Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Handling 'ImmatureSignatureError' for issued_at time #794

Merged
merged 2 commits into from
Oct 15, 2022
Merged

Handling 'ImmatureSignatureError' for issued_at time #794

merged 2 commits into from
Oct 15, 2022

Conversation

sriharan16
Copy link
Contributor

@sriharan16 sriharan16 commented Aug 24, 2022
edited
Loading

Handling 'ImmatureSignatureError' for issued_at time when it is a future time epoch.

if iat > (now + leeway):
   raise ImmatureSignatureError("The token is not yet valid (iat)")

When the issued_at time in the payload is greater than the current time + leeway then we can call it out as ImmatureSignatureError as we do for (nbf)

We have nbf in the payload but still, with proper nbf someone can call the API with improper iat to fool the system.

Example:

{
  "nbf": 1661419080   # 25-08-2022 14:48 IST
  "iat": 1661419200,    # 25-08-2022 14:50 IST
  "exp": 1661419500   # 25-08-2022 14:55 IST
}

Here the token is valid from 14:48(as per nbf) and has an expiry range of 5min from iat which makes the token valid. But the iat is less than nbf which makes the token valid for 7mins instead of 5min. This should not happen as per contract but attackers may do something like this even making iat and exp with the year 2023 which still makes the token valid.

We can restrict the same way as we do for nbf.

@sriharan16
Copy link
Contributor Author

sriharan16 commented Aug 26, 2022
edited
Loading

@jpadilla @auvipy
Kindly help here in validating and reviewing this PR.

auvipy
auvipy requested changes Sep 18, 2022
View reviewed changes
Copy link
Collaborator

@auvipy auvipy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please rebase

@sriharan16 sriharan16 requested review from auvipy and removed request for jpadilla September 22, 2022 12:09
@sriharan16
Copy link
Contributor Author

@auvipy I have rebased as mentioned.
Also not sure why requesting your review removed @jpadilla! Kindly verify the changes and also add @jpadilla again as a reviewer

@sriharan16
Copy link
Contributor Author

Team(@jpadilla, @auvipy ),

Can you please review this !

@auvipy
Copy link
Collaborator

auvipy commented Oct 14, 2022

ci triggerred

@auvipy auvipy merged commit 9cb9401 into jpadilla:master Oct 15, 2022
@AGaliciaMartinez AGaliciaMartinez mentioned this pull request Oct 21, 2022
Closed
@auvipy
Copy link
Collaborator

auvipy commented Oct 21, 2022

there is a bug report #814 , can you verify?

@sriharan16
Copy link
Contributor Author

Replied there.

@diox diox mentioned this pull request Jan 19, 2023
Closed
This was referenced Dec 1, 2023
Merged
Closed
@vergenzt vergenzt mentioned this pull request Jan 19, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@auvipy auvipy auvipy approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@sriharan16 @auvipy