Both the gin-jwt library and the underlying jwt-go support a TimeFunc. By default, they are both initialized to time.Now.
https://github.com/appleboy/gin-jwt/blob/v2.6.4/auth_jwt.go#L272:

```go
if mw.TimeFunc == nil {
	mw.TimeFunc = time.Now
}
```

https://github.com/dgrijalva/jwt-go/blob/v3.2.0/token.go#L13:

```go
// TimeFunc provides the current time when parsing token to validate "exp" claim (expiration time).
// You can override it to use another time value. This is useful for testing or if your
// server uses a different time zone than your tokens.
var TimeFunc = time.Now
```

gin-jwt should ensure that the TimeFunc of each library is the same. If the two functions are not the same, it's possible for gin-jwt to create a token with an expiration date that is then falsely invalidated by jwt-go when the user of gin-jwt provides a custom TimeFunc.
Proposed Solution
The proposed solution is to simply add a line to the first snippet shown above, as follows:

```go
if mw.TimeFunc == nil {
	mw.TimeFunc = time.Now
}
jwt.TimeFunc = mw.TimeFunc // proposed line
```
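The clock mismatch described in this issue, reproduced with the standard library only, as an added example that is not part of the original issue or of either library. `ParserTimeFunc`, `Middleware`, `Issue`, `Parse` and `RoundTrip` are hypothetical stand-ins for jwt-go's package-level `TimeFunc` and gin-jwt's middleware, and the token is unsigned base64 JSON because only the expiry check matters here.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"time"
)

// ParserTimeFunc stands in for jwt-go's package-level TimeFunc (assumed name).
var ParserTimeFunc = time.Now

// Middleware stands in for gin-jwt's middleware, which has its own issuing clock.
type Middleware struct {
	Timeout  time.Duration
	TimeFunc func() time.Time
}

// Issue encodes claims whose "exp" comes from the middleware clock (no signature).
func (mw *Middleware) Issue() string {
	c, _ := json.Marshal(map[string]int64{"exp": mw.TimeFunc().Add(mw.Timeout).Unix()})
	return base64.RawURLEncoding.EncodeToString(c)
}

// Parse checks "exp" against the parser clock, not the middleware clock.
func Parse(tok string) error {
	var c struct{ Exp int64 `json:"exp"` }
	raw, err := base64.RawURLEncoding.DecodeString(tok)
	if err != nil || json.Unmarshal(raw, &c) != nil {
		return fmt.Errorf("malformed claims")
	}
	if ParserTimeFunc().Unix() > c.Exp {
		return fmt.Errorf("token is expired")
	}
	return nil
}

// RoundTrip sets the parser clock, then issues a token and parses it immediately.
func RoundTrip(mw *Middleware, parserClock func() time.Time) error {
	ParserTimeFunc = parserClock
	return Parse(mw.Issue())
}

func main() {
	// Constructed custom clock running two hours behind the wall clock.
	mw := &Middleware{Timeout: time.Hour, TimeFunc: func() time.Time { return time.Now().Add(-2 * time.Hour) }}
	fmt.Println("default parser clock:", RoundTrip(mw, time.Now))    // token is expired
	fmt.Println("synced parser clock: ", RoundTrip(mw, mw.TimeFunc)) // <nil>
}
```

Because the parser clock in this sketch is package-level state, assigning it changes the expiry check for every caller in the same process, not only for this middleware instance.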