reject expired STS credentials early without decoding sessionToken (#19072)

2025-11-07 21:02:58 -05:00 · 2024-02-19 07:34:10 -08:00
parent 23c10350f3
commit 4c8197a119
2 changed files with 9 additions and 0 deletions
--- a/cmd/auth-handler.go
+++ b/cmd/auth-handler.go
@@ -294,6 +294,11 @@ func checkClaimsFromToken(r *http.Request, cred auth.Credentials) (map[string]in
 		return nil, ErrInvalidToken
 	}

+	// Expired credentials must return error right away.
+	if cred.IsTemp() && cred.IsExpired() {
+		return nil, toAPIErrorCode(r.Context(), errInvalidAccessKeyID)
+	}
+
 	secret := globalActiveCred.SecretKey
 	if cred.IsServiceAccount() {
 		token = cred.SessionToken