fix: issuance and expiration sometimes used milliseconds instead of seconds

Author: nklomp

packages/callback-example/lib/__tests__/issuerCallback.spec.ts

@@ -37,7 +37,7 @@ async function proofOfPossessionCallbackFunction(args: Jwt, kid?: string): Promi
   }
   return await new jose.SignJWT({ ...args.payload })
     .setProtectedHeader({ ...args.header })
-    .setIssuedAt(+new Date())
+    .setIssuedAt(args.payload.iat ?? Math.round(+new Date()/1000))
     .setIssuer(kid)
     .setAudience(args.payload.aud)
     .setExpirationTime('2h')

packages/client/lib/__tests__/ProofOfPossessionBuilder.spec.ts

@@ -9,7 +9,7 @@ import { IDENTIPROOF_ISSUER_URL } from './MetadataMocks';
 
 const jwt: Jwt = {
   header: { alg: Alg.ES256, kid: 'did:example:ebfeb1f712ebc6f1c276e12ec21/keys/1', typ: 'jwt' },
-  payload: { iss: 'sphereon:wallet', nonce: 'tZignsnFbp', jti: 'tZignsnFbp223', aud: IDENTIPROOF_ISSUER_URL, iat: Date.now() },
+  payload: { iss: 'sphereon:wallet', nonce: 'tZignsnFbp', jti: 'tZignsnFbp223', aud: IDENTIPROOF_ISSUER_URL, iat: Date.now()/1000 },
 };
 
 const kid = 'did:example:ebfeb1f712ebc6f1c276e12ec21/keys/1';

packages/client/lib/__tests__/SdJwt.spec.ts

@@ -43,7 +43,7 @@ const vcIssuer = new VcIssuerBuilder()
         },
         payload: {
           aud: issuerMetadata.credential_issuer,
-          iat: +new Date(),
+          iat: +new Date()/1000,
           nonce: 'a-c-nonce',
         },
       },

packages/client/lib/functions/ProofUtil.ts

@@ -94,8 +94,8 @@ const createJWT = (jwtProps?: JwtProps, existingJwt?: Jwt): Jwt => {
   const now = +new Date();
   const jwtPayload: Partial<JWTPayload> = {
     aud,
-    iat: jwt.payload?.iat ? jwt.payload.iat : now / 1000 - 60, // Let's ensure we subtract 60 seconds for potential time offsets
-    exp: jwt.payload?.exp ? jwt.payload.exp : now / 1000 + 10 * 60,
+    iat: jwt.payload?.iat ?? Math.round(now / 1000 - 60), // Let's ensure we subtract 60 seconds for potential time offsets
+    exp: jwt.payload?.exp ?? Math.round(now / 1000 + 10 * 60),
     nonce,
     ...(iss ? { iss } : {}),
     ...(jti ? { jti } : {}),

packages/issuer-rest/lib/IssuerTokenEndpoint.ts

@@ -14,10 +14,10 @@ import { v4 } from 'uuid'
  * @param interval
  */
 export const handleTokenRequest = <T extends object>({
-  tokenExpiresIn,
+  tokenExpiresIn, // expiration in seconds
   accessTokenSignerCallback,
   accessTokenIssuer,
-  cNonceExpiresIn,
+  cNonceExpiresIn, // expiration in seconds
   issuer,
   interval,
 }: Required<Pick<ITokenEndpointOpts, 'accessTokenIssuer' | 'cNonceExpiresIn' | 'interval' | 'accessTokenSignerCallback' | 'tokenExpiresIn'>> & {

packages/issuer-rest/lib/__tests__/ClientIssuerIT.spec.ts

@@ -314,7 +314,7 @@ describe('VcIssuer', () => {
     async function proofOfPossessionCallbackFunction(args: Jwt, kid?: string): Promise<string> {
       return await new jose.SignJWT({ ...args.payload })
         .setProtectedHeader({ ...args.header })
-        .setIssuedAt(+new Date())
+        .setIssuedAt(args.payload.iat ?? Math.round(+new Date()/1000))
         .setIssuer(kid!)
         .setAudience(args.payload.aud!)
         .setExpirationTime('2h')

packages/issuer/lib/VcIssuer.ts

@@ -519,7 +519,7 @@ export class VcIssuer<DIDDoc extends object> {
       }
       if (!iat) {
         throw new Error(IAT_ERROR)
-      } else if (iat > (createdAt/1000 + tokenExpiresIn)) {
+      } else if (iat > Math.round(createdAt/1000) + tokenExpiresIn) {
         // createdAt is in milliseconds whilst iat and tokenExpiresIn are in seconds
         throw new Error(IAT_ERROR)
       }

packages/issuer/lib/__tests__/VcIssuer.spec.ts

@@ -284,7 +284,7 @@ describe('VcIssuer', () => {
         },
         payload: {
           aud: IDENTIPROOF_ISSUER_URL,
-          iat: +new Date(),
+          iat: +new Date()/1000,
           nonce: 'test-nonce',
         },
       },
@@ -322,7 +322,7 @@ describe('VcIssuer', () => {
         },
         payload: {
           aud: IDENTIPROOF_ISSUER_URL,
-          iat: +new Date(),
+          iat: +new Date()/1000,
           nonce: 'test-nonce',
         },
       },
@@ -405,7 +405,7 @@ describe('VcIssuer', () => {
         },
         payload: {
           aud: IDENTIPROOF_ISSUER_URL,
-          iat: +new Date(),
+          iat: +new Date()/1000,
           nonce: 'test-nonce',
         },
       },

packages/issuer/lib/tokens/index.ts

@@ -134,8 +134,8 @@ export const createAccessTokenResponse = async (
     credentialOfferSessions: IStateManager<CredentialOfferSession>
     cNonces: IStateManager<CNonceState>
     cNonce?: string
-    cNonceExpiresIn?: number
-    tokenExpiresIn: number
+    cNonceExpiresIn?: number // expiration in seconds
+    tokenExpiresIn: number // expiration in seconds
     // preAuthorizedCodeExpirationDuration?: number
     accessTokenSignerCallback: JWTSignerCallback
     accessTokenIssuer: string