api: improve timestamp delta error message (#25013)

2023-12-03 21:18:02 +01:00 · 2023-12-03 21:18:02 +01:00 · 3bc9e923ac
parent 1ece8f6fc8
commit 3bc9e923ac
2 changed files with 23 additions and 1 deletions
--- a/tests/api/test_access.py
+++ b/tests/api/test_access.py
@ -117,6 +117,24 @@ def test_get_user_from_api_query_string_error_missing_timestamp(pub):
    assert output.json['err_desc'] == 'missing/multiple timestamp field'


+def test_get_user_from_api_query_string_error_delta_timestamp(pub):
+    timestamp = (datetime.datetime.utcnow() - datetime.timedelta(seconds=60)).isoformat()[:19] + 'Z'
+    query = 'format=json&orig=coucou&algo=sha1&timestamp=' + timestamp
+    signature = urllib.parse.quote(
+        base64.b64encode(hmac.new(b'1234', force_bytes(query), hashlib.sha1).digest())
+    )
+    output = get_app(pub).get('/api/user/?%s&signature=%s' % (query, signature), status=403)
+    assert output.json['err_desc'].startswith('timestamp is more than 30 seconds in the past: 0:01:')
+
+    timestamp = (datetime.datetime.utcnow() + datetime.timedelta(hours=1)).isoformat()[:19] + 'Z'
+    query = 'format=json&orig=coucou&algo=sha1&timestamp=' + timestamp
+    signature = urllib.parse.quote(
+        base64.b64encode(hmac.new(b'1234', force_bytes(query), hashlib.sha1).digest())
+    )
+    output = get_app(pub).get('/api/user/?%s&signature=%s' % (query, signature), status=403)
+    assert output.json['err_desc'].startswith('timestamp is more than 30 seconds in the future: 0:59:')
+
+
 def test_get_user_from_api_query_string_error_missing_email(pub):
    timestamp = datetime.datetime.utcnow().isoformat()[:19] + 'Z'
    query = 'format=json&orig=coucou&algo=sha1&timestamp=' + timestamp
--- a/wcs/api_utils.py
+++ b/wcs/api_utils.py
@ -72,7 +72,11 @@ def is_url_signed(utcnow=None, duration=DEFAULT_DURATION):
        raise AccessForbiddenError('invalid timestamp field; %s' % e)
    delta = (utcnow or datetime.datetime.utcnow()).replace(tzinfo=None) - timestamp
    if abs(delta) > datetime.timedelta(seconds=duration):
-        raise AccessForbiddenError('timestamp delta is more than %s seconds: %s' % (duration, delta))
+        period = 'past'
+        if delta.total_seconds() < 0:
+            delta = abs(delta)
+            period = 'future'
+        raise AccessForbiddenError(f'timestamp is more than {duration} seconds in the {period}: {delta}')
    # check nonce
    nonce = get_request().form.get('nonce')
    if nonce: