Less problematic handling for time drift in the socket

Dane Everitt 2019-12-28 12:27:21 -08:00
parent 3bbb8a3769
commit 853d215b1d
No known key found for this signature in database
GPG Key ID: EEA66103B3D71F53


@ -92,24 +92,17 @@ func ParseJWT(token []byte) (*WebsocketTokenPayload, error) {
alg = jwt.NewHS256([]byte(config.Get().AuthenticationToken))
}
_, err := jwt.Verify(token, alg, &payload)
now := time.Now()
verifyOptions := jwt.ValidatePayload(
&payload.Payload,
jwt.ExpirationTimeValidator(now),
)
_, err := jwt.Verify(token, alg, &payload, verifyOptions)
if err != nil {
return nil, err
}
// Check the time of the JWT becoming valid does not exceed more than 15 seconds
// compared to the system time. This accounts for clock drift to some degree.
if time.Now().Unix()-payload.NotBefore.Unix() <= -15 {
return nil, errors.New("jwt violates nbf")
}
// Compare the expiration time of the token to the current system time. Include
// up to 15 seconds of clock drift, and if it has expired return an error and
// do not process the action.
if time.Now().Unix()-payload.ExpirationTime.Unix() > 15 {
return nil, errors.New("jwt violates exp")
}
if !payload.HasPermission(PermissionConnect) {
return nil, errors.New("not authorized to connect to this socket")
}
@ -123,8 +116,8 @@ func (wsh *WebsocketHandler) TokenValid() error {
return errors.New("no jwt present")
}
if time.Now().Unix()-wsh.JWT.ExpirationTime.Unix() > 15 {
return errors.New("jwt violates nbf")
if err := jwt.ExpirationTimeValidator(time.Now())(&wsh.JWT.Payload); err != nil {
return err
}
if !wsh.JWT.HasPermission(PermissionConnect) {