[validate] Support the nbf claim

kylef · kylef · commit 525410a7b4cb · 2015-04-05T00:26:48.000+01:00
diff --git a/JWT/JWT.swift b/JWT/JWT.swift
@@ -6,6 +6,7 @@ public enum InvalidToken : Printable {
   case DecodeError(String)
   case InvalidIssuer
   case ExpiredSignature
+  case ImmatureSignature
 
   public var description:String {
     switch self {
@@ -15,6 +16,8 @@ public enum InvalidToken : Printable {
         return "Invalid Issuer"
       case .ExpiredSignature:
         return "Expired Signature"
+      case .ImmatureSignature:
+        return "The token is not yet valid (not before claim)"
     }
   }
 }
@@ -125,5 +128,14 @@ func validateClaims(payload:Payload, audience:String?, issuer:String?) -> Invali
     return .DecodeError("Expiration time claim (exp) must be an integer")
   }
 
+  if let nbf = payload["nbf"] as? NSTimeInterval {
+    let expiary = NSDate(timeIntervalSince1970: nbf)
+    if expiary.compare(NSDate()) == .OrderedDescending {
+      return .ImmatureSignature
+    }
+  } else if let nbf:AnyObject = payload["nbf"] {
+    return .DecodeError("Not before claim (nbf) must be an integer")
+  }
+
   return nil
 }
diff --git a/JWTTests/JWTTests.swift b/JWTTests/JWTTests.swift
@@ -58,6 +58,26 @@ class JWTDecodeTests : XCTestCase {
       XCTAssertEqual(payload as NSDictionary, ["exp": 1728188491])
     }
   }
+
+  // MARK: Not before claim
+
+  func testNotBeforeClaim() {
+    let jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE0MjgxODk3MjB9.GPkK60gYvrxESysLWDhMramkh69Dd5OaOsyi2U3cVpg"
+    assertSuccess(decode(jwt)) { payload in
+      XCTAssertEqual(payload as NSDictionary, ["nbf": 1428189720])
+    }
+  }
+
+  func testInvalidNotBeforeClaim() {
+    let jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOlsxNDI4MTg5NzIwXX0.PUL1FQubzzJa4MNXe2D3d5t5cMaqFr3kYlzRUzly-C8"
+    assertDecodeError(decode(jwt), "Not before claim (nbf) must be an integer")
+  }
+
+  func testUnmetNotBeforeClaim() {
+    // If this just started failing, hello 2024!
+    let jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE3MjgxODg0OTF9.Tzhu1tu-7BXcF5YEIFFE1Vmg4tEybUnaz58FR4PcblQ"
+    assertFailure(decode(jwt))
+  }
 }
 
 // MARK: Helpers
diff --git a/README.md b/README.md
@@ -26,6 +26,7 @@ JWT.decode("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.e30.2_8pWJfyPup0YwOXK7g9Dn0cF1E
 
 - Issuer (`iss`) Claim
 - Expiration Time (`exp`) Claim
+- Not Before (`nbf`) Claim
 
 ## License
 

Original file line number	Diff line number	Diff line change
`@@ -6,6 +6,7 @@ public enum InvalidToken : Printable {`
`6`	`6`	`case DecodeError(String)`
`7`	`7`	`case InvalidIssuer`
`8`	`8`	`case ExpiredSignature`
	`9`	`+ case ImmatureSignature`
`9`	`10`
`10`	`11`	`public var description:String {`
`11`	`12`	`switch self {`
`@@ -15,6 +16,8 @@ public enum InvalidToken : Printable {`
`15`	`16`	`return "Invalid Issuer"`
`16`	`17`	`case .ExpiredSignature:`
`17`	`18`	`return "Expired Signature"`
	`19`	`+ case .ImmatureSignature:`
	`20`	`+ return "The token is not yet valid (not before claim)"`
`18`	`21`	`}`
`19`	`22`	`}`
`20`	`23`	`}`
`@@ -125,5 +128,14 @@ func validateClaims(payload:Payload, audience:String?, issuer:String?) -> Invali`
`125`	`128`	`return .DecodeError("Expiration time claim (exp) must be an integer")`
`126`	`129`	`}`
`127`	`130`
	`131`	`+ if let nbf = payload["nbf"] as? NSTimeInterval {`
	`132`	`+ let expiary = NSDate(timeIntervalSince1970: nbf)`
	`133`	`+ if expiary.compare(NSDate()) == .OrderedDescending {`
	`134`	`+ return .ImmatureSignature`
	`135`	`+ }`
	`136`	`+ } else if let nbf:AnyObject = payload["nbf"] {`
	`137`	`+ return .DecodeError("Not before claim (nbf) must be an integer")`
	`138`	`+ }`
	`139`	`+`
`128`	`140`	`return nil`
`129`	`141`	`}`