Verify expired tokens are invalid; bump token validity to 30 days.

2016-09-29 15:55:53 -05:00 · 2016-09-29 15:55:53 -05:00 · 70d2809ae2
parent 71fc5ab4c1
commit 70d2809ae2
2 changed files with 8 additions and 1 deletions
--- a/lib/session_token.rb
+++ b/lib/session_token.rb
@ -1,7 +1,7 @@
 class SessionToken
  HOST         = Rails.application.routes.default_url_options[:host]
  PORT         = Rails.application.routes.default_url_options[:port]
-  EXPIRY       = 4.days
+  EXPIRY       = 40.days
  PRIVATE_KEY  = KeyGen.current
  PUBLIC_KEY   = KeyGen.current.public_key
  ALG          = 'RS256'
--- a/spec/lib/session_token_spec.rb
+++ b/spec/lib/session_token_spec.rb
@ -32,4 +32,11 @@ describe SessionToken do
  it 'issues a token to a user' do
    SessionToken.issue_to(user, iat: 000, exp: 456, iss: "//lycos.com:9867")
  end
+
+  it "doesn't honor expired tokens" do
+    token  = SessionToken.issue_to(user, iat: 000, exp: 1, iss: "//lycos.com:9867")
+    result = Auth::FromJWT.run(jwt: token.encoded)
+    expect(result.success?).to be(false)
+    expect(result.errors.values.first.message).to include("is not valid")
+  end
 end