fix(jwt): handle kubeconfig with no expiry [EE-7044] (#11710)

Co-authored-by: testa113 <testa113>
2024-04-30 09:22:45 +12:00 · 2024-04-30 09:22:45 +12:00 · 7479302043
parent 10d20e5963
commit 7479302043
2 changed files with 12 additions and 9 deletions
--- a/api/jwt/jwt.go
+++ b/api/jwt/jwt.go
@ -123,7 +123,7 @@ func (service *Service) ParseAndVerifyToken(token string) (*portainer.TokenData,
 			if err != nil {
 				return nil, errInvalidJWTToken
 			}
-			if user.TokenIssueAt > cl.RegisteredClaims.ExpiresAt.Unix() {
+			if user.TokenIssueAt > cl.RegisteredClaims.IssuedAt.Unix() {
 				return nil, errInvalidJWTToken
 			}
@ -181,13 +181,15 @@ func (service *Service) generateSignedToken(data *portainer.TokenData, expiresAt
 		Role:                int(data.Role),
 		Scope:               scope,
 		ForceChangePassword: data.ForceChangePassword,
 		RegisteredClaims: jwt.RegisteredClaims{
 			IssuedAt:  jwt.NewNumericDate(time.Now()),
 			ExpiresAt: jwt.NewNumericDate(expiresAt),
 		},
 	}
-	if !expiresAt.IsZero() {
+	// If expiresAt is set to a zero value, the token should never expire
-		cl.RegisteredClaims = jwt.RegisteredClaims{
+	if expiresAt.IsZero() {
-			ExpiresAt: jwt.NewNumericDate(expiresAt),
+		cl.RegisteredClaims.ExpiresAt = nil
 			IssuedAt:  jwt.NewNumericDate(time.Now()),
 		}
 	}
 	token := jwt.NewWithClaims(jwt.SigningMethodHS256, cl)
--- a/api/jwt/jwt_kubeconfig.go
+++ b/api/jwt/jwt_kubeconfig.go
@ -18,9 +18,10 @@ func (service *Service) GenerateTokenForKubeconfig(data *portainer.TokenData) (s
 		return "", err
 	}
-	expiryAt := time.Now().Add(expiryDuration)
+	// https://go.dev/play/p/bOrt6cQpA0I time.Time defaults to a zero value which is 0001-01-01 00:00:00 +0000 UTC
-	if expiryDuration == time.Duration(0) {
+	var expiryAt time.Time
-		expiryAt = time.Time{}
+	if expiryDuration > time.Duration(0) {
 		expiryAt = time.Now().Add(expiryDuration)
 	}
 	return service.generateSignedToken(data, expiryAt, kubeConfigScope)