Merge ec39d36 into a43b181

PRX · Mar 19, 2021 · 2f701a2 · 2f701a2
2 parents a43b181 + ec39d36
commit 2f701a2
Show file tree

Hide file tree

Showing 4 changed files with 46 additions and 8 deletions.
diff --git a/lib/prx_auth/version.rb b/lib/prx_auth/version.rb
@@ -1,3 +1,3 @@
 module PrxAuth
-  VERSION = "1.6.0"
+  VERSION = "1.7.0"
 end
diff --git a/lib/rack/prx_auth/auth_validator.rb b/lib/rack/prx_auth/auth_validator.rb
@@ -4,9 +4,9 @@ module Rack
   class PrxAuth
     class AuthValidator
 
-      attr_reader :issuer, :claims, :token
+      attr_reader :issuer, :token
 
-      def initialize(token, certificate, issuer)
+      def initialize(token, certificate = nil, issuer = nil)
         @token = token
         @certificate = certificate
         @issuer = issuer
@@ -35,11 +35,18 @@ def decode_token
       end
 
       def expired?
-        now = Time.now.to_i - 30 # 30 second clock jitter allowance
-        if claims['iat'] <= claims['exp']
-          now > claims['exp']
+        (time_to_live + 30) <= 0 # 30 second clock jitter allowance
+      end
+
+      def time_to_live
+        now = Time.now.to_i
+        if claims['exp'].nil?
+          0
+        elsif claims['iat'].nil? || claims['iat'] <= claims['exp']
+          claims['exp'] - now
         else
-          now > (claims['iat'] + claims['exp'])
+          # malformed - exp is a num-seconds offset from issued-at-time
+          (claims['iat'] + claims['exp']) - now
         end
       end
 

diff --git a/lib/rack/prx_auth/certificate.rb b/lib/rack/prx_auth/certificate.rb
@@ -11,6 +11,7 @@ class Certificate
 
       def initialize(cert_uri = nil)
         @cert_location = cert_uri.nil? ? DEFAULT_CERT_LOC : URI(cert_uri)
+        @certificate = nil
       end
 
       def valid?(token)

diff --git a/test/rack/prx_auth/auth_validator_test.rb b/test/rack/prx_auth/auth_validator_test.rb
@@ -9,7 +9,7 @@
   let(:iat) { Time.now.to_i }
   let(:exp) { 3600 }
   let(:claims) { {'sub'=>3, 'exp'=>exp, 'iat'=>iat, 'token_type'=>'bearer', 'scope'=>nil, 'iss'=>'id.prx.org'} }
-  let(:certificate) { cert = Rack::PrxAuth::Certificate.new }
+  let(:certificate) { Rack::PrxAuth::Certificate.new }
 
   describe '#token_issuer_matches' do
     it 'false if the token is from another issuer' do
@@ -89,6 +89,36 @@ def expired?(claims)
     end
   end
 
+  describe '#time_to_live' do
+    def time_to_live(claims)
+      auth_validator.stub(:claims, claims) do
+        auth_validator.time_to_live
+      end
+    end
+
+    it 'returns the ttl without any clock jitter correction' do
+      claims['exp'] = Time.now.to_i + 999
+      assert_equal time_to_live(claims), 999
+    end
+
+    it 'handles missing exp' do
+      claims['exp'] = nil
+      assert_equal time_to_live(claims), 0
+    end
+
+    it 'handles missing iat' do
+      claims['iat'] = nil
+      claims['exp'] = Time.now.to_i + 999
+      assert_equal time_to_live(claims), 999
+    end
+
+    it 'handles malformed exp' do
+      claims['iat'] = Time.now.to_i
+      claims['exp'] = 999
+      assert_equal time_to_live(claims), 999
+    end
+  end
+
   describe '#decode_token' do
     it 'should return an empty result for a nil token' do
         auth_validator.stub(:token, nil) do