feat: client assertion payload check - fix timings

italia · Dec 31, 2023 · dc49bd7 · dc49bd7
1 parent 7309f0e
commit dc49bd7
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 9 deletions.
diff --git a/spid_cie_oidc/provider/schemas/client_assertion.py b/spid_cie_oidc/provider/schemas/client_assertion.py
@@ -22,8 +22,11 @@ def iss_and_sub_must_match(cls, sub, values):
 
     @validator("exp")
     def not_expired(cls, exp, values):
-        if not (values['iat'] < iat_now() < exp):
+        _now = iat_now()
+        if not (values['iat'] <= _now < exp):
             raise ValueError(
-                'Client Assertion: exp must be greater than iat and less than the current time'
+                'Client Assertion: exp must be greater than '
+                'iat and less than the current time.'
+                f'{values["iat"]} <= {_now} < {exp}'
             )
         return exp
diff --git a/spid_cie_oidc/provider/views/token_endpoint.py b/spid_cie_oidc/provider/views/token_endpoint.py
@@ -105,9 +105,7 @@ def is_token_renewable(self, session) -> bool:
             ).first()
 
             id_token = unpad_jwt_payload(issuedToken.id_token)
-
             consent_expiration = id_token['iat'] + OIDCFED_PROVIDER_MAX_CONSENT_TIMEFRAME
-
             delta = consent_expiration - iat_now()
             if delta > 0:
                 return True
@@ -138,7 +136,7 @@ def grant_refresh_token(self, request, *args, **kwargs):
             refresh_token=request.POST['refresh_token'],
             revoked=False
         ).first()
-
+        
         if not issued_token:
             return JsonResponse(
                 {
@@ -148,7 +146,6 @@ def grant_refresh_token(self, request, *args, **kwargs):
                 },
                 status=400
             )
-
         session = issued_token.session
         if not self.is_token_renewable(session):  # pragma: no cover
             return JsonResponse(
@@ -171,7 +168,7 @@ def grant_refresh_token(self, request, *args, **kwargs):
             id_token=iss_token_data['id_token'],
             refresh_token=iss_token_data['refresh_token'],
             token_type="Bearer",  # nosec B106
-            expires_in=expires_in,
+            expires_in=expires_in
         )
 
         return JsonResponse(data)
@@ -192,10 +189,8 @@ def post(self, request, *args, **kwargs):
                 },
                 status=400
             )
-
         self.commons = self.get_jwt_common_data()
         self.issuer = self.get_issuer()
-
         # check client_assertion and client ownership
         try:
             self.check_client_assertion(