Open
Description
Summary
During security edge case testing, it was discovered that the server does not validate the JWT nbf (not before) claim. Tokens with a future nbf timestamp are accepted.
Current Behavior
Tokens with an `nbf` claim set to a future time are accepted and processed normally.
Expected Behavior
Tokens should be rejected with 401 Unauthorized if the current time is before the nbf claim value.
Security Impact
Low-Medium: While this is generally low risk since tokens are still validated for expiration (exp), proper nbf validation is a defense-in-depth measure that prevents early use of tokens that may have been generated in advance.
Technical Details
- Location: JWT validation in Micronaut Security
- Test Reference: `SecurityEdgeCasesTest.tokenNotYetValid_documentsNbfBehavior()`
- Configuration: May require enabling nbf validation in Micronaut JWT configuration
Suggested Fix
Enable nbf claim validation in the Micronaut security configuration. This may involve:
- Adding `token.jwt.claims.nbf.validate: true` or similar configuration
- Or implementing a custom claim validator
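As an added illustration that is not part of this issue or of Micronaut Security, the following standalone Python check implements the behaviour the Expected Behavior section asks for: after the signature and `exp` checks, a token whose `nbf` lies in the future (beyond a small clock-skew allowance) is rejected, while a missing `nbf` is still allowed because RFC 7519 makes the claim optional. The secret, the tokens and `LEEWAY_SECONDS` are constructed values assumed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example secret and skew allowance; not values from the project.
SECRET = b"constructed-example-secret"
LEEWAY_SECONDS = 60  # tolerated clock skew between issuer and verifier


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict) -> str:
    """Build an HS256 JWT so the example can run offline without a real issuer."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def validate(token: str, now=None):
    """Return (accepted, reason). Checks signature, then exp, then nbf (RFC 7519 4.1.4/4.1.5)."""
    now = time.time() if now is None else now
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return False, "malformed token"
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return False, "bad signature"
    claims = json.loads(b64url_decode(payload))
    exp = claims.get("exp")
    if exp is not None and (not isinstance(exp, (int, float)) or now > exp + LEEWAY_SECONDS):
        return False, "token expired"
    # The missing check from the issue: reject tokens that are not yet valid.
    nbf = claims.get("nbf")
    if nbf is not None and (not isinstance(nbf, (int, float)) or now < nbf - LEEWAY_SECONDS):
        return False, "token not yet valid (nbf in the future)"
    return True, "ok"
```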
Labels
- security
- enhancement