
SSASSF-2982: Fix token expiration rule #9 (Merged)

ds-mariole merged 2 commits into master from ds-mariole/SSASSF-2982_token_expiration_rule on May 29, 2026

Conversation

@ds-mariole (Contributor)

Fix for:
https://jira.dentsplysirona.com/browse/SSASSF-2982 "Tokens with future timestamps ignore the token expiration 10 minute rule."


Copilot AI left a comment


Pull request overview

This PR addresses SSASSF-2982 by tightening API token timestamp validation so tokens with timestamps in the future don’t bypass the 10-minute expiration window.

Changes:

  • Update token time tolerance check to disallow negative elapsed time (future-issued tokens relative to validator time).
  • Add a test case asserting that tokens with future timestamps are invalid.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

Reviewed files:

  • test/api_token_test.rb: Adds coverage for rejecting tokens that appear to be issued in the future.
  • lib/secure_api/api_token/validation.rb: Adjusts the time tolerance check used by ApiToken.valid? to handle future timestamps.


… symmetric tolerance

Use elapsed_time.abs so tokens from slightly-ahead servers (within the 10-minute clock-skew window) remain valid, while timestamps beyond the tolerance in either direction are rejected.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
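Added illustration of the check the commit message describes; this is not the project's validation.rb code, and the module, method and token field names below are assumptions. It places the pre-fix one-sided check beside the symmetric `abs` tolerance check and runs both against a constructed token stamped one hour ahead of the validator's clock.

```ruby
require 'time'

# Hypothetical stand-in for the project's tolerance check (names assumed).
module TokenTimeCheck
  # The 10-minute window referred to in the ticket.
  TOLERANCE_SECONDS = 10 * 60

  # Pre-fix behaviour: only checks that the token is not too OLD.
  # A future timestamp gives a negative elapsed_time, which is trivially
  # <= TOLERANCE_SECONDS, so the token is accepted however far ahead it is.
  def self.fresh_before_fix?(issued_at, now: Time.now.utc)
    elapsed_time = now - issued_at
    elapsed_time <= TOLERANCE_SECONDS
  end

  # Post-fix behaviour (symmetric tolerance): the absolute drift between the
  # validator clock and the token timestamp must be inside the window, so a
  # slightly-ahead issuer clock still validates but a far-future stamp fails.
  def self.fresh?(issued_at, now: Time.now.utc)
    elapsed_time = now - issued_at
    elapsed_time.abs <= TOLERANCE_SECONDS
  end

  # Parses the RFC 3339 timestamp carried in a token hash (field name assumed)
  # and applies the symmetric check. Malformed or missing timestamps return
  # false rather than raising, so garbage can never read as "fresh".
  def self.token_fresh?(token, now: Time.now.utc)
    issued_at = Time.iso8601(token.fetch('issued_at'))
    fresh?(issued_at, now: now)
  rescue ArgumentError, KeyError
    false
  end
end

# Constructed sample: fixed validator clock for deterministic results, and a
# token that claims to have been issued one hour in the future.
if __FILE__ == $PROGRAM_NAME
  now = Time.utc(2026, 5, 29, 14, 0, 0)
  far_future = { 'issued_at' => (now + 3600).iso8601 }
  slightly_ahead = { 'issued_at' => (now + 120).iso8601 }
  puts "before fix, 1h-ahead stamp accepted: #{TokenTimeCheck.fresh_before_fix?(now + 3600, now: now)}"
  puts "after fix, 1h-ahead stamp accepted:  #{TokenTimeCheck.token_fresh?(far_future, now: now)}"
  puts "after fix, 2min-ahead stamp accepted: #{TokenTimeCheck.token_fresh?(slightly_ahead, now: now)}"
end
```

The `slightly_ahead` case is the clock-skew scenario the commit message calls out: rejecting all negative elapsed time would break issuers whose clocks run a little fast, which is why the window is symmetric rather than one-sided.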

Copilot AI left a comment


Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

@ds-mariole ds-mariole merged commit 8768f0d into master May 29, 2026
3 checks passed
@ds-mariole ds-mariole deleted the ds-mariole/SSASSF-2982_token_expiration_rule branch May 29, 2026 14:04