jwt: increase leeway and add some tests

drakkan · drakkan · commit a768dac29d18 · 2025-10-11T14:14:21.000+02:00
also export a constant for the Cookie name

Signed-off-by: Nicola Murino &lt;nicola.murino@gmail.com&gt;
diff --git a/internal/httpd/auth_utils.go b/internal/httpd/auth_utils.go
@@ -49,8 +49,7 @@ const (
 )
 
 const (
-	basicRealm   = "Basic realm=\"SFTPGo\""
-	jwtCookieKey = "jwt"
+	basicRealm = "Basic realm=\"SFTPGo\""
 )
 
 var (
@@ -142,7 +141,7 @@ func createAndSetCookie(w http.ResponseWriter, r *http.Request, claims *jwt.Clai
 
 func setCookie(w http.ResponseWriter, r *http.Request, cookiePath, cookieValue string, duration time.Duration) {
 	http.SetCookie(w, &http.Cookie{
-		Name:     jwtCookieKey,
+		Name:     jwt.CookieKey,
 		Value:    cookieValue,
 		Path:     cookiePath,
 		Expires:  time.Now().Add(duration),
@@ -156,7 +155,7 @@ func setCookie(w http.ResponseWriter, r *http.Request, cookiePath, cookieValue s
 func removeCookie(w http.ResponseWriter, r *http.Request, cookiePath string) {
 	invalidateToken(r)
 	http.SetCookie(w, &http.Cookie{
-		Name:     jwtCookieKey,
+		Name:     jwt.CookieKey,
 		Value:    "",
 		Path:     cookiePath,
 		Expires:  time.Unix(0, 0),
diff --git a/internal/httpd/oidc.go b/internal/httpd/oidc.go
@@ -809,7 +809,7 @@ func removeOIDCCookie(w http.ResponseWriter, r *http.Request) {
 func canSkipOIDCValidation(r *http.Request) bool {
 	_, err := r.Cookie(oidcCookieKey)
 	if err != nil {
-		_, err = r.Cookie(jwtCookieKey)
+		_, err = r.Cookie(jwt.CookieKey)
 		return err == nil
 	}
 	return false
diff --git a/internal/httpd/oidc_test.go b/internal/httpd/oidc_test.go
@@ -845,7 +845,7 @@ func TestSkipOIDCAuth(t *testing.T) {
 	rr := httptest.NewRecorder()
 	r, err := http.NewRequest(http.MethodGet, webClientLogoutPath, nil)
 	assert.NoError(t, err)
-	r.Header.Set("Cookie", fmt.Sprintf("%v=%v", jwtCookieKey, tokenString))
+	r.Header.Set("Cookie", fmt.Sprintf("%v=%v", jwt.CookieKey, tokenString))
 	server.router.ServeHTTP(rr, r)
 	assert.Equal(t, http.StatusFound, rr.Code)
 	assert.Equal(t, webClientLoginPath, rr.Header().Get("Location"))
diff --git a/internal/httpd/server.go b/internal/httpd/server.go
@@ -1071,7 +1071,7 @@ func (s *httpdServer) refreshAdminToken(w http.ResponseWriter, r *http.Request,
 func (s *httpdServer) updateContextFromCookie(r *http.Request) *http.Request {
 	_, err := jwt.FromContext(r.Context())
 	if err != nil {
-		_, err = r.Cookie(jwtCookieKey)
+		_, err = r.Cookie(jwt.CookieKey)
 		if err != nil {
 			return r
 		}
diff --git a/internal/jwt/jwt.go b/internal/jwt/jwt.go
@@ -30,6 +30,10 @@ import (
 	"github.com/rs/xid"
 )
 
+const (
+	CookieKey = "jwt"
+)
+
 var (
 	TokenCtxKey = &contextKey{"Token"}
 	ErrorCtxKey = &contextKey{"Error"}
@@ -235,7 +239,7 @@ func VerifyTokenWithKey(payload string, algo []jose.SignatureAlgorithm, key any)
 	if err != nil {
 		return nil, err
 	}
-	if err := claims.ValidateWithLeeway(jwt.Expected{Time: time.Now()}, 15*time.Second); err != nil {
+	if err := claims.ValidateWithLeeway(jwt.Expected{Time: time.Now()}, 30*time.Second); err != nil {
 		return nil, err
 	}
 	return &claims, nil
@@ -244,7 +248,7 @@ func VerifyTokenWithKey(payload string, algo []jose.SignatureAlgorithm, key any)
 // TokenFromCookie tries to retrieve the token string from a cookie named
 // "jwt".
 func TokenFromCookie(r *http.Request) string {
-	cookie, err := r.Cookie("jwt")
+	cookie, err := r.Cookie(CookieKey)
 	if err != nil {
 		return ""
 	}
diff --git a/internal/jwt/jwt_test.go b/internal/jwt/jwt_test.go
@@ -223,3 +223,33 @@ func TestContext(t *testing.T) {
 
 	assert.Equal(t, "jwt context value Token", TokenCtxKey.String())
 }
+
+func TestValidationLeeway(t *testing.T) {
+	s, err := NewSigner(jose.HS256, util.GenerateRandomBytes(32))
+	require.NoError(t, err)
+	claims := &Claims{}
+	claims.Audience = []string{util.GenerateUniqueID()}
+	claims.SetIssuedAt(time.Now().Add(10 * time.Second)) // issued at in the future
+	claims.SetExpiry(time.Now().Add(10 * time.Second))
+	token, err := s.Sign(claims)
+	require.NoError(t, err)
+	_, err = VerifyToken(s, token)
+	assert.NoError(t, err)
+
+	claims = &Claims{}
+	claims.Audience = []string{util.GenerateUniqueID()}
+	claims.SetExpiry(time.Now().Add(-10 * time.Second)) // expired
+	token, err = s.Sign(claims)
+	require.NoError(t, err)
+	_, err = VerifyToken(s, token)
+	assert.NoError(t, err)
+
+	claims = &Claims{}
+	claims.Audience = []string{util.GenerateUniqueID()}
+	claims.SetExpiry(time.Now().Add(30 * time.Second))
+	claims.SetNotBefore(time.Now().Add(10 * time.Second)) // not before in the future
+	token, err = s.Sign(claims)
+	require.NoError(t, err)
+	_, err = VerifyToken(s, token)
+	assert.NoError(t, err)
+}

Original file line number	Diff line number	Diff line change
`@@ -809,7 +809,7 @@ func removeOIDCCookie(w http.ResponseWriter, r *http.Request) {`
`809`	`809`	`func canSkipOIDCValidation(r *http.Request) bool {`
`810`	`810`	`_, err := r.Cookie(oidcCookieKey)`
`811`	`811`	`if err != nil {`
`812`		`- _, err = r.Cookie(jwtCookieKey)`
	`812`	`+ _, err = r.Cookie(jwt.CookieKey)`
`813`	`813`	`return err == nil`
`814`	`814`	`}`
`815`	`815`	`return false`
Original file line number	Diff line number	Diff line change
`@@ -1071,7 +1071,7 @@ func (s httpdServer) refreshAdminToken(w http.ResponseWriter, r http.Request,`
`1071`	`1071`	`func (s httpdServer) updateContextFromCookie(r http.Request) *http.Request {`
`1072`	`1072`	`_, err := jwt.FromContext(r.Context())`
`1073`	`1073`	`if err != nil {`
`1074`		`- _, err = r.Cookie(jwtCookieKey)`
	`1074`	`+ _, err = r.Cookie(jwt.CookieKey)`
`1075`	`1075`	`if err != nil {`
`1076`	`1076`	`return r`
`1077`	`1077`	`}`