pomerium / pomerium / 23688008115

52%

Build Type

push

github

Committed by web-flow

Commit Message

authenticate: fix Handle.WithNewIssuer to preserve TTL for Exp and clear Nbf (#6212)

## Summary

- `Handle.WithNewIssuer()` cloned the handle and reset `Iat` to `Now()`
but left `Exp` and `Nbf` unchanged from the original handle
- When a stored session handle (with stale `Exp` from the original IdP
token) was reused in the stateful authenticate flow, the resulting JWT
had `iat` in the present but `exp` hours in the past
- Fix preserves the original validity duration (`exp - iat`) relative to
the new `iat`, and clears `Nbf` since the original IdP token's
not-before is meaningless after reissue

**Introducing commit:**
[`a233784ef`](https://github.com/pomerium/pomerium/commit/a233784ef)
(PR #6033, v0.32.0)
**Not affected:** v0.31.3 and earlier (old `State` type had no
`exp`/`nbf` fields)
**Scope:** Stateful auth flow only. Internal Pomerium auth was
functionally unaffected (JWS decoder does not validate `exp`; session
validity comes from databroker `Session.ExpiresAt`). External JWT
consumers that validate `exp` would reject the token.

## AI Disclosure

Claude drafted the fix and tests. Bobby reviewed, verified version
boundaries, and confirmed root cause analysis.

## Test plan

- [x] `go test -v -run TestHandle_WithNewIssuer ./pkg/grpc/session/` --
8 sub-tests covering TTL preservation, Nbf clearing, nil Exp, nil Iat,
negative duration, both nil, immutability, and basic Iss/Aud update
- [x] `go test ./pkg/grpc/session/...` -- full package passes
- [ ] CI

Coverage Stats

13 of 13 new or added lines in 1 file covered. (100.0%)

26 existing lines in 9 files now uncovered.

34807 of 76559 relevant lines covered (45.46%)

115.84 hits per line