JWT Token Validator Challenge

Published: 1 month ago (December 1, 2025 at 05:50 PM EST)

1 min read

Source: Dev.to

Overview

In 2019 Django’s session management framework contained a subtle but catastrophic vulnerability (CVE‑2019‑11358). The framework failed to properly invalidate session tokens after authentication, allowing attackers to hijack user sessions indefinitely. The root cause was an off‑by‑one error in the token expiration check: using bool: instead of a proper comparison.

Token‑validation Exercise

def is_token_valid(current_time: float, expiry: float, token_timestamp: float) -> bool:
    """
    Validate whether an authentication token is still valid.

    Rules:
    - Return False if the token has expired (elapsed >= expiry).
    - Return False if time travel is detected (current_time < token_timestamp).
    
    Examples:
    >>> is_token_valid(1000.0, 600, 1500.0)   # 500 s elapsed
    True
    >>> is_token_valid(1000.0, 600, 1600.0)   # Exactly at expiry
    False
    """
    # Your implementation here
    pass

Edge‑Case Table

Expiry Configuration	Security Risk	Real‑World Impact
No expiry check	❌ Critical	Tokens valid forever
Wrong boundary (`=` not `>`)

Additional Considerations

Time‑travel detection (current_time < token_timestamp).
Real‑world security scenarios (session fixation, clock‑skew attacks).

JWT Token Validator Challenge

Overview

Token‑validation Exercise

Edge‑Case Table

Additional Considerations

Related posts

Day 1276 : Career Climbing

The Architecture Behind a Stateless AI Application

The Atomic Schlep: The Architecture of the Unstoppable Swap

Google Antigravity: An Overview, Architecture, and Core Differentiators