kernelshard · kernelshard · Aug 11, 2025 · Aug 9, 2025 · Aug 9, 2025 · Aug 10, 2025
diff --git a/services/auth/internal/service/token_service.go b/services/auth/internal/service/token_service.go
@@ -37,13 +37,19 @@ func (s *jwtService) GenerateToken(user *model.User) (string, error) {
 		"email": user.Email,
 		"exp":   time.Now().Add(s.expiryTime).Unix(),
 		"iat":   time.Now().Unix(),
+		"nbf":   time.Now().Unix(), // Not valid before now
 	}
 	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
 	return token.SignedString([]byte(s.secret))
 }
 
 func (s *jwtService) ValidateToken(tokenStr string) (string, string, error) {
 	token, err := jwt.Parse(tokenStr, func(token *jwt.Token) (any, error) {
+		// Validate the signing method to prevent algorithm confuses attack
+		if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
+			s.logger.Error("Unexpected signing method", slog.String("method", token.Header["alg"].(string)))
+			return nil, jwt.ErrSignatureInvalid
+		}
 		return []byte(s.secret), nil
 	})
 
@@ -63,6 +69,29 @@ func (s *jwtService) ValidateToken(tokenStr string) (string, string, error) {
 		return "", "", jwt.ErrTokenMalformed
 	}
 	email, ok := claims["email"].(string)
+	if !ok {
+		s.logger.Error("Invalid email claim", slog.String("email", email))
+		return "", "", jwt.ErrTokenMalformed
+	}
+
+	// validate time based claims
+	now := time.Now().Unix()
+
+	// check expiry
+	if exp, ok := claims["exp"].(float64); ok {
+		if int64(exp) < now {
+			s.logger.Error("Token expired", slog.Int64("exp", int64(exp)), slog.Int64("now", now))
+		}
+		return "", "", jwt.ErrTokenExpired
+	}
+
+	// check not before
+	if nbf, ok := claims["nbf"].(float64); ok {
+		if int64(nbf) > now {
+			s.logger.Error("Token not valid yet", slog.Int64("nbf", int64(nbf)), slog.Int64("now", now))
+		}
+		return "", "", jwt.ErrTokenNotValidYet
+	}
 
 	return userID, email, nil
 }
diff --git a/services/auth/internal/storage/user_storage.go b/services/auth/internal/storage/user_storage.go
@@ -2,7 +2,6 @@ package storage
 
 import (
 	"context"
-	"fmt"
 	"time"
 
 	"github.com/jackc/pgx/v5/pgxpool"
@@ -60,8 +59,6 @@ func (s *userStorage) GetUserByEmail(ctx context.Context, email string) (*model.
 	if err := row.Scan(&user.ID, &user.Email, &user.Password, &user.CreatedAt); err != nil {
 		return nil, err
 	}
-	fmt.Println(user)
-
 	return &user, nil
 }