core/authorize: check for expired tokens (#4543)

* core/authorize: check for expired tokens * Update pkg/grpc/session/session.go Co-authored-by: Denis Mishin <dmishin@pomerium.com> * lint * fix zero timestamps * fix --------- Co-authored-by: Denis Mishin <dmishin@pomerium.com>
2025-06-02 10:52:49 +02:00 · 2023-09-15 16:06:13 -06:00 · 2023-09-15 16:06:13 -06:00 · 23ea48815f
commit 23ea48815f
parent e5a7b994b6
7 changed files with 127 additions and 1 deletions
--- a/pkg/grpc/user/user.go
+++ b/pkg/grpc/user/user.go
@ -3,8 +3,11 @@ package user

 import (
 	context "context"
+	"fmt"
+	"time"

 	"google.golang.org/protobuf/types/known/structpb"
+	timestamppb "google.golang.org/protobuf/types/known/timestamppb"

 	"github.com/pomerium/pomerium/internal/identity"
 	"github.com/pomerium/pomerium/pkg/grpc/databroker"
@ -28,6 +31,23 @@ func PutServiceAccount(ctx context.Context, client databroker.DataBrokerServiceC
 	return databroker.Put(ctx, client, serviceAccount)
 }

+// ErrServiceAccountExpired indicates the service account has expired.
+var ErrServiceAccountExpired = fmt.Errorf("service account has expired")
+
+// Validate returns an error if the service account is not valid.
+func (x *ServiceAccount) Validate() error {
+	now := time.Now()
+	for _, expiresAt := range []*timestamppb.Timestamp{
+		x.GetExpiresAt(),
+	} {
+		if expiresAt.AsTime().Year() > 1970 && now.After(expiresAt.AsTime()) {
+			return ErrServiceAccountExpired
+		}
+	}
+
+	return nil
+}
+
 // AddClaims adds the flattened claims to the user.
 func (x *User) AddClaims(claims identity.FlattenedClaims) {
 	if x.Claims == nil {