From e84f0c710dcf03e8a5eb92f86b6aecaa26c802d1 Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Wed, 2 Nov 2016 15:35:45 +0000
Subject: [PATCH] Reject oauth nonces over a day old

---
 app/models/oauth_nonce.rb | 3 ++-
 test/models/oauth_nonce_test.rb | 14 +++++++++++++-
 2 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/app/models/oauth_nonce.rb b/app/models/oauth_nonce.rb
index 4d615dd5d..e0510dcbf 100644
--- a/app/models/oauth_nonce.rb
+++ b/app/models/oauth_nonce.rb
@@ -6,7 +6,8 @@ class OauthNonce < ActiveRecord::Base
 
 # Remembers a nonce and it's associated timestamp. It returns false if it has already been used
 def self.remember(nonce, timestamp)
-oauth_nonce = OauthNonce.create(:nonce => nonce, :timestamp => timestamp)
+return false if Time.now.to_i - timestamp.to_i > 86400
+oauth_nonce = OauthNonce.create(:nonce => nonce, :timestamp => timestamp.to_i)
 return false if oauth_nonce.new_record?
 oauth_nonce
 end
diff --git a/test/models/oauth_nonce_test.rb b/test/models/oauth_nonce_test.rb
index f170bc69d..341019cca 100644
--- a/test/models/oauth_nonce_test.rb
+++ b/test/models/oauth_nonce_test.rb
@@ -8,7 +8,7 @@ class OauthNonceTest < ActiveSupport::TestCase
 # string and timestamp.
 def test_nonce_uniqueness
 string = "0123456789ABCDEF"
-timestamp = Time.now
+timestamp = Time.now.to_i
 
 nonce1 = OauthNonce.remember(string, timestamp)
 assert_not_equal false, nonce1, "First nonce should be unique. Check your test database is empty."
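Review bot: The age check on the added `return false if Time.now.to_i - timestamp.to_i > 86400` line in `OauthNonce.remember` is one-sided: a timestamp in the future passes regardless of how far ahead it is, so only stale nonces are bounded while skewed or forged future-dated ones are still stored. If the one-day limit exists so that old nonce rows can eventually be purged, a future-dated row would never age out under that rule. Bounding the skew in both directions, `return false if (Time.now.to_i - timestamp.to_i).abs > 86400`, closes that gap, and the bare 86400 would read better as a named class-level constant such as `MAX_NONCE_AGE = 86400`. The method comment on the context line above `def self.remember` still only mentions reuse; it should also state the new rule, e.g. `# Returns false if the nonce has already been used or its timestamp is more than a day from now`.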
@@ -16,4 +16,16 @@ class OauthNonceTest < ActiveSupport::TestCase
 nonce2 = OauthNonce.remember(string, timestamp)
 assert_equal false, nonce2, "Shouldn't be able to remember the same nonce twice."
 end
+
+##
+# nonces that are not current should be rejected
+def test_nonce_not_current
+string = "0123456789ABCDEF"
+
+nonce1 = OauthNonce.remember(string, Time.now.to_i - 86430)
+assert_equal false, nonce1, "Nonces over a day in the past should be rejected"
+
+nonce2 = OauthNonce.remember(string, Time.now.to_i - 86370)
+assert_not_equal false, nonce2, "Nonces under a day in the past should be rejected"
+end
 end
-- 
2.39.5
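Review bot: The message on the final `assert_not_equal false, nonce2, "Nonces under a day in the past should be rejected"` line contradicts the assertion, which checks that such a nonce is accepted, so a failure would report the opposite of what was tested; change it to `"Nonces under a day in the past should be accepted"`. The new test also leaves the future side of the window unexercised: a third call with a timestamp such as `Time.now.to_i + 86430` would pin down whether the model is meant to accept future-dated nonces, which the current one-sided check in the model does.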