Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Get attestation from ETS or Session now checks for expiry. #13

Merged
merged 1 commit into from
Jan 29, 2024

Conversation

idyll
Copy link

@idyll idyll commented Jan 29, 2024

A Samly.Assertion cached in ETS or the Session will eventually expire.

Samly.State.Store.get_assertion/3 will return currently expired sessions. This is problematic because the Samly.AuthHandler looks for the cached session and doesn't replace it even if it is expired.

This is further exacerbated by Samly.get_active_assertion/1 returning expired assertions.

To address this I've updated the session and ETS logic to no longer return an expired session.
I contemplated purging ETS based on time, but it's most likely that the session store is being used in production.

@CLAassistant
Copy link

CLAassistant commented Jan 29, 2024

CLA assistant check
All committers have signed the CLA.

@k-cross k-cross merged commit 7637ebe into dropbox:main Jan 29, 2024
1 check passed
Copy link

@k-cross k-cross left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

reviewed, and thank you for the fix!

@idyll idyll deleted the cached-saml-session-expiry branch January 29, 2024 19:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants