[sr-dev] [kamailio/kamailio] [JWT module] Verification doesn't check if the JWT is expired (Issue #4007)

### Description <!-- Explain what you did, what you expected to happen, and what actually happened. --> I used `jwt_verify()` function and expected to automatically handle the expiration check. But it doesn't. ### Troubleshooting #### Reproduction Have the following Kamailio config: ``` loadmodule "jwt.so" ... modparam("jwt", "key_mode", 0) .... $var(authorization_header_value) = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxNDQ0ODEiLCJuYW1lIjoiSm9obiBEb2UiLCJpYXQiOjExMTYyMzkwMjJ9.Ce0o-10D-ghrfQ8jAZTFgJxw6pufLa6gtoCsylI9cPQo2MANVKV1sjwwKtbLfPzSobz1VhOVZ3RtbFME1GKwEOQq0MuNh7EsmMypjAyBbSPj3he0H4ysa3Lt2i8nJ2Z02j_PU387EEwziC4ilkbXNLXdx43ji_SP--dF3rij2C1Wv8AWbNloPnIAIgtTMdXRuxQPPGFhpBLfUPa54dgrRjLRSGzUJKNbszVljhpzqLM6rJ7hsf2MiB3Ww0goRH7r_9-rm4s9eYMK1xaCPlxBUIxw9bVbNkpiFypq_IcdhXnfyTsF4FUuXSgoUqGD6dOCOh6umsDfl7rrBTMRDdqT1CcBj-_CIWSwmxreVxYz1ET5cZe0oj1GnZRYFXrJzUFd1y9srV6qKY-QK1hlflONd_YZ23hpT1hXOVF0fsgB5JQBjDYBi2kLKms5zi-EAmoIVr1JVJS5-tE_iS3p40YGblI0oOOfxeKCtskgl9KtsRvUWi_25pU5BOEX8KiXVkJ2MH9KFYv2-HXrBVkZyY4kCsHIedz8k_nMfOICrh932pC2bgkQLJEZLSwtO8nTK5G1OrS_VLYwqJv0oGtnmcupexTGYiDjN6t1nqnH6s6409z16M-pKG2wwrt-40sFJh-5eDrpqs8KreSDdOYZsoB5POn7ipqZ0OfbVUCT4TzYYPA"; $var(jwt_verification) = jwt_verify("/etc/kamailio/oauth_pub.pem", "RS256", "sub='$fU'", "$var(authorization_header_value)" ); xlog("JWT verification Status: $var(jwt_verification)"); #Outputs 1 ... ``` If you decode the JWT you'll see that the timestamp in the `iat` header is in the past. #### Debugging Data #### Log Messages ``` {1 90377072 REGISTER 1d0833c1-0d75-123e-8abe-560004469ea4} <script>: JWT verification Status: 1 ``` ### Possible Solutions Compare the timestamp from the token's `iat` claim with the current timestamp and fail the verification if it's in the past. ### Additional Information * **Kamailio Version** - output of `kamailio -v` ``` version: kamailio 5.8.2 (x86_64/linux) 3fa5f4 flags: USE_TCP, USE_TLS, USE_SCTP, TLS_HOOKS, USE_RAW_SOCKS, DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MMAP, PKG_MALLOC, MEM_JOIN_FREE, Q_MALLOC, F_MALLOC, TLSF_MALLOC, DBG_SR_MEMORY, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLOCKLIST, HAVE_RESOLV_RES, TLS_PTHREAD_MUTEX_SHARED ADAPTIVE_WAIT_LOOPS 1024, MAX_RECV_BUFFER_SIZE 262144, MAX_SEND_BUFFER_SIZE 262144, MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 8MB poll method support: poll, epoll_lt, epoll_et, sigio_rt, select. id: 3fa5f4 compiled on 10:39:56 Jun 12 2024 with gcc 8.5.0 ``` * **Operating System**: <!-- Details about the operating system, the type: Linux (e.g.,: Debian 8.4, Ubuntu 16.04, CentOS 7.1, ...), MacOS, xBSD, Solaris, ...; Kernel details (output of `lsb_release -a` and `uname -a`) --> ``` Rocky Linux 8.10 (Green Obsidian) ``` -- Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/issues/4007 You are receiving this because you are subscribed to this thread. Message ID: &lt;kamailio/kamailio/issues/4007(a)github.com&gt;