fix actframework#513 DefaultSessionCodec.processExpiration error and actframework#512 JWT: sometimes JWT deserialization failed

greenlaw110 · greenlaw110 · commit 35bfd06d43fc · 2018-02-14T00:16:43.000+11:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,8 @@
 * EntityMetaInfo and scanner - support JPA plugin
 * Update to act-asm-5.0.3 for precise line number in error reporting
 * Improve built-in service performance by make them as nonblock when possible
+* `DefaultSessionCodec.processExpiration` error #513
+* JWT: sometimes JWT deserialization failed #512
 * Command line param binding failed for `char[]` #511
 * `NullPointerException` after app reloaded from an ASM error in dev mode #509
 * Error page not displayed if asm error raised during scanning phase #508
diff --git a/src/main/java/act/crypto/HMAC.java b/src/main/java/act/crypto/HMAC.java
@@ -82,8 +82,8 @@ public String toString(JWT.Token token) {
         token.header(JWT.Header.ALGO, algoName);
         String headers = token.headerJsonString();
         String payloads = token.payloadJsonString();
-        String encodedHeaders = Codec.encodeUrlSafeBase64(headers);
-        String encodedPayloads = Codec.encodeUrlSafeBase64(payloads);
+        String encodedHeaders = encodePart(headers);
+        String encodedPayloads = encodePart(payloads);
         StringBuilder buf = new StringBuilder(encodedHeaders)
                 .append(".")
                 .append(encodedPayloads);
@@ -97,15 +97,15 @@ public String hash(String text) {
 
     public String hash(byte[] bytes) {
         byte[] hashed = mac.doFinal(bytes);
-        return Codec.encodeUrlSafeBase64(hashed);
+        return encodePart(hashed);
     }
 
     public boolean verifyHash(String content, String hash) {
         byte[] myHash = mac.doFinal(content.getBytes(UTF_8));
         int len = hash.length();
         int padding = 4 - len % 4;
         if (padding > 0) {
-            hash = S.concat(hash, S.times('.', padding));
+            hash = S.concat(hash, S.times(Codec.URL_SAFE_BASE64_PADDING_CHAR, padding));
         }
         return MessageDigest.isEqual(myHash, Codec.decodeUrlSafeBase64(hash));
     }
@@ -124,6 +124,13 @@ public boolean verifyArgo(String algoName) {
         }
     }
 
+    private static String encodePart(String part) {
+        return Codec.encodeUrlSafeBase64(part);
+    }
+    private static String encodePart(byte[] part) {
+        return Codec.encodeUrlSafeBase64(part);
+    }
+
     public static void main(String[] args) {
         HMAC hmac = new HMAC("secret", "SHA256");
         System.out.println(hmac.hash("Hello World"));
diff --git a/src/main/java/act/session/DefaultSessionCodec.java b/src/main/java/act/session/DefaultSessionCodec.java
@@ -208,7 +208,7 @@ private String dissolveIntoCookieContent(H.KV<?> kv, boolean isSession) {
 
     static H.Session processExpiration(H.Session session, long now, boolean newSession, boolean sessionWillExpire, int ttl, String pingPath, H.Request request) {
         if (!sessionWillExpire) return session;
-        long expiration = now + ttl;
+        long expiration = now + ttl * 1000;
         if (newSession) {
             // no previous cookie to restore; but we need to set the timestamp in the new cookie
             // note we use `load` API instead of `put` because we don't want to set the dirty flag
