From ddc302a963d0b76406001441e7e3455ec3a8b1a9 Mon Sep 17 00:00:00 2001
From: kirahsapong <102400653+kirahsapong@users.noreply.github.com>
Date: Thu, 11 Jan 2024 09:46:47 -0800
Subject: [PATCH] Add logic to JWT.verify to validate JWT is not expired (#366)

* Add logic to jwt.verify to validate jwt is not expired

* Update test
---
 packages/credentials/src/jwt.ts        |  4 ++++
 packages/credentials/tests/jwt.spec.ts | 15 +++++++++++++++
 2 files changed, 19 insertions(+)

diff --git a/packages/credentials/src/jwt.ts b/packages/credentials/src/jwt.ts
index 13317ec37..719f21cb8 100644
--- a/packages/credentials/src/jwt.ts
+++ b/packages/credentials/src/jwt.ts
@@ -163,6 +163,10 @@ export class Jwt {
   static async verify(options: VerifyJwtOptions): Promise<JwtVerifyResult> {
     const { decoded: decodedJwt, encoded: encodedJwt } = Jwt.parse({ jwt: options.jwt });
 
+    if (decodedJwt.payload.exp && Math.floor(Date.now() / 1000) > decodedJwt.payload.exp) {
+      throw new Error(`Verification failed: JWT is expired`);
+    }
+
     // TODO: should really be looking for verificationMethod with authentication verification relationship
     const dereferenceResult = await Jwt.didResolver.dereference({ didUrl: decodedJwt.header.kid! });
     if (dereferenceResult.dereferencingMetadata.error) {
diff --git a/packages/credentials/tests/jwt.spec.ts b/packages/credentials/tests/jwt.spec.ts
index 7edec27e7..63c8ea92e 100644
--- a/packages/credentials/tests/jwt.spec.ts
+++ b/packages/credentials/tests/jwt.spec.ts
@@ -69,6 +69,21 @@ describe('Jwt', () => {
   });
 
   describe('verify()', () => {
+    it('throws error if JWT is expired', async () => {
+      const did = await DidKeyMethod.create({ keyAlgorithm: 'secp256k1' });
+      const header: JwtHeaderParams = { typ: 'JWT', alg: 'ES256K', kid: did.document.verificationMethod![0].id };
+      const base64UrlEncodedHeader = Convert.object(header).toBase64Url();
+
+      const payload: JwtPayload = { exp: Math.floor(Date.now() / 1000 - 1) };
+      const base64UrlEncodedPayload = Convert.object(payload).toBase64Url();
+
+      try {
+        await Jwt.verify({ jwt: `${base64UrlEncodedHeader}.${base64UrlEncodedPayload}.hijk` });
+        expect.fail();
+      } catch(e: any) {
+        expect(e.message).to.include('JWT is expired');
+      }
+    });
     it('throws error if JWT header kid does not dereference a verification method', async () => {
       const did = await DidKeyMethod.create({ keyAlgorithm: 'secp256k1' });
       const header: JwtHeaderParams = { typ: 'JWT', alg: 'ES256K', kid: did.did };