Added leeway for date validation issue #54

JanBrinker · JanBrinker · commit 716873a23681 · 2017-09-07T16:39:48.000+02:00
diff --git a/Sources/ClaimSet.swift b/Sources/ClaimSet.swift
@@ -93,18 +93,18 @@ extension ClaimSet {
 // MARK: Validations
 
 extension ClaimSet {
-  public func validate(audience: String? = nil, issuer: String? = nil) throws {
+  public func validate(audience: String? = nil, issuer: String? = nil, leeway: TimeInterval = 0) throws {
     if let issuer = issuer {
       try validateIssuer(issuer)
     }
 
     if let audience = audience {
       try validateAudience(audience)
     }
-
-    try validateExpiary()
-    try validateNotBefore()
-    try validateIssuedAt()
+		
+    try validateExpiary(leeway: leeway)
+    try validateNotBefore(leeway: leeway)
+    try validateIssuedAt(leeway: leeway)
   }
 
   public func validateAudience(_ audience: String) throws {
@@ -131,16 +131,16 @@ extension ClaimSet {
     }
   }
 
-  public func validateExpiary() throws {
-    try validateDate(claims, key: "exp", comparison: .orderedAscending, failure: .expiredSignature, decodeError: "Expiration time claim (exp) must be an integer")
+	public func validateExpiary(leeway: TimeInterval = 0) throws {
+		try validateDate(claims, key: "exp", comparison: .orderedAscending, leeway: (-1 * leeway), failure: .expiredSignature, decodeError: "Expiration time claim (exp) must be an integer")
   }
 
-  public func validateNotBefore() throws {
-    try validateDate(claims, key: "nbf", comparison: .orderedDescending, failure: .immatureSignature, decodeError: "Not before claim (nbf) must be an integer")
+  public func validateNotBefore(leeway: TimeInterval = 0) throws {
+    try validateDate(claims, key: "nbf", comparison: .orderedDescending, leeway: leeway, failure: .immatureSignature, decodeError: "Not before claim (nbf) must be an integer")
   }
 
-  public func validateIssuedAt() throws {
-    try validateDate(claims, key: "iat", comparison: .orderedDescending, failure: .invalidIssuedAt, decodeError: "Issued at claim (iat) must be an integer")
+  public func validateIssuedAt(leeway: TimeInterval = 0) throws {
+    try validateDate(claims, key: "iat", comparison: .orderedDescending, leeway: leeway, failure: .invalidIssuedAt, decodeError: "Issued at claim (iat) must be an integer")
   }
 }
 
diff --git a/Sources/Claims.swift b/Sources/Claims.swift
@@ -1,15 +1,15 @@
 import Foundation
 
-func validateDate(_ payload: Payload, key: String, comparison: ComparisonResult, failure: InvalidToken, decodeError: String) throws {
+func validateDate(_ payload: Payload, key: String, comparison: ComparisonResult, leeway: TimeInterval = 0, failure: InvalidToken, decodeError: String) throws {
   if payload[key] == nil {
     return
   }
 
   guard let date = extractDate(payload: payload, key: key) else {
     throw InvalidToken.decodeError(decodeError)
   }
-
-  if date.compare(Date()) == comparison {
+	
+  if date.compare(Date().addingTimeInterval(leeway)) == comparison {
     throw failure
   }
 }
diff --git a/Sources/Decode.swift b/Sources/Decode.swift
@@ -47,20 +47,20 @@ public enum InvalidToken: CustomStringConvertible, Error {
 
 
 /// Decode a JWT
-public func decode(_ jwt: String, algorithms: [Algorithm], verify: Bool = true, audience: String? = nil, issuer: String? = nil) throws -> ClaimSet {
+public func decode(_ jwt: String, algorithms: [Algorithm], verify: Bool = true, audience: String? = nil, issuer: String? = nil, leeway: TimeInterval = 0) throws -> ClaimSet {
   let (header, claims, signature, signatureInput) = try load(jwt)
 
   if verify {
-    try claims.validate(audience: audience, issuer: issuer)
+		try claims.validate(audience: audience, issuer: issuer, leeway: leeway)
     try verifySignature(algorithms, header: header, signingInput: signatureInput, signature: signature)
   }
 
   return claims
 }
 
 /// Decode a JWT
-public func decode(_ jwt: String, algorithm: Algorithm, verify: Bool = true, audience: String? = nil, issuer: String? = nil) throws -> ClaimSet {
-  return try decode(jwt, algorithms: [algorithm], verify: verify, audience: audience, issuer: issuer)
+public func decode(_ jwt: String, algorithm: Algorithm, verify: Bool = true, audience: String? = nil, issuer: String? = nil, leeway: TimeInterval = 0) throws -> ClaimSet {
+	return try decode(jwt, algorithms: [algorithm], verify: verify, audience: audience, issuer: issuer, leeway: leeway)
 }
 
 /// Decode a JWT

Original file line number	Diff line number	Diff line change
`@@ -93,18 +93,18 @@ extension ClaimSet {`
`93`	`93`	`// MARK: Validations`
`94`	`94`
`95`	`95`	`extension ClaimSet {`
`96`		`- public func validate(audience: String? = nil, issuer: String? = nil) throws {`
	`96`	`+ public func validate(audience: String? = nil, issuer: String? = nil, leeway: TimeInterval = 0) throws {`
`97`	`97`	`if let issuer = issuer {`
`98`	`98`	`try validateIssuer(issuer)`
`99`	`99`	`}`
`100`	`100`
`101`	`101`	`if let audience = audience {`
`102`	`102`	`try validateAudience(audience)`
`103`	`103`	`}`
`104`		`-`
`105`		`- try validateExpiary()`
`106`		`- try validateNotBefore()`
`107`		`- try validateIssuedAt()`
	`104`	`+`
	`105`	`+ try validateExpiary(leeway: leeway)`
	`106`	`+ try validateNotBefore(leeway: leeway)`
	`107`	`+ try validateIssuedAt(leeway: leeway)`
`108`	`108`	`}`
`109`	`109`
`110`	`110`	`public func validateAudience(_ audience: String) throws {`
`@@ -131,16 +131,16 @@ extension ClaimSet {`
`131`	`131`	`}`
`132`	`132`	`}`
`133`	`133`
`134`		`- public func validateExpiary() throws {`
`135`		`- try validateDate(claims, key: "exp", comparison: .orderedAscending, failure: .expiredSignature, decodeError: "Expiration time claim (exp) must be an integer")`
	`134`	`+ public func validateExpiary(leeway: TimeInterval = 0) throws {`
	`135`	`+ try validateDate(claims, key: "exp", comparison: .orderedAscending, leeway: (-1 * leeway), failure: .expiredSignature, decodeError: "Expiration time claim (exp) must be an integer")`
`136`	`136`	`}`
`137`	`137`
`138`		`- public func validateNotBefore() throws {`
`139`		`- try validateDate(claims, key: "nbf", comparison: .orderedDescending, failure: .immatureSignature, decodeError: "Not before claim (nbf) must be an integer")`
	`138`	`+ public func validateNotBefore(leeway: TimeInterval = 0) throws {`
	`139`	`+ try validateDate(claims, key: "nbf", comparison: .orderedDescending, leeway: leeway, failure: .immatureSignature, decodeError: "Not before claim (nbf) must be an integer")`
`140`	`140`	`}`
`141`	`141`
`142`		`- public func validateIssuedAt() throws {`
`143`		`- try validateDate(claims, key: "iat", comparison: .orderedDescending, failure: .invalidIssuedAt, decodeError: "Issued at claim (iat) must be an integer")`
	`142`	`+ public func validateIssuedAt(leeway: TimeInterval = 0) throws {`
	`143`	`+ try validateDate(claims, key: "iat", comparison: .orderedDescending, leeway: leeway, failure: .invalidIssuedAt, decodeError: "Issued at claim (iat) must be an integer")`
`144`	`144`	`}`
`145`	`145`	`}`
`146`	`146`
Original file line number	Diff line number	Diff line change
`@@ -1,15 +1,15 @@`
`1`	`1`	`import Foundation`
`2`	`2`
`3`		`-func validateDate(_ payload: Payload, key: String, comparison: ComparisonResult, failure: InvalidToken, decodeError: String) throws {`
	`3`	`+func validateDate(_ payload: Payload, key: String, comparison: ComparisonResult, leeway: TimeInterval = 0, failure: InvalidToken, decodeError: String) throws {`
`4`	`4`	`if payload[key] == nil {`
`5`	`5`	`return`
`6`	`6`	`}`
`7`	`7`
`8`	`8`	`guard let date = extractDate(payload: payload, key: key) else {`
`9`	`9`	`throw InvalidToken.decodeError(decodeError)`
`10`	`10`	`}`
`11`		`-`
`12`		`- if date.compare(Date()) == comparison {`
	`11`	`+`
	`12`	`+ if date.compare(Date().addingTimeInterval(leeway)) == comparison {`
`13`	`13`	`throw failure`
`14`	`14`	`}`
`15`	`15`	`}`
Original file line number	Diff line number	Diff line change
`@@ -47,20 +47,20 @@ public enum InvalidToken: CustomStringConvertible, Error {`
`47`	`47`
`48`	`48`
`49`	`49`	`/// Decode a JWT`
`50`		`-public func decode(_ jwt: String, algorithms: [Algorithm], verify: Bool = true, audience: String? = nil, issuer: String? = nil) throws -> ClaimSet {`
	`50`	`+public func decode(_ jwt: String, algorithms: [Algorithm], verify: Bool = true, audience: String? = nil, issuer: String? = nil, leeway: TimeInterval = 0) throws -> ClaimSet {`
`51`	`51`	`let (header, claims, signature, signatureInput) = try load(jwt)`
`52`	`52`
`53`	`53`	`if verify {`
`54`		`- try claims.validate(audience: audience, issuer: issuer)`
	`54`	`+ try claims.validate(audience: audience, issuer: issuer, leeway: leeway)`
`55`	`55`	`try verifySignature(algorithms, header: header, signingInput: signatureInput, signature: signature)`
`56`	`56`	`}`
`57`	`57`
`58`	`58`	`return claims`
`59`	`59`	`}`
`60`	`60`
`61`	`61`	`/// Decode a JWT`
`62`		`-public func decode(_ jwt: String, algorithm: Algorithm, verify: Bool = true, audience: String? = nil, issuer: String? = nil) throws -> ClaimSet {`
`63`		`- return try decode(jwt, algorithms: [algorithm], verify: verify, audience: audience, issuer: issuer)`
	`62`	`+public func decode(_ jwt: String, algorithm: Algorithm, verify: Bool = true, audience: String? = nil, issuer: String? = nil, leeway: TimeInterval = 0) throws -> ClaimSet {`
	`63`	`+ return try decode(jwt, algorithms: [algorithm], verify: verify, audience: audience, issuer: issuer, leeway: leeway)`
`64`	`64`	`}`
`65`	`65`
`66`	`66`	`/// Decode a JWT`