From: Aki Tuomi <aki.tuomi@open-xchange.com>
Date: Mon, 25 May 2020 13:19:14 +0000 (+0300)
Subject: lib-oauth2: Allow nbf and iat to be 0
X-Git-Tag: 2.3.11.2~44
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=225f7978b2afbca9f1939e6ac7d88a481ebe2b13;p=thirdparty%2Fdovecot%2Fcore.git

lib-oauth2: Allow nbf and iat to be 0

Some implementations set these intentionally to 0.
---

diff --git a/src/lib-oauth2/oauth2-jwt.c b/src/lib-oauth2/oauth2-jwt.c
index 29c6fa5523..a837297ae3 100644
--- a/src/lib-oauth2/oauth2-jwt.c
+++ b/src/lib-oauth2/oauth2-jwt.c
@@ -295,13 +295,13 @@ oauth2_jwt_body_process(ARRAY_TYPE(oauth2_field) *fields, struct json_tree *tree
 	if ((ret = get_time_field(tree, "nbf", &nbf)) < 0) {
 		*error_r = "Malformed 'nbf' field";
 		return -1;
-	} else if (ret == 0)
+	} else if (ret == 0 || nbf == 0)
 		nbf = t0;
 
 	if ((ret = get_time_field(tree, "iat", &iat)) < 0) {
 		*error_r = "Malformed 'iat' field";
 		return -1;
-	} else if (ret == 0)
+	} else if (ret == 0 || iat == 0)
 		iat = t0;
 
 	if (nbf > t0) {
diff --git a/src/lib-oauth2/test-oauth2-jwt.c b/src/lib-oauth2/test-oauth2-jwt.c
index 7685cb2eb7..31698b3cdc 100644
--- a/src/lib-oauth2/test-oauth2-jwt.c
+++ b/src/lib-oauth2/test-oauth2-jwt.c
@@ -442,6 +442,17 @@ static void test_jwt_dates(void)
 	sign_jwt_token_hs256(tokenbuf, hs_sign_key);
 	test_jwt_token(str_c(tokenbuf));
 
+	str_truncate(tokenbuf, 0);
+        base64url_encode_str("{\"alg\":\"HS256\",\"typ\":\"JWT\"}", tokenbuf);
+	str_append_c(tokenbuf, '.');
+	base64url_encode_str(t_strdup_printf("{\"sub\":\"testuser\","
+					     "\"exp\":%"PRIdTIME_T","
+				             "\"nbf\":0,\"iat\":%"PRIdTIME_T"}",
+					     exp, iat),
+			     tokenbuf);
+	sign_jwt_token_hs256(tokenbuf, hs_sign_key);
+	test_jwt_token(str_c(tokenbuf));
+
 	test_end();
 }