golang-jwt
diff --git a/‎claims.go
Lines changed: 27 additions & 228 deletions b/‎claims.go
Lines changed: 27 additions & 228 deletions
diff --git a/‎example_test.go
Lines changed: 25 additions & 1 deletion b/‎example_test.go
Lines changed: 25 additions & 1 deletion
@@ -1,23 +1,25 @@
 package jwt
 
-import (
-	"crypto/subtle"
-	"fmt"
-	"time"
-)
-
-// Claims must just have a Valid method that determines
-// if the token is invalid for any supported reason
+// Claims represent any form of a JWT Claims Set according to
+// https://datatracker.ietf.org/doc/html/rfc7519#section-4. In order to have a
+// common basis for validation, it is required that an implementation is able to
+// supply at least the claim names provided in
+// https://datatracker.ietf.org/doc/html/rfc7519#section-4.1 namely `exp`,
+// `iat`, `nbf`, `iss` and `aud`.
 type Claims interface {
-	Valid() error
+	GetExpiryAt() *NumericDate
+	GetIssuedAt() *NumericDate
+	GetNotBefore() *NumericDate
+	GetIssuer() string
+	GetAudience() ClaimStrings
 }
 
 // RegisteredClaims are a structured version of the JWT Claims Set,
 // restricted to Registered Claim Names, as referenced at
 // https://datatracker.ietf.org/doc/html/rfc7519#section-4.1
 //
 // This type can be used on its own, but then additional private and
-// public claims embedded in the JWT will not be parsed. The typical usecase
+// public claims embedded in the JWT will not be parsed. The typical use-case
 // therefore is to embedded this in a user-defined claim type.
 //
 // See examples for how to use this with your own claim types.
@@ -44,230 +46,27 @@ type RegisteredClaims struct {
 	ID string `json:"jti,omitempty"`
 }
 
-// Valid validates time based claims "exp, iat, nbf".
-// There is no accounting for clock skew.
-// As well, if any of the above claims are not in the token, it will still
-// be considered a valid claim.
-func (c RegisteredClaims) Valid() error {
-	vErr := new(ValidationError)
-	now := TimeFunc()
-
-	// The claims below are optional, by default, so if they are set to the
-	// default value in Go, let's not fail the verification for them.
-	if !c.VerifyExpiresAt(now, false) {
-		delta := now.Sub(c.ExpiresAt.Time)
-		vErr.Inner = fmt.Errorf("%s by %s", ErrTokenExpired, delta)
-		vErr.Errors |= ValidationErrorExpired
-	}
-
-	if !c.VerifyIssuedAt(now, false) {
-		vErr.Inner = ErrTokenUsedBeforeIssued
-		vErr.Errors |= ValidationErrorIssuedAt
-	}
-
-	if !c.VerifyNotBefore(now, false) {
-		vErr.Inner = ErrTokenNotValidYet
-		vErr.Errors |= ValidationErrorNotValidYet
-	}
-
-	if vErr.valid() {
-		return nil
-	}
-
-	return vErr
-}
-
-// VerifyAudience compares the aud claim against cmp.
-// If required is false, this method will return true if the value matches or is unset
-func (c *RegisteredClaims) VerifyAudience(cmp string, req bool) bool {
-	return verifyAud(c.Audience, cmp, req)
-}
-
-// VerifyExpiresAt compares the exp claim against cmp (cmp < exp).
-// If req is false, it will return true, if exp is unset.
-func (c *RegisteredClaims) VerifyExpiresAt(cmp time.Time, req bool) bool {
-	if c.ExpiresAt == nil {
-		return verifyExp(nil, cmp, req)
-	}
-
-	return verifyExp(&c.ExpiresAt.Time, cmp, req)
-}
-
-// VerifyIssuedAt compares the iat claim against cmp (cmp >= iat).
-// If req is false, it will return true, if iat is unset.
-func (c *RegisteredClaims) VerifyIssuedAt(cmp time.Time, req bool) bool {
-	if c.IssuedAt == nil {
-		return verifyIat(nil, cmp, req)
-	}
-
-	return verifyIat(&c.IssuedAt.Time, cmp, req)
-}
-
-// VerifyNotBefore compares the nbf claim against cmp (cmp >= nbf).
-// If req is false, it will return true, if nbf is unset.
-func (c *RegisteredClaims) VerifyNotBefore(cmp time.Time, req bool) bool {
-	if c.NotBefore == nil {
-		return verifyNbf(nil, cmp, req)
-	}
-
-	return verifyNbf(&c.NotBefore.Time, cmp, req)
-}
-
-// VerifyIssuer compares the iss claim against cmp.
-// If required is false, this method will return true if the value matches or is unset
-func (c *RegisteredClaims) VerifyIssuer(cmp string, req bool) bool {
-	return verifyIss(c.Issuer, cmp, req)
-}
-
-// StandardClaims are a structured version of the JWT Claims Set, as referenced at
-// https://datatracker.ietf.org/doc/html/rfc7519#section-4. They do not follow the
-// specification exactly, since they were based on an earlier draft of the
-// specification and not updated. The main difference is that they only
-// support integer-based date fields and singular audiences. This might lead to
-// incompatibilities with other JWT implementations. The use of this is discouraged, instead
-// the newer RegisteredClaims struct should be used.
-//
-// Deprecated: Use RegisteredClaims instead for a forward-compatible way to access registered claims in a struct.
-type StandardClaims struct {
-	Audience  string `json:"aud,omitempty"`
-	ExpiresAt int64  `json:"exp,omitempty"`
-	Id        string `json:"jti,omitempty"`
-	IssuedAt  int64  `json:"iat,omitempty"`
-	Issuer    string `json:"iss,omitempty"`
-	NotBefore int64  `json:"nbf,omitempty"`
-	Subject   string `json:"sub,omitempty"`
-}
-
-// Valid validates time based claims "exp, iat, nbf". There is no accounting for clock skew.
-// As well, if any of the above claims are not in the token, it will still
-// be considered a valid claim.
-func (c StandardClaims) Valid() error {
-	vErr := new(ValidationError)
-	now := TimeFunc().Unix()
-
-	// The claims below are optional, by default, so if they are set to the
-	// default value in Go, let's not fail the verification for them.
-	if !c.VerifyExpiresAt(now, false) {
-		delta := time.Unix(now, 0).Sub(time.Unix(c.ExpiresAt, 0))
-		vErr.Inner = fmt.Errorf("%s by %s", ErrTokenExpired, delta)
-		vErr.Errors |= ValidationErrorExpired
-	}
-
-	if !c.VerifyIssuedAt(now, false) {
-		vErr.Inner = ErrTokenUsedBeforeIssued
-		vErr.Errors |= ValidationErrorIssuedAt
-	}
-
-	if !c.VerifyNotBefore(now, false) {
-		vErr.Inner = ErrTokenNotValidYet
-		vErr.Errors |= ValidationErrorNotValidYet
-	}
-
-	if vErr.valid() {
-		return nil
-	}
-
-	return vErr
-}
-
-// VerifyAudience compares the aud claim against cmp.
-// If required is false, this method will return true if the value matches or is unset
-func (c *StandardClaims) VerifyAudience(cmp string, req bool) bool {
-	return verifyAud([]string{c.Audience}, cmp, req)
-}
-
-// VerifyExpiresAt compares the exp claim against cmp (cmp < exp).
-// If req is false, it will return true, if exp is unset.
-func (c *StandardClaims) VerifyExpiresAt(cmp int64, req bool) bool {
-	if c.ExpiresAt == 0 {
-		return verifyExp(nil, time.Unix(cmp, 0), req)
-	}
-
-	t := time.Unix(c.ExpiresAt, 0)
-	return verifyExp(&t, time.Unix(cmp, 0), req)
-}
-
-// VerifyIssuedAt compares the iat claim against cmp (cmp >= iat).
-// If req is false, it will return true, if iat is unset.
-func (c *StandardClaims) VerifyIssuedAt(cmp int64, req bool) bool {
-	if c.IssuedAt == 0 {
-		return verifyIat(nil, time.Unix(cmp, 0), req)
-	}
-
-	t := time.Unix(c.IssuedAt, 0)
-	return verifyIat(&t, time.Unix(cmp, 0), req)
-}
-
-// VerifyNotBefore compares the nbf claim against cmp (cmp >= nbf).
-// If req is false, it will return true, if nbf is unset.
-func (c *StandardClaims) VerifyNotBefore(cmp int64, req bool) bool {
-	if c.NotBefore == 0 {
-		return verifyNbf(nil, time.Unix(cmp, 0), req)
-	}
-
-	t := time.Unix(c.NotBefore, 0)
-	return verifyNbf(&t, time.Unix(cmp, 0), req)
-}
-
-// VerifyIssuer compares the iss claim against cmp.
-// If required is false, this method will return true if the value matches or is unset
-func (c *StandardClaims) VerifyIssuer(cmp string, req bool) bool {
-	return verifyIss(c.Issuer, cmp, req)
-}
-
-// ----- helpers
-
-func verifyAud(aud []string, cmp string, required bool) bool {
-	if len(aud) == 0 {
-		return !required
-	}
-	// use a var here to keep constant time compare when looping over a number of claims
-	result := false
-
-	var stringClaims string
-	for _, a := range aud {
-		if subtle.ConstantTimeCompare([]byte(a), []byte(cmp)) != 0 {
-			result = true
-		}
-		stringClaims = stringClaims + a
-	}
-
-	// case where "" is sent in one or many aud claims
-	if len(stringClaims) == 0 {
-		return !required
-	}
-
-	return result
+// GetExpiryAt implements the Claims interface.
+func (c RegisteredClaims) GetExpiryAt() *NumericDate {
+	return c.ExpiresAt
 }
 
-func verifyExp(exp *time.Time, now time.Time, required bool) bool {
-	if exp == nil {
-		return !required
-	}
-	return now.Before(*exp)
+// GetNotBefore implements the Claims interface.
+func (c RegisteredClaims) GetNotBefore() *NumericDate {
+	return c.NotBefore
 }
 
-func verifyIat(iat *time.Time, now time.Time, required bool) bool {
-	if iat == nil {
-		return !required
-	}
-	return now.After(*iat) || now.Equal(*iat)
+// GetIssuedAt implements the Claims interface.
+func (c RegisteredClaims) GetIssuedAt() *NumericDate {
+	return c.IssuedAt
 }
 
-func verifyNbf(nbf *time.Time, now time.Time, required bool) bool {
-	if nbf == nil {
-		return !required
-	}
-	return now.After(*nbf) || now.Equal(*nbf)
+// GetAudience implements the Claims interface.
+func (c RegisteredClaims) GetAudience() ClaimStrings {
+	return c.Audience
 }
 
-func verifyIss(iss string, cmp string, required bool) bool {
-	if iss == "" {
-		return !required
-	}
-	if subtle.ConstantTimeCompare([]byte(iss), []byte(cmp)) != 0 {
-		return true
-	} else {
-		return false
-	}
+// GetIssuer implements the Claims interface.
+func (c RegisteredClaims) GetIssuer() string {
+	return c.Issuer
 }
@@ -70,7 +70,7 @@ func ExampleNewWithClaims_customClaimsType() {
 	//Output: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmb28iOiJiYXIiLCJpc3MiOiJ0ZXN0IiwiZXhwIjoxNTE2MjM5MDIyfQ.xVuY2FZ_MRXMIEgVQ7J-TFtaucVFRXUzHm9LmV41goM <nil>
 }
 
-// Example creating a token using a custom claims type.  The StandardClaim is embedded
+// Example creating a token using a custom claims type.  The RegisteredClaims is embedded
 // in the custom type to allow for easy encoding, parsing and validation of standard claims.
 func ExampleParseWithClaims_customClaimsType() {
 	tokenString := "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmb28iOiJiYXIiLCJpc3MiOiJ0ZXN0IiwiYXVkIjoic2luZ2xlIn0.QAWg1vGvnqRuCFTMcPkjZljXHh8U3L_qUjszOtQbeaA"
@@ -93,6 +93,30 @@ func ExampleParseWithClaims_customClaimsType() {
 	// Output: bar test
 }
 
+// Example creating a token using a custom claims type and validation options.  The RegisteredClaims is embedded
+// in the custom type to allow for easy encoding, parsing and validation of standard claims.
+func ExampleParseWithClaims_customValidator() {
+	tokenString := "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmb28iOiJiYXIiLCJpc3MiOiJ0ZXN0IiwiYXVkIjoic2luZ2xlIn0.QAWg1vGvnqRuCFTMcPkjZljXHh8U3L_qUjszOtQbeaA"
+
+	type MyCustomClaims struct {
+		Foo string `json:"foo"`
+		jwt.RegisteredClaims
+	}
+
+	validator := jwt.NewValidator(jwt.WithLeeway(5 * time.Second))
+	token, err := jwt.ParseWithClaims(tokenString, &MyCustomClaims{}, func(token *jwt.Token) (interface{}, error) {
+		return []byte("AllYourBase"), nil
+	}, jwt.WithValidator(validator))
+
+	if claims, ok := token.Claims.(*MyCustomClaims); ok && token.Valid {
+		fmt.Printf("%v %v", claims.Foo, claims.RegisteredClaims.Issuer)
+	} else {
+		fmt.Println(err)
+	}
+
+	// Output: bar test
+}
+
 // An example of parsing the error types using bitfield checks
 func ExampleParse_errorChecking() {
 	// Token from another example.  This token is expired