reject expired STS credentials early without decoding sessionToken (#19072)

2026-03-16 17:53:43 +01:00 · 2024-02-19 07:34:10 -08:00
parent 23c10350f3
commit 4c8197a119
2 changed files with 9 additions and 0 deletions
--- a/cmd/jwt.go
+++ b/cmd/jwt.go
@@ -113,6 +113,10 @@ func metricsRequestAuthenticate(req *http.Request) (*xjwt.MapClaims, []string, b
 				return nil, errInvalidAccessKeyID
 			}
 			cred := u.Credentials
+			// Expired credentials return error.
+			if cred.IsTemp() && cred.IsExpired() {
+				return nil, errInvalidAccessKeyID
+			}
 			return []byte(cred.SecretKey), nil
 		} // this means claims.AccessKey == rootAccessKey
 		if !globalAPIConfig.permitRootAccess() {