fix: check that DPoP Proof iat is recent enough

panva · Jan 24, 2024 · a6159e3 · a6159e3
1 parent 0bdea47
commit a6159e3
Showing 1 changed file with 8 additions and 1 deletion.
diff --git a/src/index.ts b/src/index.ts
@@ -4199,6 +4199,7 @@ async function validateDPoP(
     )
   }
 
+  const clockSkew = getClockSkew(options)
   const proof = await validateJwt(
     request.headers.get('dpop')!,
     checkSigningAlgorithm.bind(
@@ -4216,12 +4217,18 @@ async function validateDPoP(
       }
       return key
     },
-    getClockSkew(options),
+    clockSkew,
     getClockTolerance(options),
   )
     .then(checkJwtType.bind(undefined, 'dpop+jwt'))
     .then(validatePresence.bind(undefined, ['iat', 'jti', 'ath', 'htm', 'htu']))
 
+  const now = epochTime() + clockSkew
+  const diff = Math.abs(now - proof.claims.iat!)
+  if (diff > 300) {
+    throw new OPE('DPoP Proof iat is not recent enough')
+  }
+
   if (proof.claims.htm !== request.method) {
     throw new OPE('DPoP Proof htm mismatch')
   }