Description
When verifying a JWT, shouldn't DateTime.now().toUtc() be used instead of DateTime.now()?
I believe all DateTime.now() statements in JWT verify should be changed to DateTime.now().toUtc()
Justification
When created, all JWT tokens have their date claims created using UTC dates, so I think we need to verify these dates using UTC dates.
Current Code
jwt.dart function JWT verify uses DateTime.now()
    if (checkNotBefore && payload.containsKey('nbf')) {
      final nbf = DateTime.fromMillisecondsSinceEpoch(
        payload['nbf'] * 1000,
      );
      if (nbf.isAfter(DateTime.now())) {
        throw JWTNotActiveError();
      }
    }
Recommended New Code
Code changed to use DateTime.now().toUtc()
    if (checkNotBefore && payload.containsKey('nbf')) {
      final nbf = DateTime.fromMillisecondsSinceEpoch(
        payload['nbf'] * 1000,
      );
      if (nbf.isAfter(DateTime.now().toUtc())) {
        throw JWTNotActiveError();
      }
    }
solid_auth is a great package that I have learned a lot from, thank you!
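A stand-alone sketch of the time-claim check discussed in this issue, added here as an example and not taken from solid_auth or its JWT code; `checkTimeClaims`, `numericDate`, `TokenTimeError` and the `leeway` parameter are hypothetical names. Dart's `DateTime.isAfter` compares instants regardless of whether either value is UTC or local, so the sketch builds both sides as UTC explicitly, injects the clock so boundary cases can be exercised, and also covers `exp` and malformed claims.

```dart
// Added example, not solid_auth code: checkTimeClaims, numericDate,
// TokenTimeError and the leeway parameter are hypothetical names.
class TokenTimeError implements Exception {
  final String reason;
  TokenTimeError(this.reason);
}
/// Converts a NumericDate claim (seconds since the epoch) to a UTC DateTime.
DateTime numericDate(Object? value, String claim) {
  if (value is! num) throw TokenTimeError('$claim is not a number');
  return DateTime.fromMillisecondsSinceEpoch((value * 1000).round(),
      isUtc: true);
}
/// Checks nbf and exp against [now], tolerating [leeway] of clock skew.
void checkTimeClaims(Map<String, dynamic> payload,
    {DateTime? now, Duration leeway = Duration.zero}) {
  final current = (now ?? DateTime.now()).toUtc();
  if (payload.containsKey('nbf')) {
    final nbf = numericDate(payload['nbf'], 'nbf');
    if (nbf.isAfter(current.add(leeway))) {
      throw TokenTimeError('not active until $nbf');
    }
  }
  if (payload.containsKey('exp')) {
    final exp = numericDate(payload['exp'], 'exp');
    // A token whose exp equals the current time is already expired.
    if (!exp.isAfter(current.subtract(leeway))) {
      throw TokenTimeError('expired at $exp');
    }
  }
}

void main() {
  final now = DateTime.utc(2024, 1, 1, 12); // constructed fixed clock
  final t = now.millisecondsSinceEpoch ~/ 1000;
  print('same instant, local isAfter utc: ${now.toLocal().isAfter(now)}');
  for (final claims in <Map<String, dynamic>>[
    {'nbf': t + 5, 'exp': t + 60}, // constructed: inside the leeway
    {'nbf': t + 60}, // constructed: not yet valid
    {'exp': t - 60}, // constructed: expired
    {'exp': 'soon'}, // constructed: malformed claim
  ]) {
    try {
      checkTimeClaims(claims, now: now, leeway: const Duration(seconds: 30));
      print('accepted: $claims');
    } on TokenTimeError catch (e) {
      print('rejected: $claims (${e.reason})');
    }
  }
}
```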