Description
When verifying JWT shouldn't DateTime.now().toUtc() be used instead of DateTime.now()?
I believe all DateTime.now() statements in JWT verify should be changed to DateTime.now().toUtc()
Justification
When created, all JWT tokens have their date claims created using UTC dates, so I think we need to verify these dates using UTC dates.
Current Code
jwt.dart function JWT verify uses DateTime.now()
    if (checkNotBefore && payload.containsKey('nbf')) {
      final nbf = DateTime.fromMillisecondsSinceEpoch(
        payload['nbf'] * 1000,
      );
      if (nbf.isAfter(DateTime.now())) {
        throw JWTNotActiveError();
      }
    }
Recommended New Code
Code changed to use DateTime.now().toUtc()
    if (checkNotBefore && payload.containsKey('nbf')) {
      final nbf = DateTime.fromMillisecondsSinceEpoch(
        payload['nbf'] * 1000,
      );
      if (nbf.isAfter(DateTime.now().toUtc())) {
        throw JWTNotActiveError();
      }
    }
solid_auth is a great package that I have learned a lot from, thank you!
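An added example (not part of the issue or of the package's code) of the nbf/exp check discussed above, in Dart. Dart's DateTime.isAfter compares the instant regardless of the isUtc flag, so the sketch validates the epoch-second claim values directly and adds a clock-skew leeway; checkTimeClaims, TokenTimeError and the sample timestamps are assumptions made up for the example.

```dart
// Added example: nbf/exp validation on NumericDate claims (hypothetical names).
class TokenTimeError implements Exception {
  final String reason;
  TokenTimeError(this.reason);
  @override
  String toString() => 'TokenTimeError: $reason';
}

/// Validates the NumericDate claims (seconds since the Unix epoch, RFC 7519)
/// against [now]. [leeway] tolerates clock skew between issuer and verifier.
void checkTimeClaims(
  Map<String, dynamic> payload, {
  DateTime? now,
  Duration leeway = Duration.zero,
}) {
  // toUtc() changes only the representation; the instant stays the same.
  final instant = (now ?? DateTime.now()).toUtc();

  DateTime? claim(String name) {
    final value = payload[name];
    if (value == null) return null;
    if (value is! num) throw TokenTimeError('$name is not a NumericDate');
    final millis = (value * 1000).round();
    return DateTime.fromMillisecondsSinceEpoch(millis, isUtc: true);
  }

  final nbf = claim('nbf');
  if (nbf != null && nbf.isAfter(instant.add(leeway))) {
    throw TokenTimeError('token not active yet');
  }
  final exp = claim('exp');
  // A token is valid only strictly before exp.
  if (exp != null && !exp.isAfter(instant.subtract(leeway))) {
    throw TokenTimeError('token expired');
  }
}

void main() {
  // Constructed sample: one instant, held once as local time and once as UTC.
  final local = DateTime.fromMillisecondsSinceEpoch(1700000000 * 1000);
  final utc = local.toUtc();
  print('same moment: ${local.isAtSameMomentAs(utc)}');
  final payload = {'nbf': 1700000060, 'exp': 1700003600}; // constructed claims
  for (final now in [local, utc]) {
    try {
      checkTimeClaims(payload, now: now);
    } on TokenTimeError catch (e) {
      print('now.isUtc=${now.isUtc}: $e');
    }
  }
}
```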