Verify token expiration time

rojer · rojer · commit d8fbbdf77c50 · 2015-06-04T16:45:13.000+01:00
Looks like tokeninfo endpoint won't do that for us, as I mistakenly
thought.
diff --git a/auth_server/server/google_auth.go b/auth_server/server/google_auth.go
@@ -354,12 +354,15 @@ func (ga *GoogleAuth) getIDTokenInfo(token string) (*GoogleTokenInfo, error) {
 	if ti.Error != "" || ti.ErrorDescription != "" {
 		return nil, fmt.Errorf("bad token %q: %s %s", token, ti.Error, ti.ErrorDescription)
 	}
+	if ti.ExpiresIn <= 0 {
+		return nil, errors.New("expired token")
+	}
 	me := ga.config.ClientId
 	if ti.Audience != me {
 		return nil, fmt.Errorf("token intended for %s, not %s", ti.Audience, me)
 	}
 	if ti.Email == "" || !ti.VerifiedEmail {
-		return nil, fmt.Errorf("no verified email in token")
+		return nil, errors.New("no verified email in token")
 	}
 	err = ga.checkDomain(ti.Email)
 	if err != nil {

Original file line number	Diff line number	Diff line change
`@@ -354,12 +354,15 @@ func (ga GoogleAuth) getIDTokenInfo(token string) (GoogleTokenInfo, error) {`
`354`	`354`	`if ti.Error != "" \|\| ti.ErrorDescription != "" {`
`355`	`355`	`return nil, fmt.Errorf("bad token %q: %s %s", token, ti.Error, ti.ErrorDescription)`
`356`	`356`	`}`
	`357`	`+ if ti.ExpiresIn <= 0 {`
	`358`	`+ return nil, errors.New("expired token")`
	`359`	`+ }`
`357`	`360`	`me := ga.config.ClientId`
`358`	`361`	`if ti.Audience != me {`
`359`	`362`	`return nil, fmt.Errorf("token intended for %s, not %s", ti.Audience, me)`
`360`	`363`	`}`
`361`	`364`	`if ti.Email == "" \|\| !ti.VerifiedEmail {`
`362`		`- return nil, fmt.Errorf("no verified email in token")`
	`365`	`+ return nil, errors.New("no verified email in token")`
`363`	`366`	`}`
`364`	`367`	`err = ga.checkDomain(ti.Email)`
`365`	`368`	`if err != nil {`