add leeway (#45)

Author: acoshift

auth.go

@@ -22,6 +22,8 @@ type Auth struct {
 	keysMutex *sync.RWMutex
 	keys      map[string]*rsa.PublicKey
 	keysExp   time.Time
+
+	Leeway time.Duration
 }
 
 const (
@@ -85,6 +87,15 @@ func (auth *Auth) VerifyIDToken(idToken string) (*Token, error) {
 	if !ok || !token.Valid {
 		return nil, &ErrTokenInvalid{"firebaseauth: invalid token"}
 	}
+
+	now := time.Now().Unix()
+	if !claims.verifyExpiresAt(now) {
+		delta := time.Unix(now, 0).Sub(time.Unix(claims.ExpiresAt, 0))
+		return nil, &ErrTokenInvalid{fmt.Sprintf("token is expired by %v", delta)}
+	}
+	if !claims.verifyIssuedAt(now + int64(auth.Leeway/time.Second)) {
+		return nil, &ErrTokenInvalid{fmt.Sprintf("token used before issued")}
+	}
 	if !claims.verifyAudience(auth.app.projectID) {
 		return nil, &ErrTokenInvalid{fmt.Sprintf("firebaseauth: Firebase ID token has incorrect \"aud\" (audience) claim. Expected \"%s\" but got \"%s\"", auth.app.projectID, claims.Audience)}
 	}

token.go

@@ -1,10 +1,5 @@
 package firebase
 
-import (
-	"fmt"
-	"time"
-)
-
 // Token is the firebase access token
 type Token struct {
 	Issuer        string `json:"iss"`
@@ -29,20 +24,7 @@ type Token struct {
 }
 
 // Valid implements jwt-go Claims interface
-// for validates time based claims, such as IssuedAt, and ExpiresAt
-// But not verify token signature and header
 func (t *Token) Valid() error {
-	now := time.Now().Unix()
-
-	if !t.verifyExpiresAt(now) {
-		delta := time.Unix(now, 0).Sub(time.Unix(t.ExpiresAt, 0))
-		return fmt.Errorf("token is expired by %v", delta)
-	}
-
-	if !t.verifyIssuedAt(now) {
-		return fmt.Errorf("token used before issued")
-	}
-
 	return nil
 }
 

token_test.go

@@ -1,49 +1,41 @@
-package firebase_test
+package firebase
 
 import (
 	"testing"
 	"time"
 
-	"fmt"
-
-	firebase "github.com/acoshift/go-firebase-admin"
 	"github.com/stretchr/testify/assert"
 )
 
 func TestValidToken(t *testing.T) {
 	t.Run("Valid", func(t *testing.T) {
-		now := time.Now()
-		token := &firebase.Token{
-			IssuedAt:  now.Unix(),
-			ExpiresAt: now.Unix(),
-		}
+		token := &Token{}
 
 		err := token.Valid()
-		assert.Nil(t, err)
+		assert.NoError(t, err)
 	})
 
-	t.Run("usedbefore", func(t *testing.T) {
-		now := time.Now().AddDate(1, 0, 0)
-		now2 := time.Now()
-		token := &firebase.Token{
-			IssuedAt:  now.Unix(),
-			ExpiresAt: now2.Unix(),
+	t.Run("verifyIssuedAt", func(t *testing.T) {
+		now := time.Now()
+		token := &Token{
+			IssuedAt: now.Unix(),
 		}
 
-		err := token.Valid()
-		assert.NotNil(t, err)
-		assert.Equal(t, fmt.Errorf("token used before issued"), err)
+		res := token.verifyIssuedAt(now.Unix())
+		assert.True(t, res)
+
+		res = token.verifyIssuedAt(now.Unix() + 60 /* leeway */)
+		assert.True(t, res)
 	})
 
-	t.Run("expired", func(t *testing.T) {
+	t.Run("verifyExpiresAt", func(t *testing.T) {
 		now := time.Now()
-		token := &firebase.Token{
+		token := &Token{
 			IssuedAt:  now.Unix(),
 			ExpiresAt: 1500651130,
 		}
 
-		err := token.Valid()
-		assert.NotNil(t, err)
-		assert.Equal(t, fmt.Errorf("token is expired by %v", time.Unix(now.Unix(), 0).Sub(time.Unix(token.ExpiresAt, 0))), err)
+		res := token.verifyExpiresAt(now.Unix())
+		assert.False(t, res)
 	})
 }