fork of indigo with slightly nicer lexgen

configurable JWT timestamp leeway

+10 -4
+10 -4
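--- a/atproto/auth/jwt.go
+++ b/atproto/auth/jwt.go
@@ -20,8 +20,9 @@
 
 type ServiceAuthValidator struct {
 	// Service DID reference for this validator: a DID with optional #-separated fragment
-	Audience string
-	Dir      identity.Directory
+	Audience        string
+	Dir             identity.Directory
+	TimestampLeeway time.Duration
 }
 
 type serviceAuthClaims struct {
@@ -32,12 +33,17 @@
 
 func (s *ServiceAuthValidator) Validate(ctx context.Context, tokenString string, lexMethod *syntax.NSID) (syntax.DID, error) {
 
+	leeway := s.TimestampLeeway
+	if leeway == 0 {
+		leeway = 5 * time.Second
+	}
+
 	opts := []jwt.ParserOption{
 		jwt.WithValidMethods(supportedAlgs),
 		jwt.WithAudience(s.Audience),
 		jwt.WithExpirationRequired(),
 		jwt.WithIssuedAt(),
-		jwt.WithLeeway(5 * time.Second), // TODO: configurable? better default?
+		jwt.WithLeeway(leeway),
 	}
 
 	token, err := jwt.ParseWithClaims(tokenString, &serviceAuthClaims{}, s.fetchIssuerKeyFunc(ctx), opts...)
@@ -73,7 +79,7 @@
 	}
 	claims, ok := token.Claims.(*serviceAuthClaims)
 	if !ok {
-		// TODO: is this the best error here?
+		// TODO: is the error message returned descriptive enough?
 		return "", jwt.ErrTokenInvalidClaims
 	}
 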
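Review bot: `TimestampLeeway` reaches `jwt.WithLeeway` in `Validate` with no bounds check: only an exact zero is replaced by the 5-second default, so a negative duration passes through unchanged and a very large one keeps expired service-auth tokens acceptable for that much longer, widening the replay window. Treating non-positive values as unset, `if leeway <= 0 { leeway = 5 * time.Second }`, and capping the value at a documented maximum would keep a misconfiguration from weakening the `exp`/`iat` checks. The new field also has no doc comment; something like `// TimestampLeeway is the clock-skew tolerance for exp/iat checks; zero selects the 5s default.` would record that zero cannot mean "no leeway". The body of `Validate` continues outside the visible hunks, so how the rest of the claims are checked cannot be confirmed from here.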