diff --git a/apps/emqx_auth_jwt/src/emqx_auth_jwt.erl b/apps/emqx_auth_jwt/src/emqx_auth_jwt.erl
index 623fa25c5..223fc673c 100644
--- a/apps/emqx_auth_jwt/src/emqx_auth_jwt.erl
+++ b/apps/emqx_auth_jwt/src/emqx_auth_jwt.erl
@@ -67,7 +67,7 @@ check_acl(ClientInfo = #{jwt_claims := Claims},
 case is_expired(Exp) of
 true ->
 ?DEBUG("acl_deny_due_to_jwt_expired", []),
- deny;
+ {stop, deny};
 false ->
 verify_acl(ClientInfo, Acl, PubSub, Topic)
 end;
diff --git a/apps/emqx_auth_jwt/test/emqx_auth_jwt_SUITE.erl b/apps/emqx_auth_jwt/test/emqx_auth_jwt_SUITE.erl
index 7452091bd..235f77783 100644
--- a/apps/emqx_auth_jwt/test/emqx_auth_jwt_SUITE.erl
+++ b/apps/emqx_auth_jwt/test/emqx_auth_jwt_SUITE.erl
@@ -462,6 +462,16 @@ t_check_jwt_acl_expire(_Config) ->
 {ok, #{}, [?RC_NOT_AUTHORIZED]},
 emqtt:subscribe(C, <<"a/b">>, 0)),
 
+ Default = emqx_zone:get_env(external, acl_nomatch, deny),
+ emqx_zone:set_env(external, acl_nomatch, allow),
+ try
+ ?assertMatch(
+ {ok, #{}, [?RC_NOT_AUTHORIZED]},
+ emqtt:subscribe(C, <<"a/b">>, 0))
+ after
+ emqx_zone:set_env(external, acl_nomatch, Default)
+ end,
+
 ok = emqtt:disconnect(C).
 
 t_check_jwt_acl_no_exp(init, _Config) ->
diff --git a/changes/v4.3.23-en.md b/changes/v4.3.23-en.md
index b8c0230c6..fbc662fc2 100644
--- a/changes/v4.3.23-en.md
+++ b/changes/v4.3.23-en.md
@@ -7,3 +7,5 @@
 - Print a warning message when boot with the default (insecure) Erlang cookie [#9340](https://github.com/emqx/emqx/pull/9340).
 
 ## Bug fixes
+
+- Fix a bug where the JWT ACL would not short-circuit with a deny response when the token is expired [#9338](https://github.com/emqx/emqx/pull/9338).
diff --git a/changes/v4.3.23-zh.md b/changes/v4.3.23-zh.md
index b14dd96bb..14f9c33e1 100644
--- a/changes/v4.3.23-zh.md
+++ b/changes/v4.3.23-zh.md
@@ -7,3 +7,5 @@
 - 使用默认的(不安全的) Erlang cookie 进行启动时,将会打印一条警告信息 [#9340](https://github.com/emqx/emqx/pull/9340)。
 
 ## 修复
+
+- 修复 JWT ACL 在令牌超期后授权检查不生效的问题 [#9338](https://github.com/emqx/emqx/pull/9338)。
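Review bot: The `{stop, deny}` return on the `true` branch of `is_expired(Exp)` is the whole fix, but nothing in the hunk says why a bare `deny` was wrong, so a later reader may well "simplify" it back; a one-line comment above it would pin the intent: `%% {stop, deny} ends the ACL hook chain here: a bare 'deny' lets a later ACL hook or the acl_nomatch default override an expired token`. The accompanying test sets acl_nomatch to allow and still expects NOT_AUTHORIZED, which is exactly what that comment documents. It is also worth confirming that `verify_acl/4` on the `false` branch returns the same `{stop, _}` shape for its own deny results, otherwise an expired-token deny is final while a claim-based deny could still be overridden downstream — verify_acl is not visible from the hunk. check_acl/4 starts and continues outside the hunk.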
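Review bot: The `after` clause restores `acl_nomatch` with `emqx_zone:set_env(external, acl_nomatch, Default)`, but `Default` was read with a `deny` fallback, so if the key was unset before the test it ends up explicitly set to `deny` afterwards — a small state leak into later testcases, assuming get_env/3 returns the fallback for a missing key as its arity suggests. If the zone API offers a way to unset a key, the restore path should take it when the key was absent; otherwise a short note above `Default` saying the restore pins the value to `deny` is enough. The new assertion mirrors the one just above the hunk, so a comment would help a reader see what differs: `%% with acl_nomatch = allow the expired token must still be denied: check_acl has to stop the hook chain`. t_check_jwt_acl_expire/1 starts before the hunk.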