From 481b48b9422dacb43266c24e77fb2c08ddf22b51 Mon Sep 17 00:00:00 2001
From: Pavel Karpy <carpawell@nspcc.ru>
Date: Thu, 10 Nov 2022 20:58:06 +0300
Subject: [PATCH] [#2028] node: Check session token's NBF and IAT

ACL service did not check "Not Valid Before" and "Issued At" claims.

Signed-off-by: Pavel Karpy <carpawell@nspcc.ru>
---
 CHANGELOG.md                          | 1 +
 pkg/services/object/acl/v2/service.go | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1efecd9fc8..b35aa76869 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -23,6 +23,7 @@ Changelog for NeoFS Node
 - Child object collection on CLI side with a bearer token (#2000)
 - Fix concurrent map writes in `Object.Put` service (#2037)
 - Malformed request errors' reasons in the responses (#2028)
+- Session token's IAT and NBF checks in ACL service (#2028)
 
 ### Removed
 ### Updated
diff --git a/pkg/services/object/acl/v2/service.go b/pkg/services/object/acl/v2/service.go
index b156e12f0b..da8c6c1484 100644
--- a/pkg/services/object/acl/v2/service.go
+++ b/pkg/services/object/acl/v2/service.go
@@ -573,8 +573,8 @@ func (b Service) findRequestInfo(req MetaWithToken, idCnr cid.ID, op acl.Op) (in
 		if err != nil {
 			return info, errors.New("can't fetch current epoch")
 		}
-		if req.token.ExpiredAt(currentEpoch) {
-			return info, fmt.Errorf("%s: token has expired (current epoch: %d)",
+		if req.token.InvalidAt(currentEpoch) {
+			return info, fmt.Errorf("%s: token is invalid at %d epoch)",
 				invalidRequestMessage, currentEpoch)
 		}
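Review bot: The new format string on the `fmt.Errorf` line ends with a stray `)`, presumably left over from the old `(current epoch: %d)` wording, so every rejection message carries an unbalanced parenthesis; it should read `"%s: token is invalid at %d epoch",`. The message also no longer tells the caller or operator which bound failed (expired, not yet valid, or issued after the current epoch), which makes triage of rejected session tokens harder. The diffstat lists only CHANGELOG.md and service.go, so this patch adds no regression test for a token whose NBF or IAT lies ahead of the current epoch; one would keep this check from silently regressing to expiry-only. The body of findRequestInfo starts and ends outside the hunk.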