Add "iat" claim to token (jazzband#192)

mizvyt · mizvyt · web-flow · commit 7759aa810942 · 2021-10-01T00:37:46.000-04:00
Co-authored-by: mizvyt &lt;vytautas@anqlave.co&gt;
diff --git a/rest_framework_simplejwt/serializers.py b/rest_framework_simplejwt/serializers.py
@@ -117,6 +117,7 @@ def validate(self, attrs):
 
             refresh.set_jti()
             refresh.set_exp()
+            refresh.set_iat()
 
             data['refresh'] = str(refresh)
 
@@ -133,8 +134,9 @@ def validate(self, attrs):
         # passed
         token.check_exp(api_settings.SLIDING_TOKEN_REFRESH_EXP_CLAIM)
 
-        # Update the "exp" claim
+        # Update the "exp" and "iat" claims
         token.set_exp()
+        token.set_iat()
 
         return {'token': str(token)}
 
diff --git a/rest_framework_simplejwt/tokens.py b/rest_framework_simplejwt/tokens.py
@@ -50,8 +50,9 @@ def __init__(self, token=None, verify=True):
             # New token.  Skip all the verification steps.
             self.payload = {api_settings.TOKEN_TYPE_CLAIM: self.token_type}
 
-            # Set "exp" claim with default value
+            # Set "exp" and "iat" claims with default value
             self.set_exp(from_time=self.current_time, lifetime=self.lifetime)
+            self.set_iat(at_time=self.current_time)
 
             # Set "jti" claim
             self.set_jti()
@@ -124,6 +125,9 @@ def set_jti(self):
     def set_exp(self, claim='exp', from_time=None, lifetime=None):
         """
         Updates the expiration time of a token.
+
+        See here:
+        https://tools.ietf.org/html/rfc7519#section-4.1.4
         """
         if from_time is None:
             from_time = self.current_time
@@ -133,6 +137,18 @@ def set_exp(self, claim='exp', from_time=None, lifetime=None):
 
         self.payload[claim] = datetime_to_epoch(from_time + lifetime)
 
+    def set_iat(self, claim='iat', at_time=None):
+        """
+        Updates the time at which the token was issued.
+
+        See here:
+        https://tools.ietf.org/html/rfc7519#section-4.1.6
+        """
+        if at_time is None:
+            at_time = self.current_time
+
+        self.payload[claim] = datetime_to_epoch(at_time)
+
     def check_exp(self, claim='exp', current_time=None):
         """
         Checks whether a timestamp value in the given claim has passed (since
diff --git a/tests/test_tokens.py b/tests/test_tokens.py
@@ -60,8 +60,9 @@ def test_init_no_token_given(self):
         self.assertEqual(t.current_time, now)
         self.assertIsNone(t.token)
 
-        self.assertEqual(len(t.payload), 3)
-        self.assertEqual(t.payload['exp'], datetime_to_epoch(now + MyToken.lifetime))
+        self.assertEqual(len(t.payload), 4)
+        self.assertEqual(t.payload['exp'], datetime_to_epoch(now + MyToken.lifetime)) 
+        self.assertEqual(t.payload['iat'], datetime_to_epoch(now))
         self.assertIn('jti', t.payload)
         self.assertEqual(t.payload[api_settings.TOKEN_TYPE_CLAIM], MyToken.token_type)
 
@@ -88,9 +89,10 @@ def test_init_token_given(self):
         self.assertEqual(t.current_time, now)
         self.assertEqual(t.token, encoded_good_token)
 
-        self.assertEqual(len(t.payload), 4)
+        self.assertEqual(len(t.payload), 5)
         self.assertEqual(t['some_value'], 'arst')
         self.assertEqual(t['exp'], datetime_to_epoch(original_now + MyToken.lifetime))
+        self.assertEqual(t['iat'], datetime_to_epoch(original_now))
         self.assertEqual(t[api_settings.TOKEN_TYPE_CLAIM], MyToken.token_type)
         self.assertIn('jti', t.payload)
 
@@ -169,6 +171,7 @@ def test_str(self):
         # content.
         del token[api_settings.TOKEN_TYPE_CLAIM]
         del token['jti']
+        del token['iat']
 
         # Should encode the given token
         encoded_token = str(token)
@@ -236,6 +239,21 @@ def test_set_exp(self):
         self.assertIn('refresh_exp', token)
         self.assertEqual(token['refresh_exp'], datetime_to_epoch(now + timedelta(days=1)))
 
+    def test_set_iat(self):
+        now = make_utc(datetime(year=2000, month=1, day=1))
+
+        token = MyToken()
+        token.current_time = now
+
+        # By default, should add 'iat' claim to token using `self.current_time`
+        token.set_iat()
+        self.assertEqual(token['iat'], datetime_to_epoch(now))
+
+        # Should allow overriding of time and claim name
+        token.set_iat(claim='refresh_iat', at_time=now + timedelta(days=1))
+        self.assertIn('refresh_iat', token)
+        self.assertEqual(token['refresh_iat'], datetime_to_epoch(now + timedelta(days=1)))
+
     def test_check_exp(self):
         token = MyToken()
 
