use same leeway for exp and nbf

Shopify · Apr 16, 2024 · 0ffe471 · 0ffe471
1 parent 7b09b25
commit 0ffe471
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 3 deletions.
diff --git a/lib/shopify_api/auth/jwt_payload.rb b/lib/shopify_api/auth/jwt_payload.rb
@@ -73,8 +73,7 @@ def ==(other)
 
       sig { params(token: String, api_secret_key: String).returns(T::Hash[String, T.untyped]) }
       def decode_token(token, api_secret_key)
-        JWT.decode(token, api_secret_key, true,
-          { exp_leeway: JWT_EXPIRATION_LEEWAY, algorithm: "HS256" })[0]
+        JWT.decode(token, api_secret_key, true, leeway: JWT_EXPIRATION_LEEWAY, algorithm: "HS256")[0]
       rescue JWT::DecodeError => err
         raise ShopifyAPI::Errors::InvalidJwtTokenError, "Error decoding session token: #{err.message}"
       end

diff --git a/test/auth/jwt_payload_test.rb b/test/auth/jwt_payload_test.rb
@@ -76,7 +76,7 @@ def test_decode_jwt_payload_fails_with_expired_token
 
       def test_decode_jwt_payload_fails_if_not_activated_yet
         payload = @jwt_payload.dup
-        payload[:nbf] = (Time.now + 10).to_i
+        payload[:nbf] = (Time.now + 12).to_i
         jwt_token = JWT.encode(payload, ShopifyAPI::Context.api_secret_key, "HS256")
         assert_raises(ShopifyAPI::Errors::InvalidJwtTokenError) do
           ShopifyAPI::Auth::JwtPayload.new(jwt_token)
@@ -92,6 +92,44 @@ def test_decode_jwt_payload_fails_with_invalid_api_key
           ShopifyAPI::Auth::JwtPayload.new(jwt_token)
         end
       end
+
+      def test_decode_jwt_payload_succeeds_with_expiration_in_the_past_within_10s_leeway
+        payload = @jwt_payload.merge(exp: Time.now.to_i - 8)
+        jwt_token = JWT.encode(payload, ShopifyAPI::Context.api_secret_key, "HS256")
+
+        decoded = ShopifyAPI::Auth::JwtPayload.new(jwt_token)
+
+        assert_equal(payload, {
+          iss: decoded.iss,
+          dest: decoded.dest,
+          aud: decoded.aud,
+          sub: decoded.sub,
+          exp: decoded.exp,
+          nbf: decoded.nbf,
+          iat: decoded.iat,
+          jti: decoded.jti,
+          sid: decoded.sid,
+        })
+      end
+
+      def test_decode_jwt_payload_succeeds_with_not_before_in_the_future_within_10s_leeway
+        payload = @jwt_payload.merge(nbf: Time.now.to_i + 8)
+        jwt_token = JWT.encode(payload, ShopifyAPI::Context.api_secret_key, "HS256")
+
+        decoded = ShopifyAPI::Auth::JwtPayload.new(jwt_token)
+
+        assert_equal(payload, {
+          iss: decoded.iss,
+          dest: decoded.dest,
+          aud: decoded.aud,
+          sub: decoded.sub,
+          exp: decoded.exp,
+          nbf: decoded.nbf,
+          iat: decoded.iat,
+          jti: decoded.jti,
+          sid: decoded.sid,
+        })
+      end
     end
   end
 end