[Fixed] revocation check used current time instead of jwt issue time

Also empty revoked keys once account jwt has no revocations. Signed-off-by: Matthias Hanel <mh@synadia.com>
2026-04-17 03:24:40 -07:00 · 2020-10-06 15:43:34 -04:00
parent f9bff10226
commit 387e1e1ee4
9 changed files with 133 additions and 28 deletions
--- a/vendor/github.com/nats-io/jwt/v2/account_claims.go
+++ b/vendor/github.com/nats-io/jwt/v2/account_claims.go
@@ -235,7 +235,8 @@ func (a *AccountClaims) Revoke(pubKey string) {
 	a.RevokeAt(pubKey, time.Now())
 }

-// RevokeAt enters a revocation by public key and timestamp into this export
+// RevokeAt enters a revocation by public key and timestamp into this account
+// This will revoke all jwt issued for pubKey, prior to timestamp
 // If there is already a revocation for this public key that is newer, it is kept.
 func (a *AccountClaims) RevokeAt(pubKey string, timestamp time.Time) {
 	if a.Revocations == nil {
@@ -250,14 +251,18 @@ func (a *AccountClaims) ClearRevocation(pubKey string) {
 	a.Revocations.ClearRevocation(pubKey)
 }

-// IsRevokedAt checks if the public key is in the revoked list with a timestamp later than
-// the one passed in. Generally this method is called with time.Now() but other time's can
-// be used for testing.
-func (a *AccountClaims) IsRevokedAt(pubKey string, timestamp time.Time) bool {
-	return a.Revocations.IsRevoked(pubKey, timestamp)
+// isRevoked checks if the public key is in the revoked list with a timestamp later than the one passed in.
+// Generally this method is called with the subject and issue time of the jwt to be tested.
+// DO NOT pass time.Now(), it will not produce a stable/expected response.
+func (a *AccountClaims) isRevoked(pubKey string, claimIssuedAt time.Time) bool {
+	return a.Revocations.IsRevoked(pubKey, claimIssuedAt)
 }

-// IsRevoked checks if the public key is in the revoked list with time.Now()
-func (a *AccountClaims) IsRevoked(pubKey string) bool {
-	return a.Revocations.IsRevoked(pubKey, time.Now())
+// IsClaimRevoked checks if the account revoked the claim passed in.
+// Invalid claims (nil, no Subject or IssuedAt) will return true.
+func (a *AccountClaims) IsClaimRevoked(claim *UserClaims) bool {
+	if claim == nil || claim.IssuedAt == 0 || claim.Subject == "" {
+		return true
+	}
+	return a.isRevoked(claim.Subject, time.Unix(claim.IssuedAt, 0))
 }
--- a/vendor/github.com/nats-io/jwt/v2/revocation_list.go
+++ b/vendor/github.com/nats-io/jwt/v2/revocation_list.go
@@ -39,9 +39,9 @@ func (r RevocationList) ClearRevocation(pubKey string) {
 }

 // IsRevoked checks if the public key is in the revoked list with a timestamp later than
-// the one passed in. Generally this method is called with time.Now() but other time's can
+// the one passed in. Generally this method is called with an issue time but other time's can
 // be used for testing.
 func (r RevocationList) IsRevoked(pubKey string, timestamp time.Time) bool {
 	ts, ok := r[pubKey]
-	return ok && ts > timestamp.Unix()
+	return ok && ts >= timestamp.Unix()
 }
--- a/vendor/github.com/nats-io/jwt/v2/validation.go
+++ b/vendor/github.com/nats-io/jwt/v2/validation.go
@@ -105,3 +105,14 @@ func (v *ValidationResults) Errors() []error {
 	}
 	return errs
 }
+
+// Warnings returns only non blocking issues as strings
+func (v *ValidationResults) Warnings() []string {
+	var errs []string
+	for _, v := range v.Issues {
+		if !v.Blocking {
+			errs = append(errs, v.Description)
+		}
+	}
+	return errs
+}