api: improve timestamp delta error message (#25013)
This commit is contained in:
parent
1ece8f6fc8
commit
3bc9e923ac
|
@ -117,6 +117,24 @@ def test_get_user_from_api_query_string_error_missing_timestamp(pub):
|
|||
assert output.json['err_desc'] == 'missing/multiple timestamp field'
|
||||
|
||||
|
||||
def test_get_user_from_api_query_string_error_delta_timestamp(pub):
|
||||
timestamp = (datetime.datetime.utcnow() - datetime.timedelta(seconds=60)).isoformat()[:19] + 'Z'
|
||||
query = 'format=json&orig=coucou&algo=sha1×tamp=' + timestamp
|
||||
signature = urllib.parse.quote(
|
||||
base64.b64encode(hmac.new(b'1234', force_bytes(query), hashlib.sha1).digest())
|
||||
)
|
||||
output = get_app(pub).get('/api/user/?%s&signature=%s' % (query, signature), status=403)
|
||||
assert output.json['err_desc'].startswith('timestamp is more than 30 seconds in the past: 0:01:')
|
||||
|
||||
timestamp = (datetime.datetime.utcnow() + datetime.timedelta(hours=1)).isoformat()[:19] + 'Z'
|
||||
query = 'format=json&orig=coucou&algo=sha1×tamp=' + timestamp
|
||||
signature = urllib.parse.quote(
|
||||
base64.b64encode(hmac.new(b'1234', force_bytes(query), hashlib.sha1).digest())
|
||||
)
|
||||
output = get_app(pub).get('/api/user/?%s&signature=%s' % (query, signature), status=403)
|
||||
assert output.json['err_desc'].startswith('timestamp is more than 30 seconds in the future: 0:59:')
|
||||
|
||||
|
||||
def test_get_user_from_api_query_string_error_missing_email(pub):
|
||||
timestamp = datetime.datetime.utcnow().isoformat()[:19] + 'Z'
|
||||
query = 'format=json&orig=coucou&algo=sha1×tamp=' + timestamp
|
||||
|
|
|
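Review bot: Both halves of test_get_user_from_api_query_string_error_delta_timestamp repeat the same four steps verbatim (build the query, HMAC it with the b'1234' key, base64/quote the signature, GET with status=403), and the neighbouring tests in this module build the query the same way; a small helper such as `def signed_get(pub, query, status): ...` returning the response would leave each test with just its timestamp setup and assertion. The prefix assertions `'0:01:'` and `'0:59:'` depend on wall-clock time, which works because the offsets (60 s back, 1 h ahead) sit far outside the 30 s window, but that intent deserves a comment, e.g. `# offsets chosen well beyond the 30 s window so the minute prefix of the delta is stable`. Note also that `datetime.datetime.utcnow()` is deprecated from Python 3.12; the code under test uses it too, so switching only the test can wait, but it is worth tracking.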
@ -72,7 +72,11 @@ def is_url_signed(utcnow=None, duration=DEFAULT_DURATION):
|
|||
raise AccessForbiddenError('invalid timestamp field; %s' % e)
|
||||
delta = (utcnow or datetime.datetime.utcnow()).replace(tzinfo=None) - timestamp
|
||||
if abs(delta) > datetime.timedelta(seconds=duration):
|
||||
raise AccessForbiddenError('timestamp delta is more than %s seconds: %s' % (duration, delta))
|
||||
period = 'past'
|
||||
if delta.total_seconds() < 0:
|
||||
delta = abs(delta)
|
||||
period = 'future'
|
||||
raise AccessForbiddenError(f'timestamp is more than {duration} seconds in the {period}: {delta}')
|
||||
# check nonce
|
||||
nonce = get_request().form.get('nonce')
|
||||
if nonce:
|
||||
|
|
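Review bot: The delta interpolated into the new f-string raise keeps microsecond precision (e.g. `0:01:00.123456`), which is noisy for an error shown to API clients and awkward for log matching; truncating to whole seconds before the raise, `delta = datetime.timedelta(seconds=int(delta.total_seconds()))`, keeps the message readable and, as far as the test in this commit goes, still matches the asserted `0:01:`/`0:59:` prefixes. The err_desc text also changes from "timestamp delta is more than ..." to "timestamp is more than ... in the past/future", so any client or monitoring rule keyed on the old wording needs updating; a changelog entry would help. The sign check could equally be written as `if delta < datetime.timedelta(0):`, but that is a matter of taste. is_url_signed begins and continues outside this hunk.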