Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Tokens don't expire, and expiry is an optional, user-supplied input #8

Open
micolous opened this issue Oct 11, 2024 · 0 comments
Open

Tokens don't expire, and expiry is an optional, user-supplied input #8

micolous opened this issue Oct 11, 2024 · 0 comments

Comments

@micolous
Copy link

Both TokenGenerator and AdvancedTokenGenerator optionally set a token expiry timestamp based on the validity_timestamp query parameter:

Jitsi-SAML2JWT/src/classes/TokenGenerator.class.php

Lines 55 to 58 in 5a38452

if (array_key_exists('validity_timestamp',$requestData))
$validity=intval($requestData['validity_timestamp']);
else
$validity=0;

Jitsi-SAML2JWT/src/classes/TokenGenerator.class.php

Lines 80 to 81 in 5a38452

if ($validity>0)
$payload['exp']=$validity;

This doesn't appear to be set as part of normal request flows, so tokens never expire by default.

The exp field should be set on based on a server-side configuration option, and not in response to user-supplied inputs.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@micolous