core/authorize: check for expired tokens (#4547)

core/authorize: check for expired tokens (#4543) * core/authorize: check for expired tokens * Update pkg/grpc/session/session.go * lint * fix zero timestamps * fix --------- Co-authored-by: Caleb Doxsey <cdoxsey@pomerium.com> Co-authored-by: Denis Mishin <dmishin@pomerium.com>
2025-07-08 20:38:12 +02:00 · 2023-09-15 16:10:01 -06:00 · 2023-09-15 16:10:01 -06:00 · 57aead4eda
commit 57aead4eda
parent b904242e25
7 changed files with 127 additions and 1 deletions
--- a/authorize/databroker_test.go
+++ b/authorize/databroker_test.go
@ -7,7 +7,10 @@ import (
 	"time"

 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"google.golang.org/protobuf/types/known/timestamppb"

+	"github.com/pomerium/pomerium/config"
 	"github.com/pomerium/pomerium/pkg/grpc/session"
 	"github.com/pomerium/pomerium/pkg/grpcutil"
 	"github.com/pomerium/pomerium/pkg/storage"
@ -54,3 +57,20 @@ func Test_getDataBrokerRecord(t *testing.T) {
 		})
 	}
 }
+
+func TestAuthorize_getDataBrokerSessionOrServiceAccount(t *testing.T) {
+	t.Parallel()
+
+	ctx, clearTimeout := context.WithTimeout(context.Background(), time.Second*10)
+	t.Cleanup(clearTimeout)
+
+	opt := config.NewDefaultOptions()
+	a, err := New(&config.Config{Options: opt})
+	require.NoError(t, err)
+
+	s1 := &session.Session{Id: "s1", ExpiresAt: timestamppb.New(time.Now().Add(-time.Second))}
+	sq := storage.NewStaticQuerier(s1)
+	qctx := storage.WithQuerier(ctx, sq)
+	_, err = a.getDataBrokerSessionOrServiceAccount(qctx, "s1", 0)
+	assert.ErrorIs(t, err, session.ErrSessionExpired)
+}