GW_MC/YANPM
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: enforce strict expiration checking for JWT and handle existing user identities in password strategy
All checks were successful
Test / test-frontend (pull_request) Successful in 20s
Details
Test / frontend-build (pull_request) Successful in 22s
Details
Verify / verify-generated-code (pull_request) Successful in 58s
Details
Test / test (pull_request) Successful in 47s
Details
Verify / verify-openapi-spec (pull_request) Successful in 57s
Details
Verify / verify-frontend-api-client (pull_request) Successful in 16s
Details
Test / lint (pull_request) Successful in 1m0s
Details

Browse Source
This commit is contained in:
GW_MC
2025-12-19 12:22:13 +08:00
parent ec81d3228b
commit 507b5f0e49
2 changed files with 58 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
apps/api/src/services/auth/authentication.rs
View File

@@ -115,6 +115,8 @@ impl AuthenticationService for AuthenticationServiceImpl {
target_sub: Option<String>,
) -> Result<Option<Claims>, ServiceError> {
let mut validation = Validation::default();
// disable leeway for strict expiration checking
validation.leeway = 0;
if let Some(expected_sub) = target_sub {
validation.sub = Some(expected_sub);
}
@@ -247,11 +249,16 @@ mod tests {
let service = AuthenticationServiceImpl::new(Some("secret".to_string()));
let user_id = Uuid::new_v4();
let (token, _) = service.generate_jwt(user_id, 1).await.unwrap();
let (token, claims) = service.generate_jwt(user_id, 1).await.unwrap();
sleep(Duration::from_secs(2)).await;
let valid = service.is_valid_jwt(&token, None).await.unwrap();
assert!(valid.is_none(), "Token should be expired and thus invalid");
assert!(
valid.is_none(),
"Token should be expired and thus invalid. Current time: {:?}. Diff: {}",
chrono::Utc::now(),
chrono::Utc::now().timestamp() - claims.exp as i64
);
}
#[tokio::test]