From a6a92496e02c1c082e27c9e189ea71193e225bce Mon Sep 17 00:00:00 2001
From: Vojtech Myslivec
Date: Thu, 30 Jan 2020 18:03:45 +0100
Subject: [PATCH 1/2] authentication: Add timestamp parameter to redis request

ts parameter is needed to filter-out invalid (delayed) requests
---
 certapi/authentication.py | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/certapi/authentication.py b/certapi/authentication.py
index b138f21..0a854e9 100644
--- a/certapi/authentication.py
+++ b/certapi/authentication.py
@@ -13,7 +13,9 @@ Note on logging:
 - CertAPISystemError should be logged centrally in one place with levels 'error' for most cases and 'critical' when the application needs to stop
 """
+
 import json
+import time
 from flask import current_app, request
@@ -243,9 +245,15 @@ def store_auth_params(sn, sid, session, queue_name, r, extra_params=()):
 Parameters "nonce", "signature", "flags", "auth_type" and extra_params are required in the session (the param) dictionary.
 """
+ timestamp = int(time.time())
+
 params = ("nonce", "signature", "flags", "auth_type") + extra_params
 request = {i: session[i] for i in params}
- request.update({"sn": sn, "sid": sid})
+ request.update({
+ "sn": sn,
+ "ts": timestamp,
+ "sid": sid
+ })
 pipe = r.pipeline(transaction=True)
 pipe.delete(get_session_key(sn, sid))
--
GitLab
From 44448640efd7093adc3e957981946ae608b0e467 Mon Sep 17 00:00:00 2001
From: Vojtech Myslivec
Date: Thu, 30 Jan 2020 18:08:01 +0100
Subject: [PATCH 2/2] authentication: Fix typo in docstring
---
 certapi/authentication.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/certapi/authentication.py b/certapi/authentication.py
index 0a854e9..1f328b5 100644
--- a/certapi/authentication.py
+++ b/certapi/authentication.py
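Review bot: The `ts` written into the queued record in store_auth_params is only a freshness hint until a consumer compares it against a bounded window, and that check is not part of this commit; `int(time.time())` is wall-clock seconds on the API host, so a consumer running elsewhere needs a tolerance for clock skew, and the maximum accepted age should be a named constant shared by producer and consumer rather than an ad-hoc literal on one side. Because `ts` is generated here instead of being read from `session`, a client cannot backdate it, which is the right choice, but it records when the request was queued rather than when the client signed — presumably sufficient for discarding delayed queue entries, worth confirming against the consumer. The docstring still lists only the session parameters; I would add `The queued request additionally carries "sn", "sid" and "ts" (server-side UNIX time in seconds, set when the request is queued so the consumer can discard stale or delayed entries).` store_auth_params's body continues past the hunk, so the remaining pipeline operations are outside this view.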
@@ -108,7 +108,7 @@ def get_mailpass_key(sn):
 def create_auth_session(req, action, r, extra_params=()):
 """
 This function is called in case of `certs` when no certificate with
- matching private key is found in redis or in case of `mailpass` at
+ matching public key is found in redis or in case of `mailpass` at
 the beginning of each session.
 Parameters "sn", "flags", "auth_type" and extra_params are required in
--
GitLab