diff --git a/pkg/services/object/acl/acl.go b/pkg/services/object/acl/acl.go index 5ed6f8c2..5f0e1ee4 100644 --- a/pkg/services/object/acl/acl.go +++ b/pkg/services/object/acl/acl.go @@ -618,7 +618,12 @@ func isValidBearer(reqInfo requestInfo, st netmap.State) bool { return true } - // 1. First check if bearer token is signed correctly. + // 1. First check token lifetime. Simplest verification. + if !isValidLifetime(token.GetBody().GetLifetime(), st.CurrentEpoch()) { + return false + } + + // 2. Then check if bearer token is signed correctly. signWrapper := v2signature.StableMarshalerWrapper{SM: token.GetBody()} if err := signature.VerifyDataWithSource(signWrapper, func() (key, sig []byte) { tokenSignature := token.GetSignature() @@ -627,7 +632,7 @@ func isValidBearer(reqInfo requestInfo, st netmap.State) bool { return false // invalid signature } - // 2. Then check if container owner signed this token. + // 3. Then check if container owner signed this token. tokenIssuerKey := crypto.UnmarshalPublicKey(token.GetSignature().GetKey()) tokenIssuerWallet, err := owner.NEO3WalletFromPublicKey(tokenIssuerKey) if err != nil { @@ -642,7 +647,7 @@ func isValidBearer(reqInfo requestInfo, st netmap.State) bool { return false } - // 3. Then check if request sender has rights to use this token. + // 4. Then check if request sender has rights to use this token. tokenOwnerField := token.GetBody().GetOwnerID() if tokenOwnerField != nil { // see bearer token owner field description requestSenderKey := crypto.UnmarshalPublicKey(reqInfo.senderKey) @@ -656,11 +661,6 @@ func isValidBearer(reqInfo requestInfo, st netmap.State) bool { } } - // 4. Then check token lifetime. - if !isValidLifetime(token.GetBody().GetLifetime(), st.CurrentEpoch()) { - return false - } - return true }