Merge pull request #16 from atholbro/support-unlimited-expiry-time

atholbro · web-flow · commit f526ea426f5c · 2025-09-17T19:34:33.000-04:00
Add support for unlimited expiry tokens by leaving the expiry time null.
diff --git a/paseto-core/src/main/java/net/aholbrook/paseto/claims/Claims.java b/paseto-core/src/main/java/net/aholbrook/paseto/claims/Claims.java
@@ -12,6 +12,10 @@ private Claims() {
 			new IssuedInPast(), new CurrentlyValid()
 	};
 
+	public static final Claim[] DEFAULT_NO_EXPIRY_CLAIM_CHECKS = new Claim[] {
+			new IssuedInPast(), new CurrentlyValid(true)
+	};
+
 	public static VerificationContext verify(Token token) {
 		return verify(token, DEFAULT_CLAIM_CHECKS);
 	}
diff --git a/paseto-core/src/main/java/net/aholbrook/paseto/claims/CurrentlyValid.java b/paseto-core/src/main/java/net/aholbrook/paseto/claims/CurrentlyValid.java
@@ -18,6 +18,7 @@ public class CurrentlyValid implements Claim {
 
 	private final OffsetDateTime time;
 	private final Duration allowableDrift;
+	private final boolean allowWithoutExpiration;
 
 	/**
 	 * Verifies that the token is not expired or validated before it's "Not Before" time.
@@ -28,7 +29,20 @@ public class CurrentlyValid implements Claim {
 	 * relaxes the check by adding a 1 second window into the future during which the not before check will pass.
 	 */
 	public CurrentlyValid() {
-		this(DEFAULT_ALLOWABLE_DRIFT);
+		this(DEFAULT_ALLOWABLE_DRIFT, false);
+	}
+
+	/**
+	 * Verifies that the token is not expired or validated before it's "Not Before" time.
+	 *
+	 * This call sets the "check time" to Clock.systemUTC() and should be used in most cases.
+	 *
+	 * This constructor sets the allowable clock drift as DEFAULT_ALLOWABLE_DRIFT which is defined as 1 second. This
+	 * relaxes the check by adding a 1 second window into the future during which the not before check will pass.
+	 * @param allowWithoutExpiration When true, treat tokens without a set expiry as valid.
+	 */
+	public CurrentlyValid(boolean allowWithoutExpiration) {
+		this(DEFAULT_ALLOWABLE_DRIFT, allowWithoutExpiration);
 	}
 
 	/**
@@ -42,7 +56,22 @@ public CurrentlyValid() {
 	 * time.
 	 */
 	public CurrentlyValid(Duration allowableDrift) {
-		this(null, allowableDrift);
+		this(null, allowableDrift, false);
+	}
+
+	/**
+	 * Verifies that the token is not expired or validated before it's "Not Before" time.
+	 *
+	 * This call sets the "check time" to Clock.systemUTC() and should be used in most cases.
+	 *
+	 * @param allowableDrift Time window during which a token is considered valid even if it's not before time is in
+	 * the future. Should be set to a small time window (default is 1 second) which allows for a
+	 * slight clock drift between servers. Only applies to "not before" and not the expiration
+	 * time.
+	 * @param allowWithoutExpiration When true, treat tokens without a set expiry as valid.
+	 */
+	public CurrentlyValid(Duration allowableDrift, boolean allowWithoutExpiration) {
+		this(null, allowableDrift, allowWithoutExpiration);
 	}
 
 	/**
@@ -57,10 +86,12 @@ public CurrentlyValid(Duration allowableDrift) {
 	 * the future. Should be set to a small time window (default is 1 second) which allows for a
 	 * slight clock drift between servers. Only applies to "not before" and not the expiration
 	 * time.
+	 * @param allowWithoutExpiration When true, treat tokens without a set expiry as valid.
 	 */
-	public CurrentlyValid(OffsetDateTime time, Duration allowableDrift) {
+	public CurrentlyValid(OffsetDateTime time, Duration allowableDrift, boolean allowWithoutExpiration) {
 		this.time = time;
 		this.allowableDrift = allowableDrift;
+		this.allowWithoutExpiration = allowWithoutExpiration;
 	}
 
 	@Override
@@ -70,15 +101,9 @@ public String name() {
 
 	@Override
 	public void check(Token token, VerificationContext context) {
+		// Note: issued at times can be checked with the IssuedInPast rule.
 		OffsetDateTime time = this.time == null ? OffsetDateTime.now(Clock.systemUTC()) : this.time;
 
-		// If no expiry time was set, then we treat the token as expired.
-		if (token.getExpiration() == null) {
-			throw new MissingClaimException(Token.CLAIM_EXPIRATION, NAME, token);
-		}
-
-		OffsetDateTime expiration = Instant.ofEpochSecond(token.getExpiration()).atOffset(ZoneOffset.UTC);
-
 		// Check "Not Before" if provided.
 		if (token.getNotBefore() != null) {
 			OffsetDateTime notBefore = Instant.ofEpochSecond(token.getNotBefore()).atOffset(ZoneOffset.UTC);
@@ -88,7 +113,16 @@ public void check(Token token, VerificationContext context) {
 			}
 		}
 
-		// Note: issued at times can be checked with the IssuedInPast rule.
+		// If no expiry time was set, then we treat the token as expired unless allowWithoutExpiration is true.
+		if (token.getExpiration() == null) {
+			if (allowWithoutExpiration) {
+				return; // valid
+			} else {
+				throw new MissingClaimException(Token.CLAIM_EXPIRATION, NAME, token);
+			}
+		}
+
+		OffsetDateTime expiration = Instant.ofEpochSecond(token.getExpiration()).atOffset(ZoneOffset.UTC);
 
 		// Finally we check the expiration time.
 		if (expiration.isBefore(time)) {
diff --git a/paseto-core/src/main/java/net/aholbrook/paseto/service/LocalTokenService.java b/paseto-core/src/main/java/net/aholbrook/paseto/service/LocalTokenService.java
@@ -3,6 +3,7 @@
 import net.aholbrook.paseto.Paseto;
 import net.aholbrook.paseto.PasetoV1;
 import net.aholbrook.paseto.PasetoV2;
+import net.aholbrook.paseto.PasetoV4;
 import net.aholbrook.paseto.TokenWithFooter;
 import net.aholbrook.paseto.claims.Claim;
 import net.aholbrook.paseto.claims.Claims;
@@ -14,8 +15,8 @@ public class LocalTokenService<_TokenType extends Token> extends TokenService<_T
 	private final KeyProvider keyProvider;
 
 	private LocalTokenService(Paseto paseto, KeyProvider keyProvider, Claim[] claims,
-			Duration defaultValidityPeriod, Class<_TokenType> tokenClass) {
-		super(paseto, claims, defaultValidityPeriod, tokenClass);
+			Duration defaultValidityPeriod, Class<_TokenType> tokenClass, boolean allowTokensWithoutExpiration) {
+		super(paseto, claims, defaultValidityPeriod, tokenClass, allowTokensWithoutExpiration);
 		this.keyProvider = keyProvider;
 	}
 
@@ -107,6 +108,7 @@ public static class Builder<_TokenType extends Token> {
 		private Paseto paseto;
 		private Long defaultValidityPeriod = null;
 		private Claim[] claims = Claims.DEFAULT_CLAIM_CHECKS;
+		private boolean allowTokensWithoutExpiration = false;
 
 		public Builder(Class<_TokenType> tokenClass, KeyProvider keyProvider) {
 			this.tokenClass = tokenClass;
@@ -123,6 +125,11 @@ public Builder<_TokenType> withV2() {
 			return this;
 		}
 
+		public Builder<_TokenType> withV4() {
+			this.paseto = new PasetoV4.Builder().build();
+			return this;
+		}
+
 		public Builder<_TokenType> withPaseto(Paseto paseto) {
 			this.paseto = paseto;
 			return this;
@@ -133,6 +140,16 @@ public Builder<_TokenType> withDefaultValidityPeriod(Long seconds) {
 			return this;
 		}
 
+		public Builder<_TokenType> withoutExpiration() {
+			this.allowTokensWithoutExpiration = true;
+
+			if (claims == Claims.DEFAULT_CLAIM_CHECKS) {
+				claims = Claims.DEFAULT_NO_EXPIRY_CLAIM_CHECKS;
+			}
+
+			return this;
+		}
+
 		public Builder<_TokenType> checkClaims(Claim[] claims) {
 			this.claims = claims;
 			return this;
@@ -145,7 +162,8 @@ public LocalTokenService<_TokenType> build() {
 					keyProvider,
 					claims,
 					defaultValidityPeriod != null ? Duration.ofSeconds(defaultValidityPeriod) : null,
-					tokenClass);
+					tokenClass,
+					allowTokensWithoutExpiration);
 		}
 	}
 }
diff --git a/paseto-core/src/main/java/net/aholbrook/paseto/service/PublicTokenService.java b/paseto-core/src/main/java/net/aholbrook/paseto/service/PublicTokenService.java
@@ -3,6 +3,7 @@
 import net.aholbrook.paseto.Paseto;
 import net.aholbrook.paseto.PasetoV1;
 import net.aholbrook.paseto.PasetoV2;
+import net.aholbrook.paseto.PasetoV4;
 import net.aholbrook.paseto.TokenWithFooter;
 import net.aholbrook.paseto.claims.Claim;
 import net.aholbrook.paseto.claims.Claims;
@@ -16,8 +17,8 @@ public class PublicTokenService<_TokenType extends Token> extends TokenService<_
 	private final KeyProvider keyProvider;
 
 	private PublicTokenService(Paseto paseto, KeyProvider keyProvider, Claim[] claims,
-			Duration defaultValidityPeriod, Class<_TokenType> tokenClass) {
-		super(paseto, claims, defaultValidityPeriod, tokenClass);
+			Duration defaultValidityPeriod, Class<_TokenType> tokenClass, boolean allowTokensWithoutExpiration) {
+		super(paseto, claims, defaultValidityPeriod, tokenClass, allowTokensWithoutExpiration);
 		this.keyProvider = keyProvider;
 	}
 
@@ -110,6 +111,7 @@ public static class Builder<_TokenType extends Token> {
 		private Paseto paseto;
 		private Long defaultValidityPeriod = null;
 		private Claim[] claims = Claims.DEFAULT_CLAIM_CHECKS;
+		private boolean allowTokensWithoutExpiration = false;
 
 		public Builder(Class<_TokenType> tokenClass, KeyProvider keyProvider) {
 			this.tokenClass = tokenClass;
@@ -126,6 +128,11 @@ public Builder<_TokenType> withV2() {
 			return this;
 		}
 
+		public Builder<_TokenType> withV4() {
+			this.paseto = new PasetoV4.Builder().build();
+			return this;
+		}
+
 		public Builder<_TokenType> withPaseto(Paseto paseto) {
 			this.paseto = paseto;
 			return this;
@@ -136,6 +143,16 @@ public Builder<_TokenType> withDefaultValidityPeriod(Long defaultValidityPeriod)
 			return this;
 		}
 
+		public Builder<_TokenType> withoutExpiration() {
+			this.allowTokensWithoutExpiration = true;
+
+			if (claims == Claims.DEFAULT_CLAIM_CHECKS) {
+				claims = Claims.DEFAULT_NO_EXPIRY_CLAIM_CHECKS;
+			}
+
+			return this;
+		}
+
 		public Builder<_TokenType> checkClaims(Claim[] claims) {
 			this.claims = claims;
 			return this;
@@ -148,7 +165,8 @@ public PublicTokenService<_TokenType> build() {
 					keyProvider,
 					claims,
 					defaultValidityPeriod != null ? Duration.ofSeconds(defaultValidityPeriod) : null,
-					tokenClass);
+					tokenClass,
+					allowTokensWithoutExpiration);
 		}
 	}
 }
diff --git a/paseto-core/src/main/java/net/aholbrook/paseto/service/TokenService.java b/paseto-core/src/main/java/net/aholbrook/paseto/service/TokenService.java
@@ -16,13 +16,15 @@ public abstract class TokenService<_TokenType extends Token> {
 	final Class<_TokenType> tokenClass;
 	final Claim[] claims;
 	private final Duration defaultValidityPeriod;
+	private final boolean allowTokensWithoutExpiration;
 
 	TokenService(Paseto paseto, Claim[] claims, Duration defaultValidityPeriod,
-			Class<_TokenType> tokenClass) {
+			Class<_TokenType> tokenClass, boolean allowTokensWithoutExpiration) {
 		this.paseto = paseto;
 		this.tokenClass = tokenClass;
 		this.defaultValidityPeriod = defaultValidityPeriod;
 		this.claims = claims;
+		this.allowTokensWithoutExpiration = allowTokensWithoutExpiration;
 	}
 
 	abstract public String encode(_TokenType token);
@@ -62,7 +64,7 @@ protected final void validateToken(_TokenType token) {
 			if (defaultValidityPeriod != null) {
 				OffsetDateTime issuedAt = Instant.ofEpochSecond(token.getIssuedAt()).atOffset(ZoneOffset.UTC);
 				token.setExpiration(issuedAt.plus(defaultValidityPeriod).toEpochSecond());
-			} else {
+			} else if (!allowTokensWithoutExpiration) {
 				throw new MissingClaimException(Token.CLAIM_EXPIRATION, "TokenService", token);
 			}
 		}
diff --git a/paseto-core/src/test/java/net/aholbrook/paseto/ClaimVerificationTest.java b/paseto-core/src/test/java/net/aholbrook/paseto/ClaimVerificationTest.java
@@ -38,7 +38,7 @@ private VerificationContext defaultVerification(Token token) {
 	private VerificationContext standardVerification(Token token, OffsetDateTime time) {
 		Claim[] claims = new Claim[] {
 				new IssuedInPast(time, IssuedInPast.DEFAULT_ALLOWABLE_DRIFT),
-				new CurrentlyValid(time, CurrentlyValid.DEFAULT_ALLOWABLE_DRIFT)
+				new CurrentlyValid(time, CurrentlyValid.DEFAULT_ALLOWABLE_DRIFT, false)
 		};
 
 		return Claims.verify(token, claims);
@@ -111,6 +111,19 @@ public void tokenVerification_expired_missing() {
 		});
 	}
 
+	@Test
+	@DisplayName("A token without an expiration time is valid if allowWithoutExpiration is set to true.")
+	public void tokenVerification_null_expired_allowed() {
+		Token token = new Token().setIssuedAt(0L);
+
+		Claim[] claims = new Claim[] {
+				new IssuedInPast(IssuedInPast.DEFAULT_ALLOWABLE_DRIFT),
+				new CurrentlyValid(CurrentlyValid.DEFAULT_ALLOWABLE_DRIFT, true)
+		};
+
+		Claims.verify(token, claims);
+	}
+
 	@Test
 	@DisplayName("CurrentlyValid claim name is correct.")
 	public void tokenVerification_expired_name() {
diff --git a/paseto-core/src/test/java/net/aholbrook/paseto/PasetoV1ServiceTest.java b/paseto-core/src/test/java/net/aholbrook/paseto/PasetoV1ServiceTest.java
@@ -317,6 +317,20 @@ public void v1Service_public_noExpiry(Paseto.Builder builder) {
 		});
 	}
 
+	@ParameterizedTest(name = "{displayName} with {0}")
+	@MethodSource("net.aholbrook.paseto.Sources#pasetoV1Builders")
+	public void v1Service_public_noExpiryAllowed(Paseto.Builder builder) {
+		Token token = new Token().setTokenId("id").setIssuedAt(0L);
+		PublicTokenService<Token> service = new PublicTokenService.Builder<>(Token.class, rfcPublicKeyProvider())
+				.withPaseto(builder.build())
+				.withoutExpiration()
+				.build();
+
+		String s = service.encode(token);
+		Token token2 = service.decode(s);
+		Assertions.assertNotNull(token2.getIssuedAt());
+		Assertions.assertNull(token2.getExpiration());
+	}
 
 	// Constructors / Builder options
 	@ParameterizedTest(name = "{displayName} with {0}")
diff --git a/paseto-core/src/test/java/net/aholbrook/paseto/PasetoV2ServiceTest.java b/paseto-core/src/test/java/net/aholbrook/paseto/PasetoV2ServiceTest.java
@@ -308,6 +308,21 @@ public void v2Service_local_noExpiry(Paseto.Builder builder) {
 		});
 	}
 
+	@ParameterizedTest(name = "{displayName} with {0}")
+	@MethodSource("net.aholbrook.paseto.Sources#pasetoV2Builders")
+	public void v2Service_local_noExpiryAllowed(Paseto.Builder builder) {
+		Token token = new Token().setTokenId("id").setIssuedAt(0L);
+		LocalTokenService<Token> service = new LocalTokenService.Builder<>(Token.class, rfcLocalKeyProvider())
+				.withPaseto(builder.build())
+				.withoutExpiration()
+				.build();
+
+		String s = service.encode(token);
+		Token token2 = service.decode(s);
+		Assertions.assertNotNull(token2.getIssuedAt());
+		Assertions.assertNull(token2.getExpiration());
+	}
+
 	@ParameterizedTest(name = "{displayName} with {0}")
 	@MethodSource("net.aholbrook.paseto.Sources#pasetoV2Builders")
 	public void v2Service_public_defaultValidityPeriod(Paseto.Builder builder) {
@@ -337,6 +352,21 @@ public void v2Service_public_noExpiry(Paseto.Builder builder) {
 		});
 	}
 
+	@ParameterizedTest(name = "{displayName} with {0}")
+	@MethodSource("net.aholbrook.paseto.Sources#pasetoV2Builders")
+	public void v2Service_public_noExpiryAllowed(Paseto.Builder builder) {
+		Token token = new Token().setTokenId("id").setIssuedAt(0L);
+		PublicTokenService<Token> service = new PublicTokenService.Builder<>(Token.class, rfcPublicKeyProvider())
+				.withPaseto(builder.build())
+				.withoutExpiration()
+				.build();
+
+		String s = service.encode(token);
+		Token token2 = service.decode(s);
+		Assertions.assertNotNull(token2.getIssuedAt());
+		Assertions.assertNull(token2.getExpiration());
+	}
+
 
 	// Constructors / Builder options
 	@ParameterizedTest(name = "{displayName} with {0}")
