Adjust jwt expiry error messages (#634)

guyp-descope · web-flow · commit b07e69b96c7f · 2025-08-17T17:14:10.000+03:00
* Adjust jwt expiry error messages

* fix test
diff --git a/descope/auth.py b/descope/auth.py
@@ -637,11 +637,17 @@ def _validate_token(
                 audience=audience,
                 leeway=self.jwt_validation_leeway,
             )
-        except (ImmatureSignatureError, ExpiredSignatureError):
+        except (ImmatureSignatureError):
             raise AuthException(
                 400,
                 ERROR_TYPE_INVALID_TOKEN,
-                "Received Invalid token times error due to time glitch (between machines) during jwt validation, try to set the jwt_validation_leeway parameter (in DescopeClient) to higher value than 5sec which is the default",
+                "Received Invalid token (nbf in future) during jwt validation. Error can be due to time glitch (between machines), try to set the jwt_validation_leeway parameter (in DescopeClient) to higher value than 5sec which is the default",
+            )
+        except (ExpiredSignatureError):
+            raise AuthException(
+                401,
+                ERROR_TYPE_INVALID_TOKEN,
+                "Received expired token (exp in past) during jwt validation. (sometimes can be due to time glitch (between machines), try to set the jwt_validation_leeway parameter (in DescopeClient) to higher value than 5sec which is the default)",
             )
 
         claims["jwt"] = token
diff --git a/tests/test_descope_client.py b/tests/test_descope_client.py
@@ -824,7 +824,7 @@ def test_jwt_validation_leeway(self):
         self.assertEqual(cm.exception.status_code, 400)
         self.assertEqual(
             cm.exception.error_message,
-            "Received Invalid token times error due to time glitch (between machines) during jwt validation, try to set the jwt_validation_leeway parameter (in DescopeClient) to higher value than 5sec which is the default",
+            "Received Invalid token (nbf in future) during jwt validation. Error can be due to time glitch (between machines), try to set the jwt_validation_leeway parameter (in DescopeClient) to higher value than 5sec which is the default",
         )
 
     def test_select_tenant(self):

Original file line number	Diff line number	Diff line change
`@@ -824,7 +824,7 @@ def test_jwt_validation_leeway(self):`
`824`	`824`	`self.assertEqual(cm.exception.status_code, 400)`
`825`	`825`	`self.assertEqual(`
`826`	`826`	`cm.exception.error_message,`
`827`		`- "Received Invalid token times error due to time glitch (between machines) during jwt validation, try to set the jwt_validation_leeway parameter (in DescopeClient) to higher value than 5sec which is the default",`
	`827`	`+ "Received Invalid token (nbf in future) during jwt validation. Error can be due to time glitch (between machines), try to set the jwt_validation_leeway parameter (in DescopeClient) to higher value than 5sec which is the default",`
`828`	`828`	`)`
`829`	`829`
`830`	`830`	`def test_select_tenant(self):`