JWT logic

pblazej · pblazej · commit bfdb58058a5a · 2025-10-31T15:43:09.000+01:00
diff --git a/Sources/LiveKit/Token/CachingTokenSource.swift b/Sources/LiveKit/Token/CachingTokenSource.swift
@@ -14,6 +14,7 @@
  * limitations under the License.
  */
 
+internal import LiveKitFFI
 import Foundation
 
 /// A token source that caches credentials from any other ``TokenSourceConfigurable`` using a configurable store.
@@ -148,20 +149,27 @@ public extension TokenSourceResponse {
             return false
         }
 
-        do {
-            try jwt.nbf.verifyNotBefore()
-            try jwt.exp.verifyNotExpired(currentDate: Date().addingTimeInterval(tolerance))
-        } catch {
-            return false
-        }
-
-        return true
+        return jwt.nbf.verifyNotBefore() && jwt.exp.verifyNotExpired(Date().addingTimeInterval(tolerance))
     }
 
     /// Extracts the JWT payload from the participant token.
     ///
     /// - Returns: The JWT payload if successfully parsed, nil otherwise
-    internal func jwt() -> LiveKitJWTPayload? {
-        LiveKitJWTPayload.fromUnverified(token: participantToken)
+    internal func jwt() -> Claims? {
+        try? tokenClaimsFromUnverified(token: participantToken)
+    }
+}
+
+private extension UInt64 {
+    var asDate: Date {
+        Date(timeIntervalSince1970: TimeInterval(self))
+    }
+
+    func verifyNotBefore(_ date: Date = Date()) -> Bool {
+        asDate >= date
+    }
+
+    func verifyNotExpired(_ date: Date = Date()) -> Bool {
+        asDate < date
     }
 }
diff --git a/Sources/LiveKit/Token/JWT.swift b/Sources/LiveKit/Token/JWT.swift
diff --git a/Tests/LiveKitCoreTests/Token/TokenSourceTests.swift b/Tests/LiveKitCoreTests/Token/TokenSourceTests.swift
@@ -18,6 +18,7 @@
 #if canImport(LiveKitTestSupport)
 import LiveKitTestSupport
 #endif
+import LiveKitFFI
 
 class TokenSourceTests: LKTestCase {
     actor MockValidJWTSource: TokenSourceConfigurable {
@@ -38,7 +39,23 @@ class TokenSourceTests: LKTestCase {
                 identity: options.participantIdentity ?? "test-identity"
             )
             tokenGenerator.name = options.participantName ?? participantName
-            tokenGenerator.videoGrant = LiveKitJWTPayload.VideoGrant(room: options.roomName ?? "test-room", roomJoin: true)
+            tokenGenerator.videoGrants = VideoGrants(
+                roomCreate: false,
+                roomList: false,
+                roomRecord: false,
+                roomAdmin: false,
+                roomJoin: true,
+                room: options.roomName ?? "test-room",
+                destinationRoom: "",
+                canPublish: false,
+                canSubscribe: false,
+                canPublishData: false,
+                canPublishSources: [],
+                canUpdateOwnMetadata: false,
+                ingressAdmin: false,
+                hidden: false,
+                recorder: false
+            )
 
             let token = try tokenGenerator.sign()
 
@@ -74,10 +91,26 @@ class TokenSourceTests: LKTestCase {
                 apiKey: "test-api-key",
                 apiSecret: "test-api-secret",
                 identity: options.participantIdentity ?? "test-identity",
-                ttl: -60
+                ttl: 0
             )
             tokenGenerator.name = options.participantName ?? "test-participant"
-            tokenGenerator.videoGrant = LiveKitJWTPayload.VideoGrant(room: options.roomName ?? "test-room", roomJoin: true)
+            tokenGenerator.videoGrants = VideoGrants(
+                roomCreate: false,
+                roomList: false,
+                roomRecord: false,
+                roomAdmin: false,
+                roomJoin: true,
+                room: options.roomName ?? "test-room",
+                destinationRoom: "",
+                canPublish: false,
+                canSubscribe: false,
+                canPublishData: false,
+                canPublishSources: [],
+                canUpdateOwnMetadata: false,
+                ingressAdmin: false,
+                hidden: false,
+                recorder: false
+            )
 
             let token = try tokenGenerator.sign()
 
diff --git a/Tests/LiveKitTestSupport/Room.swift b/Tests/LiveKitTestSupport/Room.swift
@@ -15,6 +15,7 @@
  */
 
 @testable import LiveKit
+import LiveKitFFI
 
 public struct RoomTestingOptions {
     public let delegate: RoomDelegate?
@@ -78,12 +79,24 @@ public extension LKTestCase {
                                             apiSecret: apiSecret,
                                             identity: identity)
 
-        tokenGenerator.videoGrant = LiveKitJWTPayload.VideoGrant(room: room,
-                                                                 roomJoin: true,
-                                                                 canPublish: canPublish,
-                                                                 canSubscribe: canSubscribe,
-                                                                 canPublishData: canPublishData,
-                                                                 canPublishSources: canPublishSources.map(String.init))
+        tokenGenerator.videoGrants = VideoGrants(
+            roomCreate: false,
+            roomList: false,
+            roomRecord: false,
+            roomAdmin: false,
+            roomJoin: true,
+            room: room,
+            destinationRoom: "",
+            canPublish: canPublish,
+            canSubscribe: canSubscribe,
+            canPublishData: canPublishData,
+            canPublishSources: canPublishSources.map(String.init),
+            canUpdateOwnMetadata: false,
+            ingressAdmin: false,
+            hidden: false,
+            recorder: false
+        )
+
         return try tokenGenerator.sign()
     }
 
diff --git a/Tests/LiveKitTestSupport/TokenGenerator.swift b/Tests/LiveKitTestSupport/TokenGenerator.swift
@@ -29,7 +29,7 @@ public class TokenGenerator {
     public var ttl: TimeInterval
     public var name: String?
     public var metadata: String?
-    public var videoGrant: LiveKitJWTPayload.VideoGrant?
+    public var videoGrants: VideoGrants?
 
     public init(apiKey: String,
                 apiSecret: String,
@@ -43,40 +43,19 @@ public class TokenGenerator {
     }
 
     public func sign() throws -> String {
-        var ffiVideoGrants: VideoGrants?
-        if let grant = videoGrant {
-            ffiVideoGrants = VideoGrants(
-                roomCreate: grant.roomCreate ?? false,
-                roomList: grant.roomList ?? false,
-                roomRecord: grant.roomRecord ?? false,
-                roomAdmin: grant.roomAdmin ?? false,
-                roomJoin: grant.roomJoin ?? false,
-                room: grant.room ?? "",
-                destinationRoom: "",
-                canPublish: grant.canPublish ?? false,
-                canSubscribe: grant.canSubscribe ?? false,
-                canPublishData: grant.canPublishData ?? false,
-                canPublishSources: grant.canPublishSources ?? [],
-                canUpdateOwnMetadata: false,
-                ingressAdmin: false,
-                hidden: grant.hidden ?? false,
-                recorder: grant.recorder ?? false
-            )
-        }
-
         let credentials = ApiCredentials(key: apiKey, secret: apiSecret)
         let options = TokenOptions(
             ttl: ttl,
-            videoGrants: ffiVideoGrants,
+            videoGrants: videoGrants,
             sipGrants: nil,
             identity: identity,
             name: name,
             metadata: metadata,
             attributes: nil,
             sha256: nil,
-            roomName: videoGrant?.room
+            roomName: videoGrants?.room
         )
 
-        return try generateToken(options: options, credentials: credentials)
+        return try tokenGenerate(options: options, credentials: credentials)
     }
 }
