Merge pull request firebase#46 from lcabral37/skew

Provide a leeway in verification of times to account for clock skew

Author: robertdimarco

Authentication/JWT.php

@@ -15,6 +15,14 @@
  */
 class JWT
 {
+
+    /**
+     * When checking nbf, iat or expiration times,
+     * we want to provide some extra leeway time to
+     * account for clock skew.
+     */
+    public static $leeway = 0;
+
     public static $supported_algs = array(
         'HS256' => array('hash_hmac', 'SHA256'),
         'HS512' => array('hash_hmac', 'SHA512'),
@@ -80,7 +88,7 @@ public static function decode($jwt, $key = null, $allowed_algs = array())
 
             // Check if the nbf if it is defined. This is the time that the
             // token can actually be used. If it's not yet that time, abort.
-            if (isset($payload->nbf) && $payload->nbf > time()) {
+            if (isset($payload->nbf) && $payload->nbf > (time() + self::$leeway)) {
                 throw new BeforeValidException(
                     'Cannot handle token prior to ' . date(DateTime::ISO8601, $payload->nbf)
                 );
@@ -89,14 +97,14 @@ public static function decode($jwt, $key = null, $allowed_algs = array())
             // Check that this token has been created before 'now'. This prevents
             // using tokens that have been created for later use (and haven't
             // correctly used the nbf claim).
-            if (isset($payload->iat) && $payload->iat > time()) {
+            if (isset($payload->iat) && $payload->iat > (time() + self::$leeway)) {
                 throw new BeforeValidException(
                     'Cannot handle token prior to ' . date(DateTime::ISO8601, $payload->iat)
                 );
             }
 
             // Check if this token has expired.
-            if (isset($payload->exp) && time() >= $payload->exp) {
+            if (isset($payload->exp) && (time() - self::$leeway) >= $payload->exp) {
                 throw new ExpiredException('Expired token');
             }
         }

README.md

@@ -45,6 +45,16 @@ print_r($decoded);
 
 $decoded_array = (array) $decoded;
 
+/**
+ * You can add a leeway to account for when there is a clock skew times between
+ * the signing and verifying servers. It is recomended this leeway should not
+ * be bigger than a few minutes.
+ * Source: http://self-issued.info/docs/draft-ietf-oauth-json-web-token.html#nbfDef
+ */
+
+JWT::$leeway = 60;
+$decoded = JWT::decode($jwt, $key, array('HS256'));
+
 ?>
 ```
 

tests/JWTTest.php

@@ -69,7 +69,30 @@ public function testValidToken()
     {
         $payload = array(
             "message" => "abc",
-            "exp" => time() + 20); // time in the future
+            "exp" => time() + JWT::$leeway + 20); // time in the future
+        $encoded = JWT::encode($payload, 'my_key');
+        $decoded = JWT::decode($encoded, 'my_key', array('HS256'));
+        $this->assertEquals($decoded->message, 'abc');
+    }
+
+    public function testValidTokenWithLeeway()
+    {
+        JWT::$leeway = 60;
+        $payload = array(
+            "message" => "abc",
+            "exp" => time() - 20); // time in the past
+        $encoded = JWT::encode($payload, 'my_key');
+        $decoded = JWT::decode($encoded, 'my_key', array('HS256'));
+        $this->assertEquals($decoded->message, 'abc');
+    }
+
+    public function testExpiredTokenWithLeeway()
+    {
+        JWT::$leeway = 60;
+        $payload = array(
+            "message" => "abc",
+            "exp" => time() - 70); // time far in the past
+        $this->setExpectedException('ExpiredException');
         $encoded = JWT::encode($payload, 'my_key');
         $decoded = JWT::decode($encoded, 'my_key', array('HS256'));
         $this->assertEquals($decoded->message, 'abc');
@@ -97,6 +120,50 @@ public function testValidTokenWithNbf()
         $this->assertEquals($decoded->message, 'abc');
     }
 
+    public function testValidTokenWithNbfLeeway()
+    {
+        JWT::$leeway = 60;
+        $payload = array(
+            "message" => "abc",
+            "nbf"     => time() + 20); // not before in near (leeway) future
+        $encoded = JWT::encode($payload, 'my_key');
+        $decoded = JWT::decode($encoded, 'my_key', array('HS256'));
+        $this->assertEquals($decoded->message, 'abc');
+    }
+
+    public function testInvalidTokenWithNbfLeeway()
+    {
+        JWT::$leeway = 60;
+        $payload = array(
+            "message" => "abc",
+            "nbf"     => time() + 65); // not before too far in future
+        $encoded = JWT::encode($payload, 'my_key');
+        $this->setExpectedException('BeforeValidException');
+        $decoded = JWT::decode($encoded, 'my_key', array('HS256'));
+    }
+
+    public function testValidTokenWithIatLeeway()
+    {
+        JWT::$leeway = 60;
+        $payload = array(
+            "message" => "abc",
+            "iat"     => time() + 20); // issued in near (leeway) future
+        $encoded = JWT::encode($payload, 'my_key');
+        $decoded = JWT::decode($encoded, 'my_key', array('HS256'));
+        $this->assertEquals($decoded->message, 'abc');
+    }
+
+    public function testInvalidTokenWithIatLeeway()
+    {
+        JWT::$leeway = 60;
+        $payload = array(
+            "message" => "abc",
+            "iat"     => time() + 65); // issued too far in future
+        $encoded = JWT::encode($payload, 'my_key');
+        $this->setExpectedException('BeforeValidException');
+        $decoded = JWT::decode($encoded, 'my_key', array('HS256'));
+    }
+
     public function testInvalidToken()
     {
         $payload = array(