About the jwt expiration check in keyless circuit #684
Replies: 2 comments 4 replies
-
|
@zhiqiangxu I believe that line you shared is checking whether user’s ephemeral key pair is expired, not the validity of the JWT. We introduced a separate expiry time for the key pair since jwts typically expire in 1h but we don’t want users to be forced to relogin every 1h. That signal being named with “jwt” seems a mistake. (@alinush to confirm) Sorry about the confusion… |
Beta Was this translation helpful? Give feedback.
-
|
@zjma is correct here. The naming of variables in our circuit code is very unfortunate. Currently being fixed. |
Beta Was this translation helpful? Give feedback.
-
|
@zjma Thanks for the reply! Btw, when do you expect the circuit to take an audit? (If there is such a plan.) |
Beta Was this translation helpful? Give feedback.
-
|
Circuit went through an audit a year ago! We are currently in the middle of an internal audit. |
Beta Was this translation helpful? Give feedback.
-
|
@alinush wow, is the audit report public? |
Beta Was this translation helpful? Give feedback.
-
|
It's not. But we will consider doing a public audit later, once we finish our own internal one. |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
While reading the code here, I've a question: why is the jwt expiration check done this way instead of simply checking
expiration_time > current_time?Beta Was this translation helpful? Give feedback.
All reactions