From 52e4189627dd36851b43e471d5604fe454651e46 Mon Sep 17 00:00:00 2001
From: David Komer
Date: Thu, 17 Mar 2016 15:00:13 +0200
Subject: [PATCH 1/3] use json.Number for claims check
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

if parser.UseJSONNumber is true then the Claims[“exp”] and Claims[“nbf”] can be full int64 range, not limited to float64 vnbf and vexp are just flags for whether or not the values were obtained through either method and should be checked
---
 parser.go | 39 ++++++++++++++++++++++++++++++---------
 1 file changed, 30 insertions(+), 9 deletions(-)

diff --git a/parser.go b/parser.go
index a078404..3e0fbc4 100644
--- a/parser.go
+++ b/parser.go
@@ -87,17 +87,38 @@ func (p *Parser) Parse(tokenString string, keyFunc Keyfunc) (*Token, error) {
 	// Check expiration times
 	vErr := &ValidationError{}
 	now := TimeFunc().Unix()
-	if exp, ok := token.Claims["exp"].(float64); ok {
-		if now > int64(exp) {
-			vErr.err = "token is expired"
-			vErr.Errors |= ValidationErrorExpired
+	var exp, nbf int64
+	var vexp, vnbf bool
+
+	if p.UseJSONNumber {
+		if num, ok := token.Claims["exp"].(json.Number); ok {
+			if exp, err = num.Int64(); err == nil {
+				vexp = true
+			}
+		}
+		if num, ok := token.Claims["nbf"].(json.Number); ok {
+			if nbf, err = num.Int64(); err == nil {
+				vnbf = true
+			}
+		}
+	} else {
+		var ok bool
+		if exp, ok = token.Claims["exp"].(int64); ok {
+			vexp = true
+		}
+		if nbf, ok = token.Claims["nbf"].(int64); ok {
+			vnbf = true
 		}
 	}
-	if nbf, ok := token.Claims["nbf"].(float64); ok {
-		if now < int64(nbf) {
-			vErr.err = "token is not valid yet"
-			vErr.Errors |= ValidationErrorNotValidYet
-		}
+
+	if vexp && now > exp {
+		vErr.err = "token is expired"
+		vErr.Errors |= ValidationErrorExpired
+	}
+
+	if vnbf && now < nbf {
+		vErr.err = "token is not valid yet"
+		vErr.Errors |= ValidationErrorNotValidYet
 	}
 
 	// Perform validation

From 0ebbeab74c12abd7df470a78d36cffe310d63385 Mon Sep 17 00:00:00 2001
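Review bot: When a json.Number `exp` or `nbf` claim is present but `num.Int64()` fails (a fractional or out-of-int64-range value), `vexp`/`vnbf` stay false and the claim is silently skipped, so a token whose expiry cannot be read is accepted as if it carried no expiry at all; the restyled switches in patch 3's parser.go hunk keep the same behaviour. A present-but-unconvertible time claim should be reported rather than ignored, for example in the `err != nil` case `vErr.err = "exp claim is not a valid integer"; vErr.Errors |= ValidationErrorMalformed` (and the same for nbf), assuming the package's ValidationErrorMalformed flag, which is not shown on this page. Note also that `exp, err = num.Int64()` assigns the function-level `err` declared outside the hunk, so a conversion error is left sitting in `err` while `vErr` stays clean, which is easy to misread in the code after `// Perform validation`. Parse begins and ends outside this hunk.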
From: David Komer
Date: Thu, 17 Mar 2016 15:12:22 +0200
Subject: [PATCH 2/3] conversion error fixed

---
 parser.go | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/parser.go b/parser.go
index 3e0fbc4..bf8cc88 100644
--- a/parser.go
+++ b/parser.go
@@ -102,12 +102,13 @@ func (p *Parser) Parse(tokenString string, keyFunc Keyfunc) (*Token, error) {
 			}
 		}
 	} else {
-		var ok bool
-		if exp, ok = token.Claims["exp"].(int64); ok {
+		if num, ok := token.Claims["exp"].(float64); ok {
 			vexp = true
+			exp = int64(num)
 		}
-		if nbf, ok = token.Claims["nbf"].(int64); ok {
+		if num, ok := token.Claims["nbf"].(float64); ok {
 			vnbf = true
+			nbf = int64(num)
 		}
 	}
 

From 572c9130e82f6dbfb551403b19629ff95b94e181 Mon Sep 17 00:00:00 2001
From: Dave Grijalva
Date: Mon, 4 Apr 2016 14:42:10 -0700
Subject: [PATCH 3/3] cleaned up style and added tests

---
 parser.go      | 32 ++++++++++++++++----------------
 parser_test.go | 27 +++++++++++++++++++++++++++
 2 files changed, 43 insertions(+), 16 deletions(-)

diff --git a/parser.go b/parser.go
index bf8cc88..e2fb28f 100644
--- a/parser.go
+++ b/parser.go
@@ -90,26 +90,26 @@ func (p *Parser) Parse(tokenString string, keyFunc Keyfunc) (*Token, error) {
 	var exp, nbf int64
 	var vexp, vnbf bool
 
-	if p.UseJSONNumber {
-		if num, ok := token.Claims["exp"].(json.Number); ok {
-			if exp, err = num.Int64(); err == nil {
-				vexp = true
-			}
-		}
-		if num, ok := token.Claims["nbf"].(json.Number); ok {
-			if nbf, err = num.Int64(); err == nil {
-				vnbf = true
-			}
-		}
-	} else {
-		if num, ok := token.Claims["exp"].(float64); ok {
+	// Parse 'exp' claim
+	switch num := token.Claims["exp"].(type) {
+	case json.Number:
+		if exp, err = num.Int64(); err == nil {
 			vexp = true
-			exp = int64(num)
 		}
-		if num, ok := token.Claims["nbf"].(float64); ok {
+	case float64:
+		vexp = true
+		exp = int64(num)
+	}
+
+	// Parse 'nbf' claim
+	switch num := token.Claims["nbf"].(type) {
+	case json.Number:
+		if nbf, err = num.Int64(); err == nil {
 			vnbf = true
-			nbf = int64(num)
 		}
+	case float64:
+		vnbf = true
+		nbf = int64(num)
 	}
 
 	if vexp && now > exp {
diff --git a/parser_test.go b/parser_test.go
index 9115017..80250ef 100644
--- a/parser_test.go
+++ b/parser_test.go
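Review bot: The two type switches on `token.Claims["exp"]` and `token.Claims["nbf"]` are the same block with the names swapped, and a further time claim would copy it a third time. A small file-level helper that converts a numeric claim to int64 and reports whether it was usable folds both into one call each, and it also stops `exp, err = num.Int64()` from using the function-level `err` as scratch storage. With the helper the declarations `var exp, nbf int64` and `var vexp, vnbf bool` at the top of the hunk are no longer needed. Parse begins and ends outside this hunk.
```go
// claimInt64 converts a numeric claim (json.Number or float64) to int64.
// ok is false when the claim is absent, of another type, or a json.Number
// that is not a valid int64.
func claimInt64(v interface{}) (int64, bool) {
	switch num := v.(type) {
	case json.Number:
		i, err := num.Int64()
		return i, err == nil
	case float64:
		return int64(num), true
	}
	return 0, false
}

	// … unchanged: vErr and now setup before this hunk …
	exp, vexp := claimInt64(token.Claims["exp"])
	nbf, vnbf := claimInt64(token.Claims["nbf"])
	// … unchanged: vexp/vnbf comparisons against now …
```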
@@ -127,6 +127,33 @@ var jwtTestData = []struct {
 		0,
 		&jwt.Parser{UseJSONNumber: true},
 	},
+	{
+		"JSON Number - basic expired",
+		"", // autogen
+		defaultKeyFunc,
+		map[string]interface{}{"foo": "bar", "exp": json.Number(fmt.Sprintf("%v", time.Now().Unix()-100))},
+		false,
+		jwt.ValidationErrorExpired,
+		&jwt.Parser{UseJSONNumber: true},
+	},
+	{
+		"JSON Number - basic nbf",
+		"", // autogen
+		defaultKeyFunc,
+		map[string]interface{}{"foo": "bar", "nbf": json.Number(fmt.Sprintf("%v", time.Now().Unix()+100))},
+		false,
+		jwt.ValidationErrorNotValidYet,
+		&jwt.Parser{UseJSONNumber: true},
+	},
+	{
+		"JSON Number - expired and nbf",
+		"", // autogen
+		defaultKeyFunc,
+		map[string]interface{}{"foo": "bar", "nbf": json.Number(fmt.Sprintf("%v", time.Now().Unix()+100)), "exp": json.Number(fmt.Sprintf("%v", time.Now().Unix()-100))},
+		false,
+		jwt.ValidationErrorNotValidYet | jwt.ValidationErrorExpired,
+		&jwt.Parser{UseJSONNumber: true},
+	},
 }
 
 func init() {
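Review bot: The three new rows only use json.Number values that `Int64()` accepts; none covers an `exp` such as `json.Number("1.5")` or a value beyond int64, which is exactly the path where the parser decides what a present-but-unreadable expiry means. One such row would pin that decision in the table instead of leaving it implicit; its expected-error column is whatever Parse is meant to return for a malformed time claim, so adding it also documents that choice. The `fmt.Sprintf("%v", ...)` wrapping could be `strconv.FormatInt(time.Now().Unix()-100, 10)`, which states the intended integer formatting directly. The jwtTestData table begins outside this hunk.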