Relax iat claim as per latest DPoP draft (#173)

Matthieu Bosquet · web-flow · commit c21eef327b96 · 2022-06-28T13:37:56.000+01:00
* Relax iat claim as per latest DPoP draft
* Disable linter rule failing on client_id
diff --git a/src/config/index.ts b/src/config/index.ts
@@ -1,8 +1,18 @@
-// Clock tolerance for all time based token verifications
-export const clockToleranceInSeconds = 5;
+/*
+ * Default configuration.
+ *
+ * - clockToleranceInSeconds: How far in the future a token can be (if client's or server's clocks are off).
+ * - maxAccessTokenAgeInSeconds: How old an Access Token can be.
+ * - maxAgeInMilliseconds: For DPoP proofs & JTI cache (so that DPoP would fail to be replayed); also for Issuer Key Set cache & WebID issuers cache.
+ * - maxRequestsPerSecond: Used to calculate the default cache size based on max age.
+ *
+ * Note: DPoP clock tolerance for time based token verification is advised to be a few seconds or minutes. See DPoP Proof Replay https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop-09#section-11.1).
+ */
+// Set to 120 so clients can be a bit off
+export const clockToleranceInSeconds = 120;
 // Limit Access Token Age to 24 Hours, it should probably have an exp claim much shorter than that
 export const maxAccessTokenAgeInSeconds = 86400;
-// Default max age for everything else
-export const maxAgeInMilliseconds = 60000;
-// Used to calculate the default cache size based on max age
+// Default max age to 120 seconds for everything else
+export const maxAgeInMilliseconds = 120000;
+// An estimate of 100 rps for most small to medium projects
 export const maxRequestsPerSecond = 100;
diff --git a/test/fixture/BearerAccessToken.ts b/test/fixture/BearerAccessToken.ts
@@ -9,6 +9,7 @@ const header: SolidAccessTokenHeader = {
   kid: "x",
 };
 
+/* eslint-disable camelcase */
 const payload: SolidAccessTokenPayload = {
   aud: "solid",
   exp: 1603386448,
diff --git a/test/fixture/DPoPBoundAccessToken.ts b/test/fixture/DPoPBoundAccessToken.ts
@@ -10,6 +10,7 @@ const header: SolidAccessTokenHeader = {
   kid: "x",
 };
 
+/* eslint-disable camelcase */
 const bearerPayload: SolidAccessTokenPayload = {
   aud: "solid",
   exp: 1603386448,
diff --git a/test/fixture/SOLID_ACCESS_TOKEN_X.ts b/test/fixture/SOLID_ACCESS_TOKEN_X.ts
@@ -1,5 +1,6 @@
 import type { SolidAccessToken } from "../../src/type/SolidAccessToken";
 
+/* eslint-disable camelcase */
 export const SOLID_ACCESS_TOKEN_X: SolidAccessToken = {
   header: {
     alg: "ES256",
diff --git a/test/unit/algorithm/verifySolidAccessTokenRequiredClaims.test.ts b/test/unit/algorithm/verifySolidAccessTokenRequiredClaims.test.ts
@@ -1,6 +1,7 @@
 import { verifySolidAccessTokenRequiredClaims } from "../../../src/algorithm/verifySolidAccessTokenRequiredClaims";
 import { RequiredClaimVerificationError } from "../../../src/error/RequiredClaimVerificationError";
 
+/* eslint-disable camelcase */
 describe("verifySolidAccessTokenRequiredClaims", () => {
   it("doesn't throw when the JSON object contains all required claims", () => {
     expect(() => {
