feat: allow making exp claim required (#351)

Author: tareksha

parser_option.go

@@ -58,6 +58,14 @@ func WithIssuedAt() ParserOption {
  }
 }
 
+// WithExpirationRequired returns the ParserOption to make exp claim required.
+// By default exp claim is optional.
+funcWithExpirationRequired() ParserOption {
+returnfunc(p*Parser) {
+p.validator.requireExp=true
+ }
+}
+
 // WithAudience configures the validator to require the specified audience in
 // the `aud` claim. Validation will fail if the audience is not listed in the
 // token or the `aud` claim is missing.

parser_test.go

@@ -423,6 +423,16 @@ var jwtTestData = []struct {
 jwt.NewParser(jwt.WithLeeway(2*time.Minute)),
 jwt.SigningMethodRS256,
  },
+ {
+"rejects if exp is required but missing",
+"", // autogen
+defaultKeyFunc,
+&jwt.RegisteredClaims{},
+false,
+ []error{jwt.ErrTokenInvalidClaims},
+jwt.NewParser(jwt.WithExpirationRequired()),
+jwt.SigningMethodRS256,
+ },
 }
 
 // signToken creates and returns a signed JWT token using signingMethod.

validator.go

@@ -42,6 +42,9 @@ type validator struct {
 // validation. If unspecified, this defaults to time.Now.
 timeFuncfunc() time.Time
 
+// requireExp specifies whether the exp claim is required
+requireExpbool
+
 // verifyIat specifies whether the iat (Issued At) claim will be verified.
 // According to https://www.rfc-editor.org/rfc/rfc7519#section-4.1.6 this
 // only specifies the age of the token, but no validation check is
@@ -86,8 +89,9 @@ func (v *validator) Validate(claims Claims) error {
  }
 
 // We always need to check the expiration time, but usage of the claim
-// itself is OPTIONAL.
-iferr=v.verifyExpiresAt(claims, now, false); err!=nil {
+// itself is OPTIONAL by default. requireExp overrides this behavior
+// and makes the exp claim mandatory.
+iferr=v.verifyExpiresAt(claims, now, v.requireExp); err!=nil {
 errs=append(errs, err)
  }