fix(oidc-proxy): validate exp independently of MAX_TOKEN_AGE_SECONDS (#8832) (#8904)

Signed-off-by: Bright Zheng <bzqzheng@gmail.com>
This commit is contained in:
Bright Zheng
2026-05-12 14:20:06 -04:00
committed by GitHub
parent 1dc2749430
commit fe8f0cdec1
2 changed files with 6 additions and 3 deletions
+3 -1
View File
@@ -195,7 +195,9 @@ async function verifyOidcToken(token, env) {
if (age > parseInt(env.MAX_TOKEN_AGE_SECONDS, 10)) {
return { valid: false, reason: "Token too old" };
}
} else if (!payload.exp || payload.exp < Date.now() / 1000) {
}
if (!payload.exp || payload.exp < Date.now() / 1000) {
return { valid: false, reason: "Token expired" };
}
+3 -2
View File
@@ -229,7 +229,7 @@ describe("proxies valid requests", () => {
expect((await response.json()).id).toBe("msg_123");
});
it("accepts recently-expired token within MAX_TOKEN_AGE_SECONDS", async () => {
it("rejects expired token even when within MAX_TOKEN_AGE_SECONDS", async () => {
const now = Math.floor(Date.now() / 1000);
const token = await createSignedJwt(
validPayload({ iat: now - 600, exp: now - 300 }),
@@ -245,7 +245,8 @@ describe("proxies valid requests", () => {
const response = await worker.fetch(request, testEnv(), ctx);
await waitOnExecutionContext(ctx);
expect(response.status).toBe(200);
expect(response.status).toBe(401);
expect((await response.json()).error).toBe("Token expired");
});
});