Reject oauth nonces over a day old

2016-11-02 15:35:45 +00:00 · 2016-11-02 15:35:45 +00:00 · e84f0c710d
commit e84f0c710d
parent eb21a32ea4
2 changed files with 15 additions and 2 deletions
--- a/app/models/oauth_nonce.rb
+++ b/app/models/oauth_nonce.rb
@ -6,7 +6,8 @@ class OauthNonce < ActiveRecord::Base

  # Remembers a nonce and it's associated timestamp. It returns false if it has already been used
  def self.remember(nonce, timestamp)
-    oauth_nonce = OauthNonce.create(:nonce => nonce, :timestamp => timestamp)
+    return false if Time.now.to_i - timestamp.to_i > 86400
+    oauth_nonce = OauthNonce.create(:nonce => nonce, :timestamp => timestamp.to_i)
    return false if oauth_nonce.new_record?
    oauth_nonce
  end
--- a/test/models/oauth_nonce_test.rb
+++ b/test/models/oauth_nonce_test.rb
@ -8,7 +8,7 @@ class OauthNonceTest < ActiveSupport::TestCase
  # string and timestamp.
  def test_nonce_uniqueness
    string = "0123456789ABCDEF"
-    timestamp = Time.now
+    timestamp = Time.now.to_i

    nonce1 = OauthNonce.remember(string, timestamp)
    assert_not_equal false, nonce1, "First nonce should be unique. Check your test database is empty."
@ -16,4 +16,16 @@ class OauthNonceTest < ActiveSupport::TestCase
    nonce2 = OauthNonce.remember(string, timestamp)
    assert_equal false, nonce2, "Shouldn't be able to remember the same nonce twice."
  end
+
+  ##
+  # nonces that are not current should be rejected
+  def test_nonce_not_current
+    string = "0123456789ABCDEF"
+
+    nonce1 = OauthNonce.remember(string, Time.now.to_i - 86430)
+    assert_equal false, nonce1, "Nonces over a day in the past should be rejected"
+
+    nonce2 = OauthNonce.remember(string, Time.now.to_i - 86370)
+    assert_not_equal false, nonce2, "Nonces under a day in the past should be rejected"
+  end
 end