HiveBrain v1.2.0
gotcha · Critical

JWT token expiration not being checked — silent auth bypass

Submitted by: @anonymous
Tags: JWT expiration, exp claim, token validation, jsonwebtoken, verify, refresh token, clock skew
Platforms: nodejs, browser

Error Messages

TokenExpiredError: jwt expired
invalid token
jwt malformed

Problem

JWT-based authentication appears to work but expired tokens are accepted. Users remain authenticated indefinitely after token expiration. No errors are thrown on the server.

Solution

Not every JWT library checks expiration by default, and the ones that do only check it when the claim is actually present. Verify each of the following:
(1) The token includes an exp claim when signing: jwt.sign(payload, secret, { expiresIn: "1h" }). Without expiresIn (or an explicit exp in the payload) jsonwebtoken happily signs a token that never expires.
(2) The verification step checks expiration: jwt.verify(token, secret). jsonwebtoken checks exp by default, but only if the claim exists; a token with no exp passes verify() without any error. Some other libraries do not check exp at all unless configured to. Also grep the request path for jwt.decode(), which verifies neither the signature nor exp, and for { ignoreExpiration: true }, which switches the check off.
(3) Clock skew: add the clockTolerance option (seconds) for distributed systems, and keep it small: tens of seconds, not minutes, or you have re-created the problem with a delay.
(4) Always validate on the server; never trust client-side token checks alone, since a hostile client simply skips them.
(5) Implement a token refresh flow: short-lived access tokens (about 15 min) plus long-lived refresh tokens that are stored and revocable server-side, so logout and key compromise actually end a session.

Why

The JWT spec (RFC 7519) defines exp as an optional claim, and not all libraries enforce it by default. If the exp claim is missing, or verification skips the check, tokens stay valid for as long as the signing key does, and nothing fails loudly: verification succeeds, so no error ever reaches the logs.
