forked from TrueCloudLab/frostfs-node
[#2028] node: Check session token's NBF and IAT
ACL service did not check "Not Valid Before" and "Issued At" claims. Signed-off-by: Pavel Karpy <carpawell@nspcc.ru>
This commit is contained in:
parent
2a88b49bca
commit
6acb831248
2 changed files with 3 additions and 2 deletions
|
@ -20,6 +20,7 @@ Changelog for NeoFS Node
|
||||||
- Child object collection on CLI side with a bearer token (#2000)
|
- Child object collection on CLI side with a bearer token (#2000)
|
||||||
- Fix concurrent map writes in `Object.Put` service (#2037)
|
- Fix concurrent map writes in `Object.Put` service (#2037)
|
||||||
- Malformed request errors' reasons in the responses (#2028)
|
- Malformed request errors' reasons in the responses (#2028)
|
||||||
|
- Session token's IAT and NBF checks in ACL service (#2028)
|
||||||
|
|
||||||
### Removed
|
### Removed
|
||||||
### Updated
|
### Updated
|
||||||
|
|
|
@ -573,8 +573,8 @@ func (b Service) findRequestInfo(req MetaWithToken, idCnr cid.ID, op acl.Op) (in
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return info, errors.New("can't fetch current epoch")
|
return info, errors.New("can't fetch current epoch")
|
||||||
}
|
}
|
||||||
if req.token.ExpiredAt(currentEpoch) {
|
if req.token.InvalidAt(currentEpoch) {
|
||||||
return info, fmt.Errorf("%s: token has expired (current epoch: %d)",
|
return info, fmt.Errorf("%s: token is invalid at %d epoch)",
|
||||||
invalidRequestMessage, currentEpoch)
|
invalidRequestMessage, currentEpoch)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue