diff --git a/token/delegation/delegation.go b/token/delegation/delegation.go index 5548477..110b8e1 100644 --- a/token/delegation/delegation.go +++ b/token/delegation/delegation.go @@ -18,7 +18,6 @@ import ( "github.com/ucan-wg/go-ucan/pkg/command" "github.com/ucan-wg/go-ucan/pkg/meta" "github.com/ucan-wg/go-ucan/pkg/policy" - "github.com/ucan-wg/go-ucan/pkg/policy/limits" "github.com/ucan-wg/go-ucan/token/internal/nonce" "github.com/ucan-wg/go-ucan/token/internal/parse" ) @@ -177,18 +176,6 @@ func (t *Token) validate() error { errs = errors.Join(errs, fmt.Errorf("token nonce too small")) } - if t.notBefore != nil { - if err := validateTimestamp(t.notBefore.Unix(), "nbf"); err != nil { - errs = errors.Join(errs, err) - } - } - - if t.expiration != nil { - if err := validateTimestamp(t.expiration.Unix(), "exp"); err != nil { - errs = errors.Join(errs, err) - } - } - return errs } @@ -228,8 +215,15 @@ func tokenFromModel(m tokenPayloadModel) (*Token, error) { tkn.meta = m.Meta - tkn.notBefore = parse.OptionalTimestamp(m.Nbf) - tkn.expiration = parse.OptionalTimestamp(m.Exp) + tkn.notBefore, err = parse.OptionalTimestamp(m.Nbf) + if err != nil { + return nil, fmt.Errorf("parse notBefore: %w", err) + } + + tkn.expiration, err = parse.OptionalTimestamp(m.Exp) + if err != nil { + return nil, fmt.Errorf("parse expiration: %w", err) + } if err := tkn.validate(); err != nil { return nil, err @@ -237,11 +231,3 @@ func tokenFromModel(m tokenPayloadModel) (*Token, error) { return &tkn, nil } - -func validateTimestamp(ts int64, field string) error { - if ts > limits.MaxInt53 || ts < limits.MinInt53 { - return fmt.Errorf("token %s timestamp %d exceeds safe integer bounds", field, ts) - } - - return nil -} diff --git a/token/internal/parse/parse.go b/token/internal/parse/parse.go index 147b308..27af240 100644 --- a/token/internal/parse/parse.go +++ b/token/internal/parse/parse.go @@ -1,9 +1,11 @@ package parse import ( + "fmt" "time" "github.com/ucan-wg/go-ucan/did" + "github.com/ucan-wg/go-ucan/pkg/policy/limits" ) func OptionalDID(s *string) (did.DID, error) { @@ -13,10 +15,15 @@ func OptionalDID(s *string) (did.DID, error) { return did.Parse(*s) } -func OptionalTimestamp(sec *int64) *time.Time { +func OptionalTimestamp(sec *int64) (*time.Time, error) { if sec == nil { - return nil + return nil, nil } + + if *sec > limits.MaxInt53 || *sec < limits.MinInt53 { + return nil, fmt.Errorf("timestamp value %d exceeds safe integer bounds", *sec) + } + t := time.Unix(*sec, 0) - return &t + return &t, nil } diff --git a/token/invocation/invocation.go b/token/invocation/invocation.go index ee85a94..286c456 100644 --- a/token/invocation/invocation.go +++ b/token/invocation/invocation.go @@ -275,8 +275,15 @@ func tokenFromModel(m tokenPayloadModel) (*Token, error) { tkn.proof = m.Prf tkn.meta = m.Meta - tkn.expiration = parse.OptionalTimestamp(m.Exp) - tkn.invokedAt = parse.OptionalTimestamp(m.Iat) + tkn.expiration, err = parse.OptionalTimestamp(m.Exp) + if err != nil { + return nil, fmt.Errorf("parse expiration: %w", err) + } + + tkn.invokedAt, err = parse.OptionalTimestamp(m.Iat) + if err != nil { + return nil, fmt.Errorf("parse invokedAt: %w", err) + } tkn.cause = m.Cause