Token mechanism fixes

2026-01-12 17:06:59 +00:00 · 2017-04-24 20:33:55 +03:00
parent 9658d8cc83
commit d5edbe50c5
8 changed files with 26 additions and 16 deletions
--- a/certidude/api/bootstrap.py
+++ b/certidude/api/bootstrap.py
@@ -10,5 +10,5 @@ class BootstrapResource(object):
    def on_get(self, req, resp):
        resp.body = Template(open(config.BOOTSTRAP_TEMPLATE).read()).render(
            authority = const.FQDN,
-            servers = [cn for cn, path, buf, cert, server in authority.list_signed() if server])
+            servers = authority.list_server_names())

--- a/certidude/api/token.py
+++ b/certidude/api/token.py
@@ -35,11 +35,12 @@ class TokenResource(object):
        csum.update(username)
        csum.update(str(timestamp))

+        margin = 300 # Tolerate 5 minute clock skew as Kerberos does
        if csum.hexdigest() != req.get_param("c", required=True):
            raise falcon.HTTPUnauthorized("Forbidden", "Invalid token supplied, did you copy-paste link correctly?")
-        if now < timestamp:
+        if now < timestamp - margin:
            raise falcon.HTTPUnauthorized("Forbidden", "Token not valid yet, are you sure server clock is correct?")
-        if now > timestamp + config.TOKEN_LIFETIME:
+        if now > timestamp + margin + config.TOKEN_LIFETIME:
            raise falcon.HTTPUnauthorized("Forbidden", "Token expired")

        # At this point consider token to be legitimate