Merge pull request #8898 from lafirest/fix/jwt_exp_float

fix(jwt): make jwt support float timestamp claims

apps/emqx_auth_jwt/src/emqx_auth_jwt.erl

@@ -80,7 +80,7 @@ is_expired(Exp) when is_binary(Exp)  ->
             ?DEBUG("acl_deny_due_to_invalid_jwt_exp:~p", [Exp]),
             true
     end;
-is_expired(Exp) when is_integer(Exp) ->
+is_expired(Exp) when is_number(Exp) ->
     Now = erlang:system_time(second),
     Now > Exp;
 is_expired(Exp) ->

apps/emqx_auth_jwt/src/emqx_auth_jwt_svr.erl

@@ -201,19 +201,19 @@ do_verify(JwsCompacted, [Jwk|More]) ->
 
 check_claims(Claims) ->
     Now = os:system_time(seconds),
-    Checker = [{<<"exp">>, with_int_value(
+    Checker = [{<<"exp">>, with_num_value(
                              fun(ExpireTime) -> Now < ExpireTime end)},
-               {<<"iat">>, with_int_value(
+               {<<"iat">>, with_num_value(
                              fun(IssueAt) -> IssueAt =< Now end)},
-               {<<"nbf">>, with_int_value(
+               {<<"nbf">>, with_num_value(
                              fun(NotBefore) -> NotBefore =< Now end)}
               ],
     do_check_claim(Checker, Claims).
 
-with_int_value(Fun) ->
+with_num_value(Fun) ->
     fun(Value) ->
             case Value of
-                Int when is_integer(Int) -> Fun(Int);
+                Num when is_number(Num) -> Fun(Num);
                 Bin when is_binary(Bin) ->
                     case emqx_auth_jwt:string_to_number(Bin) of
                         {ok, Num} -> Fun(Num);

apps/emqx_auth_jwt/test/emqx_auth_jwt_SUITE.erl

@@ -177,6 +177,30 @@ t_check_auth_str_exp(_Config) ->
     ct:pal("Auth result: ~p~n", [Result2]),
     ?assertMatch({ok, #{auth_result := success, jwt_claims := _}}, Result2).
 
+t_check_auth_float_exp(init, _Config) ->
+    application:unset_env(emqx_auth_jwt, verify_claims).
+t_check_auth_float_exp(_Config) ->
+    Plain = #{clientid => <<"client1">>, username => <<"plain">>, zone => external},
+    Exp = os:system_time(seconds) + 3.5,
+
+    Jwt0 = sign([{clientid, <<"client1">>},
+                 {username, <<"plain">>},
+                 {exp, Exp}], <<"HS256">>, <<"emqxsecret">>),
+    ct:pal("Jwt: ~p~n", [Jwt0]),
+
+    Result0 = emqx_access_control:authenticate(Plain#{password => Jwt0}),
+    ct:pal("Auth result: ~p~n", [Result0]),
+    ?assertMatch({ok, #{auth_result := success, jwt_claims := _}}, Result0),
+
+    Jwt1 = sign([{clientid, <<"client1">>},
+                 {username, <<"plain">>},
+                 {exp, 1.5}], <<"HS256">>, <<"emqxsecret">>),
+    ct:pal("Jwt: ~p~n", [Jwt1]),
+
+    Result1 = emqx_access_control:authenticate(Plain#{password => Jwt1}),
+    ct:pal("Auth result: ~p~n", [Result1]),
+    ?assertMatch({error, _}, Result1).
+
 t_check_claims(init, _Config) ->
     application:set_env(emqx_auth_jwt, verify_claims, [{sub, <<"value">>}]).
 t_check_claims(_Config) ->