
Handling 'ImmatureSignatureError' for issued_at time #794

Merged
merged 2 commits into from
Oct 15, 2022

Conversation

sriharan16
Contributor

@sriharan16 sriharan16 commented Aug 24, 2022

Handling 'ImmatureSignatureError' for issued_at time when it is a future time epoch.

if iat > (now + leeway):
    raise ImmatureSignatureError("The token is not yet valid (iat)")

When the issued_at time in the payload is greater than the current time + leeway, then we can call it out as ImmatureSignatureError, as we do for (nbf).

We have nbf in the payload, but still, with a proper nbf someone can call the API with an improper iat to fool the system.

Example:

{
  "nbf": 1661419080,   # 25-08-2022 14:48 IST
  "iat": 1661419200,   # 25-08-2022 14:50 IST
  "exp": 1661419500    # 25-08-2022 14:55 IST
}

Here the token is valid from 14:48 (as per nbf) and has an expiry range of 5 min from iat, which makes the token valid. But the iat is less than nbf, which makes the token valid for 7 min instead of 5 min. This should not happen as per the contract, but attackers may do something like this, even making iat and exp with the year 2023, which still makes the token valid.

We can restrict it the same way as we do for nbf.
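The three time-claim checks discussed in this PR, written out as an added example so the effect of the proposed iat check can be measured on the payload quoted above. This is not code from PyJWT or from the PR; the names `validate_time_claims`, `rejection_reason`, `validity_window`, `TimeClaimError` and the `check_iat` switch (which only exists here to compare behaviour with and without the new check) are assumptions of this example. The timestamps in `EXAMPLE_PAYLOAD` are the ones from the PR description; the `now` values are constructed.

```python
"""Added example, not code from PyJWT or from this PR: JWT time-claim
validation with the iat check the PR proposes, next to the nbf and exp
checks, so the effect of the change can be measured on the PR's own payload.

Assumptions (not from the page): the function and class names below, the
`check_iat` switch used to compare behaviour before and after the change, and
the fixed `now` values used in __main__. The three timestamps in
EXAMPLE_PAYLOAD are the ones quoted in the PR description.
"""
from datetime import datetime, timezone

# Payload from the PR description (nbf 14:48, iat 14:50, exp 14:55 IST).
EXAMPLE_PAYLOAD = {"nbf": 1661419080, "iat": 1661419200, "exp": 1661419500}


class TimeClaimError(ValueError):
    """Any failed time-claim check; the message names the claim (assumed name)."""


def _int_claims(payload: dict) -> dict:
    """Pick out nbf/iat/exp as ints; a non-integer claim is an error, not a skip."""
    claims = {}
    for name in ("nbf", "iat", "exp"):
        if name in payload:
            try:
                claims[name] = int(payload[name])
            except (TypeError, ValueError):
                raise TimeClaimError(f"{name} must be an integer") from None
    return claims


def validate_time_claims(payload: dict, now: int, leeway: int = 0,
                         check_iat: bool = True) -> dict:
    """Return the integer time claims if the token may be used at `now`.

    `leeway` (seconds) absorbs clock skew between issuer and verifier and is
    applied symmetrically. `check_iat=False` reproduces behaviour without the
    PR's check, for comparison only.
    """
    claims = _int_claims(payload)
    # nbf: not valid before this instant (minus leeway).
    if "nbf" in claims and claims["nbf"] > now + leeway:
        raise TimeClaimError("The token is not yet valid (nbf)")
    # iat: the check proposed in the PR, same shape as the nbf check. A token
    # that claims to have been issued further in the future than the skew we
    # tolerate is rejected instead of being accepted until exp.
    if check_iat and "iat" in claims and claims["iat"] > now + leeway:
        raise TimeClaimError("The token is not yet valid (iat)")
    # exp: expired once now reaches exp (plus leeway).
    if "exp" in claims and claims["exp"] <= now - leeway:
        raise TimeClaimError("Signature has expired")
    return claims


def rejection_reason(payload: dict, now: int, leeway: int = 0,
                     check_iat: bool = True):
    """The error message for a rejected token, or None when it is accepted."""
    try:
        validate_time_claims(payload, now, leeway, check_iat)
    except TimeClaimError as exc:
        return str(exc)
    return None


def validity_window(payload: dict, leeway: int = 0, check_iat: bool = True) -> tuple:
    """Half-open [start, end) of `now` values validate_time_claims accepts.

    start is None when nothing bounds it from below, end is None when there
    is no exp. The window length is what the PR description calls
    "7 min instead of 5 min".
    """
    claims = _int_claims(payload)
    lower = [claims[n] for n in ("nbf", "iat")
             if n in claims and (check_iat or n != "iat")]
    start = max(lower) - leeway if lower else None
    end = claims["exp"] + leeway if "exp" in claims else None
    return start, end


def unix_now() -> int:
    """Current time as an integer Unix timestamp, the form `now` takes above."""
    return int(datetime.now(tz=timezone.utc).timestamp())


if __name__ == "__main__":
    # 14:48:20 IST: after nbf, before iat. Accepted without the iat check,
    # rejected with it.
    now = 1661419100
    print(rejection_reason(EXAMPLE_PAYLOAD, now, check_iat=False))
    print(rejection_reason(EXAMPLE_PAYLOAD, now))
    for flag in (False, True):
        start, end = validity_window(EXAMPLE_PAYLOAD, check_iat=flag)
        print(f"check_iat={flag}: window {end - start} s")
    # Ten seconds "in the future" is within a 30 s leeway, so it still passes.
    print(rejection_reason(EXAMPLE_PAYLOAD, 1661419190, leeway=30))
```

The `leeway` argument is what keeps the new check usable in practice: a verifier whose clock lags the issuer's by less than `leeway` still accepts freshly issued tokens, while one that lags by more will reject every fresh token with the iat error, so the leeway should be set from the real skew between the machines involved rather than left at zero.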

@sriharan16
Contributor Author

sriharan16 commented Aug 26, 2022

@jpadilla @auvipy
Kindly help here in validating and reviewing this PR.

@auvipy auvipy requested a review from jpadilla September 18, 2022 14:58
Collaborator

@auvipy auvipy left a comment


please rebase

@sriharan16 sriharan16 requested review from auvipy and removed request for jpadilla September 22, 2022 12:09
@sriharan16
Contributor Author

@auvipy I have rebased as mentioned.
Also not sure why requesting your review removed @jpadilla! Kindly verify the changes and also add @jpadilla again as a reviewer

@sriharan16
Contributor Author

Team(@jpadilla, @auvipy ),

Can you please review this!

@auvipy
Collaborator

auvipy commented Oct 14, 2022

CI triggered

@auvipy auvipy merged commit 9cb9401 into jpadilla:master Oct 15, 2022
@auvipy
Collaborator

auvipy commented Oct 21, 2022

There is a bug report #814, can you verify?

@sriharan16
Contributor Author

Replied there.
