Merge ee09f74 into 035c87f

PRX · Sep 8, 2020 · 0455cf2 · 0455cf2
2 parents 035c87f + ee09f74
commit 0455cf2
Show file tree

Hide file tree

Showing 3 changed files with 50 additions and 9 deletions.
diff --git a/lib/prx_auth/version.rb b/lib/prx_auth/version.rb
@@ -1,3 +1,3 @@
 module PrxAuth
-  VERSION = "1.3.0"
+  VERSION = "1.4.0"
 end
diff --git a/lib/rack/prx_auth.rb b/lib/rack/prx_auth.rb
@@ -53,7 +53,12 @@ def decode_token(token)
     end
 
     def expired?(claims)
-      Time.now.to_i > (claims['iat'] + claims['exp'])
+      now = Time.now.to_i - 30 # 30 second clock jitter allowance
+      if claims['iat'] <= claims['exp']
+        now > claims['exp']
+      else
+        now > (claims['iat'] + claims['exp'])
+      end
     end
 
     def should_validate_token?(claims)

diff --git a/test/rack/prx_auth_test.rb b/test/rack/prx_auth_test.rb
@@ -5,7 +5,9 @@
   let(:prxauth) { Rack::PrxAuth.new(app) }
   let(:fake_token) { 'afawefawefawefawegstgnsrtiohnlijblublwjnvrtoign'}
   let(:env) { {'HTTP_AUTHORIZATION' => 'Bearer ' + fake_token } }
-  let(:claims) { {'sub'=>3, 'exp'=>3600, 'iat'=>Time.now.to_i, 'token_type'=>'bearer', 'scope'=>nil, 'iss'=>'id.prx.org'} }
+  let(:iat) { Time.now.to_i }
+  let(:exp) { 3600 }
+  let(:claims) { {'sub'=>3, 'exp'=>exp, 'iat'=>iat, 'token_type'=>'bearer', 'scope'=>nil, 'iss'=>'id.prx.org'} }
 
   describe '#call' do
     it 'does nothing if there is no authorization header' do
@@ -59,15 +61,49 @@
     end
   end
 
-  describe '#token_expired?' do
-    it 'returns true if token is expired' do
-      claims['iat'] = Time.now.to_i - 4000
+  describe '#expired?' do
 
-      assert prxauth.send(:expired?, claims) == true
+    def expired?(claims)
+      prxauth.send(:expired?, claims)
     end
 
-    it 'returns false if it is valid' do
-      assert prxauth.send(:expired?, claims) == false
+    describe 'with a malformed exp' do
+      let(:iat) { Time.now.to_i }
+      let(:exp) { 3600 }
+
+      it 'is expired if iat + exp are in the past' do
+        claims['iat'] -= 3631
+
+        assert expired?(claims)
+      end
+
+      it 'is not expired if iat + exp are in the future' do
+        claims['iat'] = Time.now.to_i - 3599
+
+        refute expired?(claims)
+      end
+
+      it 'allows a 30s clock jitter' do
+        claims['iat'] = Time.now.to_i - 3629
+
+        refute expired?(claims)
+      end
+    end
+
+    describe 'with a corrected exp' do
+      let(:iat) { Time.now.to_i - 3600 }
+      let(:exp) { Time.now.to_i + 1 }
+
+      it 'is not expired if exp is in the future' do
+        refute expired?(claims)
+      end
+
+      it 'is expired if exp is in the past (with 30s jitter grace)' do
+        claims['exp'] = Time.now.to_i - 31
+        assert expired?(claims)
+        claims['exp'] = Time.now.to_i - 29
+        refute expired?(claims)
+      end
     end
   end