Token expiration check in middleware might pass an expired token through #173

localden · 2025-03-07T06:06:45Z

This is the logic I am referring to:

// Check if the token is expired
if (!!authInfo.expiresAt && authInfo.expiresAt < Date.now() / 1000) {
  throw new InvalidTokenError("Token has expired");
}

If, for whatever reason, the token expiration is set to 0 (e.g., a dummy value to signal need for refresh), then !!authInfo.expiresAt will evaluate to false, meaning that there will be no error caught and the token might be conisdered verified.

And for what it's worth, 0 should not be treated as "token doesn't expire" - that is signaled by the lack of exp claims (as it is optional).

I rewrote it like this in my custom middleware handler:

if (!authInfo.expiresAt) {
  throw new InvalidTokenError("Token has no expiration time");
} else if (authInfo.expiresAt < Date.now() / 1000) {
  throw new InvalidTokenError("Token has expired");
}

The text was updated successfully, but these errors were encountered:

christian-bromann · 2025-05-04T18:25:12Z

@localden I raised a PR for this in #446 and would love your feedback, thanks!

localden added the bug Something isn't working label Mar 7, 2025

christian-bromann mentioned this issue May 4, 2025

fix(server): validate expiresAt token value for non existence #446

Open

9 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Token expiration check in middleware might pass an expired token through #173

Token expiration check in middleware might pass an expired token through #173

localden commented Mar 7, 2025 •

edited

Loading

christian-bromann commented May 4, 2025

Token expiration check in middleware might pass an expired token through #173

Token expiration check in middleware might pass an expired token through #173

Comments

localden commented Mar 7, 2025 • edited Loading

christian-bromann commented May 4, 2025

localden commented Mar 7, 2025 •

edited

Loading