Merge pull request jpadilla#41 from skion/nbf

jpadilla · jpadilla · commit 3db70f1a71aa · 2014-10-21T17:04:05.000-04:00
Not-before claim validation
diff --git a/README.md b/README.md
@@ -77,6 +77,7 @@ JSON Web Token defines some reserved claim names and defines how they should be
 used. PyJWT supports these reserved claim names:
 
  - "exp" (Expiration Time) Claim
+ - "nbf" (Not Before Time) Claim
 
 ### Expiration Time Claim
 
@@ -125,6 +126,7 @@ you can set a leeway of 10 seconds in order to have some margin:
 
 ```python
 import datetime
+import time
 import jwt
 
 jwt_payload = jwt.encode({
@@ -138,6 +140,8 @@ time.sleep(32)
 jwt.decode(jwt_payload, 'secret', leeway=10)
 ```
 
+PyJWT also supports not-before validation via the [`nbf` claim](https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-27#section-4.1.5) in a similar fashion.
+
 ## License
 
 MIT
diff --git a/jwt/__init__.py b/jwt/__init__.py
@@ -251,6 +251,11 @@ def verify_signature(payload, signing_input, header, signature, key='',
     except KeyError:
         raise DecodeError('Algorithm not supported')
 
+    if 'nbf' in payload and verify_expiration:
+        utc_timestamp = timegm(datetime.utcnow().utctimetuple())
+        if payload['nbf'] > (utc_timestamp + leeway):
+            raise ExpiredSignature("Signature not yet valid")
+
     if 'exp' in payload and verify_expiration:
         utc_timestamp = timegm(datetime.utcnow().utctimetuple())
 
diff --git a/tests/test_jwt.py b/tests/test_jwt.py
@@ -297,6 +297,22 @@ def test_decode_with_expiration(self):
             lambda: jwt.verify_signature(
                 decoded_payload, signing, header, signature, secret))
 
+    def test_decode_with_notbefore(self):
+        self.payload['nbf'] = utc_timestamp() + 10
+        secret = 'secret'
+        jwt_message = jwt.encode(self.payload, secret)
+
+        self.assertRaises(
+            jwt.ExpiredSignature,
+            lambda: jwt.decode(jwt_message, secret))
+
+        decoded_payload, signing, header, signature = jwt.load(jwt_message)
+
+        self.assertRaises(
+            jwt.ExpiredSignature,
+            lambda: jwt.verify_signature(
+                decoded_payload, signing, header, signature, secret))
+
     def test_decode_skip_expiration_verification(self):
         self.payload['exp'] = time.time() - 1
         secret = 'secret'
@@ -308,6 +324,17 @@ def test_decode_skip_expiration_verification(self):
         jwt.verify_signature(decoded_payload, signing, header,
                              signature, secret, verify_expiration=False)
 
+    def test_decode_skip_notbefore_verification(self):
+        self.payload['nbf'] = time.time() + 10
+        secret = 'secret'
+        jwt_message = jwt.encode(self.payload, secret)
+
+        jwt.decode(jwt_message, secret, verify_expiration=False)
+
+        decoded_payload, signing, header, signature = jwt.load(jwt_message)
+        jwt.verify_signature(decoded_payload, signing, header,
+                             signature, secret, verify_expiration=False)
+
     def test_decode_with_expiration_with_leeway(self):
         self.payload['exp'] = utc_timestamp() - 2
         secret = 'secret'
@@ -331,6 +358,29 @@ def test_decode_with_expiration_with_leeway(self):
             lambda: jwt.verify_signature(decoded_payload, signing,
                                          header, signature, secret, leeway=1))
 
+    def test_decode_with_notbefore_with_leeway(self):
+        self.payload['nbf'] = utc_timestamp() + 10
+        secret = 'secret'
+        jwt_message = jwt.encode(self.payload, secret)
+
+        decoded_payload, signing, header, signature = jwt.load(jwt_message)
+
+        # With 13 seconds leeway, should be ok
+        jwt.decode(jwt_message, secret, leeway=13)
+
+        jwt.verify_signature(decoded_payload, signing, header,
+                             signature, secret, leeway=13)
+
+        # With 1 seconds, should fail
+        self.assertRaises(
+            jwt.ExpiredSignature,
+            lambda: jwt.decode(jwt_message, secret, leeway=1))
+
+        self.assertRaises(
+            jwt.ExpiredSignature,
+            lambda: jwt.verify_signature(decoded_payload, signing,
+                                         header, signature, secret, leeway=1))
+
     def test_encode_decode_with_rsa_sha256(self):
         try:
             from Crypto.PublicKey import RSA
diff --git a/tox.ini b/tox.ini
@@ -1,5 +1,5 @@
 [tox]
-envlist = py26, py27, py32, py33
+envlist = py26, py27, py32, py33, py34
 
 [testenv]
 deps = PyCrypto
