From ebfaecfa915fe43c813a7e8a88f7e4c32b0a9657 Mon Sep 17 00:00:00 2001
From: firest
Date: Thu, 10 Nov 2022 13:16:02 +0800
Subject: [PATCH 1/2] fix(jwt): fix the jwt ACL will return a wrong result when the token is expired

---
 apps/emqx_auth_jwt/src/emqx_auth_jwt.erl | 2 +-
 apps/emqx_auth_jwt/test/emqx_auth_jwt_SUITE.erl | 10 ++++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/apps/emqx_auth_jwt/src/emqx_auth_jwt.erl b/apps/emqx_auth_jwt/src/emqx_auth_jwt.erl
index 623fa25c5..223fc673c 100644
--- a/apps/emqx_auth_jwt/src/emqx_auth_jwt.erl
+++ b/apps/emqx_auth_jwt/src/emqx_auth_jwt.erl
@@ -67,7 +67,7 @@ check_acl(ClientInfo = #{jwt_claims := Claims},
 case is_expired(Exp) of
 true ->
 ?DEBUG("acl_deny_due_to_jwt_expired", []),
- deny;
+ {stop, deny};
 false ->
 verify_acl(ClientInfo, Acl, PubSub, Topic)
 end;
diff --git a/apps/emqx_auth_jwt/test/emqx_auth_jwt_SUITE.erl b/apps/emqx_auth_jwt/test/emqx_auth_jwt_SUITE.erl
index 7452091bd..235f77783 100644
--- a/apps/emqx_auth_jwt/test/emqx_auth_jwt_SUITE.erl
+++ b/apps/emqx_auth_jwt/test/emqx_auth_jwt_SUITE.erl
@@ -462,6 +462,16 @@ t_check_jwt_acl_expire(_Config) ->
 {ok, #{}, [?RC_NOT_AUTHORIZED]},
 emqtt:subscribe(C, <<"a/b">>, 0)),
 
+ Default = emqx_zone:get_env(external, acl_nomatch, deny),
+ emqx_zone:set_env(external, acl_nomatch, allow),
+ try
+ ?assertMatch(
+ {ok, #{}, [?RC_NOT_AUTHORIZED]},
+ emqtt:subscribe(C, <<"a/b">>, 0))
+ after
+ emqx_zone:set_env(external, acl_nomatch, Default)
+ end,
+
 ok = emqtt:disconnect(C).
 
 t_check_jwt_acl_no_exp(init, _Config) ->

From 8a0158e21dd67cc4c2d03e8dd82e21ee85798895 Mon Sep 17 00:00:00 2001
From: firest
Date: Tue, 15 Nov 2022 09:52:34 +0800
Subject: [PATCH 2/2] chore: update changes

---
 changes/v4.3.23-en.md | 2 ++
 changes/v4.3.23-zh.md | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/changes/v4.3.23-en.md b/changes/v4.3.23-en.md
index d36322211..ee43c4cee 100644
--- a/changes/v4.3.23-en.md
+++ b/changes/v4.3.23-en.md
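Review bot: The reason a bare `deny` was wrong on the changed line is recorded nowhere in the code, so a later edit of check_acl could quietly reintroduce the fail-open path; I would add a comment above `{stop, deny};` such as `%% {stop, _} short-circuits the ACL hook chain; a bare atom is not a hook result, so the decision would fall through to other ACL backends and the acl_nomatch default`. That fall-through is inferred from the acl_nomatch=allow case the new test adds rather than shown in this hunk, so wording it as a note to confirm is fine. The `false` branch delegates to verify_acl/4, which lies outside the hunk; it is worth checking that it returns the same `{stop, allow | deny}` shape so both branches follow one hook-return convention. A denial caused by an expired token is logged only at ?DEBUG, which is easy to lose when authorization decisions need to be auditable, so a higher level may be appropriate. check_acl's head and its remaining clauses are outside the hunk.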
@@ -5,3 +5,5 @@
 - Added topic validation for `emqx_mod_rewrite`. The dest topics contains wildcards are not allowed to publish [#9359](https://github.com/emqx/emqx/issues/9359).
 
 ## Bug fixes
+
+- Fix a bug where the JWT ACL would not short-circuit with a deny response when the token is expired [#9338](https://github.com/emqx/emqx/pull/9338).
diff --git a/changes/v4.3.23-zh.md b/changes/v4.3.23-zh.md
index e290b9ad3..3e3e293f4 100644
--- a/changes/v4.3.23-zh.md
+++ b/changes/v4.3.23-zh.md
@@ -5,3 +5,5 @@
 - 为主题重写模块增加主题合法性检查,带有通配符的目标主题不允许被发布 [#9359](https://github.com/emqx/emqx/issues/9359)。
 
 ## 修复
+
+- 修复 JWT ACL 在令牌超期后授权检查不生效的问题 [#9338](https://github.com/emqx/emqx/pull/9338)。