diff --git a/include/jwt/impl/jwt.ipp b/include/jwt/impl/jwt.ipp
index b1ab54c..e84156b 100644
--- a/include/jwt/impl/jwt.ipp
+++ b/include/jwt/impl/jwt.ipp
@@ -443,7 +443,7 @@ std::error_code jwt_object::verify(
 auto p_exp = payload()
 .get_claim_value(registered_claims::not_before);
- if ((p_exp - dparams.leeway) < curr_time) {
+ if ((p_exp - dparams.leeway) > curr_time) {
 ec = VerificationErrc::ImmatureSignature;
 return ec;
 }
diff --git a/include/jwt/jwt.hpp b/include/jwt/jwt.hpp
index ec3ddbc..b4edd63 100644
--- a/include/jwt/jwt.hpp
+++ b/include/jwt/jwt.hpp
@@ -762,7 +762,7 @@ public: // 'tors
 *
 * 4. headers : Can pass a initializer list of pairs or any associative
 * containers which models `MappingConcept` (see `meta::is_mapping_concept`)
- * to populate header. Can be used to set JTI.
+ * to populate header. Not much useful unless JWE is supported.
 */
 template jwt_object(Args&&... args);
@@ -1026,9 +1026,11 @@ private: // Data Members
 * Optional parameters that can be passed:
 * 1. verify : A boolean flag to indicate whether
 * the signature should be verified or not.
+ * Set to `true` by default.
 *
 * 2. leeway : Number of seconds that can be added (in case of exp)
 * or subtracted (in case of nbf) to be more lenient.
+ * Set to `0` by default.
 *
 * 3. algorithms : Takes in a sequence of algorithms which the client
 * expects the signature to be decoded with.
diff --git a/tests/test_jwt_decode_verifiy.cc b/tests/test_jwt_decode_verifiy.cc
index 6950bba..660ee9e 100644
--- a/tests/test_jwt_decode_verifiy.cc
+++ b/tests/test_jwt_decode_verifiy.cc
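Review bot: The subtraction in `(p_exp - dparams.leeway) > curr_time` can wrap around if both operands are unsigned and the configured leeway is larger than the nbf value; the operand types are not visible in this hunk, so that needs confirming. A wrapped result is a very large number, so a token that is already valid would be rejected as ImmatureSignature. Moving the leeway to the other side removes the subtraction: `if (p_exp > curr_time + dparams.leeway) {`. The local is also named `p_exp` although it holds the not_before claim, and `p_nbf` would read better. verify() starts and ends outside the hunk, and none of the tests added in tests/test_jwt_decode_verifiy.cc uses a leeway larger than nbf.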
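Review bot: The `verify` entry in the @@ -1026 hunk now documents its default, but not what switching it off means for the caller. I would add a line under it such as `* When false, the signature is not checked and the decoded claims must be treated as untrusted input.` Whether the exp, nbf, iss and aud checks are also skipped in that case cannot be seen from this hunk and should be stated in the same place. The comment block starts and ends outside the hunk.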
@@ -58,6 +58,115 @@ TEST (DecodeVerify, AfterExpiryWithLeeway)
 ASSERT_FALSE (ec);
 }
+TEST (DecodeVerify, ValidIssuerTest)
+{
+ using namespace jwt::params;
+
+ jwt::jwt_object obj{algorithm("hs256"), secret("secret")};
+ obj.add_claim("iss", "arun.muralidharan")
+ .add_claim("sub", "test")
+ ;
+
+ std::error_code ec;
+ auto enc_str = obj.signature(ec);
+ ASSERT_FALSE (ec);
+
+ auto dec_obj = jwt::decode(enc_str, algorithms({"hs256"}), ec, secret("secret"), issuer("arun.muralidharan"));
+ ASSERT_FALSE (ec);
+}
+
+TEST (DecodeVerify, InvalidIssuerTest_1)
+{
+ using namespace jwt::params;
+
+ jwt::jwt_object obj{algorithm("hs256"), secret("secret"), payload({{"sub", "test"}})};
+ std::error_code ec;
+ auto enc_str = obj.signature(ec);
+ ASSERT_FALSE (ec);
+
+ auto dec_obj = jwt::decode(enc_str, algorithms({"hs256"}), ec, secret("secret"), issuer("arun.muralidharan"));
+ ASSERT_TRUE (ec);
+
+ EXPECT_EQ (ec.value(), static_cast(jwt::VerificationErrc::InvalidIssuer));
+}
+
+TEST (DecodeVerify, InvalidIssuerTest_2)
+{
+ using namespace jwt::params;
+
+ jwt::jwt_object obj{algorithm("hs256"), secret("secret"), payload({{"sub", "test"}})};
+ obj.add_claim("iss", "arun.muralidharan");
+
+ std::error_code ec;
+ auto enc_str = obj.signature(ec);
+ ASSERT_FALSE (ec);
+
+ auto dec_obj = jwt::decode(enc_str, algorithms({"hs256"}), ec, secret("secret"), issuer("arun.murali"));
+ ASSERT_TRUE (ec);
+ EXPECT_EQ (ec.value(), static_cast(jwt::VerificationErrc::InvalidIssuer));
+}
+
+TEST (DecodeVerify, NotImmatureSignatureTest)
+{
+ using namespace jwt::params;
+
+ jwt::jwt_object obj{algorithm("hs256"), secret("secret"), payload({{"sub", "test"}})};
+ obj.add_claim(jwt::registered_claims::not_before, std::chrono::system_clock::now() - std::chrono::seconds{10});
+
+ std::error_code ec;
+ auto enc_str = obj.signature(ec);
+ ASSERT_FALSE (ec);
+
+ auto dec_obj = jwt::decode(enc_str, algorithms({"hs256"}), ec, secret("secret"));
+ ASSERT_FALSE (ec);
+}
+
+TEST (DecodeVerify,
ImmatureSignatureTest)
+{
+ using namespace jwt::params;
+
+ jwt::jwt_object obj{algorithm("hs256"), secret("secret"), payload({{"sub", "test"}})};
+ obj.add_claim(jwt::registered_claims::not_before, std::chrono::system_clock::now() + std::chrono::seconds{10});
+
+ std::error_code ec;
+ auto enc_str = obj.signature(ec);
+ ASSERT_FALSE (ec);
+
+ auto dec_obj = jwt::decode(enc_str, algorithms({"hs256"}), ec, secret("secret"));
+ ASSERT_TRUE (ec);
+ EXPECT_EQ (ec.value(), static_cast(jwt::VerificationErrc::ImmatureSignature));
+}
+
+TEST (DecodeVerify, ImmatureSignatureTestWithLeeway)
+{
+ using namespace jwt::params;
+
+ jwt::jwt_object obj{algorithm("hs256"), secret("secret"), payload({{"sub", "test"}})};
+ obj.add_claim(jwt::registered_claims::not_before, std::chrono::system_clock::now() + std::chrono::seconds{10});
+
+ std::error_code ec;
+ auto enc_str = obj.signature(ec);
+ ASSERT_FALSE (ec);
+
+ auto dec_obj = jwt::decode(enc_str, algorithms({"hs256"}), ec, secret("secret"), leeway(10));
+ ASSERT_FALSE (ec);
+}
+
+TEST (DecodeVerify, InvalidAudienceTest)
+{
+ using namespace jwt::params;
+
+ jwt::jwt_object obj{algorithm("hs256"), secret("secret"), payload({{"sub", "test"}, {"aud", "www"}})};
+
+ std::error_code ec;
+ auto enc_str = obj.signature(ec);
+ ASSERT_FALSE (ec);
+
+ auto dec_obj = jwt::decode(enc_str, algorithms({"hs256"}), ec, secret("secret"), aud("ww"));
+ ASSERT_TRUE (ec);
+ EXPECT_EQ (ec.value(), static_cast(jwt::VerificationErrc::InvalidAudience));
+}
+
 int main(int argc, char* argv[]) {
 ::testing::InitGoogleTest(&argc, argv);
 return RUN_ALL_TESTS();
diff --git a/tests/test_jwt_decode_verify b/tests/test_jwt_decode_verify
index 3da6140..dbbdc47 100755
Binary files a/tests/test_jwt_decode_verify and b/tests/test_jwt_decode_verify differ
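Review bot: The failure-path assertions in InvalidIssuerTest_1, InvalidIssuerTest_2, ImmatureSignatureTest and InvalidAudienceTest compare only `ec.value()`, so an error from a different category with the same integer would also satisfy them. Comparing the whole code is stricter, e.g. `EXPECT_TRUE (ec == jwt::VerificationErrc::InvalidIssuer);`, assuming the enum is registered as an error-code enum, as the assignment `ec = VerificationErrc::ImmatureSignature` in verify() suggests. The audience check also has no passing counterpart: without a test that decodes with a matching `aud`, an implementation that rejected every audience would still pass this suite. The same commit updates the tracked executable tests/test_jwt_decode_verify; a build product cannot be reviewed line by line and is better removed from version control and ignored.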