lib/jwt.rb in jwt-1.2.1 vs lib/jwt.rb in jwt-1.3.0

- old
+ new

@@ -8,11 +8,13 @@
 require "openssl"
 require "jwt/json"
 module JWT
   class DecodeError < StandardError; end
+  class VerificationError < DecodeError; end
   class ExpiredSignature < StandardError; end
+  class ImmatureSignature < StandardError; end
   extend JWT::Json
   module_function
   def sign(algorithm, msg, key)
@@ -100,21 +102,26 @@
     header, payload, signature, signing_input = decoded_segments(jwt, verify)
     raise JWT::DecodeError.new("Not enough or too many segments") unless header && payload
     default_options = {
       :verify_expiration => true,
+      :verify_not_before => true,
       :leeway => 0
     }
     options = default_options.merge(options)
     if verify
       algo, key = signature_algorithm_and_key(header, key, &keyfinder)
       verify_signature(algo, key, signing_input, signature)
     end
+
     if options[:verify_expiration] && payload.include?('exp')
       raise JWT::ExpiredSignature.new("Signature has expired") unless payload['exp'].to_i > (Time.now.to_i - options[:leeway])
     end
+    if options[:verify_not_before] && payload.include?('nbf')
+      raise JWT::ImmatureSignature.new("Signature nbf has not been reached") unless payload['nbf'].to_i < (Time.now.to_i + options[:leeway])
+    end
     return payload,header
   end
   def signature_algorithm_and_key(header, key, &keyfinder)
     if keyfinder
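Review bot: ImmatureSignature is declared under StandardError while the new VerificationError is placed under DecodeError, so code that rescues JWT::DecodeError around decode will not catch an nbf failure (the same is already true of ExpiredSignature). If the split is deliberate it should be stated on the class; otherwise `class ImmatureSignature < DecodeError; end` lets a single rescue cover every reason a token is refused while still allowing the specific class to be caught. A one-line comment on each new class would also help, e.g. `# Raised by decode when the nbf claim is still in the future (beyond any leeway)` and `# Raised by verify_signature when the signature or algorithm is rejected`.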
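Review bot: The new nbf check rejects a token whose nbf equals the current time because `<` is strict, whereas RFC 7519 §4.1.5 says the current time must be on or after nbf; `unless payload['nbf'].to_i <= (Time.now.to_i + options[:leeway])` matches the spec. More importantly, `.to_i` turns a non-numeric or null nbf into 0, so a malformed claim passes the check silently (for exp the same coercion at least fails closed, since 0 is never greater than the current time). I would reject non-numeric claim values before comparing, e.g. `raise JWT::DecodeError.new("nbf claim must be numeric") unless payload['nbf'].is_a?(Numeric)`, and the same guard is worth adding to the exp branch. The enclosing decode method starts before this hunk; note that verify_signature runs only when verify is true while both claim checks run regardless of it, which deserves a comment on the options hash.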
@@ -124,17 +131,17 @@
   end
   def verify_signature(algo, key, signing_input, signature)
     begin
       if ["HS256", "HS384", "HS512"].include?(algo)
-        raise JWT::DecodeError.new("Signature verification failed") unless secure_compare(signature, sign_hmac(algo, signing_input, key))
+        raise JWT::VerificationError.new("Signature verification failed") unless secure_compare(signature, sign_hmac(algo, signing_input, key))
       elsif ["RS256", "RS384", "RS512"].include?(algo)
-        raise JWT::DecodeError.new("Signature verification failed") unless verify_rsa(algo, key, signing_input, signature)
+        raise JWT::VerificationError.new("Signature verification failed") unless verify_rsa(algo, key, signing_input, signature)
       else
-        raise JWT::DecodeError.new("Algorithm not supported")
+        raise JWT::VerificationError.new("Algorithm not supported")
       end
     rescue OpenSSL::PKey::PKeyError
-      raise JWT::DecodeError.new("Signature verification failed")
+      raise JWT::VerificationError.new("Signature verification failed")
     ensure
       OpenSSL.errors.clear
     end
   end
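Review bot: The algorithm lists `["HS256", "HS384", "HS512"]` and `["RS256", "RS384", "RS512"]` are allocated on every call and are the only record of what the library accepts, so hoisting them into frozen module constants reads more clearly and gives the `else` branch a name for what it rejects. Since algo is taken from the token header (see signature_algorithm_and_key in the previous hunk), that `else` branch is the fail-closed default for any unrecognised algorithm name and should say so in a comment. The explicit `begin` is also redundant, as a method body accepts `rescue`/`ensure` directly. Raising VerificationError for an unsupported algorithm is a slight misnomer — it is a decode problem rather than a failed signature check — but because VerificationError < DecodeError callers catching the parent are unaffected.

```ruby
HMAC_ALGORITHMS = %w[HS256 HS384 HS512].freeze
RSA_ALGORITHMS = %w[RS256 RS384 RS512].freeze

def verify_signature(algo, key, signing_input, signature)
  begin
    # algo comes from the unverified token header: anything not listed above is rejected
    if HMAC_ALGORITHMS.include?(algo)
      # … unchanged: HMAC secure_compare …
    elsif RSA_ALGORITHMS.include?(algo)
      # … unchanged: verify_rsa, else branch, rescue/ensure …
```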