getServiceAuth: set iat, jti

DavidBuchanan314 · Dec 28, 2024 · b826d21 · b826d21
1 parent d400b12
commit b826d21
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 1 deletion.
diff --git a/src/millipds/auth_bearer.py b/src/millipds/auth_bearer.py
@@ -81,8 +81,9 @@ async def authentication_handler(request: web.Request, *args, **kwargs):
 					algorithms=[alg],
 					audience=db.config["pds_did"],
 					options={
-						"require": ["exp", "lxm"],  # consider iat?
+						"require": ["exp", "iat", "lxm"],
 						"verify_exp": True,
+						"verify_iat": True,
 						"strict_aud": True,  # may be unnecessary
 					},
 				)

diff --git a/src/millipds/service.py b/src/millipds/service.py
@@ -6,6 +6,7 @@
 import os
 import io
 import json
+import uuid
 import hashlib
 
 import apsw
@@ -298,6 +299,8 @@ async def server_get_service_auth(request: web.Request):
 					"aud": aud,
 					"lxm": lxm,
 					"exp": exp,
+					"iat": now,
+					"jti": str(uuid.uuid4())
 				},
 				signing_key,
 				algorithm=crypto.jwt_signature_alg_for_pem(signing_key),