fix: check that DPoP Proof iat is recent enough
panva committed Jan 24, 2024
1 parent 0bdea47 commit a6159e3
Showing 1 changed file with 8 additions and 1 deletion.
9 changes: 8 additions & 1 deletion src/index.ts
Expand Up @@ -4199,6 +4199,7 @@ async function validateDPoP(
)
}

const clockSkew = getClockSkew(options)
const proof = await validateJwt(
request.headers.get('dpop')!,
checkSigningAlgorithm.bind(
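Review bot: the new `const clockSkew = getClockSkew(options)` carries no comment saying why the value is captured ahead of the `validateJwt` call. A one-line comment that it is shared by `validateJwt` and the later `iat` freshness check, so both work from the same skew, would keep a future cleanup from inlining it again.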
Expand All @@ -4216,12 +4217,18 @@ async function validateDPoP(
}
return key
},
getClockSkew(options),
clockSkew,
getClockTolerance(options),
)
.then(checkJwtType.bind(undefined, 'dpop+jwt'))
.then(validatePresence.bind(undefined, ['iat', 'jti', 'ath', 'htm', 'htu']))

const now = epochTime() + clockSkew
const diff = Math.abs(now - proof.claims.iat!)
if (diff > 300) {
throw new OPE('DPoP Proof iat is not recent enough')
}

if (proof.claims.htm !== request.method) {
throw new OPE('DPoP Proof htm mismatch')
}
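Review bot: the freshness limit in `if (diff > 300)` is an unnamed literal, and the window applies `clockSkew` but not the `getClockTolerance(options)` value that is passed to `validateJwt` a few lines above, so a configured tolerance plays no part in this check. Suggest a named constant for the 300 (seconds, since `iat` is a NumericDate) with a comment on why that value was chosen, and either adding the tolerance to the limit or stating in a comment that it is deliberately left out. Because of `Math.abs`, an `iat` up to 300 seconds ahead of `now` passes as well as one 300 seconds behind; if that symmetry is intended, a short comment would make it explicit. The commit changes only src/index.ts, so a test covering the new 'DPoP Proof iat is not recent enough' rejection, on both sides of the boundary, is worth adding.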