From da206dcd41c0e3003907bd1c510b10991bccb0fa Mon Sep 17 00:00:00 2001
From: AJ ONeal
Date: Thu, 3 Sep 2020 13:47:57 -0600
Subject: [PATCH] hard-code +/- 15 minute leeway
---
 cmd/telebit/telebit.go | 1 +
 mgmt/authstore/authstore.go | 5 +++--
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/cmd/telebit/telebit.go b/cmd/telebit/telebit.go
index 5afb7d5..b6cd294 100644
--- a/cmd/telebit/telebit.go
+++ b/cmd/telebit/telebit.go
@@ -98,6 +98,7 @@ func main() {
 apiHostname := flag.String("api-hostname", "", "the hostname used to manage clients")
 secret := flag.String("secret", "", "the same secret used by telebit-relay (used for JWT authentication)")
 token := flag.String("token", "", "an auth token for the server (instead of generating --secret); use --token=false to ignore any $TOKEN in env")
+ _ = flag.String("leeway", "", "(reserved for future use) allow for time drift / skew (hard-coded to 15 minutes)")
 bindAddrsStr := flag.String("listen", "", "list of bind addresses on which to listen, such as localhost:80, or :443")
 tlsLocals := flag.String("tls-locals", "", "like --locals, but TLS will be used to connect to the local port")
 locals := flag.String("locals", "", "a list of :")
diff --git a/mgmt/authstore/authstore.go b/mgmt/authstore/authstore.go
index 4cee403..6e767a6 100644
--- a/mgmt/authstore/authstore.go
+++ b/mgmt/authstore/authstore.go
@@ -67,12 +67,13 @@ func HMACToken(secret string, maybeExp ...int) (token string, err error) {
 b := make([]byte, 16)
 _, _ = rand.Read(b)
+ leeway := 15 * time.Minute
 claims := &jwt.StandardClaims{
 Id: base64.RawURLEncoding.EncodeToString(b),
 Subject: "", // TODO
 Issuer: "", // TODO
- IssuedAt: time.Now().Unix(),
- ExpiresAt: exp,
+ IssuedAt: time.Now().Add(-leeway).Unix(),
+ ExpiresAt: exp + int64(leeway.Seconds()),
 }
 jwtToken := &jwt.Token{
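Review bot: The new `--leeway` flag is parsed and then thrown away (`_ = flag.String("leeway", ...)`), so an operator who passes a smaller value to tighten the window still gets the hard-coded 15 minutes with nothing at runtime saying so. Because this setting bounds how long a JWT is accepted, a silently ignored value deserves a warning: keep the pointer (`leeway := flag.String("leeway", ...)`) and, once flags are parsed, report when it is set, e.g. `if *leeway != "" { fmt.Fprintln(os.Stderr, "--leeway is ignored; 15m is hard-coded") }`. The rest of main, including the flag parsing call, is outside the hunk.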
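Review bot: The skew allowance is written into the claims themselves at `IssuedAt: time.Now().Add(-leeway).Unix()` and `ExpiresAt: exp + int64(leeway.Seconds())`, so `iat` no longer records when the token was minted and every token stays acceptable for 15 minutes past the expiry the caller asked for. Clock-skew tolerance is normally applied by the verifier, which keeps the issued claims accurate for audit and for revocation by issue time, and avoids stacking if the validating side also allows leeway; I would keep `IssuedAt: time.Now().Unix()` and `ExpiresAt: exp` here and apply the 15 minutes where the token is checked. If it has to stay on the issuing side, note that the derivation of `exp` from `maybeExp` is outside the hunk: should `exp` ever be 0 to mean "no expiry", this line turns it into a timestamp that is already expired, so guard it with `if exp != 0 { exp += int64(leeway.Seconds()) }` and add a comment saying the claims are deliberately widened. HMACToken's body starts and ends outside the hunk.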