Easy | +50 XP | A07:2021 Identification and Authentication Failures | CWE-347
JWT | Authentication | Token Validation
Scenario
Your application validates JWT tokens by decoding the payload and returning user info.
The token payload contains an expiry timestamp (exp) in Unix seconds, but the validation function never checks it.
An attacker with an old, expired token can still authenticate indefinitely.
Failing to check token expiry means revoked or stolen tokens remain valid forever, allowing persistent unauthorized access even after a user logs out or a breach is detected.
Your Tasks
Inspect the validateToken function — it returns valid:true without checking payload.exp.
Fix it: if payload.exp < currentTime, throw 'Token expired'.
Ensure tokens where exp === currentTime are still considered valid (boundary condition).
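An added example, not the exercise's own code: the vulnerable validateToken next to a fixed one, run on a token constructed locally. The helpers makeToken and decodePayload, the placeholder signature segment, and the injectable currentTime parameter are assumptions of this example; signature verification is out of scope here and would precede the exp check in real code.

```javascript
// Added example for the exercise above (not its own code). The signature segment
// is a constructed placeholder: only the exp check is demonstrated, and real
// code would verify the signature before trusting anything in the payload.

function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function fromB64url(s) {
  return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');
}

// Constructed token: header.payload.placeholder-signature (assumed helper)
function makeToken(payload) {
  return `${b64url({ alg: 'HS256', typ: 'JWT' })}.${b64url(payload)}.sig`;
}

function decodePayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('Malformed token');
  return JSON.parse(fromB64url(parts[1]));
}

// Vulnerable: returns valid:true without ever reading payload.exp,
// so a token that expired long ago still authenticates.
function validateTokenVulnerable(token) {
  const payload = decodePayload(token);
  return { valid: true, user: payload.sub };
}

// Fixed: exp is Unix seconds. Reject only when exp < currentTime, so a token
// with exp === currentTime is still valid (the boundary the task asks for).
// currentTime is a parameter so the check is testable without a real clock.
function validateToken(token, currentTime = Math.floor(Date.now() / 1000)) {
  const payload = decodePayload(token);
  // Assumption beyond the task: a token with no numeric exp is also rejected.
  if (typeof payload.exp !== 'number') throw new Error('Token has no exp');
  if (payload.exp < currentTime) throw new Error('Token expired');
  return { valid: true, user: payload.sub };
}
```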