Relax the timestamp check for invalid_before

Apply the time tolerance to `invalid_before` the same way we do
it for expiration.

Author: jedisct1

Cargo.toml

@@ -15,7 +15,7 @@ readme = "README.md"
 anyhow = "1.0.69"
 binstring = "0.1.1"
 ciborium = { version = "0.2.0", optional = true }
-coarsetime = "0.1.22"
+coarsetime = "0.1.23"
 ct-codecs = "1.1.1"
 ed25519-compact = { version = "2.0.4", features = ["pem"] }
 hmac-sha1-compact = "1.1.3"

README.md

@@ -14,6 +14,8 @@
     - [Token verification](#token-verification)
   - [Signatures (asymmetric, `RS*`, `PS*`, `ES*` and `EdDSA` algorithms) example](#signatures-asymmetric-rs-ps-es-and-eddsa-algorithms-example)
     - [Key pairs and tokens creation](#key-pairs-and-tokens-creation)
+      - [ES256](#es256)
+      - [ES384](#es384)
   - [Advanced usage](#advanced-usage)
     - [Custom claims](#custom-claims)
     - [Peeking at metadata before verification](#peeking-at-metadata-before-verification)
@@ -113,11 +115,12 @@ Extra verification steps can optionally be enabled via the `ValidationOptions` s
 let mut options = VerificationOptions::default();
 // Accept tokens that will only be valid in the future
 options.accept_future = true;
-// accept tokens even if they have expired up to 15 minutes after the deadline
+// Accept tokens even if they have expired up to 15 minutes after the deadline,
+// and/or they will be valid within 15 minutes.
 options.time_tolerance = Some(Duration::from_mins(15));
-// reject tokens if they were issued more than 1 hour ago
+// Reject tokens if they were issued more than 1 hour ago
 options.max_validity = Some(Duration::from_hours(1));
-// reject tokens if they don't include an issuer from that set
+// Reject tokens if they don't include an issuer from that set
 options.allowed_issuers = Some(HashSet::from_strings(&["example app"]));
 
 // see the documentation for the full list of available options

src/claims.rs

@@ -190,7 +190,7 @@ impl<CustomClaims> JWTClaims<CustomClaims> {
         }
         if !options.accept_future {
             if let Some(invalid_before) = self.invalid_before {
-                ensure!(now >= invalid_before, JWTError::TokenNotValidYet);
+                ensure!(now + time_tolerance >= invalid_before, JWTError::TokenNotValidYet);
             }
         }
         if let Some(expires_at) = self.expires_at {

src/common.rs

@@ -39,7 +39,7 @@ pub struct VerificationOptions {
     /// Require the audience to be present in the set
     pub allowed_audiences: Option<HashSet<String>>,
 
-    /// Time tolerance for validating expiration dates
+    /// How much clock drift to tolerate when verifying token timestamps
     pub time_tolerance: Option<Duration>,
 
     /// Reject tokens created more than `max_validity` ago

src/lib.rs

@@ -119,13 +119,14 @@
 //! let mut options = VerificationOptions::default();
 //! // Accept tokens that will only be valid in the future
 //! options.accept_future = true;
-//! // accept tokens even if they have expired up to 15 minutes after the deadline
+//! // Accept tokens even if they have expired up to 15 minutes after the deadline
+//! // and/or they will be valid within 15 minutes.
 //! options.time_tolerance = Some(Duration::from_mins(15));
-//! // reject tokens if they were issued more than 1 hour ago
+//! // Reject tokens if they were issued more than 1 hour ago
 //! options.max_validity = Some(Duration::from_hours(1));
-//! // reject tokens if they don't include an issuer from that list
+//! // Reject tokens if they don't include an issuer from that list
 //! options.allowed_issuers = Some(HashSet::from_strings(&["example app"]));
-//! // see the documentation for the full list of available options
+//! // See the documentation for the full list of available options
 //!
 //! let claims = key.verify_token::<NoCustomClaims>(&token, Some(options))?;
 //! # Ok(()) }