can't test token_expire (no time travel?)

[benascbr]

Subject of the issue

I was asked to implement test for jwt token expire for our application.

Because jwt.ttl is in minutes we can't wait 1 minute in test. Instead I'm trying to time travel but that doesn't work.

Your environment

Q	A
Bug?	possibly
New Feature?	no
Framework	Laravel
Framework version	11.36.1
Package version	"php-open-source-saver/jwt-auth": "^2",
PHP version	8.3.14

Steps to reproduce

    public function test_token_expire()
    {
        Config::set('jwt.ttl', 1);
        $user = $this->user();

        $response = $this
            ->withHeaders(['X-DEVICE-ID' => md5(microtime(true))])
            ->postJson('/v1/login', [
                'username' => $user->email,
                'password' => 'password'
            ])
            ->assertOk();

        $token = $response->json('data.token');

        $this
            ->withToken($token)
            ->get('/v1/me')
            ->assertOk();

        $this->travel(1)->year();

        $this
            ->withToken($token)
            ->get('/v1/me')
            ->assertUnauthorized();
    }

Expected behaviour

Last API should fail, because token is expired after traveling 1 year.

Actual behaviour

Last API isn't failing and user token still works after 1 year.

[benascbr]

Even if time travelling is bad idea I would appreciate any alternative solution to make such test.

[benascbr]

https://github.com/tymondesigns/jwt-auth/blob/2.x/src/Claims/Expiration.php#L30

[DrakkoFire]

I'm guessing it uses Carbon under the hood, a good solution it would be using Carbon::setTestNow() with your date before generating the token, so it can create it with the simulated now(), and then reset the setTestNow to your current date so you can verify if it expired.

Here's a little example:

public function test_token_expire()
{
    Config::set('jwt.ttl', 1);

    // Traveling to the past by 1 minute
    Carbon::setTestNow(Carbon::now()->subMinutes(1));

    $user = $this->user();

    $response = $this
        ->withHeaders(['X-DEVICE-ID' => md5(microtime(true))])
        ->postJson('/v1/login', [
            'username' => $user->email,
            'password' => 'password'
        ])
        ->assertOk();

    $token = $response->json('data.token');

    $this
        ->withToken($token)
        ->get('/v1/me')
        ->assertOk();

    // Traveling back to the present time
    Carbon::setTestNow();

    $this
        ->withToken($token)
        ->get('/v1/me')
        ->assertUnauthorized();
}

You can check the documentation for it