Add: test token isn't expired

2 files changed, 15 insertions, 1 deletions

diff --git a/muck/token.py b/muck/token.py
index dd85ec9..e818ccf 100644
--- a/muck/token.py
+++ b/muck/token.py
@@ -33,7 +33,7 @@ class TokenChecker:
         try:
             return jwt.decode(
                 token, key=self._key, audience=None, options=options)
-        except jwt.DecodeError as e:
+        except (jwt.DecodeError, jwt.ExpiredSignatureError) as e:
             raise muck.Error(str(e))
 
     def _get_token_text(self, value):
diff --git a/muck/token_tests.py b/muck/token_tests.py
index dadbda9..9530d83 100644
--- a/muck/token_tests.py
+++ b/muck/token_tests.py
@@ -44,6 +44,20 @@ class TokenCheckerTests(unittest.TestCase):
         with self.assertRaises(muck.Error):
             self.tc.parse_header('Bearer XXX')
 
+    def test_rejects_expired_token(self):
+        claims = {
+            'sub': 'subject-1',
+            'scopes': 'scope-1',
+            'iss': 'issuer-1',
+            'aud': 'audience-1',
+            'exp': time.time() - 3600,
+        }
+
+        token = muck.create_token(claims, muck.test_key_text)
+        header = 'Bearer {}'.format(token)
+        with self.assertRaises(muck.Error):
+            self.tc.parse_header(header)
+
     def test_accepts_valid_token(self):
         claims = {
             'sub': 'subject-1',