From 41d1fe9191c08a86d14175682debb6ea37060155 Mon Sep 17 00:00:00 2001
From: Roi Martin
Date: Mon, 13 Jun 2016 20:18:07 +0200
Subject: [PATCH] Using UTC time in JWT token creation (#354)
As stated in PyJWT's documentation [1] and JWT specification [2][3], UTC times must be used. This commit fixes JWT decoding in servers not using UTC time.
[1] https://pypi.python.org/pypi/PyJWT/1.4.0
[2] https://tools.ietf.org/html/rfc7519#section-4.1.6
[3] https://tools.ietf.org/html/rfc7519#section-2
---
 lemur/auth/service.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lemur/auth/service.py b/lemur/auth/service.py
index ad1cf4f6..d6e88ed7 100644
--- a/lemur/auth/service.py
+++ b/lemur/auth/service.py
@@ -75,8 +75,8 @@ def create_token(user):
 expiration_delta = timedelta(days=int(current_app.config.get('LEMUR_TOKEN_EXPIRATION', 1)))
 payload = {
 'sub': user.id,
- 'iat': datetime.now(),
- 'exp': datetime.now() + expiration_delta
+ 'iat': datetime.utcnow(),
+ 'exp': datetime.utcnow() + expiration_delta
 }
 token = jwt.encode(payload, current_app.config['LEMUR_TOKEN_SECRET'])
 return token.decode('unicode_escape')
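Review bot: `iat` and `exp` in the `payload` dict come from two separate `datetime.utcnow()` calls, so the token lifetime is not exactly `expiration_delta`, and nothing in the code records why a naive UTC value is required. Take one timestamp with a comment, `now = datetime.utcnow()  # naive UTC: PyJWT treats datetime claims as UTC when converting to epoch seconds`, then use `'iat': now,` and `'exp': now + expiration_delta`. Tokens issued before this change on hosts whose local time is not UTC carry `exp` values shifted by the local offset, so on hosts ahead of UTC they presumably remain acceptable longer than `LEMUR_TOKEN_EXPIRATION` intends, until they age out or `LEMUR_TOKEN_SECRET` is rotated. A regression test that calls `create_token` under a non-UTC `TZ` and decodes the result would keep local time from creeping back in. The start of `create_token` lies outside the hunk.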