fix(acl): deny all ACl when token expired

2022-05-15 09:24:02 +02:00 · 2022-05-15 09:24:02 +02:00 · 655c2987f3
parent d6178f8611
commit 655c2987f3
1 changed files with 22 additions and 5 deletions
--- a/apps/emqx_auth_jwt/src/emqx_auth_jwt.erl
+++ b/apps/emqx_auth_jwt/src/emqx_auth_jwt.erl
@ -72,14 +72,31 @@ check_acl(ClientInfo = #{jwt_claims := Claims},
          Topic,
          _NoMatchAction,
          #{acl_claim_name := AclClaimName}) ->
-    Deadline = erlang:system_time(second),
    case Claims of
-        #{AclClaimName := Acl, <<"exp">> := Exp}
-            when is_integer(Exp) andalso Exp >= Deadline ->
-            verify_acl(ClientInfo, Acl, PubSub, Topic);
-        _ -> ignore
+        #{AclClaimName := Acl, <<"exp">> := Exp} ->
+            try is_expired(Exp) of
+                true ->
+                    ?DEBUG("acl_deny_due_to_jwt_expired", []),
+                    deny;
+                false ->
+                    verify_acl(ClientInfo, Acl, PubSub, Topic)
+            catch
+                _:_ ->
+                    ?DEBUG("acl_deny_due_to_invalid_jwt_exp", []),
+                    deny
+            end;
+        _ ->
+            ?DEBUG("no_acl_jwt_claim", []),
+            ignore
    end.

+is_expired(Exp) when is_binary(Exp)  ->
+    ExpInt  = binary_to_integer(Exp),
+    is_expired(ExpInt);
+is_expired(Exp) ->
+    Now = erlang:system_time(second),
+    Now > Exp.
+
 description() -> "Authentication with JWT".

 %%------------------------------------------------------------------------------