prx_auth 1.3.0 → 1.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ea45502db577f8550ac1aa9d96187123a7a62d67e7d51998eac6d0eded55e587
-  data.tar.gz: 1e0cd0290b00484e5bb3dc6979d79c154287c823bf5f284a2657f35addcb6272
+  metadata.gz: 484555dc0ba3038bdb9f54088103d9804b3698928ddbf0798b908228839922d5
+  data.tar.gz: fdc9960d949845ad438b6c72fb289edae431c4c844236d16d7d3a95ada7e5b38
 SHA512:
-  metadata.gz: cf7061a2989e205e67f8c908f971b26ebb6d281f3234dcfaef1d29b50ed33369a9256ad7472415e67f13f25f63d24f87298562435c70eb0dd4c489b6ca83dac9
-  data.tar.gz: ea96bdda24fd8a2a1dba8bea12b9ac793316d021962f0751b3ac3e3496e90b8096db7f38af664fca535e5951a37771761111144154abf4933e10b5f7c538c532
+  metadata.gz: 1cb94e1c232b0cac735a152bb436f77171f27eb73da09a1ae72e8de2672a29e6931b352794ece9f90b650475f4598f3f7ccf72f4f600385e033f56d562ae962c
+  data.tar.gz: d5f53932546a43ce99700739c9af7ecb59d5fb6dd78ef579975f80539a382af4009cb3f2658e1d9eade4e414905708ea0966ff63a9f90863cafc971c7b19bdd9

data/lib/prx_auth/version.rb

@@ -1,3 +1,3 @@
 module PrxAuth
-  VERSION = "1.3.0"
+  VERSION = "1.4.0"
 end

data/lib/rack/prx_auth.rb

@@ -53,7 +53,12 @@ module Rack
     end
 
     def expired?(claims)
-      Time.now.to_i > (claims['iat'] + claims['exp'])
+      now = Time.now.to_i - 30 # 30 second clock jitter allowance
+      if claims['iat'] <= claims['exp']
+        now > claims['exp']
+      else
+        now > (claims['iat'] + claims['exp'])
+      end
     end
 
     def should_validate_token?(claims)

data/test/rack/prx_auth_test.rb

@@ -5,7 +5,9 @@ describe Rack::PrxAuth do
   let(:prxauth) { Rack::PrxAuth.new(app) }
   let(:fake_token) { 'afawefawefawefawegstgnsrtiohnlijblublwjnvrtoign'}
   let(:env) { {'HTTP_AUTHORIZATION' => 'Bearer ' + fake_token } }
-  let(:claims) { {'sub'=>3, 'exp'=>3600, 'iat'=>Time.now.to_i, 'token_type'=>'bearer', 'scope'=>nil, 'iss'=>'id.prx.org'} }
+  let(:iat) { Time.now.to_i }
+  let(:exp) { 3600 }
+  let(:claims) { {'sub'=>3, 'exp'=>exp, 'iat'=>iat, 'token_type'=>'bearer', 'scope'=>nil, 'iss'=>'id.prx.org'} }
 
   describe '#call' do
     it 'does nothing if there is no authorization header' do
@@ -59,15 +61,49 @@ describe Rack::PrxAuth do
     end
   end
 
-  describe '#token_expired?' do
-    it 'returns true if token is expired' do
-      claims['iat'] = Time.now.to_i - 4000
+  describe '#expired?' do
 
-      assert prxauth.send(:expired?, claims) == true
+    def expired?(claims)
+      prxauth.send(:expired?, claims)
     end
 
-    it 'returns false if it is valid' do
-      assert prxauth.send(:expired?, claims) == false
+    describe 'with a malformed exp' do
+      let(:iat) { Time.now.to_i }
+      let(:exp) { 3600 }
+
+      it 'is expired if iat + exp are in the past' do
+        claims['iat'] -= 3631
+
+        assert expired?(claims)
+      end
+
+      it 'is not expired if iat + exp are in the future' do
+        claims['iat'] = Time.now.to_i - 3599
+
+        refute expired?(claims)
+      end
+
+      it 'allows a 30s clock jitter' do
+        claims['iat'] = Time.now.to_i - 3629
+
+        refute expired?(claims)
+      end
+    end
+
+    describe 'with a corrected exp' do
+      let(:iat) { Time.now.to_i - 3600 }
+      let(:exp) { Time.now.to_i + 1 }
+
+      it 'is not expired if exp is in the future' do
+        refute expired?(claims)
+      end
+
+      it 'is expired if exp is in the past (with 30s jitter grace)' do
+        claims['exp'] = Time.now.to_i - 31
+        assert expired?(claims)
+        claims['exp'] = Time.now.to_i - 29
+        refute expired?(claims)
+      end
     end
   end
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: prx_auth
 version: !ruby/object:Gem::Version
-  version: 1.3.0
+  version: 1.4.0
 platform: ruby
 authors:
 - Eve Asher
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-08-28 00:00:00.000000000 Z
+date: 2020-09-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler