Merge pull request #8898 from lafirest/fix/jwt_exp_float

fix(jwt): make jwt support float timestamp claims
2022-09-06 16:09:11 +08:00 · 2022-09-06 16:09:11 +08:00 · ad31dfff35
parent 6417b5f3c4 d5494897c7
commit ad31dfff35
3 changed files with 30 additions and 6 deletions
--- a/apps/emqx_auth_jwt/src/emqx_auth_jwt.erl
+++ b/apps/emqx_auth_jwt/src/emqx_auth_jwt.erl
@ -80,7 +80,7 @@ is_expired(Exp) when is_binary(Exp)  ->
            ?DEBUG("acl_deny_due_to_invalid_jwt_exp:~p", [Exp]),
            true
    end;
-is_expired(Exp) when is_integer(Exp) ->
+is_expired(Exp) when is_number(Exp) ->
    Now = erlang:system_time(second),
    Now > Exp;
 is_expired(Exp) ->
--- a/apps/emqx_auth_jwt/src/emqx_auth_jwt_svr.erl
+++ b/apps/emqx_auth_jwt/src/emqx_auth_jwt_svr.erl
@ -201,19 +201,19 @@ do_verify(JwsCompacted, [Jwk|More]) ->

 check_claims(Claims) ->
    Now = os:system_time(seconds),
-    Checker = [{<<"exp">>, with_int_value(
+    Checker = [{<<"exp">>, with_num_value(
                             fun(ExpireTime) -> Now < ExpireTime end)},
-               {<<"iat">>, with_int_value(
+               {<<"iat">>, with_num_value(
                             fun(IssueAt) -> IssueAt =< Now end)},
-               {<<"nbf">>, with_int_value(
+               {<<"nbf">>, with_num_value(
                             fun(NotBefore) -> NotBefore =< Now end)}
              ],
    do_check_claim(Checker, Claims).

-with_int_value(Fun) ->
+with_num_value(Fun) ->
    fun(Value) ->
            case Value of
-                Int when is_integer(Int) -> Fun(Int);
+                Num when is_number(Num) -> Fun(Num);
                Bin when is_binary(Bin) ->
                    case emqx_auth_jwt:string_to_number(Bin) of
                        {ok, Num} -> Fun(Num);
--- a/apps/emqx_auth_jwt/test/emqx_auth_jwt_SUITE.erl
+++ b/apps/emqx_auth_jwt/test/emqx_auth_jwt_SUITE.erl
@ -177,6 +177,30 @@ t_check_auth_str_exp(_Config) ->
    ct:pal("Auth result: ~p~n", [Result2]),
    ?assertMatch({ok, #{auth_result := success, jwt_claims := _}}, Result2).

+t_check_auth_float_exp(init, _Config) ->
+    application:unset_env(emqx_auth_jwt, verify_claims).
+t_check_auth_float_exp(_Config) ->
+    Plain = #{clientid => <<"client1">>, username => <<"plain">>, zone => external},
+    Exp = os:system_time(seconds) + 3.5,
+
+    Jwt0 = sign([{clientid, <<"client1">>},
+                 {username, <<"plain">>},
+                 {exp, Exp}], <<"HS256">>, <<"emqxsecret">>),
+    ct:pal("Jwt: ~p~n", [Jwt0]),
+
+    Result0 = emqx_access_control:authenticate(Plain#{password => Jwt0}),
+    ct:pal("Auth result: ~p~n", [Result0]),
+    ?assertMatch({ok, #{auth_result := success, jwt_claims := _}}, Result0),
+
+    Jwt1 = sign([{clientid, <<"client1">>},
+                 {username, <<"plain">>},
+                 {exp, 1.5}], <<"HS256">>, <<"emqxsecret">>),
+    ct:pal("Jwt: ~p~n", [Jwt1]),
+
+    Result1 = emqx_access_control:authenticate(Plain#{password => Jwt1}),
+    ct:pal("Auth result: ~p~n", [Result1]),
+    ?assertMatch({error, _}, Result1).
+
 t_check_claims(init, _Config) ->
    application:set_env(emqx_auth_jwt, verify_claims, [{sub, <<"value">>}]).
 t_check_claims(_Config) ->