From e4154dd472d1d18d3d197462ae10565e1a0612c9 Mon Sep 17 00:00:00 2001
From: Ilya Averyanov
Date: Tue, 30 Apr 2024 19:01:16 +0300
Subject: [PATCH] feat(authn): use correct time resolution for setting channel expire in JWT authn
---
 apps/emqx_auth/src/emqx_authn/emqx_authn_chains.erl | 1 +
 apps/emqx_auth_jwt/src/emqx_authn_jwt.erl | 9 ++++++---
 apps/emqx_auth_jwt/test/emqx_authn_jwt_expire_SUITE.erl | 7 +++++--
 3 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/apps/emqx_auth/src/emqx_authn/emqx_authn_chains.erl b/apps/emqx_auth/src/emqx_authn/emqx_authn_chains.erl
index ba017791c..946ef9ff3 100644
--- a/apps/emqx_auth/src/emqx_authn/emqx_authn_chains.erl
+++ b/apps/emqx_auth/src/emqx_authn/emqx_authn_chains.erl
@@ -142,6 +142,7 @@ end).
 -type state() :: #{atom() => term()}.
 -type extra() :: #{
 is_superuser := boolean(),
+ %% millisecond timestamp
 expire_at => pos_integer(),
 atom() => term()
 }.
diff --git a/apps/emqx_auth_jwt/src/emqx_authn_jwt.erl b/apps/emqx_auth_jwt/src/emqx_authn_jwt.erl
index f3fee4acf..ceaa2dfc2 100644
--- a/apps/emqx_auth_jwt/src/emqx_authn_jwt.erl
+++ b/apps/emqx_auth_jwt/src/emqx_authn_jwt.erl
@@ -257,9 +257,12 @@ extra_to_auth_data(Extra, JWT, AclClaimName, DisconnectAfterExpire) ->
 {error, bad_username_or_password}
 end.
-expire_at(false, _Extra) -> #{};
-expire_at(true, #{<<"exp">> := ExpireTime}) -> #{expire_at => ExpireTime};
-expire_at(true, #{}) -> #{}.
+expire_at(false, _Extra) ->
+ #{};
+expire_at(true, #{<<"exp">> := ExpireTime}) ->
+ #{expire_at => erlang:convert_time_unit(ExpireTime, second, millisecond)};
+expire_at(true, #{}) ->
+ #{}.
 acl(Claims, AclClaimName) ->
 case Claims of
diff --git a/apps/emqx_auth_jwt/test/emqx_authn_jwt_expire_SUITE.erl b/apps/emqx_auth_jwt/test/emqx_authn_jwt_expire_SUITE.erl
index afcbe3ed9..91bd7189a 100644
--- a/apps/emqx_auth_jwt/test/emqx_authn_jwt_expire_SUITE.erl
+++ b/apps/emqx_auth_jwt/test/emqx_authn_jwt_expire_SUITE.erl
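Review bot: In `expire_at/2` of emqx_authn_jwt.erl, the new `erlang:convert_time_unit(ExpireTime, second, millisecond)` call only accepts an integer and raises `badarg` otherwise, while a JWT `exp` claim is a JSON NumericDate that may carry a fractional part. Whether claim verification earlier in the module already rejects a non-integer `exp` is not visible in this hunk and should be confirmed; if a float can reach this clause, authentication crashes on a correctly signed token. A clause such as `expire_at(true, #{<<"exp">> := T}) when is_float(T) -> #{expire_at => trunc(T * 1000)};` placed ahead of the existing `exp` clause would cover it. Adding only an `is_integer/1` guard would not be enough, because the token would then fall through to `expire_at(true, #{}) -> #{}` and the channel would get no expiry at all.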
@@ -61,9 +61,11 @@ t_jwt_expire(_Config) ->
 {ok, [#{provider := emqx_authn_jwt}]} = emqx_authn_chains:list_authenticators(?GLOBAL),
+ Expire = erlang:system_time(second) + 3,
+
 Payload = #{
 <<"username">> => <<"myuser">>,
- <<"exp">> => erlang:system_time(second) + 2
+ <<"exp">> => Expire
 },
 JWS = emqx_authn_jwt_SUITE:generate_jws('hmac-based', Payload, <<"secret">>),
@@ -71,7 +73,8 @@ t_jwt_expire(_Config) ->
 {ok, _} = emqtt:connect(C),
 receive
- {disconnected, ?RC_NOT_AUTHORIZED, #{}} -> ok
+ {disconnected, ?RC_NOT_AUTHORIZED, #{}} ->
+ ?assert(erlang:system_time(second) >= Expire)
 after 5000 ->
 ct:fail("Client should be disconnected by timeout")
 end.
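Review bot: The new `?assert(erlang:system_time(second) >= Expire)` in the second hunk of `t_jwt_expire` pins only the lower bound of the disconnect time, and nothing in the test says why, so it is easy to simplify away later. A one-line comment above it, for example `%% the broker must not drop the client before the token's exp`, would record the intent. The suite still exercises only an integer `exp`; a case with a fractional `exp`, and one with no `exp` claim while disconnect-after-expire is enabled, would cover the remaining `expire_at/2` clauses. The body of `t_jwt_expire` starts outside both hunks, so setup that may already cover this is not visible here.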