(JWTVerifier.java:344)
	at com.auth0.jwt.JWTVerifier$BaseVerification.lambda$addMandatoryClaimChecks$17(JWTVerifier.java:308)
	at com.auth0.jwt.JWTVerifier$BaseVerification$1.verify(JWTVerifier.java:412)
	at com.auth0.jwt.JWTVerifier.verifyClaims(JWTVerifier.java:489)
	at com.auth0.jwt.JWTVerifier.verify(JWTVerifier.java:471)
	at com.auth0.jwt.JWTVerifier.verify(JWTVerifier.java:452)
	at com.auth0.jwt.JWTVerifierTest.shouldValidateExpiresAtWithMaxLeeway(JWTVerifierTest.java:695)
```
Previous exception on the new shouldValidateNotBeforeWithMaxLeeway:
```
long overflow
java.lang.ArithmeticException: long overflow
	at java.base/java.lang.Math.addExact(Math.java:848)
	at java.base/java.time.Instant.plus(Instant.java:924)
	at java.base/java.time.Instant.plusSeconds(Instant.java:878)
	at java.base/java.time.Instant.plus(Instant.java:855)
	at java.base/java.time.Instant.plus(Instant.java:207)
	at java.base/java.time.Duration.addTo(Duration.java:1102)
	at java.base/java.time.Instant.plus(Instant.java:787)
	at com.auth0.jwt.JWTVerifier$BaseVerification.assertInstantIsLessThanOrEqualToNow(JWTVerifier.java:363)
	at com.auth0.jwt.JWTVerifier$BaseVerification.assertValidInstantClaim(JWTVerifier.java:349)
	at com.auth0.jwt.JWTVerifier$BaseVerification.lambda$addMandatoryClaimChecks$18(JWTVerifier.java:310)
	at com.auth0.jwt.JWTVerifier$BaseVerification$1.verify(JWTVerifier.java:412)
	at com.auth0.jwt.JWTVerifier.verifyClaims(JWTVerifier.java:489)
	at com.auth0.jwt.JWTVerifier.verify(JWTVerifier.java:471)
	at com.auth0.jwt.JWTVerifier.verify(JWTVerifier.java:452)
	at com.auth0.jwt.JWTVerifierTest.shouldValidateNotBeforeWithMaxLeeway(JWTVerifierTest.java:767)
```
References
N/A
Testing
Please describe how this can be tested by reviewers. Be specific about anything not tested and reasons why. If this library has unit and/or integration testing, tests should be added for new functionality and existing tests should complete without errors.
- [x] This change adds test coverage
- [x] This change has been tested on the latest version of Java or why not
Checklist
- [x] I have read the Auth0 general contribution guidelines
- [x] I have read the Auth0 Code of Conduct
- [x] All existing and new tests complete without errors
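
The two traces above can be reproduced with plain `java.time` calls. The following is an added example, not code from this PR or from the java-jwt project: the class and method names are hypothetical, the timestamps are constructed, and the saturating `shift` helper is one possible way to keep the comparison in range, not necessarily the fix this PR applies.

```java
import java.time.DateTimeException;
import java.time.Duration;
import java.time.Instant;

public class LeewayOverflowDemo {
    // Naive pattern seen in the traces: shift "now" by the leeway, then compare.
    static boolean notExpiredNaive(Instant exp, long leeway, Instant now) {
        return now.minus(Duration.ofSeconds(leeway)).isBefore(exp);
    }

    static boolean notBeforeOkNaive(Instant nbf, long leeway, Instant now) {
        return !now.plus(Duration.ofSeconds(leeway)).isBefore(nbf);
    }

    // Saturating shift: clamp to Instant.MIN / Instant.MAX instead of throwing.
    static Instant shift(Instant base, long seconds) {
        try {
            return base.plusSeconds(seconds);
        } catch (ArithmeticException | DateTimeException e) {
            return seconds < 0 ? Instant.MIN : Instant.MAX;
        }
    }

    static boolean notExpired(Instant exp, long leeway, Instant now) {
        if (leeway < 0) throw new IllegalArgumentException("leeway must be >= 0");
        return shift(now, -leeway).isBefore(exp); // -leeway is safe for leeway >= 0
    }

    static boolean notBeforeOk(Instant nbf, long leeway, Instant now) {
        if (leeway < 0) throw new IllegalArgumentException("leeway must be >= 0");
        return !shift(now, leeway).isBefore(nbf);
    }

    public static void main(String[] args) {
        Instant now = Instant.parse("2024-01-01T00:00:00Z"); // constructed sample
        Instant exp = now.minusSeconds(3600); // token expired an hour ago
        Instant nbf = now.plusSeconds(3600);  // token valid an hour from now

        try { notExpiredNaive(exp, Long.MAX_VALUE, now); }
        catch (DateTimeException e) { System.out.println("exp, naive: " + e); }
        try { notBeforeOkNaive(nbf, Long.MAX_VALUE, now); }
        catch (ArithmeticException e) { System.out.println("nbf, naive: " + e); }

        System.out.println("exp, max leeway: " + notExpired(exp, Long.MAX_VALUE, now));
        System.out.println("nbf, max leeway: " + notBeforeOk(nbf, Long.MAX_VALUE, now));
        System.out.println("exp, 60s leeway: " + notExpired(exp, 60, now));
        System.out.println("nbf, 60s leeway: " + notBeforeOk(nbf, 60, now));
    }
}
```

The expiry path fails with `DateTimeException` because the shifted value still fits in a `long` but falls below `Instant.MIN`, while the not-before path fails earlier in `Math.addExact`; a guard has to cover both.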