jwt exp claim is type string

[holdenhinkle]

Hello,

The jwt exp claim is type string when it should be an integer:

See https://www.rfc-editor.org/rfc/rfc7519.html#section-4.1.4

Its value MUST be a number containing a NumericDate value. Use of this claim is OPTIONAL.

Here's an example:

{
"exp": "1736872433",
"iat": 1736870633,
"nbf": 1736870628,
"user": {
"id": "a0dffd14-a3c1-4a73-947c-9373440cf57f",
"name": "holden",
"status": 2,
"loggedIn": false,
"role": "user",
"authenticatedBy": null
}
}

In searching for a way to "fix" this I've seen several other people post decoded rodauth JWTs where the exp value type is also string (they were not posting because of this issue.)

What's strange, is I've confirmed exp is being set as an integer:

From: #jwt_session_hash:

    24: jwt_session_hash do
    25:   hash = super() # Let Rodauth set up its default session structure
 => 26:   binding.pry
    27:   if account.present?
    28:     user = ::Account.find(account_id)
    29:     profile = user.profile
    30: 
    31:     hash[:user] = {
    32:       id: user[:id],
    33:       name: profile.name,
    34:       status: user.status_before_type_cast,
    35:       loggedIn:  logged_in?.present?, # logged_in? returns a String or nil,
    36:       role: profile.role,
    37:       authenticatedBy: session[:authenticated_by]  # this is an Array or nil
    38:       # permissions,
    39:     }
    40:   end
    41: 
    42:   hash
    43: end

[1] pry(#<RodauthApi>)> hash
=> {:exp=>30 minutes and 1736825007 seconds, :iat=>1736825007, :nbf=>1736825002}
[2] pry(#<RodauthApi>)> hash[:exp].instance_of?(Integer)
=> true

But later, when I decode it, it's string:

 45: session_jwt do
    46:   token = super()
    47:   # decode it immediately, using the same secret/algorithm
    48:   data = JWT.decode(token, hmac_secret, true, { algorithm: "HS256" }).first
 => 49:   binding.pry
    50:   Rails.logger.info "***** session_jwt payload: #{data.inspect}"
    51:   token
    52: end

[1] pry(#<RodauthApi>)> data
=> {"exp"=>"1736828864",
 "iat"=>1736827064,
 "nbf"=>1736827059,
 "user"=>
  {"id"=>"a0dffd14-a3c1-4a73-947c-9373440cf57f",
   "name"=>"holden",
   "status"=>2,
   "loggedIn"=>false,
   "role"=>"user",
   "authenticatedBy"=>nil}}

I need a "fix" for this because Jose says the jwt is invalid due to this issue. I can't use jsonwebtoken for various reasons.

Any insight into this issue would be greatly appreciated!

Oh, I'm using the rodauth-rails gem.

Thanks for creating such a wonderful authentication gem!

[jeremyevans]

Can you reproduce this without rodauth-rails? If so, please provide a minimal self-contained reproducible example and I will look into it.

[holdenhinkle]

Thanks for your fast response Jeremy.

The issue is not with rodauth.

Here's an example of a decoded jwt when using just rodauth:

  "exp": 1736886311,
  "iat": 1736884511,
  "nbf": 1736884506
}

And a pry session inspecting exp:

    21: jwt_session_hash do
    22:   hash = super() # Let Rodauth set up its default session structure
 => 23:   binding.pry
    24:   hash
    25: end

[1] pry(#<#<Class:0x000000011b65d710>>)> hash
=> {:exp=>1736896586, :iat=>1736894786, :nbf=>1736894781}
[2] pry(#<#<Class:0x000000011b65d710>>)> hash[:exp].is_a?(Integer)
=> true

I noticed that the :exp values look different between rodauth and rodauth-rails:

rodauth:
:exp=>1736896586

rodauth-rails:
:exp=>30 minutes and 1736825007 seconds

I'm going to create a minimal rails app with rodauth-rails tonight to see if I can recreate my issue. I don't want to use my current rails app because it has a number of gems installed.

I'll report back.

Thanks again!

[holdenhinkle]

I found the issue. It has nothing to do with rodauth or rodauth-rails. The issue lies with setting jwt_access_token_period to 30.minutes.

Rails’ ActiveSupport::Duration (30.minutes) converts durations into objects that, when serialized, seems to produce strings instead of integers in JSON contexts.

• 30.minutes in Rails returns an ActiveSupport::Duration object.
• When serialized (e.g., in Rodauth’s JWT payload), Rails converts it to a string format instead of keeping it as a raw number

To test this:

rails console
duration = 30.minutes
puts duration.class
=> ActiveSupport::Duration

require 'json'

duration = 30.minutes
json_output = JSON.dump({ duration: duration })
puts json_output
=> {"duration":"1800.0"}

Thanks again for getting back to me so quickly, Jeremy!

[holdenhinkle]

I forgot to say, the fix is to just call #to_i on 30.minutes:

jwt_access_token_period 30.minutes.to_i