Fix #930: Restrict token validation for timestamps in future (#931)

* Fix #930: Restrict token validation for timestamps in future * Fix typo * Add property to test application.properties
wultra · Jul 14, 2023 · 97d2691 · 97d2691
1 parent 37df1eb
commit 97d2691
Show file tree

Hide file tree

Showing 5 changed files with 39 additions and 2 deletions.
diff --git a/...io/getlime/security/powerauth/app/server/configuration/PowerAuthServiceConfiguration.java b/...io/getlime/security/powerauth/app/server/configuration/PowerAuthServiceConfiguration.java
@@ -198,6 +198,13 @@ public class PowerAuthServiceConfiguration {
     @Min(1)
     private long tokenTimestampValidityInMilliseconds;
 
+    /**
+     * Token timestamp validity to future in milliseconds, checked before validating the token.
+     */
+    @Value("${powerauth.service.token.timestamp.forward.validity}")
+    @Min(0)
+    private long tokenTimestampForwardValidityInMilliseconds;
+
     /**
      * Master DB encryption key.
      */
@@ -589,6 +596,22 @@ public void setTokenTimestampValidityInMilliseconds(long tokenTimestampValidityI
         this.tokenTimestampValidityInMilliseconds = tokenTimestampValidityInMilliseconds;
     }
 
+    /**
+     * Get the token timestamp validity into future in milliseconds.
+     * @return Token timestamp validity into future in milliseconds
+     */
+    public long getTokenTimestampForwardValidityInMilliseconds() {
+        return tokenTimestampForwardValidityInMilliseconds;
+    }
+
+    /**
+     * Set the token timestamp validity into future in milliseconds.
+     * @param tokenTimestampForwardValidityInMilliseconds Token timestamp validity into future in milliseconds
+     */
+    public void setTokenTimestampForwardValidityInMilliseconds(long tokenTimestampForwardValidityInMilliseconds) {
+        this.tokenTimestampForwardValidityInMilliseconds = tokenTimestampForwardValidityInMilliseconds;
+    }
+
     /**
      * Get master DB encryption key.
      * @return Master DB encryption key.

diff --git a/...rver/src/main/java/io/getlime/security/powerauth/app/server/service/PowerAuthService.java b/...rver/src/main/java/io/getlime/security/powerauth/app/server/service/PowerAuthService.java
@@ -1088,11 +1088,17 @@ public ValidateTokenResponse validateToken(ValidateTokenRequest request) throws
             throw localizationProvider.buildExceptionForCode(ServiceError.INVALID_REQUEST);
         }
         // Verify the token timestamp validity
-        if (request.getTimestamp() < System.currentTimeMillis() - powerAuthServiceConfiguration.getTokenTimestampValidityInMilliseconds()) {
+        final long currentTimeMillis = System.currentTimeMillis();
+        if (request.getTimestamp() < currentTimeMillis - powerAuthServiceConfiguration.getTokenTimestampValidityInMilliseconds()) {
             logger.warn("Invalid request - token timestamp is too old for token ID: {}", request.getTokenId());
             // Rollback is not required, database is not used for writing
             throw localizationProvider.buildExceptionForCode(ServiceError.TOKEN_TIMESTAMP_TOO_OLD);
         }
+        if (request.getTimestamp() > currentTimeMillis + powerAuthServiceConfiguration.getTokenTimestampForwardValidityInMilliseconds()) {
+            logger.warn("Invalid request - token timestamp is set too much in the future for token ID: {}", request.getTokenId());
+            // Rollback is not required, database is not used for writing
+            throw localizationProvider.buildExceptionForCode(ServiceError.TOKEN_TIMESTAMP_TOO_IN_FUTURE);
+        }
         try {
             logger.info("ValidateTokenRequest received, token ID: {}", request.getTokenId());
             final ValidateTokenResponse response = behavior.getTokenBehavior().validateToken(request);

diff --git a/...er/src/main/java/io/getlime/security/powerauth/app/server/service/model/ServiceError.java b/...er/src/main/java/io/getlime/security/powerauth/app/server/service/model/ServiceError.java
@@ -252,9 +252,14 @@ public class ServiceError {
      */
     public static final String DUPLICATE_APPLICATION = "ERR0043";
 
+    /**
+     * Token timestamp is too much in the future.
+     */
+    public static final String TOKEN_TIMESTAMP_TOO_IN_FUTURE = "ERR0044";
+
 
     public static List<String> allCodes() {
-        List<String> list = new ArrayList<>(43);
+        List<String> list = new ArrayList<>(44);
         list.add(UNKNOWN_ERROR);
         list.add(NO_USER_ID);
         list.add(NO_APPLICATION_ID);
@@ -299,6 +304,7 @@ public static List<String> allCodes() {
         list.add(OPERATION_ERROR);
         list.add(OPERATION_TEMPLATE_ERROR);
         list.add(DUPLICATE_APPLICATION);
+        list.add(TOKEN_TIMESTAMP_TOO_IN_FUTURE);
         return list;
     }
 

diff --git a/powerauth-java-server/src/main/resources/application.properties b/powerauth-java-server/src/main/resources/application.properties
@@ -68,6 +68,7 @@ powerauth.service.http.connection.timeout=5000
 
 # Token Timestamp Validity in Milliseconds
 powerauth.service.token.timestamp.validity=7200000
+powerauth.service.token.timestamp.forward.validity=1800000
 
 # Recovery Code Configuration
 powerauth.service.recovery.maxFailedAttempts=5

diff --git a/powerauth-java-server/src/test/resources/application.properties b/powerauth-java-server/src/test/resources/application.properties
@@ -55,6 +55,7 @@ powerauth.service.http.connection.timeout=5000
 
 # Token Timestamp Validity in Milliseconds
 powerauth.service.token.timestamp.validity=7200000
+powerauth.service.token.timestamp.forward.validity=1800000
 
 # Recovery Code Configuration
 powerauth.service.recovery.maxFailedAttempts=5