about summary refs log tree commit diff
path: root/website/sandbox/learnpianochords/src/server/GoogleSignIn.hs
diff options
context:
space:
mode:
authorWilliam Carroll <wpcarro@gmail.com>2020-08-08T13·47+0100
committerWilliam Carroll <wpcarro@gmail.com>2020-08-08T13·47+0100
commit8a7a3b29a9413d634b8f8a71119cc54a6132df41 (patch)
treefc32f99e9f1a9a7b9ef52f364718c56d33ccedcf /website/sandbox/learnpianochords/src/server/GoogleSignIn.hs
parentf1883b279037375c66cf683b7392652624381c59 (diff)
Add tests for "exp" field of the JWT
Assert that the exp field of the JWT is "fresh".
Diffstat (limited to 'website/sandbox/learnpianochords/src/server/GoogleSignIn.hs')
-rw-r--r--website/sandbox/learnpianochords/src/server/GoogleSignIn.hs24
1 files changed, 18 insertions, 6 deletions
diff --git a/website/sandbox/learnpianochords/src/server/GoogleSignIn.hs b/website/sandbox/learnpianochords/src/server/GoogleSignIn.hs
index f138f2b615c8..e83ec2cfdb45 100644
--- a/website/sandbox/learnpianochords/src/server/GoogleSignIn.hs
+++ b/website/sandbox/learnpianochords/src/server/GoogleSignIn.hs
@@ -9,6 +9,8 @@ import Utils
 
 import qualified Network.HTTP.Simple as HTTP
 import qualified Data.Text as Text
+import qualified Web.JWT as JWT
+import qualified Data.Time.Clock.POSIX as POSIX
 --------------------------------------------------------------------------------
 
 newtype EncodedJWT = EncodedJWT Text
@@ -21,7 +23,9 @@ data ValidationResult
   | NoMatchingClientIDs [StringOrURI]
   | WrongIssuer StringOrURI
   | StringOrURIParseFailure Text
-  | MissingIssuer
+  | TimeConversionFailure
+  | MissingRequiredClaim Text
+  | StaleExpiry NumericDate
   deriving (Eq, Show)
 
 -- | Returns True when the supplied `jwt` meets the following criteria:
@@ -73,10 +77,18 @@ jwtIsValid skipHTTP (EncodedJWT encodedJWT) = do
           if not $ clientID `elem` audValues then
             pure $ NoMatchingClientIDs audValues
           else
-            case jwt |> claims |> iss of
-              Nothing -> pure MissingIssuer
-              Just jwtIssuer ->
+            case (jwt |> claims |> iss, jwt |> claims |> JWT.exp) of
+              (Nothing, _) -> pure $ MissingRequiredClaim "iss"
+              (_, Nothing) -> pure $ MissingRequiredClaim "exp"
+              (Just jwtIssuer, Just jwtExpiry) ->
                 if not $ jwtIssuer `elem` parsedIssuers then
                   pure $ WrongIssuer jwtIssuer
-                else
-                  pure Valid
+                else do
+                  mCurrentTime <- POSIX.getPOSIXTime |> fmap numericDate
+                  case mCurrentTime of
+                    Nothing -> pure TimeConversionFailure
+                    Just currentTime ->
+                      if not $ currentTime <= jwtExpiry then
+                        pure $ StaleExpiry jwtExpiry
+                      else
+                        pure Valid
generated by cgit-pink 1.4.1 (git 2.44.2) at 2025-01-15T13·16+0000