Pomerium is an identity and context-aware access proxy.
bobby 23024422dc
authenticate: fix Handle.WithNewIssuer to preserve TTL for Exp and clear Nbf (#6212)
## Summary

- `Handle.WithNewIssuer()` cloned the handle and reset `Iat` to `Now()`
but left `Exp` and `Nbf` unchanged from the original handle
- When a stored session handle (with stale `Exp` from the original IdP
token) was reused in the stateful authenticate flow, the resulting JWT
had `iat` in the present but `exp` hours in the past
- Fix preserves the original validity duration (`exp - iat`) relative to
the new `iat`, and clears `Nbf` since the original IdP token's
not-before is meaningless after reissue

**Introducing commit:**
[`a233784ef`](a233784ef6)
(PR #6033, v0.32.0)
**Not affected:** v0.31.3 and earlier (old `State` type had no
`exp`/`nbf` fields)
**Scope:** Stateful auth flow only. Internal Pomerium auth was
functionally unaffected (JWS decoder does not validate `exp`; session
validity comes from databroker `Session.ExpiresAt`). External JWT
consumers that validate `exp` would reject the token.

## AI Disclosure

Claude drafted the fix and tests. Bobby reviewed, verified version
boundaries, and confirmed root cause analysis.

## Test plan

- [x] `go test -v -run TestHandle_WithNewIssuer ./pkg/grpc/session/` --
8 sub-tests covering TTL preservation, Nbf clearing, nil Exp, nil Iat,
negative duration, both nil, immutability, and basic Iss/Aud update
- [x] `go test ./pkg/grpc/session/...` -- full package passes
- [ ] CI
2026-03-28 08:11:29 -07:00
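To make the defect in the commit message concrete, here is an added Go model of the reissue step; it is example code written for this page, not Pomerium's own (the real `Handle` in `pkg/grpc/session` is not reproduced). The `Handle` struct with pointer claims, the `WithNewIssuerStale` and `WithNewIssuer` helpers, the `AcceptedByExpValidator` check standing in for an external JWT consumer, the constructed timestamps, and the two edge-case choices (a negative original window yields an already-expired token; a handle without `Iat` keeps its `Exp`) are all assumptions of this example, not statements about what Pomerium does.

```go
package main

import (
	"fmt"
	"time"
)

// Handle is a simplified stand-in for the session handle discussed in the
// commit message. ASSUMPTION: the real type in pkg/grpc/session is not
// reproduced here; pointer fields model optional JWT claims.
type Handle struct {
	Iss string
	Aud string
	Iat *time.Time // issued-at
	Exp *time.Time // expiry
	Nbf *time.Time // not-before
}

// cp copies an optional timestamp so clones never alias the original.
func cp(t *time.Time) *time.Time {
	if t == nil {
		return nil
	}
	c := *t
	return &c
}

// clone returns a deep copy so the stored handle is never mutated.
func (h *Handle) clone() *Handle {
	return &Handle{Iss: h.Iss, Aud: h.Aud, Iat: cp(h.Iat), Exp: cp(h.Exp), Nbf: cp(h.Nbf)}
}

// WithNewIssuerStale reproduces the defect: Iat is reset to now but Exp and
// Nbf are carried over from the stored handle, so a handle reused hours later
// yields iat in the present and exp in the past.
func WithNewIssuerStale(h *Handle, iss, aud string, now time.Time) *Handle {
	c := h.clone()
	c.Iss, c.Aud = iss, aud
	c.Iat = &now
	return c
}

// WithNewIssuer keeps the original validity window (exp - iat) relative to
// the new iat and clears Nbf, which only described the original IdP token.
// ASSUMPTIONS not stated in the commit message: a negative original window
// becomes an already-expired token (exp = now), and a handle with no Iat
// keeps its Exp untouched because there is no reference point to shift from.
func WithNewIssuer(h *Handle, iss, aud string, now time.Time) *Handle {
	c := h.clone()
	c.Iss, c.Aud = iss, aud
	c.Nbf = nil
	if h.Exp != nil && h.Iat != nil {
		ttl := h.Exp.Sub(*h.Iat)
		if ttl < 0 {
			ttl = 0
		}
		e := now.Add(ttl)
		c.Exp = &e
	}
	c.Iat = &now
	return c
}

// AcceptedByExpValidator models an external JWT consumer that enforces exp.
// A missing exp is accepted, since RFC 7519 makes the claim optional.
func AcceptedByExpValidator(h *Handle, now time.Time) bool {
	return h.Exp == nil || now.Before(*h.Exp)
}

// Demo uses a constructed stored handle: the IdP token had a 1h lifetime and
// the handle is reused 8h after it was minted. It returns whether the stale
// and the fixed reissue would pass an exp-validating consumer.
func Demo() (staleOK, fixedOK bool) {
	now := time.Date(2026, 3, 28, 15, 0, 0, 0, time.UTC)
	iat := now.Add(-8 * time.Hour)
	exp := iat.Add(1 * time.Hour)
	nbf := iat
	stored := &Handle{Iss: "https://idp.example", Aud: "idp-client", Iat: &iat, Exp: &exp, Nbf: &nbf}

	stale := WithNewIssuerStale(stored, "https://authenticate.example", "app.example", now)
	fixed := WithNewIssuer(stored, "https://authenticate.example", "app.example", now)
	return AcceptedByExpValidator(stale, now), AcceptedByExpValidator(fixed, now)
}

func main() {
	s, f := Demo()
	fmt.Printf("stale reissue accepted: %v, fixed reissue accepted: %v\n", s, f)
}
```

The stale variant is exactly why internal checks missed the bug: a decoder that ignores `exp` sees a fresh `iat` and carries on, while any downstream consumer that validates `exp` rejects the token outright.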
| Path | Last commit | Date |
|---|---|---|
| .github | chore(deps): bump the docker group in /.github with 3 updates (#6157) | 2026-03-02 15:09:30 -07:00 |
| .vscode | use tlsClientConfig instead of custom dialer (#3830) | 2022-12-27 09:55:36 -07:00 |
| authenticate | authenticate: avoid double signout confirmation (#6093) | 2026-02-04 09:16:24 -08:00 |
| authorize | fix(mcp): include request path in WWW-Authenticate resource_metadata URI (#6200) | 2026-03-18 13:44:28 -04:00 |
| cmd/pomerium | feat: health check CLI (#5823) | 2025-09-15 16:43:07 -04:00 |
| config | mcp: proto/config foundation for upstream OAuth unification (#6194) | 2026-03-18 12:39:15 -04:00 |
| databroker | feat(grpc): ensure "coordination" between keepalives in http/2 protocols in internal pomerium grpc impls (#6078) | 2026-02-04 15:57:32 -05:00 |
| examples | ci: update dependencies (#6190) | 2026-03-18 14:31:54 -06:00 |
| integration | core/config: remove envoy options (#6021) | 2026-01-05 17:18:31 -07:00 |
| internal | mcp: unify upstream OAuth flows, remove static-config parallel path (#6197) | 2026-03-19 16:59:15 -04:00 |
| k8s/zero | Fix kustomization warning (#5735) | 2025-07-21 14:05:26 -04:00 |
| ospkg | enable systemd health checks by default (#5850) | 2025-09-25 11:24:08 -04:00 |
| pkg | authenticate: fix Handle.WithNewIssuer to preserve TTL for Exp and clear Nbf (#6212) | 2026-03-28 08:11:29 -07:00 |
| proxy | mcp: add MCP server indicators and connect/disconnect to routes portal (#6184) | 2026-03-11 17:39:49 -04:00 |
| scripts | ci: upgrade goreleaser to v2 and add release dry-run workflow (#6131) | 2026-02-18 17:17:00 -05:00 |
| ui | chore(deps): bump yaml from 1.10.2 to 1.10.3 in /ui (#6214) | 2026-03-26 06:28:02 -06:00 |
| .clang-format | config: add circuit breaker thresholds (#5650) | 2025-06-16 09:38:39 -06:00 |
| .codecov.yml | development: change codecov precision | 2019-07-18 16:49:37 -07:00 |
| .dockerignore | frontend: react+mui (#3004) | 2022-02-07 08:47:58 -07:00 |
| .fossa.yml | rm cli code (#2824) | 2021-12-15 16:25:21 -05:00 |
| .gitattributes | Add custom git merge driver for components.json (#6068) | 2026-02-10 21:36:49 -05:00 |
| .gitignore | feat(grpc): ensure "coordination" between keepalives in http/2 protocols in internal pomerium grpc impls (#6078) | 2026-02-04 15:57:32 -05:00 |
| .golangci.yml | ci: update dependencies (#6175) | 2026-03-12 08:18:17 -06:00 |
| .pre-commit-config.yaml | chore: add pre-commit hooks and fix UI formatting (#6018) | 2025-12-30 08:35:55 -08:00 |
| .tool-versions | ci: update dependencies (#6204) | 2026-03-23 09:34:16 -06:00 |
| 3RD-PARTY | dependencies: vendor base58, remove shortuuid (#2739) | 2021-11-02 09:23:15 -06:00 |
| DEBUG.MD | deployment: add debug build / container / docs (#1513) | 2020-10-13 16:54:21 -04:00 |
| Dockerfile | ci: update dependencies (#6190) | 2026-03-18 14:31:54 -06:00 |
| Dockerfile.debug | ci: update dependencies (#6190) | 2026-03-18 14:31:54 -06:00 |
| go.mod | ci: update dependencies (#6210) | 2026-03-24 08:51:29 -06:00 |
| go.sum | ci: update dependencies (#6210) | 2026-03-24 08:51:29 -06:00 |
| LICENSE | fix: CI after pre-commit (#5966) | 2025-12-03 13:17:53 -05:00 |
| Makefile | fix: remove cd /tmp from deps-release to fix asdf compatibility (#6176) | 2026-03-06 12:09:34 -05:00 |
| pomerium.go | fix go get, improve redis test (#2450) | 2021-08-06 12:07:20 -06:00 |
| README.md | Update README to clarify Pomerium's functionality (#6134) | 2026-02-19 16:17:31 -08:00 |
| RELEASING.md | deployment: update RELEASING.md (#3503) | 2022-08-16 10:40:03 -07:00 |
| SECURITY.md | Fix SECURITY.md treated as symlink (#5211) | 2024-08-07 17:20:18 -04:00 |


Pomerium is an identity and context-aware reverse proxy. Pomerium builds secure, clientless connections to internal web apps and other services without a corporate VPN.

Pomerium is:

It's not a VPN alternative; it's the trusted, foolproof way to protect your business. Want a hosted control plane and management GUI? Give Pomerium Zero a try today!

Docs

For comprehensive docs and tutorials, see our documentation.

Contributing

See Contributing for information on how you can contribute to Pomerium.