added token date checks & signature is now forced to lowercase hex before validation.

src/jwt.lua

@@ -2,6 +2,7 @@ local meta    = {}
 local data    = {}
 
 local json    = require 'cjson'
+local json_safe = require 'cjson.safe'
 json.encode_empty_table('array')
 local basexx  = require 'basexx'
 local jws     = require 'jwt.jws'
@@ -55,7 +56,8 @@ function data.decode(str, options)
   if not str then return nil, "Parameter 1 cannot be nil" end
   local dotFirst = str:find("%.")
   if not dotFirst then return nil, "Invalid token" end
-  local header = json.decode((basexx.from_url64(str:sub(1,dotFirst-1))))
+  local header, err = json_safe.decode((basexx.from_url64(str:sub(1,dotFirst-1))))
+  if (header == nil) then return nil, err end
 
   return getJwt(header):decode(header, str, options)
 end

src/jwt/jws.lua

@@ -73,12 +73,26 @@ function data:decode(header, str, options)
 
   local message = basexx.from_url64(bodyStr)
   if signature then
-    if not self.verify[header.alg](rawHeader.."."..bodyStr, signature, options.keys.public) then
-      return nil, "Invalid token"
+    if not self.verify[header.alg](rawHeader.."."..bodyStr, string.lower(basexx.to_hex(signature)), options.keys.public) then
+      return nil, "Token Invalid"
+    end
+  end
+
+  local decoded_message = json.decode(message)
+
+  if decoded_message.nbf ~= nil then
+    if math.floor(ngx.now()) < decoded_message.nbf then
+      return nil, "Token not yet valid"
+    end
+  end
+
+  if decoded_message.exp ~= nil then
+    if math.floor(ngx.now()) > decoded_message.exp then
+      return nil, "Token expired"
     end
   end
 
-  return json.decode(message)
+  return decoded_message
 end
 
 return data