C#•15mo ago

❔ JWT still being accepted after it expires in web API

private string GenerateToken()
{
    var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_configuration["JwtSettings:Key"]!));
    var credentials = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);
    var claims = new[]
    {
        new Claim("admin", "true")
    };
    var token = new JwtSecurityToken
    (
        _configuration["JwtSettings:Issuer"],
        _configuration["JwtSettings:Audience"],
        claims,
        expires: DateTime.UtcNow.AddSeconds(15),
        signingCredentials: credentials
    );

    return new JwtSecurityTokenHandler().WriteToken(token);
}

private string GenerateToken()
{
    var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_configuration["JwtSettings:Key"]!));
    var credentials = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);
    var claims = new[]
    {
        new Claim("admin", "true")
    };
    var token = new JwtSecurityToken
    (
        _configuration["JwtSettings:Issuer"],
        _configuration["JwtSettings:Audience"],
        claims,
        expires: DateTime.UtcNow.AddSeconds(15),
        signingCredentials: credentials
    );

    return new JwtSecurityTokenHandler().WriteToken(token);
}

builder.Services.AddAuthentication(x =>
{
    x.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
    x.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
    x.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
}).AddJwtBearer(options =>
{
    options.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuer = true,
        ValidateAudience = true,
        ValidateLifetime = true,
        ValidateIssuerSigningKey = true,
        ValidIssuer = config["JwtSettings:Issuer"],
        ValidAudience = config["JwtSettings:Audience"],
        IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(config["JwtSettings:Key"]!))
    };
});

builder.Services.AddAuthentication(x =>
{
    x.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
    x.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
    x.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
}).AddJwtBearer(options =>
{
    options.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuer = true,
        ValidateAudience = true,
        ValidateLifetime = true,
        ValidateIssuerSigningKey = true,
        ValidIssuer = config["JwtSettings:Issuer"],
        ValidAudience = config["JwtSettings:Audience"],
        IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(config["JwtSettings:Key"]!))
    };
});

This is the endpoint that requires the JWT

[Authorize]
[HttpGet("List")]
public async Task<IActionResult> List()
{
    var result = _gameService.GetAllGameStateRecords();

    return result.IsDefined(out var gameStateRecords) 
        ? Ok(gameStateRecords)
        : StatusCode(500, result);
}

[Authorize]
[HttpGet("List")]
public async Task<IActionResult> List()
{
    var result = _gameService.GetAllGameStateRecords();

    return result.IsDefined(out var gameStateRecords) 
        ? Ok(gameStateRecords)
        : StatusCode(500, result);
}

After 15 seconds, as long as I keep the Authorization header with the JWT, the endpoint doesn't 401 me

2 Replies

Uchuu•15mo ago

The exp seems to be correct But it is now well passed that time and I can still use this token Oh shit wait The minium JWT expiration is 5 mionuites?

Accord•15mo ago

Looks like nothing has happened here. I will mark this as stale and this post will be archived until there is new activity.

Gaming

Programming

❔ JWT still being accepted after it expires in web API