KL-5 JWT clock skew tolerance

mbecker20
2025-11-30 12:54:15 -08:00
parent 3e3639231d
commit afeb4ac526
2 changed files with 27 additions and 3 deletions


@@ -17,6 +17,8 @@ use serde::{Deserialize, Serialize};
use serror::{AddStatusCode as _, AddStatusCodeError as _};
use tokio::sync::Mutex;
use crate::auth::EXCHANGE_TOKEN_CLOCK_SKEW_TOLERANCE_MS;
type ExchangeTokenMap = Mutex<HashMap<String, (JwtResponse, u128)>>;
#[derive(Serialize, Deserialize, Clone)]
@@ -103,7 +105,12 @@ impl JwtClient {
.remove(exchange_token)
.context("Invalid exchange token")
.status_code(StatusCode::UNAUTHORIZED)?;
if unix_timestamp_ms() < valid_until {
// Apply clock skew tolerance.
// Token is valid if expiration is greater than (now - tolerance)
if valid_until
> unix_timestamp_ms()
.saturating_sub(EXCHANGE_TOKEN_CLOCK_SKEW_TOLERANCE_MS)
{
Ok(jwt)
} else {
Err(
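Review bot: The tolerance on the exchange-token check (`valid_until > unix_timestamp_ms().saturating_sub(EXCHANGE_TOKEN_CLOCK_SKEW_TOLERANCE_MS)`) does not appear to absorb any real skew. The tokens live in an in-process `Mutex<HashMap<String, (JwtResponse, u128)>>`, so `valid_until` was presumably stamped by the same clock that later checks it; the code that sets it is not visible here. The practical effect is that a one-time exchange credential stays redeemable for 60 seconds past its intended expiry. Unless another clock is involved, I would keep the original `if unix_timestamp_ms() < valid_until {`, or else add a comment naming the two clocks that can disagree. The enclosing function starts and ends outside this hunk.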


@@ -26,7 +26,14 @@ pub mod oidc;
mod local;
/// Length of random token in Oauth / OIDC 'state'
const STATE_PREFIX_LENGTH: usize = 20;
/// JWT Clock skew tolerance in milliseconds (5 minutes for JWTs)
const JWT_CLOCK_SKEW_TOLERANCE_MS: u128 = 5 * 60 * 1000;
/// Api Key Clock skew tolerance in milliseconds (5 minutes for Api Keys)
const API_KEY_CLOCK_SKEW_TOLERANCE_MS: i64 = 5 * 60 * 1000;
/// Exchange Token Clock skew tolerance in milliseconds (1 minutes for Exchange tokens)
const EXCHANGE_TOKEN_CLOCK_SKEW_TOLERANCE_MS: u128 = 60 * 1000;
#[derive(Debug, Deserialize)]
struct RedirectQuery {
@@ -99,7 +106,11 @@ pub async fn auth_jwt_get_user_id(
let claims: JwtClaims = jwt_client()
.decode(jwt)
.map_err(|_| anyhow!("Invalid user credentials"))?;
if claims.exp > unix_timestamp_ms() {
// Apply clock skew tolerance.
// Token is valid if expiration is greater than (now - tolerance)
if claims.exp
> unix_timestamp_ms().saturating_sub(JWT_CLOCK_SKEW_TOLERANCE_MS)
{
Ok(claims.id)
} else {
Err(anyhow!("Invalid user credentials"))
@@ -123,7 +134,13 @@ pub async fn auth_api_key_get_user_id(
.await
.context("Failed to query db")?
.context("Invalid user credentials")?;
if key.expires != 0 && key.expires < komodo_timestamp() {
// Apply clock skew tolerance.
// Token is invalid if expiration is less than (now - tolerance)
if key.expires != 0
&& key.expires
< komodo_timestamp()
.saturating_sub(API_KEY_CLOCK_SKEW_TOLERANCE_MS)
{
return Err(anyhow!("Invalid user credentials"));
}
if bcrypt::verify(secret, &key.secret)
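Review bot: In `auth_api_key_get_user_id`, a key with a non-zero `expires` is now accepted for five minutes after its stored expiry, and the hunk does not show which second clock the tolerance compensates for, since both `key.expires` and `komodo_timestamp()` are evaluated on the server. The same question applies to the `claims.exp` check in `auth_jwt_get_user_id` if JWTs are issued and verified by the same process. If the grace window is intended, the constants' doc comments should say so, e.g. `/// Credentials remain accepted for this long after their stated expiry (effective lifetime = expiry + tolerance).`. The doc comment for the exchange-token constant should also read "1 minute". A boundary test around `expires + tolerance` would pin the `<` / `>` direction. Both function bodies extend beyond their hunks.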