fix(verify): add upper bound of 300 seconds for clockTolerance option#1039
Open
Pranav18M wants to merge 2 commits into
Fixes #1021
Adds an upper bound of 300 seconds to the `clockTolerance` option in `verify()`.

The existing PR #1036 correctly rejects invalid values (NaN, Infinity, negative) but does not cap the maximum value. A large-but-finite `clockTolerance` like `Number.MAX_SAFE_INTEGER` still effectively bypasses expiry verification since `exp + 9007199254740991` produces a value far larger than any realistic `clockTimestamp`, causing expired tokens to be silently accepted.

Any `clockTolerance` above 300 seconds is almost certainly a misconfiguration and poses a security risk.
Description
Adds an upper bound validation for the `clockTolerance` option in `verify()`. When `clockTolerance` exceeds 300 seconds, a `JsonWebTokenError` is thrown immediately, preventing accidental or malicious expiry bypass via large tolerance values.
References
Testing
The fix can be tested by calling `jwt.verify()` with `clockTolerance` set to a value greater than 300 (e.g. 301 or `Number.MAX_SAFE_INTEGER`) and confirming a `JsonWebTokenError` is thrown with the message "clockTolerance must not exceed 300 seconds to prevent accidental expiry bypass".

Environment: Node.js v20, jsonwebtoken v9.0.3
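The expiry bypass the PR describes, and the effect of the proposed cap, as an added stand-alone model. This is example code written for this page, not jsonwebtoken's own `verify()` implementation: `checkExpiry`, `validateClockTolerance`, `outcome`, the `cap` switch, the `MAX_CLOCK_TOLERANCE` constant and the sample payload are all assumptions constructed here. It reproduces only the relationship the PR relies on (a token is expired when `clockTimestamp >= exp + clockTolerance`) and shows why rejecting NaN/Infinity/negative alone is not enough: an uncapped `Number.MAX_SAFE_INTEGER` tolerance still accepts a token that expired a day ago, while the capped check rejects the option before `exp` is ever compared.

```javascript
// Added example, not jsonwebtoken's code: a simplified model of the exp check
// in verify() plus the 300-second clockTolerance cap proposed in the PR.
const MAX_CLOCK_TOLERANCE = 300; // seconds; the bound the PR introduces

class JsonWebTokenError extends Error {
  constructor(message) { super(message); this.name = 'JsonWebTokenError'; }
}
class TokenExpiredError extends JsonWebTokenError {
  constructor(expiredAt) {
    super('jwt expired');
    this.name = 'TokenExpiredError';
    this.expiredAt = expiredAt;
  }
}

// Rejects the values PR #1036 already rejects (NaN, Infinity, negative) and,
// in addition, anything above the cap. Returns the tolerance to use.
function validateClockTolerance(clockTolerance) {
  if (clockTolerance === undefined) return 0;
  if (typeof clockTolerance !== 'number' || !Number.isFinite(clockTolerance) || clockTolerance < 0) {
    throw new JsonWebTokenError('clockTolerance must be a non-negative finite number');
  }
  if (clockTolerance > MAX_CLOCK_TOLERANCE) {
    throw new JsonWebTokenError(
      'clockTolerance must not exceed 300 seconds to prevent accidental expiry bypass');
  }
  return clockTolerance;
}

// Models the expiry rule: expired when now >= exp + tolerance.
// `cap` (an assumption for this example) switches the upper bound on and off
// so the pre-fix and post-fix behaviour can be compared side by side.
function checkExpiry(payload, { clockTimestamp, clockTolerance, cap = true } = {}) {
  const now = clockTimestamp ?? Math.floor(Date.now() / 1000);
  const tolerance = cap ? validateClockTolerance(clockTolerance) : (clockTolerance || 0);
  if (typeof payload.exp !== 'undefined' && now >= payload.exp + tolerance) {
    throw new TokenExpiredError(new Date(payload.exp * 1000));
  }
  return payload;
}

// Reduces a verification attempt to a one-line outcome string.
function outcome(payload, options) {
  try {
    checkExpiry(payload, options);
    return 'accepted';
  } catch (e) {
    return `${e.name}: ${e.message}`;
  }
}

// Constructed sample input: a fixed "now" and a token that expired one day earlier.
const NOW = 1700000000;
const EXPIRED_PAYLOAD = { sub: 'example-user', exp: NOW - 86400 };

// Before the cap: a huge but finite tolerance silently accepts the expired token.
console.log('uncapped, MAX_SAFE_INTEGER ->',
  outcome(EXPIRED_PAYLOAD, { clockTimestamp: NOW, clockTolerance: Number.MAX_SAFE_INTEGER, cap: false }));
// After the cap: the option itself is rejected with the PR's error message.
console.log('capped, MAX_SAFE_INTEGER   ->',
  outcome(EXPIRED_PAYLOAD, { clockTimestamp: NOW, clockTolerance: Number.MAX_SAFE_INTEGER }));
console.log('capped, 301               ->',
  outcome(EXPIRED_PAYLOAD, { clockTimestamp: NOW, clockTolerance: 301 }));
// Within the cap, the normal expiry rule still applies.
console.log('capped, 300               ->',
  outcome(EXPIRED_PAYLOAD, { clockTimestamp: NOW, clockTolerance: 300 }));
```

The cap is checked before the expiry comparison, so a misconfigured tolerance fails fast with a `JsonWebTokenError` rather than surfacing later as an unexpectedly accepted token; an operator who genuinely needs more than 300 seconds of skew should fix the clock rather than widen the window.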