JWT Token Validation Security Bypass #298

@annrose2277-glitch

Description
The JWT token validation in AuthRepository.isJwtExpired() has a critical security flaw. While the code correctly rejects tokens without an exp claim (line 757-759), there's a potential vulnerability where tokens with an exp value of 0 or negative values bypass the intended zero-check.

Steps to Reproduce
Create a malformed JWT with exp: 0 or exp: -1
Attempt to use it for authentication
The check at line 761 (if (exp <= 0L)) may not be reachable if parsing fails
Expected Behavior
All invalid or expired tokens should be rejected with clear error messaging

Actual Behavior
Tokens with zero or negative expiration times slip through validation due to exception handling that returns true (expired) without distinguishing between parsing errors and actual validation failures

Environment
Platform: Android TV/Mobile
Component: Authentication Layer
File: app/src/main/kotlin/com/arflix/tv/data/repository/AuthRepository.kt (line 747-769)
Possible Fix
```kotlin
// Imports assumed for this snippet (Android Base64, org.json, kotlinx-datetime);
// AppLogger is the project's own logging helper.
import android.util.Base64
import kotlinx.datetime.Clock
import org.json.JSONObject

private fun isJwtExpired(token: String, bufferSeconds: Long = 60): Boolean {
    return try {
        val parts = token.split(".")
        if (parts.size != 3) return true // JWT must have 3 parts
        // Payload is the second segment, base64url-encoded without padding
        val payload = String(
            Base64.decode(parts[1], Base64.URL_SAFE or Base64.NO_PADDING or Base64.NO_WRAP),
            Charsets.UTF_8
        )
        val json = JSONObject(payload)
        if (!json.has("exp")) return true // No expiry claim: treat as expired
        val exp = json.getLong("exp")
        if (exp <= 0L) return true // Reject zero or negative expiration
        val now = Clock.System.now().epochSeconds
        // Treat the token as expired slightly early to absorb clock skew
        exp <= now + bufferSeconds
    } catch (e: Exception) {
        AppLogger.e("Auth", "JWT parsing error", e)
        true // Reject on any parsing error
    }
}
```
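As an added illustration (not code from the issue or from the project), the same expiry checks written in Python, with one difference the report's "Actual Behavior" section asks for: instead of a single boolean, the classifier reports why a token was rejected (malformed, missing exp, zero or negative exp, expired) so logs can distinguish parsing failures from genuine expiry. The tokens are constructed inline with a placeholder signature; `jwt_exp_status`, `ExpStatus`, `make_unsigned_token` and the fixed `NOW` timestamp are names chosen here. This routine deliberately does not verify the signature; that remains a separate, mandatory step before any claim is trusted.

```python
import base64
import json
from enum import Enum


class ExpStatus(Enum):
    MALFORMED = "malformed"        # not three segments, bad base64url, or bad JSON
    MISSING_EXP = "missing_exp"    # payload has no exp claim
    INVALID_EXP = "invalid_exp"    # exp is zero, negative, or not a number
    EXPIRED = "expired"            # exp has passed (within the safety buffer)
    VALID = "valid"                # exp still in the future


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwt_exp_status(token: str, now: int, buffer_seconds: int = 60) -> ExpStatus:
    """Classify the exp claim of a JWT. Signature verification is NOT done here."""
    parts = token.split(".")
    if len(parts) != 3:
        return ExpStatus.MALFORMED
    try:
        payload = json.loads(_b64url_decode(parts[1]).decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        # binascii.Error (bad base64) and JSONDecodeError are both ValueError subclasses
        return ExpStatus.MALFORMED
    if not isinstance(payload, dict) or "exp" not in payload:
        return ExpStatus.MISSING_EXP
    exp = payload["exp"]
    # bool is a subclass of int in Python, so exclude it explicitly
    if isinstance(exp, bool) or not isinstance(exp, (int, float)) or exp <= 0:
        return ExpStatus.INVALID_EXP
    # Treat the token as expired slightly early to absorb clock skew
    if exp <= now + buffer_seconds:
        return ExpStatus.EXPIRED
    return ExpStatus.VALID


def is_jwt_expired(token: str, now: int, buffer_seconds: int = 60) -> bool:
    """Boolean view matching the Kotlin signature: anything but VALID is rejected."""
    return jwt_exp_status(token, now, buffer_seconds) is not ExpStatus.VALID


def make_unsigned_token(claims: dict) -> str:
    """Constructed test token: real header/payload encoding, placeholder signature."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


NOW = 1_700_000_000  # constructed "current time" in epoch seconds

if __name__ == "__main__":
    samples = {
        "valid":        make_unsigned_token({"sub": "user", "exp": NOW + 3600}),
        "in buffer":    make_unsigned_token({"sub": "user", "exp": NOW + 30}),
        "expired":      make_unsigned_token({"sub": "user", "exp": NOW - 1}),
        "exp zero":     make_unsigned_token({"sub": "user", "exp": 0}),
        "exp negative": make_unsigned_token({"sub": "user", "exp": -1}),
        "no exp":       make_unsigned_token({"sub": "user"}),
        "two parts":    "abc.def",
        "bad json":     "hdr." + _b64url_encode(b"not json") + ".sig",
    }
    for name, tok in samples.items():
        status = jwt_exp_status(tok, NOW)
        print(f"{name:13s} -> {status.value:12s} rejected={is_jwt_expired(tok, NOW)}")
```

Logging the `ExpStatus` value rather than a bare `true` makes a burst of `malformed` results (a client bug or tampering) distinguishable from ordinary `expired` results in monitoring, which is the error-messaging gap the issue describes.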
