
Handling 'ImmatureSignatureError' for issued_at time

Open sriharan16 opened this issue 1 year ago • 2 comments

Handling 'ImmatureSignatureError' for issued_at time when it is a future time epoch.

if iat > (now + leeway):
   raise ImmatureSignatureError("The token is not yet valid (iat)")

When the issued_at time in the payload is greater than the current time + leeway, then we can call it out as ImmatureSignatureError, as we do for nbf.

We have nbf in the payload, but still, with a proper nbf someone can call the API with an improper iat to fool the system.

Example:

{
  "nbf": 1661419080,    # 25-08-2022 14:48 IST
  "iat": 1661419200,    # 25-08-2022 14:50 IST
  "exp": 1661419500     # 25-08-2022 14:55 IST
}

Here the token is valid from 14:48 (as per nbf) and has an expiry range of 5 min from iat, which makes the token valid. But the iat is less than nbf, which makes the token valid for 7 min instead of 5 min. This should not happen as per the contract, but attackers may do something like this, even making iat and exp with the year 2023, which still makes the token valid.

We can restrict the same way as we do for nbf.

sriharan16, Aug 24 '22 17:08
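The behaviour the issue describes, as an added example that is not PyJWT's own code and not from the issue author: a small standalone validator that mirrors the nbf/exp comparisons quoted above and applies the proposed rule to iat behind a hypothetical `check_future_iat` switch, so a verifier that only checks nbf and exp can be compared side by side with one that also rejects a future iat. The two payloads are constructed here from the epochs posted in the issue; `ONE_YEAR`, `classify` and `validate_times` are names chosen for this example.

```python
"""Claim-time checks for a JWT payload, with the future-iat rule from this issue.

Added example, not PyJWT's own code. The nbf/exp comparisons follow the
shape quoted in the issue (nbf > now + leeway, exp <= now - leeway); the
hypothetical `check_future_iat` switch applies the same rule to iat.
"""
import time


class ImmatureSignatureError(Exception):
    """Raised when the token is not yet valid (nbf, or a future iat)."""


class ExpiredSignatureError(Exception):
    """Raised when the token has expired (exp)."""


def validate_times(payload, now=None, leeway=0, check_future_iat=False):
    """Check nbf, iat and exp against `now` (epoch seconds) with `leeway` seconds.

    Returns the remaining validity in seconds, or None if there is no exp.
    Raises ImmatureSignatureError / ExpiredSignatureError otherwise.
    """
    if now is None:
        now = time.time()

    nbf = payload.get("nbf")
    if nbf is not None and nbf > now + leeway:
        raise ImmatureSignatureError("The token is not yet valid (nbf)")

    # The check proposed in this issue: an iat in the future is as
    # suspicious as an nbf in the future, so reject it the same way.
    iat = payload.get("iat")
    if check_future_iat and iat is not None and iat > now + leeway:
        raise ImmatureSignatureError("The token is not yet valid (iat)")

    exp = payload.get("exp")
    if exp is not None and exp <= now - leeway:
        raise ExpiredSignatureError("Signature has expired")

    return None if exp is None else exp - now


# Constructed payloads. The first uses the epochs posted in the issue
# (nbf 14:48, iat 14:50, exp 14:55 IST on 25-08-2022). The second keeps
# the same past nbf but pushes iat and exp a year ahead, the "year 2023"
# case the issue warns about: nbf alone never catches it.
ISSUE_PAYLOAD = {"nbf": 1661419080, "iat": 1661419200, "exp": 1661419500}
ONE_YEAR = 365 * 86400
FORGED_PAYLOAD = {
    "nbf": 1661419080,
    "iat": 1661419200 + ONE_YEAR,
    "exp": 1661419500 + ONE_YEAR,
}


def classify(payload, now, leeway=0):
    """Return (accepted by an nbf/exp-only verifier, accepted with the iat check)."""
    verdicts = []
    for strict in (False, True):
        try:
            validate_times(payload, now=now, leeway=leeway, check_future_iat=strict)
            verdicts.append(True)
        except (ImmatureSignatureError, ExpiredSignatureError):
            verdicts.append(False)
    return tuple(verdicts)


if __name__ == "__main__":
    t_1449 = 1661419140  # one minute after nbf, one minute before iat
    t_1451 = 1661419260  # after iat, before exp
    print("issue payload at 14:49  ", classify(ISSUE_PAYLOAD, t_1449))   # (True, False)
    print("issue payload at 14:51  ", classify(ISSUE_PAYLOAD, t_1451))   # (True, True)
    print("forged payload at 14:49 ", classify(FORGED_PAYLOAD, t_1449))  # (True, False)
    print("60 s leeway at 14:49    ", classify(ISSUE_PAYLOAD, t_1449, leeway=60))  # (True, True)
```

The leeway case is the one to keep in mind when reviewing a change like this: with a 60 s leeway the 14:49 request is accepted even with the iat check on, because `iat > now + leeway` is false, so ordinary clock skew between issuer and verifier is tolerated while an iat a year ahead is still rejected. Without patching the library, the same effect can be had by decoding the token normally and then refusing the returned payload when `payload["iat"]` exceeds `time.time()` plus the leeway you already use for nbf.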

@jpadilla @auvipy Kindly help here in validating and reviewing this PR.

sriharan16, Aug 26 '22 05:08

@auvipy I have rebased as mentioned. Also not sure why requesting your review removed @jpadilla! Kindly verify the changes and also add @jpadilla again as a reviewer

sriharan16, Sep 22 '22 12:09

Team (@jpadilla, @auvipy),

Can you please review this!

sriharan16, Oct 14 '22 07:10

CI triggered

auvipy, Oct 14 '22 17:10

There is a bug report at https://github.com/jpadilla/pyjwt/issues/814; can you verify?

auvipy, Oct 21 '22 12:10

Replied there.

sriharan16, Oct 22 '22 08:10