
Commit 767ea20

authored
Implement leeway for nbf and iat (#147)
1 parent 63bf14e commit 767ea20


2 files changed

+60
-8
lines changed


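--- a/src/Objects/Values/SessionToken.php
+++ b/src/Objects/Values/SessionToken.php
@@ -306,6 +306,26 @@ public function getLeewayExpiration(): Carbon
 return (new Carbon($this->exp))->addSeconds(self::LEEWAY_SECONDS);
 }
 
+/**
+* Get the extended not before time with leeway of the token.
+*
+* @return Carbon
+*/
+public function getLeewayNotBefore(): Carbon
+{
+return (new Carbon($this->nbf))->subSeconds(self::LEEWAY_SECONDS);
+}
+
+/**
+* Get the extended issued at time with leeway of the token.
+*
+* @return Carbon
+*/
+public function getLeewayIssuedAt(): Carbon
+{
+return (new Carbon($this->iat))->subSeconds(self::LEEWAY_SECONDS);
+}
+
 /**
 * Checks the validity of the signature sent with the token.
 *
@@ -353,8 +373,8 @@ protected function verifyExpiration(): void
 $now = Carbon::now();
 Assert::thatAll([
 $now->greaterThan($this->getLeewayExpiration()),
-$now->lessThan($this->nbf),
-$now->lessThan($this->iat),
+$now->lessThan($this->getLeewayNotBefore()),
+$now->lessThan($this->getLeewayIssuedAt()),
 ])->false(self::EXCEPTION_EXPIRED);
 }
 }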
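Review bot: The new docblocks on `getLeewayNotBefore` and `getLeewayIssuedAt` (new lines 310 and 320) say "extended ... with leeway" without stating the direction or the effect, which matters because these values are what `verifyExpiration` compares against `Carbon::now()` on new lines 376–377 (that method starts before this hunk). Subtracting `LEEWAY_SECONDS` from nbf/iat while `getLeewayExpiration` adds it to exp widens the accepted window by two leeway intervals in total, so a token is accepted up to `LEEWAY_SECONDS` before its own start time. I would make that explicit, e.g. `* Not-before time minus LEEWAY_SECONDS: the earliest instant at which the token is accepted, tolerating clock skew between issuer and this server (getLeewayExpiration widens the other end of the window).`, with the matching wording for issued-at. As a lesser point, all three checks still fail with `EXCEPTION_EXPIRED`, so a token rejected for being not yet valid is reported as expired, which can mislead when diagnosing clock skew; giving the nbf/iat assertions their own message would be clearer.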

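--- a/tests/Objects/Values/SessionTokenTest.php
+++ b/tests/Objects/Values/SessionTokenTest.php
@@ -45,12 +45,6 @@ public function testShouldProcessForExpiredTokenStillInLeewayPeriod(): void
 $token = $this->buildToken(['exp' => (new Carbon($now))->subSeconds(SessionToken::LEEWAY_SECONDS - 2)]);
 $st = SessionToken::fromNative($token);
 
-$this->assertInstanceOf(ShopDomainValue::class, $st->getShopDomain());
-$this->assertTrue(Str::contains($this->tokenDefaults['dest'], $st->getShopDomain()->toNative()));
-
-$this->assertInstanceOf(SessionIdValue::class, $st->getSessionId());
-$this->assertSame($this->tokenDefaults['sid'], $st->getSessionId()->toNative());
-
 $this->assertInstanceOf(Carbon::class, $st->getLeewayExpiration());
 $this->assertTrue($now->unix() < $st->getLeewayExpiration()->unix());
 $this->assertTrue($st->getLeewayExpiration()->unix() - $now->unix() < SessionToken::LEEWAY_SECONDS);
@@ -64,6 +58,44 @@ public function testShouldThrowExceptionForExpiredTokenOutOfLeewayPeriod(): void
 SessionToken::fromNative($token);
 }
 
+public function testShouldProcessForNotBeforeTokenStillInLeewayPeriod(): void
+{
+$now = Carbon::now();
+$token = $this->buildToken(['nbf' => (new Carbon($now))->addSeconds(SessionToken::LEEWAY_SECONDS - 2)]);
+$st = SessionToken::fromNative($token);
+
+$this->assertInstanceOf(Carbon::class, $st->getLeewayNotBefore());
+$this->assertTrue($now->unix() > $st->getLeewayNotBefore()->unix());
+$this->assertTrue($st->getLeewayNotBefore()->unix() - $now->unix() < SessionToken::LEEWAY_SECONDS);
+}
+
+public function testShouldThrowExceptionForNotBeforeTokenOutOfLeewayPeriod(): void
+{
+$this->expectException(AssertionFailedException::class);
+
+$token = $this->buildToken(['nbf' => Carbon::now()->addSeconds(SessionToken::LEEWAY_SECONDS + 2)]);
+SessionToken::fromNative($token);
+}
+
+public function testShouldProcessForIssuedAtTokenStillInLeewayPeriod(): void
+{
+$now = Carbon::now();
+$token = $this->buildToken(['iat' => (new Carbon($now))->addSeconds(SessionToken::LEEWAY_SECONDS - 2)]);
+$st = SessionToken::fromNative($token);
+
+$this->assertInstanceOf(Carbon::class, $st->getLeewayIssuedAt());
+$this->assertTrue($now->unix() > $st->getLeewayIssuedAt()->unix());
+$this->assertTrue($st->getLeewayIssuedAt()->unix() - $now->unix() < SessionToken::LEEWAY_SECONDS);
+}
+
+public function testShouldThrowExceptionForIssuedAtTokenOutOfLeewayPeriod(): void
+{
+$this->expectException(AssertionFailedException::class);
+
+$token = $this->buildToken(['iat' => Carbon::now()->addSeconds(SessionToken::LEEWAY_SECONDS + 2)]);
+SessionToken::fromNative($token);
+}
+
 public function testShouldThrowExceptionForMalformedToken(): void
 {
 $this->expectException(AssertionFailedException::class);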
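Review bot: In the two new "StillInLeewayPeriod" tests the last assertion (new lines 69 and 88) is tautological for this fixture: with nbf or iat set to now + LEEWAY_SECONDS − 2, `getLeewayNotBefore()->unix() - $now->unix()` works out to −2, which is below `LEEWAY_SECONDS` for any positive leeway, so that line can never fail on its own. If `buildToken` and `fromNative` round-trip the claim at second precision (not visible on this page), asserting the exact offset pins the subtraction instead, e.g. `$this->assertSame($now->unix() - 2, $st->getLeewayNotBefore()->unix());`, and likewise for issued-at. A boundary case at exactly `LEEWAY_SECONDS` is also absent for both new claims, as it already is for exp.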
