feat: support allow_expired query parameter for JWT validation

Open mandarini opened this issue 2 months ago • 0 comments

Description

Adds support for allow_expired=true query parameter to allow decoding expired JWTs for legitimate use cases (debugging, audit logs, displaying user info after expiration).

Fixes: https://github.com/supabase/auth/issues/2256

Changes

  • Modified parseJWTClaims() in internal/api/auth.go to check for allow_expired query parameter
  • When allow_expired=true, JWT parser skips claims validation (including expiration check)
  • Default behavior unchanged: JWTs are validated including expiration by default

Security Considerations

  • The JWT signature is still verified (not bypassed)
  • Only the expiration time check is skipped
  • This should be used only for specific legitimate use cases
  • The client library (supabase-js) will control when this parameter is passed

Testing

Tested with expired JWTs:

  • Without parameter: correctly rejects with expiration error
  • With allow_expired=true: successfully decodes and returns user data
  • Signature validation still enforced in both cases

mandarini, Nov 13 '25 08:11
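Added illustration of the semantics the description claims, not code from supabase/auth: a standard-library Go parser that verifies the HS256 signature unconditionally and relaxes only the `exp` check when the allow_expired flag is set, with a helper to mint sample tokens. Skipping all claims validation, as the Changes list words it, is broader than skipping only `exp`; this example does only the latter and also pins the algorithm so an `alg=none` token is rejected even with the flag set. The secret, claim names and HS256-only setup are assumptions for the example; the real parseJWTClaims() and its key handling are not reproduced here.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

var enc = base64.RawURLEncoding
var ErrExpired = errors.New("token is expired") // returned only when the exp check is enforced

// SignHS256 mints a compact HS256 JWT; used here only to build sample tokens (example helper).
func SignHS256(claims map[string]any, secret []byte) string {
	body, _ := json.Marshal(claims)
	input := enc.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + enc.EncodeToString(body)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(input))
	return input + "." + enc.EncodeToString(mac.Sum(nil))
}

// ParseJWTClaims always verifies the signature and relaxes only the exp check
// when allowExpired is true, which is what allow_expired=true should mean.
func ParseJWTClaims(token string, secret []byte, allowExpired bool, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` } // pin the algorithm: rejects alg=none before any signature logic
	if raw, err := enc.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "HS256" {
		return nil, errors.New("unexpected alg")
	}
	mac := hmac.New(sha256.New, secret) // signature check does not depend on allowExpired
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if sig, err := enc.DecodeString(parts[2]); err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("invalid signature")
	}
	var claims map[string]any
	if raw, err := enc.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &claims) != nil {
		return nil, errors.New("bad claims")
	}
	// Expiration is the only check allow_expired skips; everything above still applies.
	if exp, ok := claims["exp"].(float64); ok && !allowExpired && !now.Before(time.Unix(int64(exp), 0)) {
		return nil, ErrExpired
	}
	return claims, nil
}
```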