objective categorical abstract machine language personal data server
Actually rotate dpop nonces
+24
-11
+24
-11
pegasus/lib/oauth/dpop.ml
+24
-11
pegasus/lib/oauth/dpop.ml
···
49
49
(Int64.of_float (Unix.gettimeofday () *. 1000.))
50
50
!nonce_state.rotation_interval_ms
51
51
in
52
-
if now_counter <> !nonce_state.counter then (
53
-
!nonce_state.prev <- !nonce_state.curr ;
54
-
!nonce_state.curr <- !nonce_state.next ;
55
-
!nonce_state.next <-
56
-
compute_nonce !nonce_state.secret (Int64.succ now_counter) ;
57
-
!nonce_state.counter <- now_counter ) ;
52
+
let diff = Int64.sub now_counter !nonce_state.counter in
53
+
( match diff with
54
+
| 0L ->
55
+
()
56
+
| 1L ->
57
+
!nonce_state.prev <- !nonce_state.curr ;
58
+
!nonce_state.curr <- !nonce_state.next ;
59
+
!nonce_state.next <-
60
+
compute_nonce !nonce_state.secret (Int64.succ now_counter)
61
+
| 2L ->
62
+
!nonce_state.prev <- !nonce_state.next ;
63
+
!nonce_state.curr <- compute_nonce !nonce_state.secret now_counter ;
64
+
!nonce_state.next <-
65
+
compute_nonce !nonce_state.secret (Int64.succ now_counter)
66
+
| _ ->
67
+
!nonce_state.prev <-
68
+
compute_nonce !nonce_state.secret (Int64.pred now_counter) ;
69
+
!nonce_state.curr <- compute_nonce !nonce_state.secret now_counter ;
70
+
!nonce_state.next <-
71
+
compute_nonce !nonce_state.secret (Int64.succ now_counter) ) ;
72
+
!nonce_state.counter <- now_counter ;
58
73
!nonce_state.next
59
74
60
75
let verify_nonce nonce =
61
-
let valid =
62
-
nonce = !nonce_state.prev || nonce = !nonce_state.curr
63
-
|| nonce = !nonce_state.next
64
-
in
65
-
ignore next_nonce ; valid
76
+
let _ = next_nonce () in
77
+
nonce = !nonce_state.prev || nonce = !nonce_state.curr
78
+
|| nonce = !nonce_state.next
66
79
67
80
let add_jti jti =
68
81
let expires_at = int_of_float (Unix.gettimeofday ()) + Constants.jti_ttl_s in