Check if token expired in MiddlewareFunc

README.md

@@ -155,10 +155,11 @@ func main() {
 	})
 
 	auth := r.Group("/auth")
+	// Refresh time can be longer than token timeout
+	auth.GET("/refresh_token", authMiddleware.RefreshHandler)
 	auth.Use(authMiddleware.MiddlewareFunc())
 	{
 		auth.GET("/hello", helloHandler)
-		auth.GET("/refresh_token", authMiddleware.RefreshHandler)
 	}
 
 	if err := http.ListenAndServe(":"+port, r); err != nil {

auth_jwt.go

@@ -37,7 +37,7 @@ type GinJWTMiddleware struct {
 
 	// This field allows clients to refresh their token until MaxRefresh has passed.
 	// Note that clients can refresh their token in the last moment of MaxRefresh.
-	// This means that the maximum validity timespan for a token is MaxRefresh + Timeout.
+	// This means that the maximum validity timespan for a token is TokenTime + MaxRefresh.
 	// Optional, defaults to 0 meaning not refreshable.
 	MaxRefresh time.Duration
 
@@ -336,6 +336,11 @@ func (mw *GinJWTMiddleware) middlewareImpl(c *gin.Context) {
 		return
 	}
 
+	if int64(claims["exp"].(float64)) < mw.TimeFunc().Unix() {
+		mw.unauthorized(c, http.StatusUnauthorized, mw.HTTPStatusMessageFunc(ErrExpiredToken, c))
+		return
+	}
+
 	c.Set("JWT_PAYLOAD", claims)
 	identity := mw.IdentityHandler(c)
 
@@ -454,7 +459,7 @@ func (mw *GinJWTMiddleware) RefreshHandler(c *gin.Context) {
 func (mw *GinJWTMiddleware) RefreshToken(c *gin.Context) (string, time.Time, error) {
 	claims, err := mw.CheckIfTokenExpire(c)
 	if err != nil {
-		return "", time.Now(), ErrExpiredToken
+		return "", time.Now(), err
 	}
 
 	// Create the token

auth_jwt_test.go

@@ -156,10 +156,11 @@ func ginHandler(auth *GinJWTMiddleware) *gin.Engine {
 	r.POST("/login", auth.LoginHandler)
 
 	group := r.Group("/auth")
+	// Refresh time can be longer than token timeout
+	group.GET("/refresh_token", auth.RefreshHandler)
 	group.Use(auth.MiddlewareFunc())
 	{
 		group.GET("/hello", helloHandler)
-		group.GET("/refresh_token", auth.RefreshHandler)
 	}
 
 	return r
@@ -979,3 +980,55 @@ func TestSendAuthorizationBool(t *testing.T) {
 			assert.Equal(t, http.StatusOK, r.Code)
 		})
 }
+
+func TestExpiredTokenOnAuth(t *testing.T) {
+	// the middleware to test
+	authMiddleware, _ := New(&GinJWTMiddleware{
+		Realm:             "test zone",
+		Key:               key,
+		Timeout:           time.Hour,
+		MaxRefresh:        time.Hour * 24,
+		Authenticator:     defaultAuthenticator,
+		SendAuthorization: true,
+		Authorizator: func(data interface{}, c *gin.Context) bool {
+			return data.(string) == "admin"
+		},
+		TimeFunc: func() time.Time {
+			return time.Now().AddDate(0, 0, 1)
+		},
+	})
+
+	handler := ginHandler(authMiddleware)
+
+	r := gofight.New()
+
+	r.GET("/auth/hello").
+		SetHeader(gofight.H{
+			"Authorization": "Bearer " + makeTokenString("HS256", "admin"),
+		}).
+		Run(handler, func(r gofight.HTTPResponse, rq gofight.HTTPRequest) {
+			assert.Equal(t, http.StatusUnauthorized, r.Code)
+		})
+}
+
+func TestBadTokenOnRefreshHandler(t *testing.T) {
+	// the middleware to test
+	authMiddleware, _ := New(&GinJWTMiddleware{
+		Realm:         "test zone",
+		Key:           key,
+		Timeout:       time.Hour,
+		Authenticator: defaultAuthenticator,
+	})
+
+	handler := ginHandler(authMiddleware)
+
+	r := gofight.New()
+
+	r.GET("/auth/refresh_token").
+		SetHeader(gofight.H{
+			"Authorization": "Bearer " + "BadToken",
+		}).
+		Run(handler, func(r gofight.HTTPResponse, rq gofight.HTTPRequest) {
+			assert.Equal(t, http.StatusUnauthorized, r.Code)
+		})
+}

example/basic/server.go

@@ -127,10 +127,11 @@ func main() {
 	})
 
 	auth := r.Group("/auth")
+	// Refresh time can be longer than token timeout
+	auth.GET("/refresh_token", authMiddleware.RefreshHandler)
 	auth.Use(authMiddleware.MiddlewareFunc())
 	{
 		auth.GET("/hello", helloHandler)
-		auth.GET("/refresh_token", authMiddleware.RefreshHandler)
 	}
 
 	if err := http.ListenAndServe(":"+port, r); err != nil {