core/authorize: check for expired tokens (#4543)

* core/authorize: check for expired tokens * Update pkg/grpc/session/session.go Co-authored-by: Denis Mishin <dmishin@pomerium.com> * lint * fix zero timestamps * fix --------- Co-authored-by: Denis Mishin <dmishin@pomerium.com>
2025-08-03 00:40:25 +02:00 · 2023-09-15 16:06:13 -06:00 · 2023-09-15 16:06:13 -06:00 · 23ea48815f
commit 23ea48815f
parent e5a7b994b6
7 changed files with 127 additions and 1 deletions
--- a/pkg/grpc/session/session.go
+++ b/pkg/grpc/session/session.go
@ -4,6 +4,7 @@ package session
 import (
 	context "context"
 	"fmt"
+	"time"

 	"google.golang.org/protobuf/proto"
 	"google.golang.org/protobuf/types/known/structpb"
@ -86,3 +87,22 @@ func (x *Session) RemoveDeviceCredentialID(deviceCredentialID string) {
 		return el.GetId() != deviceCredentialID
 	})
 }
+
+// ErrSessionExpired indicates the session has expired
+var ErrSessionExpired = fmt.Errorf("session has expired")
+
+// Validate returns an error if the session is not valid.
+func (x *Session) Validate() error {
+	now := time.Now()
+	for name, expiresAt := range map[string]*timestamppb.Timestamp{
+		"session":      x.GetExpiresAt(),
+		"access_token": x.GetOauthToken().GetExpiresAt(),
+		"id_token":     x.GetIdToken().GetExpiresAt(),
+	} {
+		if expiresAt.AsTime().Year() > 1970 && now.After(expiresAt.AsTime()) {
+			return fmt.Errorf("%w: %s expired at %s", ErrSessionExpired, name, expiresAt.AsTime())
+		}
+	}
+
+	return nil
+}