Reject oauth nonces over a day old

diff --git a/app/models/oauth_nonce.rb b/app/models/oauth_nonce.rb
index 4d615dd5defcba96a238bf6cfbab81d55ff6b875..e0510dcbf85bb59a237b33fca0c8aa6a9008ece2 100644 (file)
--- a/app/models/oauth_nonce.rb
+++ b/app/models/oauth_nonce.rb
@@ -6,7 +6,8 @@ class OauthNonce < ActiveRecord::Base
 
   # Remembers a nonce and it's associated timestamp. It returns false if it has already been used
   def self.remember(nonce, timestamp)
-    oauth_nonce = OauthNonce.create(:nonce => nonce, :timestamp => timestamp)
+    return false if Time.now.to_i - timestamp.to_i > 86400
+    oauth_nonce = OauthNonce.create(:nonce => nonce, :timestamp => timestamp.to_i)
     return false if oauth_nonce.new_record?
     oauth_nonce
   end

diff --git a/test/models/oauth_nonce_test.rb b/test/models/oauth_nonce_test.rb
index f170bc69d83290c0559210ff691f8dfb1c2330fb..341019cca0d31f038ca2d4ce7f8a05076eb55b03 100644 (file)
--- a/test/models/oauth_nonce_test.rb
+++ b/test/models/oauth_nonce_test.rb
@@ -8,7 +8,7 @@ class OauthNonceTest < ActiveSupport::TestCase
   # string and timestamp.
   def test_nonce_uniqueness
     string = "0123456789ABCDEF"
-    timestamp = Time.now
+    timestamp = Time.now.to_i
 
     nonce1 = OauthNonce.remember(string, timestamp)
     assert_not_equal false, nonce1, "First nonce should be unique. Check your test database is empty."
@@ -16,4 +16,16 @@ class OauthNonceTest < ActiveSupport::TestCase
     nonce2 = OauthNonce.remember(string, timestamp)
     assert_equal false, nonce2, "Shouldn't be able to remember the same nonce twice."
   end
+
+  ##
+  # nonces that are not current should be rejected
+  def test_nonce_not_current
+    string = "0123456789ABCDEF"
+
+    nonce1 = OauthNonce.remember(string, Time.now.to_i - 86430)
+    assert_equal false, nonce1, "Nonces over a day in the past should be rejected"
+
+    nonce2 = OauthNonce.remember(string, Time.now.to_i - 86370)
+    assert_not_equal false, nonce2, "Nonces under a day in the past should be rejected"
+  end
 end