Add 'expire' to filter invalid tokens

This commit is contained in:
Omar Roth 2018-11-19 18:41:11 -06:00
parent b535de690e
commit ad20d6359b
2 changed files with 3 additions and 2 deletions

View file

@ -4,7 +4,8 @@
CREATE TABLE public.nonces CREATE TABLE public.nonces
( (
nonce text nonce text,
expire timestamp with time zone,
) )
WITH ( WITH (
OIDS=FALSE OIDS=FALSE

View file

@ -203,7 +203,7 @@ end
def create_response(user_id, operation, key, db, expire = 6.hours) def create_response(user_id, operation, key, db, expire = 6.hours)
expire = Time.now + expire expire = Time.now + expire
nonce = Random::Secure.hex(16) nonce = Random::Secure.hex(16)
db.exec("INSERT INTO nonces VALUES ($1) ON CONFLICT DO NOTHING", nonce) db.exec("INSERT INTO nonces VALUES ($1, $2) ON CONFLICT DO NOTHING", nonce, expire)
challenge = "#{expire.to_unix}-#{nonce}-#{user_id}-#{operation}" challenge = "#{expire.to_unix}-#{nonce}-#{user_id}-#{operation}"
token = OpenSSL::HMAC.digest(:sha256, key, challenge) token = OpenSSL::HMAC.digest(:sha256, key, challenge)