From 481b48b9422dacb43266c24e77fb2c08ddf22b51 Mon Sep 17 00:00:00 2001
From: Pavel Karpy
Date: Thu, 10 Nov 2022 20:58:06 +0300
Subject: [PATCH] [#2028] node: Check session token's NBF and IAT

ACL service did not check "Not Valid Before" and "Issued At" claims.

Signed-off-by: Pavel Karpy
---
 CHANGELOG.md | 1 +
 pkg/services/object/acl/v2/service.go | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1efecd9fc..b35aa7686 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -23,6 +23,7 @@ Changelog for NeoFS Node
 - Child object collection on CLI side with a bearer token (#2000)
 - Fix concurrent map writes in `Object.Put` service (#2037)
 - Malformed request errors' reasons in the responses (#2028)
+- Session token's IAT and NBF checks in ACL service (#2028)
 ### Removed
 ### Updated
diff --git a/pkg/services/object/acl/v2/service.go b/pkg/services/object/acl/v2/service.go
index b156e12f0..da8c6c148 100644
--- a/pkg/services/object/acl/v2/service.go
+++ b/pkg/services/object/acl/v2/service.go
@@ -573,8 +573,8 @@ func (b Service) findRequestInfo(req MetaWithToken, idCnr cid.ID, op acl.Op) (in
 if err != nil {
 return info, errors.New("can't fetch current epoch")
 }
- if req.token.ExpiredAt(currentEpoch) {
- return info, fmt.Errorf("%s: token has expired (current epoch: %d)",
+ if req.token.InvalidAt(currentEpoch) {
+ return info, fmt.Errorf("%s: token is invalid at %d epoch)",
 invalidRequestMessage, currentEpoch)
 }
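Review bot: The new format string in the `fmt.Errorf` call of the service.go hunk, `"%s: token is invalid at %d epoch)"`, keeps the closing parenthesis of the old message but not the opening one, so every rejection reason ends in a stray `)`; `"%s: token is invalid at epoch %d"` reads cleanly. Because `InvalidAt` now covers expiry, NBF and IAT in a single check, the message no longer tells the client or an operator which claim failed; if that matters for triaging rejected sessions, a short comment such as `// InvalidAt covers exp, nbf and iat; the reason is not distinguished` would at least document it. The diffstat lists only CHANGELOG.md and service.go, so this commit does not appear to add a test pinning that a session token whose NBF or IAT lies after the current epoch is rejected. Such a test would guard this access-control check against regression. The body of findRequestInfo starts and ends outside the hunk.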