From 66e669f30298164a692c5368d3e7f73134490cd1 Mon Sep 17 00:00:00 2001
From: Lars Wirzenius
Date: Sat, 27 Oct 2018 10:12:48 +0300
Subject: Add: test token isn't expired
---
 muck/token.py | 2 +-
 muck/token_tests.py | 14 ++++++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/muck/token.py b/muck/token.py
index dd85ec9..e818ccf 100644
--- a/muck/token.py
+++ b/muck/token.py
@@ -33,7 +33,7 @@ class TokenChecker:
 try:
 return jwt.decode(
 token, key=self._key, audience=None, options=options)
- except jwt.DecodeError as e:
+ except (jwt.DecodeError, jwt.ExpiredSignatureError) as e:
 raise muck.Error(str(e))
 
 def _get_token_text(self, value):
diff --git a/muck/token_tests.py b/muck/token_tests.py
index dadbda9..9530d83 100644
--- a/muck/token_tests.py
+++ b/muck/token_tests.py
@@ -44,6 +44,20 @@ class TokenCheckerTests(unittest.TestCase):
 with self.assertRaises(muck.Error):
 self.tc.parse_header('Bearer XXX')
 
+ def test_rejects_expired_token(self):
+ claims = {
+ 'sub': 'subject-1',
+ 'scopes': 'scope-1',
+ 'iss': 'issuer-1',
+ 'aud': 'audience-1',
+ 'exp': time.time() - 3600,
+ }
+
+ token = muck.create_token(claims, muck.test_key_text)
+ header = 'Bearer {}'.format(token)
+ with self.assertRaises(muck.Error):
+ self.tc.parse_header(header)
+
 def test_accepts_valid_token(self):
 claims = {
 'sub': 'subject-1',
-- 
cgit v1.2.1
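Review bot: The widened `except` in muck/token.py still lets PyJWT's other validation failures escape as raw library exceptions instead of `muck.Error`. `jwt.DecodeError` and `jwt.ExpiredSignatureError` are both subclasses of `jwt.InvalidTokenError`, as are the errors for a not-yet-valid token, a wrong audience or issuer, and a missing required claim, so `except jwt.InvalidTokenError as e:` would put every rejected token on the same handled path. The `options` dict passed to `jwt.decode` is built outside this hunk, so it is worth confirming there that signature and `exp` verification stay enabled; with `audience=None` the `aud` claim is presumably not being checked. The enclosing method starts above the hunk.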
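Review bot: `test_rejects_expired_token` in muck/token_tests.py only asserts that some `muck.Error` is raised, so it would also pass if the token were rejected for an unrelated reason such as a key mismatch or a malformed header. Capturing the exception and checking its message ties the test to expiry: `with self.assertRaises(muck.Error) as cm:` followed by `self.assertIn('expired', str(cm.exception))`. That check assumes `muck.Error` keeps PyJWT's message, as the `str(e)` in token.py suggests. The test calls `time.time()` and no `import time` is visible in this hunk, so confirm the test module imports it.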