实现示例
/** Token claims consumed by evaluate(); `iat`/`exp` are seconds since the epoch (evaluate scales them by 1000 before comparing with Date.now()). */
type Claims = { iss: string; sub: string; iat: number; exp: number; email?: string; repo?: string }
/**
 * Reports whether `now` lies inside the window [created, expires], widened on
 * both ends by `leewaySec` to tolerate clock skew.
 *
 * @param created   window start, milliseconds
 * @param expires   window end, milliseconds
 * @param now       instant to test, milliseconds
 * @param leewaySec skew tolerance in seconds (applied to both ends)
 * @returns false for an empty or inverted window, otherwise the skew-adjusted containment test
 */
function within(created: number, expires: number, now: number, leewaySec: number): boolean {
  if (expires <= created) {
    return false
  }
  const slackMs = leewaySec * 1000
  const notTooEarly = now + slackMs >= created
  const notTooLate = now - slackMs <= expires
  return notTooEarly && notTooLate
}
/**
 * Accepts `iss` only when it parses as an https URL whose origin is in the allowlist.
 * Values that do not parse as a URL are rejected instead of throwing.
 *
 * @param iss   the `iss` claim as presented
 * @param allow allowed issuer origins (scheme + host [+ port], no path)
 * @returns true when the origin is allowlisted over https
 */
function validIssuer(iss: string, allow: Set<string>): boolean {
  let parsed: URL
  try {
    parsed = new URL(iss)
  } catch {
    return false
  }
  if (parsed.protocol !== 'https:') {
    return false
  }
  return allow.has(parsed.origin)
}
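/**
 * Matches the token subject against the policy pattern.
 *
 * A pattern compiled with the `g` or `y` flag keeps `lastIndex` between calls,
 * so `test()` on the same input would alternate between true and false; such
 * patterns are re-created without those flags so the check is stateless.
 * The policy pattern itself should be anchored (`^…$`): an unanchored pattern
 * admits any subject that merely contains the expected text somewhere.
 *
 * @param sub       the `sub` claim as presented
 * @param allowSubs policy pattern describing permitted subjects
 * @returns true when the pattern matches `sub`
 */
function validSubject(sub: string, allowSubs: RegExp): boolean {
  const stateful = allowSubs.global || allowSubs.sticky
  const pattern = stateful
    ? new RegExp(allowSubs.source, allowSubs.flags.replace(/[gy]/g, ''))
    : allowSubs
  return pattern.test(sub)
}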
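/**
 * Checks a set of claims against a policy and collects every failed check.
 *
 * All checks run (no short-circuit) so a caller can log the full set of reasons:
 *  - 'iss'  issuer is not an https origin listed in `policy.allowIss`
 *  - 'sub'  subject does not match `policy.allowSub`
 *  - 'time' now is outside [iat, exp] widened by `leewaySec`, or exp <= iat
 *           (non-numeric iat/exp also fail here, since the comparisons are false)
 *  - 'ttl'  exp - iat exceeds `policy.maxTtlSec`
 *
 * @param c         claims; `iat`/`exp` are seconds since the epoch
 * @param policy    issuer/subject allowlists and the maximum lifetime in seconds
 * @param leewaySec clock-skew tolerance for the time window; defaults to 60, the
 *                  value previously fixed inside the function
 * @returns `ok` is true exactly when `errors` is empty
 */
function evaluate(
  c: Claims,
  policy: { allowIss: Set<string>; allowSub: RegExp; maxTtlSec: number },
  leewaySec = 60,
): { ok: boolean; errors: string[] } {
  const errors: string[] = []
  const now = Date.now()
  if (!validIssuer(c.iss, policy.allowIss)) errors.push('iss')
  if (!validSubject(c.sub, policy.allowSub)) errors.push('sub')
  // Claims carry seconds; Date.now() is milliseconds.
  const iatMs = c.iat * 1000
  const expMs = c.exp * 1000
  if (!within(iatMs, expMs, now, leewaySec)) errors.push('time')
  // Lifetime is judged on the raw claims, independent of the skew tolerance.
  if (expMs - iatMs > policy.maxTtlSec * 1000) errors.push('ttl')
  return { ok: errors.length === 0, errors }
}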
审计与发布治理
- 审计发行方与主体、时间窗口与 TTL；异常阻断并回退到可信签名。
- 策略变更需审批与归档。
