Less problematic handling for time drift in the socket

2019-12-28 12:27:21 -08:00 · 2019-12-28 12:27:21 -08:00 · 853d215b1d
commit 853d215b1d
parent 3bbb8a3769
1 changed files with 9 additions and 16 deletions
--- a/websocket.go
+++ b/websocket.go
@ -92,24 +92,17 @@ func ParseJWT(token []byte) (*WebsocketTokenPayload, error) {
 		alg = jwt.NewHS256([]byte(config.Get().AuthenticationToken))
 	}

-	_, err := jwt.Verify(token, alg, &payload)
+	now := time.Now()
+	verifyOptions := jwt.ValidatePayload(
+		&payload.Payload,
+		jwt.ExpirationTimeValidator(now),
+	)
+
+	_, err := jwt.Verify(token, alg, &payload, verifyOptions)
 	if err != nil {
 		return nil, err
 	}

-	// Check the time of the JWT becoming valid does not exceed more than 15 seconds
-	// compared to the system time. This accounts for clock drift to some degree.
-	if time.Now().Unix()-payload.NotBefore.Unix() <= -15 {
-		return nil, errors.New("jwt violates nbf")
-	}
-
-	// Compare the expiration time of the token to the current system time. Include
-	// up to 15 seconds of clock drift, and if it has expired return an error and
-	// do not process the action.
-	if time.Now().Unix()-payload.ExpirationTime.Unix() > 15 {
-		return nil, errors.New("jwt violates exp")
-	}
-
 	if !payload.HasPermission(PermissionConnect) {
 		return nil, errors.New("not authorized to connect to this socket")
 	}
@ -123,8 +116,8 @@ func (wsh *WebsocketHandler) TokenValid() error {
 		return errors.New("no jwt present")
 	}

-	if time.Now().Unix()-wsh.JWT.ExpirationTime.Unix() > 15 {
-		return errors.New("jwt violates nbf")
+	if err := jwt.ExpirationTimeValidator(time.Now())(&wsh.JWT.Payload); err != nil {
+		return err
 	}

 	if !wsh.JWT.HasPermission(PermissionConnect) {