fix(jwt): handle kubeconfig with no expiry [EE-7044] (#11710)

Co-authored-by: testa113 <testa113>
2024-04-30 09:22:45 +12:00 · 2024-04-30 09:22:45 +12:00 · 7479302043
parent 10d20e5963
commit 7479302043
2 changed files with 12 additions and 9 deletions
--- a/api/jwt/jwt.go
+++ b/api/jwt/jwt.go
@ -123,7 +123,7 @@ func (service *Service) ParseAndVerifyToken(token string) (*portainer.TokenData,
 			if err != nil {
 				return nil, errInvalidJWTToken
 			}
-			if user.TokenIssueAt > cl.RegisteredClaims.ExpiresAt.Unix() {
+			if user.TokenIssueAt > cl.RegisteredClaims.IssuedAt.Unix() {
 				return nil, errInvalidJWTToken
 			}

@ -181,13 +181,15 @@ func (service *Service) generateSignedToken(data *portainer.TokenData, expiresAt
 		Role:                int(data.Role),
 		Scope:               scope,
 		ForceChangePassword: data.ForceChangePassword,
+		RegisteredClaims: jwt.RegisteredClaims{
+			IssuedAt:  jwt.NewNumericDate(time.Now()),
+			ExpiresAt: jwt.NewNumericDate(expiresAt),
+		},
 	}

-	if !expiresAt.IsZero() {
-		cl.RegisteredClaims = jwt.RegisteredClaims{
-			ExpiresAt: jwt.NewNumericDate(expiresAt),
-			IssuedAt:  jwt.NewNumericDate(time.Now()),
-		}
+	// If expiresAt is set to a zero value, the token should never expire
+	if expiresAt.IsZero() {
+		cl.RegisteredClaims.ExpiresAt = nil
 	}

 	token := jwt.NewWithClaims(jwt.SigningMethodHS256, cl)
--- a/api/jwt/jwt_kubeconfig.go
+++ b/api/jwt/jwt_kubeconfig.go
@ -18,9 +18,10 @@ func (service *Service) GenerateTokenForKubeconfig(data *portainer.TokenData) (s
 		return "", err
 	}

-	expiryAt := time.Now().Add(expiryDuration)
-	if expiryDuration == time.Duration(0) {
-		expiryAt = time.Time{}
+	// https://go.dev/play/p/bOrt6cQpA0I time.Time defaults to a zero value which is 0001-01-01 00:00:00 +0000 UTC
+	var expiryAt time.Time
+	if expiryDuration > time.Duration(0) {
+		expiryAt = time.Now().Add(expiryDuration)
 	}

 	return service.generateSignedToken(data, expiryAt, kubeConfigScope)