Fix overflow when using Long.MAX_VALUE as leeway #723

Open
wants to merge 1 commit into
base: master

jmerle commented Jun 25, 2025

Changes

Recently I tried to set the leeway of the JWT verifier to Long.MAX_VALUE to do some local debugging where the token being expired didn't matter. Unfortunately the verifier crashed with a long overflow when I ran it. The alternative was to set the leeway to a large, but not too large value. Nonetheless, this PR fixes the overflow as I believe it to be a bug.

Previous exception on the new shouldValidateExpiresAtWithMaxLeeway:

Instant exceeds minimum or maximum instant
java.time.DateTimeException: Instant exceeds minimum or maximum instant
	at java.base/java.time.Instant.create(Instant.java:411)
	at java.base/java.time.Instant.ofEpochSecond(Instant.java:330)
	at java.base/java.time.Instant.plus(Instant.java:928)
	at java.base/java.time.Instant.plusSeconds(Instant.java:878)
	at java.base/java.time.Instant.plus(Instant.java:855)
	at java.base/java.time.Instant.minus(Instant.java:978)
	at java.base/java.time.Instant.minus(Instant.java:207)
	at java.base/java.time.Duration.subtractFrom(Duration.java:1137)
	at java.base/java.time.Instant.minus(Instant.java:954)
	at com.auth0.jwt.JWTVerifier$BaseVerification.assertInstantIsFuture(JWTVerifier.java:359)
	at com.auth0.jwt.JWTVerifier$BaseVerification.assertValidInstantClaim(JWTVerifier.java:344)
	at com.auth0.jwt.JWTVerifier$BaseVerification.lambda$addMandatoryClaimChecks$17(JWTVerifier.java:308)
	at com.auth0.jwt.JWTVerifier$BaseVerification$1.verify(JWTVerifier.java:412)
	at com.auth0.jwt.JWTVerifier.verifyClaims(JWTVerifier.java:489)
	at com.auth0.jwt.JWTVerifier.verify(JWTVerifier.java:471)
	at com.auth0.jwt.JWTVerifier.verify(JWTVerifier.java:452)
	at com.auth0.jwt.JWTVerifierTest.shouldValidateExpiresAtWithMaxLeeway(JWTVerifierTest.java:695)

Previous exception on the new shouldValidateNotBeforeWithMaxLeeway:

long overflow
java.lang.ArithmeticException: long overflow
	at java.base/java.lang.Math.addExact(Math.java:848)
	at java.base/java.time.Instant.plus(Instant.java:924)
	at java.base/java.time.Instant.plusSeconds(Instant.java:878)
	at java.base/java.time.Instant.plus(Instant.java:855)
	at java.base/java.time.Instant.plus(Instant.java:207)
	at java.base/java.time.Duration.addTo(Duration.java:1102)
	at java.base/java.time.Instant.plus(Instant.java:787)
	at com.auth0.jwt.JWTVerifier$BaseVerification.assertInstantIsLessThanOrEqualToNow(JWTVerifier.java:363)
	at com.auth0.jwt.JWTVerifier$BaseVerification.assertValidInstantClaim(JWTVerifier.java:349)
	at com.auth0.jwt.JWTVerifier$BaseVerification.lambda$addMandatoryClaimChecks$18(JWTVerifier.java:310)
	at com.auth0.jwt.JWTVerifier$BaseVerification$1.verify(JWTVerifier.java:412)
	at com.auth0.jwt.JWTVerifier.verifyClaims(JWTVerifier.java:489)
	at com.auth0.jwt.JWTVerifier.verify(JWTVerifier.java:471)
	at com.auth0.jwt.JWTVerifier.verify(JWTVerifier.java:452)
	at com.auth0.jwt.JWTVerifierTest.shouldValidateNotBeforeWithMaxLeeway(JWTVerifierTest.java:767)

References

N/A

Testing

Please describe how this can be tested by reviewers. Be specific about anything not tested and reasons why. If this library has unit and/or integration testing, tests should be added for new functionality and existing tests should complete without errors.

  • This change adds test coverage
  • This change has been tested on the latest version of Java or why not

Checklist

jmerle requested a review from a team as a code owner June 25, 2025 00:46
jmerle force-pushed the leeway-overflow branch from 299d24b to 07635e1 Compare June 25, 2025 01:07
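
The two failures in the traces above, reproduced as an added example (not code from this PR or from java-jwt). The naive checks only mirror the `Instant.minus(Duration)` and `Instant.plus(Duration)` calls visible in the stack traces; all class and method names are hypothetical, and the saturating shift is one possible remedy, not necessarily the one this PR applies.

```java
import java.time.DateTimeException;
import java.time.Duration;
import java.time.Instant;

// Added illustration; names are hypothetical, not java-jwt code.
public class LeewayOverflowDemo {
    // Naive "exp" check: same Instant.minus(Duration) call shape as the first trace.
    static boolean notExpiredNaive(Instant exp, long leewaySeconds, Instant now) {
        return now.minus(Duration.ofSeconds(leewaySeconds)).isBefore(exp);
    }

    // Naive "nbf" check: same Instant.plus(Duration) call shape as the second trace.
    static boolean notBeforeNaive(Instant nbf, long leewaySeconds, Instant now) {
        return !now.plus(Duration.ofSeconds(leewaySeconds)).isBefore(nbf);
    }

    // Shift by a signed number of seconds, saturating at Instant.MIN / Instant.MAX.
    // Both exception types must be caught: an out-of-range result raises
    // DateTimeException, a long overflow raises ArithmeticException.
    static Instant shiftSaturating(Instant base, long seconds) {
        try {
            return base.plusSeconds(seconds);
        } catch (DateTimeException | ArithmeticException e) {
            return seconds < 0 ? Instant.MIN : Instant.MAX;
        }
    }

    // Assumption: leewaySeconds is non-negative, so negating it cannot overflow.
    static boolean notExpired(Instant exp, long leewaySeconds, Instant now) {
        return shiftSaturating(now, -leewaySeconds).isBefore(exp);
    }

    static boolean notBefore(Instant nbf, long leewaySeconds, Instant now) {
        return !shiftSaturating(now, leewaySeconds).isBefore(nbf);
    }

    public static void main(String[] args) {
        Instant now = Instant.parse("2025-06-25T00:00:00Z"); // constructed sample clock
        Instant exp = now.minusSeconds(3600);                // expired one hour ago
        Instant nbf = now.plusSeconds(3600);                 // not valid for another hour
        long leeway = Long.MAX_VALUE;
        try { notExpiredNaive(exp, leeway, now); }
        catch (DateTimeException e) { System.out.println("exp naive: " + e.getMessage()); }
        try { notBeforeNaive(nbf, leeway, now); }
        catch (ArithmeticException e) { System.out.println("nbf naive: " + e.getMessage()); }
        System.out.println("exp saturating: " + notExpired(exp, leeway, now));
        System.out.println("nbf saturating: " + notBefore(nbf, leeway, now));
    }
}
```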