Use sub, exp, iat as payload

ebihara99999 · ebihara99999 · commit 373a5f3a44c0 · 2019-01-15T00:37:20.000+09:00
`JWT::ExpiredSignature: Signature has expired` is expected when a token is expired. Review comment is: Sorcery#70 (comment)
diff --git a/lib/sorcery/controller/submodules/jwt_auth.rb b/lib/sorcery/controller/submodules/jwt_auth.rb
@@ -11,19 +11,23 @@ module InstanceMethods
           def jwt_auth(*credentials)
             user = user_class.authenticate(*credentials)
             if user
-              user_params = Config.jwt_user_params.each_with_object({}) do |val, acc|
-                acc[val] = user.public_send(val)
-              end
+              now = Time.current
+              default_payload = {
+                  sub: user.id,
+                  exp: (now + 3.days).to_i,
+                  iat: now.to_i
+              }
 
-              payload = user_params.merge Config.jwt_payload
+              payload = default_payload.merge Config.jwt_payload
               
-              { Config.jwt_user_data_key => user_params,
+              { Config.jwt_user_data_key => default_payload,
                 Config.jwt_auth_token_key => jwt_encode(payload) }
             end
           end
 
           # To be used as a before_action.
           def jwt_require_auth
+            binding.pry
             @current_user = Config.jwt_set_user ? User.find(jwt_user_id) : jwt_user_data
           rescue JWT::DecodeError => e
             jwt_not_authenticated(message: e.message) && return
@@ -57,7 +61,7 @@ def jwt_user_data(token = jwt_from_header)
           # Return user id from user data if id present.
           # Else return nil
           def jwt_user_id
-            jwt_user_data.try(:[], :id)
+            jwt_user_data[:sub]
           end
 
           # This method called if user not authenticated
diff --git a/spec/controllers/controller_jwt_auth_spec.rb b/spec/controllers/controller_jwt_auth_spec.rb
@@ -4,15 +4,20 @@
   let!(:user) { double('user', id: 42) }
   before(:each) do
     request.env['HTTP_ACCEPT'] = "application/json" if ::Rails.version < '5.0.0'
+    Timecop.freeze(Time.new(2019, 01, 14, 19, 00, 00))
   end
 
   describe 'with jwt auth features' do
     let(:user_email) { 'test@test.test' }
     let(:user_password) { 'testpass' }
-    let(:auth_token) { 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6NDJ9.TIAi77DJvww5hA1DHOWfoMmWWsjEmDWMa3pJbZreTJc' }
+    let(:auth_token) { 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOjQyLCJleHAiOjE1NDc3MTkyMDAsImlhdCI6MTU0NzQ2MDAwMH0.QM5mTkYiDwI-10cEOq4b_bfrwe99BRuef6pnIB-jqIk' }
     let(:response_data) do
       {
-        user_data: { id: user.id },
+        user_data: {
+            sub: user.id,
+            exp: 1547719200,
+            iat: 1547460000
+        },
         auth_token: auth_token
       }
     end
@@ -88,7 +93,29 @@
             expect(JSON.parse(response.body)["error"]["message"]).not_to be nil
           end
         end
+        
+        context "token is expired" do
+          before do
+            Timecop.freeze(Time.new(2099, 01, 14, 19, 00, 00))
+            request.headers.merge! Authorization: auth_token
+          end
+
+          it "does return 401" do
+            get :some_action_jwt, format: :json
+  
+            expect(response.status).to eq(401)
+            expect(JSON.parse(response.body)["error"]["message"]).not_to be nil
+          end
+
+          after do
+            Timecop.return
+          end
+        end
       end
     end
   end
+
+  after do
+    Timecop.return
+  end
 end
