Add check for expired token.

7e918e1a · Neuber, Eugen Ramon · 77f3caf9 · 7e918e1a · 7e918e1a
Commit 7e918e1a authored 2 years ago by Neuber, Eugen Ramon
--- a/src/DataProvider/FileDataDataProvider.php
+++ b/src/DataProvider/FileDataDataProvider.php
@@ -161,6 +161,11 @@ class FileDataDataProvider extends AbstractDataProvider
            dump($data['creationTime'], $creationTime);
            throw ApiError::withDetails(Response::HTTP_FORBIDDEN, 'Creation Time change forbidden', 'blob:creationtime-change-forbidden');
        }
-        // TODO check if request is NOT too old
+        // check if request is expired
+        if ((int) $data['creationTime'] < $tooOld = strtotime('-5 min')) {
+            /* @noinspection ForgottenDebugOutputInspection */
+            dump((int) $data['creationTime'], $tooOld);
+            throw ApiError::withDetails(Response::HTTP_FORBIDDEN, 'Creation Time too old', 'blob:creationtime-too-old');
+        }
    }
 }
--- a/tests/CurlGetTest.php
+++ b/tests/CurlGetTest.php
@@ -572,4 +572,49 @@ class CurlGetTest extends ApiTestCase
            $this->fail($e->getMessage());
        }
    }
+
+    /**
+     * Integration test: get all with expired token creation time
+     */
+    public function testGetExpired(): void
+    {
+        try {
+            $client = static::createClient();
+            $configService = $client->getContainer()->get(ConfigurationService::class);
+
+            $bucket = $configService->getBuckets()[0];
+            $secret = $bucket->getPublicKey();
+            $bucketId = $bucket->getIdentifier();
+            $creationTime = strtotime('-1 hour');
+            $prefix = 'playground';
+            $payload = [
+                'bucketID' => $bucketId,
+                'creationTime' => $creationTime,
+                'prefix' => $prefix,
+            ];
+
+            $token = DenyAccessUnlessCheckSignature::create($secret, $payload);
+
+            $url = "/blob/files/?bucketID=$bucketId&prefix=$prefix&creationTime=$creationTime";
+            $options = [
+                'headers' => [
+                    'Accept' => 'application/ld+json',
+                    'HTTP_ACCEPT' => 'application/ld+json',
+                    'x-dbp-signature' => $token,
+                    'HTTP_X_DBP_SIGNATURE' => $token,
+                ],
+            ];
+
+            /* @noinspection PhpInternalEntityUsedInspection */
+            $client->getKernelBrowser()->followRedirects();
+
+            /** @var Response $response */
+            $response = $client->request('GET', $url, $options);
+
+            $this->assertEquals(403, $response->getStatusCode());
+        } catch (\Throwable $e) {
+            echo $e->getTraceAsString()."\n";
+            $this->fail($e->getMessage());
+        }
+    }
 }