Exemplo n.º 1
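def _verify_iat_and_exp(payload):
    """Verifies the ``iat`` (Issued At) and ``exp`` (Expires) claims in a token
    payload.

    Both claims must be present and must be finite numbers. Each bound is
    widened by ``_helpers.CLOCK_SKEW_SECS`` so that small clock differences
    between issuer and verifier do not reject an otherwise valid token.

    Args:
        payload (Mapping[str, Any]): The JWT payload. ``iat`` and ``exp`` are
            compared numerically against the current time as returned by
            ``_helpers.datetime_to_secs``.

    Raises:
        ValueError: if any checks failed, including a missing, non-numeric
            or non-finite ``iat`` / ``exp`` claim.
    """
    import math

    now = _helpers.datetime_to_secs(_helpers.utcnow())

    # Make sure the iat and exp claims are present.
    for key in ("iat", "exp"):
        if key not in payload:
            raise ValueError(
                "Token does not contain required claim {}".format(key))

    # Make sure both claims are usable as timestamps. Without this check a
    # string claim surfaces as TypeError instead of the documented ValueError,
    # and a NaN claim makes both comparisons below evaluate to False, so the
    # token would be accepted with no effective time bound.
    for key in ("iat", "exp"):
        value = payload[key]
        # bool is a subclass of int but is not a JSON number.
        is_number = (
            isinstance(value, (int, float)) and not isinstance(value, bool))
        # isfinite is applied to floats only: very large ints are finite by
        # construction and would overflow the float conversion.
        if not is_number or (
                isinstance(value, float) and not math.isfinite(value)):
            raise ValueError(
                "Token claim {} is not a finite number".format(key))

    # Make sure the token wasn't issued in the future.
    iat = payload["iat"]
    # Err on the side of accepting a token that is slightly early to account
    # for clock skew.
    earliest = iat - _helpers.CLOCK_SKEW_SECS
    if now < earliest:
        raise ValueError("Token used too early, {} < {}".format(now, iat))

    # Make sure the token has not expired.
    exp = payload["exp"]
    # Err on the side of accepting a token that is slightly out of date
    # to account for clock skew.
    latest = exp + _helpers.CLOCK_SKEW_SECS
    if latest < now:
        raise ValueError("Token expired, {} < {}".format(latest, now))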
Exemplo n.º 2
def test_decode_bad_token_expired(token_factory):
    """A token whose ``exp`` lies one hour in the past must be rejected.

    One hour is presumably well outside the clock-skew allowance that the
    verifier applies, so ``jwt.decode`` is expected to raise.
    """
    one_hour_ago = _helpers.utcnow() - datetime.timedelta(hours=1)
    expired_token = token_factory(
        claims={"exp": _helpers.datetime_to_secs(one_hour_ago)})

    with pytest.raises(ValueError) as excinfo:
        jwt.decode(expired_token, PUBLIC_CERT_BYTES)

    # The failure has to be the expiry check, not some other ValueError.
    assert excinfo.match(r"Token expired")
Exemplo n.º 3
def test_decode_bad_token_too_early(token_factory):
    """A token whose ``iat`` lies one hour in the future must be rejected.

    One hour is presumably well outside the clock-skew allowance that the
    verifier applies, so ``jwt.decode`` is expected to raise.
    """
    one_hour_ahead = _helpers.utcnow() + datetime.timedelta(hours=1)
    premature_token = token_factory(
        claims={"iat": _helpers.datetime_to_secs(one_hour_ahead)})

    with pytest.raises(ValueError) as excinfo:
        jwt.decode(premature_token, PUBLIC_CERT_BYTES)

    # The failure has to be the issued-at check, not some other ValueError.
    assert excinfo.match(r"Token used too early")
Exemplo n.º 4
    def factory(claims=None, key_id=None, use_es256_signer=False):
        """Build a signed test JWT with default claims and optional overrides.

        Args:
            claims: Optional mapping merged over the default payload, so a
                test can replace ``iat``, ``exp`` or any other claim.
            key_id: Passed through to ``jwt.encode``. The literal ``False``
                also clears the key id stored on ``signer``.
            use_es256_signer: When true, sign with ``es256_signer`` instead
                of ``signer``.

        Returns:
            Whatever ``jwt.encode`` returns for the assembled payload.
        """
        issued_at = _helpers.datetime_to_secs(_helpers.utcnow())
        payload = {
            "aud": "*****@*****.**",
            "iat": issued_at,
            # Default lifetime: 300 units of datetime_to_secs past issuance.
            "exp": issued_at + 300,
            "user": "******",
            "metadata": {"meta": "data"},
        }
        if claims:
            payload.update(claims)

        # Passing False (not None) requests a token whose header carries no
        # key id at all.
        # NOTE(review): this mutates ``signer`` from the enclosing scope and
        # the change outlives this call; confirm the signer is not shared
        # with tests that expect a key id.
        if key_id is False:
            signer._key_id = None
            key_id = None

        chosen_signer = es256_signer if use_es256_signer else signer
        return jwt.encode(chosen_signer, payload, key_id=key_id)
def test_utcnow():
    """``_helpers.utcnow`` must return a ``datetime.datetime`` instance."""
    current = _helpers.utcnow()
    assert isinstance(current, datetime.datetime)