Skip to content

Require an exp claim in JWTs — reject never-expiring tokens (closes #14)#20

Merged
abhay-codes07 merged 1 commit into
mainfrom
fix/jwt-require-exp
Jul 12, 2026
Merged

Require an exp claim in JWTs — reject never-expiring tokens (closes #14)#20
abhay-codes07 merged 1 commit into
mainfrom
fix/jwt-require-exp

Conversation

@abhay-codes07

Copy link
Copy Markdown
Owner

Closes #14. Security hardening.

verify_hs256_jwt only checked expiry when exp was present, so a validly-signed token that omits exp was accepted indefinitely. JWTs have no revocation, so a captured no-exp token would be a permanent credential.

Fix

A missing/invalid exp is now rejected with AccessDenied('JWT missing exp'). mint_hs256_jwt / mint_rs256_jwt always set exp, so legitimate issuance is unaffected.

Tests

3: a validly-signed no-exp token is rejected; a normal token still verifies; an expired token still rejected. Cloud suite 25 passed, mypy + ruff clean.

Note: overlaps trivially with #6 (RS256), which factors this check into _validate_claims — whichever merges second is a one-line reconcile.

verify_hs256_jwt only checked expiry when exp was present, so a validly-signed
token that omits exp was accepted indefinitely. JWTs have no revocation, so a
captured no-exp token would be a permanent credential. Now a missing exp is
rejected with 'JWT missing exp'. mint_hs256_jwt/mint_rs256_jwt always set exp,
so legitimate issuance is unaffected. 3 tests. Closes #14.
Copilot AI review requested due to automatic review settings July 12, 2026 18:00

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

@github-actions

Copy link
Copy Markdown

🛫 Volo reliability — ❌ NO-SHIP

Replayed 7 adversarial scenarios against the agent (threshold ≥ 0.90).

Metric Score
Trajectory determinism 1.000
Decision determinism 1.000
Faithfulness 0.000
Consistency under repetition 1.000

Cost — replayed deterministically at $0 (no live API calls).

baseline 1783879231064-f5bce9b4-c841-4c5f-96b1-f8726a33c1c9 • generated by Volo

@abhay-codes07 abhay-codes07 merged commit 00f5326 into main Jul 12, 2026
3 of 4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

JWT without an exp claim never expires (cloud SSO)

2 participants