Skip to content

fix(server): validate expiresAt token value for non existence #446

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fix(server): validate expiresAt token value for non existence #446

wants to merge 1 commit into from
+43 −5

Conversation

christian-bromann
Copy link
Contributor

Motivation and Context

As mentioned in #173 the expiresAt property of the token isn't validated quite correctly and doesn't distinguish between token not set and token being 0.

How Has This Been Tested?

I've added unit tests for this change.

Breaking Changes

no

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed

Additional context

@christian-bromann christian-bromann mentioned this pull request May 4, 2025
Open
@ihrpr ihrpr added this to the auth milestone Jun 26, 2025
@ochafik ochafik self-requested a review June 30, 2025 10:45
ochafik
ochafik requested changes Jun 30, 2025
View reviewed changes
Copy link
Contributor

@ochafik ochafik left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @christian-bromann, thanks for sending this out! Looks good, just a tiny nit in the test :-)

src/server/auth/middleware/bearerAuth.test.ts
it("should reject expired tokens", async () => {
it.each([
[Math.floor(Date.now() / 1000) - 100], // Token expired 100 seconds ago
[0], // Token expires at the same time as now
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This would place expiration at the Unix epoch / 1 January 1970. Maybe also test (unfloored) Date.now() / 1000 if you wanna check the boundary?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ochafik ochafik ochafik requested changes

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
auth
Development

Successfully merging this pull request may close these issues.
3 participants
@christian-bromann @ochafik @ihrpr