Verifying TTL is ambiguous regarding nanosecond handling
samdfonseca opened this issue
Sam Fonseca commented
The spec's instructions for verifying token TTL don't explain how to handle nanoseconds:

> If the user has specified a maximum age (or "time-to-live") for the token, ensure the recorded timestamp is not too far in the past.
This results in differences between implementations. For example, fernet-go uses time.Time.After, which checks equality down to the nanosecond level, while Python's cryptography.fernet truncates nanoseconds from the now timestamp before comparing. This means that a token may fail verification in one implementation, but pass in the other.