fix: prevent sending expired tokens (#437)

code does a quick check on the exp of a token to prevent it from being sent to realtime

Author: filipecabaco

package-lock.json

@@ -41,7 +41,7 @@
     "@supabase/node-fetch": "^2.6.14",
     "@types/phoenix": "^1.5.4",
     "@types/ws": "^8.5.10",
-    "ws": "^8.14.2"
+    "ws": "^8.18.0"
   },
   "devDependencies": {
     "@arethetypeswrong/cli": "^0.16.2",
@@ -51,6 +51,7 @@
     "esm": "^3.2.25",
     "jsdom": "^16.7.0",
     "jsdom-global": "3.0.0",
+    "jsonwebtoken": "^9.0.2",
     "mock-socket": "^9.0.3",
     "npm-run-all": "^4.1.5",
     "nyc": "^15.1.0",
@@ -62,4 +63,4 @@
     "vitest": "^2.0.5",
     "web-worker": "1.2.0"
   }
-}
+}

package.json

@@ -335,6 +335,24 @@ export default class RealtimeClient {
    * @param token A JWT string.
    */
   setAuth(token: string | null): void {
+    if (token) {
+      let parsed = null
+      try {
+        parsed = JSON.parse(atob(token.split('.')[1]))
+      } catch (_error) {}
+      if (parsed && parsed.exp) {
+        let now = Math.floor(Date.now() / 1000)
+        let valid = now - parsed.exp < 0
+        if (!valid) {
+          this.log(
+            'auth',
+            `provided token has expired, not sending it to realtime`
+          )
+          return
+        }
+      }
+    }
+
     this.accessToken = token
 
     this.channels.forEach((channel) => {