Fix error in 4.0.0 branch where refresh expires time was always used

Landon Gilbert-Bland · Landon Gilbert-Bland · commit efa7dd1d7491 · 2021-01-31T22:24:27.000-07:00
diff --git a/flask_jwt_extended/jwt_manager.py b/flask_jwt_extended/jwt_manager.py
@@ -473,7 +473,10 @@ def _encode_jwt_from_config(
             claim_overrides.update(claims)
 
         if expires_delta is None:
-            expires_delta = config.refresh_expires
+            if token_type == "access":
+                expires_delta = config.access_expires
+            else:
+                expires_delta = config.refresh_expires
 
         return _encode_jwt(
             algorithm=config.algorithm,
diff --git a/flask_jwt_extended/tokens.py b/flask_jwt_extended/tokens.py
@@ -1,6 +1,7 @@
-import datetime
 import uuid
-from calendar import timegm
+from datetime import datetime
+from datetime import timedelta
+from datetime import timezone
 
 import jwt
 from werkzeug.security import safe_str_cmp
@@ -23,10 +24,10 @@ def _encode_jwt(
     secret,
     token_type,
 ):
-    now = datetime.datetime.utcnow()
+    now = datetime.now(timezone.utc)
 
-    if isinstance(fresh, datetime.timedelta):
-        fresh = timegm((now + fresh).utctimetuple())
+    if isinstance(fresh, timedelta):
+        fresh = datetime.timestamp(now + fresh)
 
     token_data = {
         "fresh": fresh,
diff --git a/flask_jwt_extended/view_decorators.py b/flask_jwt_extended/view_decorators.py
@@ -1,5 +1,5 @@
-from calendar import timegm
 from datetime import datetime
+from datetime import timezone
 from functools import wraps
 from re import split
 
@@ -28,7 +28,7 @@ def _verify_token_is_fresh(jwt_header, jwt_data):
         if not fresh:
             raise FreshTokenRequired("Fresh token required", jwt_header, jwt_data)
     else:
-        now = timegm(datetime.utcnow().utctimetuple())
+        now = datetime.timestamp(datetime.now(timezone.utc))
         if fresh < now:
             raise FreshTokenRequired("Fresh token required", jwt_header, jwt_data)
 
diff --git a/tests/test_decode_tokens.py b/tests/test_decode_tokens.py
@@ -1,5 +1,6 @@
 from datetime import datetime
 from datetime import timedelta
+from datetime import timezone
 
 import pytest
 from dateutil.relativedelta import relativedelta
@@ -289,3 +290,21 @@ def test_jwt_headers(app):
         refresh_token = create_refresh_token("username", additional_headers=jwt_header)
         assert get_unverified_jwt_headers(access_token)["foo"] == "bar"
         assert get_unverified_jwt_headers(refresh_token)["foo"] == "bar"
+
+
+def test_token_expires_time(app):
+    app.config["JWT_ACCESS_TOKEN_EXPIRES"] = timedelta(hours=1)
+    app.config["JWT_REFRESH_TOKEN_EXPIRES"] = timedelta(hours=2)
+
+    now_timestamp = datetime.timestamp(datetime.now(timezone.utc))
+
+    with app.test_request_context():
+        access_token = create_access_token("username")
+        refresh_token = create_refresh_token("username")
+        access_timestamp = decode_token(access_token)["exp"]
+        refresh_timestamp = decode_token(refresh_token)["exp"]
+
+        # <  2 for a little bit of leeway from when we calculated now vs when
+        # the tokens are created
+        assert (access_timestamp - (now_timestamp + 3600)) < 2
+        assert (refresh_timestamp - (now_timestamp + 7200)) < 2
