spotify · bguedel · Aug 17, 2021 · Nov 9, 2021 · Nov 9, 2021 · Nov 16, 2021
diff --git a/src/main/java/com/spotify/github/v3/clients/JwtTokenIssuer.java b/src/main/java/com/spotify/github/v3/clients/JwtTokenIssuer.java
@@ -30,37 +30,55 @@
 import java.security.spec.KeySpec;
 import java.security.spec.PKCS8EncodedKeySpec;
 import java.util.Date;
+import java.util.function.Supplier;
 
 /** The helper Jwt token issuer. */
 public class JwtTokenIssuer {
 
   private static final SignatureAlgorithm SIGNATURE_ALGORITHM = SignatureAlgorithm.RS256;
-  private static final long TOKEN_TTL = 600000;
+  private static final long TOKEN_TTL = 600_000;
+  private static final long TOKEN_ISSUED = 60_000;
 
   private final PrivateKey signingKey;
+  private final Supplier<Date> issuedAt;
 
-  private JwtTokenIssuer(final PrivateKey signingKey) {
+  private JwtTokenIssuer(final PrivateKey signingKey, final Supplier<Date> issuedAt) {
     this.signingKey = signingKey;
+    this.issuedAt = issuedAt;
   }
 
   /**
    * Instantiates a new Jwt token issuer.
    *
    * @param privateKey the private key to use
+   * @param issuedAt the way to determine when the jwt is assumed to be issued at. Used to fix drift
    * @throws NoSuchAlgorithmException the no such algorithm exception
    * @throws InvalidKeySpecException the invalid key spec exception
    */
-  public static JwtTokenIssuer fromPrivateKey(final byte[] privateKey)
+  public static JwtTokenIssuer fromPrivateKey(final byte[] privateKey, final Supplier<Date> issuedAt)
       throws NoSuchAlgorithmException, InvalidKeySpecException {
 
     KeySpec keySpec = PKCS1PEMKey.loadKeySpec(privateKey)
         .orElseGet(() -> new PKCS8EncodedKeySpec(privateKey));
 
     KeyFactory kf = KeyFactory.getInstance("RSA");
     PrivateKey signingKey = kf.generatePrivate(keySpec);
-    return new JwtTokenIssuer(signingKey);
+    return new JwtTokenIssuer(signingKey, issuedAt);
   }
 
+  /**
+   * Instantiates a new Jwt token issuer.
+   *
+   * @param privateKey the private key to use
+   * @throws NoSuchAlgorithmException the no such algorithm exception
+   * @throws InvalidKeySpecException the invalid key spec exception
+   */
+  public static JwtTokenIssuer fromPrivateKey(final byte[] privateKey)
+      throws NoSuchAlgorithmException, InvalidKeySpecException {
+
+    Supplier<Date> defaultIssuedAt = () -> new Date(System.currentTimeMillis() - TOKEN_ISSUED);
+    return fromPrivateKey(privateKey, defaultIssuedAt);
+  }
   /**
    * Generates a JWT token for the given APP ID.
    *
@@ -74,7 +92,7 @@ public String getToken(final Integer appId) {
         .setIssuer(String.valueOf(appId))
         .signWith(signingKey, SIGNATURE_ALGORITHM)
         .setExpiration(new Date(System.currentTimeMillis() + TOKEN_TTL))
-        .setIssuedAt(new Date())
+        .setIssuedAt(issuedAt.get())
         .compact();
   }
 }
diff --git a/src/test/java/com/spotify/github/v3/clients/JwtTokenIssuerTest.java b/src/test/java/com/spotify/github/v3/clients/JwtTokenIssuerTest.java
@@ -26,6 +26,8 @@
 
 import com.google.common.io.Resources;
 import java.net.URL;
+import java.util.Date;
+
 import org.junit.Test;
 
 public class JwtTokenIssuerTest {
@@ -49,7 +51,7 @@ public void loadsDERFileWithPKCS8Key() throws Exception {
   @Test
   public void loadsPEMFile() throws Exception {
     final byte[] key = Resources.toByteArray(PEM_KEY_RESOURCE);
-    final JwtTokenIssuer tokenIssuer = JwtTokenIssuer.fromPrivateKey(key);
+    final JwtTokenIssuer tokenIssuer = JwtTokenIssuer.fromPrivateKey(key, () -> new Date());
 
     final String token = tokenIssuer.getToken(42);
     assertThat(token, not(nullValue()));