Fix cache containing "not yet active tokens" that never become active (…

…#195) * test case * fix inactive cached tokens never becoming active * cache value is consistent with token claim behavior (and the spec)
nearform · Feb 21, 2022 · 6995436 · 6995436
1 parent 94b1f2d
commit 6995436
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 2 deletions.
diff --git a/src/verifier.js b/src/verifier.js
@@ -258,7 +258,9 @@ function verify(
     const now = clockTimestamp || Date.now()
 
     // Validate time range
-    if (typeof value !== 'undefined' && (min === 0 || now > min) && (max === 0 || now <= max)) {
+    if (typeof value !== 'undefined' &&
+      (min === 0 || (now < min && value.code === 'FAST_JWT_INACTIVE') || (now >= min && value.code !== 'FAST_JWT_INACTIVE')) &&
+      (max === 0 || now <= max)) {
       // Cache hit
       return handleCachedResult(value, callback, promise)
     }

diff --git a/test/verifier.spec.js b/test/verifier.spec.js
@@ -1214,7 +1214,7 @@ test('caching - should correctly expire cached token using the maxAge claim', t
   t.end()
 })
 
-test('caching - should correctly expire not yet cached token using the nbf claim', t => {
+test('caching - should correctly expire not yet cached token using the nbf claim at exact notBefore time', t => {
   const clock = fakeTime({ now: 100000 })
 
   const signer = createSigner({ key: 'secret', notBefore: 200000 })
@@ -1242,6 +1242,34 @@ test('caching - should correctly expire not yet cached token using the nbf claim
   t.end()
 })
 
+test('caching - should correctly expire not yet cached token using the nbf claim while checking after expiry period', t => {
+  const clock = fakeTime({ now: 100000 })
+
+  const signer = createSigner({ key: 'secret', notBefore: 200000 })
+  const verifier = createVerifier({ key: 'secret', cache: true })
+  const token = signer({ a: 1 })
+
+  // First of all, make a token and verify it's cached and rejected
+  t.equal(verifier.cache.size, 0)
+  t.throws(() => verifier(token), { message: 'The token will be active at 1970-01-01T00:05:00.000Z.' })
+  t.equal(verifier.cache.size, 1)
+  t.throws(() => verifier(token), { message: 'The token will be active at 1970-01-01T00:05:00.000Z.' })
+  t.ok(verifier.cache.get(hashToken(token))[0] instanceof TokenError)
+
+  // Now advance after expired time
+  clock.tick(200010)
+
+  // The token should now be active and the cache should have been updated to reflect it
+  t.strictSame(verifier(token), { a: 1, iat: 100, nbf: 300 })
+  t.equal(verifier.cache.size, 1)
+  t.strictSame(verifier(token), { a: 1, iat: 100, nbf: 300 })
+  t.equal(verifier.cache.size, 1)
+  t.strictSame(verifier.cache.get(hashToken(token)), [{ a: 1, iat: 100, nbf: 300 }, 300000, 900010])
+
+  clock.uninstall()
+  t.end()
+})
+
 test('caching - should be able to consider both nbf and exp field at the same time', t => {
   const clock = fakeTime({ now: 100000 })